Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog. Dyre’s latest iteration shows yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 shows three different emails, all with the same content but with different malicious links, which we we’ll use interchangeably in our examples. [Read more…]
’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.
The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.
Once connected, I was directed to a website, “www.pcefix.webs[d]com” where I could download the information to allow the computer technicians to “fix” my system. These downloads were riddled with viruses.
Next, the technician instructed me to download Ammyy, a free tool for remote assistance. Downloading this file allowed the attackers to establish a remote connection back to their systems.
For a more secure system, they switched to team viewer, which allowed a technician to take a look at the system. Once there, they opened Event Viewer in an attempt to show the number of viruses I had on the system. The screenshot is rather comical; as it’s blatantly obvious this is running in VMWare.
“Alex” also told me that hackers were in my system. I asked, “You mean like the ones from North Korea that hacked Sony?” With a chuckle…he confirmed that North Korean hackers were attacking my system. He even pulled up my INF files (Figure 5) to show me all of the files that the hackers added. (Figure 6)
He even went to the extent of opening one of the files and asking if I recognized it. When I didn’t know what the file was, he said, “This was added by the hacker.” He instructed me to run the scanning file “Router Tracer.bat” which would scan the system. From more of his analysis, it turns out I had 130 critical system files, expired protection, active hacking from China, as well as seven different hacking attempts. Not to mention that the file “hax.exe” was executed from startup h4x, as well as 100 viruses being sent by “Hacker”. (Figure 7)
It turns out this was a simple batch script that did nothing except echo these things out to the terminal.
Once Alex “convinced” me that my computer was infected, he offered me a few different payment options. The basic option was $199 for a 2-year warranty to fix my computer, $299 bought another 2 years, and $399 bought lifetime service for fixing every system in my house. What a deal! I agreed to the lifetime support, and he quickly presented me with a screen to enter my information, including a Government-issued ID number.
He was so kind as to fill in the token key as well.
Next, I filled in credentials for a credit card for them to take a payment.
It turns out that “Dine-Media Interactive”, the payment center who was taking the payment, has a Facebook page, and they are a startup in Bangalore, India that does rails development.
It looks like the company is doing pretty well for themselves, given that they are taking $399 dollars at a clip.
All in all, no money was lost, and they lost a $399 dollar sale to fix my computers for life. Even through my many attempts at messing with them, they still continued through many iterations of me loudly playing Youtube clips of trollolol, nyan nyan cat, and “Gangnam Style”. Alex even said “Gangnam Style? This is one of my favorite songs!” “You mean the hackers are playing that through my computer?” “Yes, the hackers are playing that through the computer speakers.”
With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content. [Read more…]
Most of us have been in an airport and heard the announcement over the loud speaker; “If you see something, say something.” The airport has security personnel; however, their agents cannot be everywhere at once. They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be. In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unoccupied luggage.
What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.
Phishing and malware techniques have been evolving since the time they were detected, conceptualized and recognized. Even though the malware payload or a phishing website URL is considered as the most important part from a detection and prevention perspective, we have observed a number of changes within the past few months in the phishing delivery mechanisms.
Our new whitepaper, “The Evolution of a Phish: Phishing Delivery Mechanisms,” covers an example of how obfuscation and file creation changes the detection process, and examines how attackers have gone from using simple malicious file uploads to more advanced techniques such as hiding a malicious file or link in plain sight.
Over the past few months, Ronnie Tokazowski has analyzed various malware campaigns that have used phising as the delivery method. The malware has evolved from attachments to links to 3rd party websites such as Dropbox. He’s also provided in-depth analysis of Dyre, which used a fax-themed phishing email similar to the one discussed in the whitepaper.
The interesting trend, however, is not that both phishing campaigns used similar themes, but the underlying methods of how attackers are trying to evade detection, and how there is no way to test the file until and unless the file gets formed in the browser. As an industry, we must acknowledge the reality of this evolution, and understand that new delivery mechanisms will continue to challenge all defense layers. This reality makes the last line of defense – employees – essential.
Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)
On October 28th, several of our employees reported a wave of suspicious emails. The most peculiar of the bunch originated from an American university. Here is a screenshot of the phishing email:
Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.