Tuesday, December 22, 2015

2016 Security Predictions

As the year comes to a close and winter sets in, we like to look back at the year that was and do our best to prepare for the year ahead. What would the holiday season be without yuletide cheer, excessive commercialization and of course…security predictions? Yes, it’s time to join my colleagues in the security industry, peer into my magical crystal ball and provide a glimpse of what is to come. Grab a nice hot beverage, curl up next to the fire and enjoy!

PII is the new hotness

2015 continued the trend of major retail data breaches resulting in bulk debit and credit card theft, but it also marked a shift that will accelerate in 2016. In the coming year, expect attackers to move away from targeting financial information and instead target personally identifiable information (PII). In 2015 we continued to see credit/debit card theft at the likes of America’s Thrift Stores, the Trump Hotel Collection, Hilton Hotel properties, Service Systems Associates, Hershey Park, Harbortouch and White Lodging, but we also learned of major breaches in the healthcare (Anthem and CareFirst BlueCross BlueShield) and government (Office of Personnel Management) sectors that targeted PII.

The quest for PII is being driven by two separate groups of attackers. Nation states want PII for espionage, while criminals are shifting to PII because it is generally more valuable than card data, which is getting harder to harvest in bulk thanks to greater awareness of the problem and new payment technology. Why would a social security number be worth more than a credit card number, which can be used directly to procure goods and services? PII is highly sought after in the underground because it can be leveraged to commit financial fraud such as applying for credit, submitting false medical or insurance claims, or filing fraudulent tax refunds. Whereas a credit card can be cancelled in minutes, changing one’s name, address and social security number generally isn’t an option, so stolen PII stays valuable for far longer.

The shift will be motivated in part by the push to move to chip (EMV) debit and credit cards. An EMV chip authenticates each transaction with a one-time cryptogram rather than exposing static track data, so the card data that RAM-scraping point-of-sale malware collects can no longer simply be replayed or cloned onto a magnetic-stripe card. Don’t however expect card fraud to disappear entirely: EMV adoption in the US has been slow despite the October 2015 liability-shift deadline, and the technology does nothing to combat card-not-present (online) fraud.

In 2016, attackers will increasingly target sectors known to store bulk PII, including finance, healthcare and government entities.

Trusted Partner Attacks 

Breaking in through the front door isn’t always the best option, as it tends to be well defended. The same is true of cyber attacks. A head-on assault is expected, but companies rely on a plethora of technology partners and often communicate with them through trusted digital channels. History suggests that enterprises aren’t doing enough to ensure that trusted partners maintain the security standards that would be demanded if those services were delivered internally. In the past we have seen this with the Target breach, which began when Fazio Mechanical, an HVAC vendor, was compromised. Likewise, the OPM breach began with a compromise at KeyPoint Government Solutions. Compromised partner networks aren’t always used to directly access another network; they can also play an indirect role in a broader attack. For example, the attackers that ultimately targeted JPMorgan Chase, Scottrade and E-Trade for money laundering also compromised G2 Web Services LLC, which specialized in monitoring and blocking fraudulent banking transactions. Once inside the G2 network, they could ensure that their money laundering schemes went undetected. Enterprises are increasingly outsourcing technology to streamline costs in areas that are not a core focus. For attackers, a supplier that often has weaker security controls than the larger entity it serves can be a gold mine: not only does the breach provide a back door into the original target, but it also opens doors to other enterprises serviced by the same vendor. Hackers have learned from successful attacks exploiting such relationships and will accelerate their focus in this area in 2016. Enterprises need to extend security policies and procedures beyond their own systems and personnel. Trusted partners should be expected to adhere to the same security controls and be subjected to audits and penetration tests to verify that they are meeting the agreed-upon standards. The network access granted to a partner should also be scoped to the specific systems that partner actually needs, so that a compromised vendor account cannot be used to roam freely.

Ransomware 2.0 goes corporate

Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. Even the FBI has suggested that it’s easier to pay than fight. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar. Many of these clones, including more popular variants such as CryptoWall and TorrentLocker, largely followed the proven formula, but we’re starting to see variations such as ransomware focused on Linux and mobile platforms. The former is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property. Expect ransomware to become increasingly corporate focused in 2016 and, as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy and once they realize that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket…and be paid. Keep in mind that a backup the infected host can reach over a mapped drive or a synced folder gets encrypted along with everything else; the copy that matters is the one that is offline or versioned.

The extortion data breach

The Sony Pictures, Ashley Madison and Hacking Team breaches all share a common theme: the goal of the attacks was to humiliate the respective companies and perhaps inflict financial damage. There did not however appear to be a profit motive in any of the attacks. Sony Pictures, having already proven to be a vulnerable target after two successful attacks against the PlayStation Network, had its dirty laundry aired by hackers allegedly backed by the North Korean government as retaliation for producing a satirical movie about their leader. Ashley Madison and Hacking Team are believed to be the victims of hacktivists that disagreed with their corporate philosophies. Despite what has been stated by the media, there is little to suggest that these were sophisticated attacks. Rather, once the attackers gained access to the internal network, they were able to roam freely and collect troves of sensitive data from email and file servers, which were then dumped online. Criminals have no doubt taken notice of the extreme damage that small teams have been able to achieve and know all too well that some would be willing to pay millions to stay out of the headlines. This is one prediction that is likely already taking place but we’ve yet to hear about it, as the attackers have held up their part of the bargain to remain quiet in exchange for the hush money.

No AV? No problem.

Foreshadowing the death of antivirus (AV) is hardly a bold prediction. Even AV executives are calling for it. While you won’t see a sudden wholesale move away from AV, as it remains the first line of defense for corporate PCs, we’re now hearing with some regularity of CTOs shifting away from paid AV solutions to ‘good enough’ free AV or solutions baked in at the O/S level, such as Microsoft’s Windows Defender or Apple’s File Quarantine (aka XProtect). As enterprises adapt to the post-PC era, running an end user device without AV is no longer seen as a risky bet. OS X machines rarely run AV in a corporate environment and on iOS devices it’s not even an option. Enterprises realize that signature-based AV only catches known threats, and they must free budget dollars to shift to more dynamic security controls capable of identifying and protecting against 0day and targeted attacks. With limited budgets, expect fewer enterprises to open the checkbook for host based AV, instead reallocating the funds to solutions such as network/cloud based sandboxing.

Android finally cleans up its act

Android is well on its way to becoming the Windows of the mobile malware world. With 99% of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Love it or hate it, Apple’s walled garden and refusal to allow downloads from third party app stores has paid security dividends. Sure, Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores to save a buck on Candy Crush. Google clearly knows that this will hurt them in the long run, especially in the enterprise space, and began making changes with Marshmallow, the latest Android flavor, when they switched to granular, runtime app permissions to make it clearer what control an app ultimately gains when installed. This however was a small step and Google will need to get much more aggressive going forward. Not wanting to lose ground in the enterprise, where Apple has now pivoted, they have little choice. While cutting off third party app store access altogether would alienate too much of the user base, expect the next iteration of Android to start cracking down on third party app stores. Since Jelly Bean 4.2, embedded cloud based anti-virus scanning has been available through the Verify Apps feature. While yet another improvement, this is clearly not enough, as we regularly identify and blog about malicious apps from alternate Android app stores. Google will need to take more drastic steps and a likely change is restricting the permissions available to apps not vetted through the Google Play submission process. Expect side-loaded apps requesting device administrator permissions to become a thing of the past. Some developers will push back, but Google will have little choice if they want to get malware under control. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners.
It does little good when new security features are added but they’re unavailable to users with non-Nexus devices. These steps won’t eliminate Android malware, especially with Android’s slow O/S upgrade cycle, but they will raise the bar for third party app stores, just as Bouncer did for Google Play.

Terrorists catch the hacking bug

This last prediction is one that saddens me to write, but I feel it is inevitable and one that can’t be ignored. Terror organizations are continually searching for new avenues to instill fear and they require significant funding to further their hateful agendas. Skilled hackers can aid on both fronts. Cyber attacks can clearly be used by terrorists to obtain intelligence for future attacks, and we’re already seeing early signs of cyber attacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace. This wasn’t just kids playing around either, as the attacks reportedly required substantial knowledge of industrial control systems in order to succeed. With almost all industries reliant on computerized systems, the potential attack surface is enormous. Hacking is also extremely lucrative. The CryptoLocker ransomware authors, for example, were able to make millions in just a few short months. Such potential is surely in the sights of terror organizations, especially those such as ISIS, which have shown a new affinity for being tech savvy when it comes to recruiting and propaganda. Sadly, terrorists won’t necessarily need to acquire the necessary skills themselves, as there is no shortage of cyber criminals all too willing to rent their skills out to the highest bidder and look the other way.

Password reuse attacks decline

And now for some good news. Password reuse attacks (now commonly called credential stuffing) will begin to decline. Attackers are quite happy to compromise virtually any site, even if it’s not the endgame, as they can generally recover information and resources that will aid in other attacks. It’s always of great benefit to an attacker to uncover a database of usernames with plaintext or poorly hashed passwords, because human nature suggests that those same credentials are used at many, many other sites. Most people use a handful of passwords at best, so attackers write scripts to attempt automated logins at popular social networking, banking and similar sites to see if the credentials can be reused. This presents a real challenge for end users: they have no control over how their credentials are stored or secured once they’re handed over, and in the event of a compromise, changing the password on every site where those same credentials were used is generally an impossibility. Think of your favorite password that you’ve used over the years. How many sites have you used it on? You lost count, didn’t you. Fortunately, this is starting to change thanks in large part to the smartphone. Smartphones can be many things but they make for a handy, secure, always-with-you data repository. As such, people are starting to adopt password managers such as 1Password, LastPass, etc., as they have user friendly smartphone apps that present a convenient option for always having sensitive data such as passwords within easy reach. Advancements in biometrics are also helping the cause, with consumer grade fingerprint scanners now becoming a standard feature on modern smartphones. This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether. While not as user friendly, most major Internet players are also adding two-factor authentication as a standard option.
Finally, the average user has realistic authentication options that don’t involve sticky notes.

Say goodbye to browser plugins

The love affair with browser plugins has been on the decline and we’re finally at a point where the average user can do away with them once and for all. Flash had a particularly tough year after Firefox disabled the plugin by default when the Hacking Team breach revealed the existence of new Flash 0days. Facebook’s security chief also piled on, asking “Adobe to announce an end-of-life date for Flash”. This after Steve Jobs famously refused to include Flash on iOS, claiming that it had been the “number one reason Macs crash” and had “one of the worst security records”. The bashing certainly isn’t unfounded, with browser plugins remaining the number one way that exploit kit authors target PCs, primarily through Java, Flash and PDF vulnerabilities. At least for websites, Flash is on life support, Java died a couple of years ago and PDF plugins are no longer required as browser vendors have baked in native support. Competitors like Silverlight never fully caught on, and web apps that would historically have used custom plugins for playing video or screen sharing have now migrated to HTML5. Not supporting plugins was one thing that mobile browsers got right from the get-go. In 2016, expect all major browsers to get serious about finally killing off plugin support by default.

The encryption showdown

Encrypted communications have long been the bane of law enforcement and the intelligence community. As privacy concerns mount, thanks in part to the Snowden revelations, leveraging strong encryption for messaging and data storage is no longer the realm of geek speak. It is an expected feature and is quickly becoming a differentiating one. iOS now encrypts data by default and Android, while lagging behind, is fighting to get there. Popular chat applications like WhatsApp tout encryption as a key feature, and Apple’s iMessage, which features end-to-end encryption and no central key store, is often referenced by law enforcement when arguing for a ‘back door’. 2016 will be the year this battle comes to a head. While politicians used to dance gingerly around the topic given the privacy abuses exposed by the Snowden revelations, recent terrorist attacks have brought this issue front and center. Multiple pieces of legislation are sure to be introduced that will propose weakened encryption protocols or procedures to grant law enforcement access to decrypted communications as needed. As we’ve learned however, you can’t be ‘mostly secure’ any more than you can be ‘kind of pregnant’. Weakening encryption to benefit law enforcement will also reduce security for everyone, and if the US government mandates a ‘backdoor’, rest assured that China, Russia, [pick a country] will be demanding the same for their citizens. This is one battle that will have serious repercussions for years to come. Here’s to hoping that Apple, Google, Microsoft, Yahoo! and the like manage to prevail.

Should be another action packed year on the cyber security front. See you next year!

Michael Sutton

Thursday, December 10, 2015

New Spy Banker Trojan Telax abusing Google Cloud Servers

Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax.

The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. The social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (using the bit.ly service) that points to a Google Cloud server hosting the malicious payload with a .COM or .EXE file extension.

Campaign Details

The attack starts with a shortened URL posted on a social networking site, or via a drive-by download from malicious sites purporting to offer premium software or coupons. Below is a recent attack chain in which the user clicked on a link shared via Facebook that led to the download of the Telax payload:

Figure 1: Spy Banker Telax served via Facebook

The bit.ly link points to a PHP file hosted on the Google Cloud Server that does a 302 redirect to download the initial Spy Banker Downloader Trojan payload.

The executable file receitanet.com poses as Receitanet, the Brazilian federal revenue service’s online tax-return software. Note that these are Windows executables, not domain names: .COM is a legacy executable extension that Windows will run just like an .EXE, so a file called americanas.com or walmart.com reads like a retailer’s web address in a download prompt while actually being the Spy Banker Downloader. We have also seen other themes offering fake premium software applications and discount vouchers, as seen from the file names below.

Malicious payload file names:
  • americanas.com
  • americanas.exe
  • app.ricardoeletro.com
  • atube.com
  • avast.com
  • AvastPro.exe
  • baixaki.com
  • receitanet.com
  • ricardoeletro.com
  • setup.exe
  • submarino.com
  • voucher.americanas.com
  • voucher.mercadolivre.com
  • voucher.ricardoeletro.com
  • walmart.com
  • web.whatsapp.com
  • whatsapp_setup.exe
  • WhatsApp_Setup.exe
Below are the statistics (credit: bit.ly) on the number of user clicks recorded for the attack campaign shown in Figure 1:

Figure 2: User clicks on the malicious bit.ly link
The majority of the targeted users were led to the malicious bit.ly link from Facebook, as seen below:

Figure 3: Source for the bit.ly link visits

In addition to social networking sites, we also saw users arriving at the Spy Banker Telax payloads hosted on Google Cloud servers from the following sites:
  • aquinofinal[.]com
  • aquiredire[.]com
  • brasildareceita[.]com
  • mundodareceita[.]com
  • ofertasplusdescontos[.]com
All but one of the domains listed above have been repossessed by GoDaddy and are no longer active. A quick WHOIS lookup of the active domain shows that it was recently registered to 'kleyb maxbell' with the following information:

Figure 4: Whois information for an attack domain
We found another domain, 'ofertasmaxdescontos[.]com', registered to the same user, which also appears to be actively redirecting users to the malicious payload hosted on a predetermined Google Cloud server, as seen below:

Figure 5: Active attack domains

It is important to note that Google has already cleaned up the cloud servers that these two active sites currently redirect to, so the infection cycle now fails with a 404 Not Found response.

Geographic distribution of the users attempting to download the end malicious payload from Figure 1 is shown below:

        Figure 6: Geographic distribution of target users

As expected, the majority of the users targeted by this campaign are in Brazil. Note that the success of this attack depends entirely on social engineering: no exploit is involved, and the end user has to be convinced to open the downloaded payload.

Spy Banker Trojan Telax analysis

The initial file that gets downloaded is the Spy Banker Downloader Trojan. The Downloader Trojan is responsible for downloading & executing the final payload from a list of predetermined URLs as seen below:

Figure 7: Downloader Trojan hardcoded URLs
The final payload, Spy Banker Trojan Telax, is a Delphi executable that steals banking credentials from Portuguese-speaking users. Upon execution, Telax injects malicious code into a legitimate Visual Basic compiler (vbc.exe) process, a Microsoft-signed binary that ships with the .NET Framework, so that the malicious code runs under a trusted process name. The injected code first checks for the presence of a virtualized environment such as VMware, VirtualBox, Wine or Virtual PC on the target system.

The Telax executable contains the following additional files embedded in its resource section:
  • SQLLite.dll - legitimate SQLite binary
  • 32-bit rootkit component
  • 64-bit rootkit component
  • 64-bit copy of itself
Depending on the bitness of the target operating system, Telax registers the appropriate rootkit driver as a service:
HKLM\SYSTEM\CurrentControlSet\Services\hookmgr\ImagePath: "<User>\<CurrentLocation>\hookmgr.sys"
A driver service whose ImagePath resolves into the user’s own directory rather than %SystemRoot%\System32\drivers is a strong indicator on its own, since legitimate drivers are not loaded from a user’s working directory.
The main form that we extracted from the malicious Delphi binary is named 'Telax' by the author and can be seen below:

Figure 8: Spy Banker Telax main form

Here is the translation of the pre-configured features found in this bot:

  • Auto Reconectar se perder conexao -> Auto-reconnect if the connection is lost
  • bloquear VM -> Block VM
  • Proteger Processo -> Protect process
  • Mensagem de instalacao -> Installation message
  • Gerar infect -> Generate infection
  • Ativar host -> Enable host
  • ativar update -> Enable update
  • ativar killer -> Enable killer
  • ativar Worm -> Enable worm
  • Versao -> Version
  • Porta -> Port

The following are the additional Telax modules that we looked at during our analysis:

A. Module name: TnHulk.MITO
Detects installed antivirus applications on the system. It specifically looks for the following antivirus executables:
  • BavUpdater.exe - Baidu Antivirus
  • instup.exe - Avast
  • avgmfapx.exe - AVG
  • Update.exe - Symantec

B. Module name: TTitulo.IPTX
Responsible for decrypting the strings embedded in the file.

C. Module name: TXRPD
Responsible for installing the malware on the system.

D. Module name: TLISTING
Contains the rootkit functions.

Network Communication
Upon successful installation, Telax sends the following information to a remote command and control (C&C) server:

  • ID_MAQUINA - Machine ID
  • VERSAO - Bot version
  • WIN - Operating system
  • NAVEGADOR - Default browser
  • PLUGIN - Presence of G-Buster Browser Defense (gbieh.dll) plugin
  • AV - Antivirus installed

Figure 9: Telax C&C communication

The following are the C&C commands used by Telax. Note that the keyboard, mouse and typing commands give the operator interactive control of the victim’s desktop while the victim is logged in to the bank, which is what makes the fake two-factor panels described below workable:

  • <|PING|> - Check connection status
  • <|Info|> - Send infected OS details and bot version
  • <|Close|> - Close all connections
  • <|DESI|> - Uninstall itself
  • <|reini|> - Restart the system
  • <|REQUESTINFO|> - Request information on installed antivirus, anti-spyware and firewall
  • <|REQUESTKEYBOARD|> - Send keystrokes to the active application window
  • <|HjiopPos|> - Set mouse position
  • <|HjiopLD|> - Mouse left button down
  • <|HjiopLU|> - Mouse left button up
  • <|POWT|> - Type the given string into the current window
  • {DESMON} - Set the display state via a WM_SYSCOMMAND window message
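As an added example (not the malware’s code and not ThreatLabZ tooling), here is a small Python parser for the <|COMMAND|> framing listed above, with a triage step that flags the commands giving an operator live control of the desktop. The command names are the ones from the list; the assumption that any argument follows its marker up to the next marker, and the sample stream it runs on, are constructed for illustration since the post does not document argument encoding.

```python
import re

# Commands documented for Telax, with their purpose.
TELAX_COMMANDS = {
    "PING": "check connection status",
    "Info": "send OS details and bot version",
    "Close": "close all connections",
    "DESI": "uninstall",
    "reini": "restart system",
    "REQUESTINFO": "report installed antivirus, anti-spyware and firewall",
    "REQUESTKEYBOARD": "send keystrokes to the active window",
    "HjiopPos": "set mouse position",
    "HjiopLD": "mouse left button down",
    "HjiopLU": "mouse left button up",
    "POWT": "type a string into the current window",
    "DESMON": "set display state via WM_SYSCOMMAND",
}

# Commands that hand the operator interactive control of the victim's session.
REMOTE_CONTROL = {"REQUESTKEYBOARD", "HjiopPos", "HjiopLD", "HjiopLU", "POWT", "DESMON"}

# Every command is framed as <|NAME|> except DESMON, which appears as {DESMON}.
_MARKER = re.compile(r"<\|([A-Za-z]+)\|>|\{([A-Za-z]+)\}")


def split_commands(stream):
    """Return (command, argument) pairs from a captured server-to-bot stream.

    Assumption: an argument, if any, is the text between a marker and the
    next marker. The real protocol may encode arguments differently.
    """
    marks = list(_MARKER.finditer(stream))
    pairs = []
    for i, m in enumerate(marks):
        name = m.group(1) or m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(stream)
        pairs.append((name, stream[m.end():end].strip()))
    return pairs


def triage(stream):
    """Summarise a stream: each command with its meaning, any commands not in
    the documented set, whether the operator took interactive control, and
    any text the operator typed into the victim's window."""
    pairs = split_commands(stream)
    return {
        "commands": [(n, TELAX_COMMANDS.get(n, "unknown"), a) for n, a in pairs],
        "unknown": sorted({n for n, _ in pairs if n not in TELAX_COMMANDS}),
        "interactive_control": any(n in REMOTE_CONTROL for n, _ in pairs),
        "typed_text": [a for n, a in pairs if n == "POWT"],
    }


# Constructed sample, not a real capture: the operator checks the bot, moves
# and clicks the mouse, types a token, blanks the display, then sends an
# undocumented command.
SAMPLE_STREAM = ("<|PING|><|REQUESTINFO|><|HjiopPos|>640,480<|HjiopLD|><|HjiopLU|>"
                 "<|POWT|>123456{DESMON}2<|BOGUS|>")

if __name__ == "__main__":
    report = triage(SAMPLE_STREAM)
    for name, meaning, arg in report["commands"]:
        print(f"{name:16} {meaning:50} {arg}")
    print("interactive control:", report["interactive_control"])
    print("unknown commands:", report["unknown"])
```

Run against a real capture, the "unknown" list is the interesting part: a version of the bot that introduces new markers shows up there before anyone has documented them.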

We also found fake panels for two-factor authentication that will presumably be used to capture and bypass the two-factor authentication mechanism.

Figure 10: Fake two factor authentication panel

Telax Downloader Hashes

Spy Banker Telax is a banking Trojan that specifically targets Portuguese-speaking users in Brazil. The malware authors are actively pushing out new versions of Telax (latest version 4.7) and are abusing Google Cloud servers to host the payload for infection. No vulnerability exploit is used in this campaign; the attackers rely solely on social engineering to infect end users.

Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Telax payloads, ensuring protection for organizations using Zscaler’s Internet security platform.

Research by: Deepen Desai, Nirmal Singh, Lenart Brave

Friday, November 27, 2015

Black Friday Deals on Malware & Scams

The holiday season means different things to different people. For some, it’s a time for family and extravagant meals. For others, it’s a time for charity and giving. For others still, it’s time to shop. Black Friday is once again upon us, that magical time of year when we take to the high street or the internet hoping to find a good deal on the device we’ve been window shopping for the last month. Shoppers beware: more harm than good can come from clicking on what appears to be a good deal. During this time of year the internet runs amok with phishing and scam websites looking to exploit your consumer instincts.

The Zscaler ThreatLabZ team has been monitoring a subset of opt-in data to look for a correlation between shopping activity and scams. Alongside the increase in shopping traffic, we’ve observed a steady stream of scams being clicked on by users. Scammers take notice of trending topics and of consumers’ impaired judgement, and cast a wide net of phishing, fraud and scam attacks meant to capitalize on the shopping season. Whether you are using a mobile device or your home PC, the uptick in shopping traffic applies.

As shown in the graphs, phishing activity tends to rise with the volume of online shopping traffic, which brings the added risk of scammers taking advantage of a consumer’s lapse in judgement.

Vawtrak Botnet Scam

Our first case study illustrates the danger of these fraudulent deals. The Vawtrak botnet (also known as NeverQuest and Snifula) is a powerful information-stealing backdoor Trojan that has been gaining momentum over the past few months. It primarily targets users’ bank accounts via online banking websites. We’ve come across numerous reports where users begin the infection cycle through spam e-mails promising a sales deal. This case appears to be no different, as we see the Pony Trojan downloader being leveraged to fetch the Vawtrak payload from:
  • salesdeal.magentochile[.]cl/f1.exe
VirusTotal had this sample marked as fairly well known, with a score of 32/55 at the time of research. Vawtrak is a treacherous botnet that targets the user’s saved banking credentials and keylogs other passwords. It achieves this by manipulating key Windows processes and lowering security settings to ensure that its command and control traffic can get through.

Users who suspect they are infected with this threat should look for similar suspicious files:
  • C:\Users\[COMPUTERNAME]\AppData\Local\Temp\~DFECDDE19F2005BD31.TMP
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Kapag
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.exe
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Qucuz
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Sofolq
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Uoqet
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\YidaLboz
The folder under AppData\Local is randomly named. The fastest way to find the right directory is to look at what programs are auto-starting in the registry. In this instance the following entry was observed. Note that it uses the built-in regsvr32.exe to load the payload DLL, so the malware runs inside a legitimate Microsoft process name rather than as a separate executable:
  • HKU\[USER-ID]\Software\Microsoft\Windows\CurrentVersion\Run\WopuVdax: "regsvr32.exe "C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll""

Once the infection is successful, Internet Explorer’s zone settings are loosened to accommodate the beaconing activity. The value 2500 under Zones\3 (the Internet zone) controls Protected Mode: 0 turns it on and 3 turns it off. The following writes were observed in our execution of the malicious sample, the second of which leaves Protected Mode disabled for the Internet zone:
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000000
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003
Upon successful manipulation of the Internet Settings, command and control attempts are made.
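The three registry indicators on this page, the Telax rootkit service whose ImagePath points into the user’s directory, the Vawtrak Run entry that has regsvr32.exe load a DLL from AppData\Local, and the Zones\3\2500 write that switches off Protected Mode, share a shape that is easy to triage automatically. The following Python is an added example (not Zscaler tooling) that scans sandbox-style "key\value: data" lines of the kind quoted in both posts and scores them. The line format, the user name, the SID and the driver’s on-disk location in the constructed sample are assumptions; the meaning of zone value 2500 (0 = Protected Mode on, 3 = off) is Microsoft’s documented zone-action value.

```python
import re
from dataclasses import dataclass

# Key paths worth a second look, matched case-insensitively on "key\value".
SERVICE_IMAGE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)
AUTORUN = re.compile(r"\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
ZONE_PROTECTED_MODE = re.compile(r"\\internet settings\\zones\\(\d)\\2500$", re.I)

# Locations a driver or autostart binary should not normally live in.
USER_WRITABLE = re.compile(
    r"\\users\\|\\appdata\\|\\temp\\|\\programdata\\|%appdata%|%temp%", re.I)
# Built-in loaders used to run a DLL from an autostart entry without an EXE of their own.
DLL_LOADER = re.compile(r"\b(regsvr32|rundll32)(?:\.exe)?\b", re.I)


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def parse_line(line):
    """Parse one 'HIVE\\key\\value: data' line (assumed sandbox dump format).
    DWORDs arrive as 0xHHHHHHHH and strings are wrapped in double quotes."""
    if ": " not in line:
        return None
    path, data = line.split(": ", 1)
    data = data.strip()
    if data.startswith("0x"):
        return path, int(data, 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return path, data


def triage_registry(lines):
    findings = []
    for raw in lines:
        parsed = parse_line(raw.strip())
        if not parsed:
            continue
        path, data = parsed
        m = SERVICE_IMAGE.search(path)
        if m and isinstance(data, str) and USER_WRITABLE.search(data):
            # Telax: kernel driver 'hookmgr' registered from the user's own directory.
            findings.append(Finding("high",
                f"service '{m.group(1)}' loads its image from a user-writable path", raw))
            continue
        m = AUTORUN.search(path)
        if m and isinstance(data, str):
            loader = DLL_LOADER.search(data)
            if loader and USER_WRITABLE.search(data):
                # Vawtrak: regsvr32.exe loading a randomly named DLL from AppData\Local.
                findings.append(Finding("high",
                    f"autostart '{m.group(2)}' uses {loader.group(1)} to load a DLL "
                    f"from a user-writable path", raw))
            elif USER_WRITABLE.search(data):
                # Medium only: plenty of legitimate per-user software starts from AppData.
                findings.append(Finding("medium",
                    f"autostart '{m.group(2)}' starts a binary from a user-writable path", raw))
            continue
        m = ZONE_PROTECTED_MODE.search(path)
        if m and data == 3:
            findings.append(Finding("medium",
                f"Protected Mode disabled for Internet Explorer zone {m.group(1)}", raw))
    return findings


# Constructed dump mirroring the indicators in the two posts, with two benign
# entries mixed in; user name, SID and the driver's location are invented.
SAMPLE_DUMP = [
    r'HKLM\SYSTEM\CurrentControlSet\Services\hookmgr\ImagePath: "C:\Users\victim\Downloads\hookmgr.sys"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath: "%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"',
    r'HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Run\WopuVdax: "regsvr32.exe "C:\Users\victim\AppData\Local\SuyaDruj\KuhaKqigd.dll""',
    r'HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive: ""C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background"',
    r'HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000000',
    r'HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003',
]

if __name__ == "__main__":
    for f in triage_registry(SAMPLE_DUMP):
        print(f"[{f.severity}] {f.reason}")
```

The OneDrive entry is there deliberately: per-user installers legitimately start from AppData, so the "user-writable path" test alone is only a medium signal, while a driver service or a regsvr32/rundll32 loader pointing there almost never is.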

The threat responds with a list of locations from which to fetch configuration files and other malicious payloads. In the instance we observed, we received the NetWired keylogging bot.

NetWired leaves two files actively running which beacon to suspicious destinations. These processes collect and exfiltrate stolen data to the threat actors.

The NetWired botnet communicates with the following server IPs from our research:
  • 109[.]163[.]226[.]153
  • 213[.]152[.]162[.]99
  • 31[.]184[.]194[.]138
  • 46[.]161[.]1[.]172
  • 46[.]165[.]208[.]108
  • 46[.]20[.]33[.]82
  • 62[.]102[.]148[.]181
  • 95[.]211[.]229[.]148

Free iPhone6 scams

Lots of scam sites are offering a free iPhone 6 to lure victims into click fraud attacks. Scam sites also ask for personal information like phone number, address, or e-mail address. Victims end up losing their personal information that can be further leveraged into future scams. The below screenshot shows scammers doing their best to make a site look like an official Apple site.

Some scams also ask for shipping fees to collect additional funds as well as sensitive information.

Scammers leverage brand names to provide an air of legitimacy to their scam websites. Some examples we have seen:
  • http[:]//apple[.]com[-]freegiveaway[.]com
  • http[:]//applestore[.]officialfreegiveway[.]com/
  • http[:]//facebook[.]officialfreegiveway[.]com/
  • http[:]//8sd5ug[.]getafreeiphone6splustoday[.]com/
  • http[:]//giveaways[.]xyz/iphone[-]giveaway/
  • http[:]//iphone6[.]howtogetafree[.]eu/

We recently covered a fake app offering early access to Amazon.com Black Friday and Cyber Monday offers and deals. With the rise in mobile device usage for browsing and shopping activities, we expect to see more and more instances of such fake applications with exciting offers targeting mobile users.

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues through Christmas. The Zscaler ThreatLabZ team is working around the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:
  • Inspect the source of emails with enticing shopping deals. Be wary of any suspicious attachments
  • Steer clear of unofficial mobile application stores
  • Ensure HTTPS/secure connections to online retailers and banking sites
  • Check the authenticity of the URL or website address before clicking on a link
  • Stay away from e-mailed invoices - this is often a social engineering technique used by cyber criminals
  • Do not use insecure public WiFi for shopping
  • Use two-factor authentication whenever possible especially on sensitive accounts such as those used for banking
  • Always ensure that your operating system and web browser have the latest security patches installed
  • Use browser add-ons like Adblock Plus to block popups and potential malvertisements
  • Backup your documents and media files
  • Review the Identity Theft Guide and FAQ from the Federal Trade Commission.
Wishing you all a very Happy Thanksgiving!

Tuesday, November 24, 2015

This Thanksgiving, deals on your private data too

In a matter of years, we’ve seen Black Friday and Cyber Monday become two of the most anticipated days of the calendar year. While consumers eagerly await the chance to buy this season’s hottest gifts, what they don’t realize is that hackers are also anticipating a holiday treat: their personal data. This weekend, Zscaler uncovered a campaign in which malware authors turned the holiday shopping season into an opportunity to scam a large number of people with fake apps offering early access to Amazon.com Black Friday and Cyber Monday deals.

The Zscaler research team recently came across one such fake Amazon app, which masqueraded as an Amazon.com Black Friday deals app but was actually built to collect the victim's personal data. The app was downloaded from the following URL:
  • URL :  http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk
The hostname shows the trick: "amazon.de" is not the domain here but merely a subdomain of the attacker-controlled offer47263[.]cc, so a victim who reads only the start of the address takes it for Amazon's German storefront.
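The "check the URL" advice from the shopping checklist can be automated for addresses like the giveaway domains listed earlier and the amazon[.]de[.]offer47263[.]cc host here. The Python below is an added example, not Zscaler's tooling: it refangs a quoted indicator, works out the registrable domain (eTLD+1) using a deliberately tiny stand-in for the Public Suffix List, and flags any hostname that contains a brand name without being registered under a domain that brand owns. The brand tokens, the brand-owned domains and the suffix shortlist are assumptions for the illustration.

```python
"""Flag hostnames that borrow a brand name without being registered under a
domain the brand owns.  Added example, not code from the original post."""
import re
from urllib.parse import urlsplit

# Brand tokens and the registrable domains each one legitimately lives under.
# Assumption for the illustration: a real tool would carry a far longer list.
BRAND_OWNED = {
    "apple":    {"apple.com"},
    "iphone":   {"apple.com"},
    "amazon":   {"amazon.com", "amazon.de"},
    "facebook": {"facebook.com"},
}

# Two-label public suffixes recognised here.  Assumption: a tiny stand-in for
# the Public Suffix List, which is what production code should load instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(indicator: str) -> str:
    """Undo the [.] [:] [-] bracketing used when quoting malicious URLs."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("[-]", "-")


def hostname(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged, possibly scheme-less) URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """The label pair (or triple under e.g. co.uk) the registrant controls.
    Everything left of it is a subdomain the registrant names freely, which is
    exactly what amazon.de.<attacker-domain>.cc relies on."""
    labels = host.rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def brand_abuse(url: str):
    """Return (brand, registrable_domain) when a brand token appears anywhere in
    the hostname but the registrable domain is not one the brand owns.
    Returns None for genuine brand hosts and for hosts naming no brand at all."""
    host = hostname(url)
    reg = registrable_domain(host)
    for brand, owned in BRAND_OWNED.items():
        if brand in host and reg not in owned:
            return brand, reg
    return None


def triage(urls):
    """Map each URL to its finding so a batch of indicators can be reviewed at once."""
    return {u: brand_abuse(u) for u in urls}


if __name__ == "__main__":
    # The defanged URLs quoted in the two posts above, plus one genuine host.
    SAMPLES = [
        "http[:]//apple[.]com[-]freegiveaway[.]com",
        "http[:]//applestore[.]officialfreegiveway[.]com/",
        "http[:]//facebook[.]officialfreegiveway[.]com/",
        "http[:]//8sd5ug[.]getafreeiphone6splustoday[.]com/",
        "http[:]//giveaways[.]xyz/iphone[-]giveaway/",
        "http[:]//iphone6[.]howtogetafree[.]eu/",
        "http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk",
        "https://www.amazon.de/",
    ]
    for url, finding in triage(SAMPLES).items():
        print(f"{str(finding or 'ok'):<50} {url}")
```

Note the one miss this heuristic accepts by design: giveaways[.]xyz/iphone[-]giveaway/ names the brand only in the path, not the hostname, so it is reported as clean. Hostname checks catch the "apple.com-..." and "amazon.de.<domain>" patterns that fool a reader; path-based lures need reputation data rather than parsing.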

Once installed, the application presents itself as a legitimate Amazon app.
When the user launches it, it dynamically loads a second, embedded app named "com.android.engine", as seen below.

Loading application dynamically
This newly loaded child application requests device administrator privileges and other risky permissions, such as sending SMS messages and placing phone calls.
The child app first registers itself as a service, so even if the fake Amazon app is removed, "com.android.engine" persists and keeps running in the background. Once the child app is installed, the fake Amazon application starts displaying the error "Device not supported with App", nudging the victim to uninstall it in the belief that the installation failed. Because the child app has no launcher icon, it is difficult for an ordinary user to notice and remove.

The presence of this app can be seen in Settings>Apps>Running Applications section of device as shown below. 
Silently working in the background

Administrative access
The loaded malicious application contains code for harvesting the user's personal data.
The following routine collects the victim's browser history and bookmarks.
Browser data
It also harvests call logs and received SMS messages, splitting them into sender number, SMS body, incoming call number, contact name and so on, as shown below.
Call logs
Inbox messages
The malicious app also gathers the victim's contact details.
This sample was also observed communicating with an IP address in Canada, 198[.]50[.]169[.]251, on port 4467, most likely exfiltrating the harvested data over a raw network socket.

Hard coded IP
The following packet capture shows the malware communicating with its command and control (C&C) server.

Packet Capture

Data being sent
Especially during the holiday season, consumers need to be careful about the applications they download and steer clear of such fake apps. Install applications only from legitimate app stores and websites, and review the permissions an application requests at install time: a shopping app has no reason to ask for access to your contacts or SMS messages. Checking permissions before installing can save you from apps like this one.
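The permissions advice can be checked before an APK is ever installed. The Python below is an added example, not the post's own tooling: it parses `aapt dump badging` output and reports requested permissions that a shopping app has no business holding, together with a flag for sideloaded packages that squat in the com.android.* namespace the way "com.android.engine" does. The badging text is constructed to mirror the behaviour described above, and the set of out-of-profile permissions is an assumption.

```python
"""Triage an APK's requested permissions against what a shopping app needs.
Added example, not code from the original post or from the sample."""
import re

# Permissions a retail/shopping app should never request, with the abuse the
# post describes for each.  Assumption: the profile is ours, not Android's.
OUT_OF_PROFILE = {
    "android.permission.SEND_SMS": "send SMS in the background",
    "android.permission.READ_SMS": "read inbox messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.CALL_PHONE": "dial numbers without the dialer UI",
    "android.permission.READ_CALL_LOG": "harvest call logs",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history and bookmarks",
}

# aapt has printed permissions in two styles over the years:
#   uses-permission: name='android.permission.SEND_SMS'
#   uses-permission:'android.permission.SEND_SMS'
PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'", re.M)
PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)


def parse_badging(text):
    """Return (package_name, set_of_requested_permissions) from badging output."""
    pkg = PKG_RE.search(text)
    return (pkg.group(1) if pkg else None), set(PERM_RE.findall(text))


def triage(text):
    """Score one APK: out-of-profile permissions plus a namespace-squatting flag.
    A sideloaded APK naming itself com.android.* is imitating a system
    component; genuine com.android.* packages ship preinstalled or via Play."""
    pkg, perms = parse_badging(text)
    findings = {p: OUT_OF_PROFILE[p] for p in sorted(perms) if p in OUT_OF_PROFILE}
    squats_system = bool(pkg) and pkg.startswith("com.android.")
    verdict = "suspicious" if findings or squats_system else "ok"
    return {
        "package": pkg,
        "verdict": verdict,
        "findings": findings,
        "squats_system_namespace": squats_system,
    }


# Constructed badging output modelled on the hidden child app described above;
# it is not the real sample's output.
CONSTRUCTED_BADGING = """\
package: name='com.android.engine' versionCode='1' versionName='1.0'
sdkVersion:'9'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
application-label:'Amazon'
"""

if __name__ == "__main__":
    result = triage(CONSTRUCTED_BADGING)
    print(result["package"], "->", result["verdict"])
    for perm, why in result["findings"].items():
        print(f"  {perm}: {why}")
```

The device administrator request the post mentions does not show up in badging output (it lives in a receiver's BIND_DEVICE_ADMIN filter in the manifest), so a full check would also decode AndroidManifest.xml; the permission list alone is already enough to reject this "shopping" app.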

Happy Thanksgiving to all !!

Monday, November 23, 2015

Pornography - A Favorite Costume For Android Malware

Around 30% of Internet traffic is in some way related to pornography, which is the main reason malware authors use porn apps to infect large numbers of users. During recent data mining, we noticed an increasing volume of mobile malware using pornography (disguised as porn apps) to lure victims into scams, steal personal data, or lock phones and demand ransom payments. We recently wrote about Android ransomware and an SMS Trojan leveraging pornography to scam victims. In this blog we share the analysis of two adult-themed malicious apps, an SMS Trojan and an infostealer, that we recently spotted.

Case 1: SMS Trojan

Here we look at a Chinese SMS Trojan disguised as a porn app. Upon installation, the malware distracts the victim by displaying random adult sites while it steals sensitive information and sends SMS messages to predetermined Chinese numbers in the background.
  • Name : 浴室自拍
  • URL:  http://yg-file.91wapbang[.]com/apk/appad/14461771841467103.apk?uid=ef2592f22af8c568f2b2993467a1e21a
  • Package Name : com.uryioen.lkhgonsd
  • Flagged by 6/53 AVs on VirusTotal at the time of analysis.
The malware installs the app with a lewd icon as shown below.
Once a user taps the icon, they are directed to a URL chosen at random from an array defined in the main code module. Interestingly, all the URLs are stored base64-encoded.

Base64 URLs
List of URLs:
  • http://www.4493[.]com/star/sifang/ (aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=)
  • http://m.mnsfz[.]com/h/meihuo/ (aHR0cDovL20ubW5zZnouY29tL2gvbWVpaHVvLw==)
  • http://m.4493[.]com/gaoqingmeinv/ (aHR0cDovL20uNDQ5My5jb20vZ2FvcWluZ21laW52Lw==)
  • http://www.mm131[.]com/xinggan/ (aHR0cDovL3d3dy5tbTEzMS5jb20veGluZ2dhbi8=)
  • http://www.5542[.]cc/xingganmeinv/ (aHR0cDovL3d3dy41NTQyLmNjL3hpbmdnYW5tZWludi8=)
  • http://www.100mz[.]com/a/xingganmeinv/ (aHR0cDovL3d3dy4xMDBtei5jb20vYS94aW5nZ2FubWVpbnYv)
  • http://m.xgmtu[.]com/ (aHR0cDovL20ueGdtdHUuY29tLw==)
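Because the target list survives only as base64 strings, an analyst's first step is to pull such strings out of the dex and decode them. The Python below is an added example, not the post's own tooling: it scans a strings dump for base64-looking tokens, decodes only those that yield an http(s) URL, and defangs the result for reporting. The strings dump is constructed around the seven encoded values quoted above plus a few ordinary dex strings as noise; a real run would feed it `strings classes.dex`.

```python
"""Recover URLs an APK stores as base64 strings.  Added example, not code
from the original post."""
import base64
import binascii
import re

# Candidate tokens: base64 alphabet, long enough to hold a URL, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def defang(url: str) -> str:
    """Bracket the dots so the URL cannot be clicked when pasted into a report."""
    return url.replace(".", "[.]")


def decode_urls(blob: str):
    """Return the defanged http(s) URLs hidden as base64 tokens in `blob`.
    Tokens whose length is not a multiple of four, that fail strict base64
    validation, or that decode to something other than an ASCII URL are
    skipped, so dex type descriptors like Lcom/foo/Bar; do not produce noise."""
    found = []
    for token in B64_TOKEN.findall(blob):
        if len(token) % 4:
            continue                       # incomplete base64 group
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            found.append(defang(text))
    return found


# Constructed strings dump: the encoded values quoted in the post, surrounded
# by the kind of descriptors `strings` prints from a real classes.dex.
CONSTRUCTED_STRINGS_DUMP = """\
Lcom/uryioen/lkhgonsd/MainActivity;
Landroid/telephony/SmsManager;
sendTextMessage
aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=
aHR0cDovL20ubW5zZnouY29tL2gvbWVpaHVvLw==
aHR0cDovL20uNDQ5My5jb20vZ2FvcWluZ21laW52Lw==
aHR0cDovL3d3dy5tbTEzMS5jb20veGluZ2dhbi8=
aHR0cDovL3d3dy41NTQyLmNjL3hpbmdnYW5tZWludi8=
aHR0cDovL3d3dy4xMDBtei5jb20vYS94aW5nZ2FubWVpbnYv
aHR0cDovL20ueGdtdHUuY29tLw==
Ljava/lang/String;
"""

if __name__ == "__main__":
    for url in decode_urls(CONSTRUCTED_STRINGS_DUMP):
        print(url)
```

Strict validation matters here: `b64decode` without `validate=True` silently discards non-alphabet characters, which turns unrelated strings into plausible-looking garbage and hides the real hits.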
In the background, the malware collects device information and sends it to a remote command and control (C&C) server, as seen below.
Post Request
The C&C server responds back to the bot with further instructions as seen below.
The C&C response in the screenshot shows the malware receiving a phone number together with the message content to be sent to that number via SMS. The following code shows how the malware parses this response and sends the SMS messages.

Send SMS code
After sending the message, the malware sends another POST request notifying the C&C server about the sent SMS activity.

Post Request
  • C&C server - http[:]//www[.]mscdea[.]com:7981

This activity occurs once a day, at a random time: the malware sends a POST request to the C&C server and receives the phone numbers and SMS content to be sent out.

The continuous SMS activity can lead to a significant financial loss for the victim. 

Case 2: Fake Ransomware stealing personal data

The malware in this case tries to scare the user with a warning screen accusing them of viewing child pornography, while stealing the victim's personal data in the background and sending it to a C&C server.
  • URL: http://maturefuckporn[.]info/download/kyvcuwc/diper/video.apk (offline at the time of writing)
  • App Name :  video
  • Package Name : com.gi.to
  • Flagged by 12/53 AV vendors on VirusTotal.

Upon installation, a video player icon appears on the device.
Once the user taps the icon, the malware displays a fake warning page, shown below. The page claims to come from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a departure from the classic FBI/police ransomware pages.
Warning page
The malicious app does not request device administrator privileges and is fairly easy to remove; we found no code for locking the device, so the ransomware threat is a bluff. What it does do is harvest inbox messages, contacts and e-mail addresses and relay them to a remote C&C server in the background.

Collecting data
The malware writes the harvested SMS messages and sender phone numbers in a fixed format to a temporary file, as seen in the code snippet above.

C&C construction.
The screenshot above shows the C&C URI construction code. The file containing the stolen data is then sent to the remote C&C server as seen in the network capture below.

Post capture.
The stolen SMS messages being sent to the C&C server in a file.
Inbox messages
The stolen contacts & e-mail addresses being sent to the C&C in a file
  • C&C server - http[:]//maturefucklist[.]com


We are seeing an increasing number of adult-themed Android malware apps using pornography to lure victims. To avoid becoming a victim of such malware, download apps only from trusted app stores such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.

Friday, November 6, 2015

International Council of Women site leading to Nuclear & Kelihos


We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we see in the wild. In the course of our EK hunting, we came across the site of a well-known multinational organization, the International Council of Women (ICW), that had been compromised to lead users to a Nuclear EK landing page. If the exploit cycle succeeds, the end user is infected with the information-stealing Kelihos bot.

Compromised site - ICW

The following screenshot shows the malicious iframe injected on the compromised website.

Compromised ICW web page

The malicious iframe leads users to a Nuclear EK landing site as seen below.

Nuclear EK redirection

The Nuclear EK landing page is heavily obfuscated to evade detection by security software, as shown below.

Nuclear EK landing page

Upon successful execution of the obfuscated JavaScript, a malicious Flash file is downloaded to the victim's machine, as seen below.

Flash Exploit Download

Kelihos Payload Analysis

Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim's machine. Some of the download locations for the Kelihos bot seen in this campaign are shown below:


Final Payload Download

Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.

The malware executable is a Microsoft Visual C++ 6.0 compiled binary with custom-packed content stored in an overlay appended after the executable's last section. Kelihos installs WinPcap, a legitimate and widely used Windows packet-capture library, at the following locations:
  • %system32%\winpcap.dll
  • %system32%\Packet.dll
  • %system32%\drivers\npf.sys
Note: %system32% is c:\windows\system32

It uses hard coded User-Agents from the following list when communicating with the remote host:

Crafted User-Agent
Kelihos tries to steal FTP and POP3 login credentials by sniffing the victim machine's network traffic with the installed WinPcap libraries. It also checks for the presence of the following applications and attempts to steal their stored credentials, digital currency wallets and other information:
  • 3D-FTP
  • Bitcoin
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • Classic FTP
  • Core FTP
  • CuteFTP
  • Cyberduck
  • Directory Opus
  • FileZilla
  • Frigate3
  • FTPGetter
  • LeapFTP
  • FTPRush
  • xterm
  • PuTTY
  • SecureFX
  • SmartFTP
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
  • Google\Chrome
  • Chromium
  • ChromePlus
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • CoolNovo
  • MapleStudio\ChromePlus
  • Yandex
Kelihos communicates with its command and control (C&C) servers over HTTP, with messages encrypted using the Blowfish symmetric-key cipher.

Post Infection Communication


Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit updates, new obfuscation techniques and new malware payloads. The final payload in this campaign was the information-stealing Kelihos bot, which had very low AV detection at the time of analysis.

ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.

Research by Dhanalakshmi PK and Rubin Azad