
    Author Archive - Trend Micro




    A pro-Russian group called CyberBerkut claimed responsibility for a recent hack on certain German government websites in early January. We were able to gather some information on some of its members based on Pastebin data that had been leaked by the Ukrainian nationalist political party (Pravy Sektor).

    A Background on CyberBerkut

    CyberBerkut is an organized group of pro-Russian and anti-Ukrainian hacktivists. The group’s name was derived from Ukraine’s special police force named Berkut (or “golden eagle” in Ukrainian), which was created in 1992 under the Ministry of Interior Affairs. Not only did the CyberBerkut group use the Special Forces’ designation, they also imitated their insignia. Below the CyberBerkut name reads their slogan “We Won’t forget, We won’t forgive.”

    Figure 1. Left: Ukraine’s special police force insignia; Right: CyberBerkut insignia

    Berkut was created for high-risk interventions during riots and hostage situations, similar to SWAT (Special Weapons and Tactics) teams in the United States. It was rumored, however, that the former president of Ukraine, Viktor Yanukovych, had used the Berkut for violent action against Ukrainian protesters. The unit is remembered for its violent intervention during the Euromaidan protests in November 2013.

    The Euromaidan protests marked the beginning of the CyberBerkut group, which has since been involved in a number of cyber attacks against various Western government entities. The group claims responsibility for all of its attacks on its website and social network profiles.

    Taking Credit for Attacks on German Government websites

    On January 7, 2015, CyberBerkut announced on its website, Twitter, and Facebook accounts that it had taken down the websites of Germany’s parliament and of Chancellor Angela Merkel. According to reports, the websites did not load for several hours; two days after the attack the German government announced that “they’re in the midst of getting things back to normal.”

    Figure 2. Announcement of the German government website hack on the CyberBerkut website.

    The pro-Russian hacktivist group expressed its opposition to Ukrainian independence and to the current Ukrainian government, which it accuses of creating the ongoing conflict in Crimea. CyberBerkut also accused Germany and the United States of helping Ukraine in this matter.

    Other organizations have been targeted on the same grounds, for instance in the attacks on NATO websites in March 2014, on Polish websites in August 2014, and on the Ukrainian Ministry of Defense in October 2014. In the last case, CyberBerkut claimed that the Ukrainian government had received secret information about the MH17 investigation and posted what it presented as leaked documents on its website.

    The Cyrillic version of the CyberBerkut website includes a section called “BerkutLeaks” that does not appear on the English version of the site. The section is shown in Figure 3 below.

    Figure 3. The ‘BerkutLeaks’ section of the CyberBerkut website lists several documents leaked regarding specific individuals considered as traitors.

    Who is part of CyberBerkut?

    It is difficult to identify exactly which individuals are involved in a hacktivist group, as such a group is usually composed of several people using different monikers. In the case of CyberBerkut, we know of at least four members, whose handles are “Mink,” “Artemov,” “MDV,” and “KhA.”

    On January 7, 2015, the same day as the German attack, personal information about certain members of the group was posted on Pastebin by “PravyjSektorUANationalistsUkraineAnon” of Pravy Sektor (Ukrainian right-wing activists). The Pastebin post has since been removed, but we were able to take a screenshot.

    Figure 4. Pastebin post containing information on CyberBerkut members

    Below is a rough translation of the text:

    /**
     * Members CyberBerkut tasks
     * Here are the key members CyberBerkut exposed
     * (CyberBerkut @ Cyberberkut1)
     *
     * Brought to you right quadrant
     * ##PravyjSektorUANationalistsUkraineAnon##
     **/

     —

    Full name: Alexander Ulyanov

    Aliases: MDV

    Date of Birth: 24/03/1986

    Country: Russia

    Residence: 14 Polozova Street, St. Petersburg

    I.T.B Identification: 649

    Twitter: http://twitter.com/CyberBerkut

    Notes: Found in the ITB database; he led the operation Privat. Interference in the work of the Central Election Commission of Ukraine by IFES damage to the system before the election. Temporarily blocked the work of MOI of Ukraine and the Prosecutor General of Ukraine. Temporarily blocked the work sites of TV channels “Inter” and “1 + 1”. The attacks on the NATO website. The attack on the websites of private military companies in the US.

    Full Name: Zac Olden

    Aliases: Mink, M. Rodchenko

    Date of Birth: Unknown

    Country: Australia

    Residence: Unknown

    VKontakte: http://vk.com/infiltrate

    Twitter: http://twitter.com/zacolden

     Notes: Hacking mailbox and publication of correspondence IV Kolomoiskiy with the prosecutor in Lviv region, and computer hacking and e-mail Assistant oligarch. Also lined with the contents of the archives 89 email accounts of employees of the Lviv regional prosecutor’s office. He is the leader of retribution network (http://retribution.in).

     —

    Full name: August “Artemov” Pasternak

    Aliases: Artemova, Artemov

    Date of Birth: 07/04/1994

    Country: UKRAINE

    Residence: 194, 15 Pushkin, Megeve, Dnipropetrovsk region

    I.T.B Identification: 151403

     Notes: Putting public access telephone recording Supreme representative of the European Union for Foreign Affairs and Security Policy Catherine Ashton and Foreign Minister Urmas Paet. Hacking and publication of the correspondence of the Acting Minister of Internal Affairs of Ukraine AB Avakova.

    Zac Olden aka “Mink”

    The member named Zac Olden (alias “Mink”) caught our attention, so we dug up more information on him, starting from his entry in the Pastebin post reproduced above (full name, aliases, VKontakte and Twitter accounts, and the notes on the Kolomoiskiy and Lviv prosecutor’s office email hacks).

    Our findings revealed that he has been involved in more than what is mentioned in the Pastebin post.

    Figure 5. Graph that summarizes different information about “Mink.” (Click the image above to zoom in)

    Mink uses other monikers such as “Videsh,” “Videshkin,” and “Gmr.” We found that he is a member of several Russian underground forums, including inattack.ru, antichat.ru, and damagelab, as well as the old security-focused forum rootkit.com.

    He also owns a website that is a fake version of a legitimate Australian bead online store:

    Real store: http://www.beadcotasmania.com.au

    Fake store: https://zacolden.com/

    Here are the emails addresses he uses:

    • minkrr@yandex.ru
    • alexandernot@mail.ru
    • mink@retribution.in
    • appalled@outlook.com
    • retribution@null.net
    • support@xakep.ru
    • x@k0d.biz
    • videshkin@ya.ru

    On the Russian social network Vkontakte.ru he advertises the forum k0d.cc and a website named crypting.net.

    Domains:

    • net
    • cc
    • sx
    • com
    • in

    The fake names he uses are “Kolesnikov Alexandr” and “MIKHAILOVICH RODCHENKO.” His other online profiles can be found here:

    •  http://my.mail.ru/mail/alexandernot/
    • Skype: CyberBerkut

    Mink has a Pastebin account where his various posts can be found. He appears to be somewhat paranoid about his fellow members: on October 14, 2014, he declared “MDV” a traitor and released information about him, which can be found at the following Pastebin link: http://pastebin.com/DYhPfTSx

    He also did the same thing to “artemova” on Jun 16th 2014, with the information found at this Pastebin link: http://pastebin.com/2LY7isZ8

    Regarding CyberBerkut websites, we found the following information:

    Figure 6. CyberBerkut.net has been registered using the above information.

    Figure 7. Information about the domains associated with CyberBerkut.net. Click the image above to zoom in.

    Little information is available about the domains, as they sit behind CloudFlare’s infrastructure.

    How does CyberBerkut Perform Their DDoS Attacks?

    On May 14, 2014, CyberBerkut posted a new message on its VK profile asking for volunteers to join the battle against Ukraine by running a DDoS tool dubbed ClientPort. The tool came in two versions, one for Windows and one for Linux. The attack was allegedly scheduled for May 14, 2014 at 10 AM. The group also asked those joining the attack to visit its website (http://cyber-berkut.org/army.php) to download the tool.


    Figure 8. Original VK post


    Figure 9. Original page of http://cyber-berkut.org/army.php

    We were able to get a copy of both versions of the ClientPort tool. ClientPort connects to Tor and then contacts epwokus5rkeekoyh.onion to retrieve the domain name that should be targeted. It can perform HTTP connection flooding, UDP flooding, and TCP flooding. This is a typical case of a botnet by agreement: the participants knowingly install the tool. We suspect that the latest DDoS attacks may have been carried out the same way, by recruiting pro-Russian volunteers to join the cause. Volunteers are recruited via the group’s social network profiles on VK, Odnoklassniki, and any other network where CyberBerkut has pages:

    • http://ok.ru/kiberberkut
    • http://vk.com/cyberberkut1
    • https://twitter.com/cyberberkut2
    • https://www.facebook.com/cyberberkut3
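    The recruiting model above is also what a defender sees on the wire: many volunteer hosts each hammering the same target. The following is an added example (not code from the original post, nor CyberBerkut’s or Trend Micro’s tooling) of the detection side: a sliding-window counter over Apache/nginx combined-format access log lines that flags any source exceeding a request threshold within a short window. The log lines are constructed, and the 10-second window and 20-request threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_s=10, max_hits=20):
    """Flag sources with more than max_hits requests inside any window_s-second span.

    Lines are consumed in log order. Each source keeps a deque of the
    timestamps still inside the window, so memory is bounded by the request
    rate rather than the log size. Returns {ip: peak_requests_in_window}.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash
            continue
        ip, ts, _req = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()             # expire timestamps that left the window
        if len(q) > max_hits:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def sample_log():
    """Constructed sample (not a real capture): one normal client and one flooder."""
    base = datetime(2014, 5, 14, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, ts):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    # a browsing client: five requests spread over two minutes
    lines = [entry("10.0.0.5", base + timedelta(seconds=30 * i)) for i in range(5)]
    # an HTTP connection flood: 30 requests from one source within 3 seconds
    lines += [entry("203.0.113.7", base + timedelta(seconds=i // 10)) for i in range(30)]
    lines.append("this line is not in combined format")
    return lines


if __name__ == "__main__":
    for ip, n in detect_floods(sample_log()).items():
        print(f"flood suspect {ip}: {n} requests in a 10 s window")
```

    In a volunteer botnet each participant is comparatively slow, so the threshold that catches a single ClientPort instance is lower than the one used against a single high-rate attacker; pairing this per-source count with a count of total requests per target URL covers the distributed case.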

    Conclusion

    CyberBerkut members are first and foremost pro-Russian cybercriminals fighting for a political cause. As with most hacktivist groups, they use distributed denial-of-service (DDoS) attacks to take down or disrupt official government websites, and they also infect specific targets in order to harvest email credentials and read the targets’ communications and documents. The malware used for this could be a Trojan, a keylogger, or any other tool that yields the victims’ email credentials.

    CyberBerkut’s attacks clearly fall under the targeted attack umbrella, as they are politically motivated and directed at specific targets.

     
    Posted in Targeted Attacks. Post title: Hacktivist Group CyberBerkut Behind Attacks on German Official Websites



    We noticed a recent influx of crypto-ransomware spreading in Australia. This wave resembles the spike in infections in the Europe/Middle East/Africa (EMEA) region we wrote about in early December. After further research and analysis, we concluded that the attackers behind these incidents could belong to the same cybercriminal gang, because the IP addresses involved overlap.

    Infection Vectors

    Our analysis shows that the family-based pattern that identified the TorrentLocker malware that hit Australia also identified the outbreaks in Turkey, Italy, and France.

    We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA and shows similar payment pages for these countries. If users are not located in a targeted country, a generic English-language web page appears and the ransom is demanded in US dollars. Below is a series of screenshots displayed by the TorrentLocker malware, which incorrectly tells victims that it is the “CryptoLocker virus.”

    Figure 1. Payment demands for various victims depending on their geo-locations.

    In Australia, the base price is A$598, and the ransom page warns that the price will double four days after the user is given the Bitcoin address.

    Examples of the IPs hosting TorrentLocker phishing domains for various countries include 31.41.218.229, which hosts pages impersonating both Australia Post and Turkey’s TTNET, and 193.124.16.16, which hosted the SDA Express TorrentLocker domains.


     
    Posted in Malware. Post title: Recent Crypto-Ransomware Attacks: A Global Threat



    Earlier this month, security researchers discovered a new PoS malware family, which they named “LusyPOS” after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they mentioned that it had some characteristics linked to the Dexter family of PoS malware. It also had behavior similar to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to connect to its command-and-control (C&C) servers.

    However, we believe that LusyPOS is more clearly related to Dexter than it is to Chewbacca, despite the usage of Tor. Dexter and Chewbacca have very distinct text strings used within their code. For example, some variable names are used in Dexter’s code which are not found in Chewbacca. Dexter is one of the most popular and long-running PoS malware families, and we closely monitor this particular threat in order to help protect our customers.

    We’d earlier documented these names – and their uses – in our previous paper analyzing existing PoS malware families. Some of the strings that were identified in LusyPOS were also found in Dexter. For example, the following strings are known to be HTTP POST variables used by Dexter:

    • page
    • ump
    • ks
    • opt
    • unm
    • cnm
    • view
    • spec
    • query
    • val
    • var
    • nbsp

    Similarly, the following are commands that are known to be processed by Dexter:

    • download
    • update
    • checkin
    • scanin
    • uninstall

    The same paper also contains strings used by Chewbacca; however the analysis of LusyPOS did not indicate these strings are present.
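    As an added example (not the original researchers’ or Trend Micro’s code), the following Python scores a URL-encoded HTTP POST body by how many of the Dexter field names listed above it carries, and pulls the listed commands out of a C&C response. The field and command names are taken from the two lists above; the sample beacon, login form and response text are constructed, and the scoring thresholds and the one-command-per-line response layout are assumptions for the example, not Dexter’s actual protocol format.

```python
from urllib.parse import parse_qs

# HTTP POST variable names the post lists as used by Dexter's C&C check-in.
DEXTER_FIELDS = frozenset(
    ["page", "ump", "ks", "opt", "unm", "cnm", "view", "spec", "query", "val", "var", "nbsp"]
)
# Commands the post lists as processed by Dexter (returned by the C&C).
DEXTER_COMMANDS = frozenset(["download", "update", "checkin", "scanin", "uninstall"])


def dexter_field_score(body):
    """Return (matched_field_names, fraction_of_fields_matched) for a POST body.

    keep_blank_values keeps fields that carry no value, which beacons often
    send; the fraction is matched fields divided by all fields in the body.
    """
    fields = set(parse_qs(body, keep_blank_values=True))
    if not fields:
        return set(), 0.0
    matched = fields & DEXTER_FIELDS
    return matched, len(matched) / len(fields)


def looks_like_dexter(body, min_fields=4, min_fraction=0.6):
    """Assumed heuristic: several Dexter names present AND they dominate the body.

    Requiring both keeps a normal web form that happens to use 'page' or
    'view' from matching.
    """
    matched, frac = dexter_field_score(body)
    return len(matched) >= min_fields and frac >= min_fraction


def extract_commands(response_text):
    """Pull Dexter-style command tokens from a C&C response.

    Assumed layout: one '<command>[:<argument>]' per line. Tokens outside
    DEXTER_COMMANDS are ignored so comments or noise do not produce hits.
    """
    cmds = []
    for line in response_text.splitlines():
        token = line.strip().split(":", 1)[0].lower()
        if token in DEXTER_COMMANDS:
            cmds.append(token)
    return cmds


# Constructed samples (not captured traffic).
BEACON_BODY = (
    "page=abc123&ump=ZGVtbw==&opt=1&unm=posuser&cnm=REGISTER1"
    "&view=7&spec=x&query=y&val=z&var=w"
)
LOGIN_BODY = "username=alice&password=s3cret&remember=1"
RESPONSE = "checkin:ok\nupdate:http://example.invalid/x\n# noise\nreboot"

if __name__ == "__main__":
    for name, body in (("beacon", BEACON_BODY), ("login", LOGIN_BODY)):
        matched, frac = dexter_field_score(body)
        print(f"{name}: {len(matched)} Dexter fields, {frac:.0%} of body, "
              f"dexter={looks_like_dexter(body)}")
    print("commands:", extract_commands(RESPONSE))
```

    The same field set is what a web proxy or IDS rule would key on; a proxy that decodes the body can apply the fraction test, while a signature engine would match on the co-occurrence of several of these names in one request.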

    So what does this mean? The information suggests that this new LusyPOS malware family is more closely related to Dexter than to Chewbacca. It is possible that LusyPOS is a new Dexter variant that has copied the Tor behavior of the newer PoS malware family. Considering the recognized threat that Dexter poses, this is a significant addition to the repertoire of existing PoS threats, and such a capability would be welcomed by cybercriminals, particularly during this time of year.

    The original researchers note that it would be highly abnormal for PoS systems to connect to the Tor network, which is correct. Appropriate firewalls and other network solutions can be used to spot and block this activity as it is found.
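    As an added example of the firewall-side check described above (not code from the original researchers or Trend Micro): given connection log lines from a firewall and a list of Tor relay addresses, the Python below flags every connection that originates in the PoS network segment and either reaches a known relay or uses Tor’s default ORPort/DirPort, and turns the hits into iptables drop rules. The log line format, the PoS subnet 10.20.0.0/24 and the relay addresses are constructed stand-ins; in production the relay set is refreshed from the current Tor consensus.

```python
import ipaddress

# Constructed stand-in for a Tor relay list; a real deployment refreshes this
# from the Tor consensus (relay descriptors or the published exit list).
TOR_RELAYS = {"198.51.100.10", "198.51.100.11"}
# Default Tor ORPort and DirPort. Relays also commonly listen on 443/80,
# which is why the relay-address check matters more than the port check.
TOR_PORTS = {9001, 9030}
# Assumed PoS segment for this example.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")


def parse_conn(line):
    """Parse a constructed 'timestamp src dst dport proto' firewall log line."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "dport": int(dport), "proto": proto}


def tor_alerts(lines):
    """Return (src, dst, dport, reasons) for PoS-originated Tor-looking connections.

    Only sources inside POS_SUBNET are judged; hosts elsewhere may use Tor
    legitimately. A hit on a known relay is the strong signal, a Tor default
    port alone is weaker, and both reasons are reported so an analyst can
    weigh them.
    """
    alerts = []
    for line in lines:
        c = parse_conn(line)
        if c["src"] not in POS_SUBNET:
            continue
        reasons = []
        if c["dst"] in TOR_RELAYS:
            reasons.append("known-relay")
        if c["dport"] in TOR_PORTS:
            reasons.append("tor-default-port")
        if reasons:
            alerts.append((str(c["src"]), c["dst"], c["dport"], reasons))
    return alerts


def block_rules(alerts):
    """Turn alerts into iptables FORWARD drops for the PoS segment, one per destination."""
    rules = []
    for _src, dst, _port, _reasons in alerts:
        rule = f"iptables -A FORWARD -s {POS_SUBNET} -d {dst} -j DROP"
        if rule not in rules:
            rules.append(rule)
    return rules


# Constructed firewall log (not a real capture).
SAMPLE_LOG = [
    "2014-12-09T01:00:00Z 10.20.0.15 198.51.100.10 443 tcp",   # PoS -> relay on 443
    "2014-12-09T01:00:05Z 10.20.0.15 203.0.113.50 9001 tcp",   # PoS -> unknown host, ORPort
    "2014-12-09T01:00:09Z 10.20.0.16 192.0.2.80 443 tcp",      # PoS -> payment gateway (assumed)
    "2014-12-09T01:00:12Z 10.30.0.7 198.51.100.11 9001 tcp",   # office host -> relay, out of scope
]

if __name__ == "__main__":
    hits = tor_alerts(SAMPLE_LOG)
    for a in hits:
        print("ALERT", a)
    for r in block_rules(hits):
        print(r)
```

    A stricter and simpler policy for a PoS segment is a default-deny egress rule with an allow list of payment processors and update servers, in which case the detector above only needs to report the denied attempts.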

    Update as of 1:00 A.M. PST, December 10, 2014

    We have edited this entry to clarify the reference to the relationship between LusyPOS and Chewbacca.

     



    Our report on the threats seen in 3Q 2014 shows that, once again, software vulnerabilities are the most favored cybercriminal targets. The second quarter’s infamous Heartbleed vulnerability was followed by another serious vulnerability in open-source software: Shellshock. Having gone unnoticed for years, the Shellshock incident suggests that there may be more vulnerabilities in Bash or in applications previously thought safe. Below is a timeline of the Shellshock-related events.

    Figure 1. A timeline of events that illustrate the Shellshock exploitation that took place last quarter.

    Apart from threatening to wreak havoc on over half a billion servers and Linux and UNIX systems worldwide, Shellshock also proves that cybercriminals and attackers still target systems that users may tend to overlook. Case in point, the third quarter also exposed several loopholes in point-of-sale (PoS) systems, whose threats appear to be growing as evidenced by last quarter’s Home Depot data breach.

    Vulnerabilities were also seen in Android-based devices, with over 75% of Android users affected by both the FakeID vulnerability and the Android browser flaws. Here is a breakdown of the Android OS versions affected by these vulnerabilities, which we also included in our report:

    Figure 2. Android Operating Systems Affected by FakeID and Android Browser Vulnerabilities.

     

    Apart from targeting the mobile platform, threat actors also used vulnerabilities to launch targeted attacks, which signals a dire need for network administrators to be able to spot indicators of compromise (IOCs) and implement effective network monitoring.

    For more details about these and other security threats in the third quarter, check our security roundup titled Vulnerabilities Under Attack: Shedding Light on the Growing Attack Surface.

     
    Posted in Bad Sites, Exploits, Malware, Mobile, Targeted Attacks, Vulnerabilities. Post title: 3Q 2014 Security Roundup: Vulnerabilities Under Attack



    Recent reports have implicated a sophisticated piece of malware known as Regin in targeted attacks in various countries. Regin was described as being highly sophisticated and designed to carry out long-term stealthy surveillance on would-be victims at the behest of its creators, who have been suggested to be nation-states. Telecommunication companies are believed to have been the primary targets of this attack.

    How long Regin has been active is unclear. Timestamps of files associated with Regin vary in some reports. Some place the attack in 2003, while others say it started in 2006, 2008, or 2011. Known victims include a Belgian telephone company, leading to suspicions about the threat actors behind this attack.

    While overall Regin is a well-crafted and designed attack, in our threat monitoring, we note that many of its techniques have been used in other attacks before. In addition, the overall goal of this attack remains the same: to steal information from the target and do so while remaining stealthy.

    The graphic below outlines some of the advanced techniques we believe that were used by Regin:

    Figure 1. Advanced techniques used by Regin

    As one can see, very few of the techniques used by Regin were completely without precedent in one form or another. The techniques appear to have been chosen to maximize stealth; this allows an attacker to maintain a long-term presence on an affected system, which is an effective position from which to gather information.

    We will continue to watch out for developments related to this threat and release updates as necessary.

     

     


     
