CoolReaper Revealed: A Backdoor in Coolpad Android Devices

Coolpad is the sixth largest manufacturer of smartphones in the world, and the third largest in China. We recently discovered that the software installed on many of Coolpad’s high-end Android phones includes a backdoor which was installed and operated by Coolpad itself. Today we released a new report detailing the backdoor, which we’ve named “CoolReaper.”

After reviewing complaints on message boards about suspicious activity on Coolpad devices, we downloaded multiple copies of the stock ROMs used by Coolpad phones sold in China. We found that the majority of the ROMs contained the CoolReaper backdoor.

Google Chrome Exploitation – A Case Study

In this write-up, we present several techniques used in exploiting a vulnerability in Google Chrome, along with the difficulties posed by its security mechanisms and design decisions. We also reflect on how some of the techniques used have since been made irrelevant by mitigations introduced in later releases.

The exploit targets a bug in Chrome 33 that was geohot's winning submission to Pwn2Own 2014; the same bug later earned him the Pwnie Award for Best Client-Side Bug.

The Bug

The vulnerability existed in Chrome's implementation of ArrayBuffers and is described in some detail in the corresponding issue page in the Chromium repository, along with an impressively concise exploit implemented by geohot himself.

Unit 42 Explores Malware Attack Vectors in Key Industries

This week Unit 42 released its first Threat Landscape Review, looking at how malware trends affect key industries, from healthcare to high tech, around the world, and the particular persistence of the Kuluoz, or Asprox, campaign.

This infographic represents some of the key data from the full report, which you can download from the Unit 42 page. Does anything shown here surprise you?

Unit 42 Threat Landscape Review Infographic from PaloAltoNetworks

DTLS Vulnerabilities in CVE-2014-6321

Microsoft recently released a patch for a critical vulnerability in Microsoft Secure Channel (Schannel), tracked as CVE-2014-6321 and published in security bulletin MS14-066. The patch changed many areas of schannel.dll, including fixes for at least two vulnerabilities related to the handling of the Datagram Transport Layer Security (DTLS) protocol.

DTLS provides communications privacy for datagram transports. Microsoft uses it in Remote Desktop Protocol (RDP), and Windows Remote Desktop Gateway (RDG) uses it to establish a secure channel between the RDG client and the RDG server (described in detail in the [MS-TSGU] specification).

DTLS Handshake

How Malware Trends Affect Key Industries, From Healthcare to High Tech

Today we released our first Threat Landscape Review, which takes a high-level view of how malware is delivered to networks across major industries around the world. The data for this report comes from Palo Alto Networks WildFire™, which identifies malware carried over a wide array of applications by executing samples in a virtual environment and observing their behavior. The data was collected from live systems in networks belonging to 2,363 different companies operating in 82 different countries.

While over 4,000 organizations currently use WildFire to defend their networks, the data for this report was specifically collected from organizations in 10 key verticals:

Learn More About WireLurker and the Impact to OS X and iOS

Recently Palo Alto Networks researcher Claud Xiao discovered WireLurker, a new family of Apple OS X and iOS malware with characteristics unseen in any previously documented threats targeting Apple's popular desktop and mobile platforms. Much has happened since Claud's discovery, so we're pleased to present a new webinar covering WireLurker information and the potential impact of this malware family on enterprise organizations.

blog-title-unit42

Wirelurker Webinar: A New Era in OS X and iOS Malware

Code to Trigger MS14-066 ECDSA Server BOF Vulnerability

Microsoft recently released a patch for a critical vulnerability in Microsoft Secure Channel (Schannel). The patch was published as security bulletin MS14-066.

A description of how to trigger the MS14-066 ECDSA heap buffer overflow was posted by BeyondTrust, which also explained the research method used to narrow down where the vulnerability presents itself. Their article describes using the OpenSSL s_client to authenticate to an IIS server; by patching s3_clnt.c to fuzz the particular code path, they were able to trigger a crash in memcpy. (BeyondTrust's research team is to be thanked for saving others in our community a lot of work and time!)

Our researchers were able to write a demonstration program by patching the OpenSSL 1.0.1 source code to trigger this specific vulnerability and show how this could be used for exploitation.

The diff output is provided below:
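The patched-OpenSSL diff referred to above is not reproduced in this excerpt. As an added example that is not Palo Alto Networks' or BeyondTrust's code, the following Python shows the kind of bounds check a server-side parser of a DER-encoded ECDSA signature (SEQUENCE of two INTEGERs, r and s) needs before copying the components into fixed-size buffers. The per-curve field sizes are the real ones; treating an oversized r or s as the exact Schannel trigger is an assumption of this example, not something the post states. The encoder is included only to construct inputs.

```python
# Added example (not Palo Alto Networks' or BeyondTrust's code).
# Defensive parser for a DER-encoded ECDSA signature:
#     ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
# Each component is bounds-checked against the curve's field size before it
# is returned, so an oversized r or s is rejected rather than copied into a
# fixed-size buffer. Assumption: an oversized component is the relevant
# failure mode; the curve sizes themselves are the standard ones.

FIELD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}


class BadSignature(ValueError):
    """Raised for any malformed or out-of-bounds signature encoding."""


def _der_len(n):
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    """Encode a non-negative integer as a minimal DER INTEGER."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                 # leading sign byte keeps the value positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def encode_ecdsa_signature(r, s):
    """Build an ECDSA-Sig-Value; used here only to construct inputs."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the given tag at pos; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise BadSignature("expected tag 0x%02x at offset %d" % (tag, pos))
    if pos + 1 >= len(buf):
        raise BadSignature("truncated length")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:               # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 2 or pos + nbytes > len(buf):
            raise BadSignature("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):     # declared length must not run past the buffer
        raise BadSignature("length %d exceeds buffer" % length)
    return buf[pos:pos + length], pos + length


def parse_ecdsa_signature(der, curve):
    """Return (r, s) as ints for a well-formed signature, else raise BadSignature."""
    field = FIELD_BYTES[curve]
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise BadSignature("trailing bytes after SEQUENCE")
    r_raw, pos = _read_tlv(seq, 0, 0x02)
    s_raw, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise BadSignature("extra content inside SEQUENCE")
    out = []
    for name, raw in (("r", r_raw), ("s", s_raw)):
        if not raw:
            raise BadSignature("%s is empty" % name)
        if raw[0] & 0x80:
            raise BadSignature("%s is negative" % name)
        if len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:
            raise BadSignature("%s is not minimally encoded" % name)
        if len(raw) > 1 and raw[0] == 0:   # drop the single permitted sign byte
            raw = raw[1:]
        if len(raw) > field:               # the bound that a fixed-size copy needs
            raise BadSignature("%s is %d bytes, field is %d" % (name, len(raw), field))
        out.append(int.from_bytes(raw, "big"))
    return tuple(out)


def signature_is_well_formed(der, curve):
    """Boolean wrapper around parse_ecdsa_signature for policy checks."""
    try:
        parse_ecdsa_signature(der, curve)
        return True
    except BadSignature:
        return False


if __name__ == "__main__":
    good = encode_ecdsa_signature((1 << 255) + 5, 12345)
    oversized = encode_ecdsa_signature(1 << 256, 12345)   # 33-byte r on a 32-byte curve
    print("good P-256:", signature_is_well_formed(good, "P-256"))
    print("oversized r on P-256:", signature_is_well_formed(oversized, "P-256"))
```

The same 33-byte r that is rejected for P-256 is accepted for P-384, which is the point: the bound has to come from the negotiated curve, not from the length bytes inside the attacker-supplied signature.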

Follow-On to VBA-Initiated Infostealer Campaign: Exploring Related Malware and Actors

In late October, we began examination of a VBA-initiated Infostealer campaign. This blog post follows up on additional information we gathered on related malware and associated actors.

Pivot On Initial Predator Pain Sample C2

In our previous post, we identified two Command and Control (C2) fully qualified domain names (FQDNs) for the initial Predator Pain sample analyzed: mail.rivardxteriaspte.co[.]uk and ftp.rivardxteriaspte.co[.]uk. We were interested in seeing whether any other malware samples had been observed communicating with these FQDNs and, if so, to which malware family they belonged.

Leveraging the Palo Alto Networks WildFire platform, we found an additional 14 samples that communicated with one or both of these C2 FQDNs between December 27, 2013, and August 1, 2014 (Table 1).

Addressing CVE-2014-6332 SWF Exploit

Continuing a recent trend in which Internet Explorer vulnerabilities are exploited using Flash, samples of an SWF purportedly used in conjunction with CVE-2014-6332 have appeared in several places. The most famous examples of this trend are the exploits for CVE-2014-0322 and CVE-2014-1776.

We have yet to encounter the SWF sample with its original exploit attached, but from the SWF alone it is clear that it is built to work with several kinds of memory corruption, which makes the specific vulnerability less interesting. That is a good example of why our Advanced Endpoint Protection approach, which focuses on the core techniques used in attacks, works well: it prevents use of this SWF framework regardless of the vulnerability it is paired with.

The interesting part of this exploit is the Flash component. At first glance the decompiled ActionScript shown here seems fairly straightforward, sharing much of its code with the previously seen exploits:

Protecting Users from iOS App Provisioning Profile Abuse

Recently, we announced the discovery of WireLurker, a new family of malware that abuses app provisioning profiles to install potentially malicious apps on any iOS device, regardless of whether it is jailbroken. Shortly after, FireEye highlighted the Masque Attack, which also relies on malicious apps signed under provisioning profiles and had previously been disclosed by Stefan Esser. Both attacks highlight the importance of provisioning profile management in Mobile Device Management (MDM) solutions. In this post, we explain how to protect users from iOS app provisioning profile abuse with the Palo Alto Networks GlobalProtect Mobile Security Manager product.

Provisioning Profiles on iOS

As stated in the iPhone Developer Program:
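As an added example (not Palo Alto Networks' or GlobalProtect code), the following Python inspects the plist payload of an iOS provisioning profile and flags the properties that the abuse described above depends on: an enterprise (in-house) profile that provisions all devices and was issued to a team not on the organisation's allowlist, a wildcard application-identifier entitlement, and an expired profile. The team allowlist and both sample profiles are constructed for this example. A real .mobileprovision file is a CMS-signed blob; the plist shown is what remains after the CMS wrapper is stripped and its signature verified, which this example assumes has already been done.

```python
# Added example (not Palo Alto Networks' or GlobalProtect code).
# Classifies a provisioning-profile plist and reports the properties an MDM
# policy would act on. TRUSTED_TEAMS and the two sample profiles are
# constructed for this example; the plist keys are the standard ones.
import plistlib
from datetime import datetime

TRUSTED_TEAMS = {"ABCDE12345"}   # assumed MDM allowlist of Apple Team IDs

# Constructed sample: an in-house (enterprise) profile from an unknown team,
# with a wildcard App ID, which lets the signer ship any bundle identifier.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamIdentifier</key><array><string>ZZ99ZZ99ZZ</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2015-11-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ZZ99ZZ99ZZ.*</string>
  </dict>
</dict></plist>"""

# Constructed sample: a development profile pinned to one device UDID,
# issued to a team on the allowlist, with a specific App ID.
DEV_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Dev Profile</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionedDevices</key><array>
    <string>0123456789abcdef0123456789abcdef01234567</string>
  </array>
  <key>ExpirationDate</key><date>2015-06-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  </dict>
</dict></plist>"""


def inspect_profile(plist_bytes, now, trusted_teams=TRUSTED_TEAMS):
    """Return kind, team, expiry state and a list of policy findings."""
    p = plistlib.loads(plist_bytes)
    teams = p.get("TeamIdentifier") or []
    team = teams[0] if teams else None
    findings = []

    if p.get("ProvisionsAllDevices"):
        # Enterprise profiles install on any device; only trusted teams may issue them.
        kind = "enterprise"
        if team not in trusted_teams:
            findings.append("enterprise profile from untrusted team %s" % team)
    elif "ProvisionedDevices" in p:
        kind = "development"        # ad-hoc or development: limited to listed UDIDs
    else:
        kind = "app-store"

    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    if app_id.endswith(".*"):
        findings.append("wildcard application-identifier %s" % app_id)

    # plistlib returns <date> values as naive UTC datetimes.
    expired = p["ExpirationDate"] <= now
    if expired:
        findings.append("profile expired on %s" % p["ExpirationDate"].date())

    return {"kind": kind, "team": team, "expired": expired, "findings": findings}


if __name__ == "__main__":
    now = datetime(2014, 11, 20)
    for label, blob in (("enterprise", ENTERPRISE_PROFILE), ("dev", DEV_PROFILE)):
        print(label, inspect_profile(blob, now))
```

An MDM policy built on this would quarantine any device carrying a profile with a non-empty findings list, and would treat an enterprise profile from an unlisted team as the strongest signal, since that is what lets an arbitrary signer install on a non-jailbroken device.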

Don’t Forget to Subscribe to Unit 42 Threat Intelligence Alerts

Want to have all of the latest insights, research and threat intelligence from our research team delivered right to your inbox? You can.

Provide your e-mail address in the "Get Updates" box, and you'll receive updates to the Unit 42 threat intelligence blog as they happen, as well as information on upcoming Unit 42 whitepapers and appearances at industry events.

Tracking the WireLurker Arrests

Well that was fast.

Not quite ten days after we released our white paper on WireLurker, arrests have already been made in China. WireLurker is a new family of malware that specifically targets iOS devices over USB. There are WireLurker variants for both Mac OS X and Microsoft Windows.

WireLurker watches for any iOS device connected via USB to an infected OS X or Windows computer. When it detects one, it installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "WireLurker".

Palo Alto Networks Identifies 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 8, 9, 10 and 11. The discoveries include two IE memory corruption vulnerabilities and one IE ASLR bypass vulnerability. All three are part of the November 2014 security bulletin release and are documented in Microsoft Security Bulletin MS14-065.

The Question of WireLurker Attribution: Who Is Responsible?

After news of WireLurker began circulating in a handful of Chinese-language tech forums over the summer, a Chinese-language technology blogger conducted online research in an attempt to track down the author of WireLurker and engage him in an online chat. While it is unclear whether he found the actual author, it appears he was able to locate someone associated with the company that produced WireLurker and controlled its Command and Control (C2) domain.

The following is a translated summary of the Chinese blogger’s investigation with supplemental research and analysis conducted by Unit 42. Due to the amount of personal information the original blog contains, we will make the blog address available only upon request.

Kuluoz Trends – October 2014

The Asprox/Kuluoz malware family has a special place in our hearts at Palo Alto Networks. This botnet-related Trojan malware has evolved from its 2007 roots into a simple and yet robust mass e-mail phishing threat that is the origin of a significant percentage of Internet spam today. This post further explores trends for this malware family, based on October 2014 data from our WildFire platform.

Some Background

The modern Kuluoz is known for the following:

  • High distribution volume through geolocation-associated spam e-mail templates
  • Use of e-mail attachments and Web links that masquerade as document or media files
  • Modular design, promoting extensibility
  • Distinct, default botnet node roles of spam generator for continued botnet propagation, downloader of additional malware and distributor of generalized commercial spam
  • Platform-specific malware delivery based on user agent detection

Themes for Kuluoz propagation spam have ranged across legal notices (e.g., court orders), package delivery messages (e.g., FedEx, UPS, DHL), voicemail service notifications (e.g., WhatsApp), general current events (e.g., the 2014 polar vortex), and online deals (e.g., free pizza from Pizza Hut), to name a few.