
Websense® Security Labs™ has received reports about the new "Point Of Sale" malware dubbed "BackOff", as published by the US Department of Homeland Security. We decided to explore the activity through the ThreatSeeker® Intelligence Cloud. Our research shows some interesting finds that agree with what was shared in the original "Backoff" publication, but it also adds intelligence that sheds more light on the industries targeted in this campaign. It shows that the actors behind it could potentially be targeting more than just POS retailers, and that the toolkits used in this campaign are not limited to "memory scrapers" but also include others such as the infamous Zeus, SpyEye and Citadel malware, and a worm called Gamarue that spreads through peripheral devices such as removable drives.


(Please note: hosts that are part of this campaign are blurred at this time so as not to disrupt any concurrent investigation being conducted by the authorities.)


Research From The Bird's Eye View


Looking at one of the first samples listed in the paper published by the US Department of Homeland Security (SHA1: caf546e3ee1a1d2768ec37428de1ff7032beea94), we verified that it is one of the malware's earlier versions, 1.4, and that its command and control point was at dom<*snipped*>. This command and control host seems to be one of the most popular in this campaign and received one of the highest numbers of hits observed in our telemetry data.


One interesting observation is that this domain was not registered through any service meant to hide the registrant's identity, unlike subsequent domains used in this campaign, which were registered through an anonymizing Chinese registrar. The domain dom<*snipped*> was registered on the 13th of October 2013 for one year, which ties in neatly with the start of the campaign according to the paper. Here is a snapshot of the WHOIS registration record for dom<*snipped*>:




Looking at threat intelligence sources, we found more hosts registered by the same registrant; the activity we spotted involving those domains was exclusively associated with cybercrime (you can also find the list attached to this blog):



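The registrant pivot described above, as an added example that is not part of the original post and not Websense tooling: it takes parsed WHOIS fields (domain, registrant e-mail, registrar, creation date) and, from a seed domain, finds every other domain registered under the same contact, labelling each by where its creation date falls relative to the campaign start. Domains behind a WHOIS privacy service are skipped, because the contact address then identifies the service rather than the registrant, which is exactly why anonymised registrations cannot be tied to an actor this way. All records, names and dates are constructed (reserved .example names) and are not indicators from the campaign.

```python
"""Registrant pivot over parsed WHOIS records (added example, constructed data)."""
from datetime import date

# Campaign start date used in the original post for the seed domain.
CAMPAIGN_START = date(2013, 10, 13)

# Constructed WHOIS-style records. All names use the reserved .example TLD and
# none of them are indicators from the BackOff campaign.
WHOIS_RECORDS = [
    {"domain": "seed.example",   "email": "actor@mail.example",
     "registrar": "Registrar A", "created": date(2013, 10, 13)},
    {"domain": "panel.example",  "email": "actor@mail.example",
     "registrar": "Registrar A", "created": date(2013, 10, 20)},
    {"domain": "drop.example",   "email": "actor@mail.example",
     "registrar": "Registrar B", "created": date(2013, 11, 2)},
    {"domain": "old.example",    "email": "actor@mail.example",
     "registrar": "Registrar A", "created": date(2012, 3, 1)},
    {"domain": "hidden.example", "email": "privacy@whoisguard.example",
     "registrar": "Registrar C", "created": date(2013, 12, 5)},
    {"domain": "other.example",  "email": "someone@else.example",
     "registrar": "Registrar A", "created": date(2013, 10, 14)},
]

# Substrings that typically mark a WHOIS privacy/proxy contact (assumed list).
PRIVACY_MARKERS = ("privacy", "whoisguard", "proxy", "protect")


def is_privacy_contact(email: str) -> bool:
    """True when the contact belongs to a privacy/proxy service: the address
    identifies the service, not the registrant, so it cannot be pivoted on."""
    return any(marker in email.lower() for marker in PRIVACY_MARKERS)


def pivot_on_registrant(records, seed_domain, campaign_start, window_days=60):
    """Domains sharing the seed domain's registrant e-mail, sorted by creation
    date and labelled relative to the campaign start:
      'predates' - registered before the campaign (unusual, worth a closer look)
      'window'   - registered within window_days after the start
      'later'    - registered after that window
    Returns [] when the seed is unknown or hidden behind a privacy contact."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None or is_privacy_contact(seed["email"]):
        return []
    hits = []
    for r in records:
        if r["domain"] == seed_domain or r["email"] != seed["email"]:
            continue
        delta = (r["created"] - campaign_start).days
        if delta < 0:
            relation = "predates"
        elif delta <= window_days:
            relation = "window"
        else:
            relation = "later"
        hits.append({"domain": r["domain"], "registrar": r["registrar"],
                     "created": r["created"].isoformat(),
                     "days_from_start": delta, "relation": relation})
    return sorted(hits, key=lambda h: h["days_from_start"])


if __name__ == "__main__":
    for h in pivot_on_registrant(WHOIS_RECORDS, "seed.example", CAMPAIGN_START):
        print("%-15s %-12s %s %+6d days  %s" % (h["domain"], h["registrar"],
                                                h["created"], h["days_from_start"],
                                                h["relation"]))
    # A privacy-protected seed yields nothing: there is no registrant to pivot on.
    print("hidden.example ->", pivot_on_registrant(WHOIS_RECORDS, "hidden.example",
                                                    CAMPAIGN_START))
```

The "predates" label is the interesting one in practice: a registration months before the rest of the infrastructure is either reused older infrastructure or a false link, and deserves a look at passive DNS before it is added to a block list.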

Lateral Targets: Retailers +
The Tools:  POS + Zeus, SpyEye, Citadel, Gamarue


By mining our data repositories of global security catches and correlating across these vectors, we confirmed that the actor behind this campaign started their activity in October 2013 and appears to be active to this day. Most of the targeted industries have been confirmed as retailers, but other industries also appeared, which shows that the actor behind this campaign may have a broader agenda in mind. Beyond retail, the top 5 targeted industries were ones usually seen as the targets of more sophisticated targeted attacks, including Agriculture, Mining & Construction, and Oil & Gas Exploration & Production. We have also confirmed that the additional set of hosts registered by the same registrant was active from around October 2013 as well, and that each of them has a direct link to cybercrime.






Our research also determined that the hosts involved in the observed activity are not only related to "Point Of Sale" malware but to other malware types and toolkits such as Zeus, Citadel, SpyEye, and Gamarue. This suggests that the actors behind this campaign don't limit themselves to one toolkit but employ several, probably chosen according to the data-theft functionality required per target. The next graph shows the top 5 most active domains seen through our telemetry that were registered by that same registrant:





In this blog we covered how threat intelligence can uncover additional points linked to a particular attack, widening the view of the attacks and yielding more information on the affected target verticals and the malware toolkits used in that broader context. Cyber-criminal actors appear to run malware campaigns that spread across different target verticals to steal information and profit from it, financially or otherwise. The toolkits used by the actors behind the "BackOff" POS campaign are diverse, and the actors seem to be unleashing or experimenting with different toolkits, most likely to obtain the functionality each target requires and to increase their chances of staying persistent on targeted networks and successfully stealing data.



Blog Contributor: Nick Griffin, Ran Mosessco





The Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has discovered that attacks using the most recent Internet Explorer zero-day (CVE-2013-3893) are more prevalent than previously thought. In this write-up we analyze the exploit code and the dropped malicious file.


Executive Summary

  • We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry hosted on a Taiwanese IP address.
  • Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not limited to Japan.
  • Commonalities in C&C infrastructure, domain registrations, exploit techniques and malware link this threat actor to the Operation DeputyDog and Hidden Lynx attack crew.
  • This alleged hackers-for-hire crew has committed ongoing attacks against businesses, stealing vital information, allegedly dating back to 2009.
  • Our telemetry indicates that these attacks have enough variations to indicate that different high-profile attack teams may be using the same tool sets.
  • Websense has protected our customers from the CVE-2013-3893 exploit observed in the wild using real-time analytics that have been in place for nearly three years.


A Reminder...

In our previous post (Up to 70% of PCs Vulnerable to Zero-Day: CVE-2013-3893) we covered a remote code execution vulnerability (CVE-2013-3893) that exists in all versions of Internet Explorer. The flaw lies in the way Internet Explorer accesses an object in memory that has been deleted or not properly allocated (a use-after-free), allowing an attacker to execute arbitrary code in the context of the current user.

An exploit leveraging this vulnerability was first discovered in highly targeted attacks in Japan. It was first disclosed in a Wepawet security advisory on August 29th, 2013; Microsoft released security advisory KB2887505, with details on the vulnerability and a Fix-It solution, on September 17th, 2013. Websense researchers reviewed our third-party telemetry feeds to determine the potential attack surface and risk associated with this exploit, and determined that nearly 70% of Windows-based PCs are vulnerable. While the vulnerability affects all versions of Internet Explorer, the exploit seen in the wild targets only IE8 and IE9 users on Windows 7 and Windows XP.

The Exploit

On September 25th, 2013, at 00:39 PST, Websense real-time security analytics stopped an exploit leveraging CVE-2013-3893 against one of our customers (a major financial institution based in Japan). The exploit was hosted on a Taiwanese IP address ( at the following URL (hxxp:// It is worth noting that in addition to the specific analytics designed to stop this exploit, three different Websense real-time analytics dating back more than three years also protected our customers from this threat.

Below is a screenshot of the exploit code for CVE-2013-3893 hosted on the Taiwanese IP ( Interestingly, the JavaScript exploit is not obfuscated and is delivered in clear text, while the shellcode and the dropper discussed below are both obfuscated.



Screenshot of the exploit's obfuscated shellcode:



We were quickly able to recover the XOR key (0x9F) with a known-plaintext attack and de-obfuscate the shellcode, revealing where the dropper file is fetched from. While the delivery mechanism is very similar, the URI path, IP address and image file name differ from those noted in the analysis of the Operation DeputyDog attacks: this shellcode attempts to download "./tn/logo.jpg" from the IP address (

The JPG file, when XORed with 0x95, turns out to be an executable named "runrun.exe" (MD5: 38db830da02df9cf1e467be0d5d9216b):



A known-plaintext attack on logo.jpg confirms that it is actually a Windows executable (XORed with 0x95), with the following strings at the following offsets:

$ time ~/obfuscation/ logo.jpg 
Opening file: "logo.jpg"
  94BC: [^95] "runrun.exe"
  782C: [^95] "user32.dll"
  79D6: [^95] "KERNEL32.dll"
  7A14: [^95] "ADVAPI32.dll"
    E0: [^95] "PE"
    4D: [^95] "!This program cannot be run in DOS mode."
  776C: [^95] "Microsoft Visual C++ Runtime Library"
  7C76: [^95] "GetProcAddress"

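The known-plaintext recovery used for both the 0x9F shellcode key and the 0x95 dropper key, as an added example: this is a stand-alone rewrite of the idea, not the tool whose output is listed above and not code from the original post. A single-byte XOR key is pinned by any byte whose plaintext is known, and a Windows PE always carries several such strings (the DOS stub message, the "PE" signature, import names), so each string votes for a key and the offsets of the recovered strings are printed in the same shape as the listing above. For PE files a second, independent check is that zero padding dominates, so the most frequent byte of the obfuscated file is the key itself; shellcode has no such padding, so there the crib has to be something the shellcode is known to contain, such as the download path. The sample PE and shellcode blobs are constructed inside the script and are not the real logo.jpg or shellcode.

```python
"""Recover a single-byte XOR key by known plaintext (added example).

Not the snipped script from the original post. The obfuscated blobs are
constructed below so the script runs offline; logo.jpg itself is not included.
"""
from collections import Counter

# Strings almost every Windows PE carries; each one is a crib for the key.
PE_CRIBS = [b"!This program cannot be run in DOS mode.", b"PE\x00\x00",
            b"KERNEL32.dll", b"GetProcAddress", b"user32.dll", b"ADVAPI32.dll"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def keys_for_crib(blob: bytes, crib: bytes) -> set:
    """Every single-byte key under which `crib` occurs somewhere in `blob`.
    The first crib byte fixes the key (key = blob[i] ^ crib[0]) and the rest
    verify it, so a crib of more than a few bytes rarely matches by chance."""
    keys = set()
    for i in range(len(blob) - len(crib) + 1):
        k = blob[i] ^ crib[0]
        if all(blob[i + j] ^ k == crib[j] for j in range(1, len(crib))):
            keys.add(k)
    return keys


def recover_key(blob: bytes, cribs=PE_CRIBS, min_votes: int = 2):
    """Key that the most cribs agree on, or None if fewer than `min_votes` do.
    Voting tolerates cribs that are simply absent (not every PE imports user32)
    without letting one short accidental match decide the key."""
    votes = Counter()
    for crib in cribs:
        for k in keys_for_crib(blob, crib):
            votes[k] += 1
    if not votes:
        return None
    key, n = votes.most_common(1)[0]
    return key if n >= min_votes else None


def frequency_key(blob: bytes) -> int:
    """Independent check for PE files: zero padding dominates, so the most
    frequent byte of the obfuscated blob is usually 0x00 ^ key = key."""
    return Counter(blob).most_common(1)[0][0]


def printable_runs(data: bytes, min_len: int = 10):
    """(offset, text) for each run of printable ASCII at least `min_len` long."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def report(blob: bytes, key: int):
    """Lines in the shape of the listing above: OFFSET: [^KEY] "string"."""
    return ['%6X: [^%02X] "%s"' % (off, key, s)
            for off, s in printable_runs(xor_bytes(blob, key))]


def build_sample_pe() -> bytes:
    """Constructed stand-in for logo.jpg: a PE-shaped buffer with the DOS stub,
    PE signature and import strings at plausible offsets, XOR-ed with 0x95.
    It is not a runnable executable."""
    buf = bytearray(0x9500)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0xE0).to_bytes(4, "little")            # e_lfanew -> "PE"
    buf[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")  # stub, ends in "!"
    msg = b"This program cannot be run in DOS mode.\r\r\n$"
    buf[0x4E:0x4E + len(msg)] = msg                          # "!This ..." starts at 0x4D
    buf[0xE0:0xE4] = b"PE\x00\x00"
    for off, s in [(0x776C, b"Microsoft Visual C++ Runtime Library"),
                   (0x782C, b"user32.dll"), (0x79D6, b"KERNEL32.dll"),
                   (0x7A14, b"ADVAPI32.dll"), (0x7C76, b"GetProcAddress"),
                   (0x94BC, b"runrun.exe")]:
        buf[off:off + len(s)] = s
    return xor_bytes(bytes(buf), 0x95)


def build_sample_shellcode() -> bytes:
    """Constructed stand-in for the 0x9F-keyed shellcode: no zero padding, so
    frequency analysis fails, but the download path is embedded in clear."""
    sc = bytearray(range(0x80))                               # all bytes distinct
    sc[0x40:0x4D] = b"/tn/logo.jpg\x00"
    return xor_bytes(bytes(sc), 0x9F)


if __name__ == "__main__":
    pe = build_sample_pe()
    key = recover_key(pe)
    print("PE key by cribs: %02X, by byte frequency: %02X" % (key, frequency_key(pe)))
    print("\n".join(report(pe, key)))
    sc = build_sample_shellcode()
    print("shellcode key: %02X" % recover_key(sc, cribs=[b"/tn/logo.jpg"], min_votes=1))
```

Run as a script it prints both keys and the offset listing. `recover_key` returns None rather than guessing when fewer than two cribs agree, which is the right failure mode when the blob turns out to use a multi-byte or rolling key; in that case the cribs still help, but the key length has to be established first.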
Network Analysis

Once run, runrun.exe immediately performs a DNS lookup for



Next, runrun.exe initiates a TCP connection to ( on the HTTPS port, which is terminated by the server. For some reason the client never completes the TCP three-way handshake (the SYN/ACK is the server's reply; the client's final ACK never follows), so no TLS handshake takes place. More on this when we finish reversing the malware.



Interestingly, was registered on March 16, 2013, by the registrant listed above. At six months, this domain is unusually old compared with the other C&C domains we have seen associated with this malware, which were registered just days before the attacks.


Telemetry Data

Websense Labs researchers are currently confirming ThreatSeeker network telemetry showing possibly compromised Taiwanese hosts communicating with the C&C server ( associated with the malware variants 8aba4b5184072f2a50cbc5ecfe326701 and bd07926c72739bb7121cec8a2863ad87 as far back as July 1st, 2013. This indicates that attacks by the threat actor identified in the Operation DeputyDog report may have started earlier than previously thought and may not be limited to Japan. More on this soon.



1. We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, being hosted on a Taiwanese IP address (hxxp:// as of September 25th at 00:39 PST.

2. Websense has three real-time analytics (one has been in place for nearly three years) that blocked the CVE-2013-3893 exploit from compromising customers.

3. ThreatSeeker Intelligence Cloud reports a potential victim organization in Taiwan attempting to communicate with the malicious C&C server ( associated with the CVE-2013-3893 exploit as early as July 1st, 2013.

4. The C&C server above can be associated with the Bit9 compromise. The contact email address was used to register the domain blankchair(dot)com which points to the malicious C&C server ( The same email address was used to register a C&C server downloadmp3server(dot)servemp3(dot)com ( associated with the Bit9 attacks.  

5. Websense Threat Intelligence indicates that the threat actor's attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure.


The real-time analytics deployed in ACE (our Advanced Classification Engine) were able to detect and stop the attack above at three stages independently of the zero-day exploit (CVE-2013-3893), for which we had built specific protection. These analytics detected the techniques used to deliver and obfuscate the exploit and malware, protecting our customer from being compromised. This is a good example of how protection at multiple stages of an attack can stop even highly targeted, low-volume threats that use cutting-edge exploits.
