Wednesday, November 26, 2014

Defaced websites leading to Dokta Chef Exploit Kit and CVE-2014-6332

Defacing websites has been the mainstay for hacktivist groups to spread their message. During recent research, we found multiple compromised websites containing a malicious link to a "lulz.htm" page, which in turn leads the user to a Dokta Chef Exploit Kit (EK) hosting site. This appears to be a new tactic, whereby a hacktivist group has escalated its activities by attacking users who visit the defaced sites. This is out of character for such groups, which generally seem more interested in disrupting private-sector compliance with government entities than in targeting end users.

The contact information provided on the defacement page shows that the culprits of this attack claim to be part of the "AnonGhostTeam" group, based on the associated Twitter account. This group has targeted numerous government and mass media websites in the past, including:
The defaced pages have been lifted in most cases, leaving only a Zone-H mirror

Written in Beautiful Comic Sans
The defaced websites were found to be hosting a page called "lulz.htm", which contains highly obfuscated JavaScript code leading users into a Dokta Chef EK infection cycle.

Obfuscated JavaScript on the compromised sites

CVE-2014-6332 exploit

The Dokta Chef EK was serving a malicious payload for the recently disclosed Microsoft vulnerability CVE-2014-6332, which allows remote code execution when a user visits a specially crafted web page using Internet Explorer (IE). The vulnerability is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory. The vulnerable code has been present in the OleAut32 library since IE version 3.0 and was recently fixed in MS14-064.

The attacker targets only 32-bit Windows operating systems and also checks that the user's browser is IE, as seen in the exploit code snippet above. The exploit cycle terminates if any of the following conditions is true:
  • The user is browsing from a 64-bit Windows operating system
  • The user is browsing from a non-Windows operating system
  • The user's browser is not IE

If the IE version used by the victim is lower than 4, the runshellcode() routine is invoked, skipping the CVE-2014-6332 exploit cycle. If the version is higher than 3, the setnotsafemode() routine is invoked to exploit the CVE-2014-6332 vulnerability.

The CVE-2014-6332 vulnerability is triggered by using an abnormally large array in conjunction with redim Preserve, as shown in the VBScript exploit code snippet above.
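As an added example (not code from the original post), a small heuristic scanner for web proxy or sandbox output that flags pages combining the platform gating described above (IE-only, 64-bit excluded, runshellcode()/setnotsafemode() branch) with a VBScript block that uses redim Preserve. The two page fragments are constructed for the example, and the indicator names are my own.

```python
import re

# Constructed sample page fragments (not from the original post). The first mimics the
# gating logic the post describes (IE-only, 32-bit Windows only, runshellcode()/
# setnotsafemode() branch on IE version) followed by a VBScript block that uses
# "redim Preserve"; the second is a benign page that only sniffs the browser.
SUSPICIOUS_HTML = """
<script>
var ua = navigator.userAgent;
if (ua.indexOf("Win64") != -1 || ua.indexOf("Windows") == -1 || ua.indexOf("MSIE") == -1) {
} else if (parseInt(ua.substring(ua.indexOf("MSIE") + 5)) < 4) {
    runshellcode();
} else {
    setnotsafemode();
}
</script>
<script language="VBScript">
redim Preserve aa(a2)
</script>
"""

BENIGN_HTML = """
<script>
var ua = navigator.userAgent;
if (ua.indexOf("MSIE") != -1) { document.write("Please upgrade your browser"); }
</script>
"""

# Indicators taken from the behaviour described in the post. Each one alone is weak
# (browser sniffing is common), so the verdict requires the VBScript trigger plus gating.
INDICATORS = {
    "vbscript_block": re.compile(r'<script[^>]*language\s*=\s*["\']?vbscript', re.I),
    "redim_preserve": re.compile(r"\bredim\s+preserve\b", re.I),
    "ie_only_gate": re.compile(r'indexOf\(\s*["\']MSIE["\']\s*\)\s*==\s*-1', re.I),
    "x64_exclusion": re.compile(r'["\']Win64["\']', re.I),
    "known_routines": re.compile(r"\b(runshellcode|setnotsafemode)\s*\(", re.I),
}

def matched_indicators(html):
    """Return the sorted names of all indicators present in the page content."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(html))

def looks_like_cve_2014_6332_landing(html):
    """Flag a page when the VBScript trigger co-occurs with the platform gating."""
    hits = set(matched_indicators(html))
    return ("redim_preserve" in hits and "vbscript_block" in hits
            and bool({"ie_only_gate", "x64_exclusion"} & hits))
```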

At the time of research, the end payload was not reachable, but a VirusTotal scan of the hostname shows a history of dubious activity.

The Zscaler ThreatLabZ team has deployed multiple protections against this threat and is actively monitoring the malicious activity surrounding this mass compromise.

Tuesday, November 25, 2014

Beware of Phishing Attacks and Other Scams during the Thanksgiving Shopping Season

Thanksgiving Day is one of the major holidays celebrated in the United States on the fourth Thursday in November. The following Friday, referred to as Black Friday, marks the start of the Christmas holiday shopping season. Almost every retailer large and small offers huge discounts on Black Friday, often extending through the weekend and the following Monday, now known as Cyber Monday.

As we near Thanksgiving and the start of the holiday shopping frenzy, we’re observing a sharp increase in cyber scams and phishing activities targeting online shoppers. As shoppers look for the best deals available, cybercriminals are quick to take advantage of unsuspecting users.

Increase in online shopping transactions

Every year during this timeframe, we observe a noticeable spike in the total number of web transactions within the Shopping category. We have shared this trend in our previous blogs as well ([1],[2]).

Last year, we saw around 2.71% of all the web transactions categorized as Shopping and this year is no different. We currently see that 2.63% of total web transactions belong to the Shopping category and we expect this number to rise as we approach the end of the month. The following chart shows that the number of Shopping transactions has increased steadily throughout November.

Cyber Scams and Phishing attacks

The increase in Shopping activity comes with an unwelcome increase in phishing attempts. Phishing is a well-known attack method, often used by attackers to steal sensitive information like authentication credentials, credit card numbers and personal information. We have already seen a large spike in phishing and spam activity specifically targeting the Thanksgiving, Black Friday and Cyber Monday events. The following graph shows the phishing transactions for this month that have been blocked by Zscaler:

We caution consumers to be extra vigilant this holiday season when shopping online. Here are some examples of phishing attempts that we have blocked:

Walmart phishing attempt:

Amazon phishing attempt:

Ebay phishing attempt:

The motive behind these attempts is to steal sensitive user information which includes personal credentials and financial data. Cybercriminals often use this stolen information for illicit activities resulting in monetary gain.

More phishing sites targeting online retailers:
  • Ebay - hxxp://124[.]150[.]140[.]133/~ritenfad/viewitem/dll/88322933932/
  • Walmart - hxxp://ofertaswalmart[.]
  • Walmart - hxxp://walmartfriday[.]net/
  • Amazon - hxxp://zekocase[.]com/._ama_c0nf1rm/info_bill/login.php
  • Amazon - 213[.]13[.]119[.]152/am/

Fake Black Friday/Cyber Monday/Thanksgiving related sites:

Sample of subjects used in spam e-mail messages targeting online shoppers:

  • Get Stylish-furniture At Discount
  • Checkout tire sales for Black Friday
  • Make the Most of Black Friday, with A New smart-phone
  • Brand name laptops on sale for BlackFriday
  • [Black Friday Starts EARLY]Saveup to 90% +FREE BonusItems!
  • Walmart One Day Specials BlackFriday
  • Shop Black Friday sales to upgrade furniture
  • Thanksgiving Specials and BlackFriday Discounts!
  • New Early BlackFriday Door busters are Added EveryDay
  • Shop Black Friday to find discounts on electronics
  • Search major Savings on laptops...On black-friday
  • Limited Time Black Friday Deal
  • 10% off Site-Wide. Get Your Black Friday Shopping Started Today!

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues until Christmas. The Zscaler ThreatLabZ team is working round the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:

  • Inspect the source of e-mails offering shopping deals
  • Ensure HTTPS/secure connections to online retailers and banking sites
  • Check the authenticity of the URL or website address before clicking on a link
  • Stay away from e-mailed invoices - this is a social engineering technique often used by cybercriminals
  • Do not use insecure public WiFi for shopping
  • Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
  • Always ensure that your operating system and web browser have the latest security patches installed
  • Use browser add-ons like Adblock Plus to block popups and potential malvertisements
  • Back up your documents and media files

Wishing you all a very Happy Thanksgiving and don’t spend too much!

Credit for analysis: Rubin Azad, Uday Pratap Singh

Wednesday, November 12, 2014

Evolution of Upatre Trojan Downloader


Upatre is a Trojan downloader family that, once installed, is responsible for stealing information and downloading additional malware onto the victim machine. It typically arrives via spammed e-mail messages from the Cutwail Botnet, either as an attachment or via a URL pointing to a remote hosting site. We are also seeing Exploit Kits being used as a vector for Upatre infections in the wild.

Upatre Downloader cybercrime network

Upon successful infection, Upatre has been responsible for downloading malicious payloads from known malware families such as:
  • Zeus (Zbot) banking Trojan
  • Rovnix Volume Boot Record (VBR) bootkit
  • Dyreza (DYRE) banking Trojan

The Upatre malware family was first discovered in August 2013 and exponentially increased its infection rates by October 2013. With the demise of the popular Blackhole Exploit Kit in October 2013, many malware authors resorted to traditional spam with the Upatre Trojan downloader as the medium for delivering the ultimate payload, which also contributed to the increase in infections.

The Upatre malware authors have deployed multiple new techniques over the past year, which is why it is one of the most prevalent malware families today. Some of the features that we have tracked include:
  • Password protected attachments - This makes the e-mail look more legitimate and confidential
  • Spammed as an attachment inside an attachment - The spammed e-mail messages contained another e-mail message (*.msg, *.eml) as an attachment which contains the actual Upatre archive attachment
  • Email messages containing a URL pointing to the actual payload
  • Randomized header bytes and encrypted malware downloads to evade detection
  • Usage of SSL encryption for Command & Control (C2) communication and subsequent malware downloads

Recent Attacks

We have seen an increase in the number of Upatre Downloader infections occurring through spammed messages containing fake invoices or voice-mail messages in the past month. The final payload being downloaded from these recent Upatre infections tends to be the Dyreza Banking Trojan. Below is a sample e-mail message from this campaign:

Cutwail spam e-mail leading to Upatre

If the user clicks on the link in the e-mail, they are redirected to the same site, with additional information identifying the operating system included in the URI before the payload is served, as seen here:
GET /documents/invoice_101114_pdf.php?h=[3 digit integer]&w=[4 digit integer]&ua=[User-Agent String]&e=1 HTTP/1.1
The user will then be prompted to download a zipped archive file, which contains a new variant of the Upatre Trojan downloader as seen below:

Upatre download in an archive

The user is redirected to a legitimate site (i.e. "") if the operating system is not supported, or at the end of the download cycle.

The Upatre executable masquerades as a PDF document as seen here:

Upatre executable with PDF icon

The infection cycle begins once the user opens the enclosed executable file. It makes a copy of itself as "%Temp%\pvavq.exe" and runs it. The newly launched process "pvavq.exe" then deletes the original executable "invoice10-11-14_pdf.exe". It connects to a remote C2 server over TCP port 40007 to report the infection and supply information such as the month and year of the spammed binary, the victim's computer name, and operating system details.

Upatre network communication

It further downloads the Dyreza banking Trojan in encrypted form as "%Temp%\utt214.tmp" on the victim machine to evade network detection. It then decrypts the downloaded payload as "%Temp%\EXE1.exe" and executes it, which initiates the Dyreza banking Trojan infection cycle.

Dyreza banking Trojan encrypted and decrypted payload

This variant uses an incremental 4-byte XOR key in the decryption routine as opposed to the hardcoded key we have seen before.

Part of Upatre decryption routine for downloaded payload
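As an added example (not the post's own code), the two key schemes side by side and why the incremental variant still gives an analyst an easy way in: because the dropped file is a PE, XORing its first encrypted dword with the expected "MZ" header dword recovers the initial key, and with the incremental scheme that one value decrypts the whole blob. The exact semantics (one increment per little-endian dword, wrapping at 32 bits) and the sample bytes are assumptions made for illustration.

```python
import struct

# Constructed stand-in for the downloaded payload: a fake PE header prefix plus the
# usual DOS stub text. Sample data only, not a real binary.
SAMPLE_PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00"
                  + b"This program cannot be run in DOS mode.\r\n")
KNOWN_PREFIX = b"MZ\x90\x00"  # first dword of most compiled PE files (assumption)

def xor_incremental_key(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword with a 32-bit key that increments by one per dword.
    The granularity (one increment per dword, wrap at 32 bits) is an assumption for
    illustration; the post only states that the variant uses an incremental 4-byte key.
    XOR is its own inverse, so this routine both encrypts and decrypts."""
    out = bytearray()
    k = key & 0xFFFFFFFF
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        dword = struct.unpack("<I", chunk.ljust(4, b"\0"))[0] ^ k
        out += struct.pack("<I", dword)[:len(chunk)]  # drop padding on a short tail
        k = (k + 1) & 0xFFFFFFFF
    return bytes(out)

def xor_static_key(data: bytes, key: int) -> bytes:
    """The older scheme the post contrasts with: one hardcoded key for every dword."""
    out = bytearray()
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        dword = struct.unpack("<I", chunk.ljust(4, b"\0"))[0] ^ (key & 0xFFFFFFFF)
        out += struct.pack("<I", dword)[:len(chunk)]
    return bytes(out)

def recover_initial_key(blob: bytes, known_prefix: bytes = KNOWN_PREFIX) -> int:
    """Known-plaintext recovery: ciphertext dword XOR expected plaintext dword = key."""
    c0 = struct.unpack("<I", blob[:4])[0]
    p0 = struct.unpack("<I", known_prefix[:4])[0]
    return c0 ^ p0

def decrypt_dropped_file(blob: bytes) -> bytes:
    """Recover the key from the header and undo the incremental-key encryption."""
    return xor_incremental_key(blob, recover_initial_key(blob))
```

A static-key decoder applied to the incremental scheme recovers only the first dword, which is the symptom an analyst sees when an older Upatre decoder stops working on this variant.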

The following screenshot shows the custom User-Agent string and hardcoded remote server locations we found during our Upatre binary analysis:

Unpacked Upatre binary

Indicators of Compromise

Here is a sample list of HTTP requests that will provide a good indication of an Upatre and Dyreza compromise on your network:

Upatre indicators of compromise

Additionally, we have seen the following three hardcoded User-Agent strings being used for the HTTP requests in the Upatre variants that we have analyzed:

The Upatre Trojan downloader family continues to evolve and is one of the most prevalent malware families at present. It continues to add new malware to its cybercrime pay-per-install nexus, serving as a vector for downloading and installing additional malware payloads.

Zscaler ThreatLabZ is actively monitoring this threat and ensuring full security coverage for our customers.