Unit 42 Technical Analysis: Seaduke

Earlier this week Symantec released a blog post detailing a new Trojan used by the ‘Duke’ family of malware. Within this blog post, a payload containing a function named ‘forkmeiamfamous’ was mentioned. While performing some research online, Unit 42 was able to identify the following sample, which is being labeled as ‘Trojan.Win32.Seadask’ by a number of anti-virus companies.

MD5: A25EC7749B2DE12C2A86167AFA88A4DD
SHA1: BB71254FBD41855E8E70F05231CE77FEE6F00388
SHA256: 3EB86B7B067C296EF53E4857A74E09F12C2B84B666FC130D1F58AEC18BC74B0D
Compile Timestamp: 2013-03-23 22:26:55
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Our analysis has turned up more technical details and indicators on the malware itself that aren’t mentioned in Symantec’s post. Here are some of our observations:

APT Group UPS Targets US Government with Hacking Team Flash Exploit

On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government. The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month’s Hacking Team data breach.

The spear-phishing attack used a link to a Flash exploit hosted on two subdomains of a legitimate website, perrydale[.]com: rpt.perrydale[.]com and report.perrydale[.]com. Both domains resolve to the same Ukraine-based IP, 194.44.130.179.

New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries

NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush's platform was abused by the malware author to hide malicious activity.

Executive Summary

Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder” based on the main malicious component name, and the Unit 42 team observed 49 unique samples across three different variants. This finding highlights the fine line between “adware,” which isn’t traditionally prevented by antivirus products, and malware, with its ability to cause harm.

Samples of Gunpoder have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting either “benign” or “adware” verdicts, meaning legacy controls would not prevent installation of this malware. While researching the sample, we observed that although it contains many characteristics of adware, and indeed embeds a popular adware library, it also performs a number of overtly malicious activities, which we believe characterize this family as malware, such as:

Operation Lotus Blossom: A New Nation-State Cyberthreat?

Today Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named “Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in Southeast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks taking place over the past three years.

Background and Findings

Unit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia to the Lotus Blossom group. These attacks share a number of characteristics, including:

Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website

On May 12, 2015, Unit 42 observed an apparent watering hole attack, also known as a strategic website compromise (SWC), involving the President of Myanmar's website. Visiting the main page hosted at "www.president-office.gov[.]mm" triggered the malicious content, as the threat actors injected an inline frame (IFRAME) into a JavaScript file used by Drupal for the site's theme.

Unit 42 believes threat actors chose this website to set up a watering hole in order to target and gather information on individuals in Myanmar, individuals involved in political relations with the country and/or organizations doing business in Myanmar. Unit 42 has evidence to suggest the threat actors have had access to the website since November 2014 if not earlier.

Shortly after we reported the infection to the operators of the website, they took it offline. A new website containing the same content is hosted at “www.myanmarpresidentoffice.info”, which has several artifacts and references to the original content hosted at “president-office.gov.mm” but does not contain the exploit code. We believe the use of the new domain may be part of their remediation process.

This blog discusses the known details of the watering hole, interesting characteristics of the delivered Evilgrab sample (AKA Vidgrab) and the threat infrastructure associated with the attack.

Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 6, 7, 8, 9, 10 and 11. All three are included in Microsoft’s June 2015 Security Bulletin, and documented in Microsoft Security Bulletin MS15-056.

In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and the creation of protections by security vendors.

KeyBase Keylogger Malware Family Exposed

In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

In total, Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly 1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and retail industries.

Malware Distribution and Targets

KeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybase[.]in’ was registered as a homepage and online store for the KeyBase keylogger.

Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit

What follows is a detailed analysis of the root cause of a vulnerability we call CVE-2015-X, as well as a step-by-step explanation of how to trigger it. For more on Flash vulnerabilities, we also invite you to read "The Latest UAF Vulnerabilities in Exploit Kits," published May 28 by Tao Yan.

Not too long ago we came across a sample from the Angler Exploit kit (MD5: 049ff69bc23f36a78d86bbf1356c2f63c), which allegedly exploits CVE-2015-0359. The obfuscated SWF contains an encoded SWF (MD5: d45808cfa6f3cbfb343fdea269fdc375), which is later decoded and loaded into Flash, without getting saved on disk. Here’s a somewhat beautified example of this process:

The embedded SWF is heavily obfuscated, but the code has much in common with the source code for Angler EK’s CVE-2015-0313 exploit.

The first thing to do is determine whether the exploit is indeed for CVE-2015-0359. Some researchers think that it’s not. The embedded SWF contains a function we named CheckEnvironment, which eventually does this:

The Latest Flash UAF Vulnerabilities in Exploit Kits

Introduction

Recently, several popular exploit kits, including Angler, Flash EK, SweetOrange, Fiesta and Neutrino [1], have included several use-after-free (UAF) vulnerabilities in Adobe Flash to exploit victims’ browsers. Previously, these exploit kits typically used out-of-bounds access (OBA) vulnerabilities in Adobe Flash, as these types of vulnerabilities can be exploited universally and stably [2], and require less effort to exploit than UAF vulnerabilities. In order to detect these newly added UAF vulnerabilities, we analyzed the code found in the exploit kits to determine which vulnerabilities are present and how they are exploited.

Obfuscation in exploit kits

Cmstar Downloader: Lurid and Enfal's New Cousin

In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid downloader also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.

Unit 42 is aware of threat actors using two toolkits - MNKit and the Tran Duy Linh toolkit - to produce malicious documents that exploit CVE-2012-0158 in order to implant Cmstar. The Cmstar downloader itself has several unique and interesting features, as well as substantial infrastructure overlap with other tools worth discussing.

Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 8, 9, 10 and 11. All three are included in Microsoft’s May 2015 Security Bulletin, and documented in Microsoft Security Bulletin MS15-043.

Trapwot Scareware Activity Spikes in April

In recent weeks, Unit 42 has been monitoring a new e-mail campaign distributing the Trapwot malware family. Trapwot is considered “scareware” or “rogue antivirus” because it attempts to mislead victims into believing their machine is infected with malware. It disguises itself as an anti-virus product and pressures users into purchasing non-existent protection.

In total, our AutoFocus threat intelligence service has identified 380,000 emails carrying Trapwot in the past 30 days. These 380,000 e-mails have contained over 5,400 unique malware samples. These attacks have primarily targeted the insurance, higher education, and healthcare industries.

Trapwot is just one of many variants of Rogue Antivirus programs that currently plague users. Readers should be skeptical of pop-ups that suggest their system is infected with malware and ask them to purchase a new product. As always, users should also avoid opening attachments delivered over e-mail that they are not expecting, no matter how enticing the content may be.

PlugX Uses Legitimate Samsung Application for DLL Side-Loading

Summary

While threat actors using the PlugX Trojan typically leverage legitimate executables to load their malicious DLLs through a technique called DLL side-loading, Unit 42 has observed a new executable in use for this purpose. Threat actors are now using this previously unseen executable, created by Samsung, to load variants of the PlugX Trojan.

Using our AutoFocus threat intelligence service, we have flagged these variants to help users identify related attacks.

Malware Details

This story starts with the analysis of a malicious Word document named 雨傘達動後教會生 態.doc (which translates to “Church ecology after the Umbrella Movement”) that was created with the infamous “Tran Duy Linh” exploit kit. This malicious document exploits CVE-2012-0158 to open a decoy document and execute a custom dropper Trojan named word.exe.

2015 Verizon Data Breach Investigations Report (DBIR): Insights from Unit 42

The 2015 Verizon Data Breach Investigations Report (DBIR) represents the first time Palo Alto Networks has contributed data to this important publication, and we are proud to be part of an intelligence-sharing ecosystem that, in the end, raises the collective bar for everyone in the industry.

While reviewing the findings, a few key points stood out to the Unit 42 team:

Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets

Summary

Palo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against Japanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and other Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known as “DragonOK.” [1] These attacks took place between January and March of 2015.

DragonOK has previously targeted Japanese high-tech and manufacturing firms, but we’ve identified a new backdoor malware, named “FormerFirstRAT,” deployed by these attackers. See the “Malware Details” section for analysis of the three RATs and two additional backdoors deployed in this persistent attack campaign.