New Sofacy Attacks Against US Government Agency

The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks. The focus of this blog will be on the attacks and the infrastructure associated with Sofacy using the new persistence mechanism as a correlation point. Continue reading "New Sofacy Attacks Against US Government Agency"

Using IDAPython to Make Your Life Easier: Part 6

In Part 5 of our IDAPython blog series, we used IDAPython to extract embedded executables from malicious samples. For this sixth installment, I’d like to discuss using IDA in a very automated way. Specifically, let's address how we’re going to load files into IDA without spawning a GUI, automatically run an IDAPython script, and extract the results. Using this technique, we’ll be able to process many samples very quickly without needing to manually open each file in a new instance of IDA and run the IDAPython script.

Many may be surprised to learn that IDA can be executed purely on the command-line without spawning a GUI. In order to do so, the user must run the IDA executable with the ‘-A’ switch. This particular switch will instruct IDA to run in autonomous mode, ensuring that no windows or dialog boxes are presented to the user.

Continue reading "Using IDAPython to Make Your Life Easier: Part 6"
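The headless workflow the teaser describes (load a file without a GUI, run an IDAPython script, collect the result) can be wired into a batch driver. The following is an added example, not code from the Unit 42 post: it assumes an IDA 7.x-or-later install whose text-mode binary `idat64` is on PATH (or named in `$IDA_BIN`), and it uses the IDA 7 API names `idaapi.auto_wait`, `idc.ARGV`, `idc.get_inf_attr` and `idc.qexit` inside the script it writes. The `-A` switch is the one the post mentions; `-c` and `-L` avoid stale databases and keep IDA's own log, and `-S` runs the script with the output path as its argument.

```python
"""Drive IDA headlessly over many samples:
    idat64 -A -c -L<log> -S"<script> <out.json>" <sample>

Added example for the IDAPython Part 6 teaser; not code from the Unit 42 post.
Assumptions: IDA 7.x+ with its text-mode binary (idat64) on PATH or in $IDA_BIN,
and the IDAPython names used in EXTRACT_SCRIPT (idaapi.auto_wait, idc.qexit, ...).
"""
import json
import os
import subprocess
from pathlib import Path

IDA_BIN = os.environ.get("IDA_BIN", "idat64")   # assumption: IDA's text-mode binary

# The IDAPython script that runs inside each IDA instance.  write_extract_script()
# puts it on disk; the output path arrives in idc.ARGV[1] via the -S switch.
EXTRACT_SCRIPT = r'''
import json
import idaapi
import idautils
import idc

idaapi.auto_wait()                          # block until auto-analysis has finished
result = {
    "entry": hex(idc.get_inf_attr(idc.INF_START_EA)),
    "function_count": sum(1 for _ in idautils.Functions()),
    "import_modules": [idaapi.get_import_module_name(i)
                       for i in range(idaapi.get_import_module_qty())],
}
with open(idc.ARGV[1], "w") as fh:         # idc.ARGV[0] is the script path itself
    json.dump(result, fh)
idc.qexit(0)                                # leave without the "save database?" dialog
'''


def write_extract_script(path):
    """Write EXTRACT_SCRIPT to `path` and return the path, so the driver is self-contained."""
    path = Path(path)
    path.write_text(EXTRACT_SCRIPT)
    return path


def build_command(sample, script, out_json, ida_bin=IDA_BIN, log_dir=None):
    """argv for one headless run.

    -A  autonomous mode: no GUI, no dialogs (the switch the post describes)
    -c  always create a fresh database instead of reopening a stale .idb/.i64
    -L  write IDA's own log next to the sample (or into log_dir)
    -S  run the script after loading; text after the script path becomes idc.ARGV[1:]
    """
    sample = Path(sample)
    log = Path(log_dir or sample.parent) / (sample.name + ".idalog")
    return [ida_bin, "-A", "-c", f"-L{log}", f"-S{script} {out_json}", str(sample)]


def run_batch(samples, script, out_dir, timeout=600, runner=subprocess.run):
    """Run IDA once per sample and collect the JSON each script run produced.

    `runner` defaults to subprocess.run; it is a parameter so the loop can be exercised
    with a stand-in when IDA is not installed.  A hung analysis is bounded by `timeout`.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for sample in samples:
        out_json = out_dir / (Path(sample).name + ".json")
        if out_json.exists():
            out_json.unlink()               # never trust leftovers from an earlier run
        cmd = build_command(sample, script, out_json, log_dir=out_dir)
        try:
            runner(cmd, timeout=timeout, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except subprocess.TimeoutExpired:
            results[str(sample)] = {"error": "timeout"}
            continue
        if out_json.exists():
            results[str(sample)] = json.loads(out_json.read_text())
        else:
            results[str(sample)] = {"error": "script produced no output; see .idalog"}
    return results


if __name__ == "__main__":
    # usage: python ida_batch.py <out_dir> <sample> [<sample> ...]
    import sys
    script = write_extract_script(Path(sys.argv[1]) / "extract.py")
    print(json.dumps(run_batch(sys.argv[2:], script, sys.argv[1]), indent=2))
```

Each sample gets its own IDA process, so one crash or hang (caught by the timeout) does not take the rest of the batch down, and the per-sample `.idalog` is the first place to look when a script produces no output.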

Understanding Angler Exploit Kit - Part 2: Examining Angler EK

This is the second part of a two-part blog post for understanding Angler exploit kit (EK). The first part covered EKs in general. This blog focuses on the Angler EK.

Angler is currently one of the most advanced, effective, and popular exploit kits in the cyber criminal market. It generally uses the most recent exploits based on the latest vulnerabilities. Like most leading EKs, the authors behind Angler use Software as a Service (SaaS) as their business model, and Angler can be rented in the cyber underground for a few thousand dollars a month. Continue reading "Understanding Angler Exploit Kit - Part 2: Examining Angler EK"

Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals

Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or a link in the message to the malware. However, malspam requires some sort of action by the user to be successful (for example, opening an attached file).

The other method for widespread malware distribution is an exploit kit (EK). EKs are designed to work behind the scenes while a potential victim is browsing the web. An EK does not require any additional action by the end user.

EKs are a sophisticated delivery method. Malware distribution through an EK involves other components in the chain of events that lead to a malware infection. Continue reading "Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals"

Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities

Palo Alto Networks researchers were recently credited with discovery of two new Apple product vulnerabilities.

Researchers Tongbo Luo and Bo Qu discovered a WebKit vulnerability (CVE-2016-1855) affecting Safari on OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 and OS X El Capitan v10.11.5. Continue reading "Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities"

The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor

In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the fall of 2015. We have grouped these two waves of attacks into a campaign we have named ‘OilRig’.

In recent OilRig attacks, the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks. Earlier OilRig attacks appear to use fake job offers as a social engineering theme. The campaign appears highly targeted and delivers a backdoor we have called ‘Helminth’. Over the course of the attack campaign, we have observed two different variations of the Helminth backdoor, one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable. Continue reading "The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor"

New Wekby Attacks Use DNS Requests As Command and Control Mechanism

We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.

The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’. Continue reading "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
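DNS is attractive for C2 because outbound DNS is almost never blocked, but the channel leaves a footprint in resolver logs. The following is an added example, not code from the pisloader post: the post says only that the malware uses DNS requests for C2, so the heuristics here are generic tunnelling indicators (long, high-entropy leftmost labels; many one-off subdomains under one registered domain; TXT lookups) rather than pisloader's actual encoding. The log format and the sample lines are constructed, and the registered-domain helper is a deliberate simplification (no public-suffix list).

```python
"""Flag registered domains whose DNS queries look like a tunnelled C2 channel.

Added example, not code from the Unit 42 post.  Heuristics are generic DNS-tunnelling
indicators, not pisloader's encoding; SAMPLE_LOG is constructed, not real traffic.
"""
import math
from collections import defaultdict

# Constructed DNS query log, one "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 gezlgmzqgi3dkmjwg4ztgnjvg4ztg.update-cdn.example TXT
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe.update-cdn.example TXT
10.0.0.7 nbswy3dpeb3w64tmmqxgg33nebxgc3djmu.update-cdn.example TXT
10.0.0.7 gu2tmnjugq4tknjrgy3dkmbzgm2tonbv.update-cdn.example A
10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits per character; random base32/base64 text lands well above 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels.  Assumption/limitation: no public-suffix list, so names under
    co.uk-style suffixes are grouped wrongly; use a PSL library for production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        rows.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return rows


def suspicious_domains(rows, min_label_len=20, min_entropy=3.0, min_hits=3):
    """Return {registered_domain: [reasons]} for domains with tunnelling indicators."""
    stats = defaultdict(lambda: {"subdomains": set(), "encoded": 0, "txt": 0})
    for _client, qname, qtype in rows:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        st = stats[dom]
        if sub:
            st["subdomains"].add(sub)
            first = sub.split(".")[0]          # leftmost label carries encoded data
            if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
                st["encoded"] += 1
        if qtype == "TXT":
            st["txt"] += 1

    flagged = {}
    for dom, st in stats.items():
        reasons = []
        if st["encoded"] >= min_hits:
            reasons.append(f"{st['encoded']} queries with long high-entropy labels")
        if len(st["subdomains"]) >= min_hits and st["encoded"]:
            reasons.append(f"{len(st['subdomains'])} distinct subdomains, likely data in qname")
        if st["txt"] and reasons:
            reasons.append(f"{st['txt']} TXT lookups (room for downstream commands)")
        if reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in suspicious_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, "->", "; ".join(why))
```

Thresholds are deliberately conservative: CDNs and anti-spam services also generate long labels, so the check requires several encoded-looking queries under the same registered domain before flagging, and the flagged domain should then be pivoted on (client, first-seen time, response content) rather than blocked outright.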

Operation Ke3chang Resurfaces With New TidePool Malware

Introduction

Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal. We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide. This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted Ministries of Foreign Affairs, and also conducted several prior campaigns against India. Continue reading "Operation Ke3chang Resurfaces With New TidePool Malware"

Ransomware Is Not a “Malware Problem” – It's a Criminal Business Model

Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective in generating revenue for cybercriminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – all are potential targets.

Ransomware has existed in various forms for decades; but, in the last three years, criminals have perfected the key components of these attacks. This has led to an explosion of new malware families, which make the technique work, and drawn new actors into participating in these lucrative schemes.

To execute a successful ransomware attack, an adversary must be able to do the following: Continue reading "Ransomware Is Not a “Malware Problem” – It's a Criminal Business Model"

KRBanker Targets South Korea Through Adware and Exploit Kits

Online banking services have been a prime target of cyber criminals for many years and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking "KRBanker", also known as 'Blackmoon', since late last year. This campaign specifically targets banks in the Republic of Korea. On April 23, researchers at Fortinet published a blog describing the functionality of the recent 'Blackmoon' campaign. Our objective in this blog is to share additional details on the distribution of the KRBanker (Blackmoon) malware campaign and indicators for KRBanker samples.

Early variants of this campaign started surfacing in late September 2015. Though the number of KRBanker infection attempts was relatively low in 2015, we have noticed a gradual increase in the number of sessions since the start of 2016, and identified close to 2,000 unique samples of KRBanker and 200+ pharming server addresses in the last 6 months. Continue reading "KRBanker Targets South Korea Through Adware and Exploit Kits"

Bucbi Ransomware Is Back With a Ukrainian Makeover

The Bucbi ransomware family, which dates back to early 2014, has received a significant update. In a recently observed attack, we also noted new tactics used to infect systems. The malware has historically been delivered via an HTTP download, most likely via an exploit kit or phishing email. However, in recent weeks, Palo Alto Networks researchers have observed attackers brute-forcing RDP accounts on Internet-facing Windows servers to deliver their malware. Additionally, the malware itself has been modified to no longer require an Internet connection.

Recent ransom notes left on infected systems identify the malware as belonging to the “Ukrainian Right Sector,” a far-right Ukrainian nationalist political party with paramilitary operations that opposes Russia but operates outside the Ukrainian government’s authority. However, there are a number of Russian identifiers in the recent attacks. Consequently, it is unclear whether the claim of responsibility by the “Ukrainian Right Sector” is accurate and, if so, what the reason for and significance of the Russian identifiers might be. Continue reading "Bucbi Ransomware Is Back With a Ukrainian Makeover"

AutoFocus Lenz: Taking the Blue (Team) Pill

The Palo Alto Networks AutoFocus threat intelligence service accelerates analysis and response workflows for unique, targeted attacks. The service further makes an immense set of threat intelligence available via the AutoFocus API, which can enrich existing security systems or workflows. Today, security teams can easily build scripts on top of this data using the AutoFocus Python Client Library; the AutoFocus Lenz script (af_lenz.py) provides an even simpler way to extract and automate actionable information from AutoFocus, which can be used to respond to, or proactively take action against, security threats.

The AutoFocus Lenz script builds on top of the Python client library by providing a set of outputs that enable rapid extraction of relevant information that can be used for operational intelligence, or further research, by performing various analytical tasks for you.

To demonstrate some of the scenarios where this tool may be helpful, we’ve put together a short video showing it in action. Continue reading "AutoFocus Lenz: Taking the Blue (Team) Pill"

Prince of Persia: Infy Malware Active In Decade of Targeted Attacks

Attack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are deployed, it’s less likely that security industry researchers will identify and connect them together.

In May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”.

Around the same time, WildFire also captured an e-mail containing a Word document (“hello.docx”) with an identical hash as the earlier Word document, this time sent to a U.S. Government recipient. Continue reading "Prince of Persia: Infy Malware Active In Decade of Targeted Attacks"

Afraidgate: Major Exploit Kit Campaign Swaps Locky Ransomware for CryptXXX

In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at afraid.org. We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky from EK traffic since mid-April.

An Evolving Campaign

In March 2016, we observed Nuclear EK from the Afraidgate campaign spreading Locky ransomware. A consistent gate pattern in the infection chain pointed to the same campaign using Neutrino EK the previous month. Now this campaign points to Angler EK. Also with the change in EKs, the malware has switched from Locky to CryptXXX. Both of these malware families employ the ransomware business model, in which they encrypt a user’s files and demand a ransom in return for the decryption keys. The following chart illustrates the changes in this particular campaign: Continue reading "Afraidgate: Major Exploit Kit Campaign Swaps Locky Ransomware for CryptXXX"

2016 Verizon Data Breach Investigations Report (DBIR): Insights from Unit 42

The ninth annual edition of Verizon’s Data Breach Investigations Report (DBIR) has just been released, and Palo Alto Networks is proud to have contributed data and analysis to help make the report as comprehensive as possible. Palo Alto Networks is committed to sharing threat intelligence across the security industry, exposing the evolving nature of threats, in order for organizations to better protect themselves.

This year we extracted a massive dataset from the AutoFocus threat intelligence service on over 38 million sessions carrying over 2.7 million unique malware samples. We worked with the Verizon team to add context to these samples with AutoFocus tag data, illuminating what campaign or family they were associated with. Continue reading "2016 Verizon Data Breach Investigations Report (DBIR): Insights from Unit 42"