Most Recent News from the Lab

Friday, October 31, 2014

Multi-language support: Not your everyday spam Posted by Patricia @ 16:01 GMT

Sometime during the beginning of the year, we have encountered a surge in Fareit spams. Fareit is a downloader used to deliver Zeus and Cryptowall.

Lately, we have been noticing yet another downloader being spammed. It seems that the spammer for this downloader has spent more effort to trick the user into believing that it’s a legitimate email.

A recent spam was a fake KLM e-ticket which was tailored to pretend to come from the Sales & Service Center of Air France KLM.

klm_eticket_ready (39k image)

However, this spammer did not only tend to English language speakers. Recently, we also saw quite a number of its spam sent in Polish.

This email, for example, supposedly comes from, a service for online transaction payment that is based in Poland.

dotpay_blurred_ready (34k image)

While this one uses an ISP that’s popular in Poland.

nowy_kontrakt_listopad_ready (23k image)

And just when we thought the spammer’s language skills ends there, it gave us a sample of its Finnish-themed spam.

lomake_ready (24k image)

The grammar seems to be quite convincing enough considering that even the subject and attachments are using the correct Finnish terms. Not only that, the email address used, “”, is one of Finland’s most popular websites.

Obviously, spammers are also doing their research in customizing their messages to produce more effective scams. Not only do they use the language of the target country or people, but they have also achieved to make use of popular email or service providers.

The payload of these spams is a Trojan Downloader known as Wauchos.

Here are its recent filenames:

attachments_ready (3k image)

For the two sample attachments, it confirms internet connection by trying to connect to

It makes the following network connections:

• http://188. 225.32.207/ssdc32716372/login.php
• http://188. 225.32.208/ssdc32716372/file.php
• http://188. 225.32.209/ssdc32716372/file.php
• http://188. 225.32.209/ssdc32716372/file.php
• http://188. 225.32.209/ssdc32716372/file.php
• http://92. 53.97.194/ssdc32716372/file.php
• http://46. 28.55.113/ssdc32716372/file.php

And it downloads these additional trojans from the following:

• http://auto*.it/*/jeve.exe
• http://dd*.ru/old.exe

The Wauchos variants we’ve seen in these emails downloaded either Zbot or Cridex, which are both information stealers.

We detect these families as Trojan-Downloader:W32/Wauchos, Trojan-Spy:W32/Zbot, and Trojan:W32/Cridex.


Wednesday, October 29, 2014

It's Not a Game - It's a Violation of Human Dignity Posted by Sean @ 15:14 GMT

Still don't set a passcode on your phone?

From Matthias Gafni and Malaika Fraley at the Contra Costa Times:

The California Highway Patrol officer accused of stealing nude photos from a DUI suspect's phone told investigators that he and his fellow officers have been trading such images for years

The five-year CHP veteran called it a "game" among officers, according to an Oct. 14 search warrant affidavit.

CHiPs, theft of images
Source: Contra Costa Times

A game?

IT'S A CRIME. (Or it certainly ought to be.)

Again from the Contra Costa Times:

CHP Commissioner Joe Farrow said in a statement that his agency too has "active and open investigations" and cited a similar case several years ago in Los Angeles involving a pair of officers.

"The allegations anger and disgust me," Farrow said. "We expect the highest levels of integrity and moral strength from everyone in the California Highway Patrol, and there is no place in our organization for such behavior."

Let's hope Commissioner Farrow, who began his tenure in 2008, truly means what he says.

Here's an incident from 2006 for him to consider:

CHiPs, violation of dignity
Source: The New Yorker

It appears that the CHP has a culture problem which goes back quite some time.

With great power comes great responsibility.

Anybody who thinks violating the dignity of another human being is "a game" doesn't deserve to be a cop.


Offer the California Highway Patrol your feedback here and/or here.


Tuesday, October 28, 2014

101 Bad Android Apps Posted by Sean @ 12:54 GMT

Flash Player installers, so-called Android security updates, pirated games, and XXX-video players… there's almost never a shortage of suspicious Android apps. We have automation which analyzes such apps and takes screenshots in the process.

Some examples:

101 bad Android apps
101 Bad Android Apps

Here's one particular example: Activate device administrator?

Activate device administrator?

Erase all data; Reset password; Limit password.

China Mobile customers should select… "Cancel".


Friday, October 24, 2014

A Tale of Two Powerpoint Vulnerabilities Posted by FSLabs @ 13:10 GMT

It's been already a week after the announcement of the CVE-2014-4114 vulnerability, and the tally of the exploiters have only increased.

There are even files where the metadata has remained the same, which clearly shows that they have been copied from the original as in the case of Mirtec and Cueisfry (a trojan linked to Japanese-related APT attacks). Authors behind these malware copied the PowerPoint Document originally used by BlackEnergy and just replaced the payload and the content with legitimate material found online.

file_properties (110k image)
BlackEnergy, Mirtec, Cueisfry document metadata, respectively

Well, if another party's winning formula already worked, there is no need to reinvent the wheel. Until a patch is pushed out, that is. Which brings us to Taleret, a malware family known to be behind certain Taiwanese APT attacks. After CVE-2014-4114 was patched, there was a need to improvise and as such, Taleret this time grabbed a clean PowerPoint and embedded its payload to get it executed via the CVE-2014-6352, a weakness left over from CVE-2014-4114.

file_properties_update (49k image)

Although Microsoft has released a patch for CVE-2014-4114, CVE-2014-6352 has yet to be patched.

However, a Fix it tool is available here.

It seems that most of the content used by the malicious PowerPoint documents have been harvested from educational institutions or R&D materials that are available in the Internet, thus making it quite challenging to tell them apart.

Here are some examples of both the clean documents and their malicious counterparts:

clean_malware (145k image)

While, there isn't a patch for the other vulnerability yet, if you couldn't tell which one is clean and malicious, please verify the documents received from the source. Or, you can update your antivirus signatures to check if they are detected.

product_scan (60k image)

8f31ed3775af80cf458f9c9dd4879c62d3ec21e5 - Mirtec - C&C:
66addf1d47b51c04a1d1675b751fbbfa5993a0f0 - Cueisfry - C&C:
488861f8485703c97a0f665dd7503c70868d4272 - Taleret - C&C:


Wednesday, October 22, 2014

Wanted: Testers For The Greatest Android App Ever Posted by Sean @ 19:20 GMT

Okay… so the greatest Android app "ever" is a bit of friendly hyperbole. But still, it's a really is a great app. What app? Well, F-Secure Freedome of course (currently available for Android and iOS).

The Freedome team (along with a Labs team) is developing a new Android feature — cloud-based reputation scanning. And we need numerous testers for the beta app. (You?)

Here's a preview:

Freedome beta, App security
"See it in action"

The function is entirely cloud-based, i.e., no database updates to download. So it's very light.

People wanting to exercise their freedom of speech are increasingly turning to VPN services to circumvent censorship. And in return, many are being targeted by government-sponsored malware.

We need your help. Even just using the beta contributes.

Participants will receive three months of free service, and active participants are eligible to receive Freedome hoodies.

But wait, there's something more…

We've designed a new "labs sticker". And testers will be the first people offered a chance to get one.

So join the beta now!

Don't worry if you already have Freedome installed, this beta can be installed side-by-side, so you can also participate.



F-Secure's Privacy Principles.


Wednesday, October 15, 2014

RATs threatening democracy activists in Hong Kong Posted by Micke @ 07:00 GMT

Hong Kong has been in the headlines lately thanks to the Occupy central campaign (#occupycentral, #OccupyHK) and the umbrella revolution (#umbrellarevolution, #UmbrellaMovement). DPHK, Democratic Party Hong Kong and Alliance for True Democracy (ATD) are central players in this movement. Recent development has turned this into more than a fight for democracy. The sites of these organizations were infected with malware, and that turned it into a fight for #digitalfreedom as well. Volexity has the story with all the technical details. It seems to be RATs (Remote Access Trojans) that could be used for a variety of purposes. And the purpose of this is really the interesting question. Who did it and why?

• Cybercrime of today is to a large extent social engineering aiming to lure victims to run malware and infecting their devices. It’s very common for cybercriminals to drive more users to infected sites or phishing pages by riding on shocking headlines. So infecting sites that are in the middle of global attention is attractive for any cybercriminal, even without any kind of political motivation.

• These organizations are involved in a political struggle against one of the world’s leading cyber-superpowers. So it sounds very plausible that China would be behind this malware attack out of political motives. A lot of the visitors on these sites are involved in the movement somehow, either as leaders or at grass root level. Their enemy could gain a lot of valuable information by planting RATs even in a small fraction of these peoples’ devices.

• The publicity around the issue will also scare people away from the sites. Twitter can be used efficiently to orchestrate the protests, so an infected site will probably have little practical impact. Blocking services like Twitter is possible but a very visible and dramatic action, and even that can be circumvented with VPNs like F-Secure Freedome. But the site is more important for spreading the protesters’ message to a global audience. The impact may be significant at this level. Here again, China would be the one who benefits.

The moral of the story is naturally that political activists are attractive targets for cyber-attacks. There’s no evidence that these cases have political motives. But you don’t have to be a genius to figure out that China is the prime suspect. And that makes this case noteworthy. Criminals usually target private people and states other states. But here we seem to have a state targeting ordinary people belonging to a political organization. This kind of attack is a very real threat for people running opposition movements. And the threat is not limited to less democratic countries. The police forces in many western countries already have both technology and legal support for using malware against suspects. And usually without proper transparency and control of its usage.

Frankly speaking, I would not be very surprised if a similar case was discovered here in Europe. We do currently not have democratic movements of the same magnitude as the Umbrella movement. But we do have a lot of organizations that are being watched by the authorities. Ultra-right groups is an obvious example.



Tuesday, October 14, 2014

One Doesn't Simply Analyze Moudoor Posted by Timo @ 16:06 GMT

Today we are pleased to see an important milestone reached in a coordinated campaign against a sophisticated and well-resourced cyber espionage group. We have recently been participating in a Coordinated Malware Eradication initiative led by Novetta, in cooperation with other security vendors particularly iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft and Symantec, in the aims of disrupting the operations of this particular group. Today, we are jointly releasing an improved level of coverage against the threats utilized by the group.

This espionage group, which we believe to have a strong Chinese nexus, has been targeting several industry sectors from finance, education and government to policy groups and think tanks. They have been operational at least since 2010.

The attackers use several different tools to conduct their operations. One of the tools used by these criminals is Moudoor.

Moudoor is a derivative of the famous Gh0st RAT (remote access tool) that spawned many derivatives over time. In fact, its source code has been circulating across the internet at least since 2008.

Moudoor was named after the functions that were exported by the malware components.

screenshot1_mydoor (21k image)

screenshot2_door (21k image)

Later versions of this malware have dropped such explicit strings, however, the name of the threat remains.

One of the things that allows us to distinguish between Moudoor from other many derivatives of Gh0st is the particular magic value that it uses to communicate with its C&C. This value has been consistently set to "HTTPS", and that is one of the key distinguishers that we have used to track this particular strain over time.

At its core, Moudoor is a powerful remote access tool. The chain of events that lead to Moudoor infections usually begins with the exploitation of 0-day vulnerabilities through watering hole attacks. For example, the attackers used CVE-2012-4792 before to eventually have Moudoor land on the victim machines.

Moudoor has an impressive list of capabilities, some of which are inherited from being a derivative of the Gh0st RAT. Gh0st features extensive file system manipulation functionalities, advanced spying, monitoring features and more.

Of course, Moudoor's authors have continued to customize their "fork" over time by adding new features and removing those which were not needed. For example, earlier variants of Moudoor kept Gh0st's ability to open a remote shell, but this capability has disappeared in the newer versions. On the other hand, the attackers have worked to tailor which information is extracted from the victim machines to their specific needs and interests.

Analysis of the code of Moudoor also gave us hints that the authors of this threat are of Chinese origin. During its execution, the malware builds a string containing the current time information; such string uses Chinese characters to represent the time in human-readable format.

screenshot3_chinese (24k image)

You can read a more detailed summary of the whole operation here. Microsoft has also published information about this operation, which is available from this link.

We are detecting this family as Backdoor:W32/Moudoor. Our customers have received automatic updates to detect the tools known to be used by the attackers. You can also use our Online Scanner to check for signs of compromise. Our Online Scanner is a stand-alone tool that does not require installation, thus will allow you to quickly check for infections simply by downloading and running it.

Moudoor hashes: