Palo Alto Networks researchers Tongbo Luo and Bo Qu are credited with discovering a new vulnerability (CVE-2015-7066) in OpenGL and Webkit that impacts all of Apple’s major products, including:
BackStab: Mobile Backup Data Under Attack from Malware
Today we are releasing a whitepaper describing how malicious actors are stealing private mobile device data by accessing local backup files stored on PC and Mac computers. We have identified 704 samples of six Trojan, adware and HackTool families for Windows® or Mac® OS X® systems that used this technique to steal data from iOS and BlackBerry® devices. These attacks have been in the wild for over five years, and we have observed them deployed in over 30 countries around the world.
Since these families use a common attack technique to access the backup files, we categorize all of them as using the “BackStab attack,” defined as “an attack approach that captures private mobile device data through the theft of local backup files stored on PC and Mac computers.”
The BackStab attack technique poses a risk to many mobile users for the following reasons:
Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
We recently analyzed a Trojan named "Rootnik" which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices running Android 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access to their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we have collected, Android users in the United States, Malaysia, Thailand, Lebanon and Taiwan have been affected by the Trojan thus far.
Rootnik was able to spread by being embedded in copies of legitimate applications:
Adversaries and Their Motivations (Part 3)
In part three of the Adversaries and Their Motivations blog series, we’ll explore the following top-level actor motivations: Cyber Warfare, Cyber Terrorism, and Cyber Mischief.
Even Fuzzier Boundaries
The high-level actor motivations covered earlier in this blog series introduced challenges in identifying and attributing activity between Cyber Espionage, Cyber Crime, and Cyber Hacktivism.
Analysis of the remaining motivations covered in this blog post can be even fuzzier considering the following:
Attack Campaign on the Government of Thailand Delivers Bookworm Trojan
Unit 42 recently published a blog on a newly identified Trojan called Bookworm, which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors’ campaigns.
In this blog, we will discuss the current attack campaign along with the associated threat infrastructure and the actor’s tactics, techniques and procedures (TTPs). The following list provides a summary of the threat actors’ TTPs, which we will cover in this blog:
Inside TDrop2: Technical Analysis of new Dark Seoul Malware
Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the TDrop malware family discovered in the Operation Troy campaign. For more information on the new campaign discovered by Unit 42, please refer to our recent blog post.
In this attack, attackers embedded the TDrop2 malware inside a legitimate video software package hosted on the software distributor’s website. By doing this, they were able to target organizations that relied on the distributor’s security camera solution and infect their systems with malware. They created a true Trojan horse, which sneaks into a network as a gift, but when opened, the attacker’s army leaps out.
Our Commitment to Sharing Threat Intelligence
Part of my role as the Director of Threat Intelligence for Palo Alto Networks is to share the intelligence we produce with others who can put it to use in defending their networks. We believe wholeheartedly that having better information about the threats you face will help you defend yourself from harm. Knowing what kinds of actors are targeting you, what tools they have available, and what tactics they employ allows you to structure your defenses more effectively than against a generic, non-specific threat.
As a global security vendor, we have insight into attacks occurring across every industry and all around the world. Rather than hold this information close to our chest, we choose to share much of it with the security community. In the last 18 months, we’ve published over 100 entries to our threat intelligence blog, detailing new attacks, revealing attacker infrastructure, and educating our readers on what they can do to defend themselves. Some recent examples include:
Upatre: Old Dog, New [Anti-Analysis] Tricks
Malware authors must constantly iterate on their techniques in order to stay relevant in today’s fast moving Information Security environment. The Upatre downloader has been around for nearly three years and has consistently evolved its anti-analysis capabilities to better ensure payload delivery. Using Palo Alto Networks AutoFocus, we identified several thousand functionally identical Upatre binaries with unique hashes that exhibited unusual anti-analysis behaviors. We dove into the most recent phishing campaign to identify the new anti-analysis routines designed to maneuver around behavioral analysis systems.
Diving In
Upatre’s new technique takes advantage of undocumented NtQuerySystemInformation structures. It attempts to call the ZwQuerySystemInformation API a few times to determine the idle time of the system. The ZwQuerySystemInformation API takes a SYSTEM_INFORMATION_CLASS as an argument for what to query. There are several options to query for, all with respective structures.
TDrop2 Attacks Suggest Dark Seoul Attackers Return
While researching new, unknown threats collected by WildFire, we discovered the apparent re-emergence of a cyber espionage campaign thought to be dormant after its public disclosure in June 2013. The tools and tactics discovered, while not identical to the previous Dark Seoul campaign, showed extreme similarities in their functions, structure, and tools. In this post, we will provide an overview of the original Dark Seoul campaign in 2013, the similarities and differences in tactics, the malware used, as well as attempt to answer the question of ‘why now’?
Dormant Malicious Code Discovered on Thousands of Websites
Note: This post was updated on November 18, 2015 to reflect new information about the initial discovery of the injected code.
On November 3, 2015, ZScaler reported that a Chinese government website hosting the Chuxiong Archives, www.cxda[.]gov.cn, had been compromised and contained injected code leading to the Angler Exploit Kit. The compromise was apparently remediated within 24 hours of discovery, but is once again exhibiting signs of infection.
Adversaries and Their Motivations (Part 2)
This post is the second in a blog series describing adversaries and their motivations. In part two of the series, we’ll explore the following top-level actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism.
Adversary Operational Maturity, Targeting, and Key Roles
Before we start, there are some additional concepts that add context to exploring malicious actor motivations:
Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Internet Explorer and Microsoft Edge
Palo Alto Networks researcher Bo Qu was credited with discovery of six new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 and Microsoft Edge. These vulnerabilities are covered in Microsoft’s November 2015 Security Bulletin and documented in Microsoft Security Bulletins MS15-112 and MS15-113.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclosure of new vulnerabilities and creation of protections from security vendors.
Palo Alto Networks is a regular contributor to vulnerability research. Previous critical Microsoft vulnerability discoveries from the past 18 months included:
Bookworm Trojan: A Model of Modular Architecture
Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in AutoFocus using the tag Bookworm.
Bookworm’s functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42. Bookworm has little malicious functionality built-in, with its only core ability involving stealing keystrokes and clipboard contents. However, Bookworm expands on its capabilities through its ability to load additional modules directly from its command and control (C2) server. This blog will provide an analysis of the Bookworm Trojan and known indicators of compromise. A later blog will explore the associated attack campaigns and attributions surrounding Bookworm.
CryptoWall v4 Emerges Days After Cyber Threat Alliance Report
Less than a week after the publication of a thorough report by the Cyber Threat Alliance on the CryptoWall version 3 malware family, it appears that the actors behind the malware have updated the underlying code.
Beginning on October 30, 2015, Palo Alto Networks began seeing instances of this new version of CryptoWall, which some researchers have begun calling version 4. This new version of CryptoWall includes multiple updates, such as a more streamlined network communication channel, modified ransom message, and the encryption of filenames. These changes not only make it more difficult for the victim to identify what files have been encrypted, but also may thwart security protections currently in place for the CryptoWall threat.
Connecting the Dots in Cyber Threat Campaigns, Part 2: Passive DNS
This is the second part of our series on “connecting the dots,” where we investigate ways to link attacks together to gain a better understanding of how they are related. In Part 1, we looked at how domain WHOIS information can be used to identify connections between malicious domains and potentially the actors who own them. In Part 2 we dive into Passive DNS (PDNS), which allows analysts to look back in time and discover how a domain has been used in the past.
Why Passive DNS?
Before we jump into PDNS, we need to understand DNS, or the Domain Name System. DNS is often described as the phonebook of the Internet (For our younger readers who may be wondering what a phonebook is, Wikipedia can explain.) Rather than ask users to remember individual IP addresses, DNS instead maps numerical addresses to easy-to-remember domain names, much like a person’s name might be associated with a specific phone number. So instead of memorizing that Google hosts their search engine on 65.199.32.22, you simply need to remember www.google.com. The system solved an enormous usability issue at the onset of the Internet, but unfortunately left room for abuse as well.