Posted by ngriffin on 03 June 2014 10:06 PM
Zeus is a malware family that we encounter frequently, due to its popularity with cyber-criminal groups. Ever since the Zeus source code was leaked in 2011, there have been many new variants. One such variant is dubbed ‘GameOver’, which recently made a mark in the media after its infrastructure was seized by authorities.
The Websense® ThreatSeeker® Intelligence Cloud actively monitors this specific type of threat. In this blog, we illustrate some key metrics about Zeus GameOver.
Contributors: Nick Griffin, Elad Sharf, Ran Mosessco
Update: Do you have 3 minutes? See how Zeus GameOver steals your data in our new video. Better still, find out how to protect yourself.
Update 2 [July 14 , 2014]: As we expected to see, Zeus GameOver has returned and evolved. The new variant has replaced the old peer-to-peer networking in favour of a Fast-Flux based infrastructure. In addition, the new domain generation algorithm (DGA) now generates domains using digits as well as letters, but no longer uses the .info or .ru TLDs. Websense customers continue to be protected from this threat at the same stages of the threat lifecycle as listed at the foot of this blog.
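The two traits the update above gives for the new variant, DGA names that mix digits and letters and a fast-flux hosting layer, are both visible in DNS telemetry. The script below is an added example, not code from the Websense post or from the malware: the post does not publish GameOver's DGA, so the scoring is a generic lexical heuristic, the thresholds (12-character labels, under 20% vowels, five or more A records with TTLs of 300 seconds or less) are assumptions, and the passive-DNS records are constructed with RFC 5737 documentation addresses.

```python
"""Heuristic triage of DNS telemetry for DGA-like names and fast-flux hosting.

Added example, not code from the Websense post.  The post does not publish
GameOver's DGA, so the scoring here is a generic heuristic for the two traits it
does mention (labels mixing digits and letters, hosting spread across many
short-lived IPs); thresholds and all sample records are constructed.
"""
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (queried domain, A record, TTL seconds).
# Addresses come from the RFC 5737 documentation ranges.
PDNS_RECORDS: List[Tuple[str, str, int]] = [
    ("k7x2qz9dm4rwnp1.com", "203.0.113.10", 60),
    ("k7x2qz9dm4rwnp1.com", "198.51.100.22", 60),
    ("k7x2qz9dm4rwnp1.com", "192.0.2.77", 120),
    ("k7x2qz9dm4rwnp1.com", "203.0.113.45", 60),
    ("k7x2qz9dm4rwnp1.com", "198.51.100.9", 60),
    ("k7x2qz9dm4rwnp1.com", "192.0.2.130", 60),
    ("news4u2.net", "192.0.2.5", 3600),
    ("example.com", "192.0.2.1", 86400),
    ("example.com", "192.0.2.1", 86400),
]


def second_level_label(domain: str) -> str:
    """'mail.example.com' -> 'example'; the label a DGA typically generates."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain: str) -> Dict[str, bool]:
    """Three cheap lexical indicators; the cut-offs (12 chars, 20% vowels) are assumptions."""
    sld = second_level_label(domain)
    letters = sum(c.isalpha() for c in sld)
    digits = sum(c.isdigit() for c in sld)
    vowels = sum(c in "aeiou" for c in sld)
    return {
        "long": len(sld) >= 12,
        "mixed_alnum": letters > 0 and digits > 0,
        "few_vowels": letters > 0 and vowels / letters < 0.2,
    }


def dga_score(domain: str) -> int:
    """Number of indicators that fire (0-3)."""
    return sum(dga_features(domain).values())


def looks_generated(domain: str, min_score: int = 2) -> bool:
    """Two or more indicators firing is treated as DGA-like (assumed threshold)."""
    return dga_score(domain) >= min_score


def flux_indicators(records, domain: str) -> Dict[str, int]:
    """Distinct A records and the largest TTL seen for one domain."""
    rows = [r for r in records if r[0] == domain]
    return {
        "distinct_ips": len({r[1] for r in rows}),
        "max_ttl": max((r[2] for r in rows), default=0),
    }


def looks_fast_flux(records, domain: str, min_ips: int = 5, max_ttl: int = 300) -> bool:
    """Many distinct addresses, all with short TTLs, is the classic fast-flux shape."""
    f = flux_indicators(records, domain)
    return f["distinct_ips"] >= min_ips and 0 < f["max_ttl"] <= max_ttl


def triage(records) -> List[Tuple[str, int, bool]]:
    """One row per domain: (domain, DGA score, fast-flux flag), most suspicious first."""
    domains = sorted({r[0] for r in records})
    rows = [(d, dga_score(d), looks_fast_flux(records, d)) for d in domains]
    return sorted(rows, key=lambda row: (row[1] >= 2, row[2], row[1]), reverse=True)


if __name__ == "__main__":
    for domain, score, flux in triage(PDNS_RECORDS):
        print(f"{domain:24} dga_score={score} fast_flux={flux}")
```

Neither indicator is proof on its own: CDNs also rotate many addresses with short TTLs, and short marketing names such as news4u2.net legitimately mix digits and letters, which is why the example only escalates when the lexical score and the hosting pattern agree.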
Background & Information
Zeus GameOver was first seen in 2011 and is very similar to the original Zeus malware. Its main use is crimeware: seeking financial gain by stealing credentials and even transferring funds from victims' accounts. We have also seen GameOver subsequently download malware such as Cryptolocker.
There is an important difference between GameOver and other Zeus variants, though. In a typical Zeus (or Zbot) malware, a central Command and Control (C&C) point is used to send out data and receive commands. In GameOver, however, the infrastructure is decentralized and instead relies on peer-to-peer (P2P) technology for its C&C capabilities.
This change in C&C infrastructure has become a big challenge for the security industry, because there is no single point of failure: no single command-and-control node whose takedown disables the botnet. The Websense® ThreatSeeker® Intelligence Cloud actively tracks this network and defends against it across the majority of the 7 stages of the advanced threat model.
It is important to note that Zeus GameOver is not sent directly to a potential victim. Instead, a downloader handles the initial infection, such as Pony Loader and, more recently, Upatre. Historically, the attack vectors have been mostly emails, usually sent by the Cutwail spam botnet. In the past, a mix of direct attachments and URLs leading to exploit kits would drop downloaders onto a victim's computer. More recently, with Upatre gaining momentum due to its ability to evade AV detection, the focus has been mostly on attachments, but in the past few weeks we have seen email lures containing URLs that use sites such as Dropbox to serve ZIP files containing Upatre. What is particularly nasty about Upatre is that it downloads Zeus GameOver in encrypted form, which bypasses most firewall and intrusion prevention system file-type detection. Another artifact that often gets bundled is the Necurs rootkit, which helps to keep the infection persistent.
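The delivery chain above has two points a mail gateway or incident responder can check without a signature for the malware itself: the ZIP attachment that carries the downloader, and the encrypted blob the downloader fetches. The script below is an added example, not code from the Websense post. It opens a ZIP in memory and flags executable members, including double extensions such as "Invoice.pdf.exe", and it flags a downloaded payload that has no PE header and near-random byte entropy, which is exactly the shape file-type detection misses. The attachment and payload are constructed inline; the suffix lists and the 7.5 bits-per-byte threshold are assumptions.

```python
"""Triage of a ZIP email attachment and of a downloaded payload.

Added example, not code from the Websense post.  It shows two checks a mail
gateway or incident responder can apply to the delivery chain described above:
(1) look inside a ZIP attachment for executable members, including double
extensions such as "Invoice.pdf.exe", and (2) flag a downloaded blob that has
no PE header and near-random byte entropy, which is how an encrypted payload
slips past file-type detection.  The attachment and payload are constructed
here; the suffix lists and the 7.5 bits/byte threshold are assumptions.
"""
import hashlib
import io
import math
import zipfile
from typing import List, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DECOY_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, lower for plain PE files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_member(name: str) -> str:
    """'executable', 'double-extension' (e.g. invoice.pdf.exe) or 'benign'."""
    base = name.lower().rsplit("/", 1)[-1]
    if base.endswith(EXECUTABLE_SUFFIXES):
        stem = base.rsplit(".", 1)[0]
        return "double-extension" if stem.endswith(DECOY_SUFFIXES) else "executable"
    return "benign"


def triage_zip(blob: bytes) -> List[Tuple[str, str, bool]]:
    """(member name, verdict, starts with 'MZ') for every file inside a ZIP blob."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            results.append((info.filename, classify_member(info.filename), head == b"MZ"))
    return results


def payload_looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """No PE magic and near-random bytes: the shape of an encrypted second-stage download."""
    return not data.startswith(b"MZ") and shannon_entropy(data) > threshold


def build_sample_attachment() -> bytes:
    """Constructed lure: a double-extension PE stub plus a decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2014-06-03.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


def constructed_encrypted_payload(size: int = 4096) -> bytes:
    """Stand-in for an encrypted download: a deterministic SHA-256 byte chain."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


if __name__ == "__main__":
    for name, verdict, is_pe in triage_zip(build_sample_attachment()):
        print(f"{name:30} {verdict:17} MZ header: {is_pe}")
    blob = constructed_encrypted_payload()
    print(f"payload entropy {shannon_entropy(blob):.2f} bits/byte, "
          f"looks encrypted: {payload_looks_encrypted(blob)}")
```

The entropy check is a heuristic, not a verdict: compressed archives and media files also score near 8 bits per byte, so in practice it is a trigger for sandboxing the download (as the ThreatScope step below does) rather than a block on its own.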
In the last two months we have seen increasing activity in GameOver malware downloads via Upatre, with the last week being particularly active. The next table shows the top 10 countries we have seen affected by Zeus GameOver. While the United States has been the most targeted country of this campaign, the threat has moved toward a wider global reach recently.
The next heatmap video shows how dominant the GameOver variant has been in April and May of this year.
Interestingly (and, you might say, very much as expected), the main target of Zeus GameOver campaigns has been the financial industry, with a trend towards targeting victims at companies in the pension management sector. The next table shows the top 5 industries that Zeus GameOver targets:
Here is a recent example of an email attack stopped by Websense Cloud Email Security (CES). The attack tried to entice victims to open a ZIP attachment containing the Upatre downloader, which would later infect their computers with Zeus GameOver.
Websense ThreatScope behavioral analysis recognizes Upatre as malicious:
The target URL containing the encrypted binary is categorized as MWS, therefore stopping the infection before Zeus GameOver even gets to the victim's computer:
Websense customers are protected with ACE™, our Advanced Classification Engine, at the stages detailed below:
GameOver has been around for several years, and since its inception has been a challenge for the security industry to defend against, both because different variants have appeared and because its source code was leaked. Websense researchers recommend utilizing a strong email security product, which will proactively block campaigns and prevent GameOver infections from ever happening. The Websense® ThreatSeeker® Intelligence Cloud saw a notable increase in GameOver activity over the two months leading up to the takedown, and continues to monitor it closely.
Exploit Kits "Lacking P(a)unch"
Posted by Ran Mosessco on 17 December 2013 02:00 PM
Criminal groups formerly using the Blackhole exploit kit experiment with the Magnitude exploit kit, social engineering techniques, direct attachments, phishing, and fraud
Over the past two months, the criminal gangs that were using malicious email redirecting to the Blackhole exploit kit have made major changes to their tactics, techniques, and procedures, providing some interesting insights into the financially motivated cyber criminal community. While there has been a considerable amount of discussion about "what is the next big exploit kit?" after the arrest of Blackhole creator Paunch, data from the Websense® ThreatSeeker® Intelligence Cloud (described in detail below) shows that a major criminal group is trending away from Blackhole and instead experimenting with the up-and-coming Magnitude exploit kit, but not at the volume and frequency we have come to expect from them. In addition, we have observed another major group using Cutwail that appears to have shifted from using Blackhole to deliver Pony and ZeuS GameOver malware to focusing increasingly on direct attachments for delivery.
Below is a timeline describing the email-based attack trends that we have observed during the recent decline of Blackhole.
One of the most prolific botnets in existence, Cutwail, at one time had the capacity to produce up to 46% of global spam (according to research reports). Cutwail is commonly used by criminal groups to distribute spam targeting the financial industry via malware capable of stealing banking credentials and credit card numbers. Historically, malicious email sent from the Cutwail botnet has contained a mixture of URLs and ZIP attachments with executables. Because the intent of Cutwail campaigns is typically to steal banking credentials and credit card numbers, the emails typically impersonate popular banks and financial institutions, major social networks, news organizations, and online retail sites. URL links contained in these emails have typically redirected to the Blackhole exploit kit, which delivered downloaders for malware (with ZeuS GameOver variants being the majority). A second approach uses malicious ZIP attachments in Cutwail email that contain executables which eventually download ZeuS GameOver variants. However, this approach is not as technically sophisticated as a URL leading to the Blackhole exploit kit, which does not require a user to "double-click" an executable to infect their computer.
In early October 2013, Paunch, the proprietor of the infamous Blackhole exploit kit, was arrested by Russian authorities, an arrest that affected the business model of a few cyber criminal gangs. In the wake of Paunch's arrest, there has been quite a bit of discussion about the future of Blackhole and competing exploit kits. Security researcher Kafeine has a detailed analysis of the different gangs that were using Blackhole and their activities before and after the arrest.
A shift in tactics
According to Websense telemetry, it appears that since Paunch's arrest in October 2013, the focus of large-scale malicious email campaigns sent via Cutwail has shifted to attachments, with a short fling with the up-and-coming Magnitude exploit kit in October and November (the "/news/" gang) and a phishing campaign in December (the "/topic/" gang).
The data above is generated from one of the Websense real-time analytics that detects Cutwail spam bot campaigns. The analytic operates both in our honeypot and production environments, and outputs both the total number of emails it detects (containing either malicious links or ZIP attachments) and the subset of emails containing attachments (mostly ZIP). While this particular real-time analytic captures only a sample of the Cutwail spam that we block, the breakdown of spam email with attachments, combined with our real-time analytics that detect exploit kits, illustrates a clear trend: initially moving away from Blackhole after Paunch's arrest, experimenting with Magnitude at lower volume than before, and then moving almost entirely to direct email attachments. It is important to remember that more than one criminal group is using Cutwail. We differentiate gangs based on their malware delivery techniques and targets.
Why the shift?
It is important to remember that cyber criminals are financially motivated. The business arrangements between the criminal gangs and Paunch were lucrative, and it may be the case that Magnitude's business model or effectiveness (most likely measured by infection rate) did not justify the cost for the gang that experimented with it (the "/news/" or "ru:8080" gang) to go full bore as we have seen in its earlier campaigns. Another conclusion could be that the "/topic/" or "Zeus GameOver" gang has seen that direct email attachments are still effective, and has decided to invest its resources in other areas.
Similarly, use of existing attack infrastructure for redirection to phishing pages or to less sophisticated malware download sites can be the criminals' way of experimenting with new techniques until a good working relationship is established with the people behind one or more of the existing (or upcoming) exploit kits.
Incidentally, we have seen that some of the downloaders delivered through attachments, such as Upatre, continue to fetch other malware once ZeuS is installed. Given enough time to run on a victim machine, Upatre sometimes downloaded ransomware such as CryptoLocker, which may have been generating increased revenue for criminal gangs even with lower infection rates after the decline of Blackhole.
We predict that in the next months, there will be a return to URL-based email attacks utilizing exploit kits that offer "malware as a service" on a larger scale. The use of exploit kits is simply a more effective delivery mechanism—especially with an increasingly security-aware target audience.