Tuesday, December 22, 2015

2016 Security Predictions

As the year comes to a close and winter sets in, we like to look back at the year that was and do our best to prepare for the year ahead. What would the holiday season be without yuletide cheer, excessive commercialization and of course…security predictions? Yes, it’s time to join my colleagues in the security industry, peer into my magical crystal ball and provide a glimpse of what is to come. Grab a nice hot beverage, curl up next to the fire and enjoy!

PII is the new hotness

2015 continued the trend of major retail data breaches resulting in bulk debit and credit card theft, but it also marked a shift that will accelerate in 2016. In the coming year, expect attackers to move away from targeting financial information and instead target personally identifiable information (PII). In 2015, we continued to see credit/debit card theft at the likes of America’s Thrift Stores, The Trump Hotel Collection, Hilton Hotel properties, Service Systems Associates, Hershey Park, Harbortouch and White Lodging, but in 2015 we also learned of major breaches in the healthcare (Anthem and CareFirst BlueCross BlueShield) and government (Office of Personnel Management) sectors that targeted PII. The quest for PII is being driven by two separate groups of attackers. While nation states desire PII for espionage, criminals are also shifting to PII as it is generally more valuable than credit and debit cards, which are getting more challenging to harvest in bulk due to greater awareness of the problem and new technology. Why would a social security number be of greater value than a credit card number, which can be used directly to procure goods and services? PII is highly sought after in the underground as it can be leveraged to commit financial fraud such as applying for credit, submitting false medical/insurance claims or filing fraudulent tax refunds. Whereas credit cards can be easily cancelled, changing one’s name, address and social security number generally isn’t an option, so the stolen data remains valuable for a longer period of time. The shift will be motivated in part by the push to move to Chip and PIN (aka EMV) debit and credit cards, which combat RAM scraping malware with tokenization. Don’t however expect credit and debit card fraud to disappear entirely as EMV technology has seen slow adoption in the US, despite an October 2015 deadline and the technology does nothing to combat card not present (online) theft. In 2016, attackers will increasingly target sectors known to store bulk PII including finance, healthcare and government entities to harvest valuable PII.

Trusted Partner Attacks 

Breaking in through the front door isn’t always the best option as it tends to be be well defended. The same is true in cyber attacks. A head on assault is expected, but companies rely on a plethora of technology partners and often communicate with them through trusted digital channels. History suggests that enterprises aren’t doing enough to ensure that trusted partners maintain their security to the same standards that would be demanded if those services were delivered internally. In the past we have seen this with the Target breach which occurred when Fazio Mechanical, an HVAC vendor was compromised. Likewise, the OPM breach began with a compromise at KeyPoint Government Solutions. Compromised partner networks aren’t always used to directly access another network but can also play an indirect role in a broader attack. For example, attackers that ultimately targeted JPMorgan Chase, Scottrade and E-Trade for money laundering also compromised G2 Web Services LLC, which specialized in monitoring and blocking fraudulent banking transactions. Once inside the G2 network, they could ensure that their money laundering schemes went undetected. Enterprises are increasingly outsourcing technology to streamline costs in areas that are not a core focus. For attackers targeting a supplier that often has lesser security controls than the larger entity that it serves, a successful compromise can be a gold mine. Not only does the breach provide a backdoor into the original target, but it also opens doors to other enterprises being serviced by the same vendor. Hackers have learned from successful attacks exploiting such relationships and will accelerate their focus in this area in 2016. Enterprises need to extend security policies and procedures beyond their own systems and personnel. Trusted partners should be expected to adhere to the same security controls and be subjected to audit and penetration tests to ensure that they are adhering to agreed upon standards.

Ransomware 2.0 goes corporate

Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. Even the FBI are recommending that it’s easier to pay than fight. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar. Many of these clones, including more popular variants such as CryptoWall and TorrentLocker largely followed the proven formula but we’re starting to see variations such as ransomware focused on Linux and mobile platforms. The former is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property. Expect ransomware to become increasingly corporate focused in 2016 and as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy and once they realize that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket…and be paid.

The extortion data breach

The Sony Pictures, Ashley Madison and Hacking Team breaches all share a common theme – the goal of the attacks was to humiliate the respective companies and perhaps inflict financial damage. There did not however appear to be a profit motive in any of the attacks. Sony Pictures, after already having proven to be a vulnerable target after two successful attacks against the Play Station Network, had it’s dirty laundry aired by hackers allegedly backed by the North Korean government as retaliation for producing a satirical movie about their leader. Ashley Madison and Hacking Team are believed to be the victims of hacktivists that disagreed with their corporate philosophies. Despite what has been stated by the media, there is little to suggest that these were sophisticated attacks. Rather, once the attackers were able to gain access to the internal network, they were able to roam freely and collect troves of sensitive data from email and file servers, which was then dumped online. Criminals have no doubt taken notice of the extreme damage that small teams have been able to achieve and know all too well that some would be willing to pay millions to stay out of the headlines. This is one prediction that is likely already taking place but we’ve yet to hear about it as the attackers have held up their part of the bargain to remain quiet in exchange for the hush money.

No AV? No problem.

Foreshadowing the death of antivirus (AV) is hardly a bold prediction. Even AV executives are calling for it. While you won’t see a sudden wholesale move away from AV, as it remains the first line of defense for corporate PCs, we’re now hearing with some regularity, CTOs shifting away from paid AV solutions to ‘good enough’ free AV or solutions baked in at the O/S level, such as Microsoft’s Windows Defender or Apple’s File Quarantine (aka XProtect). As enterprises adapt to the Post-PC era, running an end user device without AV is no longer seen as a risky bet. OS X machines rarely run AV in a corporate environment and on iOS devices it’s not even an option. Enterprises realize that AV is focused on known vulnerabilities and they must free budget dollars to shift to more dynamic security controls capable of identifying and protecting against 0day and targeted attacks. With limited budgets, expect fewer enterprises to open the checkbook for host based AV, instead reallocating the funds to solutions such as network/cloud based sandboxing solutions.

Android finally cleans up it’s act

Android is well on it’s way to becoming the Windows of the mobile malware world. With 99% of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Love it or hate it, Apple’s walled garden and refusal to allow downloads from third party app stores has paid security dividends. Sure, Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores to save a buck on Candy Crush. Google clearly knows that this will hurt them in the long run, especially in the enterprise space and began making changes with Marshmallow, the latest Android flavor when they switched to Granular App Permissions to make it more clear what control an app ultimately gains when installed. This however was a small step and Google will need to get much more aggressive going forward. Not wanting to lose ground in the enterprise, where Apple has now pivoted, they have little choice. While cutting off third party app store access altogether would alienate too much of the user base, expect the next iteration of Android to to start cracking down on third party app stores. Since Jelly Bean 4.2, embedded cloud based anti-virus scanning was added through the Verify Apps feature. While yet another improvement, this is clearly not enough as we regularly identify and blog about apps from alternate Android app stores that are malicious in nature. Google will need to take more drastic steps and a likely change is restricting the permissions available to apps not vetted through the Google Play submission process.  Expect side-loaded apps requesting Administrator permissions to become a thing of the past.  Some developers will push back, but Google will have little choice if they want to get malware under control. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners. It does little good when new security features are added, but they’re unavailable to users with non-Nexus devices. These steps won’t eliminate Android malware, especially with Android’s slow O/S upgrade cycle, but they will raise the bar for third party app stores, just as Bouncer did for Google Play.

Terrorists catch the hacking bug

This last prediction is one that saddens me to write, but I feel is inevitable and one that can’t be ignored. Terror organizations are continually searching for new avenues to instill fear and they require significant funding to further their hateful agendas. Skilled hackers can aid on both fronts. Cyber attacks can clearly be used by terrorists to obtain intelligence for future attacks and we’re already seeing early signs of cyber attacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace. This wasn’t just kids playing around either, as the attacks reportedly required substantial knowledge of industrial control systems in order to succeed. With almost all industries reliant on computerized systems, the potential attack surface is enormous. Hacking is also extremely lucrative. The CrytoLocker ransomware authors for example were able to make millions in just a few short months. Such potential is surely in the sights of terror organizations, especially those such as ISIS, which have shown a new affinity for being tech savvy when it comes to recruiting and propaganda. Sadly, terrorists won’t necessarily need to acquire the necessary skills themselves as there are no shortage of cyber criminals all too willing to rent their skills out to the highest bidder and look the other way.

Password reuse attacks decline

And now for some good news. Password reuse attacks will begin to decline. Attackers are quite happy to compromise virtually any site even if it’s not the endgame as they can generally recover information and resources that will aid in other attacks. It’s always of great benefit for an attacker when they’re able to uncover a database of unencrypted usernames and passwords, because human nature suggests that those same credentials are used at many, many other sites. Most people use a handful of passwords at best, therefore attackers will write scripts to attempt automated logins at popular social networking, banking, etc. sites to see if the credentials can be reused. This presents a real challenge for end users as they have no control over how their credentials are stored or secured once they’re turned over and in the event of a compromise, changing passwords to every site where those same credentials were used is generally an impossibility. Think of your favorite password that you’ve used over the years. How many sites have you used it on? You lost count, didn’t you. Fortunately, this is starting to change thanks in large part to the smartphone. Smartphones can be many things but they make for a handy secure, always with you, data repository. As such, people are starting to adopt password managers such as 1Password, LastPass, etc., as they have user friendly smartphone apps that present a convenient option for always having sensitive data such as passwords within easy reach. Advancements in biometrics are also helping the cause with consumer grade fingerprint scanners now becoming a standard feature on modern smartphones. This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether. While not as user friendly, most major Internet layers are also adding two-factor authentication as a standard option. Finally, the average user has realistic authentication options that don’t involve sticky notes.

Say goodbye to browser plugins

The love affair with browser plugins has been on the decline and we’re finally at a point where the average user can do away with them once and for all. Flash had a particularly tough year after Firefox disabled the plugin by default after the Hacking Team breach revealed the existence of new Flash 0days. Facebook’s Security Chief also piled on asking “Adobe to announce an end-of-life date for Flash”. This after Steve Jobs famously refused to include Flash on iOS, claiming that it had been the “number one reason Macs crash” and had “one of the worst security records”. The bashing certainly isn’t unfounded with browser plugins remaining the number one way that Exploit Kit authors target PCs, primarily targeting Java, Flash and PDF vulnerabilities. At least for websites, Flash is on life support, Java died a couple of years ago and PDF plugins are no longer required as bowser vendors have baked in native support. Competitors like SilverLight never fully caught on and web apps that would historically have used custom plugins for playing video or screen sharing, have now migrated to HTML5. Not supporting plugins was one things that mobile browsers got right from the get go. In 2016, expect all major browsers to get serious about finally killing off plugin support by default.

The encryption showdown

Encrypted communications have long been the bane of law enforcement and those in the intelligence communities. As privacy concerns mount, thanks in part to the Snowden revelations, leveraging strong encryption for messaging and data storage is no longer the realm of geek speak. It is an expected feature and is quickly becoming a differentiating feature. iOS now encrypts data by default and Android while lagging behind, is fighting to get there. Popular chat applications like WhatsApp tout encryption as a key feature and Apple’s iMessage app, which features end-to-end encryption and no central key store, is often referenced by law enforcement when arguing for a ‘back door’. 2016 will be the year this battle comes to a head. While politicians used to dance gingerly around the topic given the privacy abuses exposed by the Snowden revelations, recent terrorist attacks have brought this issue front and center. Multiple pieces of legislation are sure to be introduced that will propose weakened encryption protocols or procedures to grant law enforcement access to decrypted communications as needed. As we’ve learned however, you can’t be ‘mostly secure’ any more than you can be ‘kind of pregnant’. Weakening encryption to benefit law enforcement will also reduce security for everyone and if the US government mandates a ‘backdoor’, you can be rest assured that China, Russia, [pick a country] will be demanding the same for their citizens. This is one battle that will have serious repercussions for years to come. Here’s to hoping that Apple, Google, Microsoft, Yahoo! and the like manage to prevail.

Should be another action packed year on the cyber security front. See you next year!

Michael Sutton

Thursday, December 10, 2015

New Spy Banker Trojan Telax abusing Google Cloud Servers


Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax.

The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (using bit.ly service) that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions.

Campaign Details

The attack starts with a shortened URL posted on a social networking site or via drive by download from malicious sites posing to offer premium software or coupons. Below is a recent attack chain where the user clicked on a link shared via Facebook that lead to the download of Telax payload:

Figure 1: Spy Banker Telax served via Facebook

The bit.ly link points to a PHP file hosted on the Google Cloud Server that does a 302 redirect to download the initial Spy Banker Downloader Trojan payload.

The executable file receitanet.com is posing to be Brazil's federal revenue online tax returns service. We have also seen other themes offering fake premium software applications and discount vouchers as seen from the file names below.

Malicious payload file names:
  • americanas.com
  • americanas.exe
  • app.ricardoeletro.com
  • atube.com
  • avast.com
  • AvastPro.exe
  • baixaki.com
  • receitanet.com
  • ricardoeletro.com
  • setup.exe
  • submarino.com
  • voucher.americanas.com
  • voucher.mercadolivre.com
  • voucher.ricardoeletro.com
  • walmart.com
  • web.whatsapp.com
  • whatsapp_setup.exe
  • WhatsApp_Setup.exe
Below are the statistics (credit: Bit.ly) on the number of users clicks that were recorded for the attack campaign shared in Figure 1:

Figure 2: User clicks on the malicious bit.ly link
Majority of the target users were lead to the malicious bit.ly link from Facebook as seen below:

Figure 3: Source for the bit.ly link visits

In addition to social networking sites, we also saw users arriving to the Spy Banker Telax payloads hosted on Google Cloud servers from the following sites:
  • aquinofinal[.]com
  • aquiredire[.]com
  • brasildareceita[.]com
  • mundodareceita[.]com
  • ofertasplusdescontos[.]com
All but one of the domains listed above are repossessed by Go Daddy and are no longer active. A quick WhoIs look up of the active domain shows that it was recently registered to 'kleyb maxbell' with following information:

Figure 4: Whois information for an attack domain
We found another domain 'ofertasmaxdescontos[.]com' registered by the same user that also appears to be actively redirecting users to the malicious payload hosted on a predetermined Google Cloud Server as seen below:

Figure 5: Active attack domains

It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message.

Geographic distribution of the users attempting to download the end malicious payload from Figure 1 is shown below:

        Figure 6: Geographic distribution of target users

As expected, majority of the users targeted by this malware campaign are from Brazil. It is important to note that the success of this attack depends primarily on the social engineering tactics in convincing the end user into opening the downloaded payload.

Spy Banker Trojan Telax analysis

The initial file that gets downloaded is the Spy Banker Downloader Trojan. The Downloader Trojan is responsible for downloading & executing the final payload from a list of predetermined URLs as seen below:

Figure 7: Downloader Trojan hardcoded URLs
The final payload, Spy Banker Trojan Telax, is a Delphi executable that is capable of stealing Banking credentials targeting Portuguese users. Upon execution, Telax injects malicious code into legitimate Visual Basic Compiler (vbc.exe) process. The injected code first checks for the presence of virtual environment like VMWare, Virtual Box, Wine and Virtual PC on the target system.

Telax executable contains following additional files embedded in it's resource section:
  • SQLLite.dll - legitimate SQL Lite binary
  • 32-bit rootkit component
  • 64-bit rootkit component
  • 64-bit copy of itself
Depending on the bit-ness of the target operating system, Telax will register the appropriate rootkit driver:
HKLM\SYSTEM\CurrentControlSet\Services\hookmgr\ImagePath: "<User>\<CurrentLocation>\hookmgr.sys"
The main form that we extracted from the malicious Delphi binary is named 'Telax' by the author and can be seen below:

Figure 8: Spy Banker Telax main form

Here is the translation for the pre-configured features found in this bot:

  • Auto Reconectar se perder conexao -> Auto Reconnect lost connection
  • bloquear VM -> VM block
  • Proteger Processo -> Protect Process
  • Mensagem de instalacao -> Message installation
  • Gerar infect -> Generate infect
  • Ativar host -> Enable host
  • ativar update -> Activate update
  • ativar killer -> Activate killer
  • ativar Worm -> Activate Worm
  • Versao -> Version
  • Porta -> Port

Following are the additional Telax modules that we looked at during our analysis:

A. Modulename: TnHulk.MITO
Detects installed Antivirus applications on the system. It specifically looks for following antivirus executables on the target system:
BavUpdater.exe - Baidu Antivirus
instup.exe - Avast
avgmfapx.exe - AVG
Update.exe - Symantec

B. Modulename: TTitulo.IPTX
Responsible for decrypting embedded strings in the file.

C. Modulename: TXRPD
Responsible for installing malware on the system.

D. Modulename: TLISTING
Contains the rootkit functions

Network Communication
Upon successful installation, Telax sends following information to a remote Command & Control (C&C) server:

  • ID_MAQUINA - Machine ID
  • VERSAO - Bot version
  • WIN - Operating system
  • NAVEGADOR - Default browser
  • PLUGIN - Presence of G-Buster Browser Defense (gbieh.dll) plugin
  • AV - Antivirus installed

Figure 9: Telax C&C communication

Following are the C&C commands that are used by Telax for its communication:

<|PING|>Checking status of connection
<|Info|>Sends infected OS details and bot version
<|Close|>Close all connections
<|DESI|>Uninstall itself
<|reini|>Restart system
<|REQUESTINFO|>Request for information regarding installed AntiVirus, AntiSpyware and Firewall
<|REQUESTKEYBOARD|>Sends keystrokes to active application window
<|HjiopPos|>Set mouse position
<|HjiopLD|>Set mouse left button down
<|HjiopLU|>Set mouse left button up
<|POWT|>Type given string in current window
{DESMON}Sets the state of the display using WM_SYSCOMMAND window message

We also found fake panels for two-factor authentication that will presumably be used to capture and bypass the two-factor authentication mechanism.

Figure 10: Fake two factor authentication panel

Telax Downloader Hashes


Spy Banker Telax is a Banking Trojan that has specifically targeted Portuguese users. The malware authors are actively pushing out new versions of Telax (latest version 4.7) binaries and are abusing Google Cloud Servers to host the payload for infection. There is no vulnerability exploit being used in this campaign and the attackers are solely relying on social engineering to infect the end users.

Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Telax payloads, ensuring protection for organizations using Zscaler’s Internet security platform.

Research by: Deepen Desai, Nirmal Singh, Lenart Brave