Home   Blog   Twitter   Database  

Bought PII from the government? PLEASE DON'T LOSE IT! 60 Sec Security [VIDEO]

Here's the latest episode of our weekly computer security roundup. The latest news presented so you can enjoy it...in just one minute!

Posted: 28 Feb 2015 | 6:02 am

Fork me! Uber hauls GitHub into court to find who hacked database of 50,000 drivers

Taxi biz demands IP addresses and more

Uber has subpoenaed GitHub to unmask netizens suspected of hacking its database of taxi drivers.…

Posted: 27 Feb 2015 | 5:59 pm

TorrentLocker Ransomware Uses Email Authentication to Refine Spam Runs

In monitoring the ransomware TorrentLocker, we noticed a new development in its arrival vector. In previous entries, we noted that a particular wave of the crypto-ransomware was using spammed messages that were designed to evade spam filters. Our research now shows that TorrentLocker malware are using emails that are designed to pass spam filters and also collect information.

Using SPF to DMARC

Previous spammed messages were authorized by the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF provides a mechanism to allow receivers to check that incoming mail from a domain is being sent from a host authorized by that domain’s owner. The list of authorized IP addresses for a domain is published in the domain’s DNS records.

The new TorrentLocker emails use Domain-based Message Authentication, Reporting and Conformance (DMARC), which is an email acceptance method. DMARC leverages SPF and DKIM, and sends reports to email senders, allowing them to:

Using DMARC Reports

The DMARC reports are intended for senders to gain “insight into the operation of your own infrastructure, those operated on your behalf by third parties, and the attacks on your domain or brand by bad actors.” Unfortunately, cybercriminals are using the same reports for gaining insights into the operation of their malicious schemes.

One spam campaign was sent by notice-nsw-gov.net.  We noted that the SPF and DMARC record were as follows:


notice-nsw-gov.net.     3600    IN      TXT     “v=spf1 ip4: a mx ~all”

notice-nsw-gov.net.     3600    IN      TXT     “v=DMARC1\; p=reject\; rua=mailto:admin@notice-nsw-gov.net”

It appears that the threat actors are collecting information from “rejected” emails, emails that do not pass the acceptance process performed in spam filters.

Note that each DMARC report contains information such as ISP information, mailbox provider name and contact details, IP addresses, SPF and DKIM authentication results.

For cybercriminals, the information can be used as feedback for their spam runs. If a DMARC report is sent back to a domain owned by cybercriminals, they can check the number of spammed emails that passed SPF and DKIM. The report will indicate which ISPs have considered their emails as “authenticated” and gives the ability to refine future spam runs.

A Persistent Presence

Based on SPN data starting from November 2014, we find that Australia remains the top country affected by this malware, whose family detection is CRYPTED.

Figure 1. Top countries affected by TorrentLocker

Using the number of detections in November 2014 as our baseline, we find that December experienced a noticeable spike. The number of detections dropped in January this year but soon rocketed in mid-February.

Figure 2. TorrentLocker activity since November 2014

Protection Against Spoofed Emails

Techniques like this show that while spam filters can help weed out junk or malicious messages, they aren’t foolproof. Cybercriminals will always try to find ways to bypass or dodge filters or authentication methods.

We advise users to remain cautious when dealing with legitimate-looking emails; they might be well-crafted spoofed emails. Avoid clicking links or opening attachments without confirming the email in question.

With additional insight from Doug Otis.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

TorrentLocker Ransomware Uses Email Authentication to Refine Spam Runs

Posted: 27 Feb 2015 | 3:40 pm

Collection of Pcap files from malware analysis

Update: Feb 19. 2015

We have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps.

I had a project to test some malicious and exploit pcaps and collected a lot of them (almost 1000) from various public sources. You can see them in the PUBLIC folder. The credits go to the authors of the pcaps listed in the name of each file. Please visit their blogs and sites to see more information about the pcaps, see their recent posts, and send them thanks. The public pcaps have no passwords on them.

Update:Dec 13. 2014 

Despite rare updates of this post, we have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps!

Update:Dec 31. 2013 - added new pcaps

I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. While there are some online public sandboxes offering pcaps for download like Cuckoo or Anubis but  looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus does not necessarily mean that it is.

I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.

Each file has the following naming convention:
BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.

I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

Thank you


Download all together or separately.

All pcaps archives have the same password (same scheme), email me if you need it. I tried posting it without any passwords and pass infected but they get flagged as malware. Modern AV rips though zips and zips with the pass 'infected' with ease.


See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
  2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
  3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
  4. 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
  5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
  6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
  7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
  8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
  9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
  10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
  11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
  12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
  13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
  14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
  15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
  16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
  17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
  18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic ssheet http://bit.ly/maltraffic )
  19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
  20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
  21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
  22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
  23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
  24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
  25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
  26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
  27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
  28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
  29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
  30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
  31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
  32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
  33. OSX_DocksterTrojan.pcap


See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
  2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
  3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
  4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
  5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
  6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
  7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
  8. 2013-08-15 BIN_torpigminiloader-pcap.zip
  9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
  10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
  11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
  12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
  13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
  14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
  15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
  16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
  17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
  18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
  19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
  20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
  21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
  23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
  25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
  26. BIN_CitadelPacked_2012-05.pcap
  27. BIN_CitadelUnpacked_2012-05.pcap
  28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
  29. BIN_Darkmegi_2012-04.pcap
  30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
  31. BIN_dirtjumper_2011-10.pcap
  32. BIN_DNSChanger_2011-12.pcap
  33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
  34. BIN_Googledocs_macadocs_2012-12.pcap
  35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
  36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
  37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
  38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
  39. BIN_purplehaze-2012-01.pcap
  40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
  41. BIN_Ramnitpcap_2012-01.pcap
  42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
  43. BIN_SpyEye_2010-02.pcap
  44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
  45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
  46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
  47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
  48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
  49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
  50. BIN_Tinba_2012-06.pcap
  51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
  52. BIN_Xpaj_2012-05.pcap
  53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
  54. BIN_ZeusGameover_2012-02.pcap
  55. BIN_Zeus_2010-12.pcap
  56. EK_Blackholev1_2012-03.pcap
  57. EK_Blackholev1_2012-08.pcap
  58. EK_Blackholev2_2012-09.pcap
  59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
  60. EK_Phoenix_2012-04.pcap
  61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com

Posted: 19 Feb 2015 | 5:56 am

Equation Group: from Houston with love

In 2009, an international scientific conference was held in Houston, USA. Leading scientists from several countries were invited to attend. As is traditional for such events, the organizers sent out a post-meeting CDROM containing a presentation with the best photos from the event. It is unlikely that any of the recipients expected that while they were enjoying the beautiful pictures and memories a nation-state sponsored Trojan Horse was activating silently in the background.


Photo slideshow played from the CD

Interestingly, it looks as if most of the attendees brought pens and paper instead of laptops.

Self-elevating Autorun

The disk contains two files in the root folder, an autorun.inf and autorun.exe. This is typical of many CDROMs. The autorun.inf simply executes the main EXE from root.  Here's what it looks like:

[AutoRun] open=Autorun.exe

More interesting is the autorun.exe binary, which has the following attributes:

Date of compilation 2009.12.23 13:37:33 (GMT)
Size 62464 bytes
MD5 6fe6c03b938580ebf9b82f3b9cd4c4aa

The program starts by checking the current user's privileges. If the current user has no administrative rights, it tries to elevate privileges using three different exploits for vulnerabilities in the Windows kernel. These vulnerabilities were patched by the following Microsoft patches:

Considering the date the CDROM was shipped, it means that two of the exploits were zero-days. It's notable that the code attempts different variants of kernel exploits, and does so in a loop, one by one, until one of them succeeds. The exploit set from the sample on the CDROM includes only three exploits, but this exploitation package supports the running of up to 10 different exploits, one after another. It's not clear whether this means that there is also a malware with 10 EoP exploits in it, or whether it's just a logical limitation.

The code has separate payloads for Windows NT 4.0, 2000, XP, Vista and Windows 2008, including variations for certain service pack versions. In fact, it runs twice: firstly, to temporarily elevate privileges, then to add the current user to the local administrators group on the machine, for privilege elevation persistence.

Such attacks were crafted only for important victims who couldn't otherwise be reached #EquationAPT #TheSAS2015


If these actions are successful, the module starts another executable from the disk, rendering the photo slideshow with pictures from the Houston conference.

At the end, just before exiting, the code runs an additional procedure that does some special tests. If the date of execution fell before 1 July 2010 and it detects no presence of Bitdefender Total Security 2009/2010 or any Comodo products, it loads an additional DLL file from the disk named "show.dll", waits for seven seconds, unloads the DLL and exits.

If the date fell after 1 July 2010, or any of the above products are installed, it drops execution immediately.

The "Show" Begins – introducing DoubleFantasy

The main loader and privilege escalation tool, "autorun.exe" fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as "show.dll" in the "Presentation" folder of the CDROM.

The DLL file has the following attributes:

Date of compilation 2009.03.20 17:42:21 (GMT)
Size 151'552 bytes
MD5 ef40fcf419954226d8c029aac8540d5a
Filename show.dll
Short Description DoubleFantasy installer

First it locates data in the resource section, unpacks (UCL) and XOR-decrypts configuration data from one of the resources.

Next it creates the following registry keys:

After that it sets the (Default) value for "Version" subkey as "", which identifies the implant version.

It also attempts to self-delete on the next reboot, which fails if it's started from the CD.

When run by the exploitation package "Autorun.exe", the program already has administrative privileges from one of the three exploits. However, the code checks again if it's running with administrative privileges, and attempts to elevate using just two kernel vulnerabilities:

This indicates that the DoubleFantasy installer has been designed to run independently from the disk from Houston with its "Autorun.exe".  In fact, we've observed the independent use of the DoubleFantasy installer in other cases as well.

The installer checks for security software using a list of registry keys and values stored in the resource section. The keys are checked in quite a delicate "non-alarming" way using key enumeration instead of direct key access. List of top level keys checked:

If any of them exist, the installer will mark the system by setting a special registry key:  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus

The mark will be in the form of {CE0F7387-0BB5-E60B-xxxx-xxxxxxxxxxxx} for the (Default) value data and will then exit.

If no security software is identified, it will unpack (UCL) and XOR-decrypt the main payload, which is extracted into %system%\ee.dll.

Remarkably, it loads the DLL using its own custom loader instead of using standard system LoadLibrary API call.

The module looks as if it was built using a set of components or libraries that perform:

This library code supports Win9x and the Windows NT family from NT4.0 to NT6.x. It should be mentioned that these libraries are not very well merged together. For instance, some parts of the code are unused.

Here's what the DoubleFantasy decoded configuration block looks like:


Decoded DoubleFantasy configuration block

Some of the C&Cs from DoubleFantasy configuration:

The DoubleFantasy malware copied into the victim's machine has the following properties:

Date of compilation 2009.03.31 15:32:42 (GMT)
Size 69'632 bytes
MD5 b8c0eb946de83fe8440fefbacf7de4a2
Filename ee.dll
Short Description DoubleFantasy implant

It should be noted that both the installer and the malware appear to have been compiled several months before "autorun.exe" from the CDROM, suggesting that they are more or less generic implants. It also suggests that the "autorun.exe" was probably compiled specially for the CDROM-based attack.

The DoubleFantasy Malware is the first step in the infection of a victim by the #EquationAPT Group #TheSAS2015


The Equation Group's DoubleFantasy implant is a validator-style Trojan which sends basic information about the system to the attackers. It also allows them to upload a more sophisticated Trojan platform, such as EquationDrug or GrayFish. In general, after one of these sophisticated platforms are installed, the attackers remove the DoubleFantasy implant. In case the victim doesn't check out, for example, if they are a researcher analysing the malware, the attackers can simply choose to uninstall the DoubleFantasy implant and clean up the victim's machine.

In fact, there are several known versions of the DoubleFantasy payload. The disk from Houston used version; while other versions were mostly delivered using web-exploits.

Decrypting configuration blocks from all known DoubleFantasy samples, we obtained the following internal version numbers:

Interestingly, the most popular versions are 8 and 12:


We will describe some of the versions that we managed to discover including, and

DoubleFantasy Payload v.

Md5 b8c0eb946de83fe8440fefbacf7de4a2
Size 69'632 bytes
Type Win32 GUI DLL
Timestamp Tue Mar 31 14:32:42 2009 (GMT)
Filenames ee.dll, actxprxy32.dll

This module uses a technique known as DLL COM hijacking which provides a capability to load the code in different processes.


First of all, it checks if the running module is named "ee.dll" and, if so, will undertake the final installation steps:

Original File Registry Key Registry Value New Value
(Variant 1)
New Value
(Variant 2)
linkinfo.dll HKLM\System\CurrentControlSet\ Control\SessionManager\KnownDLLs LINKINFO LI.DLL LINK32.DLL
hgfs1.dll HKLM\SYSTEM\CurrentControlSet\ Services\hgfs\networkprovider ProviderPath hgfs32.dll hgfspath.dll
midimap.dll HKLM\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Drivers32 midimapper midimapper.dll midimap32.dll
actxprxy.dll HKCR\CLSID\ {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\ InProcServer32 (Default) actxprxy32.dll actxprxyserv.dll

If an error occurs, it sets HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus\(Default) value to "0". Registry value {CE0F7387-0BB5-E60B-8B4E-xxxxxxxxxxxx} then contains xor-encrypted error code.

If there is an initialization error, if the hosting process is "explorer.exe" or "avp.exe", it supresses any exceptions and continues execution. This could indicate that if there were any errors in these processes they must not be shut down because of them.

To correctly hijack the replaced COM objects, the code exports a set of functions bound to original DLL files.

CompareLinkInfoReferents = linkinfo.CompareLinkInfoReferents
CompareLinkInfoVolumes = linkinfo.CompareLinkInfoVolumes
CreateLinkInfo = linkinfo.CreateLinkInfo
DestroyLinkInfo = linkinfo.DestroyLinkInfo
DisconnectLinkInfo = linkinfo.DisconnectLinkInfo
DllCanUnloadNow = actxprxy.DllCanUnloadNow
DllGetClassObject = actxprxy.DllGetClassObject
DllRegisterServer = actxprxy.DllRegisterServer
DllUnregisterServer = actxprxy.DllUnregisterServer
DriverProc = midimap.DriverProc
GetCanonicalPathInfo = linkinfo.GetCanonicalPathInfo
GetLinkInfoData = linkinfo.GetLinkInfoData
GetProxyDllInfo = actxprxy.GetProxyDllInfo
IsValidLinkInfo = linkinfo.IsValidLinkInfo
NPAddConncection = hgfs1.NPAddConncection
NPAddConncection3 = hgfs1.NPAddConncection3
NPCancelConncection = hgfs1.NPCancelConncection
NPCloseEnum = hgfs1.NPCloseEnum
NPEnumResource = hgfs1.NPEnumResource
NPFormatNetworkName = hgfs1.NPFormatNetworkName
NPGetCaps = hgfs1.NPGetCaps
NPGetConnection = hgfs1.NPGetConnection
NPGetResourceInformation = hgfs1.NPGetResourceInformation
NPGetResourceParent = hgfs1.NPGetResourceParent
NPOpenEnum = hgfs1.NPOpenEnum
ResolveLinkInfo = linkinfo.ResolveLinkInfo
modMessage = midimap.modMessage
modmCallback = midimap.modmCallback

The implants periodically run checks against a special file defined in config. If that file has changed since the last check, or at least a week has passed since the last check, it does the following:

The C&C communication code performs the following:

The following commands are supported by the backdoor:

Cmd code Command Name Description
Download&Run Group
J (0x4a) Create File Create an empty file; if file already exists get its size.
D (0x44) Append File Append chunk of data to a file (created by the "J" cmd).
V (0x56) Run or Copy Check CRC16 of file received via D command, delete it if the check fails.
Depending on the commands flag:
  • Copy file to a new location
  • Load file as a DLL
  • Start file as a new process
  • Load DLL using custom built-in loader and call "dll_u" export.
Upload Group
K (0x4b) Get File Size Get file size.
S (0x53) Read File Read file specified by 'K' command, send it to C&C. It can delete the file after transfer (under some condition).
Service Group
` (0x60) Get Info Collect info (IP and MAC addresses, implant version, system proxy server, Windows Registered Owner and Organization, Windows version and ProductID, Locale/Language and Country, Windows directory path, connection type, list of all HKLM\Software subkeys).
p (0x70) Set Victim ID Prepare to change Victim ID.
u (0x75) Set Interval Change C&C connection interval (seven days by default).
v (0x76) Set C&C IP Change primary C&C IP address.
x (0x78) Set File Path Change path and name of File-under-inspection.
(0x80) Read File Delete file specified in command.
B (0x42) Reset Victim ID Change Victim ID to the one set by Set Victim ID command:
Subcmd 0 – reconnect to C&C
Subcmd 1 – reset RC6 context
Subcmd 2 – uninstall

DoubleFantasy Payload v.

Location %System%\MSREGSTR.EXE
MD5 9245184228af33d3d97863daecc8597e
Size 31'089
Type Win32 GUI EXE
Timestamp Wed Mar 22 18:25:55 2006 (GMT)
Version Info FileDescription  Registration Software
LegalCopyright  Copyright © Microsoft Corp. 1993-1995
CompanyName  Microsoft Corporation
FileVersion        4.00.950
InternalName    MSREGSTR
OriginalFilename  MSREGSTR.EXE

Compared to version 8.2, version 8.1 implements the same tasks slightly differently.


DoubleFantasy Payload v.

Location %System%\actxprxy32.dll
MD5 562be0b1930fe5de684c2c530619d659
Size 151552
Type Win32 GUI DLL
Timestamp Wed Aug 04 07:55:07 2004 (GMT), probably fake

The implementation of version 12.2 is similar to version 8.2, although it is twice the size due to the addition of a big new library.

The main purpose of this new library to steal user names and passwords from:

In addition to browsers, the library can also inject malicious code and read the memory of other processes in order to obtain and decrypt users' passwords. The same library is also used inside the main EQUATIONDRUG orchestrator and TRIPLEFANTASY modules.

The library gathers stolen credentials and then probes them when accessing proxy server while connecting to the Internet, and, if a probe was successful, the valid credentials are encrypted with RC6 and encoded with BASE64 to be used later.

In this version the data encryption RC6 key is:
66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11

The traffic encryption RC6 key is:
32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C

The stolen user data is stored in the Windows registry as @WriteHeader value, inside two random keys in the   HKLM\SOFTWARE\Classes\CLSID\{77032DAA-B7F2-101B-A1F0-01C29183BCA1}\Containers node


The disk used in the Houston attack represents a rare and unusual operation for the Equation Group. We presume that such attacks were crafted only for important victims who couldn't otherwise be reached, for instance, through a web-based attack vector. This is confirmed by the fact that the exploitation library had three exploits inside, two of which were zero-days at the time.

The DoubleFantasy Malware is usually the first step in the infection of a victim by the Equation Group. Once the victim has been confirmed by communicating with the backdoor and checking various system parameters, a more sophisticated malware system is deployed, such as EquationDrug or Grayfish.


During the upcoming blogposts, we will continue to describe the more sophisticated malware families used by the Equation Group: EquationDrug and GrayFish.

Posted: 19 Feb 2015 | 1:00 am

The Equation Group Equals NSA / IRATEMONK

On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalog that lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".

"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."

Source: Wikimedia

"This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives."

On January 31, 2014, Bruce Schneier deemed IRATEMONK his "NSA Exploit of the Day" which prompted this from Nicholas Weaver.


"This is probably the most interesting of the BIOS-type implants."

"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."

Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA's ANT catalog.

Ars Technica has an excellent summary here: How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last.

On 17/02/15 At 01:20 PM

Posted: 17 Feb 2015 | 3:26 am

Revelo Updated

A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.


What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.


It’s a Javascript file. Malicious scripts are hard to detect because it’s so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end then evals it. The problem is trying to find the “end”. Can you find it?


First let’s deobfuscate this manually. You will need to find the end of all of the concatenation it’s doing then replace the eval with alert. After spending about a minute of eyeballing the script, I gave up. I did a search for “(a)” and found in the middle.


Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.


An easier way is just to append the short script at the end like this. When you run the script, you get the same result as above.


The deobfuscated script, by the way, makes an AJAX call to a website at tripenjoy.com, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.


The downloaded file is definitely not a JPEG image.


The payload keeps changing and the latest one I got was a nearly FUD malware according to VirusTotal.


I’ve been meaning to update Revelo and this script prompted me to do it. The latest version allows you to deobfuscate these types of scripts quicker now by doing the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.


Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!


The second method I added is called “Intercept Return and Variable”. What this will do is intercept a user-specified variable that’s being returned from a function back to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then onto a “CRYPT.decode” function. The decode function decodes the values, converts it to a string then returns the deobfuscated result which has been highlighted in red.


All you need to do is select the new method and enter “return output” and click on Execute. Done!


I also added three more options to the menu:


The latest version of Revelo is available on the Tools page.

Posted: 15 Feb 2015 | 6:57 pm

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

The following rule detects activity related to this exploit kit:

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:


[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf


Posted: 28 Oct 2014 | 9:30 pm

A More Realistic Perspective on Cybersecurity from the Director of the NSA

A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.

NSA Rodgers Urges Cyber-Resiliency

Posted: 19 Sep 2014 | 2:46 pm