One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks.

Let’s see why cybercriminals are taking a closer look at these techniques, and how this can affect their actions in the near future.

In underground forums, we have seen more interest in learning how to create exploits using vulnerabilities seen in targeted attacks. The individuals who express interest are involved in creating RATs (remote access Trojans) which are used in criminal operations.

Figure 1. Post showing interest in vulnerability

There are similar levels of interest in information related to PDF exploits and vulnerabilities. Again, these are commonly seen in targeted attacks.

Figure 2. Post showing interest in vulnerability

Some of the vulnerabilities that criminals have shown interest in include:

• CVE-2010-3333 (Microsoft Office)
• CVE-2012-0158 (Microsoft Office)
• CVE-2013-0640 (Adobe Acrobat/Reader)
• CVE-2013-3906 (Microsoft Office and Windows)

New attack methods

We cannot be 100% sure about why cybercriminals have adapted these methods. However, we can say that cybercriminals will start looking into attack methods, commonly seen in targeted attacks, which may make the following possible:

• Attacking the weakest link in the chain – humans – is relatively successful. If attackers are selecting targets with relatively little IT experience, they are more likely to open an attachment that appears to come from their bosses, for instance.
• The attackers know that many systems aren’t patched. Many vulnerabilities in existence today that targeted attackers attempt exploitation on work because the systems they target aren’t patched. This makes the exploit relatively successful when utilized against unpatched systems.
• Easy access to builders and other tools make carrying out attacks easier. Even a layman or script kiddie can create malicious PDF or DOCX files, which can then be used in spear phishing attacks.
• A cybercriminal can more precisely target individuals with access to information they want. For example, if they want to gain access to personal information of a company’s employees, they would target HR personnel directly.
• These improvements can be implemented easily and at relatively little cost. Chaining together exploit documents and infostealers like the Citadel banking Trojan is fairly simple; similarly, an infrastructure similar to that used in targeted attacks can be cheaply added. They both improve the effectivity of these attacks.

In this post, we looked at the big picture as to why criminal actors are now using methods associated with targeted attacks. In a later post, we will look into an example of how a cybercriminal used these methods, and explore how he was able to gain access to his target.

In this post, we probed into why criminal actors are now using methods associated with targeted attacks. This is part of Trend Micro’s predictions for 2014, in which we present an expert’s view of the current threat landscape and how it will likely change in the near future. To know more about these, you may read Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond.

Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still attacking users, and we have now acquired a builder being used to create binaries of this campaign.

EvilGrab Builder In The Wild

What led us to the builder for EvilGrab was a binary file camouflaged as a Microsoft Word file named 最新版本的请愿书-让我们一同为书记呐喊（请修改指正).doc.exe. This is in Simplified Chinese, and roughly translates to The latest version of the petition-let us cry along with Secretary (Please correct the corrections). doc.exe. (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates to command-and-control servers (203.186.75.184 and 182.54.177.4) which are located in Hong Kong and Japan. It also installs copies of itself at startup and makes several changes to the Windows registry. All this is fairly typical for malware of this type.

However, some of the added registry entries were of special relevance:

HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings
HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\environment

These registry entries appear to be an attempt to inject itself into the processes of anti-virus products. This malware doesn’t just inject one anti-virus engine; AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all affected. Similar to the EvilGrab samples we previously discussed, this malware performs the same checks for Tencent QQ, a popular Chinese instant messaging system.

While the malware in and of itself is not particularly unusual, analyzing it did lead us to find a builder being used to generate these pieces of malware. The builder was identified in the wild and named Property4.exe.

We can see several fields that the attacker can enter in the builder. Some of the fields include:

• Assign C&C server (either IP or domain name) with port and connection interval.
• Choose a file icon (installation package icon, folder icon and document icon)
• Delete itself
• Keyboard logging
• Key logging

In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:

Figure 2. Bypassed AV software

Testing With The EvilGrab Builder

At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.

Figure 3. EvilGrab Builder

We selected the output icon to mimic a Microsoft Word document titled New.doc.exe, as seen here. Note that the Microsoft Word document icon is accurately portrayed.

Figure 4. EvilGrab test sample

In addition to the created binary,  a configuration file dropped for connection details.

Figure 5. EvilGrab configuration file

We then analyzed the test binary we had just created. We saw the same functionality demonstrated by the EvilGrab malware identified in our original blog post, including the checks for with Tencent QQ checks included. We also saw it injects its code into the legitimate svchost.exe process.

Similarities

Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.

The registry entries for instance, are nearly identical. Taking a quick sample of the registry edits  shows the similarity between the samples.

Table 1. Edited Windows registry keys

Likewise, both samples prove to have nearly identical import functions. Below, you can see a sample of some of the import functions.

Table 2. Import functions

Conclusion

We’ve found multiple samples of EvilGrab in the wild for some time now. However, with the builder available, we can develop stronger forms of protections and continue to keep our customers protected against this malware family. It also allows us to improve our threat intelligence against the actors that are using and developing it.

Some of the information we previously disclosed about EvilGrab may be found in our previous report on targeted attacks, which also covered EvilGrab.

The concern on ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, we noted recent findings, which prove that the interest in ICS/SCADA devices as attack platforms is far from waning.

We’ve all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting these systems. As proof, we noted numerous attempts aimed at the dummy ICS and SCADA devices we created during our initial research. The insights gathered from this were the basis of my talk during the Blackhat Europe 2013 last March, which later became the paper Who’s Really Attacking Your ICS Equipment?.

More importantly, this study gave us a look at the possible consequences that may occur once these devices are attacked successfully.

This time around, my latest research The SCADA That Cried Wolf: Who’s Really Attacking Your ICS Devices takes the issue of ICS/SCADA attacks further. While in my first paper we saw several threat actors attempt attacks on these fake ICS systems, this time we are now seeing several noteworthy trends. One of these is the increase in “targeted” attacks – i.e., attacks that appear to be looking into ICS devices more closely prior to executing the attack. During the study, we found malware targeting very specific applications, which can be considered more “targeted” as threat actors are now Trojanizing valid applications traditionally seen as “proprietary”.

Continuing in the same vein, we saw several attacks listed below that are interesting. The following graph shows the the origins of attack against our ICS honeypots.

Figure 1: Percentage of attacks per country

This new research also includes new details and architecture into the virtualized installments worldwide; to eight different countries and 12 different cities. I also cover the in-depth usage of Browser Exploitation Framework (BeEF) for use in attribution of attackers.

We expect that attack trends will continue to increase in the ICS arena, with increased motivation and aim. In addition, we expect that possible ransomware may start to affect the ICS arena, possibly holding devices hostage in return for payment (or ransom). With continued diligence and utilizing secure computing techniques, your ability to deflect and defend these attacks will help secure your organization. To know more about how to defend these devices, you may refer to my previous posting Protecting Your ICS/SCADA Environment.

The findings on this research provide great insight into the world of ICS/SCADA attacks. You may read the full report here.

Recently, I spoke at the Forum of Incident Response and Security Teams (FIRST) in Bangkok, Thailand on threat intelligence and incident response. The mantra throughout FIRST was “sharing to win”, the concept of which echoes throughout security got me to thinking about information sharing in the ICS/SCADA security arena. This idea of sharing thoughts and experiences led me to contribute an article in the US Department of Homeland Security’s ICS-CERT April-June 2013 Monthly Monitor.

This piece is related to the paper I wrote last March about Internet-facing SCADA systems. The issue gained prominence due to high-profile attacks such as FLAME and Stuxnet. Nonetheless, ICS/SCADA systems security remains an important topic as they are commonly used to operate important industries e.g. vehicle manufacturing, transportation, energy and water treatment plants. Attempts to attack these systems may lead to significant damages.

For this research, I developed a honeypot architecture that emulated several types of SCADA and ICS devices. These honeypots include vulnerabilities found in across similar or same systems to showcase a realistic environment.

During the research, we found some interesting information on how these attacks were conducted and where these attacks are coming from. Some of the most prominent of these attacks were attempts to bypass authentication mechanisms. An attacker also attempted to used spear-phising by sending an email to the “administrator” of the system. We noticed that the attackers demonstrated knowledge of Modbus communications protocol. However, the most worrisome part is that out of these attacks, 17 can be considered “catastrophic”.

Fortunately, there are some basic configurations considerations that can improve ICS/SCADA systems security which includes the following:

• Disable Internet access to your trusted resources, if possible.
• Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
• Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
• Require user name/password combinations for all systems, even those deemed “trustworthy.”
• Set secure login credentials and do not rely on defaults.
• Implement two-factor authentication on all trusted systems for any user account.
• Disable remote protocols that are insecure.
• Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
• Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices. See a great write-up on network segmentation here.
• Develop a threat modeling system for your organization. Understand who’s attacking you and why.

For more security measures you can implement for ICS/SCADA systems and information about my research, you can read the paper here.

In addition to my contribution, Reid Wightman of IO Active published an article that also warrants a read for those interested in ICS security.

With added text by Threat Researcher Nart Villeneuve 

Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:

• government ministries
• technology companies
• media outlets
• academic research institutions
• nongovernmental agencies

The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.