Hong Kong has been in the headlines lately thanks to the Occupy central campaign (#occupycentral, #OccupyHK) and the umbrella revolution (#umbrellarevolution, #UmbrellaMovement). DPHK, Democratic Party Hong Kong and Alliance for True Democracy (ATD) are central players in this movement. Recent development has turned this into more than a fight for democracy. The sites of these organizations were infected with malware, and that turned it into a fight for #digitalfreedom as well. Volexity has the story with all the technical details. It seems to be RATs (Remote Access Trojans) that could be used for a variety of purposes. And the purpose of this is really the interesting question. Who did it and why?
• Cybercrime of today is to a large extent social engineering aiming to lure victims to run malware and infecting their devices. It’s very common for cybercriminals to drive more users to infected sites or phishing pages by riding on shocking headlines. So infecting sites that are in the middle of global attention is attractive for any cybercriminal, even without any kind of political motivation.
• These organizations are involved in a political struggle against one of the world’s leading cyber-superpowers. So it sounds very plausible that China would be behind this malware attack out of political motives. A lot of the visitors on these sites are involved in the movement somehow, either as leaders or at grass root level. Their enemy could gain a lot of valuable information by planting RATs even in a small fraction of these peoples’ devices.
• The publicity around the issue will also scare people away from the sites. Twitter can be used efficiently to orchestrate the protests, so an infected site will probably have little practical impact. Blocking services like Twitter is possible but a very visible and dramatic action, and even that can be circumvented with VPNs like F-Secure Freedome. But the site is more important for spreading the protesters’ message to a global audience. The impact may be significant at this level. Here again, China would be the one who benefits.
The moral of the story is naturally that political activists are attractive targets for cyber-attacks. There’s no evidence that these cases have political motives. But you don’t have to be a genius to figure out that China is the prime suspect. And that makes this case noteworthy. Criminals usually target private people and states other states. But here we seem to have a state targeting ordinary people belonging to a political organization. This kind of attack is a very real threat for people running opposition movements. And the threat is not limited to less democratic countries. The police forces in many western countries already have both technology and legal support for using malware against suspects. And usually without proper transparency and control of its usage.
Frankly speaking, I would not be very surprised if a similar case was discovered here in Europe. We do currently not have democratic movements of the same magnitude as the Umbrella movement. But we do have a lot of organizations that are being watched by the authorities. Ultra-right groups is an obvious example.
Today we are pleased to see an important milestone reached in a coordinated campaign against a sophisticated and well-resourced cyber espionage group. We have recently been participating in a Coordinated Malware Eradication initiative led by Novetta, in cooperation with other security vendors particularly iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft and Symantec, in the aims of disrupting the operations of this particular group. Today, we are jointly releasing an improved level of coverage against the threats utilized by the group.
This espionage group, which we believe to have a strong Chinese nexus, has been targeting several industry sectors from finance, education and government to policy groups and think tanks. They have been operational at least since 2010.
The attackers use several different tools to conduct their operations. One of the tools used by these criminals is Moudoor.
Moudoor is a derivative of the famous Gh0st RAT (remote access tool) that spawned many derivatives over time. In fact, its source code has been circulating across the internet at least since 2008.
Moudoor was named after the functions that were exported by the malware components.
Later versions of this malware have dropped such explicit strings, however, the name of the threat remains.
One of the things that allows us to distinguish between Moudoor from other many derivatives of Gh0st is the particular magic value that it uses to communicate with its C&C. This value has been consistently set to "HTTPS", and that is one of the key distinguishers that we have used to track this particular strain over time.
At its core, Moudoor is a powerful remote access tool. The chain of events that lead to Moudoor infections usually begins with the exploitation of 0-day vulnerabilities through watering hole attacks. For example, the attackers used CVE-2012-4792 before to eventually have Moudoor land on the victim machines.
Moudoor has an impressive list of capabilities, some of which are inherited from being a derivative of the Gh0st RAT. Gh0st features extensive file system manipulation functionalities, advanced spying, monitoring features and more.
Of course, Moudoor's authors have continued to customize their "fork" over time by adding new features and removing those which were not needed. For example, earlier variants of Moudoor kept Gh0st's ability to open a remote shell, but this capability has disappeared in the newer versions. On the other hand, the attackers have worked to tailor which information is extracted from the victim machines to their specific needs and interests.
Analysis of the code of Moudoor also gave us hints that the authors of this threat are of Chinese origin. During its execution, the malware builds a string containing the current time information; such string uses Chinese characters to represent the time in human-readable format.
You can read a more detailed summary of the whole operation here. Microsoft has also published information about this operation, which is available from this link.
We are detecting this family as Backdoor:W32/Moudoor. Our customers have received automatic updates to detect the tools known to be used by the attackers. You can also use our Online Scanner to check for signs of compromise. Our Online Scanner is a stand-alone tool that does not require installation, thus will allow you to quickly check for infections simply by downloading and running it.
The following is a true story. The names have been changed because the identity of those involved is none of your business.
Bob uses Linux. Alice uses Mac. Bob gave Alice a file via FAT32 formatted USB drive. Alice inserted the USB drive into her Mac, copied the file, and then gave the USB drive back to Bob. Later, Bob inserted the USB drive into his Linux computer and saw Mac files. Lots and lots of Mac files. And that's typical.
Anybody who has exchanged files with a Mac user knows that Mac OS X copies various "hidden" files to USB drives.
Here's the interesting part…
Bob was curious about the function of the files. (And why so many, what do they do?) Being a reverse engineer, Bob naturally examined the files with a hex editor. And that's when he discovered that a file called ".store.db" contained e-mail addresses, subject lines, and in a few cases, the opening sentence of Alice's messages.
Alarmed that such data/metadata was copied to his USB drive, Bob investigated further and found that the information couldn't be seen using a forensic tool designed specifically for viewing such .db files. From a conventional view, ".store.db" appeared to be identical to "store.db". Only a hex editor view revealed the leaked info embedded within .store.db — so it isn't at all obvious with standard forensic tools.
We have examined Bob's USB drive and can confirm that there is data in the .store.db file that really shouldn't be there. We have been unsuccessful in reproducing the issue with our own Mac computers. We don't have access to Alice or her computer, so we can only speculate. The data may have leaked due to an unknown configuration, it may have leaked due to third-party software, or it may have leaked due to malware.
Here's the concern…
Imagine you're a reporter. Do you want data about the e-mail to your sources leaking to somebody else's USB drive? Definitely not! In some countries, an OPSEC failure such as this could easily land people in jail.
We don't normally write about unknowns. But we do so in this particular case in the hope that somebody will be able to identify the source of the issue. And if somebody does — we'll update this post.
Nicholas Ptacek has pointed out that Mac users can prevent Spotlight from indexing via: System Preferences, Spotlight, Privacy.
Unfortunately, while disabling Spotlight indexing will prevent a leak of data to USB drives, the configuration will limit functionality on the Mac itself. Nicholas suggested that details found here may offer some additional workarounds.
Dr. Jimmy Wall recommended a tool called CleanMyDrive which includes a feature to automatically clean "junk" from your drives. The app is available from the Mac App Store.
Want to see what is hidden away in your Spotlight index?
A recent ATM breach in Malaysia has caused havoc for several local banks. According to reports, approximately 3 million Malaysian Ringgit (almost 1 million USD) was stolen from 18 ATMs. There is no detailed information on how the attack was performed by the criminals, but according to one local news report, police claimed the criminals installed malware with the file name "ulssm.exe" which was found on the compromised ATMs. Based on the file name, we know that the malware in question was first discovered by Symantec and it is known as "PadPin". The basic technical information of this malware can be found here. We have no confirmation that PadPin is the same malware used in the Malaysian ATM hacks. But even so, we have discovered something interesting by doing our own analysis of PadPin's code.
We searched through our backend sample collection system and quickly located a few samples related to the aforementioned file name. Our automated sample analysis system did not determine the samples to be malicious because the sample will not work on a typical Windows computer; it requires a DLL library which appears to be available on machines such as ATMs or self-service terminals running Windows Embedded operating system. The DLL library is known as Extension for Financial Services (XFS):
Image: Malware import Extension for Financial Services library
When we took a look at the code, we saw some unfamiliar API functions which are apparently imported via MSXFS.dll as shown in the image above. Unfortunately Microsoft does not provide official documentation for these APIs which makes understanding of the malware code more difficult. Questions continued until we came across a part of the malware code in which the malware attempts to establish a communication channel with the ATM pin pad device via one of the APIs. Basically, its purpose is to listen and wait for the key entered into the pin pad by the criminals in order to carry out different tasks as described in Symantec's write-up. In other words, the commands supported by the malware are limited to the keys available on the pin pad device. For instance, when the criminal enters "0" on pin pad, it will start dispensing money from the ATM machine. Analyzing the code, we started wondering how the malware author knows which pin pad service name to provide to the API so that the program is able to interact with the pin pad device. It's a valid question because the pin pad service name used in the code is quite unique and it is very unlikely one can figure out the service name without documentation.
Therefore, we did some web searches for the API documentation using the API name and the pin pad service name. And the result? We easily found the documentation from a dedicated ebooks website hosted on Baidu which appears to be the NCR programmer's reference manual.
After skimming through the documentation, we concluded that writing a program interacting with the ATM machine becomes handy even for someone without any prior knowledge on how to write software communicating with these ATM devices. The documentation is helpful enough to give programmers some sample code as well. Coincidentally, we also found that the alleged malware targeting Malaysian banks' ATM machines attempt to remove the "AptraDebug.lnk" shortcut file from the Windows startup folder as well as the launch point registry key "AptraDebug" on the infected machine. Its purpose is presumably to disable the default ATM software running on the machine and replaced it with the malware when the machine is rebooted. This file and registry key seem to be referring NCR APTRA XFS software, so it is safe to assume that the malware aims to target only the machine running this self-service platform software.
In conclusion, it's possible this documentation was leaked and uploaded by somebody other than PadPin's authors. And we should not rule out that the malware could be written by some experienced programmers who are or were bank employees.
It is practically impossible to stop somebody from viewing or downloading the documentation once it is available on the Internet, but there are some countermeasures banks can use to prevent such breaches from happening again. One of the most straightforward mitigation methods is to prevent the ATM machine from running files directly from USB or CD-ROM.
One of this summer's most followed ransomware families is CryptoWall. Over time CryptoWall has seen minor updates and changes but its core functionality has stayed pretty much the same. Once a machine has been infected, CryptoWall will attempt to encrypt the contents of the victims hard drive and then demand a ransom payment in exchange for the decryption key required to get the contents back.
The only major break from this was a few months ago when we observed a few CryptoWall samples that were using a custom Tor-component to communicate with their command & control servers. This Tor component was downloaded as an encrypted binary file from compromised websites. It was then decrypted and used to set up a connection to the Tor network through which the C&C server could be reached. Interestingly, we only observed a few of these "Torified" versions of CryptoWall. The majority of the samples we have seen have stuck to the original C&C communication method.
That may now have changed. Just yesterday, the first samples of ransomware calling itself "CryptoWall 2.0" were spotted in the wild.
The CryptoWall 2.0 ransom page
CryptoWall 2.0 appears to use a new packer/obfuscator with an increased amount of anti-debugging and anti-static analysis tricks. Upon reaching the final malicious payload, however, CryptoWall 2.0 is almost identical to the Torified CryptoWall 1.0 samples seen earlier this summer.
On the left, Torified CryptoWall 1.0 and on the right the same function in CryptoWall 2.0
Perhaps it was the efforts of security researchers to shut down CryptoWall C&C servers that was hurting the gangs business. Or maybe they just felt it was time for change. In any case the author(s) clearly felt a new C&C communication method was needed. And like professional software developers, the CryptoWall author(s) seem to believe in first testing new versions thoroughly alongside previous versions before completely switching over to the new one. We believe the Torified versions of CryptoWall 1.0 were exactly that, testing. Therefore we expect to see a lot more of CryptoWall 2.0 in the near future.
List of compromised Tor-component download locations:
The project required a "terms of service" and so for a bit of fun we added something… out of the ordinary.
Do you see it above?
Your First Born Child
In using this service, you agree to relinquish your first born child to F-Secure, as and when the company requires it. In the event that no children are produced, your most beloved pet will be taken instead. The terms of this agreement stand for eternity.
We spotted an interesting case of a person complaining about e-mail malware with social engineering content which hits home almost too well, and decided to investigate a bit.
The person had been talking to his friend about possibly booking tickets to San Francisco in near future. And 6 hours after the phone call he got an e-mail about an electronic plane ticket to San Francisco with an attachment. The person was cautious enough not to touch the attachment, which was a good decision, as in our analysis it was identified as a variant of Trojan.Krypt.AU.
This may be just a case of mass spammed malware and with social engineering text which hit this particular user at just exactly the right moment. But when we checked our sample collection, there was only 1250 instances of related malware, which would indicate that this particular malware is not being spammed to large audiences. And thus possibilities of getting exactly the right hit are very small.
Over the last year providers of targeted advertising have become a lot better at profiling users. For example, when I have been browsing for flight or hotel information. I have started to receive e-mail about flight and hotel offers in that particular destination from Trip advisor and other companies. Of course in order to experience this one has to have Freedome disabled, so that I can be tracked, but that is the price of wanting to experience the net like a regular user.
So this case looks very much like some targeted advertising services were misused for victim discovery by malware authors. We have seen advertising misused a lot with search engines, but this is the first case where we have indications that e-mail advertising services would be used in similar manner.
So far there is no proof the victim selection was done by abusing targeting profiling, and if profiling was used, was it based on phone call analysis. Perhaps the person searched for something which provided a match for profilers. But this is an interesting case and we will be keeping an eye out for future developments.