Home   Blog   Twitter   Database  

US government whistleblowers left vulnerable to eavesdropping

In response to the HTTPS-Only Standard proposal, the ACLU name 29 branches of the Federal government that don't secure whistleblowers' data.

Posted: 19 Apr 2015 | 2:49 am

Colombian hacker who spied on gov-rebel peace talks jailed for 10 years

Quoted The Count of Monte Cristo at trial ...

A Colombian hacker has been incarcerated for 10 years for spying on the local government’s peace talks with Marxist rebels, among other offences, Fox News Latino reports.…

Posted: 17 Apr 2015 | 10:16 am

Moving Around

We're reorganizing numerous teams here at F-Secure Labs, and that means moving people around between the second and third floors in our Helsinki HQ.

Moving requires moving boxes and this is what the "Platforms" team did with them:

Great Wall of Sofa

Lab Dancing Inside

By the way — we're also expanding. There are several software engineering positions available on our APT team. No box building experience required.

Job openings

On 17/04/15 At 02:35 PM

Posted: 17 Apr 2015 | 3:35 am

Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House

Long-running APT campaign Operation Pawn Storm has begun the year with a bang, introducing new infrastructure and zeroing in on targets including North Atlantic Treaty Organization (NATO) members and even the White House. This is according to the latest intelligence gleaned from Trend Micro’s ongoing research into the attack group, and comes as a follow-up to our widely publicized October 2014 report.

Operation Pawn Storm: A Background

Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

The group is composed of a determined group of threat actors active since at least 2007 with a very specific modus operandi. We so named it due to the attackers’ use of multiple connected tools and tactics to hit a specific target – a strategy mirroring the chess move of the same name.

The group used three very distinct attack scenarios. One was to send spear-phishing emails with malicious Microsoft® Office documents containing the information-stealing SEDNIT/Sofacy malware. Another was to inject selective exploits into legitimate Polish government websites, leading to the same malware. A final strategy was to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.

Pawn Storm targeted mainly military, government and media organizations in the United States and its allies. We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government.

We also observed another update to Pawn Storm’s operations in February this year and found an iOS espionage app targeting Apple users.

What’s New with Operation Pawn Storm?

The first quarter of 2015 has seen a great deal of activity from the group. Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.

In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link.

Figure 1. Sample spear-phishing email

In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.

The emails usually have a link to what looks like a legitimate news site. When the target clicks on the link he will first load a fingerprinting script that feeds back details like OS, time zone, browser and installed plugins to the attackers. When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site. The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.

Figure 2. Screenshot of malicious HTML5 plugin

Same Old Tricks

Pawn Storm threat actors are also continuing with their phishing strategy. In fact, in autumn 2014 they set up a fake OWA webmail for a large US company which sells nuclear fuel to power stations.

Figure 3. Fake webmail login page of US company selling nuclear fuel

It’s not hard to see that a successful breach of this firm could lead to serious consequences. Other fake OWA servers include new ones targeting the armed forces of two European NATO members. A fake version of the webmail system of the NATO Liaison in the Ukraine was also put online in February this year.

White House Under Attack

Trend Micro has gathered evidence that the same group is eyeing the White House as a target. They targeted three popular YouTube bloggers with a Gmail phishing attack on January 26, 2015, four days after the bloggers had interviewed president Obama at the White House. This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place.

In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.

Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate. Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House

Posted: 16 Apr 2015 | 5:11 am

Microsoft Security Updates April 2015


Microsoft releases 11 Security Bulletins (MS15-032 through MS15-042) today, addressing a list of over 25 CVE-identified vulnerabilities for April of 2015. Critical vulnerabilities are fixed in Internet Explorer, Microsoft Office, and the network and graphics stacks. Most of the critical remote code execution (RCE) vulnerabilities reside in the IE memory corruption bugs for all versions of Internet Explorer (6-11) and the Microsoft Office use-after-free. updated: However, they appear to *almost* all be the result of private discoveries, at least, 24 of the 25. In reference to Office vulnerability CVE-2015-1641, "Microsoft is aware of limited attacks that attempt to exploit this vulnerability".

The Microsoft Office CVE-2015-1649 use-after free is a critical RCE impacting a variety of software and scenarios. The vulnerable code exists across desktop versions Word 2007, 2010, the Word Viewer and Office Compatibility apps, but not Word 2013 or Word for Mac. It's also critical RCE on the server-side in Word Automation Services on Sharepoint 2010 and Microsoft Office Web Apps Server 2010, but not SharePoint 2013 or Web Apps 2013.

As the new Verizon Data Breach 2015 report highlighted today, many exploits currently effective against targets are exploiting vulnerabilities patched long ago. According to their figures, many of the exploited CVE used on compromised hosts were published over a year prior. Microsoft provides Windows Update to easily keep your software updated, and Kaspersky products provide vulnerability scanners to help keep all of your software up-to-date, including Microsoft's. Please patch asap.

From the heap of vulnerabilities and fixes rated "Important", the Hyper-V DoS issue effects the newest Microsoft platform code: Windows 8.1 64-bit and Windows Server 2012 R2 (including the Server Core installation, which is fairly unusual). While the flawed code has not been found to enable EoP on other VMs within the Hyper-V host, attacked Hyper-V systems may lose management of all VMs in the Virtual Machine Manager.

Posted: 14 Apr 2015 | 10:58 am

An Overview of Exploit Packs (Update 24) Mar 2015

Update March 20, 2015

Added CVE-2015-0336

Reference table : Exploit References 2014-2015

Update February 19, 2015

Added Hanjuan Exploit kit and CVE-2015-3013 for Angler 

Update January 24, 2015 

Added CVE-2015-3010, CVE-2015-3011 for Agler and a few reference articles. 
If you notice any errors, or some CVE that need to be removed (were retired by the pack authors), please let me know. Thank you very much!

Update December 12, 2014

Update Jan 8, 2014

 This is version 20 of the exploit pack table - see the added exploit packs and vulnerabilities listed below.

                                             Exploit Pack Table Update 20                                           
  Click to view or download from Google Apps

I want to give special thanks to Kafeine  L0NGC47,  Fibon and  Curt Shaffer for their help and update they made.  Note the new Yara rules sheet / tab for yara rules for exploit kit.
I also want to thank Kahu securityKafeineMalforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w) < thank you!

The Wild Wild West image was created by Kahu Security  - It shows current and retired (retiring) kits.

List of changed kits
Gong Da / GonDad Redkit 2.2 x2o (Redkit Light)Fiesta (=Neosploit)  Cool  Styxy DotkaChef
CVE-2012-1889CVE-2013-2460CVE-2013-0634 CVE-2013-1493
CVE-2012-4681CVE-2013-2551 CVE-2013-2423

Angler FlashPack = SafePack White Lotus Magnitude (Popads)Nuclear 3.x Sweet Orange 
CVE-2013-2551 CVE-2013-2551CVE-2013-0634CVE-2013-0422CVE-2013-2551
CVE-2013-2471 ??CVE-2013-2471CVE-2013-2460

CK HiManNeutrino  Blackhole (last)Grandsoft  Private EK
CVE-2011-3544CVE-2010-0188CVE-2013-0431CVE-2013-0422CVE-2010-0188 CVE-2006-0003
CVE-2012-4792*CVE-2013-2465CVE-2013-2465*and + all or someCVE-2013-2423CVE-2013-1347
CVE-2013-0634* switch 2463*<>2465*from the previousCVE-2013-2423
CVE-2013-3897Possibly + exploitsversionCVE-2013-2460
* removedfrom the previous

Sakura 1.x LightsOutGlazunov Rawin Flimkit  Cool EK (Kore-sh)Kore (formely Sibhost) 
and + all or someCVE-2013-1690CVE-2013-2423CVE-2013-2471CVE-2013-2463
from the previous

Styx 4.0Cool Topic EK Nice EK
CVE-2013-2423and + all or some
CVE-2013-2463from the previous
Social Eng


The Explot Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish  to contribute and be able to make changes, please contact me (see email in my profile)
I want to thank L0NGC47, Fibon, and Kafeine,  Francois Paget, Eric Romang, and other researchers who sent information for their help.

Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX

Other changes
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

    There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits

March 2013
The Explot Pack Table, which has been just updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new

The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following 13 packs have been added (see exploit listing below)

  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 Update to 1.0 actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)  

The full table in xls format - Version 17 can be downloaded from here.  

Exploit lists for the added/updated packs

AssocAID (unconfirmed)
Unknown CVE


Neo Sploit


Black hole 2.0
CVE-2012-4969 promised

Black hole 1.2.5
CVE-2007-5659 /2008-0655

Private no name

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)

Java Signed Applet


Sweet Orange 1.1

Sweet Orange 1.0

Phoenix  3.1.15
CVE: 2010-0248
CVE: 2011-2371
Firefox social
CVE: 2012-0500


Sakura 1.1

Version 16. April 2, 2012

Thanks to Kahu security
for Wild Wild West graphic 

The full table in xls format - Version 16 can be downloaded from here. 



1. Blackhole Exploit Kit 1.2.3
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino  via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above- via Kahu Security
  1. CVE-2012-0507 - Java Atomic- after 1.8.91was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27  see Timo HirvonenContagio, Kahu Security and Michael 'mihi' Schierl 
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above 
there are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See V.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
  1. CVE-2012-0507 -  Java Atomic
  2. CVE-2011-3544 -  Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs

  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader  – LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB

  1. CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 -  WMP MIDI 
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x 
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security 
  1. CVE-2011-2140  - Flash 10.3.183.x
  2. CVE-2012-0003 -  WMP MIDI  
  3. CVE-2011-3544 - Java Rhino 
9. Dragon Pack - via DaMaGeLab  December 2010 - it is old, listing for curiosity sake

  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer

Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

 Hierarchy Exploit Pack

Siberia Private

Techno XPack

"Yang Pack"

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to  XyliBox (Xylitol - Steven),  Malware Intelligence blog,  and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .

The full table in xls format - Version 14 can be downloaded from here. 

The exploit pack table in XLSX format
The exploit pack table in csv format 

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)+
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)

List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. EL Fiiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty  1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack

Bleeding Life 3.0
New Version Ad is here 

Merry Christmas Pack
read analysis at
Best Pack
read analysis at 
Sava Pack
read analysis at
Eleonore 1.6.5 
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886
Salo Pack
Old (2009), added just for
the collection

Zero Pack
62 exploits from various packs (mostly Open Source pack)
LinuQ pack
Designed to compromise linux servers using vulnerable PHPMyAdmin. Comes with DDoS bot but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. it is not considered to be original, unique, new, or anything special. All exploits are public and known well.

It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than exploit pack.
It is using
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)

Version 12. May 26, 2011
additional changes (many thanks to kahusecurity.com)

See the list of packs covered in the list below

The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information  :)

Version 11 May 26, 2011 Changes:
    1. Phoenix2.7
    2. "Dloader" (well, dloader is a loader but the pack is  some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
    3. nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit


    10. May 8, 2011 Version 10        Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections. 

    *** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security  Wild Wild West Update

    As usual, send your corrections and update lists.

    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack  (not included) as reported as being a fake pack, here is a gui. Here is a threatpost article referencing it as it was used for an attack 
    Also, here is another article claiming it is not a fake http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1 Pack CVE are reportedly

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

     9.  April 5, 2011  Version 9        ExploitPackTable_V9Apr11

    It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

    Phoenix 2.5
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes

    8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to
      etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com,  evilcodecave.blogspot.com and blog.ahnlab.com)

    7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
     thanks to SecNiche we have updates for Phoenix 2.4 :)
    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

    6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
     Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

    5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

    4 Update 4  July 23, 2010  Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3  July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty 
    Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue
    Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

    Francois Paget  www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks, please do no hesitate to email me if you know the answer or if you see any errors.

    Please click on the image below to expand it (it is a partial screenshot)  Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.

    Posted: 20 Mar 2015 | 8:48 pm

    Malicious Word Macro Caught Using Sneaky Trick

    There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

    Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”


    Opening the Word document, first thing you’ll notice is the security warning and below it a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”


    Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.


    Using OfficeMalScanner, the macros, specifically the one called “ThisDocument” can be dumped to a file for analysis.


    Let’s try it with OleDump. It nicely shows the objects inside of the document.


    We can also dump the ‘ThisDocument’ object.


    Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.


    A quarter ways in, there’s some URLs to take note of.


    Basically the VBA macro builds a VBS script and writes it out.


    Interestingly, this VBS calls up a Powershell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from Internet then downloading an image for statistics and cleaning up.


    Let me download the file…


    And see what VirusTotal has to say…


    Regarding that image download, here’s what it is:


    The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.


    Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.


    The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.


    The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.


    Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.


    Sneaky indeed.

    Posted: 6 Mar 2015 | 8:24 pm

    From Russia with love: Sofacy/Sednit/APT28 is in town

    Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

    FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

    We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

    The techniques used by this group have evolved over the years.

    - Spearphishing

    Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

    As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

    We cover these tools using the following rules with USM:

    - Web compromises

    The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

    The following rule detects activity related to this exploit kit:

    - Phishing campaigns

    This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

    Inspecting the content of the malicious redirect we can alert on this activity using the following rule:


    [1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
    [2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
    [3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
    [4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
    [5] http://malware.prevenity.com/2014/08/malware-info.html
    [6] http://www.fireeye.com/resources/pdfs/apt28.pdf


    Posted: 28 Oct 2014 | 9:30 pm

    A More Realistic Perspective on Cybersecurity from the Director of the NSA

    A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

    The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

    Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

    At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

    If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.

    NSA Rodgers Urges Cyber-Resiliency

    Posted: 19 Sep 2014 | 2:44 pm