Following yesterday’s news, the Duke and Duchess of Cambridge are now the proud parents of a baby boy and future heir to the British throne. While they revel in the joy of being a family, cyber-criminals have predictably been busy delivering various malicious campaigns in order to piggyback on the news. The Websense ThreatSeeker® Intelligence Cloud has been tracking malicious cyber-campaigns that started in the hours following the official announcement that the Duchess of Cambridge was in labor.
The campaigns detected so far use email lures that either redirect unsuspecting victims to Blackhole Exploit Kit URLs or carry malicious attachments in the form of Windows SCR (screensaver) files, which are ordinary executables despite the extension. These kinds of threats are often launched when topical or global news stories develop. We’ll step through both current campaigns in order to relate them to our 7 Stages of Advanced Threats, detail how they propagate, and illustrate that the kill chain leading to malicious content breaks if any one link breaks.
Lures
(Stage 2 of the 7 Stages of Advanced Threats)
In this latest example of a malicious campaign that takes advantage of users’ thirst for news, the Websense ThreatSeeker® Intelligence Cloud detected and stopped over 60,000 emails with the subject “The Royal Baby: Live Updates” (including the quotes) that mimicked a ScribbleLIVE/CNN notification and encouraged victims to “catch up with the latest.” Clicking any of the links in this lure email led the victim to the same malicious redirect URL. This is similar to a recent campaign that used topical events in email lures (the Fox News-themed malicious email campaign).
Email Lure: Links to Redirect URLs …
A different campaign, using multiple lures that carry malicious attachments, has been detected in lower volumes, with enticing subjects designed to pique interest and encourage victims to open the message:
In addition to the varied, Royal Baby-themed subjects, the message bodies encourage victims to open the attached “image,” although the file itself is a malicious binary that contacts command and control (C2) infrastructure and downloads further malicious payloads:
Email Lure: Malicious attachment …
Should you receive any email news alerts or unsolicited messages regarding topical events, be sure that the message is legitimate before clicking any links or downloading any attachments. It is unlikely that reputable news agencies will send unsolicited email, and, therefore, any unexpected message should be treated with caution.
By their very nature, lures rely on human curiosity and our thirst for knowledge. In addition to needing an integrated security solution that is able to detect and protect against lures, be they delivered via social web or email, users need to also be educated to be wary of unsolicited links or messages and to consider visiting reputable news sites directly to gain the latest information.
Redirect
(Stage 3 of the 7 Stages of Advanced Threats)
Should users fall for the ScribbleLIVE/CNN lure, they are taken to intermediate websites that redirect victims to sites hosting exploit code, in this case the Blackhole Exploit Kit. The redirect sites, as is often the case, are legitimate websites that have been compromised or injected with malicious code that is hidden and obfuscated in order to abuse the compromised host site’s reputation. Real-time analysis of these sites at the point-of-click provides immediate protection and can effectively break the chain before a victim is redirected to an exploit.
Exploit Kit
(Stage 4 of the 7 Stages of Advanced Threats)
Another thing we see in these broad topical and global news campaigns is the use of common and accessible exploit kits, such as Blackhole, which allow the cyber-criminals to rapidly deploy their attack infrastructure and snare as many victims as possible. Once the exploit kit URL has been visited, the victim’s browser and plug-ins are profiled for vulnerabilities that can be exploited to deliver malicious payloads. In this case, as well as delivering malware such as Zeus, which is designed to pilfer financial information from victims, the site falls back on social engineering to trick the victim into installing a fake Adobe Flash Player update:
Exploit Kit: Social-engineering with a fake Adobe Flash Player update …
Real-time analysis of web content and malicious payloads protects users from both known and unknown threats.
Dropper File
(Stage 5 of the 7 Stages of Advanced Threats)
Should exploitation be successful, dropper and/or downloader files are used to install additional malicious payloads onto a victim’s machine. In the campaigns detailed so far, one relies on the victim falling for the lure and then being redirected to an exploit site from which this would be delivered, while the other simply attaches a malicious file directly to the initial email lure. These files are often encrypted and packed to thwart detection by traditional signature-based solutions, and, therefore, require more advanced solutions to recognize malicious behavior, such as Websense ThreatScope™. Using the email attachment as an example, the ThreatScope™ Analysis Report nicely illustrates how the file sent requests to malicious hosts, as well as wrote further executable files to the local file system …
Call Home
(Stage 6 of the 7 Stages of Advanced Threats)
Once a victim’s machine has its malicious payload installed, it will attempt to “call home” and contact the C2 infrastructure to receive commands from those behind the campaign. Real-time detection of nefarious outbound communications, where a threat has not been caught at an earlier stage, can block this call home and prevent attackers from achieving their goals.
Data Theft
(Stage 7 of the 7 Stages of Advanced Threats)
The exfiltration of data—be that personally identifiable information (PII) from an individual, company confidential data, or even a list of potential royal baby names—is often the attackers’ endgame. Utilizing methods such as slowly “drip-feeding” data out of a compromised network or creating custom encryption routines to stay hidden, attackers attempt to steal data, which can then be used for further attacks or simply for criminal gain. Advanced data loss and theft prevention features, such as Drip DLP, OCR analysis, and the detection of custom encryption routines can be deployed to keep your data where it belongs and out of the hands of cyber-criminals.
Websense customers are protected by ACE, our Advanced Classification Engine, against emerging cyber-threats of this nature at multiple stages throughout the kill chain. While we await further official announcements regarding the Royal Baby, the Websense Security Labs™ team is monitoring developments and will post updates should further campaigns surface.
Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, recently noticed an increased use of custom-generated attachment file names, and some use of password-protected ZIP files. Emails with banking/financial themes are being sent with executables packed in ZIP files, with ZIP file names matching the intended recipient’s email user name. When the attachment runs on a victim’s computer, a Trojan from the Zbot P2P family is downloaded via a Pony loader. Zbot is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain.
We saw such a campaign on July 15, 2013, featuring subjects like “IMPORTANT Docs – WellsFargo” and “IMPORTANT Documents – WellsFargo”. Websense Cloud Email Security (CES) has detected and blocked over 80,000 instances of this campaign. We have proactively blocked similar cases since June 10.
Just as we were getting ready to publish, we noticed that Websense CES had proactively blocked another campaign, this time using fake emails pretending to be from Trusteer and trying to convince the victim to install an update for Trusteer Rapport software. Again, the attachment names are custom generated to match the recipient’s user name (or the first recipient in the case of multiples). So far we have blocked more than 36,000 variants of this latest campaign.
Let’s take a look at the campaign from July 15 first:
What’s unique to these campaigns compared with others we have blocked in the past is the custom-generated attachment name. The cyber criminals seem to be trying to come up with incremental improvements to enhance their effectiveness.
By automating file name creation and linking it to the intended recipient’s email username, they are presumably trying to socially engineer the potential victims to feel a little more at ease about opening the attachment. They might also be hoping to get around rudimentary blocking based on attachment file name. In the examples we’ve seen, the packed executable was the same across the same campaign burst. The potential victim first sees the ZIP file with their own unique name, so a search for the attachment file name in a search engine might not show anything suspicious.
A typical misleading icon (another common trait of malware used in email attacks) makes the attachment look like this when the folder option “Hide extensions for known file types” is selected:
Savvy users will display all file extensions, which will clue them to the suspicious nature of the attachment:
If we analyze the behavior of the attachment using Websense ThreatScope™, we can see the Pony loader module communicates to:
hxxp:// dharmaking.net/ponyb/gate.php on 64.94.100.116
which in this case is an empty POST transaction, since there was no harvested information to exfiltrate yet.
For the sake of curiosity, we can check out the admin login panel of the Pony loader on that page:
The Pony loader sends GET requests to download further executables from other locations:
hxxp:// liltommy.com/ep9C.exe 184.173.201.131
hxxp:// www.wineoutleteventspace.com/7UNFVh.exe 208.113.243.4
hxxp:// www.oh-onlinehelp.com/Pefyi.exe (suspended, not resolved)
hxxp:// video.wmd-brokerchannel.de/qAz575t.exe 213.148.99.220
It also includes communication to legitimate sites to mask its malicious activity.
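The following is an added example and not code from the Websense post: it matches the Pony loader indicators listed above (the gate.php check-in host, the payload hosts and their IPs) against proxy log lines and then reports which clients show both a check-in and a payload fetch. The log lines and the log format (timestamp, client IP, method, URL, status) are constructed assumptions, and the legitimate requests are there to mirror the point that the loader mixes its traffic with benign sites. Nothing here touches the network; the defanged hxxp:// indicators are written as plain http:// for string matching only.

```python
"""Added example (not from the Websense post): match the Pony loader
indicators listed above against proxy log lines.

Indicator values come from the post; the log lines and the log format
(timestamp, client IP, method, URL, status) are constructed assumptions.
Nothing here touches the network."""
import re
from urllib.parse import urlparse

C2_HOST, C2_PATH = "dharmaking.net", "/ponyb/gate.php"   # Pony check-in (empty POST)
PAYLOAD_HOSTS = {
    "liltommy.com", "www.wineoutleteventspace.com",
    "www.oh-onlinehelp.com", "video.wmd-brokerchannel.de",
}
PAYLOAD_IPS = {"64.94.100.116", "184.173.201.131", "208.113.243.4", "213.148.99.220"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic: one check-in, two payload fetches (one by IP), an
# .exe download from an unlisted host, and the benign requests the loader
# mixes in to blend with normal browsing.
SAMPLE_LOG = """\
2013-07-15T10:02:11Z 10.1.2.3 POST http://dharmaking.net/ponyb/gate.php 200
2013-07-15T10:02:12Z 10.1.2.3 GET http://liltommy.com/ep9C.exe 200
2013-07-15T10:02:13Z 10.1.2.3 GET http://www.microsoft.com/ 200
2013-07-15T10:02:14Z 10.1.2.3 GET http://example.org/update.exe 404
2013-07-15T10:02:15Z 10.1.2.3 GET http://208.113.243.4/7UNFVh.exe 200
2013-07-15T10:02:16Z 10.1.2.4 GET http://www.google.com/ 200
"""


def classify(line):
    """Verdict for one log line, or None when it matches no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if m["method"] == "POST" and host == C2_HOST and url.path == C2_PATH:
        return "pony-c2-checkin"
    if host in PAYLOAD_HOSTS or host in PAYLOAD_IPS:
        return "pony-payload-host"
    if m["method"] == "GET" and url.path.lower().endswith(".exe"):
        return "exe-download-unlisted-host"   # not an IOC hit, but worth a look
    return None


def scan(log_text):
    """Return [(client, url, verdict)] for every line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            hits.append((m["client"], m["url"], verdict))
    return hits


def infected_clients(hits):
    """Clients that both checked in to the C2 gate and fetched a payload."""
    by_client = {}
    for client, _, verdict in hits:
        by_client.setdefault(client, set()).add(verdict)
    return sorted(c for c, v in by_client.items()
                  if {"pony-c2-checkin", "pony-payload-host"} <= v)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, url, verdict in hits:
        print(f"{verdict:<28} {client} {url}")
    print("infected:", infected_clients(hits))
```

The unlisted .exe download is reported separately from confirmed indicator hits, so it can be triaged rather than blocked outright; the benign lines produce no verdict, which is exactly why the check-in plus payload pairing per client is a stronger signal than any single request.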
You can see the full ThreatScope report here.
Anti-virus detection at the time of the attack was dismal: only 4 out of 45 engines flagged the attachment.
Dropped executables are recognized as malicious by ThreatScope. See reports here and here.
And again, AV detection is minimal – 1 out of 47.
But as is the case most of the time, AV vendors eventually update their signatures, and 19 out of 47 now detect the dropped binary as a Zbot Trojan variant.
For comparison’s sake, we ran another ThreatScope report to see how our own analytics fared after they had a chance to update.
Here’s what we found:
As expected, some of the dropped files hosts are not responding anymore. But one actually delivered a new binary:
hxxp:// www.wineoutleteventspace.com/7UNFVh.exe
The ThreatScope report indicates that it is malicious, as seen here. In addition, Websense ACE™, our Advanced Classification Engine, had generic detection against it.
AV detection? 2 out of 47
We should also note that ACE updated the categorization of the Uncategorized hosts seen in the initial report:
hxxp:// dharmaking.net/ponyb/gate.php is now under Bot Networks.
hxxp:// dharmaking.net/ is now under Malicious Web Sites.
hxxp:// www.wineoutleteventspace.com is now under Malicious Web Sites.
See the updated report here.
In an older campaign example (June 14, 2013), we can see another feature that has been used frequently in the last few months.
Not only does the ZIP attachment file name match the recipient’s user name, it is also password protected, with the password supplied in the email body. This is an obvious attempt to get around automated analysis and further increase the window of exposure before security vendors update their detection for the malware variant.
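As an added example (not code from the Websense posts), the script below triages a message for the attachment tricks described above: a ZIP whose name matches the recipient’s user name, an executable hidden inside it, and a password-protected archive; it also catches the “image” that is really a Windows SCR executable from the Royal Baby post earlier on this page. The messages are built in memory, and the addresses, subjects and file names are constructed. The “password-protected” ZIP only has the encryption flag bit set in its headers so that it looks like one to an inspector; its data is not actually encrypted.

```python
"""Added example, not code from the Websense posts: triage a message for the
attachment tricks described above (ZIP named after the recipient, executable
inside it, password-protected archive) and for the 'image' that is really a
Windows SCR executable from the Royal Baby post. Messages are built in memory;
addresses, subjects and names are constructed; the 'password-protected' ZIP
only has its encryption flag set so it looks like one to an inspector."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
FAKE_PE = b"MZ" + b"\x00" * 62      # constructed: just the DOS header magic


def build_zip(entry_name, data, encrypted=False):
    """Single-entry ZIP; with encrypted=True, bit 0 of the general-purpose
    flags is set in the local and central headers (data stays in clear)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        cd = blob.find(b"PK\x01\x02")   # central directory header
        for off in (6, cd + 8):         # flag field offsets in the two headers
            blob[off] |= 0x01
    return bytes(blob)


def build_message(sender, recipient, subject, body, filename, payload):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def inspect_zip(data):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable ZIP"]
    reasons = []
    for zi in zf.infolist():
        if zi.flag_bits & 0x01:
            reasons.append(f"password-protected entry: {zi.filename}")
            continue                    # opaque without the password from the body
        if PurePosixPath(zi.filename).suffix.lower() in EXEC_SUFFIXES:
            reasons.append(f"executable inside ZIP: {zi.filename}")
        with zf.open(zi) as fh:
            if fh.read(2) == b"MZ":
                reasons.append(f"PE content inside ZIP: {zi.filename}")
    return reasons


def triage(raw):
    """Return [(attachment name, [reasons])] for each suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    local_part = parseaddr(str(msg.get("To", "")))[1].split("@")[0].lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        path = PurePosixPath(name.lower())
        reasons = []
        if local_part and path.stem == local_part:
            reasons.append("attachment named after recipient")
        if path.suffix in EXEC_SUFFIXES:
            reasons.append("executable attachment")
            if len(path.suffixes) > 1:
                reasons.append("double extension hides executable")
        if data[:2] == b"MZ":
            reasons.append("PE executable content")
        if data[:2] == b"PK":
            reasons += inspect_zip(data)
        if reasons:
            findings.append((name, reasons))
    return findings


def sample_messages():
    """Constructed messages modelled on the campaigns described above."""
    to = "jsmith@corp.example"
    return {
        "named-zip": build_message("alerts@bank.example", to, "IMPORTANT Docs - WellsFargo",
                                   "See attached.", "jsmith.zip",
                                   build_zip("IMPORTANT Docs - WellsFargo.exe", FAKE_PE)),
        "password-zip": build_message("alerts@bank.example", to, "IMPORTANT Docs - WellsFargo",
                                      "Password: 1234", "jsmith.zip",
                                      build_zip("docs.exe", FAKE_PE, encrypted=True)),
        "royal-baby-scr": build_message("news@cnn.example", to, "The Royal Baby",
                                        "Photo attached!", "royal_baby.jpg.scr", FAKE_PE),
        "benign": build_message("hr@corp.example", to, "Policy", "Attached.",
                                "policy.pdf", b"%PDF-1.4\n"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, triage(raw))
```

The content checks (the MZ magic, the ZIP signature) deliberately do not trust the file extension, which is the whole point of the icon and hidden-extension tricks; the password-protected case is reported as a finding in its own right, because an archive a gateway cannot open is exactly what the attacker wants and is reason enough to hold the message.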
The attachment (again hiding extensions for known file types) is displayed as:
Similar behavior can be seen in the ThreatScope report.
And again, AV is not quite up to speed.
See the dropped executables ThreatScope report, compared to VirusTotal at the time of attack, which is a little better at 18 out of 47.
The latest campaign, featuring fake Trusteer emails, has subject lines like:
Important Security Update : Customer 9382121
Here’s a sample:
As in the other samples, the attachments are named with a custom-generated file name that matches the user name of the first recipient. We can assume that, since Trusteer is a security software vendor, the cyber criminals hope potential victims will be less suspicious of an executable packed inside an attachment that purports to be a security update.
The behavior is similar to the samples above; see the ThreatScope report here, and compare with VirusTotal at 5/47.
For the dropped file, see the ThreatScope report; VirusTotal detection was 3/46.
It is interesting how simple some of the lures are, but the attackers might be getting enough monetary gain from using them and employing the small, incremental changes described above.
Simple social engineering techniques, known exploits, and known malware families are still being widely used in attacks large and small, because apparently they work.
Beyond user education, employing a multi-layered security product that combines multiple analytics could help prevent such attacks.
Websense has provided protection against this campaign in multiple stages. As an email attack carrying attachments, this campaign uses some of the stages outlined in our whitepaper describing the 7 stages of Advanced Threats.
Lures – Websense Cloud Email Security provides proactive protection against emails carrying executables or other suspicious attachments, based on multiple analytics.
Dropper File – Websense ThreatScope recognizes the malicious behavior of the dropper file.
Call Home – Websense ACE, our Advanced Classification Engine, blocks the Pony loader page via real-time analytics.
Dropped Files – ThreatScope recognizes the malicious behavior of the dropped executable files. In addition, ACE protects against the URL hosts.
Data Theft – Websense DLP (data loss prevention) tools can detect and stop the exfiltration of sensitive information, like the banking credentials and PII that Zbot targets.