Royal Baby: Third in Line to the Throne, First in Line as a Threat Lure!

Following yesterday’s news, the Duke and Duchess of Cambridge are now the proud parents of a baby boy and future heir to the British throne. While they revel in the joy of being a family, cyber-criminals have predictably been busy delivering various malicious campaigns in order to piggyback on the news. The Websense ThreatSeeker® Intelligence Cloud has been tracking malicious cyber-campaigns that started in the hours following the official announcement that the Duchess of Cambridge was in labor.

The campaigns detected so far are utilizing email lures, which either redirect unsuspecting victims to Blackhole Exploit Kit URLs or, indeed, provide malicious attachments in the form of Windows SCR files in an attempt to dupe users. These kinds of threats are often launched when topical or global news stories develop. We’ll step through both current campaigns in order to relate them to our 7 Stages of Advanced Threats and will detail how they propagate, as well as illustrate that the kill chain leading to malicious content breaks if any one link breaks.

Lures
(Stage 2 of the 7 Stages of Advanced Threats)

In this latest example of a malicious campaign that takes advantage of users’ thirst for news, the Websense ThreatSeeker® Intelligence Cloud detected and stopped over 60,000 emails with the subject “The Royal Baby: Live Updates” (including quotes) that were mimicking a ScribbleLIVE/CNN notification and encouraging victims to “catch up with the latest.” Clicking any of the links in this lure email resulted in the victim being led to the same malicious redirect URL. This is similar to a recent campaign that used topical events in email lures (the Fox News-themed Malicious Email Campaign).

Email Lure: Links to Redirect URLs …

A different campaign, using multiple lures containing malicious attachments, has been detected in lower volumes, with enticing subjects designed to pique interest and encourage victims to open the message:

  • Amazing, incredible share! Follow our leader, share it!
  • Royal Baby: Diana, Charlotte or Albert
  • Royal baby in fantastic picture!

In addition to varied but Royal Baby-themed subjects, the message bodies encourage victims to open the attached “image,” although the file itself is a malicious binary used to contact command and control (C2) infrastructure and download further malicious payloads:

Email Lure: Malicious attachment …

Should you receive any email news alerts or unsolicited messages regarding topical events, be sure that the message is legitimate before clicking any links or downloading any attachments. It is unlikely that reputable news agencies will send unsolicited email, and, therefore, any unexpected message should be treated with caution.

By their very nature, lures rely on human curiosity and our thirst for knowledge. In addition to needing an integrated security solution that is able to detect and protect against lures, be they delivered via social web or email, users need to also be educated to be wary of unsolicited links or messages and to consider visiting reputable news sites directly to gain the latest information.

Redirect
(Stage 3 of the 7 Stages of Advanced Threats)

Should users fall for the ScribbleLIVE/CNN lure, they are taken to intermediate websites that redirect victims to sites hosting exploit code, in this case the Blackhole Exploit Kit. The redirect sites, as is often the case, are legitimate websites that have been compromised or injected with malicious code that is hidden and obfuscated in order to abuse the compromised host site’s reputation. Real-time analysis of these sites at the point-of-click provides immediate protection and can effectively break the chain before a victim is redirected to an exploit.

Exploit Kit
(Stage 4 of the 7 Stages of Advanced Threats)

Another thing we see in these broad topical and global news campaigns is the use of common and accessible exploit kits, such as Blackhole, which allows the cyber-criminals to rapidly deploy their attack infrastructure and snare as many victims as possible. Once the exploit kit URL has been visited, the victim’s machine is likely to be assessed for vulnerabilities that can be exploited in order to deliver malicious payloads. In this case, as well as delivering malware, such as Zeus, which is designed to pilfer financial information from victims, the site utilizes a social-engineering method to trick the victim into installing a fake Adobe Flash Player update:

Exploit Kit: Social-engineering with a fake Adobe Flash Player update …

Real-time analysis of web content and malicious payloads protects users from both known and unknown threats.

Dropper File
(Stage 5 of the 7 Stages of Advanced Threats)

Should exploitation be successful, dropper and/or downloader files are used to install additional malicious payloads onto a victim’s machine. In the campaigns detailed so far, one relies on the victim falling for the lure and then being redirected to an exploit site from which the dropper would be delivered, while the other simply attaches a malicious file directly to the initial email lure. These files are often encrypted and packed to thwart detection by traditional signature-based solutions and therefore require more advanced solutions that recognize malicious behavior, such as Websense ThreatScope™. Using the email attachment as an example, the ThreatScope™ Analysis Report nicely illustrates how the file sent requests to malicious hosts and wrote further executable files to the local file system …

Call Home
(Stage 6 of the 7 Stages of Advanced Threats)

Once a victim’s machine has its malicious payload installed, it will attempt to “call home” and contact the C2 infrastructure to receive commands from those behind the campaign. Real-time detection of nefarious outbound communications, in lieu of the threat being caught at an earlier stage, can prevent this call home and stop attackers from achieving their goals.

Data Theft
(Stage 7 of the 7 Stages of Advanced Threats)

The exfiltration of data, be that personally identifiable information (PII) from an individual, company confidential data, or even a list of potential royal baby names, is often the attackers’ endgame. Using methods such as slowly “drip-feeding” data out of a compromised network or creating custom encryption routines to stay hidden, attackers attempt to steal data, which can then be used for further attacks or simply for criminal gain. Advanced data loss and theft prevention features, such as Drip DLP, OCR analysis, and the detection of custom encryption routines, can be deployed to keep your data where it belongs and out of the hands of cyber-criminals.

Websense customers are protected by ACE, our Advanced Classification Engine, against emerging cyber-threats of this nature at multiple stages throughout the kill chain. While we await further official announcements regarding the Royal Baby, the Websense Security Labs™ team is monitoring developments and will post updates should further campaigns surface.

Fox News-themed Malicious Email Campaign [UPDATED]

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as to exfiltrate personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured “breaking news” subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to ‘click’ on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.

Email Screenshot:

Intercepted emails generated interest as they are highly convincing as breaking news alerts and target highly popular and polarizing topics such as immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:

  • U.S. Military Action in Syria – is it WW3 start?
  • US deploys 19,000 troops in Syria
  • Obama Sending US Forces to Syria

Malicious Email Analysis

The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp://sartorilaw.net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti

Redirection Chain:

The malicious component downloaded by the shellcode is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.

Malicious component:
https://www.virustotal.com/en/file/2b6a58cbf235fedfbcdb1f15645f5d3f9156ebeb916074539b83c1e7934b1ef9/analysis/

About the PDF file:
https://www.virustotal.com/en/file/f2130f5c0e388454db7c8b25d16b59cb19ba193fe6cd1a5a7b7168d94e6d243b/analysis/

Malicious PDF Analysis

First Stage – Obfuscated JavaScript embedded in PDF:

Second Stage:

The third and final stage reveals the shellcode and URL:

Should the malicious PDF successfully exploit the victim’s machine, it creates a Windows Registry entry in order to maintain persistence by running automatically as the system starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads:

Associated Domains

The domain (hxxp://sartorilaw.net) that hosts the malware downloaded by the PDF exploit above was first registered on June 25th, 2013. Since then, it has resolved to three different IP addresses (119.147.137.31, 203.80.17.155, 174.140.166.239) and has hosted multiple pieces of malware, which resulted in it being characterized as a malicious website by the Websense ThreatSeeker® Intelligence Cloud almost immediately.

Malicious domain (hxxp://sartorilaw.net)
Contact email: soldwias@usa.com
Registrant: Cabrieto, Debbie

A WHOIS lookup on the contact email and registrant indicates that a second domain was registered on the same day (hxxp://enterxcasino.net). This domain does not resolve yet, but is likely to be used for malicious purposes in the future.

Impact and Protection

The overall efficacy of this campaign is difficult to judge, but the combination of a relatively high level of sophistication in the attacker’s social engineering and the use of relatively recent exploits and malware results in an increased risk to targeted systems. Websense provided protection from this campaign at multiple stages. Correlating this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) – The Fox News themed email campaign
  • Stage 3 (Redirect) – The websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) – Real-time detection of the BlackHole exploit kit that was used in this attack
  • Stage 6 (Call Home) – The malicious PDF launches code that reaches out to a server known to host malware and that is blocked via Websense. Further, analytics have been added that detect and block the C2 protocol used by the PDF
  • Stage 7 (Data Theft) – Websense DLP (data loss prevention) tools are capable of detecting and stopping the exfiltration of sensitive information with advanced feature sets such as Drip DLP, OCR analysis and covert channel detection

[Update]

Tuesday, July 2, 2013:

Websense Labs, via our ThreatSeeker Intelligence Cloud, have identified a modification to this campaign. Using Pinterest as its platform, the update informs the recipient that their Pinterest account is in need of updating and suggests they follow a link to do so; clicking on this link results in action which is identical to the Fox News campaign mentioned in the initial blog.

As always, Websense keeps its users safe through the 7 Stages of Advanced Threats, via our Advanced Classification Engine.

    Cyber Criminals Exploiting the Boston Marathon Aftermath [UPDATED]

    While the world recoils in shock at the horrifying events at Monday’s Boston Marathon, cybercriminals are actively seeking to exploit people’s thirst for information and eagerness to help those affected by the attacks.

    The Websense ThreatSeeker® Intelligence Cloud is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.

    Let’s follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We’ll also show that breaking any one link in the chain can protect potential victims.

    Stage 1: Reconnaissance

    This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday’s events), and then propagate their lure to as many people as possible.

    Stage 2: Lure

    Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:

    • 2 Explosions at Boston Marathon
    • Aftermath to explosion at Boston Marathon
    • Boston Explosion Caught on Video
    • BREAKING – Boston Marathon Explosion
    • Explosion at the Boston Marathon
    • Explosions at Boston Marathon
    • Explosions at the Boston Marathon
    • Runner captures. Marathon Explosion
    • Video of Explosion at the Boston Marathon

    The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.

    Stage 3: Redirect

    Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.

    Stage 4 – Exploit Kit

    Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit has been used to, in our case, exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.

    Stage 5 – Dropper File

    Rather than using a dropper file, which contains the malicious code within itself and is often packed to prevent detection by antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family, which is used to download further malicious binaries. In this case, two bots named Win32/Kelihos and Troj/Zbot are downloaded and installed on the compromised machine in order to join it to the cyber-criminals’ bot network.

    Stage 6 – Call Home / Stage 7 – Data Theft

    Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.

    Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature. In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 is denied which, combined with data loss controls to protect against stage 7, helps to ensure that your data stays where it belongs and not in the hands of an attacker.

    Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.

    [Update]

    Thursday, April 18, 2013:

    The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.

    The emails are similar, but use the texas.html path instead of boston.html.

    Subject lines include:

    • Texas Plant Explosion
    • Raw: Texas Explosion Injures Dozens
    • Texas Explosion Injures Dozens
    • CAUGHT ON CAMERA: Fertilizer Plant Explosion
    • Waco Explosion HD
    • Video footage of Texas explosion
    • Plant Explosion Near Waco, Texas
    • West Tx Explosion
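
    The lure format described in the Boston post and this Texas update (an event-themed subject and a body that is nothing but a single http://<IP Address>/boston.html or texas.html link) can be turned into a mail-gateway triage rule. The following Python is an added example, not Websense's code; the keyword list, the scoring weights and the sample emails are constructed from the subjects and URL format quoted in the posts.

```python
"""Heuristic triage for the event-lure emails described in the Boston and
Texas updates.  Added example, not Websense code.  Rules come from the post:
subjects themed on the event, and a body that is a single URL of the form
http://<IP Address>/news.html, /boston.html or /texas.html.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
# Paths named in the post; the bare-IP check below also catches new variants.
LURE_PATHS = {"/news.html", "/boston.html", "/texas.html"}
# Keywords derived from the subject lines listed in the post (assumption).
LURE_KEYWORDS = ("explosion", "boston marathon", "waco", "texas")


@dataclass
class Verdict:
    score: int
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])  # drop any :port suffix
    except ValueError:
        return False
    return True


def analyze(subject: str, body: str) -> Verdict:
    """Score one email; two or more points marks it as a probable lure."""
    score, reasons = 0, []
    if any(k in subject.lower() for k in LURE_KEYWORDS):
        score += 1
        reasons.append("subject follows the event-lure theme")
    text = body.strip()
    links = URL_RE.findall(text)  # list of (host, path) tuples
    for host, path in links:
        if _is_bare_ip(host):
            score += 2  # the strongest indicator in this campaign
            reasons.append(f"link points at a bare IP address ({host})")
        if path.lower() in LURE_PATHS:
            score += 1
            reasons.append(f"link uses a path seen in the campaign ({path})")
    if len(links) == 1 and URL_RE.fullmatch(text):
        score += 1
        reasons.append("message body is a single URL with no other text")
    return Verdict(score, score >= 2, reasons)


# Constructed samples modelled on the subjects and body format in the post;
# the IP addresses are documentation ranges, not real campaign infrastructure.
SAMPLE_EMAILS = [
    ("Boston Explosion Caught on Video", "http://198.51.100.23/boston.html"),
    ("Texas Plant Explosion", "http://203.0.113.5/texas.html"),
    ("Boston Marathon results",
     "Full results at https://www.example.org/marathon/results Thanks!"),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_EMAILS:
        v = analyze(subject, body)
        tag = "LURE " if v.suspicious else "clean"
        print(f"[{tag}] {subject!r}: {'; '.join(v.reasons) or 'no indicators'}")
```

    The third sample shows the point of scoring rather than keyword matching: a genuine message about the same event scores only one point and is left alone.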

    The lure pages have updated titles, but the rest is similar:

    Websense Security Labs will continue to monitor this campaign.

    Battered Twitter, Phish but no Chips!

    Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for ‘approximately 250,000 users’, Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

    Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well as for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received from direct messages or Tweets, particularly if the page you’ve been directed to is asking for your credentials or personal information.

    Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex (and most definitely not your pet/team/town or dictionary word) password as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you’ll have hopefully received a notification from Twitter that suggests these actions along with some general tips for account security:

    Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future, as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

    The recent compromise is reported to impact 250,000 users, a mere 0.0005% of total users or 0.00125% of active users, and therefore may seem a somewhat small drop in the Twitter ocean. It is unsurprising, therefore, that attackers are continuing to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

    This recent phishing campaign, given the samples analyzed by Websense Security Labs so far in this incident, is using lures likely to elicit a click when received from a friend or associate, such as “Did you see this pic of you? lol” followed by a shortened URL.

    Interestingly for us, and hopefully you, the use of Bitly’s URL shortening service allows us to append the URL with a plus ‘+’ and then view statistics for the shortened URL:

    Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

    From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications, or indicative that the campaign is not limited to Twitter itself.

    Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ru which in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:

    The phishing URL in the above example, Tivtter(.)com (ACEInsight Report), appears at a glance to be legitimate and therefore is likely to dupe some unsuspecting victims into believing that they need to ‘re-login’ to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps in order to gather some statistics or to split the campaign in some way, as we’ve seen active examples from /a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled onto the next, any attempt to access the phishing page will be met with a standard ‘404 – Page not found’ error.

    Should you fill in your account credentials, they’ll be snaffled by those behind this nefarious scheme and you’ll be presented with a fake ‘404’ page not found error before being whisked back to the official Twitter Web site as if nothing happened:

    As well as the URL above, we’re also seeing other variations on the same Twitter typo theme including iftwtter(.)com (ACEInsight Report) and iwltter(.)com (ACEInsight Report).
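
    Defenders can screen URLs seen in direct messages or proxy logs for the lookalike domains and the cycling /<letter>/verify/ folder described above. The Python below is an added example, not Websense's or ACEInsight's code; the edit-distance threshold, the legitimate-host rule and the sample URLs (including the invented hecro(.)ru subdomain) are assumptions built around the three domains quoted in this post.

```python
"""Lookalike-domain check for the Twitter phishing URLs described above.
Added example, not Websense code.  It refangs the hxxp / (.) notation used
in the post, measures how close each host label is to the brand name, and
looks for the cycling /<letter>/verify/ folder the post describes.
"""
import re
from urllib.parse import urlsplit

BRAND = "twitter"
BRAND_DOMAIN = "twitter.com"
MAX_DISTANCE = 2  # tolerance chosen for this example (assumption)
VERIFY_PATH = re.compile(r"/[a-z]/verify/?", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn the defanged form used in the post back into a parseable URL."""
    return url.replace("hxxp", "http").replace("(.)", ".").replace("[.]", ".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(label: str, brand: str = BRAND) -> int:
    """Distance from the brand to the label or to any window of it whose length
    is within one of the brand's, so a padded variant such as 'if' + 'twtter'
    (iftwtter) scores as one missing letter rather than three edits."""
    best = edit_distance(label, brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(label) - width + 1)):
            best = min(best, edit_distance(label[start:start + width], brand))
    return best


def analyze_url(url: str) -> dict:
    """Classify one URL taken from a message or a redirect chain."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    legitimate = host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)
    distance = min(brand_distance(label) for label in host.split("."))
    # Any label close to the brand on a host that is not the brand's own domain
    # is a lookalike; this also catches the brand used as someone else's
    # subdomain (twitter.com.evil.example), a pattern beyond this post.
    lookalike = not legitimate and distance <= MAX_DISTANCE
    verify_path = bool(VERIFY_PATH.fullmatch(parts.path))
    return {
        "url": url, "host": host, "distance": distance,
        "lookalike": lookalike, "verify_path": verify_path,
        "suspicious": lookalike or verify_path,
    }


# Constructed samples: the three typosquats and path pattern quoted in the
# post, an invented hecro(.)ru redirector subdomain, and one legitimate URL.
SAMPLE_URLS = [
    "hxxp://tivtter(.)com/n/verify/",
    "hxxp://iftwtter(.)com/a/verify/",
    "hxxp://iwltter(.)com/c/verify/",
    "hxxp://x7k2.hecro(.)ru/",  # redirector: not a lookalike, needs reputation data
    "https://twitter.com/settings/applications",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        print(f"{'PHISH' if r['suspicious'] else 'clean'} {u}  "
              f"(label distance {r['distance']}, verify path {r['verify_path']})")
```

    A threshold of two edits will also flag unrelated words such as "bitter", and the hecro(.)ru hop is not a lookalike at all, so in practice this check sits alongside the redirect-chain and reputation analysis the posts rely on.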

    Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

    Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!

    Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)

    First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

    The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.

    Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

    The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

    As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

    This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated. Exploitation can then result in memory corruption, which in turn could allow an attacker’s own code to be executed within the context of the current user, or as if it was being run by that user.

    At this time, Microsoft has not released a patch in order to address this vulnerability. However it has provided an easy one-click ‘Fix It’ solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.

    Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

    Update:

    Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.