Cisco has worked through data centre and switch products that may have been vulnerable to the Row Hammer vulnerability, and decided there's nothing with the bridge brand on the front that's subject to the bug.…
Posted: 30 Mar 2015 | 5:58 pm
Recently, we’ve come across an interesting spam campaign aimed at French users. The campaign itself uses a well-crafted lure that is likely to catch the attention of its would-be victims. In addition, the malware used – the GootKit backdoor – contains several unusual technical characteristics. Both of these highlight how this campaign was quite well thought-out on the part of the attackers.
Spam: Using the French Ministry of Justice
This campaign starts with an email in French that uses varying subject lines:
The email’s text reads as follows:
Selon la décision du tribunal n° 184, afin de recouvrir les sommes dues auprès du débiteur, et en vertu des procédures d’exécution n° 135-01, la saisie de votre propriété a été prononcée.
Vous pouvez obtenir une copie de cette décision auprès du greffe du tribunal.
Une copie du jugement se trouve dans le fichier ci-joint.
This content can be roughly translated as:
According to the court decision No. 184, to cover the amounts due from the debtor, and under enforcement proceedings No. 135-01, seizure of your property has been pronounced.
You can obtain a copy of this decision from the court registry.
A copy of the judgment is in the attached file.
The email contains a Microsoft Word document (alternately named copy du jugement.doc or paiment.doc) which the user is asked to open. This file has the SHA1 hash of 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf.
Once opened, this document downloads and opens a decoy image from the file hosting site savepic.su (which is displayed below). It also contains a macro which downloads and runs a backdoor.
Figure 1. Decoy image shown when opening the Microsoft Office document
The image is a reproduction of a letter from the French Ministry of Justice. It is a letter typically sent to individuals stating that the Ministry cannot assist with cases that are already before courts. This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers. (References to the individual who originally received this letter were already blurred when downloaded.)
It’s worth noting that the text used in the email contained no typos or grammar mistakes. This is unusual, as spammed messages frequently include such mistakes (whatever language they use). This suggests that a French speaker, or someone well-versed in French, was responsible for writing the above text. Combined with the authentic decoy image, it’s not difficult to see how a French user would not instantly realize that the message was spam.
Size and scope of campaign
Over a two-day period in the middle of March, we estimate that the images were downloaded and viewed more than 1,700 times. Based on the email addresses, both corporate and home users were targeted by this threat. We are unaware of any public or private data breaches that contained the list of recipients, which suggests that the addresses were gathered from various online sources.
We also found other spam campaigns that used the same malware families for their malware droppers and payloads. Other countries, such as Italy, are now being targeted as well. For instance, we noted a sample email with an attachment named documente copy.doc, which had the following subject names:
These malware samples consistently used images uploaded to savepic.su. This made it easy to count the number of times each picture was downloaded. We found that each image was viewed between 1,700 and 10,000 times.
After the user opens the malicious document and executes the embedded macro, it downloads and executes the dropper (SHA1 hash: f9772fcfbcaac9c4873989a1759a5c654eec440e). The dropper first creates an Application Compatibility Database (a file with the .SDB extension) containing its own patch code and installs it with the sdbinst command. Explorer.exe is then started with the command-line parameter issdb; the shim injects the patch code into the process, where it is executed.
The exact method used here is unusual. It was first described in the research paper Persist It: Using and Abusing Microsoft’s Fix It Patches, presented by Jon Erickson at Black Hat Asia 2014, which showed how an .SDB file can be used to modify the behavior of a program while it runs. We have previously seen this method used to sideload .DLLs, but this is the first time we have seen it used to patch a loader.
Figure 2. SDB overview via sdb-explorer
This patch is about 6 kilobytes in size, and patches memory at 5 different memory locations within kernel32.dll in order to run its patched code on the fly. This technique is used not only to patch explorer.exe, but other processes as well.
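A defender-side check for the persistence mechanism described above, added here as an example and not code from the original post: it lists every shim database registered through sdbinst and the executables they are applied to. The registry paths are the standard AppCompatFlags keys; the script only reads, it changes nothing.

```powershell
# Added example, not from the original post: enumerate application-compatibility shim
# databases installed with sdbinst, the mechanism the GootKit dropper uses to get its
# patch code applied inside explorer.exe. Read-only.
$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    # Every database installed with sdbinst gets a GUID-named subkey here. Windows' own
    # sysmain.sdb/drvmain.sdb are not registered this way, so on a machine with no
    # vendor- or admin-installed fixes this key is normally empty; every entry warrants review.
    $key = Join-Path $AppCompat 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $v.DatabaseDescription
            Path        = $v.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME stored as a QWORD.
            Installed   = if ($v.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime($v.DatabaseInstallTimeStamp) }
            # The post's sample was about 6 KB; size alone proves nothing, but it helps triage.
            SizeBytes   = if ($v.DatabasePath -and (Test-Path $v.DatabasePath)) { (Get-Item $v.DatabasePath).Length }
        }
    }
}

function Get-ShimmedExecutable {
    # The Custom key maps each shimmed executable name to the SDB file(s) applied to it.
    $key = Join-Path $AppCompat 'Custom'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; Sdb = $_.Name } }
    }
}

Get-InstalledShimDatabase | Format-Table -AutoSize

# The pattern from the post: a shim aimed at explorer.exe (or any other system binary).
Get-ShimmedExecutable | ForEach-Object {
    if ($_.Executable -ieq 'explorer.exe') {
        Write-Warning "explorer.exe is shimmed by $($_.Sdb)"
    } else {
        Write-Host "$($_.Executable) is shimmed by $($_.Sdb)"
    }
}
```

Run it from an elevated prompt; a hit for explorer.exe pointing at a recently installed database is the indicator to investigate, and the referenced .SDB file can then be pulled for analysis with a tool such as sdb-explorer, as in Figure 2.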
The patch code will detect the operating system version in order to get the appropriate version of GootKit (both 32- and 64-bit versions are available). They can be downloaded from two distinct URLs:
It’s worth noting that the download server uses HTTPS with a self-signed certificate that identifies the site as My Company Ltd. The real file names of the downloaded files are node32.dll.rk and node64.dll.rk, respectively.
Figure 3. HTTP headers of download server
Once the .DLL file is downloaded and loaded, the malware is ready to perform its routines and it now communicates to its command-and-control (C&C) server located at hxxps://VersatileGreenwood[dot]net:80/200.
Figure 4. HTTP headers of C&C server
Two things about the C&C server are apparent. While it has a different URL, it has the same IP address as the download server. Also, the HTTP reply leaks some information about the server: the X-Powered-By: Express header indicates it is powered by the Express web framework for the Node.js platform.
Adding a Fake Certificate Authority
One of GootKit’s abilities is to monitor network traffic, even when encrypted. How does it do this? In a similar manner to the recent Superfish incident: it adds a fake root certificate authority to the system. However, it does this in an unusual way.
GootKit essentially takes an existing root certificate on the system and adds a duplicate certificate (of its own creation) with the same name. However, upon closer examination, we noted two key differences: the fake certificate expires in 2020, and its RSA key length is only 1024 bits.
Figure 5. Fake certificate – 1024-bit key on the left, private key on the right
GootKit uses the fake certificate to perform man-in-the-middle (MITM) attacks against any HTTPS traffic. Because the fake certificate uses the same name as a randomly chosen legitimate certificate already present on the system, it is very hard to detect this problem.
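The duplicate-name trick above is hard to spot by eye, but easy to query for. The following is an added example (not code from the original post) that walks both Windows root stores and reports subjects that appear more than once, together with the properties the post singles out: RSA key size, expiry, and whether the entry carries a private key. It only reports; the 2048-bit threshold is an assumption for flagging weak keys.

```powershell
# Added example, not from the original post: look for the GootKit pattern in the Windows
# root stores - two trusted roots sharing a subject name, one of them with a short RSA
# key and (unusually for a root) a private key on the box. Read-only.
function Get-DuplicateRootCertificate {
    param([int]$MinRsaBits = 2048)   # assumed threshold; the post's fake root had 1024 bits

    $roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        if (Test-Path $store) {
            Get-ChildItem $store | ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
        }
    }

    # Group across both stores by subject: a legitimate root and a look-alike "with the
    # same name" land in the same group, whatever store the copy was planted in.
    $roots | Group-Object { $_.Cert.Subject } | Where-Object Count -gt 1 | ForEach-Object {
        foreach ($entry in $_.Group) {
            $c = $entry.Cert
            # Key size is only meaningful for RSA certificates.
            $bits = if ($c.PublicKey.Oid.FriendlyName -eq 'RSA') { $c.PublicKey.Key.KeySize } else { $null }
            [pscustomobject]@{
                Subject       = $c.Subject
                Store         = $entry.Store
                Thumbprint    = $c.Thumbprint
                NotAfter      = $c.NotAfter
                RsaBits       = $bits
                WeakKey       = ($null -ne $bits -and $bits -lt $MinRsaBits)
                # A genuine root CA's private key never lives on an endpoint; a MITM root must.
                HasPrivateKey = $c.HasPrivateKey
            }
        }
    }
}

Get-DuplicateRootCertificate | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

Legitimate duplicates do exist (a CA's cross-signed or re-issued root with the same subject), so compare thumbprints against the CA's published values before removing anything; an entry that is both WeakKey and HasPrivateKey is the one to treat as hostile.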
Remote Access Capabilities
While the remaining capabilities of GootKit are in line with its known features, it does seem to have added one new feature: the command RunVNC. This suggests it can now make use of the VNC protocol to give an external user (presumably the attacker) direct access to the victim’s machine.
Figure 6. List of available functions
We monitored the dropper to see whether it was used to spread threats other than GootKit, and found that it also drops CryptoWall and online banking malware.
This entire campaign was quite well thought out, with one exception. The social engineering used in the email was a cut above most, and GootKit appears to have picked up some fairly interesting and advanced behavior. However, requiring that macros be turned on for the user to be affected is very much the sign of an amateur. The mix is an odd one, to say the least.
Whatever the case, these attacks are still ongoing. We expect these to continue and victimize more users. It is also likely that future attacks will remove the need for macros to be enabled by default.
Users are protected from this threat via Trend Micro™ Security software, which safeguards against malware, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.
Indicators of compromise
SHA1 hash                                 Detection Name     Notes                    C&C server(s)
9b7cf1b6255a7dc26b346fdcccbfc4755db020bf  W2KM_EMDROP.AA     GootKit final payload
19ff788685ce9c8ec48848dfc4ef56abe99d657b  W2KM_DROPR.ED      GootKit final payload
fb2ed685fc58077a7849eb4b000e2cf320cf5181  W2KM_BARTALEX.CE   GootKit final payload
4d56c9b7e40e0c0916e5f1468e650f66a4ccee87  W2KM_DROPR.ED      GootKit final payload
2a84a60e7596de95940834779ce49a5d598800d0  W2KM_BARTALEX.CE   CryptoWall final payload
24aeb8369a24c5cfd6a9c9bfef1d793ae80fd854  W2KM_BARTALEX.CE   CryptoWall final payload
Posted: 30 Mar 2015 | 5:20 pm
Posted: 30 Mar 2015 | 4:04 pm
Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the victim systems successfully hacked by our fellow presenters.
The event gathers a very technical audience with a shared interest in the most recent attacks, and the presenters delivered with a variety of demos that showcased their vulnerabilities beautifully. They reinforced the conclusion that digital voodoo can turn obscure and seemingly innocuous vulnerabilities into mind-numbingly cunning attacks.
One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking. Two researchers, Corey Kallenberg and Xeno Kovah of Legbacore, armed with $2,000 and 4 weeks of hard work, were able to show that a long list of vendor BIOSes were not only vulnerable but could successfully be loaded with LightEater, an SMM implant capable of pilfering sensitive information from Tails OS and even exfiltrating that information in a way that bypasses the OS entirely. We clearly agree with their conclusion: it's time to start taking a harder look at firmware!
Firmware insecurity: absence of evidence is not evidence of absence
One very plausible attack is the well-known 'evil maid' or 'border guard' approach: someone with physical access to your computer can plug in a small device (see below) and successfully reflash your system's BIOS, rewriting it with malicious code, without so much as booting up the system.
Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned
Another very interesting presentation by Jan "starbug" Krissler showed how high resolution photos could bypass biometric authentication. Pictures acquired through high-resolution cameras from a safe distance amounted to the successful theft of fingerprints, faces, and irises used by current biometric systems for authentication. The distance can even be extended through the use of infrared imagery! We spent the talk imagining the breach possibilities as an increasing number of ATMs nowadays rely on biometric input.
Please authenticate access to your bank account using a password you can never change: your fingerprint
We also saw presentations on MacOS DLL (dylib) hijacking, userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem by simply sending an SMS! All sandwiched between explanations of the work of the ever fascinating Google Project Zero Team. In one of these, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became an exploit on Adobe Flash Player.
Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the faulty foundations of the whitelisting approach to security and to show that whitelisting alone simply won't protect you from advanced and intermediate attackers alike! Stay tuned for a post on our findings.
In the end, we expanded our view as to the true breadth of vulnerable software and hardware on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker as well. The role of the security researcher who lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.
Posted: 27 Mar 2015 | 6:48 am
Exploit Pack Table Update 20
Gong Da / GonDad | Redkit 2.2 | x2o (Redkit Light) | Fiesta (=Neosploit) | Cool Styxy | DotkaChef
Angler | FlashPack = SafePack | White Lotus | Magnitude (Popads) | Nuclear 3.x | Sweet Orange
CK | HiMan | Neutrino | Blackhole (last) | Grandsoft | Private EK
CVE-2012-4792* | CVE-2013-2465 | CVE-2013-2465* | and + all or some | CVE-2013-2423 | CVE-2013-1347
CVE-2013-0634 | * switch 2463*<>2465* | from the previous | CVE-2013-2423
CVE-2013-3897 | Possibly + exploits | version | CVE-2013-2460
* removed | from the previous
Sakura 1.x | LightsOut | Glazunov | Rawin | Flimkit | Cool EK (Kore-sh) | Kore (formerly Sibhost)
and + all or some | CVE-2013-1690 | CVE-2013-2423 | CVE-2013-2471 | CVE-2013-2463
from the previous
Styx 4.0 | Cool | Topic EK | Nice EK
CVE-2013-2423 | and + all or some
CVE-2013-2463 | from the previous
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
If you find any errors or have CVE information for packs not featured, please send it to my email (in my profile above); thank you very much.
- Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
- Blackhole 1.2.1 (Java Skyline added)
- Sakura Exploit Pack 1.0 (new kid on the block, private pack)
- Phoenix 2.8. mini (condensed version of 2.7)
- Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
- Merry Christmas Pack: read analysis at
- Sava Pack: read analysis at
- Old (2009), added just for
- Zero Pack: 62 exploits from various packs (mostly Open Source pack)
LinuQ pack is a PhpMyAdmin exploit pack with 4 PMA exploits, based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special; all of its exploits are public and well known.
It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges listed in bios.txt are scanned, vulnerable IPs and the specific PMA vulnerabilities found are written to vuln.txt, and the corresponding exploits can then be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It is using
Go1Pack (not included) was reported as being a fake pack; here is a GUI screenshot. Here is a Threatpost article referencing its use in an attack.
- Eleonore 1.6.4
- Eleonore 1.6.3a
Posted: 20 Mar 2015 | 8:48 pm
On 19/03/15 At 03:26 PM
Posted: 19 Mar 2015 | 6:30 am
There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.
Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”
Opening the Word document, the first thing you’ll notice is the security warning and, below it, a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”
Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.
Using OfficeMalScanner, the macros, specifically the one called “ThisDocument”, can be dumped to a file for analysis.
Let’s try it with OleDump. It nicely shows the objects inside of the document.
We can also dump the ‘ThisDocument’ object.
Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.
About a quarter of the way in, there are some URLs to take note of.
Basically the VBA macro builds a VBS script and writes it out.
Interestingly, this VBS calls up a PowerShell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from the Internet, then downloading an image for statistics and cleaning up.
Let me download the file…
And see what VirusTotal has to say…
Regarding that image download, here’s what it is:
The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.
Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.
The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.
The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.
Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.
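The white-on-white trick is worth checking for mechanically, since it leaves the "hidden" text sitting in the document body. Below is an added example (not from the original post) that inspects a Word OOXML package (.docm/.docx): it reports whether the file carries a VBA project and how many text runs are rendered invisible, either by a white (FFFFFF) colour or by the hidden-text property. The sample in the post was a binary .doc, which this check does not parse; the principle is the same.

```powershell
# Added example, not from the original post: flag Word OOXML documents that combine a
# VBA project with text runs made invisible (white colour or w:vanish), the pattern used
# by the "incorrect encoding - enable macro" lure. Read-only; nothing is executed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-HiddenTextMacroDocument {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $names    = $zip.Entries | ForEach-Object FullName
        $hasMacro = $names -contains 'word/vbaProject.bin'     # present in .docm, never in plain .docx

        $entry = $zip.GetEntry('word/document.xml')
        if (-not $entry) { throw "$Path is not a Word OOXML package" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$doc = $reader.ReadToEnd() } finally { $reader.Dispose() }

        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('w', 'http://schemas.openxmlformats.org/wordprocessingml/2006/main')

        # Runs whose properties set the colour to white, or mark the run as hidden.
        $xpath = '//w:r[w:rPr/w:color[translate(@w:val,"abcdef","ABCDEF")="FFFFFF"] or w:rPr/w:vanish]'
        $hiddenRuns = $doc.SelectNodes($xpath, $ns)
        $hiddenText = -join ($hiddenRuns | ForEach-Object {
            $t = $_.SelectSingleNode('w:t', $ns); if ($t) { $t.InnerText }
        })

        [pscustomobject]@{
            File             = $Path
            HasVbaProject    = $hasMacro
            HiddenRuns       = $hiddenRuns.Count
            TotalRuns        = $doc.SelectNodes('//w:r', $ns).Count
            HiddenTextSample = $hiddenText.Substring(0, [Math]::Min(120, $hiddenText.Length))
            Suspicious       = ($hasMacro -and $hiddenRuns.Count -gt 0)
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage: point it at a suspect attachment (path is a placeholder).
Test-HiddenTextMacroDocument -Path 'C:\quarantine\invoice.docm' | Format-List
```

A document whose hidden runs contain the entire readable invoice while the visible runs are the "garbled" filler is the tell; no macro execution is needed to see it.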
Posted: 6 Mar 2015 | 8:24 pm
Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.
FireEye did a pretty good job on attribution and gave some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PwC, Trend Micro, ESET and others.
We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.
The techniques used by this group have evolved over the years.
Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:
As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.
We cover these tools using the following rules with USM:
- Web compromises
The group has been seen infecting websites and redirecting visitors to a custom exploit kit that exploits the following vulnerabilities affecting Internet Explorer:
The following rule detects activity related to this exploit kit:
- Phishing campaigns
This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.
Inspecting the content of the malicious redirect, we can alert on this activity using the following rule:
Posted: 28 Oct 2014 | 9:30 pm
A few days ago Admiral Mike Rogers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear: CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease, in government and private sector organizations alike. Both the Admiral and we here at Cyber Engineering Services believe this is an unnecessary and damaging response.
The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.
Accepting this can be a hard pill for companies to swallow, as it is natural to want to put an end to all intrusions and data loss. However, accepting this problem doesn’t change its nature; it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining that the government alone is not going to conquer this problem; the private sector needs to step up to the plate and get realistic and proactive.
At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moment’s notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.
If you’d like to read more of the Admiral’s message, see the link below to a summary written by Mike Donohue.
Posted: 19 Sep 2014 | 2:44 pm