Malware appears to have hijacked the British Association for Counselling and Psychotherapy (BACP)'s website – and held it to ransom.…
Posted: 12 Feb 2016 | 2:46 pm
Posted: 12 Feb 2016 | 4:52 am
Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks. Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.
This proves that BlackEnergy has evolved from being just an energy-sector problem; now it is a threat that organizations in all sectors—public and private—should be aware of and be prepared to defend against. While the motivation for these attacks has been the subject of heavy speculation, they appear to be aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike.
We came upon these findings by pivoting off the original indicators of compromise, which included BlackEnergy reconnaissance and lateral movement tools and KillDisk, a disk-wiping malware, among others. A fellow senior threat researcher at Trend Micro and I began hunting for additional infections or malware samples related to the incident. We quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets of the newest BlackEnergy campaign.
Based on telemetry data from open-source intelligence (OSINT) and Trend Micro Smart Protection Network, we saw that there were samples of BlackEnergy and KillDisk that may have been used against a large Ukrainian mining company and a large Ukrainian rail company. In addition, the possible infections in the mining and railway organizations appear to use some of the same BlackEnergy and KillDisk infrastructure that were seen in the two power facilities attacks.
Related Malware in a Large Ukrainian Mining Company
During the course of our investigation, we saw an overlap between the BlackEnergy samples used in the Ukrainian power incident and those apparently used against the Ukrainian mining company. One sample, amdide.sys (SHA1: 2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1), appears to have been used in November 2015 to infect its target. Additional samples leveraged in both the Ukrainian power utilities attack and against the Ukrainian mining company are:
We also came across another sample named aliide.sys (SHA1: C7E919622D6D8EA2491ED392A0F8457EA240) that appears to have hit the same company. The naming of the BlackEnergy samples appears to mirror that of one of the samples actively used in the campaign against the Ukrainian power utilities. This sample, which is flagged as BlackEnergy, has exactly the same functionality as the samples witnessed in the Ukrainian power utility attack. In addition, this sample utilizes the same infrastructure. In this case, the URL communicated with is 88[.]198[.]25[.]92:443/fHKfvEhleQ/maincraft/derstatus.php.
Additional samples that are caught as BlackEnergy and appear related are:
Both of the aforementioned samples communicate with 146[.]0[.]74[.]7:443/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php, which is also one of the C2s used in the Ukrainian power incident. All of the BlackEnergy samples mentioned appear to have been used in the November to December 2015 timeframe.
Unfortunately, this same mining organization was also hit with multiple variants of KillDisk. While none of the exact samples from the prior utility attacks appear to have been used against the mining organization, the samples witnessed perform exactly the same functionality as those seen at the Ukrainian power utilities, with very little difference.
We did also see KillDisk bleed over from the Ukrainian power incident. Two samples drew our attention: svchost.exe (SHA1: 8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569) and crab.exe (SHA1: 16f44fac7e8bc94eccd7ad9692e6665ef540eec4). Both samples, seen in the Ukrainian power incident, were possibly also used against this large Ukrainian mining organization.
Similar Malware in a Large Ukrainian Train/Railway Operator
Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. The file tsk.exe (SHA1: f3e41eb94c4d72a98cd743bbb02d248f510ad925) was flagged as KillDisk and was used in the electric utility attack as well as against the rail company. This appears to be the only spillover from the Ukrainian power utility infection. While we have no proof that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network.
Based on our research, we believe that the same actors are likely involved, in some regard, in the attacks on these two victims and in the Ukrainian power utility attack. There is remarkable overlap in the malware used, the infrastructure, the naming conventions and, to some degree, the timing of use of this malware, leading us to believe that the same actors are not only attacking power utilities, but also large mining and railway organizations throughout Ukraine.
Many possibilities exist about the big picture, but three in particular stand out. One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities. Another possibility is that they deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrest control of. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers were simply testing the code base.
Whichever is the case, attacks against Industrial Control Systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions. In addition—and this bears repeating—this attack shows that any organization, regardless of the nature or size of its business, can be a target. Given that the BlackEnergy campaign has a destructive payload (KillDisk), companies with the false sense of security that they are not critical, not public-facing or not important enough to be targeted may find their operations, or their ability to conduct business, grind to a halt.
The comprehensive list of indicators we’ve been tracking for BlackEnergy 2015 campaigns can be found in this appendix.
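The post quotes several file hashes and two defanged C2 URLs. A defender's first use of such indicators is to sweep existing proxy logs and hash inventories for them, and two practical details matter: the "[.]" defanging has to be undone before anything will match, and a hash has to be well-formed before it is worth comparing (the aliide.sys SHA1 as printed above is truncated, so it cannot be matched and is left out). The following Python is an added example, not Trend Micro's tooling or code; the log layout, client IPs and timestamps are constructed for the example, and only the indicator values come from the post.

```python
import re

# Indicators quoted in the post above, defanged exactly as printed there.
DEFANGED_C2_URLS = [
    "88[.]198[.]25[.]92:443/fHKfvEhleQ/maincraft/derstatus.php",
    "146[.]0[.]74[.]7:443/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php",
]

# SHA1 hashes quoted in the post. The aliide.sys hash is printed truncated
# there (36 hex digits), so it cannot be used for matching and is left out.
KNOWN_SHA1 = {
    "2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1": "amdide.sys (BlackEnergy)",
    "8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569": "svchost.exe (KillDisk)",
    "16f44fac7e8bc94eccd7ad9692e6665ef540eec4": "crab.exe (KillDisk)",
    "f3e41eb94c4d72a98cd743bbb02d248f510ad925": "tsk.exe (KillDisk)",
}


def refang(indicator: str) -> str:
    """Undo the common '[.]' / 'hxxp' defanging so the indicator can be compared."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def split_url(url: str):
    """Split '[scheme://]host[:port][/path]' into (host, port, path); None if unparsable."""
    m = re.match(r"^(?:https?://)?([^/:]+)(?::(\d+))?(/.*)?$", url)
    if not m:
        return None
    host, port, path = m.group(1), m.group(2), m.group(3) or "/"
    return host.lower(), (int(port) if port else None), path


C2_INDICATORS = [split_url(refang(u)) for u in DEFANGED_C2_URLS]


def normalize_sha1(digest: str):
    """Uppercase a digest and accept it only if it is a well-formed SHA1 (40 hex digits)."""
    d = digest.strip().upper()
    return d if re.fullmatch(r"[0-9A-F]{40}", d) else None


SHA1_INDEX = {normalize_sha1(h): label for h, label in KNOWN_SHA1.items()}

# Assumed proxy log layout (constructed for this example):
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def match_proxy_line(line: str):
    """Return a hit dict if the line's URL matches a known C2 host, port and path exactly."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = split_url(m.group("url"))
    if parts is None:
        return None
    host, port, path = parts
    for ihost, iport, ipath in C2_INDICATORS:
        if host == ihost and port == iport and path == ipath:
            return {"client": m.group("client"), "ts": m.group("ts"),
                    "c2": f"{ihost}:{iport}{ipath}"}
    return None


def match_hash(digest: str):
    """Return the indicator label for a SHA1, or None for unknown or malformed input."""
    key = normalize_sha1(digest)
    return SHA1_INDEX.get(key) if key else None


def scan(log_lines, digests):
    """Run both matchers; returns (network hits, {digest: label} for hash hits)."""
    net_hits = [h for h in (match_proxy_line(l) for l in log_lines) if h]
    hash_hits = {d: match_hash(d) for d in digests if match_hash(d)}
    return net_hits, hash_hits


# Constructed sample input; the internal IPs and timestamps are made up.
SAMPLE_LOG = [
    "2015-12-01T10:03:11Z 10.1.2.15 POST http://88.198.25.92:443/fHKfvEhleQ/maincraft/derstatus.php 200",
    "2015-12-01T10:03:12Z 10.1.2.15 GET http://example.org/index.html 200",
    "2015-12-02T08:15:00Z 10.1.2.40 POST http://146.0.74.7:443/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php 200",
    "2015-12-02T08:16:00Z 10.1.2.40 GET http://146.0.74.7:443/other/path.php 404",
]
SAMPLE_DIGESTS = [
    "f3e41eb94c4d72a98cd743bbb02d248f510ad925",   # tsk.exe, quoted in the post
    "C7E919622D6D8EA2491ED392A0F8457EA240",       # aliide.sys as printed: truncated, so rejected
    "d41d8cd98f00b204e9800998ecf8427e",           # an MD5, wrong length for SHA1
]

if __name__ == "__main__":
    hits, hash_hits = scan(SAMPLE_LOG, SAMPLE_DIGESTS)
    for h in hits:
        print(f"[C2] {h['ts']} {h['client']} -> {h['c2']}")
    for digest, label in hash_hits.items():
        print(f"[HASH] {digest} = {label}")
```

The URL match is deliberately strict on host, port and path: the post ties each C2 to a specific path, and a host-only match on a shared hosting IP would drown the result in noise. Hash matching is case-insensitive but length-strict, so a truncated or wrong-algorithm digest is reported as no match rather than silently passing.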
Posted: 11 Feb 2016 | 10:47 am
1. Download PhantomJS from here.
2. Download the JSPacker.js file from here.
3. Put everything in a folder or on your desktop, then at a DOS (command) prompt type the following:
C:\> phantomjs jspacker.js pack in.txt out.txt
C:\> phantomjs jspacker.js unpack in.txt out.txt
Posted: 6 Feb 2016 | 4:57 pm
In a previous blog, we discussed why Point of Sale (POS) devices remain such an attractive target and described some different attack methods. As you can see from the infographic below, retail and POS have been (pardon the pun) “Targets” on an ongoing basis for the past few years, and the trend doesn’t appear to be reversing, even with technologies such as EMV and P2PE. In this blog, we describe some of the different families of POS malware.
Families of POS malware typically utilize similar techniques as their end goal is the same – to steal account details, and especially payment card information.
Credit card data (track 1 and track 2 information) is often stored in plain text in memory on the POS device. Several variants of POS malware leverage memory scraping capabilities to capture the credit card data using regular expressions (RegEx), when searching through memory to find it. In fact, different families of POS malware sometimes share parts of RegEx or the entire RegEx. Regular expressions are an easy way to search for patterns that identify specific kinds of data; however, they can be computationally inefficient. Because of this, other malware variants use custom search algorithms to make their searches more efficient. Usually, these custom search algorithms will look for specific pieces of information: track delimiters, account number prefixes that correspond to major card issuers, primary account number (PAN) length, and some validate PANs using the Luhn algorithm. When the malware uses targeted custom searches, rather than scanning all data for patterns, the activity associated with the malware becomes more difficult to detect.
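The paragraph above describes two search strategies: a broad regular expression over all memory, and a targeted search keyed on track delimiters, issuer prefixes, PAN length and the Luhn checksum. The same logic is what an incident responder runs over a memory capture from a POS host to confirm whether plaintext track data is present at all, which is the exposure P2PE is meant to remove. The following Python is an added example, not code from the AlienVault post or any malware family it names; the memory buffer is constructed and uses the well-known 4111111111111111 test PAN, and the output masks PANs so the triage report is not itself cardholder data.

```python
import re

# Track 1 and track 2 layouts as they appear in plaintext POS memory: the
# field delimiters (%B ... ^ ... ^ and ; ... = ...) are what a targeted
# search keys on, rather than scanning for any run of digits.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<yy>\d{2})(?P<mm>\d{2})")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})\d*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 if > 9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 so the report does not contain a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return (accepted, rejected) track-data candidates found in a memory buffer.

    A candidate is accepted only if the PAN passes the Luhn check and the month is
    plausible; everything else is reported separately so the analyst can see the
    false positives that a delimiter-only search would have produced."""
    accepted, rejected = [], []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            yy, mm = m.group("yy").decode(), m.group("mm").decode()
            rec = {"track": track, "pan": mask_pan(pan),
                   "expiry": f"20{yy}-{mm}", "offset": m.start()}
            if luhn_valid(pan) and 1 <= int(mm) <= 12:
                accepted.append(rec)
            else:
                rejected.append(rec)
    return accepted, rejected


# Constructed sample buffer: a well-known test PAN (4111111111111111) in both
# track formats, a variant that fails Luhn, and the same digits without delimiters.
SAMPLE_MEMORY = (
    b"\x00\x00PROCESS-HEAP\x00"
    b";4111111111111111=25121010000000000000?"           # track 2, valid
    b"\x00\x00zz"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"     # track 1, valid
    b"\x01\x02"
    b";4111111111111112=2512101000000?"                  # fails Luhn: check digit wrong
    b"\x00"
    b"4111111111111111"                                  # bare digits: no delimiters, not a track
    b"\x00"
)

if __name__ == "__main__":
    ok, bad = find_track_data(SAMPLE_MEMORY)
    for r in ok:
        print(f"track{r['track']} @{r['offset']}: {r['pan']} exp {r['expiry']}")
    print(f"{len(bad)} candidate(s) rejected by Luhn/expiry check")
```

Two things the paragraph states show up directly in the output: the bare 16-digit run is never reported because the search is anchored on delimiters, and the Luhn check discards the candidate whose check digit is wrong. The same filtering that makes targeted scraping quieter is what keeps a responder's sweep from flooding the report with digit runs that are not card numbers.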
Some POS malware reduces its footprint to avoid detection by injecting into processes. In addition, it improves performance by limiting the number of processes used in memory scraping. Some kinds of POS malware scrape memory from every process to increase the likelihood of obtaining useful information; however, this also increases the odds that someone will notice the malware. To avoid this, most POS malware has a blacklist of processes that are omitted from memory scraping and instead targets a few specific processes.
A common feature of malware that usually accompanies memory scraping is key logging. Key logging allows attackers to capture PINs in addition to account numbers. PIN pads are usually recognized by an operating system as a keyboard device, so attackers don’t need to write fancy new key-logging code to steal data from PIN pads.
Once POS malware has captured account details using the above techniques, attackers need to have some way of accessing this data. Some types of POS malware only store the data locally and don’t have built-in exfiltration features. In such cases, attackers have to manually retrieve the data – typically via some kind of remote session, though manual recovery through physical access is also a possibility.
However, many variants of POS malware do have built-in exfiltration features that send stolen data to drop sites or command and control servers. Data exfiltration can take many forms, ranging from exfiltration via e-mail, FTP, HTTP, HTTPS, DNS or Tor to other protocols. Some transmit data in plaintext while others obfuscate or encrypt data before transmission.
Stealing credit card account details is not always the only objective of POS malware. Some variants can also incorporate other standard Trojan features such as:
Now that we have a good understanding of the various capabilities of POS malware, we can look more closely at behaviors associated with some of the best-known malware families.
Rdasrv was one of the earliest identified POS RAM scrapers, discovered in early 2011. Rdasrv functions in a manner that is distinct from all other POS RAM scrapers. Instead of looking at all of the processes, it only inspects processes that are hard coded into the malware itself. Patterns that match are written to a text file for manual exfiltration at a later date.
Back in 2012 reports emerged on Dexter. Dexter has infected hundreds of point-of-sale computers at big name retailers, hotels, restaurants, and other businesses, according to a report issued by Aviv Raff, chief technology officer of Israel-based security firm Seculert. 
Dexter steals payment card data from the POS system and sends it to a remote C&C server. The source code for Dexter was leaked some time ago, leading to many variants being created, even to this day, as people improve upon the code base.
Alina is a fairly well-known POS RAM scraper family, discovered in October 2012. As of the writing of this document, Alina variants are still being actively developed by the malware-writing community. As a result, its methods of persistence, RAM scraping, and data exfiltration can vary from version to version. For example, early versions sent data in plain text, while later ones utilized exclusive-or (XOR)-based encryption or established contact with multiple C&C servers. Alina variants cast a wider net than other families because targeted processes are not hard-coded, making the malware more versatile and able to target a larger set of victims.
BlackPOS rose to fame, or perhaps infamy, when it was discovered on the POS systems of retail giant Target in December 2013. However, back in 2012, the source code of BlackPOS was leaked, which enabled many parties, both malicious and non-malicious, to examine and improve its codebase. It maintains persistence by masquerading as an antivirus program. The exfiltration methods used by BlackPOS are fairly simple: track 1 and 2 payment card data is written to a file and offloaded to an FTP server for later extraction.
Like BlackPOS, FrameworkPOS rose to infamy after it was found on the POS systems of another major retailer, The Home Depot. FrameworkPOS achieves persistence by installing a Windows service, which starts at system boot and restarts. The service name is "McAfee Framework Management Instrumentation", a name likely chosen to help it blend in. Like many malware families, FrameworkPOS has many variants, one of which stands out due to its method of data exfiltration: that variant utilizes DNS requests to exfiltrate data, instead of the standard approach of writing to a file and uploading it to an FTP server (as seen during the Home Depot breach).
Chewbacca was discovered on the POS systems of several dozen different retailers around the world in late 2013. To maintain persistence, it installs itself as “spoolsv.exe” in the startup folder. After installation, the keylogger creates a file called “system.log” inside the system %temp% folder, logging keyboard events and window focus changes. Chewbacca also scrapes memory and utilizes regex to extract track 1 and 2 data of payment cards from the infected system. The extracted information is then transported via Tor to a C&C server, concealing the real IP address of the command and control (C&C) server(s), encrypting traffic, and avoiding network-level detection.
Unlike many of the earlier malware families, Backoff was not built with a specific target in mind, which has allowed it to be used to cause a large number of data breaches. One of the larger ones targeted UPS stores between January and August 2014. Backoff is also unique in that it uses a runtime packer to protect it from being detected. To maintain persistence, Backoff creates an encrypted copy of itself. If the malware stops running for any reason, nsskrnl will be decrypted and executed to re-infect the system, using code that was injected into an explorer.exe process. Exfiltration and remote control are accomplished by communicating with a remote C&C via HTTP.
The malware dubbed Cherrypicker POS has been around undetected since roughly 2011. It avoids detection by the use of encryption, obfuscation and cleaning up after itself. It injects into various processes based upon its configuration and scrapes memory for track 1 and track 2 data, which is then logged. The log file is then encrypted for communication back to the remote FTP server.
AbaddonPOS is a simplistic piece of POS malware, coming in at around 5 KB in size. The malware implements several anti-analysis and obfuscation techniques to make manual and automated analysis difficult. To acquire track 1 and 2 data, the malware scrapes the memory of all processes except its own. The majority of AbaddonPOS’s code is not obfuscated, with the exception of the code to encode and transmit payment card details. This could be explained by the fact that, unlike many POS malware families which utilize existing protocols such as HTTP, IRC or Tor to communicate with a C&C, the Abaddon developers created their own binary-encoded protocol to exfiltrate data.
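The exfiltration section earlier in this post lists DNS among the channels POS malware uses, and the FrameworkPOS variant above is the concrete case: card data leaves the network inside DNS queries rather than over FTP. On the resolver side that leaves a recognisable trace: a burst of distinct, long, high-entropy first labels under one parent domain from a single client. The following Python is an added example, not AlienVault's USM correlation rules or any code from the post; the resolver log layout, client addresses, domain and hex labels are all constructed, and the thresholds are starting points to tune against your own traffic.

```python
import math
import re
from collections import defaultdict

# Assumed resolver log layout (constructed for this example):
#   "<timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>[A-Z]+)$")

LONG_LABEL = 32        # a single DNS label this long is rare for human-named hosts
ENTROPY_BITS = 3.5     # per-character Shannon entropy typical of encoded payload data
MIN_UNIQUE = 5         # distinct suspicious names per client/domain before alerting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (first label, parent domain). The parent is approximated as the last
    two labels; a real deployment would use a public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def label_reasons(label: str):
    """Why a first label looks like encoded data rather than a hostname."""
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("long-label")
    if len(label) >= 16 and shannon_entropy(label) >= ENTROPY_BITS:
        reasons.append("high-entropy")
    if len(label) >= 16 and re.fullmatch(r"[0-9a-f]+", label):
        reasons.append("hex-only")
    return reasons


def detect_dns_exfil(lines, min_unique=MIN_UNIQUE):
    """Group suspicious names per (client, parent domain) and alert above a threshold.

    Counting distinct names matters: a single odd-looking CDN hostname queried
    repeatedly is not exfiltration, but hundreds of never-repeating labels are."""
    suspicious = defaultdict(set)
    reason_tally = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label, parent = split_qname(m.group("qname"))
        if label is None:
            continue
        reasons = label_reasons(label)
        if reasons:
            key = (m.group("client"), parent)
            suspicious[key].add(m.group("qname").lower())
            reason_tally[key].update(reasons)
    alerts = []
    for key, names in sorted(suspicious.items()):
        if len(names) >= min_unique:
            alerts.append({"client": key[0], "domain": key[1],
                           "unique_names": len(names),
                           "reasons": sorted(reason_tally[key])})
    return alerts


# Constructed sample: ordinary lookups plus a burst of 40-character hex labels
# under one domain from a single client, the pattern a DNS channel leaves behind.
SAMPLE_DNS_LOG = [
    "2014-09-01T09:00:01Z 10.1.2.15 query www.example.com. A",
    "2014-09-01T09:00:02Z 10.1.2.15 query mail.example.com. A",
    "2014-09-01T09:00:03Z 10.1.2.40 query cdn-node-07.cache.example.org. A",
] + [
    f"2014-09-01T09:01:{i:02d}Z 10.1.2.15 query {label}.updates.example.net. TXT"
    for i, label in enumerate([
        "3b2f9c1e4d7a8b0c5e6f1a2d3c4b5a6f7e8d9c0b",
        "a1c3e5f7b9d2048c6e8a0b2d4f6a8c1e3b5d7f90",
        "0f1e2d3c4b5a69788796a5b4c3d2e1f0aabbccdd",
        "5d6c7b8a99001122334455667788aabbccddeeff",
        "deadbeefcafef00d0123456789abcdef01234567",
        "9876543210fedcba9876543210fedcba98765432",
    ])
]

if __name__ == "__main__":
    for a in detect_dns_exfil(SAMPLE_DNS_LOG):
        print(f"ALERT {a['client']} -> {a['domain']}: {a['unique_names']} names, {a['reasons']}")
```

The per-label heuristics alone are noisy (CDN and anti-spam lookups also produce long random labels), which is why the alert is raised on the count of distinct suspicious names per client and parent domain, not on any single query. Whitelisting known parents and raising `MIN_UNIQUE` are the usual tuning knobs.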
The following correlation rules from AlienVault USM are used to detect activity from the aforementioned threats:
For the security researcher, POS malware is an area of research of growing interest. Learning about the different families of POS malware is useful in this research, as it makes variants easier to identify and detect. Understanding the families with a similar code base saves valuable time during research, especially when responding to breaches: it is not necessary to treat every new malware sample as something brand new. In many cases, lazy attackers are simply modifying existing malware to evade detection.
The following infographic lists most of the recent breaches at retailers caused by POS malware, giving an overview of the impact of POS malware.
Posted: 17 Dec 2015 | 6:00 am
- First type: full plugins, whose export function is called Plug. Full plugins run continuously until the infected system is restarted.
- Second type: light plugins, with an export function named Scan. Light plugins terminate immediately after returning a buffer with the information they harvested from the victim’s machine.
- Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
- The MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
- After receiving the request, the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key.
- In the second stage, the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
- The actual data exchange after the key exchange is then encrypted with the AES-256 key using symmetric cryptography, which is faster.
- The Potao malware sends an encrypted request to the server with the computer ID, campaign ID, OS version, malware version, computer name, current privileges, OS architecture (64 or 32 bits) and the name of the current process.
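Of the points in the list above, the one a network defender can act on directly is that Potao wraps its traffic in XML-RPC and always carries the fixed MethodName value. The following Python is an added example, not ESET's code or detection content: it parses HTTP POST bodies as XML-RPC, flags the known methodName, and, as an assumption of my own rather than something the summary states, also marks unrelated calls whose parameters decode to an opaque binary blob, since that is what an encrypted request encapsulated in XML-RPC looks like. The sample bodies, source addresses and the base64 blob are constructed; only the methodName value comes from the summary.

```python
import base64
import xml.etree.ElementTree as ET

# Value quoted in the summary above as always present in Potao traffic.
POTAO_METHOD_NAME = "10a7d030-1a61-11e3-beea-001c42e2a08b"


def parse_xmlrpc_call(body: bytes):
    """Parse an XML-RPC methodCall body into (methodName, [param texts]).

    Returns None for bodies that are not well-formed XML-RPC, so a detector can
    keep going over a stream of HTTP POST bodies without raising."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name_el = root.find("methodName")
    if name_el is None or not (name_el.text or "").strip():
        return None
    params = [(v.text or "").strip()
              for v in root.findall("./params/param/value/*")]
    return name_el.text.strip(), params


def looks_like_opaque_blob(text: str, min_len: int = 32) -> bool:
    """True if a parameter decodes as base64 into mostly non-printable bytes,
    i.e. what an encrypted request encapsulated in XML-RPC would look like."""
    if len(text) < min_len:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / max(len(raw), 1) < 0.8


def classify_xmlrpc(body: bytes) -> str:
    """'potao' for the known methodName; 'opaque' for other calls carrying a binary
    blob (worth a closer look); 'benign' otherwise; 'not-xmlrpc' if unparsable."""
    parsed = parse_xmlrpc_call(body)
    if parsed is None:
        return "not-xmlrpc"
    method, params = parsed
    if method.lower() == POTAO_METHOD_NAME:
        return "potao"
    if any(looks_like_opaque_blob(p) for p in params):
        return "opaque"
    return "benign"


def scan_post_bodies(bodies):
    """Classify each (source, body) pair; returns a list of (source, verdict)."""
    return [(src, classify_xmlrpc(body)) for src, body in bodies]


# Constructed sample bodies. The blob is a stand-in for an encrypted request
# (deliberately non-text bytes, base64-encoded); it is not real Potao traffic.
_BLOB = base64.b64encode(bytes(range(0, 256, 3)) * 2).decode()
SAMPLE_BODIES = [
    ("10.1.2.15", (
        "<?xml version='1.0'?><methodCall>"
        f"<methodName>{POTAO_METHOD_NAME}</methodName>"
        f"<params><param><value><base64>{_BLOB}</base64></value></param></params>"
        "</methodCall>").encode()),
    ("10.1.2.16", b"<?xml version='1.0'?><methodCall><methodName>system.listMethods</methodName>"
                  b"<params></params></methodCall>"),
    ("10.1.2.17", (
        "<?xml version='1.0'?><methodCall><methodName>upload.chunk</methodName>"
        f"<params><param><value><string>{_BLOB}</string></value></param></params></methodCall>"
    ).encode()),
    ("10.1.2.18", b"{\"not\": \"xml\"}"),
]

if __name__ == "__main__":
    for src, verdict in scan_post_bodies(SAMPLE_BODIES):
        print(f"{src}: {verdict}")
```

The exact methodName match is the high-confidence signal; the opaque-blob heuristic is only a triage hint, because legitimate XML-RPC services (file uploads, backups) also move binary data this way. Note too that the summary describes the data exchange as encrypted after the key exchange, so there is nothing to inspect inside the blob and the detection has to live on the envelope.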
Posted: 12 Aug 2015 | 5:25 am
On 24/04/15 At 12:37 PM
Posted: 24 Apr 2015 | 1:37 am
If you’ve ever been to New Zealand, and then one day you were to wake up on Shikotan island (er, without knowing how you got there, or why you were asleep for so long, etc., etc.), you’d probably think you’d been teleported to NZ. They’re just so similar!
Non-volcanic gently rolling grassy landscapes, nano-bamboo, picturesque and seemingly carefully positioned trees. All neatly trimmed, colored, and – you’d think – Photoshopped, and sparkling under the inevitable Kuril rain. If sheep and sun were added – it’d be the carbon copy of NZ – somewhere around the center of the North Island.
Only the hobbits’ cubbyholes are missing
Shikotan – Kuril Newzealan!
The name of the island comes from Ainu and translates as ‘best island’. Yep, they got that right, those ancient Kuril aborigines :).
If Wiki is to be believed, the island has around 2000 inhabitants divided between two villages – Malokurilskoye and Krabozavodskoye. I’m afraid I’ve no photos of these places as we didn’t get round to visiting them.
So what else is there to see on Shikotan?
There’s Cape ‘Krai Sveta’ (‘edge of the world’) and its lighthouse.
Sadly I didn’t see either up close as I was recovering from the previous day’s ‘try everything’ mode and decided I’d best not hold up the other troops with my slowed tempo. However, those who did make it to the island said it was definitely worth it.
There’s simply tons of it lying about on the shores and in the surrounding waters here, just, well, lying there – with no one putting any claim to it. The posse therefore proceeded to search for and pocket some of the prettier specimens. Seemed a shame just to leave it there, abandoned. Turned out we gathered so much that when we embarked back onto the boat the waterline had sunk a bit :). Bizarrely, after all that careful selecting and stockpiling, most of the rocks were thrown overboard, much like the keen carp angler puts his catch back into the lake after taking so much trouble to hook it. Nowt queer as folk… :).
Still just off Shikotan, at last we were able to get some swimming in!
The water was a bearable 17°C – much warmer than on Simushir, where just looking at the ocean made you shiver. Here though, the conditions were just right for a diving contest – off the boat. Nice.
Btw, allegedly Shikotan is the only Kuril island on which snakes are found. Also here – plus on neighboring Kunashir and Iturup – can be found a most unusual plant, which the locals call Ipritka. The pollen (or oil) of this flora species is a really potent allergen, and if you come into contact with it things can get very painful – including serious burns. So if you’re ever here, dress appropriately and don’t touch anything!
Now, since we’ve already touched upon NZ in this post, let me return to that most important of questions – which place in the world is the most wildly beautiful?
Well, before our NZ adventure last year, in first place for beauty and natural unusualness – and unusual naturalness – was without a doubt Kamchatka. But then, despite some geographical nuances, Kamchatka was knocked off the top spot down to second place by the North and South Islands of New Zealand.
Then, after my crazy trip to see an eruption of Tolbachik in March-April 2013, Kamchatka once again was back on top!
Now about those nuances…
The main beauties of Kamchatka are all fairly close to one another – from around Klyuchevskaya Sopka in the north, down to Kurile Lake (and the Kambalny volcano) in the south. Whereas NZ’s best natural beauties are scattered across a much greater area. Thus, if to compare like with like, then the two islands of NZ need to be compared with Kamchatka individually. Now, Kamchatka is way cooler than either of the NZ islands on its own, but the two islands together – they destroy Kamchatka!
If we now compare NZ with Kamchatka plus the Kurils then NZ has no chance. Kamchatka + Kurils = the bomb! Oh yes. These Ks fall into my mind.
Which is the best? New Zealand or Russia’s Far East? The answer’s obvious!
The one downside to K+K: To get at their best gems you need to travel a lot further. Your suitcase of cash needs to be fatter too, but I won’t dwell on that…
But I’m not done yet! There’s still one more island I need to tell you about – Kunashir. Coming right up!…
All the photos are here.
Posted: 4 Sep 2014 | 5:46 am
If you’ve visited our website before, you may notice some changes this time around. Our old site served us well, but as we are moving forward as a company we felt it was time for a fresh new look for the website to reflect the fresh new ideas being developed in our company. Besides the attractive new color palette and flashy new slider, we’ve streamlined our content and cleaned things up. There are also a few new features to check out. You may have noticed Cyber Engineering Services in the news lately; we added a NEWS section where you can check out all the buzz and catch up on anything you missed. We have also added a section called LEADERSHIP where you can read a bit about the fearless leaders we have taking up the helm and keeping us on our toes here at Cyber Engineering Services.
If this is your first time visiting our site, look around and sample a few pages; we’ve tried our best to lay things out so it’s easy to find what you need quickly. If you still have questions, feel free to contact us; we’d love to talk with you. If you have suggestions for our website, feel free to comment below; we’d love to hear your feedback.
Posted: 3 Sep 2014 | 7:39 am