Tuesday, December 27, 2016

A Cyber Look at the 2017 National Defense Authorization Act

On December 23, 2016, President Obama signed into law the National Defense Authorization Act for Fiscal Year 2017, authorizing $611 (or $619) billion primarily for the Department of Defense. While the left leaners are focusing on the inclusion of the anti-propaganda (we'll talk about this in its proper place - if you are in a hurry, you can jump there by clicking Section 1287, the Global Engagement Center), we're going to take a holistic view of the Cyber Stuff found in the 969-page appropriations bill. As an academic who runs a research center focused on cyber security and cyber crime, please forgive me if I also include some of the R & D and Education stuff that may be more workforce development focused rather than "pure cyber."

The Act is divided into five Divisions. We'll focus on a few sub-titles within those divisions, which I'll place for you here. I'll certainly get lazy and abbreviate, so feel free to refer to the full text of National Defense Authorization Act as signed for "official wording":

  • Division A - Department of Defense Authorizations
    • Title V - Military Personnel Policy
      • Subtitle A - Officer Personnel Policy
        • Sec. 509 - Pilot programs on direct commissions to cyber positions
      • Subtitle F -  National Commission on Military, National, and Public Service
        • Sections 551-557
    • Title IX - DOD Organization and Management
      • Subtitle C - Joint Chiefs of Staff and Combatant Command Matters
        • Sec 923 - Establishment of unified combatant command for cyber operations
    • Title XI - Civilian Personnel Matters
      • Subtitle A - DOD Matters Generally
        • Sec 1103 - Training for employment personnel of DoD on matters relating to authorities for recruitment and retention at U.S. Cyber Command
        • Sec 1104 - Public-private talent exchange
    • Title XVI - Strategic Programs, Cyber, and Intelligence Matters
      • Subtitle C - Cyberspace-related Matters
        • Sec 1641 - Special emergency procurement authority to facilitate defense against or recovery from cyber attack
        • Sec 1643 - Cyber mission forces matters
        • Sec 1644 - requirement to enter into agreements relating to use of cyber opposition forces
        • Sec 1645 - cyber protection support for DoD personnel in positions highly vulnerable to cyber attack
        • Sec 1647 - advisory committee on industrial security and industrial base policy
        • Sec 1649 - Evaluation of cyber vulnerabilities on F-35 aircraft and support systems
        • Sec 1650 - Evaluation of cyber vulnerabilities of DoD critical infrastructure
        • Sec 1651 - strategy to incorporate Army reserve component cyber protection teams into DoD cyber mission force
        • Sec 1652 - Strategic Plan for DISA
        • Sec 1653 - plan for infosec continuous monitoring capability and comply-to-connect policy
        • Sec 1654 - reports on deterrence of adversaries in cyberspace
        • Sec 1655 - Sense of Congress on cyber resiliency of the networks and communication systems of the National Guard
    • Title XVIII
      • Subtitle E - Improving Cyber Preparedness for Small Business
        • Sec 1841 - Small Business Development Center Cyber Strategy and outreach
        • Sec 1842 - Role of small business development centers in cybersecurity and preparedness
        • Sec 1843 - Additional cybersecurity assistance for small business development centers 
    • TITLE XIX - Department of Homeland Security Coordination
      • Sec 1912 - Cybersecurity strategy for DHS
      • Sec 1913 - EMP and GMD planning, R&D, and protection and preparedness

  • Division B - Military Construction Authorizations
  • Division C - Department of Energy National security Authorizations
  • Division D - Funding Tables
  • Division E - Uniform Code of Military Justice Reform

    Digging in more deeply, we'll give you page numbers to allow you to jump right to the meat of what interests you most . . .

    p.70, Sec 240 - Strategy for Improving Electronic and Electromagnetic Spectrum Warfare Capabilities

    By April 1, 2017, the Under Secretary for Acquisition, Technology, and Logistics needs to define a strategy in this area, which includes determining how to protect "programs that support or enable cyber operations" from electronic warfare, and describes how to conduct field testing in large-scale simulated exercises, with a budget submitted for 2018 on how to do that.  There already exists an Electronic Warfare Executive Committee that will oversee this activity.

    p.110, Sec 509 - Pilot Programs on Direct Commissions to Cyber Positions

    Each secretary of a military department may carry out a pilot program to recruit cyber professionals who have appropriate educational levels and physical qualifications to serve in the military directly into the ranks at an officer level in a cyber specialty area.  Pilots are authorized to run from Jan 1, 2017 through Dec 31, 2022, with status reports submitted in 2020.

    p.131, Subtitle F - National Commission on Military, National, and Public Service

    A full review of the military selective service process ("the draft") should be considered, with part of the scope (see 551(b)(3)) being "the feasibility and advisability of modifying the military selective service process in order to obtain for military, national, and public service individuals with skills for which the Nation has a critical need, without regard to age or sex" -- the skills listed here are "medical, dental, and nursing skills, language skills, and science, technology, engineering, and mathematics (STEM) skills."

    Could this mean in the future that we could be drafting hackers?  And not just for traditional military service!   551(a)(2) says "consider methods to increase participation in military, national, and public service in order to address national security and other public service needs of the Nation."

    Those terms are defined in 551(c) as:
    "military service" - active service in one of the uniformed services
    "national service" - civilian employment in Federal or State government in a field in which the Nation and the public have critical needs.
    "public service" - "civilian employment in any non-governmental capacity, including with private for-profit organizations and non-profit organizations (including with appropriate faith-based organizations), that pursues and enhances the common good and meets the needs of communities, the States, or the Nation in sectors related to security, health, care for the elderly, and other areas considered appropriate by the Commission for purposes of this subtitle."

    Does that mean I could be drafted to go help a State government secure their network?  Or perhaps even helping a small business Defense Industrial Base supplier to get secure?  It's too soon to know, but it is very interesting that such a review is being ordered. Given the budget realities in both categories of employers (states and small DIBs) many companies have "unsecurable" networks unless some outside resource is somehow provided!

    The Commission is ordered to produce a report to the President, within 7 months of its commencement, that includes such elements as:
    (A) do we need a draft registration system at this time?
    (B) what is the best way of getting our critical skills and abilities personnel needs met for all three target areas -- Military, National, and Private
    (C) How do we "foster among [our] youth an increased sense of service and civic responsibility in order to enhance the acquisition by the Nation of critically needed skills through education and training?"
    (D) How do we increase willingness of our youth to consider military, national, or public service
    (E)  How do we increase interest, education, and employment in our critical fields (including STEM, national security, cyber, linguistics and foreign language, health care and medical professions)
    (F) What incentives could be offered to help hire them?

    p.272 -  Sec 813 Use of Lowest Price Technically Acceptable Source Selection Process

    (C)(1) calls attention to the fact that we are idiots if we send our needs for cyber security to the lowest bidder every time.  (It actually says "information technology services, cybersecurity services, systems engineering and technical assistance services, advanced electronic testing, audit or audit readiness services, or other knowledge-based professional services;")

    p. 344 - Sec 902 Responsibilities of the Chief Information Officer of the DoD

    (I) makes it clear that the CIO "has the responsibilities for policy, oversight, and guidance for the architecture and programs related to the networking and cyber defense architecture of the Department."  THANK YOU!

    p.358 - Sec 923 Establishment of  Unified Combatant Command for Cyber Operations

    You are probably thinking "Wait!  We already have a Cyber Command!"  See Sec. 1642 below, but basically our current Cyber Command is at a lower level than a "Unified Combatant Command," and that is quite significant.  This establishes a general/admiral-level Unified Command version of Cyber Command and states that "The principal function of the command is to prepare cyber operations forces to carry out assigned missions."

    Under "(b) Assignment of Forces" it says "Unless otherwise directed by the Secretary of Defense, all active and reserve cyber operation forces of the armed forces stationed in the United States shall be assigned to the cyber command."  BUT . . . any Cyber Operation carried out in any geography will be conducted "under the command of the commander of the unified combatant command in whose geographic area the activity or mission is to be conducted" (unless otherwise directed by the President or the Secretary of Defense.)

    Which sounds like, if we are going the cyber equivalent of "guns hot" anywhere in the world, see your standard org chart.  Am I right?  Need the help of mil-speak experts to get this part sorted.

    (2)(A) makes the commander of this unit "subject to the authority, direction, and control of the Principal Cyber Advisor" and specifies their scope of operation as:
    (i) developing strategy, doctrine, and tactics
    (ii) preparing and submitting budget for cyber ops and cyber command
    (iii) exercising authority, direction, and control of funds for --
        (I) cyber command
        (II) cyber ops assigned to other unified combatant commands
    (iv) training and certification
    (v) conducting specialized courses of instruction for commissioned and noncommissioned officers
    (vi) validating requirements
    (vii) establishing priorities
    (viii) ensuring interoperability of equipment and forces
    (ix) formulating and submitting requirements for intelligence support
    (x) monitoring promotion of cyber operations forces ...

    The "Principal Cyber Advisor" (PCA) is not defined in this bill, but comes from the National Defense Authorization Act of 2014, which established that we should have a Principal Cyber Advisor and that they work in the Office of the Under Secretary of Defense for Policy.  Currently the PCA is Eric Rosenbach, who is also Chief of Staff for the Office of the Secretary of Defense.  His Deputy PCA is Major General Burke E. "Ed" Wilson.  (You may know Mr. Rosenbach as the author of "Find, Fix, Finish: Inside the Counterterrorism Campaigns that Killed bin Laden and Devastated Al Qaeda").

    p. 445 -  Sec 1103 - Training for employment personnel of DoD on matters related to authorities for recruitment and retention at U.S. Cyber Command

    This section says:
    "If you're an HR person or a supervisor in the Cyber Command, you really ought to know enough about what Cyber people do so that you don't mess up the new Command by hiring bumbling idiots who happen to be able to check all the right cyber-sounding boxes."  (That is not an exact quote.)  Have to say, I'm a big fan of this section!

    p. 446 - Sec. 1104 - Public-Private Talent Exchange

    "The Secretary of Defense may, with the agreement of a private-sector organization and the consent of the employee, arrange for the temporary assignment of an employee to such private-sector organization, or from such private-sector organization to a DoD organization."

    I can see HUGE benefits both ways here ... I can imagine that Cyber Command may want to put someone in a Silicon Valley or well-run Financial Services company to learn how they deal with risk at scale.  At the same time, there may be a private-sector company who faces a risk they can't possibly understand without being brought "in house" and shown some things from a DoD perspective that could really cause a near-miraculous advance in the sponsoring company's ability to defend their company or sector from nation-state actors.

    It looks like they have the right hooks in ... including that after a DoD person does a stint in a private sector company, they have to serve at least twice that length of time back in DoD.  The DoD person also counts the time served as government service for purposes of benefits and promotion. The personnel swap can be for periods of three months to two years, renewable for a total of up to four years.

    p.448 - Sec. 1105 - Temporary and Term Appointments in the Competitive Service in the DoD & Sec 1106 - Direct-Hire Authority for the DoD for Post-Secondary Students and Recent Graduates

    Section 1105 establishes that if the only way to fill a critical skill is to offer someone non-standard government pay, the SecDef has the ability to do that.

    Section 1106 says the SecDef can direct hire up to 15% of their total hires for professional and administrative occupations at GS-11 or below, including people who are currently enrolled as full-time students who have completed at least one year towards a degree.

    p. 457 - Sec 1124 - Pilot program on Enhanced Pay Authority for Certain Research and Technology positions in the Science and Technology Reinvention Laboratories of the DoD

    This section authorizes up to 150% of base salary to be offered to recruit and retain talented researchers to the DoD labs.

    p. 488 - Sec 1225 - Modification of Annual report on Military Power of Iran 

    Future reports on Iran's Cyber capabilities, should specifically address their propensity and ability to use proxies and other actors to mask their cyber operations, as well as including their ability to attack non-government entities within the US, and how they cooperate and use assistance from other state and non-state actors.

    p. 560 - Sec 1292 - Enhancing Defense and Security Cooperation with India

    (E) we agree to "collaborate with the Government of India to develop mutually agreeable mechanisms to verify security of defense articles, defense services, and related technology, such as appropriate cyber security and end use monitoring arrangements."

    Title XVI - Strategic Programs, Cyber, and Intelligence Matters

    p.601 - Sec 1641 - Special Emergency Procurement Authority to Facilitate the Defense Against or Recovery from a Cyber Attack

    The same government code (Title 41 US Code § 1903) that allows us to help companies and citizens in case of a nuclear, biological, chemical, or radiological attack can also be used for cyber attacks.  (See: https://www.law.cornell.edu/uscode/text/41/1903 ).

    p.602 - Sec 1642 - Limitation on Termination of Dual-Hat Arrangement for Commander of the United States Cyber Command

    Interested parties should go read the original, but this addresses the question of whether the head of U.S. Cyber Command should also be the Director of the NSA, and basically says that the two missions should be linked until such time as U.S. Cyber Command is sufficiently established to be able to fly solo without a sudden and dramatic loss of capability as they try to stand up a non-NSA linked version of Cyber Command.

    p.603 - Sec 1643 - Cyber Mission Forces Matters; Sec 1644 - Requirement to Enter into Agreements Relating to Use of Cyber Opposition Forces;

    1643 says that, to help get the new mission stood up, several waivers of the normal hiring rules are implemented, including Direct Hire Authority for positions up to the GG-15 or GS-15 level.  They also are going to implement an accelerated training program to get the necessary skills in place for military, civilian, and contractor personnel, as soon as they all agree on what those necessary skills should be.

    1644 gives the new unit until September 2017 to establish rules of engagement with each of the other Unified Combatant Commands including how to train and make ready for service any personnel who will be conducting cyber opposition operations.

    p.605 - Sec 1645 and Following

    1645 says that "At Risk" personnel should be identified and trained in how to use and operate personal electronic devices and accounts in a secure manner.   This could also be known as the "Hey!  Don't use your AOL Account for Government Business!" training.

    p.605 - Sec 1646 - Limitation on Full Deployment of Joint Regional Security Stacks

    This section refers to a technology being developed by DISA, the Defense Information Systems Agency, that deploys a suite of equipment that handles Firewall, Intrusion Detection and Prevention, Enterprise Management, and Virtual Routing and Forwarding, as well as many network security capabilities.  Each stack also provides the ability to do big data analytics.  There are currently eleven CONUS and five OCONUS sites being developed.  For more details on the program, see the DISA website on the JRSS initiative.  What this section says is that we won't go live with JRSS until all of the proper tests and acceptance checks have been conducted and properly trained personnel are ready to operate the stacks.

    p.606 - Sec 1647 - Advisory Committee on Industrial Security and Industrial Base Policy

    This committee will meet "at least annually" until 2022 to review the security standards for cleared facilities, especially with regards to information and networking security, including physical security and equipment installation and infosec and cyber defense policies, practices and reporting of incidents.  The committee will have five non-government and five government members.

    p.607 - Sec 1649 - Evaluation of Cyber vulnerabilities of F-35 Aircraft and Support Systems

    Perhaps the most important part of this section is the call to "Establish Department-wide information repositories to share findings relating to the evaluation and mitigation of cyber vulnerabilities" not just on the F-35 and related support systems, but on all major weapons systems of the DoD.  This section also authorizes the creation of specialty tools and systems to assist in the identification of such vulnerabilities.

    p.608 - Sec 1650 - Evaluation of Cyber Vulnerabilities of DoD Critical Infrastructure

    This section calls for every base and every military installation to have a thorough review of the identification and mitigation of all cyber vulnerabilities of major weapon systems and critical infrastructure.  The program will work through one of the covered research laboratories to establish a pilot aimed at improving the defense of control systems, increasing the resilience of military installations, and preventing or mitigating high-consequence cyber attacks.  The pilot will also help to inform future requirements for the development of new control systems.   As with Sec 1649, the development of any new required tools is authorized, as is the establishment of information repositories to share DoD-wide findings from these assessments.

    p.610 - Sec 1651 - Strategy to Incorporate Army Reserve Component Cyber Protection Teams into DoD Cyber Mission Force

    This plan calls for a report to Congress within 180 days on how Army National Guard units can be used to support State and civil operations in National Guard status under USC Title 32.  In many cases the Army National Guard employs people who have cyber security responsibilities, skills and talents as a result of their civilian-time jobs.  This plan received a great deal of attention in the past couple of years with headlines such as "Pentagon to Recruit Thousands for Cybersecurity Reserve Force," but this call for a report points to the fact that it is still very unclear what the actual mission would be and how these forces would or could be deployed.  That same article points out that as of late 2015, Cyber Command was still more than 3,000 positions short of their full requested staff.  For more on the 133 "Cyber Teams" that the DoD hopes to fill, see the DoD Special Report on the Three Primary Cyber Missions from defense.gov.  In the DoD Special Report, 68 of the Teams are referred to as Cyber Protection Teams, which, according to the 2015 DoD Cyber Strategy, "will augment traditional defensive measures and defend priority DoD networks and systems against priority threats."

    (Skipping here the development of a DISA Strategic Plan)

    p.611 - Sec 1653 - Plan for Information Security Continuous Monitoring Capability and Comply-to-Connect Policy: Limitation on Software Licensing

    The Comply to Connect policy is a new DoD wide statement that if you are connecting a device to a DoD network, that device and its operator are aware of and agree to comply with all DoD security and licensing policies.  Teeth are added to make sure that .mil stays in compliance with all software licenses through monitoring of the number of stations where software is installed.

    p.613 - Sec 1654 - Reports on Deterrence of Adversaries in Cyberspace

    Both the President and the Joint Chiefs will have to report to Congress any and all cyber threats by our adversaries and a description of the various military and non-military ways to address those threats, along with the relevant authorities and legal standards that allow such actions.

    p. 663 - Sec 1841 - Improving Cyber Preparedness for Small Businesses; Sec 1842 - Role of Small Business Development Centers in Cybersecurity and Preparedness; Sec 1843 - Additional Cybersecurity Assistance for Small Business Development Centers

    In a rather unusual directive in the DoD appropriation, Congress calls for the Small Business Administration and the Department of Homeland Security to work collaboratively to develop a cyber strategy for small business development centers "to be known as the Small Business Development Center Cyber Strategy."   In case you are wondering what a Small Business Development Center is, they are defined in 15 USC § 648 - the Small Business Development Center Program.
    The program calls for SBDCs to partner with ISACs and similar organizations and unlocks certain DHS funds to help develop training programs to ensure that small businesses are aware of cyber threat indicators and cyber training programs.  (For my Alabama readers, the Alabama Small Business Development Center network has offices at Innovation Depot in Birmingham and many universities across the state.)    In 2016, SBA estimated that $115M in funds would be available for all fifty states.  While the current bill doesn't add more funding directly, it does request that a strategy be created that includes how existing cyber programs at DHS and other Federal agencies could channel existing funds through the SBDCs to maximize impact.  The SBA and DHS have one year to submit their strategy to Congress.  Let's make sure they include the InfraGard program as a resource in that plan!

    p.684 - Sec 1912 - Cybersecurity Strategy for the Department of Homeland Security

    Congress requires DHS to provide a Cybersecurity strategy that includes consideration of their 2011 cybersecurity strategy, their 2014-2018 DHS Strategic Plan, and the most recent Quadrennial Homeland Security Review (currently that would be the 2014 Quadrennial Homeland Security Review).  The strategy should include how they fulfill section 227 requirements of the Homeland Security Act, their cybersecurity investigations capabilities, their plans for cybersecurity R&D, and their plans for engaging with international cybersecurity partners.  90 days after the strategy, they are to produce for Congress an implementation plan with strategic objectives, projected timelines, and metrics.

    p.684 - Sec 1913 - EMP and GMD Planning Research and Development and Protection and Preparedness

    There are several natural and man-made risks to our electrical infrastructure.  The new trend is to designate electromagnetic pulses from man-made sources, such as nuclear devices, as EMPs, but to refer to solar storms or other naturally occurring equivalent risks as geomagnetic disturbances (GMD).  The Department of Energy has worked with several electrical groups on plans in these areas, such as the Joint EMP Resilience Strategy published in July 2016 or the September 2016 FERC Reliability Standard for Transmission Systems during GMDs.  In 2010, FERC released a major 197 page study on the cybersecurity impacts a GMD could have called Geomagnetic Storms and their Impacts on the U.S. Power Grid.  The current bill calls for continued R&D in these areas, with regular reporting to Congress as well as the inclusion of such threats in future training and outreach as well as resiliency planning tests and events.

    p. 547 - Sec 1287 - Global Engagement Center (Under Title XII - Matters Relating to Foreign Nations, Subtitle H -- Other Matters)

    This section orders the Department of State to stand up a "Global Engagement Center" the purpose of which is "to lead, synchronize, and coordinate efforts of the Federal Government to recognize, understand, expose, and counter foreign state and non-state propaganda and disinformation efforts aimed at undermining United States national security interests."

    The Center shall carry out the following functions (which I list here in full, due to the high interest):

    (1) Integrate interagency and international efforts to track and evaluate counterfactual narratives abroad that threaten the national security interests of the United States and United States allies and partner nations.

    (2) Analyze relevant information, data, analysis, and analytics from United States Government agencies, United States allies and partner nations, think tanks, academic institutions, civil society groups, and other nongovernmental organizations.

    (3) As needed, support the development and dissemination of fact-based narratives and analysis to counter propaganda and disinformation directed at the United States and United States allies and partner nations.

    (4) Identify current and emerging trends in foreign propaganda and disinformation in order to coordinate and shape the development of tactics, techniques, and procedures to expose and refute foreign misinformation and disinformation and proactively promote fact-based narratives and policies to audiences outside the United States.

    (5) Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.

    (6) Identify gaps in United States capabilities in areas relevant to the purpose of the Center and recommend necessary enhancements or changes.

    (7) Identify the countries and populations most susceptible to propaganda and disinformation based on information provided by appropriate interagency entities.

    (8) Administer the information access fund established pursuant to subsection (f).

    (9) Coordinate with United States allies and partner nations in order to amplify the Center's efforts and avoid duplication.

    (10) Maintain, collect, use, and disseminate records (as such term is defined in section 552a(a)(4) of title 5, United States Code) for research and data analysis of foreign state and non-state propaganda and disinformation efforts and communications related to public diplomacy efforts intended for foreign audiences. Such research and data analysis shall be reasonably tailored to meet the purposes of this paragraph and shall be carried out with due regard for privacy and civil liberties guidance and oversight.

    The bill then goes on to authorize $60,000,000 to be transferred from DoD to State to fund such a Center.

Wednesday, November 30, 2016

NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB,  is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of URLs embedded within email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August. Then it shifted its focus towards banking trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypts files with the extension ".no_more_ransom". Moreover, the spammed URLs redirected to download either a JavaScript file or a Microsoft Word document. This is the first time that Kelihos has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using the Credit Debt theme. The most important fact is that some of the URLs redirected to download a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. At the time of writing, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 

Sincerely Yours,
Bank of America
Customer Relations Department

The following are the different subject lines that were spammed:

URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 

Subject - Pay for Credit Debt when Possible - 

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

URLs that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not previously been a behavior associated with Kelihos. Hence, it can be considered a noticeable change and a well-thought-out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document behaved in the familiar way, asking the user to enable macros by clicking the "Enable Content" (aka "Encrypt Me") button. After this, it downloads a payload from the following link:

MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh ransomware and appends the "no_more_ransom" extension to each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

The above is a plain text version of the ransom note. As can be seen, a Gmail address is being used, which is unusual behavior.

Troldesh did not stop trolling the victim there: it also downloads the Pony malware, which contacts its command and control center at this location:


When I visited the link it was down, but thanks to our malware expert Neera Desai, who works for PhishMe and is pursuing her Master's in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating, as Kelihos spammed URLs for the Troldesh ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system, but they also download the Pony malware to steal all the information from the victim's computer, dealing a double blow to the victim.
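The two host-side artifacts described above (files carrying the appended "no_more_ransom" extension and a ReadMe.txt note naming a contact e-mail) are what a responder would sweep a file share or disk image for. The following is an added example, not code from the original post; it builds a constructed sample tree in a temporary directory and scans it.

```python
"""Scan a directory tree for the artifacts this post attributes to Troldesh /
NoMoreRansom: files renamed with the "no_more_ransom" extension and a ReadMe.txt
ransom note naming a contact e-mail address.

Added example, not code from the original post.  The tree it scans is
constructed in a temporary directory and the contact address is a placeholder.
"""
import os
import re
import tempfile

RANSOM_EXT = ".no_more_ransom"
NOTE_NAME = "readme.txt"          # matched case-insensitively
# Loose address pattern; enough for a plain-text ransom note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_tree(root):
    """Walk root and return a summary of the ransomware indicators found."""
    encrypted, notes, contacts = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_EXT):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME:
                notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    contacts.update(EMAIL_RE.findall(fh.read()))
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "contacts": sorted(contacts),
        # Renamed files plus a note is a far stronger signal than either alone.
        "likely_troldesh": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed victim-like directory and return its path."""
    root = tempfile.mkdtemp(prefix="nmr_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # The post says the extension is appended to each file's existing name.
    for name in ("budget.xlsx.no_more_ransom", "photo.jpg.no_more_ransom"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 64)            # constructed ciphertext stand-in
    with open(os.path.join(root, "untouched.txt"), "w") as fh:
        fh.write("not encrypted\n")
    note = ("All the important files on your computer were encrypted.\n"
            "To decrypt the files you should send the following code:\n"
            "to e-mail address attacker-placeholder@example.com .\n")
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write(note)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```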

Money Mule Spam 

The Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeted at users with ".us" (United States) email addresses, impersonating a 'China company looking for employees'.

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com

Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the reply-to addresses use AOL domains, which is unusual in itself.

To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The inclusion of ransomware brings interesting twists for research as well as for law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Wednesday, November 09, 2016

Kronos Banking Trojan and Geo-Targeting from Kelihos

Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos

I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!).

Let’s start the story of what has been happening with the Kelihos botnet over the past couple of days. After laying low for the past couple of weeks, it has struck back with authority. As observed previously (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-geo-targeted.html), Kelihos continues to geo-target different locations. First, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom, if their email addresses ended with .it, .au, or .uk. Second, it targeted users in the United States to download a social media management tool, “Kuku.io.” Because this was based on country-code targeting of ".us", it is more likely to impact people in education and local government, who are the main users of .us email addresses. While all this was happening, it quietly fetched a malicious Word document from a website and placed it on the desktop without any indication to the user that a download had occurred. The malicious document eventually delivers the Kronos malware, which is considered to be the same as the Zeus malware that Kelihos sent in August (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-panda-zeus-to.html). This behavior was bizarre and had never been observed before this event.

Money Mule Spam

A brief report of the various geo-targeted spam is provided below.

1. Australia - Spam for email addresses ending with ".au" 

Email text is as follows:
Subject: Available Position

The Successful Company is hiring full/part-time employee for an Administrative Assistant position
(Customer Care Team) who can take a part oversee development projects in AU and NZ. This
opportunity is smart for everybody who ready to work as little as a several hours per weekday,
however you will apply for a full time position as well. Competent training programs are accessible
for the applicants. Work experience isn't required at all.
Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more
details concerning a vacancy.
Best Regards


An interesting thing to observe in the body of the text is the specific reference to development projects in AU and NZ. From this we can infer that the email body and the target addresses are not random, but specifically aimed at Australian users.

Some of the email subjects being used include:

Subject: Available Position
Subject: Employment
Subject: Job Offer
Subject: Open Vacancy

2. Italy - Spam for email addresses ending with ".it"

<== Italian Money Mule spam || Google Translate ==>
The text of the email being spammed, translated here from the Italian original, is as follows:

Subject: Job hiring

Kind greetings,
A European company specialising in freight transport is looking for people to fill new roles in your
province as it expands its staff! Salary is from 3002 Euro a month plus bonus. Training is paid for by the company!
If you need some extra funds, and you are an honest and conscientious worker aged 22 or over,
we invite you to send your CV to our personnel office

Best regards
Sandra Trevor,
Head of Personnel

Some of the email subjects being used (translated from Italian) include:

Subject: Hiring - job placement
Subject: Job hiring
Subject: We are looking for collaborators in your area
Subject: We are looking for collaborators in your city
Subject: We are looking for collaborators in your province
Subject: We are looking for collaborators in your region
Subject: Part-time work
Subject: We are seeking collaborators for a group operating at a global level

3. UK - Spam for email addresses ending with ".uk"

Subject: Wow amazing girl..Read that article

Hey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant 
reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about 
the soft trading market - it doesn't require any specific skills at it, all is automated.
Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff 
works with a demo!
Take the best out of it!
P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/


An interesting observation here is the fake URL for The Telegraph newspaper. The spammers are trying to trick the user into visiting the following link, disguised as the Telegraph newspaper's site.

The domain is hosted on 162[.]255[.]119[.]249, an IP address that has predominantly hosted various phishing websites (https://www.virustotal.com/en/ip-address/). Information found on Domain Tools is given below.

Information from Domain Tools (information about the registrant):

Domain Name:                    NEWSDEP3-TELEGRAPH.CO
Domain ID:                      D153329223-CO
Sponsoring Registrar:           NAMECHEAP, INC.
Sponsoring Registrar IANA ID:   1068
Registrar URL (registration services): http://www.namecheap.com
Domain Status:                  clientTransferProhibited
Registrant ID:                  70G0X0PHDOIUNYLZ
Registrant Name:                WhoisGuard Protected
Registrant Organization:        WhoisGuard, Inc.
Registrant Address1:            P.O. Box 0823-03411
Registrant City:                Panama
Registrant State/Province:      Panama
Registrant Postal Code:         0
Registrant Country:             Panama
Registrant Country Code:        PA
Registrant Phone Number:        +507.8365503
Registrant Facsimile Number:    +51.17057182
Registrant Email:               76fb43b32d694e49a7cf070f148b6aae.protect@whoisguard.com

Some of the email subjects being used include

Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article

When visited, the URL redirected to:
As can be observed, it redirects to talegraph[dot]co[dot]uk (talegraph, not telegraph), which is hosted in the Netherlands.

Whois & Quick Stats
Dates:          Created on 2016-09-27 - Expires on 2017-09-27 - Updated on 2016-09-27
IP Address:     hosted on a dedicated server
IP Location:    Netherlands - Zuid-holland - Papendrecht - It-ernity Internet Services Bv
ASN:            Netherlands AS21155 ASN-PROSERVE Amsterdam, NL (registered Sep 11, 2001)
Whois History:  4 records have been archived since 2016-10-01
Whois Server:   whois.nic.uk

Webpage of talegraph

As can be seen, the following is a fake website imitating the Telegraph newspaper.
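Both lure domains above imitate the same brand in different ways: newsdep3-telegraph[dot]co embeds "telegraph" in a longer label under an unrelated TLD, while talegraph[dot]co[dot]uk is a single-character substitution. The following added example (not code from the original post) flags both patterns for a monitored brand; the brand list, allowlist and short suffix table are constructed for illustration.

```python
"""Flag registrable domains that imitate a brand, as the two lures in this post
do: "newsdep3-telegraph.co" embeds the brand under an unrelated TLD, and
"talegraph.co.uk" is one edit away from it.

Added example, not code from the original post.  The brand list, allowlist and
suffix table are constructed for illustration (a real tool would use the
Public Suffix List); the two flagged domains are the ones quoted in the post.
"""
BRANDS = {"telegraph"}
ALLOWLIST = {"telegraph.co.uk"}                      # known-good registrations
SUFFIXES = ("co.uk", "org.uk", "com", "net", "top", "co", "io")


def registrable_parts(domain):
    """Split 'www.talegraph.co.uk' into ('talegraph', 'co.uk')."""
    d = domain.lower().rstrip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suf):
            return d[: -len(suf) - 1].split(".")[-1], suf
    labels = d.split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'teelgraph' is one edit from 'telegraph'."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def classify_domain(domain):
    """Return None for a benign-looking domain, otherwise a short reason."""
    if domain.lower().rstrip(".") in ALLOWLIST:
        return None
    label, suffix = registrable_parts(domain)
    for brand in BRANDS:
        if label == brand:
            return f"brand label '{brand}' under unexpected suffix .{suffix}"
        if brand in label:                    # e.g. newsdep3-telegraph
            return f"embeds brand '{brand}' in label '{label}'"
        if osa_distance(label, brand) <= 1:   # e.g. talegraph
            return f"'{label}' is within one edit of '{brand}'"
    return None


if __name__ == "__main__":
    for dom in ("telegraph.co.uk", "newsdep3-telegraph.co", "talegraph.co.uk"):
        print(dom, "->", classify_domain(dom))
```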

Social Media Management Tool

Kuku.io

It is well known that people in the United States are crazy about social media and get super excited whenever a new app or tool is launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction prompted threat actors to change their attacks to focus on the social media market, and different malware was developed to exploit this weakness of users. In a recent blog post, I mentioned how scammers were fooling people into buying cheat codes that never existed (http://garwarner.blogspot.com/2016/07/pokemon-go-invitation-to-spammers.html). In continuation of these attacks, the Kelihos spammers are now inviting users to download Kuku.io, a social media management tool. The following spam explicitly targets email addresses ending with ".us" because of the popularity and use of social media in the United States.

Email being spammed is as follows:
Subject: Need your opinion

I'm with Kuku.io, it's a social media management tool the key characteristic of which is to schedule and create
content on various networks at the same time. What's more you also encourage your clients to share, like and
follow your posts.
Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.
Check us out at: hxxps://kuku[dot]io/a/ms
I appreciate your time. I'm looking forward to receiving any of your comments!


Some of the email subjects being used include:

Subject: Need your opinion
Subject: Need your feeback
Subject: Please let me know if this is of any interest

When the webpage mentioned was visited:
Webpage of Kuku[.]io
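The pattern running through both Kelihos posts is that the lure is chosen by the recipient's country-code TLD, that each lure reuses a fixed set of subject lines, and that the US money-mule theme uses AOL reply-to addresses. The following added example (not code from the original posts) turns those observations into a small triage function over raw messages; the sample messages and addresses are constructed, and the Italian subjects are the original untranslated spam subjects.

```python
"""Triage raw spam samples against the Kelihos campaign patterns these posts
describe: the lure is chosen by the recipient's country-code TLD, each lure
reuses a fixed set of subject lines, and the US money-mule lure uses AOL
reply-to addresses.

Added example, not code from the original posts.  The sample messages are
constructed; the Italian subjects are the original spam subjects, untranslated.
"""
from email import message_from_string
from email.utils import parseaddr

# (label, required recipient TLD or None, lower-cased subjects, reply-to domain or None)
CAMPAIGNS = [
    ("money mule / AU", "au",
     {"available position", "employment", "job offer", "open vacancy"}, None),
    ("money mule / IT", "it",
     {"assunzione al lavoro", "assunzione - collocamento al lavoro",
      "lavoro part-time"}, None),
    ("fake Telegraph trading lure / UK", "uk",
     {"look what i found", "wow amazing girl.. read that article",
      "why work for your money when your money can work for you?"}, None),
    ("kuku.io lure / US", "us",
     {"need your opinion", "need your feeback",
      "please let me know if this is of any interest"}, None),
    ("money mule / US via AOL reply-to", "us",
     {"china company is looking for employees", "job opportunity",
      "we are hiring new employees to our office", "open vacancy"}, "aol.com"),
    ("credit debt / Troldesh lure", None,
     {"please settle credit arrears shortly", "you have a 3-month credit debt",
      "pay for credit debt when possible",
      "credit department discovered your debt"}, None),
]


def recipient_tld(msg):
    """Last label of the first To: address, e.g. 'au' for user@example.com.au."""
    addr = parseaddr(msg.get("To", ""))[1]
    return addr.rsplit(".", 1)[-1].lower() if "@" in addr else ""


def reply_to_domain(msg):
    """Domain of Reply-To:, falling back to From:."""
    addr = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1]
    return addr.split("@")[-1].lower() if "@" in addr else ""


def classify(raw):
    """Return the matching campaign label for one raw RFC 822 message, or None."""
    msg = message_from_string(raw)
    subject = " ".join(msg.get("Subject", "").split()).lower()
    tld, rdom = recipient_tld(msg), reply_to_domain(msg)
    for label, want_tld, subjects, want_rdom in CAMPAIGNS:
        if subject in subjects and (not want_tld or tld == want_tld) \
                and (not want_rdom or rdom == want_rdom):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample: a .us recipient with a placeholder AOL reply-to.
    sample = ("To: clerk@city.example.us\nReply-To: recruiter-placeholder@aol.com\n"
              "Subject: Open vacancy\n\n(body omitted)\n")
    print(classify(sample))
```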

Kronos Banking Trojan

Now let's get to the sneaky part performed by Kelihos, which is dropping a malicious Word document on the desktop. While doing his daily chores of running the Kelihos malware and collecting the spam sent, Max found that a document named 'oldversion' had been placed on the desktop. It was strange, and we had never seen this behavior previously.
Pictorial view of the document icon on the Desktop

On further scrutiny, we found that during the capture, Kelihos did a GET request to download the document.

hxxp://topswingusa[dot]top/qivi/oldversion[dot]doc - Get request https://www.virustotal.com/en/file/e6071f9205ed8540df9612d3f1a001f497931fc76dee43fee1e77750d00df256/analysis/

IP address of topswingusa[dot]top - https://www.virustotal.com/en/ip-address/
Virus total result of topswingusa[dot]top https://www.virustotal.com/en/url/56f79838c296ac58ab81cd6571187bc1abcb33f6cb395bcebfd9db966224d4dc/analysis/

An interesting string found in Process Hacker was "UPLD save to: C:\Users\malware\Desktop\oldversion.doc"

Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.

Enable Editing
The document was opened in Protected View and, after clicking 'Enable Editing,' it asked to "Enable Content."

Enable Content
After clicking 'Enable Content,' it spawned a child process named '24580.exe', and then another child process was launched with the name "svchost.exe". The process killed itself and did not run properly.

Hence, I had to put it into OllyDbg to get the malware working. On further observation in the debugger, I found that it was checking for a virtual machine. Hence, it was VMware-aware and killed itself instantaneously. But before it killed itself, I found the following string in "svchost.exe" in the debugger, which identified the malware as Kronos.

Hence, it can be inferred that the malware in question is Kronos. To be doubly sure, I repeated the process by downloading the malicious document and running it again.

This time I was able to gather more information. Once the document is activated by 'Enable Content,' it grabs the downloader from the following URL:
which is hosted on the same IP, 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe" was obtained, it spawned a third process named "MSOSQM", which was the Kronos malware.

On further scrutiny, I found that both the downloaders "24580.exe" and "mswords2k8[dot]exe" have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.

Downloader and Kronos malware
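The chain described above (a macro-enabled document spawning a dropped executable, which then starts a process named svchost.exe) is the kind of parent/child relationship an endpoint sensor can alert on, because the genuine svchost.exe only ever runs from the Windows system directories. The following added example (not code from the original post) runs that check over constructed process-creation events; that the parent is WINWORD.EXE and that 24580.exe ran from %TEMP% are assumptions, since the post names only the document and its child processes.

```python
"""Detect the process chain this post describes for the Kronos dropper: an
Office process spawns a dropped executable after "Enable Content", and that
executable starts a process named svchost.exe outside the Windows system
directories (the legitimate one lives only in System32/SysWOW64).

Added example, not code from the original post.  The events are constructed;
that the parent is WINWORD.EXE and that 24580.exe ran from %TEMP% are
assumptions, since the post names only the document and the child processes.
"""
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(path):
    """Bare file name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_dropper_chains(events):
    """events: iterable of dicts with pid, ppid and path.
    Returns (office_pid, dropper_pid, masquerade_pid) for every matching chain."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for office in events:
        if image_name(office["path"]) not in OFFICE_IMAGES:
            continue
        for child in children[office["pid"]]:
            cpath = child["path"].lower()
            # Office launching an .exe from outside the system directories is
            # the first signal (the post's sample was named 24580.exe).
            if not cpath.endswith(".exe") or cpath.startswith(SYSTEM_DIRS):
                continue
            for grand in children[child["pid"]]:
                gpath = grand["path"].lower()
                if image_name(gpath) == "svchost.exe" and not gpath.startswith(SYSTEM_DIRS):
                    hits.append((office["pid"], child["pid"], grand["pid"]))
    return hits


# Constructed process-creation events resembling the described infection.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "path": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "path": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "path": "C:\\Users\\malware\\AppData\\Local\\Temp\\24580.exe"},
    {"pid": 400, "ppid": 300, "path": "C:\\Users\\malware\\AppData\\Local\\Temp\\svchost.exe"},
    {"pid": 500, "ppid": 1, "path": "C:\\Windows\\System32\\svchost.exe"},   # legitimate
]

if __name__ == "__main__":
    print(find_office_dropper_chains(SAMPLE_EVENTS))
```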

Another interesting observation found in the debugger is the presence of a string named "BOTID".


Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.