Cyber Criminals Ramp Up Use of Exploit Kits in Fake Skype, Evernote Themed Attacks
Posted by Ran Mosessco on 19 February 2014 09:15 AM
Data from the Websense® ThreatSeeker® Intelligence Cloud indicates that over the last few weeks, cyber criminals leveraging the "Angler" and "Goon" Exploit Kits to deliver malware via email-borne attacks have ramped up their efforts.
These recent campaigns were themed around fake Skype voicemail notifications (Feb 19, 2014), and fake Evernote image notifications (Feb 7, 17-18, 2014).
The emails try to lure the victim into clicking a link that redirects through an intermediate site to pages hosting the Angler Exploit Kit (later switched to the "Goon" Exploit Kit). The kits exploit Java, Flash or Silverlight vulnerabilities and then load an encrypted executable, which helps evade detection.
Although the attacks are large scale (Websense Cloud Email Security has detected and blocked a few hundred thousand of these messages per campaign burst), our telemetry shows a heavier focus on UK targets in the lure stage.
These campaigns might be attributed to the "ru:8080" (a.k.a. "/news/") gang, which has been a prominent user of the BlackHole Exploit Kit and then the Magnitude Exploit Kit, as described in our previous blog post.
The related campaigns we have observed so far start with these lures:
Fake Skype messages, with subjects such as:
"You received a new message from Skype voicemail service"
Fake Evernote messages, with subjects such as:
"Image has been sent"
"Image has been sent <email@example.com>"
They carry URLs such as:
The next stage is where the switch from the Angler Exploit Kit to the Goon Exploit Kit can be seen.
The victim is redirected to the Angler Exploit Kit page, on the typical .ru:8080 hosts:
The page contains obfuscated code that checks browser and plug-in versions, serves the corresponding exploit, then loads an executable encrypted with a 64-bit XOR key.
On the other hand, an attack leading to the Goon Exploit Kit shows different code in the redirect stage:
The same URL as before:
It loads Java or Silverlight exploits.
This ultimately downloads an encrypted executable disguised as an .mp3 file, such as:
A Visual Basic script (named papa.vbs) is downloaded into the browser's temporary file directory. When executed, the VBScript decrypts the "mp3" file into an executable:
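As an added example (not code from the Websense post or the kit itself), the following Python shows how an analyst can check whether a captured ".mp3" of the kind described above actually holds a Windows executable under a repeating 8-byte XOR key, recovering the key from the zero-byte-heavy structure of PE files rather than from the VBScript. The sample payload and key are constructed for the demonstration, and the heuristic assumes a plain repeating XOR as the post describes, with no further packing.

```python
from collections import Counter

KEY_LEN = 8  # the post describes a 64-bit (8-byte) XOR key

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Guess each key byte from its column: PE files are mostly 0x00 bytes,
    so the most frequent ciphertext byte per position is ~ 0x00 ^ key[i]."""
    key = bytearray()
    for i in range(key_len):
        column = blob[i::key_len]
        most_common_byte, _count = Counter(column).most_common(1)[0]
        key.append(most_common_byte ^ 0x00)
    return bytes(key)

def looks_like_xor_encrypted_pe(blob: bytes, key_len: int = KEY_LEN) -> bool:
    """Heuristic: does a file served as media decrypt to an 'MZ' header?
    Needs enough data per column for the frequency guess to be meaningful."""
    if len(blob) < key_len * 64:
        return False
    key = recover_xor_key(blob, key_len)
    return xor_bytes(blob[:2], key) == b"MZ"

def build_sample_payload() -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew, 'PE' signature,
    sparse non-zero data, and the zero padding that makes the recovery work."""
    buf = bytearray(4096)
    buf[:16] = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    buf[0x3C] = 0x80                  # e_lfanew -> offset of the PE header
    buf[0x80:0x84] = b"PE\x00\x00"
    for off in range(0x200, 0x800, 7):
        buf[off] = (off * 31) & 0xFF  # scattered "code" bytes
    return bytes(buf)

SAMPLE_KEY = bytes.fromhex("a1b2c3d4e5f60718")  # constructed; not from any real kit

def demo() -> dict:
    """Encrypt the sample the way the post describes, then analyse it blind."""
    plain = build_sample_payload()
    captured_mp3 = xor_bytes(plain, SAMPLE_KEY)   # what the fake ".mp3" holds
    key = recover_xor_key(captured_mp3)
    return {
        "recovered_key": key.hex(),
        "is_xor_pe": looks_like_xor_encrypted_pe(captured_mp3),
        "decrypts_back": xor_bytes(captured_mp3, key) == plain,
    }
```

Call demo() for the constructed round trip, or pass a captured blob to looks_like_xor_encrypted_pe() and recover_xor_key() to triage a real sample.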
The executable decrypted from the "mp3" file has the following details (the name and hash likely differ from one attack to the next):
Websense ThreatScope behavioral analysis detects the executable as malicious; see the report here.
Checking VirusTotal for context on AV coverage of this malware, we see a detection rate of 7/50 when it was first seen, and it looks like a Zeus variant.
For analysis of a similar Silverlight exploit, see our previous blog post.
We have seen evidence and reports of the "ru:8080" gang switching to the Angler Exploit Kit as far back as December 2013, as independent researcher "Kafeine" mentioned in this post, but we did not notice any large-scale email attacks until recently (we have seen some web-based attacks, at relatively small scale). The "ru:8080" criminal gang typically pushes trojans such as Cridex and Zeus GameOver, click-fraud trojans like ZeroAccess, and in the past we have seen ransomware such as RansomLock and worms like Andromeda.
It looks like, after a period of relatively little exploit kit use, cyber criminals are resuming the use of different exploit kits to deliver malware in email-based attacks. The switch from one exploit kit to another suggests several possibilities: one is that relying on a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation; alternatively, the attackers may be evaluating multiple exploit kits to determine which works best, or multiple attackers may be leveraging the same botnet and redirect infrastructure.
Another interesting detail: according to Websense email telemetry, the attackers show a relatively heavy bias towards targets located in the UK, followed by the US and Germany.
Websense customers are protected with ACE™, our Advanced Classification Engine, at these stages of the attack:
More importantly, the attackers would need to change ALL of their techniques to slip past Websense Triton protection, since disrupting the attack at any one stage is enough to prevent infection.
Contributors: Ran Mosessco, Tamas Rudnai, Jose Barajas - Websense Security Labs
Eight Security Predictions for 2014
Posted by Elisabeth Olsen on 15 November 2013 04:48 AM
2013 was not an easy year in cybersecurity—and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014. To read the full report, please visit www.websense.com/2014predictions. In addition, below is an infographic for quick reference.
Here are the highlights:
1. Advanced malware volume will decrease.
According to the real-time telemetry feeds in Websense ThreatSeeker® Intelligence Cloud, the quantity of new malware is beginning to decline. Unfortunately, this is bad news for organizations.
Cybercriminals will rely less on high-volume advanced malware because over time it runs a higher risk of detection. They will instead use lower-volume, more targeted attacks to secure a foothold, steal user credentials and move laterally throughout infiltrated networks. Although the volume of attacks will decrease, the risk is even greater.
2. A major data-destruction attack will happen.
Historically, most attackers have used a network breach to steal information for profit. In 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy data.
3. Attackers will be more interested in cloud data than your network.
Cybercriminals will focus their attacks more on data stored in the cloud vs. data stored on the network. This tactical shift follows the movement of critical business data to cloud-based solutions. Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the “castle walls” of an on-premises enterprise network.
4. Redkit, Neutrino, and other exploit kits will struggle for power in the wake of the Blackhole author arrest.
We will see a fight for market leadership between a number of new entrants and existing exploit kits in 2014. We anticipate Redkit and the Neutrino exploit kit will secure a strong foothold in the coming year.
5. Java will remain highly exploitable and highly exploited—with expanded repercussions.
Most endpoints will continue to run older versions of Java and therefore remain extremely exposed to exploitation. In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks.
6. Attackers will increasingly lure executives and compromise organizations via professional social networks.
As social networking continues to appeal to the business community in 2014, attackers will increasingly use professional websites, such as LinkedIn, to research and lure executives. This highly targeted method will be used to gather intelligence and compromise networks.
7. Cybercriminals will target the weakest links in the “data-exchange chain.”
Attackers will go after the weakest links in the information chain and target the parties outside the network who hold the most information. This includes consultants, contractors, vendors and others who typically share sensitive information with large corporate and government entities. And, it turns out, few of these partners have sufficient defenses.
8. Mistakes will be made in “offensive” security due to misattribution of an attack’s source.
For several years, we’ve been hearing more about “offensive” security, where global governments and enterprises have been threatening retaliatory strikes against anyone caught attacking them or their interests. Failure to accurately identify a cyber-perpetrator could result in an innocent organization being caught in the crossfire.