On December 11, one of our employees reported a phishing email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:
PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today.
Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud.
Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft Word document to infect victims by pretending to be a Failed Fax Transmission. On November 17, 2014, we received approximately 1,000 copies of this spam message before noon. The sending domain in the ‘From’ field was “interfax.net” in all of those samples.
Here’s the thing we’ve never seen before – a warning about Dyre malware FROM THE AUTHORS OF THE CRIDEX MALWARE! If – and only if – you are infected with this version of Cridex malware, and you visit a website at www.lloydsbankcommercia.com, you will receive the following pop-up message when you visit LloydsLink. PhishMe analysts spoke with Lloyds and learned that the message being propagated by Cridex malware was previously used on the Lloyds website in a now discontinued security advisory, but confirmed that if someone is seeing that message now it is a sign of a Cridex malware infection.
The security warning displayed to users that have been infected with Cridex malware is as follows:
IMPORTANT SECURITY INFORMATION
Lloyds Banking Group is aware that the Dyre malware (also known as Dyreza) is currently actively targeting financial institutions across the UK including customers of LloydsLink online.
This is not a vulnerability within LloydsLink online but malware that resides on infected computer systems designed to steal user log-in credentials.
We recommend you:
1. Work with your IT security providers to confirm that your anti-malware solution is capable of detecting and removing the very latest variants of Dyre.
2. Carry out comprehensive scans of any systems used to access LloydsLink, as well as any other financial service institution or financial orientated software that you use and transact on.
3. Change Passwords and memorable information, following the comprehensive scans of your systems.
Please remember it is important to check all beneficiary details, especially bank sort codes and account numbers, before creating and approving all payments.
For more information on protecting your payments please visit our Security Centre.
3) KEEPING YOUR PC SECURE
Protect against viruses
Use anti-virus software and ensure that it is kept up to date – this should protect your computer against the latest viruses
Use up-to-date anti-spyware software to protect against programs that fraudsters can use to collect information about your Internet usage
Keep your software up-to-date
Occasionally publishers discover vulnerabilities in their products and issue ‘patches’ to protect against any security threats. It is important that you regularly visit the website of the company which produces your operating system (e.g. Windows XP) and browser (e.g. Internet Explorer) to check for any patches or updates they may have issued.
While it would appear that the content above is being provided by Lloyds, that is not the case. The content is being pushed into your browser by the Cridex malware in what is known as a “web inject”. The web inject occurs if the malware senses that a user is visiting Lloyds commercial banking services.
Astute network monitoring professionals will want to watch for network traffic to the IP addresses 188.8.131.52 and 184.108.40.206. Both addresses are hosted on OVH France, a network that has great loyalty from the criminals behind this malware.
While nearly 300 other banks are also specifically targeted by this version of Cridex, the only other one with a special “web inject” pop-up message from the criminals is Barclays Bank. Its customers receive this special message:
Your security obligations
Due to our recent security changes you should keep your smart card inserted in your card reader.
This security message will appear periodically.
Please tick the box to acknowledge these security obligations.
In addition to many UK-based banks, banks in Austria, Belgium, Bulgaria, Germany, Hungary, Ireland, Indonesia, Israel, Italy, India, Malaysia, Netherlands, Norway, Qatar, Romania, Singapore, Switzerland, United Arab Emirates, United States of America, and Vietnam have also been targeted.
Several companies offering services to small and regional banks and credit unions are also being targeted, including CardinalCommerce, Electracard.com, ElectraPay.com, and Enstage.com.
PhishMe Intelligence subscribers can review further details of this attack online under Threat ID 2361.
Almost two weeks ago, PhishMe identified a new Trojan based almost entirely on the notorious GameOver Zeus variant. The new GameOver Zeus variant demonstrated many of the same behaviors and characteristics of the original. The most notable change between these two Trojans was the abandonment of the peer-to-peer botnet used by the older GameOver Zeus. Instead, the new variant used a new fast-flux infrastructure. However, much of the behavior—and malicious capabilities—of the original was retained in this newer form of the malware.
Today, a large number of spam emails were received and analyzed by PhishMe in one of the most intense attacks of recent days. Furthermore, analysis of this emerging threat demonstrated that criminals are not only attempting to capitalize on the heritage of functionalities associated with GameOver Zeus but are also making incremental advancements.
The new GameOver Zeus malware variant utilized new spam email templates, with the emails distributed by the Cutwail spam botnet. These entirely new sets of message content present the greatest likelihood of evading spam detection and mitigation—thereby increasing the likelihood that the hostile emails will be delivered to end users and the malware payload will be delivered.
The spam email messages distributing this malware make use of common malicious spam themes. The new spam email templates were recently confirmed by Brett Stone-Gross of Dell SecureWorks as having been distributed by the Cutwail botnet.
The file attached to these spam messages is a downloader that was once specific to the peer-to-peer GameOver Zeus Trojan. This downloader has previously been known to make use of as many as 50 locations to obtain payload files. This helps to ensure the malicious payload is delivered: if one location is blocked, there are 49 other possible download locations that can be used. Today’s sample was delivered with a single hard-coded payload URL rather than the large list seen in previous deployments of this downloader.
The risk of infection – and the chance of infections spreading like wild fire – is considerable. Only 5 of 53 antivirus software vendors – as reported by VirusTotal – correctly identified the downloader as malware. Furthermore, the GameOver payload obtained by this downloader was marked as malicious software by only 4 of 53 antivirus software products. Like its predecessor, the new malware variant drops a modified copy of itself that generates a unique checksum for every new infection.
Once the newGoZ binary has been executed, it begins to cycle through domain names produced by a domain generation algorithm seeking out an active command and control host. At the time of analysis, four such hosts were active and distributing configuration data to infected bots.
One of the most notable aspects of this malware’s behavior is its list of targeted URLs, obtained from the command and control infrastructure following infection. These URLs primarily represent those locations on the Web at which the threat actor hopes to steal private information from victims. Many of these URLs are locations involved with online banking and are specific to certain banking institutions. Others are related to online shopping, the intention being to obtain card details that are used to pay for goods purchased online. The following represent examples of some of those targeted URLs.
Some of those URLs are included with nomenclature used by the older GameOver Zeus Trojan, which denotes that a specific activity is to be carried out at those URLs such as the taking of screenshots or the addition of malicious content to a webpage via web inject.
When we first announced the new GameOver Zeus variant – we have named it newGOZ internally – the malicious actors behind the malware were using a fairly limited spam distribution method. The light spam volume may have been in part due to a desire to take a test run with the new malware. With today’s higher volume spam campaign, we believe we will be seeing much more of the newGOZ malware in the coming days and weeks. While it is too early to tell if this will become a dominant malware system like the old GameOver Zeus, PhishMe is sharing information widely about the new threat in the hope that we can stop this botnet before it grows out of control.
Today, PhishMe’s analysts identified a new banking Trojan that is based heavily on the GameOver Zeus binary. The GameOver Zeus mutation was distributed as an attachment in three spam email templates, utilizing the simplest method of infection to compromise end users’ systems.
The E-mail spam campaign
From 9:06 AM to 9:55 AM we intercepted spam messages claiming to have been sent from NatWest Bank.
One of the email messages used to distribute the new GameOver Zeus variant is listed below. As you can see, the message uses a common social engineering technique. It alerts the recipient to the risk of bogus emails and advises the recipient to be on their guard. It even provides information to help the bank’s customers avoid becoming a victim of cybercrime. Of course, the email does not mention not opening email attachments from unknown or suspicious sources, such as 4-arts.com.
From 9:34 AM to 10:50 AM we saw spam messages with the subject “Essentra PastDue” like these:
This message was far more succinct and to the point, claiming that the attached file had actually been requested by the recipient of the message.
The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification”. That campaign is still ongoing at the time of writing.
The final message was also sent from a suspicious domain. The email is poorly formatted, there is no branding, and there is no signature on the email – all common signs that the email is not genuine. However, a curious M&T bank customer who lacks security awareness may open the email attachment following the instructions provided. Opening the file in a web browser will result in infection with the Trojan.
The malicious payload
The three spam campaigns each had a .zip attachment. Each of those compressed files contained the same file, which was a form of “.scr” file with the hash:
At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal was 10/54 – still very low. Relatively few anti-virus vendors had identified the file as malicious.
When the attachment is opened the malware payload is executed. The malware attempts to make contact with certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to connect to a server that provides instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMware Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used to launch the new Zeus Trojan and download its bank information “webinject” files from the attackers’ C&C server.
The Domain Generation Algorithm is a method used by cybercriminals to regain access to their chosen botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists. Examples of these are listed below:
PhishMe’s analysts have confirmed with the FBI and Dell SecureWorks that the original GameOver Zeus is still “locked down”. This new DGA list is not related to the original GameOver Zeus, although it bears a striking resemblance to the DGA utilized by that Trojan, suggesting this is a new GameOver Zeus variant. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux-hosted C&C strategy.
The successful domain: cfs50p1je5ljdfs3p7n17odtuw.biz was registered this morning in China with the registrar “TodayNIC.com”:
Domain Name: CFS50P1JE5LJDFS3P7N17ODTUW.BIZ
Domain ID: D61087891-BIZ
Sponsoring Registrar: TODAYNIC.COM, INC.
Sponsoring Registrar IANA ID: 697
Registrar URL (registration services): www.todaynic.biz
Domain Status: clientTransferProhibited
Registrant ID: TOD-43737096
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service
Registrant Address1: Xiamen
Registrant City: Xiamen
Registrant State/Province: FUJIAN
Registrant Postal Code: 361000
Registrant Country: China
Registrant Country Code: CN
Registrant Phone Number: +57.59222577844
Registrant Facsimile Number: +57.59222577844
Registrant Email: firstname.lastname@example.org
Name Server: NS1.ZAEHROMFUY.IN
Name Server: NS2.ZAEHROMFUY.IN
Created by Registrar: TODAYNIC.COM, INC.
Last Updated by Registrar: TODAYNIC.COM, INC.
Domain Registration Date: Thu Jul 10 09:26:06 GMT 2014
Domain Expiration Date: Thu Jul 09 23:59:59 GMT 2015
Domain Last Updated Date: Thu Jul 10 09:26:07 GMT 2014
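As an added example (not code from the original post), the following Python parses a whois record like the one above and raises the triage indicators a defender would look for: registration only hours before use, a privacy-proxied registrant, a phone prefix that does not match the stated country, and a DGA-looking label. It assumes an analysis time of 1600 Central on the registration date and uses a deliberately partial, constructed calling-code table.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the whois record quoted in the post, trimmed to the fields used here.
WHOIS_SAMPLE = """\
Domain Name: CFS50P1JE5LJDFS3P7N17ODTUW.BIZ
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service
Registrant Country Code: CN
Registrant Phone Number: +57.59222577844
Name Server: NS1.ZAEHROMFUY.IN
Name Server: NS2.ZAEHROMFUY.IN
Domain Registration Date: Thu Jul 10 09:26:06 GMT 2014
"""

# Assumed analysis time: the post says 1600 Central on the day the domain was registered.
ANALYSIS_TIME = datetime(2014, 7, 10, 21, 0, tzinfo=timezone.utc)

# Deliberately partial table of ITU calling codes, constructed for this example.
CALLING_CODES = {"CN": "86", "US": "1", "GB": "44"}


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; a key that repeats (Name Server) collects a list."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in record:
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_features(domain):
    """Statistics of the registrable label (the one just left of the TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label),
    }


def looks_dga(domain):
    """Cheap heuristic: a long label with high entropy or many digits looks machine-generated."""
    f = dga_features(domain)
    return f["length"] >= 12 and (f["entropy"] >= 3.5 or f["digit_ratio"] >= 0.2)


def triage(record, analysis_time):
    """Return the indicator tags a defender would raise on this record (empty = nothing odd)."""
    tags = []
    created = datetime.strptime(record["Domain Registration Date"],
                                "%a %b %d %H:%M:%S GMT %Y").replace(tzinfo=timezone.utc)
    if (analysis_time - created).total_seconds() < 24 * 3600:
        tags.append("new-registration")          # registered hours before it was used
    if "privacy" in record.get("Registrant Organization", "").lower():
        tags.append("privacy-registrant")        # registrant identity hidden behind a proxy
    m = re.match(r"\+(\d+)\.", record.get("Registrant Phone Number", ""))
    expected = CALLING_CODES.get(record.get("Registrant Country Code", ""))
    if m and expected and m.group(1) != expected:
        tags.append("phone-country-mismatch")    # +57 is not China's calling code (+86)
    if looks_dga(record["Domain Name"]):
        tags.append("dga-like-name")
    return tags
```

The entropy threshold is a rough starting point; tune it against your own DNS logs, since short brand names such as lloydsbank.com must stay below it.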
In the original GameOver Zeus, the domain generation algorithm and its associated command and control resources serve the botnet as a fallback to the peer-to-peer botnet, which is this malware’s primary means of distributing instructions to infected machines. Using the websites associated with the domain generation algorithm, the GameOver botnet operators are able to distribute commands to infected machines that have lost contact with the peer-to-peer botnet.
The binary that is dropped and injected into Internet Explorer after contacting the C&C receives a random name. The version seen this afternoon is currently detected by 8 of 54 AV products at VirusTotal, although others may detect it using non-signature based methods.
A little over a month ago, the GameOver Zeus botnet suffered a major blow as law enforcement carried out a takeover of the domains associated with the domain generation algorithm and made efforts to remove this malware from infected machines. Both actions severely limited the ability of the botnet operators to issue commands to victims’ machines.
Those efforts seemed to halt the spread of this dangerous malware and led to its disappearance from malicious spam emails, albeit only temporarily.
PhishMe was able to identify a number of the command-and-control hosts believed to be involved in the attacker’s attempt to revive the GameOver botnet. Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver Trojan—including using the characteristic list of URLs and URL substrings used for Web injects, form-grabs, and its other information stealing capabilities.
This discovery indicates the criminals responsible for GameOver’s distribution do not intend to give up on their botnet, even after suffering one of the most expansive botnet takeovers/takedowns in history.
As always, PhishMe researchers are closely monitoring the situation and will provide meaningful threat intelligence when there are further developments with the GameOver Zeus Trojan and its new variants.
The Zeus banking Trojan is a popular topic in the security world these days. It’s not new, but it still garners attention as one of the most successful and prolific Trojans in use today.
Banking Trojans hide on infected machines and intercept activity related to the user’s finances—bank account logins, investment information, even purchases on sites like eBay. This differs from phishing: an end user infected with a banking Trojan like Zeus is not directed to a fake website and made to believe they are logging in to an official one.
Instead, he or she is interacting with the real banking, investing, or retail website and is completing a legitimate transaction. However, while that activity takes place, keystrokes are being logged. Screenshots may even be taken and transmitted to the attackers’ C&C server. Usernames, passwords, and security questions are all being monitored, recorded, and transmitted to the attackers. All of these malicious actions occur silently. Once infected, there will be no sign that an Internet session is anything but private.
Since the 2010 leak of the Zeus source code, a host of Zeus variants has been unleashed on an unsuspecting public. Cybercriminals leaped at the opportunity to diversify both the traits and abilities of the Zeus Trojans, building their own variants. Some of those Zeus variants —such as Ice IX and Citadel—have garnered attention for their huge successes.
Perhaps the most successful Zeus variant to date, GameOver Zeus, was responsible for 38% of banking Trojan activity in 2013. In this post, we’ll explore three things that you need to know about GameOver Zeus.
#1: The difference between GameOver Zeus and other Zeus variants.
While other prominent Zeus variants – and their associated botnets – rely on centralized command and control infrastructure, GameOver uses a distributed peer-to-peer botnet. This means instructions can come from virtually any other infected machine. That is part of the reason for the success of the Trojan. Nailing down the all-important points of origin for these instructions is incredibly difficult, if not nearly impossible.
#2: GameOver Zeus is the most versatile Zeus Variant.
GameOver Zeus is the most versatile of the Zeus variants and enjoys the advantage of being distributed via email attachments and downloaders, or through URLs in emails that point to online exploit kits. Those same exploit kits are also used in drive-by attacks on the Web, and via malvertising that directs traffic to the sites. Regardless of the online medium, GameOver can utilize an attack vector to gain a foothold in your system.
Once a machine is infected, it can receive instructions to download even more malicious payloads: other malware that can perform a much wider range of malicious actions. PhishMe has observed the GameOver botnet distributing malware aimed at generating more malware-laden spam, stealing Bitcoin and other cryptocurrency wallets from an infected machine, as well as downloading CryptoLocker. CryptoLocker is ransomware that encrypts a wide range of files on the infected machine, rendering it unusable until a ransom payment is made. All photos, documents, databases, images, and other important files are locked with powerful, unbreakable encryption.
#3: Recent changes have made it more likely for Zeus to infect a machine on your network.
Last September, PhishMe saw GameOver’s distributors begin using the Upatre malware downloader—a downloader which served largely as a replacement for the more substantial Pony Loader that was largely abandoned following the fall of the Blackhole exploit kit.
Upatre capitalizes on leaving a smaller footprint and utilizes simple, yet effective encryption techniques to hide the GameOver infection process. This more sophisticated and nuanced approach makes less “noise” in infected systems and utilizes “throw-away” distribution resources. This variation in the way GameOver is distributed makes it much more difficult for the average user to avoid becoming infected with the Zeus Trojan, by reducing the likelihood that he or she will notice anything out of the ordinary is happening.
In just the past two months, the developers of GameOver Zeus have implemented additional functionality to make their malware more persistent and harder to detect. This includes the addition of rootkit functionality borrowed from the prominent Necurs rootkit to prevent removal of the malware. Steps are also taken to prevent any potential future botnet sinkhole attempts.
Cybercriminals are, and always have been, persistent, savvy, and dynamic. Their continued development of GameOver serves to underscore all three of those traits. However, this malware clearly shows that they are also successful.
How has GameOver Zeus affected your business? Tell us what else you think business leaders should know about GameOver Zeus in the comments section below.
It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the news attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem, and it is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose: to trick Internet users into clicking on a malicious link.
Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.
This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a malicious Trojan. That Trojan steals financial data from the user.
As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s “Scribbler” provided a link to “Watch Live Hospital Updates” of the Royal Baby.”
What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?
They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails; a small selection of the subject lines used in yesterday’s spam emails are listed below:
“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me'”
“Obama speech to urge refocus ”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN
I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.
(early morning version <== redirects to nphscards.com / topic / accidentally-results-stay.php )
index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
ftp.thermovite.de / kurile / teeniest.js
traditionalagoonresort.com / prodded / televised.js
Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version. deltaboatraces.net == 220.127.116.11 and is still an active infector as of this timestamp. I got a randomly named 297,472 byte file, detected by 11 of 46 Anti-Virus vendors at VirusTotal.com as Zeus.
Adobe Flash Player Update?
After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while it appeared that I was on the correct Adobe site from the graphics, I was not.
After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.
After the second infection, my sandbox went to “deltarivehouse.net / forum / viewtopic.php” (18.104.22.168) which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware, but also provides criminals with full remote-control capabilities of the infected computer. The purpose of the additional malware was for another form of malicious income generation.
“sainitravels.in” (22.214.171.124) to fetch “f7Qsfao.exe” (VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
“server1.extra-web.cz” (126.96.36.199) to fetch “dbm.exe” (VirusTotal: 8 of 46)
“www.MATTEPLANET.com” (188.8.131.52) to fetch “q7ojEH7.exe” (VirusTotal: 4 of 46)
“ictsolutions.net.au” (184.108.40.206) to fetch “SAQjaWu.exe” (VirusTotal: 8 of 46)
Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “bidpenniesforgold.net” (IP: 220.127.116.11) and “webpayppcclick.com” (IP: 18.104.22.168).
According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains, including:
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)
Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing APT to corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.
Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.