Dec 18 2017

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.

Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

Going Beyond Energy

Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.

We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and exploits of supply-chain technologies via previous campaigns. By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.

Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they connect either to a control server if the risk is minimal or use an internal compromised server to conduct operations.

The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.

One of the starting points was a Trojan in the 2017 campaign with the following hashes:

  • MD5: da9d8c78efe0c6c8be70e6b857400fb1
  • SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9

Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:

  • MD5: 4bfdda1a5f21d56afdc2060b9ce5a170
  • SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4
  • Filename: fl.exe

The file was downloaded after a Java exploit executed on the victim’s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable’s resources were in Russian.

Comparing the code, we find the 2017 sample has a large percentage of the same code as the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in the application TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating the code and in-memory execution, the attackers avoid detection and leave no trace on disk.

The correlating hash we discovered that contained the same TeamViewer code was reported by Crysys, a Hungarian security company. In their report on about ‘“TeamSpy,” they mentioned the hash we correlated as well: 708ceccae2c27e32637fd29451aef4a5. This particular sample had the following compile date details: 2011:09:07 – 09:27:58+01:00

The TeamSpy attacks were originally aimed at political and human right activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?

But that’s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let’s look at an example of the code similarities we discovered:

A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.

Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.

The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.

Actor Sophistication

Our analysis of this attack tells a story about the actors’ capability and skills. Their attack precision is very good; they know whom and what to attack, using a variety of efforts. Their focus is on Windows systems and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code in their campaigns.

How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories; we have  mentioned a few. The Dragonfly group is in the top echelon of targeting attackers; it is critical that those in the targeted sectors be aware of them.

The Dragonfly group is most likely after intellectual property or insights into the sector they target, with the ability to take offensive disruptive and destructive action, as was reported in the 2015 attack on the Ukrainian power grid by a BlackEnergy malware family.

 

We would like to thank the team at Intezer for their assistance and support during our research.

The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.

Dec 13 2017

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

Operating Structure

The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.

 

Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members.  Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

Training program offered by an underground hacker.

Products

The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay.  However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit

Conclusion

The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations.  They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.

 

Follow all our research and stories like these on Twitter at @McAfee_Labs.

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

Nov 10 2017

Latest Intelligence for October 2017

Symantec research shows users to be twice as likely to encounter threats through email as any other infection vector, and the spam rate declines slightly for the second month in a row.

続きを読む
Oct 12 2017

Taiwan Bank Heist and the Role of Pseudo Ransomware

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States. Recent reports from Sri Lanka say that two individuals have been arrested for suspected money laundering after a tip-off from the Bank of Ceylon, which reported a suspicious transfer of $1.2 million from the Far Eastern International Bank.

On Saturday October 7, Far Eastern International Bank reported that it had recovered most of the money and that overall losses could reach $500,000.

How did the attack happen?

Based on the initial intelligence we have received, the first direct interaction with the victim began with spear phishing attacks that contained “backdoor” attachments.

Figures 1 and 2 provide some examples of the attachments.

Figure 1: Spear phishing attachment.

Figure 2: Spear phishing attachment.

When the victim clicks on the link, they are redirected to a malicious site that downloads additional files to the victim’s computer. One example of these malicious sites is hxxps://jobsbankbd.com/maliciousfilename.exe.

This site hosts another backdoor that gives the criminals access to the victim’s system in the bank.

Once the criminals gain access to the systems, our initial analysis reveals that the attackers harvested credentials. This was confirmed by evidence we found in a sample that contained the following credentials from the bank:

  • FEIB\SPUSER14
  • FEIB\scomadmin

These credentials are used to create a scheduled task on the system and monitor the running of endpoint security services. (This does not indicate a problem with the security software, only that the attackers did their research and took measures to take out the security software being run within the bank.) We have notified the security provider, and have provided all of our research to date.

Besides the scheduled task and credentials, we discovered another interesting piece of code. Inside the sample was the resource “IMAGE,” which seemed to be a zip file. Once extracted, we found the file aa.txt. Although this appeared to be a text file, it was really an executable.

The file contains code that scans for the installed languages, especially:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

If these languages are detected, the file will not run. We have seen this behavior before in ransomware families.

When analyzing the strings of this particular file, we discovered some interesting ones:

  • HERMES 2.1 TEST BUILD, press ok
  • HERMES

When executed, the file proved to be ransomware. However, no note or wallpaper indicated that this was ransomware. After the file finished running, only one thing appeared on the desktop:

Figure 3: The final screen of this pseudo ransomware.

And in every directory a file:

The original Hermes ransomware note points toward this file; but in our case, we saw no note, nor demand for ransom. The Hermes ransomware family surfaced in February:

We suspect that this is another example of pseudo ransomware. Was the ransomware used to distract the real purpose of this attack? We strongly believe so.

Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.

Where next?

Clearly this was a very carefully crafted attack, and specifically targeted at one bank. The attackers identified specific individuals to email, and understood the security measures being deployed. Although the samples we identified are now covered by our security products, we urge caution in anyone assuming that “I am protected.” The criminals took their time to understand how the bank works and developed the necessary code to enable them to steal millions. An effective security posture must anticipate such highly skilled attackers.

Because this is related an active law enforcement investigation, we are limiting what information we publicly share and will publish further updates only if that does not conflict with a current investigation.

The post Taiwan Bank Heist and the Role of Pseudo Ransomware appeared first on McAfee Blogs.