Most Recent News from the Lab

Wednesday, July 9, 2014

Trojan:W32/Lecpetex: Bitcoin miner spreading via FB messages Posted by FSLabs @ 03:22 GMT

In early March this year, while investigating various threats as part of our Facebook malware cleanup effort, we ran across an interesting one that was spreading in zipped files attached to messages.

The messages themselves were classic social engineering bait that lead the users to install the executable file in the attachment, which turned out to be a Bitcoin miner, which we identify as Trojan:W32/Lecpetex.

Some of the more interesting details of our analysis are presented in our Lecpetex whitepaper.

lecpetex_cover (66k image)

Facebook's own investigation into Lecpetex lead to an operation to take down the botnet. More details about their takedown effort, and the results from their parallel analysis of the malware, are available here.

Post by — Mangesh

Updated to add details and link to Facebook's takedown post.


Thursday, July 3, 2014

Do you take your coffee with "Free" Wi-Fi? Posted by Sean @ 15:20 GMT

Colleagues of ours recently visited a Starbucks in San Francisco and used the Wi-Fi.

Starbucks WiFi, Welcome

And while there, they grabbed a copy of AT&T's T&C. It's rather standard stuff, nothing there as surprising as last week's post.

Here's the bit about security:

Starbucks WiFi, AT&T Terms and Conditions

"The unsecured nature and ease of connection to public Wi-Fi hotspots increases the risk that unauthorized persons can access your phone, laptop or other device or your communications over the Wi-Fi network. Wi-Fi customers should take precautions to lower the security risks. If you have VPN, AT&T recommends that you connect through it for optimum security."

So there you have it… AT&T recommends that you use a VPN for "optimum" security.

But wait! AT&T Wi-Fi? That's on the way out… coming soon: Google.

Google Starbucks
Starbucks' WiFi goes Google

Google Wi-Fi at Starbucks?

Those Terms and Conditions are undoubtedly worth a read — we'll try to "track" them down.



Wednesday, July 2, 2014

CosmicDuke: Cosmu With a Twist of MiniDuke Posted by Timo @ 15:55 GMT

The backdoor known as "MiniDuke" was identified in Feburary 2013, discovered in a series of attacks against NATO and European government agencies. During MiniDuke analysis in April 2014, we determined that another malware family was using the same loader as MiniDuke stage 3. That malware is part of the Cosmu family of information-stealers which have been around for years.

What makes the connection to MiniDuke interesting is that, based on compilation timestamps, it was Cosmu, not MiniDuke, which originally used the common shared loader. Moreover, we found that the loader was updated at some point, and both malware families took the updated loader into use. Since Cosmu is the first malware known to share code with MiniDuke, we decided to name the samples showing this amalgamation of MiniDuke-derived loader and Cosmu-derived payload as CosmicDuke.

Duke on the Craters Edge, GPN-2000-001132
(Image: NASACharles M. Duke, lunar module pilot of Apollo 16.)

The filenames and content used in CosmicDuke's attack files to lure victims contain references to the countries of Ukraine, Poland, Turkey, and Russia, either generally in use of language or included detail, or in allusions to events or institutions. The filenames and content chosen seem to be tailored to their target’s interests, though we have no further information on the identity or location of these victims yet.

CosmicDuke infections start by tricking targets into opening either a PDF file which contains an exploit or a Windows executable whose filename is manipulated to make it look like a document or image file. Some of the samples display a decoy document to the user. This one was named Ukraine-Gas-Pipelines-Security-Report-March-2014.pdf:

CosmicDuke decoy

Here's a rather different kind of a decoy, showing a receipt of a payment in Russian. An interesting detail about the image file is that it contains EXIF metadata, including the date when the photo was taken and the model of the mobile phone that was used to take the photo.

CosmicDuke decoy

Once the target opens the malicious file, CosmiDuke gains persistence on the system and starts collecting information. The data collection components include a keylogger, clipboard stealer, screenshotter, and password stealers for a variety of popular chat, e-mail and web browsing programs. CosmicDuke also collects information about the files on the system, and has the capability to export cryptographic certificates and the associated private keys.

Once the information has been collected, it is sent out to remote servers via FTP. In addition to stealing information from the system, CosmicDuke allows the attacker to download and execute other malware on the system.

F-Secure has detections for all of the different malicious components used by the CosmicDuke samples known to us.

To learn more about the technical details, please see our CosmicDuke malware analysis report.

Post by — Timo


Monday, June 30, 2014

Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy Posted by Brod @ 05:08 GMT

The universe is full of "Black Energy" and so is cyberspace. Not so very long ago, we wrote about a sample of the BlackEnergy family discovered via VirusTotal. The family is allegedly the same malware used in the cyber-attack against Georgia in 2008. Last Friday, another fresh variant was submitted to VirusTotal. And this time it is more obvious on how it was being distributed: a zip file containing an executable. Again, as was the case earlier this month, the sample was submitted from Ukraine.

Zip file screenshot

The filename of the zip file means "password list" spelled out in the Cyrillic alphabet. For the executable, it means the same but spelled out in the Latin alphabet. Take note that the executable has a .doc extension. It is not clear how the sample can be run by the victim. Our guess is that there might be a zip application used by the intended target which supports opening samples based on their true file type regardless of their extension. Of course it is also possible that the attackers just made a mistake.

Checking the instance of the executable in VirusTotal, it was submitted from Belgium just a few minutes earlier. Given the current situation in Ukraine, and that Belgium is the center of the European Union government (and where NATO Headquarters is located), we cannot discount the theory that they are related.

We think the sample is possibly sent as attachment in spear-phishing e-mails pretending to be IT advisories warning people to avoid certain passwords.

Unlike the earlier variant, the sample no longer uses a kernel mode component to inject the user mode DLL into svchost.exe. This time it just uses a user mode dropper to load the DLL via rundll32.exe. Ditching the kernel mode component might be an attempt to get around the driver signing enforcement protection found in modern Windows systems.

The user mode DLL has also been rewritten (timestamp of June 26, 2014) to support the change. It now has a different configuration format but still uses a C&C that falls under the same IP address block:

New BlackEnergy configuration

The dropper will also open a decoy document to hide its malicious activity:

Decoy document

Take note that there is no software vulnerability or exploit involved. The decoy document is created and opened by the dropper programmatically. This is something similar to what we have seen before in what might be the first documented APT attempt in OS X. The malware did however exempt its host process (rundll32.exe) from DEP, which may open up an attack surface for future exploitation:

Routine that disables DEP via registry

Bottom line: if you're involved in European/Ukrainian diplomacy… beware BlackEnergy.


Friday, June 27, 2014

ICS-CERT "Amber" ALERT-14-176-02 Posted by Sean @ 15:04 GMT

ICS-CERT has posted a TLP Amber report to its secure portal related to our analysis of ICS/SCADA-focused Havex components.


For more information…

Dark Reading: As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered


Thursday, June 26, 2014

You Are Responsible For Your Security And Privacy Posted by Sean @ 12:46 GMT

I visited London on Monday. And I decided to try Heathrow Express (HEX) to get from the airport to London's center. I'm glad that I did — it was a smooth, fast, and quiet ride. Oh! Also, HEX offers "free" Wi-Fi…

Me being me, I decided to actually read the Terms & Conditions.

Heathrow Express


Consent To Monitoring



You Are Responsible For Your Security And Privacy

You know what? Yeah, that's true, you are in fact responsible for your own security and privacy.

Protip: there's no such thing as free Wi-Fi.

To utilize open Wi-Fi without your content being monitored while you do so… try Freedome.

Regards! @5ean5ullivan

P.S. I plan to post more terms and conditions as I discover them. I welcome your submissions.


Monday, June 23, 2014

Havex Hunts For ICS/SCADA Systems Posted by Daavid @ 14:46 GMT

During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector.

The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code:

Havex server source code

During the spring of 2014, we noticed that Havex took a specific interest in Industrial Control Systems (ICS) and the group behind it uses an innovative trojan horse approach to compromise victims. The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to.

We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.

The attackers use compromised websites, mainly blogs, as C&C servers. Here are some examples of command and control servers used:

Havex C2 servers

We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us.

Trojanized Software as an Infection Vector

The Havex RAT is distributed at least through following channels:

  • Spam email
  • Exploit kits
  • Trojanized installers planted on compromised vendor sites

The spam and exploit kit channels are fairly straightforward distribution mechanisms and we won't analyze them in more detail here.

Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets.

It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.

Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.

Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.

As an example, we can see the partial results of dynamic analysis for one of the trojanized installers:

Trojanized installer

The normal, clean installer does not include a file called "mbcheck.dll". This file is actually the Havex malware. The trojanized software installer will drop and execute this file as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer.

Target Organizations

We were able to locate some of the infected systems and identify the organization affected by the samples analyzed in this report by tracing the IP addresses communicating to the C&C servers used by the Havex RAT.

All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.


Our analysis of Havex sample codes also uncovered its "ICS/SCADA sniffing" behavior. The C&C server will instruct infected computers to download and execute further components, and one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers:

Havex scans LAN

We then noticed that it uses Microsoft Component Object Model (COM) interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to specific services:

Havex calls COM

To identify which services the sample is interested in, we can simply search for the identifiers seen above, which tell us what kind of interfaces are being used. A bit of googling gives us these names:

  • 9DD0B56C-AD9E-43EE-8305-487F3188BF7A = IID_IOPCServerList2
  • 13486D51-4821-11D2-A494-3CB306C10000 = CLSID_OPCServerList

Note the mention of "OPCServer" in the names. There are more hints pointing in the same direction -- the strings found in the executable also make several references to “OPC”:

Havex OPC strings

It turns out that OPC stands for OLE for Process Control, and it's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.


The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.

The method of using compromised servers as C&C's is typical for this group. The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.

The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.

SHA-1 hashes of the samples discussed:


F-Secure detects this threat as Backdoor:W32/Havex.A.

Post by — Daavid and Antti