
    Author Archive - Feike Hacquebord (Senior Threat Researcher)




    Long-running APT campaign Operation Pawn Storm has begun the year with a bang, introducing new infrastructure and zeroing in on targets including North Atlantic Treaty Organization (NATO) members and even the White House. This is according to the latest intelligence gleaned from Trend Micro’s ongoing research into the attack group, and comes as a follow-up to our widely publicized October 2014 report.

    Operation Pawn Storm: A Background

    Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

    The operation is run by a determined group of threat actors active since at least 2007 with a very specific modus operandi. We named it Pawn Storm because the attackers use multiple connected tools and tactics to hit a specific target, a strategy mirroring the chess move of the same name.

    The group used three very distinct attack scenarios. One was to send spear-phishing emails with malicious Microsoft® Office documents containing the information-stealing SEDNIT/Sofacy malware. Another was to inject selective exploits into legitimate Polish government websites, leading to the same malware. A final strategy was to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.

    Pawn Storm targeted mainly military, government and media organizations in the United States and its allies. We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government.

    We also observed another update to Pawn Storm’s operations in February this year and found an iOS espionage app targeting Apple users.

    What’s New with Operation Pawn Storm?

    The first quarter of 2015 has seen a great deal of activity from the group. Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.

    In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link.

    Figure 1. Sample spear-phishing email

    In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.

    The emails usually have a link to what looks like a legitimate news site. When the target clicks on the link, the browser first loads a fingerprinting script that feeds details such as OS, time zone, browser and installed plugins back to the attackers. When certain criteria are met, the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site. The add-on in question turns out to be a version of the X-Agent or Fysbis spyware for Linux users, and Sednit for users running Windows.

    Figure 2. Screenshot of malicious HTML5 plugin

    Same Old Tricks

    Pawn Storm threat actors are also continuing with their phishing strategy. In fact, in autumn 2014 they set up a fake OWA webmail for a large US company which sells nuclear fuel to power stations.

    Figure 3. Fake webmail login page of US company selling nuclear fuel

    It’s not hard to see that a successful breach of this firm could lead to serious consequences. Other fake OWA servers include new ones targeting the armed forces of two European NATO members. A fake version of the webmail system of the NATO Liaison in the Ukraine was also put online in February this year.

    White House Under Attack

    Trend Micro has gathered evidence that the same group is eyeing the White House as a target. They targeted three popular YouTube bloggers with a Gmail phishing attack on January 26, 2015, four days after the bloggers had interviewed president Obama at the White House. This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place.

    In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.

    Organizations must remain on high alert for these kinds of attacks, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate. Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.



    In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages.

    What’s most notable about this is that it is simple, effective, and can be easily replicated. Through one line of simple JavaScript code, the millions of Outlook Web Access (OWA) users are placed at risk of becoming victims of a clever but simple phishing attack. No exploits or vulnerabilities are used here; only a feature of JavaScript, the preview pane of Microsoft’s OWA and two typosquatted domains are needed. We have seen this kind of phishing attack being used against US defense companies like Academi (formerly known as Blackwater), SAIC and the OSCE.

    How it works

    To target defense company Academi, the attacker registered two typosquatted domain names:

    1. tolonevvs[dot]com (real domain: tolonews.com, a news site about Afghanistan)
    2. academl[dot]com (real company domain: academi.com)

    A link to the typosquatted news domain is then sent to Academi through spear-phishing emails, to a very limited number of employees who might actually expect to receive email notifications from tolonews.com.

    When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site. From the target’s perspective, their browser will look like this:


    Figure 1. The real news site opened in a new tab after clicking the typosquatted domain (Click to enlarge)

    This may seem harmless, but there is more to this than just an opened tab to a news site. The typosquatted domain tolonevvs.com actually contained mildly obfuscated JavaScript code:


    Figure 2. JavaScript code in the typosquatted domain, tolonevvs.com

    This JavaScript is not malicious in itself: it simply sets the location of the window.opener property (the tab that opened the new tab) to point to a URL:

    window.opener.location = "hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd"

    What this means is that the legitimate URL of the original OWA session in the first tab of the browser gets changed to the URL of the fake OWA server set up by the attacker, which in this case is mail[dot]academl[dot]com. When the victim is done with reading the news and he returns to his OWA session, he will see this:


    Figure 3. Phishing site opened in the original OWA tab

    At this point, the target is likely to believe that while reading the news on the legitimate website tolonews.com, the OWA server logged him out. The truth, however, is that if the target enters his/her credentials again, his/her information will then be captured by the attacker.

    For the complete details on the attacks we saw using this technique, please check out our paper, Operation Pawn Storm.

    Not Limited to Operation Pawn Storm or OWA

    Although we did see this technique used in a certain operation, basically any company with an OWA web server is at risk of becoming a victim of this kind of phishing attack. Even two-factor authentication might not prevent a one-time complete download of the victim’s mailbox. The only safe way to prevent this kind of attack is to turn off the preview pane in OWA.

    Users of web mail services other than OWA are also at risk. For example, we verified that Gmail users who read their e-mail in Safari, and Yahoo e-mail users who read their e-mail in Safari or Firefox, could become victims of a similar phishing trick. Users are strongly recommended to be very careful when entering their information into login pages, and to make sure that they are logging into the correct site and not a typosquatted one.



    An iPad with a retina display, a blue iPhone and a Beats by Dr. Dre headphone set, please.

    This may read like a Christmas wish list of a spoiled child, but there’s more: a red dot aimpoint for a rifle, six high-end hard drives from Intel, a GPS rescue device for sailors. These are uncommon requests for Santa Claus to receive, even from adults. This list is real though, and part of a much longer wish list of money launderers who instruct mules to ship expensive goods to Russia.

    We’ve been following a group of cybercriminals who launder stolen money in a couple of ways.  Typically, a money mule receives a wire transfer from a compromised account. Then, he is instructed to send the money overseas, using a legitimate money transfer system like Western Union. The other method they use tricks Internet users into believing they are going to work for a legitimate company that ships expensive goods like iPhones out of the US. In reality, these users will start to work for cybercriminals.


    Figure 1. Typical reshipping fraud site

    They are asked to receive expensive equipment at their US home address and then ship these goods to a second address, which is also in the US. From there, the goods are repackaged and sent to an address in Russia by a second mule. Initially, the mules are requested to pay the costs of the shipments themselves. After 10 successful shipments, they supposedly can reimburse expenses and are promised an extra bonus on top of their base salary. We think these reimbursements and salary payments never happen.

    Internal documentation of the money launderers suggests that their employees are indeed not treated very well. First, they are described as “drops” and second, they cannot expect to keep their job longer than 20 days. An internal note says: “the optimal time to work with a drop is 20 days.  An order made close to or after 20 days is not likely to succeed.” After 20 days the drops get dropped themselves.

    This cynical way of using throw-away workers extends to Russia. All steps for dealing with the drops in the West are clearly written in Russian documentation, which we were able to download. This documentation could be for a cybercriminal who cannot memorize a thing, but we think they are meant as a guideline for temporary Russian-speaking personnel that constantly get renewed, just like their unfortunate colleagues in the US. Also, somebody has to be on the receiving end of the parcels that are sent to Russia and the Ukraine. It is likely these workers are temporary and get replaced when the money launderers think they pose a risk to their operations.

    The internal documentation of the money launderers clearly explains in Russian how to instruct drops in the West. A new drop should first complete a test order. If that doesn’t happen within 5 days, the drop is considered “dead”. All goods that get ordered should be worth more than $300. Internet users who realize they got hired as drops for illegal purposes are clearly marked as “not trustworthy” or “not willing to work”: no parcels should be sent to them.

    In Table 1 we summarized the items that were shipped by a couple of hundred mules. In total, the shipped items are worth about $500,000 and, as far as we can tell, all parcels were sent either to a suburb of Moscow or to Kiev, Ukraine.


    Table 1. Money Launderers’ list of popular items

    The money launderers seem to take special orders too. Some months ago, they shipped hundreds of aimpoints for close range combat. These aimpoints are the more expensive red dot models for which export restrictions apply. More recently, numerous GPS units are being shipped to Russia. For these units there are export restrictions as well. Because of the export restrictions, the aimpoints and GPS units could be sold at a premium outside the US by the money launderers.

    These launderers have an extensive network of reverse proxies where they host their mule recruitment sites. Trend Micro’s Smart Protection Network blocks these sites, so that customers won’t become a victim of reshipping fraud.

    Posted in Bad Sites | The Wish List of Money Launderers



    Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch-speaking users and used the Tor network for its command-and-control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers.

    Leave No Trace

    The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden C&C servers. They had a tormail.org account for e-mail communications and they used underground crypting services to evade detection from antivirus software. The digital currency Bitcoin was used to launder their stolen money and make payments to fellow cybercriminals.

    These made investigation into the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

    Masked and (Not So) Anonymous

    We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

    More importantly, the gang faced a classic problem, which their pre-Internet fellow thieves have also faced: stealing money is the easy part. Getting stolen money into your pocket as your own is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer, but you need mules for laundering stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange, which went dark after the arrests.

    Buying a service from a crypting service, using tormail.org, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

    Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

    The Mevade botnet, responsible for a sudden increase of Tor users in August 2013, was traced back by us to be the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor for stealing money from Dutch Internet users. We congratulate our friends at NHTCU on this great and impressive result.

    Posted in Malware | Dutch TorRAT Threat Actors Arrested



    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date to run en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command-and-control server must be the reason for the sudden increase of Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade also has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high.

    Posted in Bad Sites, Malware | The Mysterious Mevade Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved.