Several programs have been updated. You can find them on the Tools page.
Notable changes since the last version:
– Changed textbox font to Courier to improve readability
– Added reverse file option
– Added compare files option
– Consolidated extract and swap functions
– Added count of rows
– Added keep and strip differences to filter menu
– Replaced Hex Format %00 option with %u00
– Replaced Toggle Case format to separate lower/upper case
– Improved Mixed CHR() to Text function
– Added additional options to count delimiters
– Fixed hex-to-text function to better handle nulls
I was asked by a reader to suppress the multiple error popups that occur when scanning certain keys with SYSTEM privileges. In this release, only one error will appear, and then it won’t show up again.
Text Decoder Toolkit
This release is almost a complete re-write of the original version. A lot of things were moved around and included to make it more useful for CTF challenges. The startup takes a bit longer than usual because of the number of textboxes it has to render on the character substitution table form.
This version now includes the ability to show headers instead of just the URLs. Here are two examples, a Locky downloader and script (thank you to Malware-Traffic-Analysis and VirusTotal Intelligence for samples). By default, only the URLs are displayed, but you can enable the switch to show the headers.
Posted: 30 Sep 2016 | 4:31 pm
It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.…
Posted: 30 Sep 2016 | 4:16 pm
Posted: 30 Sep 2016 | 8:58 am
In an earlier blog post, we talked about the Haima app store on iOS. Here, we found that official apps were repacked and advertising modules added to generate revenue for the owners.
One reason for this store’s popularity is its relative ease of use, thanks to the “Haima iOS Helper”. This app is meant to complement the rest of the store by making it easier to install apps and manage the user’s device. This can be considered analogous to the roles that iTunes performs for most iOS users.
Unfortunately, this particular helper app brings its own share of malicious code to the table. We detect this as TSPY_LANDMIN.A.
First up: legitimate iTunes version
This helper is offered as a download from the Haima website. It prompts the user to download a specific version of iTunes (22.214.171.124) directly from Haima. This file is identical to the official version from Apple, although it is no longer the newest version of iTunes.
Figure 1. iTunes download prompt
Figure 2. Download from Haima server
The helper doesn’t use iTunes directly; its only goal here is to install the iPhone drivers that come with this particular version of iTunes.
Adding the patch package
Once iTunes has been installed, a patch package is then downloaded from the Haima servers:
Figure 3. Download of patch package
Figure 4. Patch package contents
The contents of the package are unzipped into the Haima directory.
Figure 5. Patch package in Haima directory
The files in this patch actually come from Apple. Haima analysed the iTunes protocol based on version 126.96.36.199 of iTunes, so the helper relies on DLLs from this particular version. Even if iTunes is upgraded later, it can still install apps or sync data to and from iOS devices.
Figure 6. DLL version
How to install apps
Haima offers two ways to install apps. On iOS, all apps that are installed need to be signed, so Haima uses two methods: one involves using enterprise provisioning certificates, while the other involves apps provided by Apple via the App Store. The image below shows the helper app, which functions more or less as an app store as well:
Figure 7. Haima helper app
The helper app has all the features expected of an app store – categories, must-have lists, recommended apps, etcetera. Some of these apps are the same as those on the original iOS App Store, and those have been flagged by us in the above screenshot.
The helper can directly install apps signed with an enterprise certificate, and it can also install apps from Apple via the App Store. We will discuss the use of enterprise certificates later on in this post. How does it do the latter? It connects back to Haima and “acquires” an Apple ID:
Figure 8. Request for Apple ID
The above screen tells the user that Haima requires an Apple ID, and that clicking the button will obtain one and “enjoy a better experience”.
Figure 9. Getting an Apple ID
The above window states that a verification process is ongoing, including a check of the security environment.
Figure 10. Successful Acquisition of Apple ID
The above window appears when an Apple ID has been successfully acquired. The user doesn’t even know the password of this particular Apple ID account, but the helper app can install any iOS app onto the user’s iPhone using this Apple ID.
Figure 11. Installation of app with Apple ID
If the user already installed an app via the App Store, the helper will ask the user to remove this version first. The helper will update the enterprise certificate on the device, and then (re)install the app on the phone.
Figure 12. Request to uninstall app
Figure 13. Update for enterprise certificate
Dynamic App Signing To Bypass Apple Revocation
As we mentioned earlier, the helper app can also use enterprise certificates to install apps onto devices. Apple is well aware of how enterprise provisioning and certificates can be abused, and they are constantly revoking any such certificates which have been abused. Haima replaces the enterprise certificates they use every few days. In addition to that, they also use dynamic app signing to reduce the exposure of the enterprise certificates.
Before the helper app installs the enterprise certificate app onto the phone, it is signed with a new (and valid) enterprise certificate. This is to prevent Apple from revoking the original enterprise certificate.
Figure 14. Downloaded Original Enterprise Certificate App and New Provisioning Profile
Figure 15. Original and New Enterprise Certificate Mach-O Files
Figure 16. From Original Certificate to New
Leaking the user’s Apple ID
There’s a third way to install apps. If you don’t want to use the Haima-provided Apple ID, you can use yours – you just need to enter your own Apple ID and password.
Figure 17. Login screen asking for Apple ID
Unfortunately, this is not a good idea. Why? Because the helper app steals the user’s own username and password.
Figure 18. Code leaking Apple ID
Photos Synced to PC
By default, the photos on an iPhone are not synced to the PC. The helper app, however, automatically syncs the user’s photos to the user’s computer:
Figure 19. Synced pictures
Malicious Codes in Helper App
The helper app also contains malicious code for various information-stealing function calls. However, these are either non-functional or not called.
Figure 20. Malicious code
The Haima helper app is a key part of making this third-party store more usable for its users. By managing both enterprise certificates and Apple App Store logins, it makes the user experience much more seamless.
However, it also introduces serious security risks. The apparent theft of the user’s Apple ID credentials is a serious risk in and of itself. The apparent inclusion of malicious functions in the code itself is also worrying. We recommend not using third-party app stores as they pose a security risk in general, and this case shows why we recommend that.
We detect the following files as TSPY_LANDMIN.A:
| SHA1 hash | File name |
Posted: 30 Sep 2016 | 2:32 am
The Industrial Internet Consortium (IIC) has released the initial version of its Security Framework for industrial Internet of Things (IIoT) development. The Framework, an adjunct to the IIoT Reference Architecture the Consortium released last year, seeks to initiate a process that will result in broad industry consensus on how to secure IIoT systems. The goal is to ensure that security is a fundamental part of an IIoT system’s architecture, not simply bolted on, and covers the system end-to-end including endpoint devices and the links between system elements.
The IIC is an open membership organization, formed in 2014 to accelerate the development, adoption, and wide-spread use of interconnected machines and devices along with intelligent analytics. From its founding by AT&T, Cisco, General Electric, IBM, and Intel, the Consortium has grown to more than 160 members from 24 countries and is now under management by the Object Management Group standards organization.
“The Security Framework looks at IIoT security from three different perspectives,” Hamed Soroush, the IIC’s security working group chair, told EE Times in an interview. “Chip makers, equipment developers, and end users all have an important role in security for the IIoT, but often work without knowing one another’s perspectives. The Framework will help them talk to each other.” It also provides guidance to management on risk management when considering security, he added.
The post Consortium Forms Framework for Industrial Cybersecurity appeared first on CyberESI.
Posted: 29 Sep 2016 | 1:33 pm
Brazilian cybercriminals are notorious for their ability to develop banking trojans, but now they have started to focus their efforts on new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people: it encrypts their files using the extension “.___xratteamLucked” and demands a ransom payment.
The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a hospital in Brazil that had fallen victim to this ransomware family.
Actually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan-Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and flawed implementations.
In this post, we’ll explain this new Ransomware family and how Brazilian coders are creating new ransomware from scratch.
The group identifies itself as “TeamXRat” and “CorporacaoXRat”.
(Translating from Portuguese to English as “CorporationXRat”)
Their first ransom trojan consisted of using a simple XOR based encryption, described by some victims here (most of the victims are from Brazil). The new version of Xpan Ransomware shows that the cybercriminals behind it have improved the code to make it more complex, also switching the encryption scheme.
The ransom texts used by the group are written in Brazilian Portuguese. The messages do not state how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoin). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg (for example, email@example.com, xRatTeam@mail2tor.com and firstname.lastname@example.org), providing the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used e-mail accounts from another email service, Protonmail, such as email@example.com, currently deactivated.
When the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese, and they request 1 BTC (about 603 USD) to decrypt the files. The group also claims that the payment is a “donation”, arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:
“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”
The sample is UPX packed. Once executed it checks the default language of the infected system set in the following registry key: HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE
In addition, it is able to query the local time and obtain the computer name from the registry, using several commands such as net.exe, sc.exe and taskkill.exe. Interestingly, it also deletes any proxy settings defined in the system, located in: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP.
Since the targets are companies and corporations, the group expects that proxies may block access to certain web resources. It is highly probable that this technique is used to “set the victim free” to email the attackers or access BTC resources online.
After completing its execution, the ransomware displays the following image in the affected system:
“All your files were encrypted using a RSA 2048 bits encryption”
The sample is written in C++ and uses STL, and it is built as a console application. During its execution, it logs all its actions to the console, only to clear it once the encryption process has finished.
The operation of this malware is ‘guided’ by the configuration data block stored inside the body of the Trojan:
Decrypted configuration block
The configuration contains the following details:
Part of the pseudocode of the main procedure
A previous ransomware sample that was believed to be part of the TeamXRat ransomware campaign used a simple encryption algorithm known as TEA (or Tiny Encryption Algorithm). After comparing this original version (dubbed Xorist) against this new Xpan variant, we could observe that now they are using an AES-256 encryption scheme.
Xorist ransomware TEA constant
Xpan ransomware now has evolved to use AES-256 encryption
| Xorist (earlier variant) | Xpan (new variant) |
| Will automatically start when the user is logged in. It uses the following registry key for persistence: SOFTWARE\Microsoft\Windows\CurrentVersion\Run | No persistence used. |
| Tiny Encryption Algorithm | AES-256 |
| ASM, MS Linker | C++, MinGW compiler |
| Includes a list of files that are to be encrypted. | Will encrypt everything except .exe and .dll files and files with blacklisted substrings in the path. |
The developers have clearly shifted their development procedures in the Xpan malware. It’s typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or that specific variant is widely detected.
List of file extensions that Xorist ransomware will search and encrypt
The trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted by AES-256 in CBC mode.
There are 2 known versions of this trojan that can be distinguished by their extensions. The 1st one uses “___xratteamLucked” (3 ‘_’ symbols) and the second one – “____xratteamLucked” (4 ‘_’ symbols).
These 2 versions employ different techniques to encrypt the files, which we will describe in more detail.
Version 1 (3 ‘_’ symbols in the extension)
The trojan generates a single 255-symbol password for all files. This password is encrypted by RSA-2048 and put into the ransom note (concatenated with the public key). Then the trojan produces a 256-bit key from this password using the API CryptDeriveKey; this key will be used to encrypt all files.
When processing each file, the malware adds the string ‘NMoreira’ to the beginning of the original file and encrypts the file content by 245-byte blocks using the AES-256 algorithm in CBC mode. Each block is additionally XOR’ed with a random byte which is stored before the padding of the corresponding block.
Version 2 (4 ‘_’ symbols in the extension)
For each file, the trojan generates a new 255-symbol password, encrypts this password by RSA-2048 and puts this data into the beginning of each encrypted file. Then, the trojan produces a 256-bit key from this password using the API CryptDeriveKey, and uses this key to encrypt the original file content (AES-256 CBC).
File search and encryption are carried out by multiple threads, with each thread processing one disk.
Ransomware in action: console output listing the encrypted files
After encryption is completed, the malware changes the desktop wallpaper and displays this file, containing the ransom note:
The ransom note, in Portuguese
Before encrypting the data on the affected system, the ransomware executes the following commands, aiming to stop popular database services so that database files will be encrypted as well, causing greater damage to the victim:
echo Iniciando pre comandos
echo Parando Firbird
sc config FirebirdServerDefaultInstance start=disabled
taskkill /IM fb_inet_server.exe /F
net stop FirebirdServerDefaultInstance
echo parando SQL SERVE
taskkill /IM sqlservr.exe /F
sc config MSSQLSERVER start=disabled
sc config MSSQL$SQLEXPRESS start=disabled
net stop MSSQLSERVER
net stop MSSQL$SQLEXPRESS
echo parando poostgree
taskkill /IM pg_ctl.exe /F
sc config postgresql-9.0 start=disabled
net stop postgresql-9.0
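The command list above is a useful detection artifact: on a database server, a disable-kill-stop sequence against several database services within a couple of minutes is rare in legitimate administration. The following Python snippet is an added example (not Kaspersky’s code) that scans constructed process-creation events in an assumed `timestamp|host|command line` format and raises one alert per host when three or more distinct actions against the Firebird, SQL Server or PostgreSQL services named above occur inside a short window.

```python
"""Flag the Xpan-style database service shutdown sequence in process-creation events."""
import re
from collections import defaultdict

# Service and process names taken from the command list in the analysis above.
DB_SERVICES = {"firebirdserverdefaultinstance", "mssqlserver", "mssql$sqlexpress", "postgresql-9.0"}
DB_PROCESSES = {"fb_inet_server.exe", "sqlservr.exe", "pg_ctl.exe"}

# (action label, regex capturing the service or image name)
PATTERNS = [
    ("sc_disable", re.compile(r"^sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)),
    ("taskkill",   re.compile(r"^taskkill(?:\.exe)?\s+.*?/IM\s+(\S+)", re.I)),
    ("net_stop",   re.compile(r"^net(?:\.exe)?\s+stop\s+(\S+)", re.I)),
]

# Constructed sample events (assumed format "ts|host|command line"); SRV01 replays the
# malware's batch, WS07 shows a lone admin stop and an unrelated taskkill.
SAMPLE_EVENTS = [
    "1000|SRV01|echo Iniciando pre comandos",
    "1001|SRV01|sc config FirebirdServerDefaultInstance start=disabled",
    "1002|SRV01|taskkill /IM fb_inet_server.exe /F",
    "1003|SRV01|net stop FirebirdServerDefaultInstance",
    "1010|SRV01|taskkill /IM sqlservr.exe /F",
    "1011|SRV01|net stop MSSQLSERVER",
    "5000|WS07|net stop MSSQLSERVER",
    "9000|WS07|taskkill /IM notepad.exe /F",
]

def classify(cmdline):
    """Return (action, target) when a command acts on a known DB service/process, else None."""
    cmd = cmdline.strip()
    for action, rx in PATTERNS:
        m = rx.match(cmd)
        if not m:
            continue
        target = m.group(1).strip('"').lower()
        known = DB_PROCESSES if action == "taskkill" else DB_SERVICES
        if target in known:
            return action, target
    return None

def parse_event(line):
    ts, host, cmdline = line.split("|", 2)
    return int(ts), host, cmdline

def detect(lines, window=120, min_actions=3):
    """One alert per host when >= min_actions distinct DB actions fall inside `window` seconds."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, cmdline = parse_event(line)
        hit = classify(cmdline)
        if hit:
            per_host[host].append((ts, hit))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {h for t, h in events[i:] if t - t0 <= window}
            if len(distinct) >= min_actions:
                alerts.append({
                    "host": host,
                    "start": t0,
                    "actions": sorted({a for a, _ in distinct}),
                    "targets": sorted({t for _, t in distinct}),
                })
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold of three distinct actions is a tuning choice: a single `net stop` during maintenance should not page anyone, but disable, kill and stop against the same database service in sequence is the malware’s signature behaviour.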
After the execution, the ransomware deletes itself from the system, to remove the original infector:
if exist "path\sample_name.exe"
After the encryption has finished, the trojan modifies the registry to add a custom handler for the action of double-clicking on any of the encrypted files. As a result, when the victim clicks on a file with the extension “.____xratteamLucked”, the command stored in the registry is executed, and this command shows the ransom note in a new window using msg.exe (a standard utility that is part of the Windows distribution).
Windows Registry modified by the ransom
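A handler that opens a data file with msg.exe (or a script host) is easy to audit for offline, from a registry export. The following is an added example, not part of the original analysis, that parses a constructed `.reg` export and reports every extension whose `shell\open\command` launches a watched executable. It assumes the standard Windows file-association layout (`HKEY_CLASSES_ROOT\.ext` pointing at a ProgID whose `shell\open\command` holds the command); the ProgID `xratfile` and the message text are constructed for the example.

```python
"""Audit a .reg export for file-extension handlers that launch message or scripting tools."""
import re

# msg.exe is the handler named in the analysis; the others are the usual script hosts.
WATCHED_EXES = {"msg.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

KEY_RX = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RX = re.compile(r'^@="(?P<val>.*)"$')

# Constructed export: a benign .txt association next to an Xpan-style handler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.____xratteamLucked]
@="xratfile"

[HKEY_CLASSES_ROOT\xratfile\shell\open\command]
@="\"C:\\Windows\\System32\\msg.exe\" * Seus arquivos foram criptografados"
'''

def parse_reg(text):
    """Map each key in a .reg export to its default value, with .reg escaping removed."""
    defaults = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RX.match(line)
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RX.match(line)
        if m and key:
            # .reg files escape double quotes and backslashes with a backslash
            defaults[key] = m.group("val").replace('\\"', '"').replace("\\\\", "\\")
    return defaults

def command_exe(command):
    """Return the lower-cased executable basename from a (quoted or bare) command string."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_handlers(reg_text):
    """Return (extension, progid, exe) for every extension whose open command runs a watched exe."""
    defaults = parse_reg(reg_text)
    findings = []
    for key, progid in defaults.items():
        m = re.match(r"^HKEY_CLASSES_ROOT\\(\.[^\\]+)$", key, re.I)
        if not m:
            continue
        command = defaults.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command")
        if command is None:
            continue
        exe = command_exe(command)
        if exe in WATCHED_EXES:
            findings.append((m.group(1), progid, exe))
    return findings

if __name__ == "__main__":
    for ext, progid, exe in find_suspicious_handlers(SAMPLE_REG):
        print(f"{ext} -> {progid} opens with {exe}")
```

On a live system the same logic can be fed from `reg export HKCR` output; the exact command text is not needed, only the executable it resolves to, which is why the check keys on the basename rather than on the ransom message.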
Most of the attacks performed by TeamXRat are carried out manually, installing the ransomware on the compromised server. To gain access, they perform RDP (Remote Desktop Protocol) brute force attacks. Connecting remote desktop servers directly to the Internet is not recommended, and brute forcing them is nothing new; but without the proper controls in place to prevent, or at least detect and respond to, compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy. Once the server is compromised, the attacker manually disables the antivirus product installed on the server and proceeds with the infection itself.
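Detecting the password guessing that precedes this kind of intrusion only needs the Security log. The snippet below is an added example (not from the original post) that runs over constructed events in an assumed flattened `ts|EventID|LogonType|Account|SourceIP` layout: it counts failed logons (event 4625) of logon type 10 (RemoteInteractive, i.e. RDP) per source address inside a sliding window and, once a source is flagged, records any later successful logon (event 4624) from it, which is the moment that matters for response.

```python
"""Spot RDP password guessing, and a success that follows it, in constructed Security events."""
from collections import defaultdict, deque

# Constructed events: 203.0.113.5 guesses several accounts and then logs in as "backup";
# 198.51.100.9 is a user who mistyped a password twice. Layout is an assumption.
SAMPLE_EVENTS = [
    "100|4625|10|administrator|203.0.113.5",
    "101|4625|10|admin|203.0.113.5",
    "102|4625|10|sql|203.0.113.5",
    "103|4625|10|backup|203.0.113.5",
    "104|4625|3|backup|203.0.113.5",      # network logon failure, not RDP: ignored
    "105|4625|10|suporte|203.0.113.5",
    "106|4625|10|backup|203.0.113.5",
    "130|4624|10|backup|203.0.113.5",
    "200|4625|10|jsilva|198.51.100.9",
    "260|4625|10|jsilva|198.51.100.9",
    "300|4624|10|jsilva|198.51.100.9",
]

def parse(line):
    ts, event_id, logon_type, account, src = line.split("|")
    return {"ts": int(ts), "id": int(event_id), "type": int(logon_type),
            "account": account, "src": src}

def detect_rdp_bruteforce(lines, window=60, threshold=5):
    """One alert per source IP reaching `threshold` RDP failures within `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of recent 4625 events
    flagged = {}                  # src -> alert dict
    for line in lines:
        ev = parse(line)
        if ev["type"] != 10:
            continue              # only RemoteInteractive (RDP) logons
        src = ev["src"]
        if ev["id"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if src in flagged:
                flagged[src]["failures"] += 1
            elif len(q) >= threshold:
                flagged[src] = {"src": src, "first_failure": q[0],
                                "failures": len(q), "success_after": None}
        elif ev["id"] == 4624 and src in flagged:
            # a success after a flagged burst is the signal to isolate the host
            flagged[src]["success_after"] = (ev["ts"], ev["account"])
    return list(flagged.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately conservative; the point is the second half of the logic, because a success from a source that was just flagged should be escalated rather than buried under the failure count.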
We are also aware that vulnerabilities such as MS15-067 and MS15-030 in the RDP protocol, which allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system, can be used by cybercriminals if a server is not patched and exposed to attacks.
As we saw in the recent xDedic research, vulnerable servers with exposed RDP connections are very valuable assets in the hands of cybercriminals. Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal.
xDedic: compromised Brazilian RDP servers were available in the underground market
If the victim pays the ransom, the cybercriminals will send this tool to decrypt the files:
Decryption tool sent by the bad guy after payment
But the good news is that the Kaspersky Anti-Ransom team was able to break the encryption used by the Xpan Trojan. This effort made possible the decryption of files belonging to a hospital in Brazil which was hit by this ransomware family.
If you’re a victim of this new Ransomware family and need help to decrypt your files, please DON’T PAY the ransom. Instead, contact us via support.
As we can see, Brazilian bad guys are now diversifying their “business” with new ransomware families developed from scratch, abandoning older versions that used XOR encryption and adopting new, more robust encryption algorithms. This is a clear signal that they have started to explore new schemes with new targets and newer types of attacks.
As we forecasted at the beginning of this year, we expect ransomware attacks to gain ground on banking trojans and to transition to other platforms. Ransomware has two advantages over traditional banking threats: direct monetization using an anonymous payment system (usually Bitcoin), and a relatively low cost per victim. Certainly, this is very attractive to Brazilian crooks, well known for their banking trojan development. Brazilian law enforcement is very good at catching criminals (although they are not always convicted and imprisoned) by “following the money”, something we know is not entirely possible with Bitcoin payments.
We detect this new threat as Trojan-Ransom.Win32.Xpan.a and PDM:Trojan.Win32.Generic.
We’ll keep an eye out for new variants, which will surely appear from the same or other threat actors.
MD5 reference: 34260178f9e3b2e769accdee56dac793
Posted: 29 Sep 2016 | 9:42 am
Posted: 23 Aug 2016 | 9:19 pm
The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it.
Here are some of the approaches and tools and techniques they use for reverse engineering malware, which may be helpful to you in your own malware hunting endeavors. Please watch the webcast they did recently with Javvad Malik on reverse engineering malware and hear details and examples of how the Labs team investigated OceanLotus, PowerWare and Linux malware in recent situations.
Now, let’s look at techniques that can be utilized while analyzing malware.
Here’s IDA Pro:
Here’s the file utility:
Generally, when we get a bunch of samples or an archive of samples from an open-source feed, we use the file utility to find out whether a file is a regular executable for Windows, OS X or Linux, or just a text file or a script.
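The triage `file` performs is a magic-number check, and it is worth knowing what those checks actually look at, because a sample whose first bytes are lying (an “MZ” stub with no PE header, for instance) is itself a finding. The following Python is an added example, not AlienVault’s code, that classifies constructed byte strings by the same signatures: the MZ/PE pair (with the `e_lfanew` pointer at offset 0x3c), the ELF magic and class byte, the Mach-O thin and fat magics, and a `#!` line for scripts. The sample headers are constructed and are not runnable binaries.

```python
"""Classify sample bytes by magic numbers, the first step the `file` utility performs."""
import struct

def _pe_header_ok(data):
    """'MZ' at offset 0 and e_lfanew (uint32 LE at 0x3c) pointing at the 'PE\0\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_sample(data):
    """Return windows-pe, dos-mz, elf32/elf64, macho32/macho64, macho-fat, script, text or unknown."""
    if data[:2] == b"MZ":
        return "windows-pe" if _pe_header_ok(data) else "dos-mz"
    if data[:4] == b"\x7fELF" and len(data) > 4:
        return {1: "elf32", 2: "elf64"}.get(data[4], "elf-unknown-class")
    magic = data[:4]
    if magic in (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe"):
        return "macho32"
    if magic in (b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"):
        return "macho64"
    if magic == b"\xca\xfe\xba\xbe":
        # shared with Java class files; a fuller check reads the fat-arch count
        return "macho-fat"
    if data[:2] == b"#!":
        return "script"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "text" if data else "unknown"

def build_fake_pe():
    """Constructed minimal header: MZ stub whose e_lfanew points at 'PE\0\0' at offset 0x40."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 4

# Constructed samples, one per category.
SAMPLES = {
    "dropper.exe": build_fake_pe(),
    "old.com": b"MZ" + b"\x00" * 62,                  # MZ stub, e_lfanew=0 -> no PE signature
    "implant": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF, class 2 = 64-bit
    "agent": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,      # Mach-O 64-bit, little-endian
    "run.sh": b"#!/bin/sh\necho hi\n",
    "note.txt": "ola\n".encode(),
    "blob.bin": bytes([0x00, 0xFF, 0xFE, 0x80]),
}

def triage(samples):
    """Map each sample name to its label."""
    return {name: classify_sample(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name}: {label}")
```

The `dos-mz` case is the interesting one for malware work: a file that starts with MZ but has no PE signature at `e_lfanew` is either a genuine DOS executable or a sample whose header has been corrupted or truncated to defeat naive scanners, and it deserves a second look rather than being dropped from the queue.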
Here’s Immunity Debugger:
For monitoring the activity on the system, we use system monitor and Regshot.
Sandboxes are another important step in reverse engineering malware, as often there are functionalities malware doesn't exhibit unless it is running in a suitable environment. One sandbox, malwr, comes from the people who built Cuckoo Sandbox. With malwr, you submit a sample and run it inside a VM. You can then run various dynamic analysis tools and static analysis tools referenced above and turn this into a nice, readable report.
Here is malwr:
Here is Hybrid-Analysis:
Another major sandbox tool for identifying malware is VirusTotal. VirusTotal is owned by Google, and they arguably have the biggest repository of both malware and known file types in general. If you are looking for any particular malware, it typically shows up in VirusTotal.
Here is VirusTotal:
Another new contender is DeepViz. DeepViz is being developed very actively, with new features on a regular basis. DeepViz functions very similarly to other Sandboxes, but sometimes it is beneficial to submit the same sample to multiple sandboxes to see if the behavior matches up or if it reacts differently.
Here is DeepViz:
Which brings us to Cuckoo. Cuckoo is a malware analysis system. It contains many different tools, including some of the dynamic and static analysis tools that we mentioned earlier. Also, it is free. While other sandboxes are free, you are sharing your data by using them. If you set up Cuckoo on your own system you can keep everything localized and keep it to yourself, especially if you are analyzing something you don't want the world to know about yet.
Here is Cuckoo:
Open Threat Exchange (OTX) is another key component we use in malware analysis.
To find out more about OTX there is a documentation center. You can also see information on our forums. There is a section specifically for OTX where you can see pulses. Also, just a few weeks ago we announced some enhancements to the OTX API. If you are a blogger, please note you can now embed pulses. So if you write a blog, you can simply embed a pulse within it so users can read it and directly download the IoCs and other information.
Connecting OTX to your USM platform helps you to manage risk better and effectively take action on threats. A free trial of AlienVault USM is available.
Posted: 27 Jun 2016 | 8:58 am