IC3 Issues Alert on CryptoWall Ransomware

Original release date: June 23, 2015

The Internet Crime Complaint Center (IC3) has issued an alert warning that U.S. individuals and businesses are still at risk of CryptoWall ransomware fraud. Scam operators use ransomware—a type of malicious software—to infect a device and restrict access until a ransom fee is paid. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee files will be released.

US-CERT encourages users and administrators to review the IC3 Alert for details and refer to the US-CERT Alert TA-295A for information on crypto ransomware.


WikiLeaks publishes top secret NSA briefs showing US spied on France

On Tuesday, WikiLeaks published five top secret documents definitively showing that the National Security Agency has been spying on French President François Hollande, and his two immediate predecessors, Nicolas Sarkozy, and Jacques Chirac, among other top officials.

The documents, as WikiLeaks released them, include excerpts of five intelligence briefs that contain descriptions of what was intercepted, "taken from various editions of the National Security Agency's Top Secret Global SIGINT Highlights executive briefings." This wording suggests that WikiLeaks holds more complete intelligence briefs that it did not publish, an unusual move for the group. WikiLeaks also published a chart showing a list of redacted phone numbers of those officials.

One, dated March 24, 2010, includes notes from a conversation between two top French officials:


Stealthy Cyberespionage Campaign Attacks With Social Engineering

Cyberespionage attacks pose a challenge for the security industry as well as for the organizations trying to protect against them. Last year, McAfee Labs predicted that in 2015 these attacks would increase in frequency and become stealthier, and we have seen this occur. Cyberespionage aims at specific organizations or sectors that are high-value targets, with most attacks flying under the radar.

The McAfee Labs research team has tracked an advanced persistent threat for the past couple of months. This group has evolved considerably in sophistication and in the evasion techniques it uses to defeat detection by security products. The group has been active since at least 2014 and uses spear-phishing campaigns to target enterprises. We have observed it targeting defense, aerospace, and legal sector companies.


The Attack

The preceding email provides a clear indication that the attackers have researched their target and its employees. Social media sites such as LinkedIn, Twitter, and Facebook are good sources of such valuable information, which can be used for social-engineering attacks.

The Excel attachment opens with a “password protected” window, tricking the victim into believing the file requires a password to display the content.

Password prompt

The Excel file is laced with a malicious macro that runs in the background. To prevent easy detection, the macro is obfuscated using Base64. The Excel file drops an .hta file, which contains the backdoor functionality.

This attack uses some novel techniques:

  • A JavaScript backdoor component, unlike most exploits or malicious Office files, which use an embedded or a direct download of a binary.
  • The JavaScript backdoor is obfuscated and dropped to %Appdata%\Microsoft\Protect\CRED. It persists on the machine using a registry run entry created by the mshta application.
  • The launched window is hidden using the JavaScript command “window.moveTo(-100,-100), window.resizeTo(0,0).”
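The persistence described above (a Run-key value that launches mshta with an .hta file out of the %Appdata%\Microsoft\Protect\CRED directory) is something a responder can hunt for directly. The following is an added example, not McAfee's code: it triages exported Run-key values and reports why each one looks like this backdoor's autostart. The sample entries, user name and .hta file names are constructed for the example; only the mshta/.hta/drop-directory pattern comes from the post.

```python
import re
from typing import Dict, List

# Constructed Run-key entries (value name, command line) for illustration.
# Only the mshta + .hta + %Appdata%\Microsoft\Protect\CRED pattern comes from the
# post; the file names, user name and the benign entries are made up here.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CRED", r'mshta.exe "C:\Users\alice\AppData\Roaming\Microsoft\Protect\CRED\update.hta"'),
    ("Updater", r'C:\Windows\System32\mshta.exe C:\Users\alice\AppData\Roaming\Microsoft\Protect\CRED\x.hta'),
    ("SecurityHealth", r'%windir%\system32\SecurityHealthSystray.exe'),
]

# mshta.exe is the Windows HTML Application host; a Run entry that launches it is
# rare for legitimate software and is the persistence mechanism the post describes.
MSHTA_RE = re.compile(r'(?:^|[\\\s"])mshta(?:\.exe)?\b', re.IGNORECASE)
HTA_ARG_RE = re.compile(r'[^\s"]+\.hta\b', re.IGNORECASE)
# %Appdata% expands to <profile>\AppData\Roaming, so the drop directory from the post
# appears in a resolved command line as ...\AppData\Roaming\Microsoft\Protect\CRED\.
DROP_DIR_RE = re.compile(
    r'(?:%appdata%|\\AppData\\Roaming)\\Microsoft\\Protect\\CRED\\', re.IGNORECASE)


def triage_run_entry(name: str, command: str) -> Dict[str, object]:
    """Return the reasons a single Run-key value looks like the JS backdoor's persistence."""
    reasons: List[str] = []
    if MSHTA_RE.search(command):
        reasons.append("launches mshta.exe")
    hta = HTA_ARG_RE.search(command)
    if hta:
        reasons.append(f"runs an .hta file: {hta.group(0)}")
    if DROP_DIR_RE.search(command):
        reasons.append("path is the %Appdata%\\Microsoft\\Protect\\CRED drop directory")
    return {"name": name, "command": command, "reasons": reasons, "suspicious": bool(reasons)}


def find_suspicious(entries) -> List[Dict[str, object]]:
    """Triage every (name, command) pair and keep only the flagged ones."""
    return [r for r in (triage_run_entry(n, c) for n, c in entries) if r["suspicious"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RUN_ENTRIES):
        print(f"{hit['name']}: {hit['command']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Any single reason is enough to flag an entry, since a Run value invoking mshta or an .hta file from a user-writable profile directory deserves a look regardless of the exact path; the drop-directory check simply adds confidence that it is this campaign.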


JavaScript backdoor capabilities

The attack minimizes its footprint by running only a script, which has a lower chance of being flagged as malicious. Some of the backdoor capabilities:

  • Querying system information using WMI.
  • Using a proxy server for connections.
  • Downloading and executing remote files.
  • Using file/directory/network/process/registry and system operations.


Control servers

The WMI queries collect system-related data. The following parameters are collected and Base64 encoded before posting to the control servers:

  • Hash of volume serial number
  • Computer name
  • IP address
  • Current username
  • Operating system
  • Proxy server

The JavaScript backdoor connects to a gateway that receives additional commands from the attacker. Some of the control servers:

  • hxxp://humans.mooo[.]info/common[.]php
  • hxxp://mines.port0[.]org/common[.]php
  • hxxp://eholidays.mooo[.]com/common[.]php

One of the attacker’s first actions is to profile the infected host by executing commands that display a list of domains, computers, or resources shared by the specified computer (using the net view command). This is followed by gathering more information about the files on the desktop and other drives. An attacker can use this information for further lateral movement. All the data is posted to the control server as Base64-encoded data.
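Because the host profile and the later reconnaissance output are both posted to the control server as Base64-encoded data, a proxy or sensor that records POST bodies gives a defender two independent signals: the known control-server hosts and path listed above, and the content of the decoded body itself. The following added example (not McAfee's code) scans constructed log records for both. The tab-separated record layout and the "key=value;" layout of the decoded beacon are assumptions made for this example; the post does not describe the beacon's real encoding.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Control-server hosts and path listed in the post (de-fanging brackets removed).
KNOWN_C2_HOSTS = {"humans.mooo.info", "mines.port0.org", "eholidays.mooo.com"}
KNOWN_C2_PATH = "/common.php"

# The profiling fields the post says are collected. The "key=value;" layout is an
# assumption for this example, not the beacon's real encoding.
PROFILE_KEY_RE = re.compile(r"\b(volumeserial|computername|ip|username|os|proxy)=", re.IGNORECASE)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed log records (tab-separated: client_ip, method, host, uri, request body).
# A log that contains request bodies assumes a proxy or sensor configured to capture them.
SAMPLE_LOG = [
    "10.0.0.5\tGET\twww.example.com\t/index.html\t",
    # beacon to a host from the post's control-server list
    "10.0.0.5\tPOST\thumans.mooo.info\t/common.php\t"
    + _b64("volumeserial=3f2a91c0;computername=WS-ALICE;username=alice;os=Windows 7;"
           "ip=10.0.0.5;proxy=proxy.corp.example:8080"),
    # same profiling data sent to a host that is not on the list (caught by content)
    "10.0.0.7\tPOST\tcdn.example.net\t/upload\t"
    + _b64("computername=WS-BOB;username=bob;os=Windows 8.1;ip=10.0.0.7"),
    # Base64 that decodes to binary, not a text beacon: must not be flagged
    "10.0.0.9\tPOST\tapi.example.org\t/v1/blob\t"
    + base64.b64encode(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR").decode(),
]


def decode_base64_text(body: str) -> Optional[str]:
    """Strictly decode a Base64 body to text; None if it is not Base64 or not UTF-8 text."""
    if not body or len(body) % 4 != 0:
        return None
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_record(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one record, or None when neither signal fires."""
    client, method, host, uri, body = line.rstrip("\n").split("\t", 4)
    known_c2 = host in KNOWN_C2_HOSTS and uri.startswith(KNOWN_C2_PATH)
    decoded = decode_base64_text(body) if method == "POST" else None
    keys = sorted({m.lower() for m in PROFILE_KEY_RE.findall(decoded)}) if decoded else []
    profiling = len(keys) >= 3          # several host-profile fields together, not one by chance
    if not (known_c2 or profiling):
        return None
    return {"client": client, "host": host, "uri": uri, "known_c2": known_c2,
            "profile_keys": keys, "decoded": decoded}


def scan(lines) -> List[Dict[str, object]]:
    """Run analyze_record over a log and keep the findings."""
    return [r for r in map(analyze_record, lines) if r is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        tag = "known C2" if finding["known_c2"] else "profiling content"
        print(f"{finding['client']} -> {finding['host']}{finding['uri']} [{tag}] keys={finding['profile_keys']}")
```

The content check matters because the indicator list above is a snapshot: the third record goes to a host that is not on it, yet the decoded body carries the same computer name, user name, OS and IP fields, which is enough to surface the beacon for review.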




Defending against these highly targeted social-engineering attacks involves a human element. Although technical controls mitigate the risks, it’s imperative that organizations establish policies to help employees spot suspicious events.

McAfee Advanced Threat Defense provides zero-day protection against this attack based on its behavior.

The following YARA rule detects the OLE attack vector:

rule APT_OLE_JSRat
{
    meta:
        author = "Rahul Mohandas"
        Date = "2015-06-16"
        Description = "Targeted attack using Excel/word documents"

    strings:
        $header = {D0 CF 11 E0 A1 B1 1A E1}
        $key1 = "AAAAAAAAAA"
        $key2 = "Base64Str" nocase
        $key3 = "DeleteFile" nocase
        $key4 = "Scripting.FileSystemObject" nocase

    condition:
        $header at 0 and (all of ($key*))
}
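To make the rule's semantics concrete, here is an added example (not McAfee's code and not a substitute for running YARA) that re-implements its condition in Python and exercises it against constructed blobs. The blobs are built in the code and labelled as such; they only reuse the rule's own strings. Two details the examples bring out: `$header at 0` means the rule fires only on OLE2/Compound File containers (the legacy .xls/.doc format), not on OOXML files such as .xlsm, which are ZIP archives; and `$key1` has no `nocase`, so its match is case-sensitive while the other three are not.

```python
import re
from typing import List, Tuple

# OLE2 / Compound File Binary magic, i.e. the rule's $header, required "at 0".
OLE_HEADER = bytes.fromhex("D0CF11E0A1B11AE1")

# ($keyN pattern, nocase) exactly as in the rule; only $key1 is case-sensitive.
KEY_STRINGS: List[Tuple[bytes, bool]] = [
    (b"AAAAAAAAAA", False),
    (b"Base64Str", True),
    (b"DeleteFile", True),
    (b"Scripting.FileSystemObject", True),
]


def matches_apt_ole_jsrat(data: bytes) -> bool:
    """Python re-implementation of the condition: $header at 0 and all of ($key*)."""
    if not data.startswith(OLE_HEADER):
        return False
    for pattern, nocase in KEY_STRINGS:
        flags = re.IGNORECASE if nocase else 0
        if re.search(re.escape(pattern), data, flags) is None:
            return False
    return True


def scan_paths(paths) -> List[str]:
    """Apply the rule to files on disk and return the paths that match."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            if matches_apt_ole_jsrat(fh.read()):
                hits.append(path)
    return hits


def _sample(container: bytes, script: bytes) -> bytes:
    """Constructed test blob: container magic, padding, then macro-like text."""
    return container + b"\x00" * 512 + script


# Constructed macro-like text that uses the rule's strings; case is varied on the
# three 'nocase' strings to show that the rule still matches them.
_MACRO_TEXT = (b'Set fso = CreateObject("scripting.filesystemobject")\r\n'
               b'fso.deletefile(path)\r\n'
               b'payload = base64str("AAAAAAAAAAQUFBQUFB")\r\n')

SAMPLE_OLE_WITH_MACRO = _sample(OLE_HEADER, _MACRO_TEXT)
# OOXML (.xlsm/.docm) is a ZIP archive: same strings, but no OLE header, so no match.
SAMPLE_ZIP_WITH_MACRO = _sample(b"PK\x03\x04", _MACRO_TEXT)
# $key1 is case-sensitive: lowercase run of 'a' does not satisfy it.
SAMPLE_OLE_LOWERCASE_KEY1 = _sample(OLE_HEADER, _MACRO_TEXT.replace(b"AAAAAAAAAA", b"aaaaaaaaaa"))
# Ordinary macro without the backdoor's strings.
SAMPLE_OLE_BENIGN = _sample(OLE_HEADER, b'Sub Macro1()\r\nRange("A1").Value = 1\r\nEnd Sub\r\n')


if __name__ == "__main__":
    for label, blob in [("OLE with macro", SAMPLE_OLE_WITH_MACRO),
                        ("ZIP with same strings", SAMPLE_ZIP_WITH_MACRO),
                        ("OLE, lowercase key1", SAMPLE_OLE_LOWERCASE_KEY1),
                        ("OLE, benign macro", SAMPLE_OLE_BENIGN)]:
        print(f"{label}: {'MATCH' if matches_apt_ole_jsrat(blob) else 'no match'}")
```

Because of the container check, a deployment that also wants to catch the same macro inside OOXML attachments would need a companion rule applied to the extracted vbaProject.bin stream rather than to the ZIP bytes.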

I thank my colleague Kumaraguru Velmurugan of the Advanced Threat Defense Group for his invaluable assistance.
