Home   Blog   Twitter   Database  

Obfuscated Flash Files Make Their Mark in Exploit Kits

In recent years, we noticed that more and more malicious Adobe Flash (.SWF) files are being incorporated into exploit kits like the Magnitude Exploit Kit, the Angler Exploit Kit, and the Sweet Orange Exploit Kit. However, we did some more digging and found out that the number of Flash files isn’t the only thing that has changed: these files use obfuscation techniques than files from two to three years ago.

Antivirus evasion is the primary goal of obfuscation. SWF files use obfuscation techniques to avoid detection by signatures and by emulation. While there are numerous obfuscation techniques, I will discuss four techniques that are commonly used and found in exploit kits.

String Replacement

In this technique, key data may be disguised as strings, which will be processed by the String.substr and String.replace APIs. If the data is numeric, it could be translated from the parseInt function.

Figure 1. Sample strings

Figure 1 comes from a sample of the Sweet Orange Exploit Kit. In this screenshot, the data is hidden in strings such as FRE2325D5E0CC4. This particular data is a memory address, used in malware code.

Special address values could also be hidden in strings that would be processed dynamically. Such a method could be used to evade signature detection by way of checking information in the constant pool. The constant pool saves important information that could be used by Flash Player—which can be used as a detection method.

Figure 2. Sample strings

In Figure 2, the value of _loc23_ is 0x9FRE2R9FRE2R9FRE2R9FRE2R. In reality, the value of _loc23_ is actually 0x90909090, which could be used as a NOP instruction in shellcode. The NOP instruction is often just a placeholder but this is often used in heap spraying. Thus, one simple detection technique would be to check for the value 0x90909090. Replacing it with 0x9FRE2R9FRE2R9FRE2R9FRE2R is a way of avoiding detection.

Array-based Embedded Flash

In this type of obfuscation, the malicious SWF content is stored in an Array object, which is built in a sub function, such as the function cartd() in the screenshot below. If they analyze the decompiled code, security products will not detect any malicious behavior (as the malicious SWF content did not load).

Figure  3. Sample from the Fiesta Exploit Kit

In Figure 3, the embedded SWF content is saved into the Array object. Once the array is deobfuscated,  the content is decoded and the embedded SWF content is loaded by the loadBytes API.

This sample also displays the string replacement technique. The strings writeUnsignedInt and addEventListener are used in decoding obfuscated data in SWF content. Here, they are processed via string concatenation. String concatenation is the process of appending one string to the end of another string. It would be hard to find evidence of malicious routines via string matching as concatenation would result in modified strings.

Control Flow Obfuscation

This type of obfuscation changes the control flow by the goto instruction. Control flow refers to “the order in which the individual statements, instructions, or function calls of an imperative or a declarative program are executed or evaluated.” Changing the control flow makes it difficult to literally read and process the malicious Flash file in p-code detections.

Figure 4. Changes in flow of code in the sample from the Angler Exploit Kit

Obfuscation in DoSWF Packer

As one of the more well-known exploit kits, the Magnitude Exploit Kit uses highly obfuscated malware. In this particular sample, it’s packed by a commercial Flash packer named DoSWF. A close look shows that the obfuscated data (the embedded .SWF file and some control data) is saved in the binary data tag.

Figure 5. Malicious SWF file saved in binary data; highlighted portion is the trademark of the packer used

The code below is used to extract content from the binary data shown in Figure 5. Here, ZG is a ByteArray that represents the obfuscated data. It defines its own memory domain—the Flash file runtime environment—by using flash.utils.ByteArray. Modifying its domain not only makes it harder for AV products to detect it but also make it easier for the malware to perform its routines. It then uses op_li8/op_li32 to use direct memory access through the avm2.intrinsics package. These could be used to evade emulators as most VM software do not implement these instruments. The intrinsic instruments are implemented by Tamarin, which is the ActionScript Virtual Machine (AVM) in Adobe Flash Player.

Figure 6. Code used to extract the binary data

Looking at the uncompressed data, we can see that some garbage .SWF files will be created in memory, which can disturb memory searches and make it harder for products and researchers to find the malware. It will then load the malicious .SWF file by calling the loadBytes API to execute the said file.

Figure 7. Garbage files generated

The Future of Flash Files

We predict that we will continue to see malicious Flash files be used in exploit kits. As Flash packers can easily obfuscate SWF files easily, we can predict that these will be used more in cybercriminals’ schemes. Of course, the increased use of Flash packers could also mean more difficulty in detecting the malicious files.

Trend Micro detects and blocks the malware (detected as SWF_EXPLOYT.MJE) mentioned in this entry.

Hashes for the samples mentioned in this entry are as follows:

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Obfuscated Flash Files Make Their Mark in Exploit Kits

Posted: 24 Nov 2014 | 10:32 am

Google Contributor: would you pay to remove ads on websites? [POLL]

Google has invited web users to pay a monthly fee instead of continuing to see Google-served adverts on their favourite websites.

Posted: 24 Nov 2014 | 8:27 am

Regin: Nation-state ownage of GSM networks

Motto: "Beware of Regin, the master! His heart is poisoned. He would be thy bane..."
"The Story of Siegfried" by James Baldwin
 

Introduction, history

Download our full Regin paper (PDF).

In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.

For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.

It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.

The victims of Regin fall into the following categories:

So far, we've observed two main objectives from the attackers:

While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.

Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.

Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.

Initial compromise and lateral movement

The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.

The Regin platform

In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.

The platform is extremely modular in nature and has multiple stages.

Regin-graph-three

Regin platform diagram

The first stage ("stage 1") is generally the only executable file that will appear in victim' systems. Further stages are stored either directly on the hard drive (for 64 bit systems), as NTFS Extended Attributes or registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.

The second stage has multiple purposes and can remove the Regin infection from the system if instructed so by the 3rd stage.

The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:

Stage 3 exists only on 32 bit systems - on 64 bit systems, stage 2 loads the dispatcher directly, skipping the third stage.

Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.

The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.

A thorough description of all malware stages can be found in our full technical paper.

Virtual File Systems (32/64-bit)

The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).

During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including format of the Regin VFSes, see our technical paper.

Unusual modules and artifacts

With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:

Another module we found, which is a plugin type 55001.0 references another codename, which is U_STARBUCKS:

regin_starbucks

GSM Targeting

The most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One VFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station Controller.

868px-Gsm_structures.svg

From https://en.wikipedia.org/wiki/Base_station_subsystem

According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."

Here's a look at the decoded Regin GSM activity log:

regin_gsmlog

This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.

oss_commands

The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language as defined by ITU-T) commands.

Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:

2008-04-25 11:12:14: rxmop:moty=rxotrx;
2008-04-25 11:58:16: rxmsp:moty=rxotrx;
2008-04-25 14:37:05: rlcrp:cell=all;
2008-04-26 04:48:54: rxble:mo=rxocf-170,subord;
2008-04-26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a;
2008-04-26 10:06:03: IOSTP;
2008-04-27 03:31:57: rlstc:cell=pty013c,state=active;
2008-04-27 06:07:43: allip:acl=a2;
2008-04-28 06:27:55: dtstp:DIP=264rbl2;
2008-05-02 01:46:02: rlstp:cell=all,state=halted;
2008-05-08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83&512&93&90&514&522,listtype=active;
2008-05-08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x;
2008-05-12 17:28:29: rrtpp:trapool=all;


Descriptions for the commands:

The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:

sed[snip]:Alla[snip]
hed[snip]:Bag[snip]
oss:New[snip]
administrator:Adm[snip]
nss1:Eric[snip]

In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.

Communication and C&C

The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes. The purpose of such a complex infrastructure is to achieve two goals: give attackers access deep into the network, potentially bypassing air gaps and restrict as much as possible the traffic to the C&C.

Here's a look at the decoded configurations:

17.3.40.101 transport 50037 0 0 y.y.y.5:80 ; transport 50051 217.y.y.yt:443
17.3.40.93 transport 50035 217.x.x.x:443 ; transport 50035 217.x.x.x:443
50.103.14.80 transport 27 203.199.89.80 ; transport 50035 194.z.z.z:8080
51.9.1.3 transport 50035 192.168.3.3:445 ; transport 50035 192.168.3.3:9322
18.159.0.1 transport 50271 DC ; transport 50271 DC


In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 203.199.89.80.

The numbers right after the "transport" indicate the plugin that handles the communication. These are in our case:

The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.

After decoding all the configurations we've collected, we were able to identify the following external C&Cs.

C&C server IP Location Description
61.67.114.73 Taiwan, Province Of China Taichung Chwbn
202.71.144.113 India, Chetput Chennai Network Operations  (team-m.co)
203.199.89.80 India, Thane Internet Service Provider
194.183.237.145 Belgium, Brussels Perceval S.a.

One particular case includes a country in the Middle East. This case was mind-blowing so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank.

These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.

This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicions. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible for the president's office sysadmins will be only with the bank, in the same country.

Regin-graph-one

Victim Statistics

Over the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.

Regin-graph-two

So far, victims of Regin were identified in 14 countries:

In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.

From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island in the Pacific, with a population around 100,000.

More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: intelreports@kaspersky.com

Attribution

Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.

regin_timestamps

As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.

More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: intelreports@kaspersky.com

Conclusions

For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.

The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.

From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.

The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.

Full technical paper with IOCs.

Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.

If you detect a Regin infection in your network, contact us at: intelservices@kaspersky.com

Posted: 24 Nov 2014 | 6:00 am

The Regin Espionage Toolkit

Regin is the latest in the line of sophisticated espionage toolkits used to target a range of organizations around the world. As already reported, it's one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe.

The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of "pciclass.sys" seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.

Regin File Header

As can be seen from the screenshot above, the driver was apparently compiled already on 7th of March 2008, but other samples with earlier timestamps indicate that the campaign is even older than this.

The driver turned out to be just one component of a multi-stage threat. The embedded configuration in the driver showed it could use either a registry key or the NTFS filesystem Extended Attributes to load the next stage of the malware.

Regin config

We've seen at least the following registry keys being used for the next stage payload:

  •  \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}:Class
  •  \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}:Class
  •  \REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList:VideoBase

The following folders containing an NTFS Extended Attribute with the name "_" have also been seen to store the next stage payload, which can actually be split between two different attributes:

  •  %WINDIR%
  •  %WINDIR%\security
  •  %WINDIR%\repair
  •  %WINDIR%\msapps
  •  %WINDIR%\msagent
  •  %WINDIR%\Cursors
  •  %WINDIR%\fonts
  •  %WINDIR%\Temp
  •  %WINDIR%\msagent\chars
  •  %WINDIR%\Help
  •  %WINDIR%\inf
  •  %WINDIR%\Spool\Printers
  •  %WINDIR%\CertSrv

During 2013 and 2014, as we have been analyzing the later versions of Regin, the complexity and the level of sophistication in the attacks has become very evident. We would place Regin in the same category of highly sophisticated espionage campaigns together with the likes of Stuxnet, Flame, and Turla/Snake.

As always, attribution is difficult with cases like this. Our belief is that this malware, for a change, isn't coming from Russia or China.

On 23/11/14 At 10:54 PM

Posted: 24 Nov 2014 | 1:59 am

You stupid BRICK! PCs running Avast AV can't handle Windows fixes

Fix issued, fingers pointed, forums in flames

Security software outfit Avast are trying to figure out why the combination of recent Windows patches and updates to the latter company's software are breaking PCs.…

Posted: 24 Nov 2014 | 12:32 am

AlienSpy Java RAT samples and traffic information



AlienSpy Java based cross platform RAT is another reincarnation of ever popular Unrecom/Adwind and Frutas RATs that have been circulating through 2014.

It appears to be used in the same campaigns as was Unrccom/Adwind - see the references. If C2 responds, the java RAT downloads Jar files containing Windows Pony/Ponik loader. The RAT is crossplatform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux.

The samples, pcaps, and traffic protocol information  are available below.




File information


I
File: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Size: 131178
MD5:  DB46ADCFAE462E7C475C171FBE66DF82

File: 01234.exe (Pony loader dropped by FAB8DE636D6F1EC93EEECAADE8B9BC68 - Transfer.jar_
Size: 792122
MD5:  B5E7CD42B45F8670ADAF96BBCA5AE2D0

II
File: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
Size: 125985
MD5:  79E9DD35AEF6558461C4B93CD0C55B76

III
File: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
Size: 49084
MD5:  b2856b11ff23d35da2c9c906c61781ba


Download


Download. Email me if you need the password
Original jar attachment files
B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar

Pcap files download
AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap
AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap
Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap

All files with created and downloaded


References

Research:
Boredliner: Cracking obfuscated java code - Adwind 3 << detailed java analysis
Fidelis: RAT in a jar:A phishing campaign using Unrecom May 21, 2014
Crowdstrike: Adwind RAT rebranding
Symantec:Adwind RAT
Symantec: Frutas RAT
Symantec: Ponik/Pony

Java Serialization References: 
https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
http://www.kdgregory.com/index.php?page=java.serialization
http://staf.cs.ui.ac.id/WebKuliah/java/MasteringJavaBeans/ch11.pdf


Additional File details


Alienspy RAT
The following RAT config strings are extracted from memory dumps. Alienspy RAT is a reincarnated Unrecom/Adwind << Frutas RAT and is available from https://alienspy.net/
As you see by the config, it is very similar to Unrecom/Adwind
File: paymentadvice.jar
Size: 131178

MD5:  DB46ADCFAE462E7C475C171FBE66DF82
    ───paymentadvice.jar
        ├───META-INF
        │       MANIFEST.MF  <<MD5:  11691d9f7d585c528ca22f7ba6f4a131 Size: 90
        │
        ├───plugins
        │       Server.class <<MD5:  3d9ffbe03567067ae0d68124b5b7b748 Size: 520 << Strings are here
        │
        └───stub
                EcryptedWrapper.class <<MD5:  f2701642ac72992c983cb85981a5aeb6 Size: 89870
                EncryptedLoader.class <<MD5:  3edfd511873b30d1373a4dc54db336ee Size: 223356
                EncryptedLoaderOld.class << MD5:  b0ef7ff41caf69d9ae076c605653c4c7 Size: 15816
                stub.dll << MD5:  64fb8dfb8d25a0273081e78e7c40ca5e Size: 43648 << Strings are here


Alienspy Rat Config strings
DB46ADCFAE462E7C475C171FBE66DF82
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="vbox">false</entry>
<entry key="password">a2e74aef2c17329f0e8e8f347c62a6a03d16b944</entry>
<entry key="p2">1079</entry>
<entry key="p1">1077</entry>
<entry key="ps_hacker">false</entry>
<entry key="install_time">2000</entry>
<entry key="taskmgr">false</entry>
<entry key="connetion_time">2000</entry>
<entry key="registryname">GKXeW0Yke7</entry>
<entry key="wireshark">false</entry>
<entry key="NAME">IHEAKA</entry>
<entry key="jarname">unXX0JIhwW</entry>
<entry key="dns">204.45.207.40</entry>
<entry key="ps_explorer">false</entry>
<entry key="msconfig">false</entry>
<entry key="pluginfoldername">m4w6OAI02f</entry>
<entry key="extensionname">xBQ</entry>
<entry key="install">true</entry>
<entry key="win_defender">false</entry>
<entry key="uac">false</entry>
<entry key="jarfoldername">9bor9J6cRd</entry>
<entry key="mutex">xooJlYrm61</entry>
<entry key="prefix">IHEAKA</entry>
<entry key="restore_system">false</entry>
<entry key="vmware">false</entry>
<entry key="desktop">true</entry>
<entry key="reconnetion_time">2000</entry>
</properties>

IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver



79E9DD35AEF6558461C4B93CD0C55B76
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="pluginfolder">fy0qFUFuLP</entry>
<entry key="reconnetion_time">3000</entry>
<entry key="ps_hacker">true</entry>
<entry key="restore_system">true</entry>
<entry key="pluginfoldername">fy0qFUFuLP</entry>
<entry key="dns">38.89.137.248</entry>
<entry key="install_time">3000</entry>
<entry key="port2">1065</entry>
<entry key="port1">1064</entry>
<entry key="taskmgr">true</entry>
<entry key="vmware">false</entry>
<entry key="jarname">LcuSMagrlF</entry>
<entry key="msconfig">true</entry>
<entry key="mutex">VblVc5kEqY</entry>
<entry key="install">true</entry>
<entry key="instalar">true</entry>
<entry key="vbox">false</entry>
<entry key="password">7110eda4d09e062aa5e4a390b0a572ac0d2c0220</entry>
<entry key="NAME">xmas things</entry>
<entry key="extensionname">7h8</entry>
<entry key="prefix">xmas</entry>
<entry key="jarfoldername">jcwDpUEpCh</entry>
<entry key="uac">true</entry>
<entry key="win_defender">true</entry>
<entry key="

IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States us flag


Created Files

I
 DB46ADCFAE462E7C475C171FBE66DF82  paymentadvice.jar

%USERPROFILE%\Application Data\evt88IWdHO\CnREgyvLBS.txt <<MD5:  abe6ef71e44d2e145033800d0dccea57 << strings are here (by classes)
%USERPROFILE%\Application Data\evt88IWdHO\Desktop.ini
%USERPROFILE%\Local Settings\Temp\asdqw15727804162199772615555.jar << Strings are here
%USERPROFILE%\Local Settings\Temp\iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) <<MD5:  fab8de636d6f1ec93eeecaade8b9bc68 Size: 755017 << Strings are here
%USERPROFILE%\29OVHAabdr.tmp << timestamp file << Strings are here

\deleted_files\%USERPROFILE%\\29OVHAabdr.tmp << timestamp file << Strings are here
\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\Desktop.ini << Strings are here
\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\unXX0JIhwW.txt <MD5:  DB46ADCFAE462E7C475C171FBE66DF82 < original jar << Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\14583359.bat << Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\asdqw4727319084772952101234.exe << Pony Downloader MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122 < Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\OiuFr7LcfXq1847924646026958055.vbs <<MD5:  9E1EDE0DEDADB7AF34C0222ADA2D58C9 Strings are here
\deleted_files\%USERPROFILE%\\xooJlYrm61.tmp < timestamp file << Strings are here
\deleted_files\C\WINDOWS\tem.txt - 0bytes

IWIMMQLGPST2624529381479181764.PNG MD5: fab8de636d6f1ec93eeecaade8b9bc68

├───com
│   └───java
│       │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
│       │   Manifest.mf << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
│               │   01234.exe << MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122
│               │   15555.jar << MD5:  abe6ef71e44d2e145033800d0dccea57 Size: 50922
│              
│               └───15555
│                   │   ID
│                   │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
│                   │   MANIFEST.MF << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
│                   │
│                   ├───META-INF
│                   └───plugins
└───META-INF
        MANIFEST.MF << MD5:  042c2fa9077d96478ce585d210641d9a Size: 171


File types
  1. 14583359.bat (.txt) "Text file"
  2. 29OVHAabdr.tmp (.txt) "Text file"
  3. asdqw15727804162199772615555.jar (.zip) "PKZIP Compressed"
  4. asdqw4727319084772952101234.exe (.exe) "Executable File" 
  5. CnREgyvLBS.txt (.zip) "PKZIP Compressed"
  6. Desktop.ini (.txt) "Text file"
  7. DFR5.tmp (.txt) "Text file"
  8. iWimMQLgpsT2624529381479181764.png (.zip) "Zip Compressed"
  9. iWimMQLgpsT2624529381479181764.png (.zip) "PKZIP Compressed"
  10. OiuFr7LcfXq1847924646026958055.vbs (.txt) "Vbs script file"
  11. tem.txt (.txt) "Text file"
  12. unXX0JIhwW.txt (.zip) "PKZIP Compressed"
  13. xooJlYrm61.tmp (.txt) "Text file"
II

79e9dd35aef6558461c4b93cd0c55b76 Purchase Order.jar
Received: from magix-webmail (webmail.app.magix-online.com [193.254.184.250])
by smtp.app.magix-online.com (Postfix) with ESMTPSA id B626052E77F;
Sun, 16 Nov 2014 14:54:06 +0100 (CET)
Received: from 206.217.192.188 ([206.217.192.188]) by
 webmail.magix-online.com (Horde Framework) with HTTP; Sun, 16 Nov 2014
 14:54:06 +0100
Date: Sun, 16 Nov 2014 14:54:06 +0100
Message-ID: <20141116145406.Horde.YL7L4Bi7ap6_NXm76DDEaw2@webmail.magix-online.com>
From: Outokumpu Import Co Ltd <purchase@brentyil.org>
Subject: Re: Confirm correct details
Reply-to: jingwings@outlook.com
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Content-Type: multipart/mixed; boundary="=_FMdois7zoq7xTAV91epZoQ6"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
This message is in MIME format.
--=_FMdois7zoq7xTAV91epZoQ6
Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Dear Sir,
Please confirm the attached purchase order for your reference.
Please acknowledge Invoice for the final confirmation and confirm  
details are correct so we can proceed accordingly.
Please give me feedback through this email.
IBRAHIM MOHAMMAD AL FAR
Area Manager 
Central Region
Outokumpu Import Co Ltd
Tel:   +966-11-265-2030
Fax:  +966-11-265-0350
Mob: +966-50 610 8743
P.O Box: 172 Riyadh 11383
Kingdom of Saudi Arabia
--=_FMdois7zoq7xTAV91epZoQ6
Content-Type: application/java-archive; name="Purchase Order.jar"
Content-Description: Purchase Order.jar
Content-Disposition: attachment; size=125985; filename="Purchase Order.jar"
Content-Transfer-Encoding: base64

File paths
%USERPROFILE%\Application Data\jcwDpUEpCh\Desktop.ini
%USERPROFILE%\Application Data\jcwDpUEpCh\LcuSMagrlF.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\3884
%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor267205042636993976.reg
deleted_files\%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\C\WINDOWS\tem.txt

File types
Desktop.ini (.txt) "Text file"
index.dat (.txt) "Text file"
LcuSMagrlF.txt (.zip) "PKZIP Compressed"
TaskNetworkGathor267205042636993976.reg (.txt) "Text file"
tem.txt (.txt) "Text file"
VblVc5kEqY.tmp (.txt) "Text file"

MD5 list
Desktop.ini     e783bdd20a976eaeaae1ff4624487420
index.dat       b431d50792262b0ef75a3d79a4ca4a81
LcuSMagrlF.txt  79e9dd35aef6558461c4b93cd0c55b76
79e9dd35aef6558461c4b93cd0c55b76.malware       79e9dd35aef6558461c4b93cd0c55b76
TaskNetworkGathor267205042636993976.reg        6486acf0ca96ecdc981398855255b699 << Strings are here
tem.txt         d41d8cd98f00b204e9800998ecf8427e
VblVc5kEqY.tmp  b5c6ea9aaf042d88ee8cd61ec305880b

III
B2856B11FF23D35DA2C9C906C61781BA Purchase Order.jar
File paths
%USERPROFILE%\Application Data\Sys32\Desktop.ini
%USERPROFILE%\Application Data\Sys32\Windows.jar.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\1132
%USERPROFILE%\WWMI853JfC.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor7441169770678304780.reg
deleted_files\%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat
deleted_files\%USERPROFILE%\WWMI853JfC.tmp
deleted_files\C\DFRA.tmp

deleted_files\C\WINDOWS\tem

File type list
Desktop.ini (.txt) "Text file"
DFRA.tmp (.txt) "Text file"
index.dat (.txt) "Text file"
TaskNetworkGathor7441169770678304780.reg (.txt) "Text file"
tem (.txt) "Text file"
Windows.jar.txt (.zip) "PKZIP Compressed"

WWMI853JfC.tmp (.txt) "Text file"

MD5 list
Desktop.ini     e783bdd20a976eaeaae1ff4624487420
DFRA.tmp        d41d8cd98f00b204e9800998ecf8427e
index.dat       b431d50792262b0ef75a3d79a4ca4a81
purchase.jar    b2856b11ff23d35da2c9c906c61781ba
TaskNetworkGathor7441169770678304780.reg       311af3b9a52ffc58f46ad83afb1e93b6
tem             d41d8cd98f00b204e9800998ecf8427e
Windows.jar.txt b2856b11ff23d35da2c9c906c61781ba
WWMI853JfC.tmp  8e222c61fc55c230407ef1eb21a7daa9



Traffic Information

Java Serialization Protocol traffic info

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 2a 1f 8b  08 00 00 00 00 00 00 00 xp...*.. ........
00000025  6d 54 dd 8e d3 46 18 1d  12 16 b2 bb 59 40 fc 5d mT...F.. ....Y@.]
00000035  bb 52 2b 71 83 d7 76 1c  3b a1 12 10 58 16 36 2c .R+q..v. ;...X.6,
00000045  14 95 56 1b 24 4b d6 17  7b 9c cc 66 3c e3 ce 8c ..V.$K.. {..f<...
00000055  d7 a6 17 7d 8e 3e 44 1f  a0 12 2f c1 43 f4 b6 ef ...}.>D. ../.C...
00000065  d0 cf 6c 76 1d 2a 22 d9  19 7b be 9f 73 be 73 c6 ..lv.*". .{..s.s.
00000075  7f fd 4b b6 b4 22 77 4f  e1 0c ec d2 30 6e bf 53 ..K.."wO ....0n.S

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - OSX Lion
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 33 1f 8b  08 00 00 00 00 00 00 00 xp...3.. ........
00000025  75 54 cd 6e db 46 10 de  c8 b5 2d ff 26 c8 1f 7a uT.n.F.. ..-.&..z
00000035  54 0f 45 7b d1 92 5c d1  94 89 02 4d 94 c0 b1 a5 T.E{..\. ...M....
00000045  d8 4d 51 23 89 73 22 56  dc a5 b5 16 b9 cb ec 2e .MQ#.s"V ........

B2856B11FF23D35DA2C9C906C61781BA on Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 63 1f 8b  08 00 00 00 00 00 00 00 xp...c.. ........
00000025  6d 54 5d 6e db 46 10 de  48 91 2d db 8a 13 24 41 mT]n.F.. H.-...$A
00000035  fa ca 3e 14 08 0a 84 e6  bf a4 16 68 9a c4 75 1b ..>..... ...h..u.
00000045  c3 6e 0d b8 85 13 80 00  31 22 57 d2 5a e4 ee 76 .n...... 1"W.Z..v

79E9DD35AEF6558461C4B93CD0C55B76 - Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 69 1f 8b  08 00 00 00 00 00 00 00 xp...i.. ........
00000025  6d 54 dd 6e db 36 14 66  ed fc 38 89 9b 16 ed d0 mT.n.6.f ..8.....
00000035  de 6a 17 03 8a 01 53 28  d9 92 ed 0d e8 d6 34 71 .j....S( ......4q

00000045  b6 c0 19 02 64 69 3b c0  80 70 2c d1 36 6d 4a 62 ....di;. .p,.6mJb



Serialization Protocol decoding:


The following fields are part of the serialization protocol and are 'benign" and common.

AC ED (¬í) - Java Serialization protocol magic STREAM_MAGIC = (short)0xaced. 
00 05    -  Serialization Version STREAM_VERSION
75    (u) - Specifies that this is a new array - newArray: TC_ARRAY
72          (r) -  Specifies that this is a new class - newClassDesc: TC_CLASSDESC
00 02        - Length of the class name
5B 42 AC F3 17 F8 06 08 54 E0 ([B¬ó.ø..Tà) This is a Serial class name and version identifier section but data appears to be encrypted
02 00   - Is Serializable Flag - SC_SERIALIZABLE 
78 70  (xp)  - some low-level information identifying serialized fields
1f 8b 08 00 00 00 00 00 00 00 - GZIP header as seen in the serialization stream

As you see, all Windows traffic captures have identical fields  following the GZIP stream, while OSX traffic has different data. The jar files that had Pony Downloader payload did not have other OSX malware packaged and I saw no activity on OSX other than calling the C2 and writing to the randomly named timestamp file (e.g VblVc5kEqY.tmp - updating current timestamp in Unix epoch format)

Combination of the Stream Magic exchange, plus all other benign fields in this order will create a usable signature. However, it will be prone to false positives unless you use fields after the GZIP header for OS specific signatures

Another signature can be based on the transfer. jar download as seen below


DB46ADCFAE462E7C475C171FBE66DF82  - downloading fab8de636d6f1ec93eeecaade8b9bc68 
iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) , which contains 15555.jar in Manifest.mf, which contains 15555.exe (Pony loader) in its' Manfest.mf

IHEAKA _000C297  << IHEAKA is the name of the RAT client, it is different in each infection.

00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  77 04                                            w.
00000006  00 00 00 01                                      ....
0000000A  77 15                                            w.
0000000C  00 13 49 48 45 41 4b 41  5f 30 30 30 43 32 39 37 ..IHEAKA _000C297
0000001C  42 41 38 44 41                                   BA8DA
    00000004  77 0e 00 0c 54 72 61 6e  73 66 65 72 2e 6a 61 72 w...Tran sfer.jar
    00000014  7a 00 00 04 00 50 4b 03  04 14 00 08 08 08 00 46 z....PK. .......F
    00000024  0c 71 45 00 00 00 00 00  00 00 00 00 00 00 00 14 .qE..... ........
    00000034  00 04 00 4d 45 54 41 2d  49 4e 46 2f 4d 41 4e 49 ...META- INF/MANI
    00000044  46 45 53 54 2e 4d 46 fe  ca 00 00 4d 8d 4d 0b c2 FEST.MF. ...M.M..

---- snip----

000ABBA0  00 09 00 00 00 31 35 35  35 35 2e 6a 61 72 74 97 .....155 55.jart.
    000ABBB0  43 70 26 8c a2 44 63 db  9c d8 b6 9d 7c b1 6d db Cp&..Dc. ....|.m.
    000ABBC0  c6 c4 b6 6d db b6 6d db  99 d8 76 f2 fe e5 dd bc ...m..m. ..v.....


Pony downloader traffic

 HTTP requests
URL: http://meetngreetindia.com/scala/gate.php
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://meetngreetindia.com/scala/gate.php
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
 DNS requests
meetngreetindia.com (50.28.15.25)
 TCP connections
50.28.15.25:80

IP: 50.28.15.25
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

https://www.virustotal.com/en/ip-address/50.28.15.25/information/




IP-Domain Information
I
DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar 
IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver

meetngreetindia.com (50.28.15.25)
 TCP connections
50.28.15.25:80
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

II
79E9DD35AEF6558461C4B93CD0C55B76 Purchase order.jar
IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States us flag

III
2856B11FF23D35DA2C9C906C61781BA Purchase order.jar
installone.no-ip.biz
IP Address:   185.32.221.17
Country:      Switzerland
Network Name: CH-DATASOURCE-20130812
Owner Name:   Datasource AG
From IP:      185.32.220.0
To IP:        185.32.223.255
Allocated:    Yes
Contact Name: Rolf Tschumi
Address:      mgw online service, Roetihalde 12, CH-8820 Waedenswil
Email:        rolf.tschumi@mgw.ch
Abuse Email:  abuse@softplus.net
   








Virustotal

https://www.virustotal.com/en/file/02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45/analysis/SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
MD5 db46adcfae462e7c475c171fbe66df82
SHA1 2b43211053d00147b2cb9847843911c771fd3db4
SHA256 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
ssdeep3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
File size 128.1 KB ( 131178 bytes )
File type ZIP
Magic literalZip archive data, at least v2.0 to extract
TrID ZIP compressed archive (100.0%)
File name: Payment Advice.jar
Detection ratio: 6 / 54
Analysis date: 2014-11-16 20:58:08 UTC ( 1 day, 4 hours ago )
Ikarus Trojan.Java.Adwind 20141116
TrendMicro JAVA_ADWIND.XXO 20141116
TrendMicro-HouseCall JAVA_ADWIND.XXO 20141116
DrWeb Java.Adwind.3 20141116
Kaspersky HEUR:Trojan.Java.Generic 20141116
ESET-NOD32 a variant of Java/Adwind.T 20141116

https://www.virustotal.com/en/file/733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c/analysis/1416194595/
SHA256: 733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c
MD5 fab8de636d6f1ec93eeecaade8b9bc68
File name: iWimMQLgpsT2624529381479181764.png
Detection ratio: 23 / 53
Analysis date: 2014-11-17 03:23:15 UTC ( 0 minutes ago )
AVG Zbot.URE 20141116
Qihoo-360 Win32/Trojan.fff 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Fortinet W32/Inject.SXVW!tr 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141117
AVware Trojan.Win32.Generic!BT 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
Symantec Trojan.Maljava 20141117
McAfee RDN/Generic Exploit!1m3 20141117
McAfee-GW-Edition RDN/Generic Exploit!1m3 20141117
Sophos Mal/JavaJar-A 20141117
Avast Java:Malware-gen [Trj] 20141117
Cyren Java/Agent.KS 20141117
F-Prot Java/Agent.KS 20141117
Kaspersky HEUR:Trojan.Java.Generic 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
BitDefender Gen:Variant.Kazy.494557 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Ikarus Exploit.Java.Agent 20141117
Norman Adwind.E 20141116

https://www.virustotal.com/en/file/91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725/analysis/
MD5 b5e7cd42b45f8670adaf96bbca5ae2d0
SHA256: 91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725
File name: asdqw4727319084772952101234.exe
Detection ratio: 12 / 54
Analysis date: 2014-11-17 03:21:30 UTC
AVG Zbot.URE 20141116
AVware Trojan.Win32.Generic!BT 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141116
BitDefender Gen:Variant.Kazy.494557 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Qihoo-360 Win32/Trojan.fff 20141117




Posted: 18 Nov 2014 | 4:25 am

Drupal 7 SQL Injection Info

There’s a lot of sites covering this vulnerability but I wanted to document some indicators for anyone who might need it.

Resources
Drupal Security Advisory
Drupal Public Service Annoucement
Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”
Drupal Site Audit
Volexity Blog
Sururi Blog

What follows is a brief walk-through of evidence found on a couple of compromised hosts. YMMV.

Incident Response
Logging into phpMyAdmin and checking out the “users” table. Two accounts were created. The “drupaldev” account seems to have been found on many compromised hosts.

2014-11-02_01

There was one host that had hundreds of accounts. What made the malicious accounts stand out was the missing mail field. This would occur if the user could get past the requirement on the registration page or if the account was added directly to the table.

Going to the “sessions” table, there’s one entry with the “uid” that matches the account created by the attacker. You can find out the attacker’s IP address this way.

2014-11-02_02

Here’s info on this IP address:

2014-11-02_03

The firewall logs showed activity over port 8888. If you visit the IP:port, you get this site:

2014-11-02_04

Looking at the webserver logs, we can see POSTs hitting the user/login file on the host. The server 500 errors probably indicate a failed first attempt.

2014-11-02_05

Going back to phpMyAdmin, a quick search for “.php” was done across all of the tables.

2014-11-02_06

There was an entry found in the “menu_router” table which seems to be a very common indicator.

2014-11-02_07

Clicking on the link, you can download the blob.

2014-11-02_08

Going to the file system, there is a directory called “README.txt” with a php file inside. The folder and file names appear to be random but the script itself is the same as what others have reported.

This PHP script is particularly interesting, it’s a simple backdoor that’s triggered by a cookie. Sucuri covered this awhile ago.

Here’s a cleaned up version. If you hit the script straightaway, you will get the results of phpinfo(). If you wish to send your own commands, you need to pass three variables. The “Kcqf3″ variable contains a value that triggers the script. The second variable “Kcqf2″ will be preg_replace. “Kcqf1″ contains the command. I imagine the attackers might send commands along the lines of uname, wget, curl, etc.

2014-11-02_09

I wrote a program to craft HTTP requests and can include my own cookie values into the header. Here, I’m sending the phpinfo command and you can see the result in the background. What stands out is its simplicity and cleverness.

2014-11-02_10

You could create an IDS rule to look for HTTP requests that contain a cookie with the value “preg_replace” and detect/block those coming in. You can then follow up on the targeted host to see if the backdoor is there.

Good luck!

Posted: 2 Nov 2014 | 3:52 pm

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

The following rule detects activity related to this exploit kit:

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf

       

Posted: 28 Oct 2014 | 9:30 pm

A More Realistic Perspective on Cybersecurity from the Director of the NSA

A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.


NSA Rodgers Urges Cyber-Resiliency

Posted: 19 Sep 2014 | 2:46 pm