Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened Google URL and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.

The New GameOver Zeus Variant (newGOZ) Spams Again

Almost two weeks ago, PhishMe identified a new Trojan based almost entirely on the notorious GameOver Zeus variant. The new GameOver Zeus variant demonstrated many of the same behaviors and characteristics of the original. The most notable change between these two Trojans was the abandonment of the peer-to-peer botnet used by the older GameOver Zeus. Instead, the new variant used a new fast-flux infrastructure. However, much of the behavior—and malicious capabilities— of the original was retained in this newer form of the malware.

Today, a large number of spam emails were received and analyzed by PhishMe in one of the most intense attacks of recent days. Furthermore, analysis of this emerging threat demonstrated that criminals are not only attempting to capitalize on the heritage of functionality associated with GameOver Zeus but are also making incremental advancements.

The new GameOver Zeus malware variant utilized new spam email templates, with the emails distributed by the Cutwail spam botnet. These entirely new sets of message content present the greatest likelihood of evading spam detection and mitigation—thereby increasing the likelihood that the hostile emails will be delivered to end users and the malware payload will be delivered.

The spam email messages distributing this malware make use of common malicious spam themes. The new spam email templates were recently confirmed by Brett Stone-Gross of Dell SecureWorks as having been distributed by the Cutwail botnet.

The file attached to these spam messages is a downloader that was once specific to the peer-to-peer GameOver Zeus Trojan. This downloader has previously been known to use as many as 50 locations to obtain payload files, which helps to ensure the malicious payload is delivered: if one location is blocked, there are 49 other possible download locations that can be used. Today’s sample was delivered with a single hard-coded payload URL rather than the large list seen in previous deployments of this downloader.

The risk of infection – and the chance of infections spreading like wildfire – is considerable. Only 5 of 53 antivirus software vendors – as reported by VirusTotal – correctly identified the downloader as malware. Furthermore, the GameOver payload obtained by this downloader was marked as malicious software by only 4 of 53 antivirus software products. Like its predecessor, the new malware variant drops a modified copy of itself that carries a unique checksum for every new infection.

Once the newGOZ binary has been executed, it begins to cycle through domain names produced by a domain generation algorithm, seeking out an active command and control host. At the time of analysis, four such hosts were active and distributing configuration data to infected bots.


One of the most notable aspects of this malware’s behavior is its list of targeted URLs, obtained from the command and control infrastructure following infection. These URLs primarily represent those locations on the Web at which the threat actor hopes to steal private information from victims. Many of these URLs are locations involved with online banking and are specific to certain banking institutions. Others are related to online shopping, the intention being to obtain card details that are used to pay for goods purchased online. The following represent examples of some of those targeted URLs.

Some of those URLs carry the nomenclature used by the older GameOver Zeus Trojan, which denotes that a specific activity is to be carried out at those URLs, such as taking screenshots or adding malicious content to a webpage via web inject.

When we first announced the new GameOver Zeus variant – we have named it newGOZ internally – the malicious actors behind the malware were using a fairly limited spam distribution method. The light spam volume may have been due in part to a desire to take a test run with the new malware. With today’s higher-volume spam campaign, we believe we will be seeing much more of the newGOZ malware in the coming days and weeks. While it is too early to tell whether this will become a dominant malware system like the old GameOver Zeus, PhishMe is sharing information widely about the new threat in the hope that we can stop this botnet before it grows out of control.

Phishing: Stop Paving the Cow Path

Paving the cow path—why are we still using the same technologies to combat modern phishing attacks?

When the city of Boston was new and unpaved, the city fathers decided against laying out a regular street plan. Instead, they merely paved the paths that had been worn by cattle. The results? A chaotic and inefficient street plan that lacks logic. The admonition not to “pave the cow path” is supposed to remind us not to enshrine an existing way of doing something.

However, when combating phishing, the #1 threat vector in security*, we are paving the cow path.

Let’s start with some facts about email-based threats and their effectiveness:

  • 144 Billion emails every day/120 per person
  • 1 out of every 2 emails contains a threat
  • 10% of all email threats get through current defenses
  • 1 out of every 200 are effective

If we were building cars, computers or producing a ‘widget’ and had a 10% ‘defect’ rate, we would be out of business. Period. And yet what do we do today?

We pave the cow path.

To some degree or another, major enterprises recognize the need for combating all types of email-based threats, including phishing, spam and email-based malware. As a result, we have many existing technologies in the ‘food chain’ for providing protection against phishing, including:

  • Security Awareness Training (Education & Training)
  • Filters (spam, phishing)
  • Web filtering
  • Forensic services
  • Takedown services
  • Standards/DMARC

If we look at these technologies as anti-phishing solutions, they all have one thing in common: they deal with the symptoms of phishing. They do not address the root cause. As a result, each provides some deterrent or protection against phishing, but none addresses the cause: the source and nature of the cyberattack. Therefore, none of the current technologies can holistically prevent, detect and respond to existing and future phishing attacks.

We recently spoke with one of the world’s most phished companies/brands. How were they attempting to solve the ever-increasing phishing problem (up 87% since 2012 according to Kaspersky) that they (and most others) are experiencing?

They planned to do more of the same.

Specifically, they planned to continue with their takedown strategy. (For those of you unfamiliar with takedown or mitigation, there are companies that offer banks and other organizations round-the-clock services to assist in shutting down phishing websites.)

First, they enlisted external resources (vendors) for takedown.

Then, they began taking care of their takedown efforts internally.

Then, they adopted a hybrid approach, using both internal and external resources.

And now, they were planning to do more of both.

Do you see a pattern?

Yes, that’s right, it’s not working. Yet, they are planning to increase the use of ineffective tactics.

The status quo is not solving the problem. Whether you are utilizing internal or external resources, you are paving the cow path. The dirty secret of takedown vendors that every security professional knows is that most credential theft occurs within the first four hours of a phishing campaign. If your takedown time is greater than two hours, the phisher has already collected enough information to consider his mission a success. In short, no matter how fast the takedown promises to be, the phishers are faster. The damage is done. And spending more time and money on a fundamentally broken process doesn’t make it better. Adding more people to a broken process doesn’t make it better either. Takedown doesn’t solve the problem. It could, if it were done intelligently. But today, these services are the one-eyed man in the land of the blind for those looking to eliminate phishing servers.

Phishing can’t be solved by one technology, so the good news is that there are multiple processes and technologies in existence today to address the challenge. However, cybercriminals are moving ahead of many of the existing layers of defense and becoming more successful. We read about it every day, from the Target attack to Bank of America, Comerica, PayPal, Wells Fargo, Michael’s stores (and many, many others we don’t hear about).

I think it is a natural tendency to want to pave the cow path; after all, what is wrong with how we are doing business today? Or, we may look at it from the perspective: we don’t have time to look at improving our processes, so by default we will have to pave the cow path. But by paving the phishing cow path, you will lose. It’s that simple. Continuing to play ‘whac-a-mole’ with the cybercriminals, and using tools from the ‘last war’, is not winning. It’s losing. And with the cost of each phishing attack approaching $150,000, can you afford to lose even once?

The E-ZPass Scam: More Information On This Week’s Attacks

Earlier this week, reports surfaced about a new E-Z Pass scam. The spam campaign used the E-ZPass branding to fool recipients into visiting a malicious website. E-Z Pass is the electronic toll collection system used by several state departments of transportation.

The E-Z Pass scam emails are likely to be sent to a large number of individuals who use the system; after all, the toll system is used in many cities. One of the emails we captured is shown in the image below. As you can see, the E-Z Pass scam emails use appropriate branding, and warn the recipient that they have not paid for driving on a toll road. A link is included that will supposedly allow the recipient to view their invoice.

A quick search of PhishMe’s threat intelligence database shows that this is not the only email of this type that has been intercepted. The following related emails were also captured:

date       | subject                               | sender_name
-----------+---------------------------------------+---------------------------------
2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road          | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info

As you can see, while the E-Z Pass scam uses appropriate branding, the destination websites of the links are certainly not genuine. None of these are used for E-Z Pass.


Naturally, we visited one of the URLs to find out what would happen. Clicking on the link resulted in a prompt to download a zip file, which presumably would contain the invoice. Instead of a Word file, Excel spreadsheet, or PDF file, the zip file contained an executable (.exe) file.

Both files are named for the city and ZIP code to which we are connected.

For example, this relates to an E-Z Pass charge in Birmingham, Alabama.

When we run this malware, it attempts to make contact with command and control servers at the following locations:


PhishMe has been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet and have been in use for some time. In fact, this botnet was used to send the Holiday Delivery Failure spam emails that imitated Walmart, CostCo, and BestBuy during the holiday season, and also Court Related Malware in early 2014.

Breaking: GameOver Zeus Mutates, Launches Attacks

Today, PhishMe’s analysts identified a new banking Trojan that is based heavily on the GameOver Zeus binary. The GameOver Zeus mutation was distributed as an attachment in three spam email templates, utilizing the simplest method of infection to compromise end users’ systems.

The E-mail spam campaign

From 9:06 AM to 9:55 AM we intercepted spam messages claiming to have been sent from NatWest Bank.

One of the email messages used to distribute the new GameOver Zeus variant is listed below. As you can see, the message uses a common social engineering technique. It alerts the recipient to the risk of bogus emails and advises the recipient to be on their guard. It even provides information to help the bank’s customers avoid becoming a victim of cybercrime. Of course, the email does not mention not opening email attachments from unknown or suspicious sources, such as 4-arts.com.

From 9:34 AM to 10:50 AM we saw spam messages with the subject “Essentra PastDue” like these:

This message was far more succinct and to the point, claiming that the attached file had actually been requested by the recipient of the message.

The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification”. That campaign is still ongoing at the time of writing.

The final message was also sent from a suspicious domain. The email is poorly formatted, there is no branding, and there is no signature on the email – all common signs that the email is not genuine. However, a curious M&T bank customer who lacks security awareness may open the email attachment following the instructions provided. Opening the file in a web browser will result in infection with the Trojan.

The malicious payload

The three spam campaigns each had a .zip attachment. Each of those compressed files contained the same file, which was a form of “.scr” file with the hash:

MD5:   5e5e46145409fb4a5c8a004217eef836

At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal was 10/54 – still very low. Relatively few anti-virus vendors had identified the file as malicious.

When the attachment is opened, the malware payload is executed. The malware attempts to make contact with certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to connect to a server that provides instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMware Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used to launch the new Zeus Trojan and download its banking “webinject” files from the attackers’ C&C server.

The Domain Generation Algorithm is a method used by cybercriminals to regain access to their chosen botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists. Examples of these are listed below:


PhishMe’s analysts have confirmed with the FBI and Dell SecureWorks that the original GameOver Zeus is still “locked down”. This new DGA list is not related to the original GameOver Zeus, although it bears a striking resemblance to the DGA utilized by that Trojan, suggesting this is a new GameOver Zeus variant. In addition to a new DGA, the malware seems to have traded its peer-to-peer infrastructure for a new fast-flux-hosted C&C strategy.
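Both the newGOZ post above and this one describe the malware cycling through domains produced by a date-based DGA. As an added example (not PhishMe’s code, and not the actual GameOver Zeus DGA, which this page does not reproduce), the following heuristic scores a hostname on the lexical traits that the quoted DGA domains share, so a defender can flag such lookups in DNS logs for review; the thresholds and the benign comparison hostnames are assumptions.

```python
import math
from collections import Counter

# Added example (not PhishMe's code, and not the newGOZ algorithm itself):
# a heuristic scorer for DGA-looking hostnames. Thresholds are assumptions
# chosen to fit the traits of the DGA domains quoted in the post above.

DGA_TLDS = {"biz", "net", "com", "org"}   # TLDs seen in the quoted DGA domains
VOWELS = set("aeiou")

def second_level_label(hostname: str) -> tuple[str, str]:
    """Return (label, tld) for the registrable part of a hostname. Simplification:
    assumes a one-label TLD; a public-suffix list is needed for example.co.uk."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the text's own symbol frequencies."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def dga_features(hostname: str) -> dict:
    """Extract the lexical features the scorer below thresholds on."""
    label, tld = second_level_label(hostname)
    digits = sum(ch.isdigit() for ch in label)
    letters = sum(ch.isalpha() for ch in label)
    vowels = sum(ch in VOWELS for ch in label)
    longest = run = 0                       # longest consecutive-consonant run
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / letters if letters else 0.0,
        "max_consonant_run": longest,
        "tld": tld,
    }

def dga_score(hostname: str) -> int:
    """Number of DGA-like traits (0..6) the hostname exhibits."""
    f = dga_features(hostname)
    checks = [
        f["length"] >= 20,            # quoted labels are 22-27 characters
        f["entropy"] >= 3.5,          # near-uniform use of many symbols
        f["digit_ratio"] >= 0.15,     # digits sprinkled through the label
        f["vowel_ratio"] <= 0.25,     # unpronounceable letter mix
        f["max_consonant_run"] >= 4,
        f["tld"] in DGA_TLDS,
    ]
    return sum(checks)

def is_dga_like(hostname: str, threshold: int = 4) -> bool:
    """Flag a hostname for review when it meets at least `threshold` traits."""
    return dga_score(hostname) >= threshold

if __name__ == "__main__":
    # Two domains quoted in the post plus constructed benign names (assumed).
    samples = ["cfs50p1je5ljdfs3p7n17odtuw.biz", "bmo0ve7lxujkiid9sycsfxb.biz",
               "www.google.com", "secure.natwest.com"]
    for host in samples:
        print(f"{host:32} score={dga_score(host)} dga_like={is_dga_like(host)}")
```

A score threshold this simple will misfire on legitimate CDN or tracking hostnames, so treat a hit as a triage signal to correlate with the 6-to-10-minute pre-contact delay and NXDOMAIN bursts described above, not as a block decision on its own.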

The successful domain: cfs50p1je5ljdfs3p7n17odtuw.biz was registered this morning in China with the registrar “TodayNIC.com”:

Domain Name: CFS50P1JE5LJDFS3P7N17ODTUW.BIZ
Domain ID: D61087891-BIZ
Sponsoring Registrar: TODAYNIC.COM, INC.
Sponsoring Registrar IANA ID: 697
Registrar URL (registration services): www.todaynic.biz
Domain Status: clientTransferProhibited
Variant: CFS50P1JE5LJDFS3P7N17ODTUW.BIZ
Registrant ID: TOD-43737096
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service
Registrant Address1: Xiamen
Registrant City: Xiamen
Registrant State/Province: FUJIAN
Registrant Postal Code: 361000
Registrant Country: China
Registrant Country Code: CN
Registrant Phone Number: +57.59222577844
Registrant Facsimile Number: +57.59222577844
Registrant Email: whois-agent@gmx.com
Name Server: NS1.ZAEHROMFUY.IN
Name Server: NS2.ZAEHROMFUY.IN
Created by Registrar: TODAYNIC.COM, INC.
Last Updated by Registrar: TODAYNIC.COM, INC.
Domain Registration Date: Thu Jul 10 09:26:06 GMT 2014
Domain Expiration Date: Thu Jul 09 23:59:59 GMT 2015
Domain Last Updated Date: Thu Jul 10 09:26:07 GMT 2014

In the original GameOver Zeus, the domain generation algorithm and its associated command and control resources serve the botnet as a fallback to the peer-to-peer network, which is that malware’s primary means of distributing instructions to infected machines. Using the websites associated with the domain generation algorithm, the GameOver botnet operators are able to distribute commands to infected machines that have lost contact with the peer-to-peer botnet.

The binary that is dropped and injected into Internet Explorer after contacting the C&C receives a random name. The version seen this afternoon is currently detected by 8 of 54 AV products at VirusTotal, although others may detect it using non-signature based methods.

A little over a month ago, the GameOver Zeus botnet suffered a major blow as law enforcement carried out a takeover of the domains associated with the domain generation algorithm and made efforts to remove this malware from infected machines. Both actions severely limited the ability of the botnet operators to issue commands to victims’ machines.

Those efforts seemed to halt the spread of this dangerous malware and led to its disappearance from malicious spam emails, albeit only temporarily.

PhishMe was able to identify a number of the command-and-control hosts believed to be involved in the attackers’ attempt to revive the GameOver botnet. Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver Trojan—including using the characteristic list of URLs and URL substrings used for Web injects, form-grabs, and its other information stealing capabilities.

This discovery indicates the criminals responsible for GameOver’s distribution do not intend to give up on their botnet, even after suffering one of the most expansive botnet takeovers/takedowns in history.

As always, PhishMe researchers are closely monitoring the situation and will provide meaningful threat intelligence when there are further developments with the GameOver Zeus Trojan and its new variants.

2nd Annual Phish Throwdown: This Time It’s Personal

We had a lot of fun with our Black Hat email contest last summer, but this year, it’s time to get personal. No, we’re not talking about chatting over dinner and a movie. We’re talking about a contest that takes off the gloves and brings the best recipe for a highly personalized spear phishing email.

Attackers using Dropbox to target Taiwanese government

While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing service to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug).

From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking.