Recently, Microsoft issued an emergency patch for a zero-day vulnerability in Internet Explorer that was being exploited to deploy the Korplug malware on vulnerable PCs.
Korplug, a known variant of PlugX, is a Trojan that opens a backdoor used to steal information from infected computers.
In one of the most publicized cases, the website of an evangelical church in Hong Kong was compromised to deliver the malware. The attackers breached the church's site and injected a malicious iframe overlay designed to look like the site itself.
The iframe was then used to redirect visitors to a site hosting the IE exploit. Once users landed there, they were served a page named java.html, which installed Korplug on their computers.
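A site owner can check for the kind of injected frame described above. The Go program below is an added example written for this page, not code from the original article or from AlienVault; the sample HTML, the hostnames church.example and exploit-host.example, and the size threshold are constructed assumptions. It goes slightly beyond the overlay case in the text: it flags any iframe whose src is off-origin (which covers a full-page overlay pulled from the attacker's host), and also frames collapsed to a 0/1 px box or hidden by inline CSS, which is how redirect frames are usually concealed in other drive-by injections.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample page (not real church or attacker content): one legitimate
// same-origin frame and one injected, hidden, off-site frame pointing at the
// exploit landing page named in the article.
const samplePage = `<html><body>
<h1>Sunday service times</h1>
<iframe src="https://church.example/calendar" width="600" height="400"></iframe>
<iframe src="http://exploit-host.example/java.html" width="0" height="0"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
</body></html>`

var (
	iframeRe = regexp.MustCompile(`(?is)<iframe\b[^>]*>`)
	attrRe   = regexp.MustCompile(`(?is)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// Finding records one iframe that looks injected rather than part of the site.
type Finding struct {
	Src     string
	Reasons []string
}

// attrs pulls name="value" pairs out of a single opening tag.
func attrs(tag string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
		out[strings.ToLower(m[1])] = strings.TrimSpace(m[2] + m[3] + m[4])
	}
	return out
}

// tiny reports whether a width/height value is 0 or 1 pixel.
func tiny(v string) bool {
	n, err := strconv.Atoi(strings.TrimSuffix(strings.TrimSpace(v), "px"))
	return err == nil && n <= 1
}

// hiddenByCSS returns the first inline style declaration that keeps the frame off-screen.
func hiddenByCSS(style string) string {
	for _, decl := range strings.Split(strings.ToLower(style), ";") {
		kv := strings.SplitN(decl, ":", 2)
		if len(kv) != 2 {
			continue
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch {
		case k == "display" && v == "none",
			k == "visibility" && v == "hidden",
			k == "opacity" && v == "0",
			(k == "width" || k == "height") && tiny(v),
			(k == "left" || k == "top") && strings.HasPrefix(v, "-"):
			return k + ":" + v
		}
	}
	return ""
}

// FindSuspiciousIframes flags iframes whose src is off-origin, whose box is
// collapsed to 0/1 px, or whose inline style hides them from the visitor.
func FindSuspiciousIframes(pageURL, html string) ([]Finding, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, tag := range iframeRe.FindAllString(html, -1) {
		a := attrs(tag)
		var reasons []string
		if u, err := url.Parse(a["src"]); err == nil && u.Host != "" && !strings.EqualFold(u.Host, page.Host) {
			reasons = append(reasons, "off-site src: "+u.Host)
		}
		if tiny(a["width"]) || tiny(a["height"]) {
			reasons = append(reasons, "collapsed frame size")
		}
		if h := hiddenByCSS(a["style"]); h != "" {
			reasons = append(reasons, "hidden by CSS: "+h)
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Src: a["src"], Reasons: reasons})
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindSuspiciousIframes("https://church.example/index.html", samplePage)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("suspicious iframe %s: %s\n", f.Src, strings.Join(f.Reasons, "; "))
	}
}
```

Run it against a fetched copy of each page and compare the output with a baseline of frames the site legitimately uses. Because it works on the raw HTML with regular expressions, it will not see frames that an injected script builds at runtime (document.write, innerHTML); for those, inspect the rendered DOM in a headless browser or, better, verify the integrity of the deployed templates against the source repository.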
To defend against Korplug, system administrators and security engineers should educate users of corporate assets about these types of attack.
In many cases, organizations are breached because of a lack of internal education about how to identify threats.
All too often a breach succeeds because a user executes a malicious email attachment, downloads a file from a suspicious website, or installs cracked software.
However, even with the right kind of education, users will still sometimes inadvertently compromise company assets.
This usually happens when a user accidentally exposes the network to a piece of malware posing as a legitimate spreadsheet or Word document attached to an email, or, as in the case of the church described above, an iframe designed to look like a page on a website.
Acting as a backdoor, malware like Korplug gives an attacker complete control over the user's computer.
From there the attacker can escalate privileges, exfiltrate data from the machine, or use it as a pivot point to reach more sensitive systems.
AlienVault Unified Security Management (USM) provides asset discovery, threat detection (IDS), vulnerability assessment, behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team.
The Labs team has released IDS signatures and a correlation rule to the AlienVault USM platform so that customers can identify activity related to Korplug.
Tuesday, September 16, 2014 | Swati Khandelwal
malware operation in history.
The campaign, dubbed the 'Harkonnen Operation', involved more than 800 registered front companies in the UK, all using the same IP address, which helped the intruders install malware on the servers and network equipment of organizations in Germany, Switzerland and Austria, mainly banks, large corporations and government agencies.
In total, the cyber criminals made approximately 300 corporations and organisations victims of this well-organised and well-executed cyber-espionage campaign.
CyberTinel, an Israel-based developer of a signature-less endpoint security platform, uncovered the international campaign, which hit government institutions, research laboratories and critical infrastructure facilities throughout the DACH (Germany, Austria, Switzerland) region.
From CyberTinel's analysis, it is believed the hackers first penetrated computer networks as far back as 2002, and, according to Elite Cyber Solutions chief executive Jonathan Gad, the damage done to companies since then has been "immeasurable".
"The network exploited the UK’s relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services," said Jonathan Gad, chief executive of distributor Elite Cyber Solutions, Cybertinel’s UK partner.
"The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years." He added, "At this point, we are aware of the extent of the network, but the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable."
The Harkonnen Operation is detailed in a special report [pdf] titled "HARKONNEN OPERATION CYBER-ESPIONAGE", in which the researchers analysed companies that were compromised by seemingly generic trojans delivered through spear-phishing attacks.
Because the malware was delivered by spear-phishing emails from companies that appeared legitimate, complete with valid digital certificates, the criminals gained additional cover, enabling them to hit well-secured servers and steal all kinds of top-secret documents.
The trojans detected in the attacks were GFILTERSVC.exe, from the generic family Trojan.win7.generic!.bt, and wmdmps32.exe.
It is still unclear who is behind the hack, but researchers believe the campaign looks more like an organised crime operation than something a government intelligence agency would do.
The scammers invested over $150,000, a kingly sum for hackers, in hundreds of domain names, IP addresses and wildcard certificates to make their UK businesses appear legitimate, and in keeping the operation going.
Friday, March 07, 2014 | Swati Khandelwal
Last week, researchers at the German security company G Data Software reported on a highly complex and sophisticated rootkit, Uroburos, which is designed to steal data from secure facilities and is able to take control of an infected machine, execute arbitrary commands and hide system activity.
Now British defence contractor BAE Systems has disclosed the parent Russian malware campaign, dubbed 'Snake', which remained almost undetected for at least eight years while penetrating highly secured systems. The Uroburos rootkit is one component of this campaign.
In a separate investigation, Western intelligence officers found another piece of spyware, known as 'Turla', infecting hundreds of government computers across Europe and the United States. Researchers believe the Turla campaign is linked to the previously known 'Red October' campaign, a massive global cyber-spying operation that targeted diplomatic, military and nuclear research networks.
"It is sophisticated malware that's linked to other Russian exploits, uses encryption and targets western governments. It has Russian paw prints all over it," said Jim Lewis, a former U.S. foreign service officer.
Yesterday, BAE Systems Applied Intelligence laid out the full extent of Snake, which uses novel tricks to bypass Windows security, including hiding its communications inside the victim's web traffic. According to BAE, it bears all the hallmarks of a highly sophisticated cyber operation: it exploits vulnerabilities with the help of user interaction, and it also abuses a privilege-escalation weakness to get unsigned code loaded on 64-bit Windows, which is comparable to a zero-day exploit.
"Its design suggests that attackers possess an arsenal of infiltration tools and bears all the hallmarks of a highly sophisticated cyber operation. Most notable is the trick used by the developers to load unsigned malware in 64-bit Windows machines, by-passing a fundamental element of Windows security," said BAE.
The malware was previously known as Agent.BTZ, which came to light in 2008 when US Department of Defense sources said its classified networks had been breached by an early version of the same virus. It has since gained many advanced features that make it even more flexible and sophisticated than before, BAE said.
According to BAE Systems Applied Intelligence, the campaign has been seen mostly in Eastern Europe, but also in the US, the UK and other Western European countries. The malware can infect systems running Windows XP, Vista, 7 and 8.
"Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously," said Martin Sutherland, BAE Systems' applied intelligence managing director.
“The threat described in this report really does raise the bar in terms of what potential targets, and the security community in general, have to do to keep ahead of cyber attackers. As the Snake research clearly illustrates, the challenge of keeping confidential information safe will continue for many years to come,” he claimed.
Tuesday, February 11, 2014 | Sudhir K Bansal
Researchers believe the program has been operational since 2007 and appears to be a sophisticated nation-state spying tool that targeted government agencies, diplomatic offices and embassies before it was disclosed last month.
In the report published by Kaspersky, the researchers identified more than 380 unique victims, including government institutions, diplomatic offices and embassies, private companies, research institutions and activists.
The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules.
The developers of 'Mask', aka 'Careto', used a complex toolset, including highly developed malware, a bootkit and a rootkit, that can intercept network traffic, keystrokes, Skype conversations and Wi-Fi traffic, capture the screen, monitor all file operations, and harvest encryption keys, VPN configurations, SSH keys, RDP files and PGP keys. This makes it unusually dangerous and more sophisticated than the Duqu malware.
The malware targets files with the following extensions:
*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.
Victims of this malware were found in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, the United Kingdom, the United States and Venezuela.
The malware remained undetected for about seven years. According to the researchers, Mask was built to infect 32- and 64-bit Windows, Mac OS X and Linux, and there may also be versions for Android and iOS (iPhone/iPad) devices.
Its main binary contains a CAB file holding shlink32.dll and shlink64.dll; the malware extracts one of the two, depending on the architecture of the victim's machine, and installs it as objframe.dll.
It includes a highly sophisticated backdoor, SGH, designed for extensive surveillance, as well as a DINNER module that is executed via remote APC calls and reloads the 'chef' module, responsible for network connectivity, and the 'waiter' modules, responsible for all logical operations.
Another backdoor, SBD (Shadowinteger's Backdoor), built on open-source tools such as netcat, is also included. To infect Linux systems, a Mozilla Firefox plugin, "af_l_addon.xpi", hosted on "linkconf[dot]net", was used.
Spear phishing, a favourite technique of attackers such as the SEA, was used to distribute the malware. Users were lured into visiting malicious websites hosting a number of exploits that compromised their systems.
Kaspersky found linkconf.net, redirserver.net and swupdt.com hosting exploits. These sites do not infect casual visitors; instead, the attackers host the exploit in a folder that cannot be reached by browsing the site and link directly to it from the phishing email.
To make the attack look genuine, the attackers used a fake SSL certificate for an unknown company, TecSystem Ltd, valid since 2010, and sometimes subdomains that imitate newspaper sub-sections, including those of Spain's main newspapers, The Washington Post and The Register.
Kaspersky took a particular interest in this research because the malware attempted to exploit a vulnerability in its own products, namely Workstation versions prior to 6.0.4.* and KAV/KIS 8.0.
“In case of the Careto implant, the C&C communication channel is protected by two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is also passed with the data and is encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.” they said.
During the investigation the C&C servers were taken down, which suggests the attacker group was monitoring all aspects of the malware's activity. Because the attacks show no identifiable pattern, who is behind them remains a matter of investigation for the researchers.
Sunday, February 10, 2013 | Mohit Kumar
Malware is keeping pace with the age of social networking. FortiGuard Labs researchers have discovered a new malware, 'Rodpicom', that spreads via messaging applications such as Skype and MSN Messenger.
Dubbed W32/Rodpicom.A, the bot sends the victim a message containing a link to a malicious site that leads to downloadable content. When the user clicks the link, another strain of malware, known as Dorkbot, is downloaded. Once the machine is infected, it checks whether the victim is using any messaging applications such as Skype or MSN Messenger.
The malware employs new stealth tactics, including an exception-handling technique that generates its own error to dodge analysis, and an anti-emulator that defeats the heuristic scanning of antivirus software by making its code jump around several hundred times.
The malware is smart enough to check the language of the installed operating system via the country code and then customise the message sent to all of the victim's Skype contacts.
For example, if the infected computer is located in the U.S., the message reads "lol is this your new profile pic? http:// goo.gl/[removed]".
The modules implemented in this malware serve to download more malicious code, contact the command and control server, send spam, and perform a host of other bot-related activities.
Recommendation: be careful what you click on.
Monday, November 12, 2012 | Mohit Kumar
Multiple malware attacks against both Israeli and Palestinian systems, likely coming from the same source, have been seen over the last year. Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that has spent the past year deploying malicious software to spy on Israeli and Palestinian targets.
Israel has banned its police force from connecting to the internet and from using memory sticks or disks in an effort to contain a cyberattack. The ban, enacted last week, is meant to prevent a malware program called Benny Gantz-55, named after Benny Gantz, Israel's Chief of General Staff, from infecting the police computer network.
Trend Micro has obtained samples of the malware implicated in the incident. The attack began with a spammed message purporting to come from the head of the Israel Defense Forces, Benny Gantz. The From field carried the address bennygantz59(at)gmail.com, and the subject line 'IDF strikes militants in Gaza Strip following rocket barrage' was chosen to make the message look legitimate.
The attackers were serving up the XtremeRAT trojan, which was infamously used in surveillance campaigns against Syrian activists. XtremeRAT is a Remote Access Trojan that can steal information and receive commands from a remote attacker. According to Trend, the latest iterations have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities.
Looking into the source of the attacks, Norman said “What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such do not give much valid information. If that were the case, one might have expected a greater IP range and geographical distribution, but nothing is certain,”.
"In the following investigation we first found several other trojans similarly signed, then many more trojans connecting to the same command & control structure as the first batch.".
"The Command & Control structure is centered around a few dynamic DNS (DynDNS) domains that at the time of writing point to hosting services in the US."
Officials have yet to determine whether the virus is a prank or was produced by Iran's cyberwarfare programme, which has expanded rapidly since Tehran's nuclear programme was hit by the Stuxnet virus in 2010.