The universe is full of "Black Energy" and so is cyberspace. Not so very long ago, we wrote about a sample of the BlackEnergy family discovered via VirusTotal. The family is allegedly the same malware used in the cyber-attack against Georgia in 2008. Last Friday, another fresh variant was submitted to VirusTotal. And this time it is more obvious on how it was being distributed: a zip file containing an executable. Again, as was the case earlier this month, the sample was submitted from Ukraine.
The filename of the zip file means "password list" spelled out in the Cyrillic alphabet. For the executable, it means the same but spelled out in the Latin alphabet. Take note that the executable has a .doc extension. It is not clear how the sample can be run by the victim. Our guess is that there might be a zip application used by the intended target which supports opening samples based on their true file type regardless of their extension. Of course it is also possible that the attackers just made a mistake.
Checking the instance of the executable in VirusTotal, it was submitted from Belgium just a few minutes earlier. Given the current situation in Ukraine, and that Belgium is the center of the European Union government (and where NATO Headquarters is located), we cannot discount the theory that they are related.
We think the sample is possibly sent as attachment in spear-phishing e-mails pretending to be IT advisories warning people to avoid certain passwords.
Unlike the earlier variant, the sample no longer uses a kernel mode component to inject the user mode DLL into svchost.exe. This time it just uses a user mode dropper to load the DLL via rundll32.exe. Ditching the kernel mode component might be an attempt to get around the driver signing enforcement protection found in modern Windows systems.
The user mode DLL has also been rewritten (timestamp of June 26, 2014) to support the change. It now has a different configuration format but still uses a C&C that falls under the same IP address block:
The dropper will also open a decoy document to hide its malicious activity:
Take note that there is no software vulnerability or exploit involved. The decoy document is created and opened by the dropper programmatically. This is something similar to what we have seen before in what might be the first documented APT attempt in OS X. The malware did however exempt its host process (rundll32.exe) from DEP, which may open up an attack surface for future exploitation:
Bottom line: if you're involved in European/Ukrainian diplomacy… beware BlackEnergy.
I visited London on Monday. And I decided to try Heathrow Express (HEX) to get from the airport to London's center. I'm glad that I did — it was a smooth, fast, and quiet ride. Oh! Also, HEX offers "free" Wi-Fi…
During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector.
The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code:
During the spring of 2014, we noticed that Havex took a specific interest in Industrial Control Systems (ICS) and the group behind it uses an innovative trojan horse approach to compromise victims. The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to.
We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.
The attackers use compromised websites, mainly blogs, as C&C servers. Here are some examples of command and control servers used:
We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us.
Trojanized Software as an Infection Vector
The Havex RAT is distributed at least through following channels:
Spam email
Exploit kits
Trojanized installers planted on compromised vendor sites
The spam and exploit kit channels are fairly straightforward distribution mechanisms and we won't analyze them in more detail here.
Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets.
It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.
Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.
Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.
As an example, we can see the partial results of dynamic analysis for one of the trojanized installers:
The normal, clean installer does not include a file called "mbcheck.dll". This file is actually the Havex malware. The trojanized software installer will drop and execute this file as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer.
Target Organizations
We were able to locate some of the infected systems and identify the organization affected by the samples analyzed in this report by tracing the IP addresses communicating to the C&C servers used by the Havex RAT.
All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.
ICS/SCADA Sniffer
Our analysis of Havex sample codes also uncovered its "ICS/SCADA sniffing" behavior. The C&C server will instruct infected computers to download and execute further components, and one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers:
We then noticed that it uses Microsoft Component Object Model (COM) interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to specific services:
To identify which services the sample is interested in, we can simply search for the identifiers seen above, which tell us what kind of interfaces are being used. A bit of googling gives us these names:
Note the mention of "OPCServer" in the names. There are more hints pointing in the same direction -- the strings found in the executable also make several references to �OPC�:
It turns out that OPC stands for OLE for Process Control, and it's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.
Summary
The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.
The method of using compromised servers as C&C's is typical for this group. The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.
The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.
Necurs is a kernel mode driver best known at the moment for being used by Gameover Zeus (GOZ) to hinder attempts to detect and remove the malware. The technical details of the Necurs driver have already been exhaustively covered in a writeup by Peter Ferrie, but during our analysis we came across some interesting details of Necur's gradual uptake as a "crimeware for sale" module.
We saw the earliest version of the Necurs driver as a standalone malware in May 2011; it didn't become associated with another malware until early 2012, when we observed it being dropped by a trojan-downloader, also called Necurs since it was the only user mode component the driver was seen with at the time.
It was only in February 2014 that we saw the driver included in GOZ, which raised its profile considerably. The GOZ botnet is estimated to run into hundreds of thousands of infections and it is mainly used for online banking theft.
Before Necurs was incorporated, GOZ had been operating without an associated driver. Its addition to the botnet's operations was rather curious, as it occurred about 2.5 months before the United States' Federal Bureau of Investigations (FBI) started their takedown operations.
The Necurs driver's design is interesting in that it doesn't require any changes by the authors for use by a third party. The dropper code used by both the Necurs trojan-downloader and GOZ to create and install the Necurs driver is the same, so the author has provided everything needed for the driver to be taken into use.
The dropper code has been written in the style of shellcode, so it can be executed as is, and as such it can be easily included into the source code of whatever malware will end up using the driver.
No source code needs to be given to the customers, and the driver can be easily configured to protect any executable just by correctly setting its service key values. The name of the file to be protected is taken from the DisplayName value of the driver's service key.
The Necurs driver also includes a control interface that allows the user mode component to give commands to the driver, regardless of the actual family. Controlling is done with specific IRP_MJ_DEVICE_CONTROL requests, which can be sent with the DeviceIoControl user-mode API.
The first control code the user-mode component must send is 0x220000; on receiving this, the Necurs driver will store the handle of the process that sent that request as the process that will be able to control the driver. This command is only accepted once per bootup.
To be stored as the controlling process, the IRP.AssociatedIrp.SystemBuffer for that request must be 12-bytes long and adhere to two checks:
• first_dword ^ 0xdeadc0de == second_dword • first_dword ^ third_dword == pid of process that sends the request
An additional check is that the name of the process that sends the control code must be the same as the DisplayName field in the Necurs service key. This prevents unwanted processes from sending the commands, as any kind of access to a file with that name will be prevented by the driver.
Necurs listens for a total of 15 different IoControlCodes, including:
• 0x220000 register process as Necurs master • 0x22000c get Necurs driver path • 0x220010 get Necurs service key name • 0x220018 update Necurs driver (driver file content is replaced by data in IRP.AssociatedIrp.SystemBuffer) • 0x22001c uninstall Necurs driver • 0x220028 terminate process by process identifier • 0x22002c terminate process by name
The code for calling all of the commands is included in the dropper code that also handles the installation of the driver.
These features essentially make the Necurs driver well suited for resale and use by third parties, as is evident by its use in the GOZ trojan. Though the current takedown effort against the botnet is likely to put a crimp in the operations of Necurs' biggest "customer", at least for a while.
We detect Necurs driver variants as Rootkit.Necurs.
A little over two weeks ago, we found a new family of Android ransomware: SLocker.
We have no evidence that SLocker is related to Koler, the most recently discovered Android ransomware. It does however carry through on the threat Koler made. Unlike Koler — which pretended to, but didn't actually encrypt files — SLocker will actually scan the device's SD card for specific file types:
When the SLocker app is launched, it encrypts these files and then displays a ransom message:
The message informs the user they must transfer a payment via an online money transfer service in order to recover the files. The phone number listed in the message on the left is based in Ukraine.
Currently there are two versions of this family. The first version uses the Tor anonymizing network to communicate between infected phones and the malware's C&C-server. We suspect this version might be a testing revision because all debug information is available.
The second SLocker version appeared at the same time as the Tor-enabled version but is simplified. This version shares much the same code (including encryption and the same hardcoded decryption key) but the debugging parts are no longer present. The main difference though is that this version doesn't use Tor. Instead, it takes its commands via SMS messages:
Also notable is that unlike the Tor-enabled version, this one lists a Russian phone number and demands Russian currency in the ransom message:
Digging deeper into retracing the C&C server, we found its IP address had been registered as far back to 2005 to a private person. Currently, a Russian-based webhosting service is running there.
Though this version of SLocker is less sophisticated in that it does not use Tor for its C&C communications, it still seems to be under active development, as the latest sample we have of this version now includes capability to take photographs using the device's camera. It seems likely that SLocker's author(s) will continue to develop it in the future.
A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine. The family is allegedly the same malware used in the cyber attack against Georgia in 2008. The malware provides attackers full access to their infected hosts. Check out SecureWorks' detailed analysis from 2010 for more information about the family.
The new sample is not much of a rootkit anymore, in the sense that it no longer hides files, registries, etc. The build is now "0D0B15aaa" according to the embedded XML:
Although not used, the sample still has a routine which hides processes. This time it uses DKOM. Because of this (and to check whether svchost.exe is in an alertable state), the malware keeps a hard coded list of offsets in kernel structures that it uses for the different Windows versions. What is interesting is that the sample was designed with Windows 8 in mind:
Since the sample is not signed, the driver signing enforcement in modern Windows must be disabled to work.
Today we've published a new, quick way to check if your computer is infected by GameOver ZeuS (GOZ). Last week the GOZ botnet was disrupted by international law enforcement together with industry partners, including ourselves.
It is of critical importance to realize GOZ was disrupted — not dismantled. It's not technically impossible for the botnet administrators to reclaim control in the near future. More than one million computers are infected by GOZ, time is of the essence.
To assist with remediation, starting today, you can simply visit — www.f-secure.com/gameoverzeus — to see if your browser has signs of a GameOver ZeuS infection. The nice part is you don't have to install any software and it takes only a few seconds!
Our more technical readers might be wondering how the check works. It's something we haven't done before, and we thought we'd describe it in more detail here. In the end, we get to play a little trick on the malware itself, which is always fun.
GOZ, or in fact almost any other banking trojan for Windows, infects the browser in order to steal usernames, passwords, and other credentials. Let's say you are going into Amazon.com:
GameOver ZeuS will notice that you are about to sign in to a site it's interested in and steals your credentials straight from inside the browser. How does it do this? By including a configuration file which lists all the addresses it's interested in. Here's a partial list of what GameOver Zeus is tracking:
As you notice, the list contains many addresses of banks and other financial institutions. GameOver ZeuS even supports regular expressions to make creating new rules flexible. Some addresses which use regular expressions turn out to be very aggressive:
What do I mean by "aggressive"? Well, for example, visiting a site with the address https://www.f-secure.com/amazon.com/index.html would make GameOver think that you are actually visiting Amazon, because the regular expression still matches. Turns out, we can use this to "trick" GameOver bots and make an easy check to see if an infection is present in your browser!
So what does GameOver actually do when a user is going to Amazon.com? Since the malware lives inside the browser, not only can it see what you type into the login page, but it can also modify the webpage before you see it. When a user with an infected browser goes to Amazon, ZeuS will "inject" more content onto the page. Here's a partial snippet of the code which gets injected:
Often this extra code adds new fields to the login page and then sends the content to a server the attacker controls. We'll make use of the highlighted string ("LoadInjectScript") later.
How do we put all of this together to make a quick scan for the malware?
Our detection page at www.f-secure.com/gameoverzeus loads a webpage from an address which has the string "amazon" in it, even though it's just a page from our own site:
If you are infected, visiting our page makes GameOver ZeuS think you are going to Amazon, even if you're not! This in turn causes GOZ to add its own code to the webpage. When our "fake" Amazon page is loaded, it does a "self-check" and simply searches the page for the modification that GameOver makes. We search for the string "LoadInjectScript" we showed above (note that we have to split it up, so we don't just end up finding our own string!):
If the string is found on the page, we know GameOver ZeuS has infected your browser!
As always, there are some limitations. If you are using a browser which GameOver doesn't support (Lynx anyone?, or a native 64-bit browser), it may be that your computer is infected, but the browser has no traces of the malware. In such cases, we still recommend running our free Online Scanner to be sure. Also, if you do actually have an infection, you'll need to remove it with the scanner.
Today we've been (eagerly) going through the associated documents — and the costs attributed to GOZ are very striking.
Examples of GameOver victims:
SEVEN MILLION dollars from one Florida bank? Wow.
Examples of CryptoLocker (ransomware dropped by GOZ) victims:
A restaurant in Florida had its recipes encrypted?
Now THAT is some "secret sauce"!
$30,000 in damage is really a significant cost for such a business.
According to this FBI graphic, CryptoLocker made $30 million in payments during the last four months of 2013:
So here's the thing about GOZ… it's a peer-to-peer botnet and is highly resistant to "takedowns". Law enforcement action is currently blocking critical command and control infrastructure — but it could be only a matter of time before slavik regains ownership via side channels. In the meanwhile, remediation efforts are underway. IP addresses related to GOZ are being directed to removal tools.