Low Volume, High Payoff Attacks Target Financial Services Industries in Asia

Executive Summary

  • Malicious email found targeting financial institutions in the Middle East, Pakistan, and Nepal.
  • Very low volume and advanced penetration techniques applied aiming for stealthy payoff.
  • Websense®  ThreatScope™ sandboxing reveals the attack most likely seeks monetary gain through the use of a banking Trojan variant.

 

Details

A few days ago, researchers from Websense Security Labs™ were reviewing data in the Websense ThreatSeeker® Intelligence Cloud and noticed a very small volume email attack targeting companies dealing with currency transfer/exchange located in Asia. Countries that were affected were the UAE, Pakistan and Nepal, but it’s possible that other countries in the region were also targeted. The email messages were spoofing an email account that belongs to a remittance and currency exchange company. They were sent to recipients from the same company and a few other financial organizations in Asia. Some of the headers reveal they were most likely sent from compromised accounts in India and Pakistan. Websense Cloud Email Security proactively blocked the messages, and the data was stored in the ThreatSeeker Intelligence Cloud for review.

The messages carried a zip attachment containing an executable that is a variant of the Trojan.Zbot.

 

So how is this campaign different?

Normally, we see large-scale attacks sent using the Cutwail spambot, and the intended recipients are varied in location and industry. Frequently, we see these type of attacks sent to spamtrap addresses and even honeypot domains. The volume we see across the Websense ThreatSeeker Intelligence Cloud is tens of thousands or sometimes hundreds of thousands for each “brand” attack. In the small campaign we encountered, we saw about 10 instances and a few single references in non-delivery reports. All of the targets were related to the financial sector, and all were in Asia.

The small volume attack used plain text email with no attempt to clone the appearance of a known bank/financial organization (as is often done in large-scale attacks). The body of the message is simple and the grammar not very out of the ordinary. The subject is suspicious (notice the redundant zero):

 

Subject: FW: Urgent Money transfer USD $52,1000

 

 

The zip attachment contains an executable file named:

Transfer money.doc.exe:

 

If you look at the icon, you can see that it’s not the typical fake MS Office or Adobe Reader type of icon that we normally see in large-scale attacks. In this case, it seems like the icon uses obfuscation to get around signature-based detection, not a new technique, but less common in typical large-scale attacks these days.

The malware itself is a variant of a common Trojan. We will review a few highlights later in the text to show the similarities.

 

For now, let’s dig deeper into the email headers and see if we can get some additional information about the attack:

All the messages were being spoofed to appear to be coming from the same address (anonymized to protect customer information):

xm@custdomain1

The logs in Websense Cloud Email Security show that the spoofing was identified:

“The sender address is probably forged since its domain is configured in Hosted Email Security but the sending relay is not associated with that domain”

 

We had 10 messages, 1 non-delivery receipt (NDR), and one complaint from a recipient thinking custdomain1 was the actual address that sent them malware:

 

 

 

 

As we can see, the mail relays are all associated with hosting companies across multiple locations. So probably not much help there. When we examine the received lines in the headers, we can see that some have a user IP of 46.37.180.217 both on evirtualservers.net (Germany) and on ukfast.net (UK). However, checking that IP address leads to BurstNET Limited (UK), another hosting/cloud/data center company that has no direct connection to the attacks. A few messages appear to come through mail.altlastravels.com (atlastravels.com is a Travel company in India), which looks suspicious (notice the extra “l” added). Some messages had Anti-Abuse headers added. Let’s see if they give us more info (the user names have been anonymized):

 

 

 

 

We can see that the attackers might have used a few compromised accounts of companies in India and Pakistan. We can see that one of the messages was also intended for another currency exchange/transfer company in the UAE.

The intended recipients we see are on custdomain1, custdomain2 (UAE), smartexchange.ae (UAE), mcb.com.pk (Pakistan) and prabhumoneytransfer.com.np (Nepal). All are involved in financial transactions, so the content of the email might appear relevant. In addition, the tool, a banking Trojan, fits the job.

This attack seems a lot more targeted than what we see from the threat actors that use Zbot in large scale, but the motive seems to be the same: use of common crimeware for monetary gain.

 

Malicious Attachment Details

One of the most popular pieces of Crimeware,  the Trojan.Zbot, is frequently used in large-scale email attacks, either as attachments, or using URLs leading to exploit kits that ultimately drop Zbot on the victim’s computer. Zbot can specifically target banking credentials and other personally identifiable information (PII).

Zbot (Zeus) source code was leaked in 2011, so it’s quite easy for cyber criminals to compile new variants to get around many AV solutions, before they close the detection gap.

At the time of the attack, the executable was not previously seen in VirusTotal.com. A day later we tested and saw some minimal AV coverage via generic heuristics, 13/47:

https://www.virustotal.com/en/file/8750c27c58467b1c05e9912ce80ecce524ff3c38/analysis/1378380234/

 

Here’s a summary of the Websense ThreatScope Analysis Report

 

 

 

 

The malware is requesting URLs that are already known to be related to Zbot in the past:

 

If we examine the behavior we can see created Mutexes* on shared memory, which have been associated with Zbot in the past:

gcc-shmem-tdm2-use_fc_key (successful)

gcc-shmem-tdm2-sjlj_once (successful)

gcc-shmem-tdm2-fc_key (successful)

* Mutex (Mutual Exclusions) are lock mechanisms used by software to control access to shared resources in order to prevent deadlock. They can be used to identify variants of known malware based on commonality. More on the subject can be found in this computer forensics blog on SANS.ORG

 

The attachment also drops a copy of itself in the user profile directory, and just as before, at the time of the attack, no VT info, a day later some minimal coverage, detection ratio 9/46:

https://www.virustotal.com/en/file/f0937ba9cb179dfc8075e1b545e6fccb15a79d4bf784382be3d75a049884738f/analysis/1378380235/

 

Websense Protection

Since the attack uses email attachments, it corresponds with some of the stages outlined in our white paper describing the 7 stages of Advanced Threats.

Lures – Websense Cloud Email Security provides proactive protection against email carrying executables or other suspicious attachments, based on multiple analytics: In this case, the built-in AV engine had generic detection, but in addition, the ThreatSeeker Intelligence Cloud would have quarantined the messages even without AV detection, based on several attributes.

Dropper File – Websense ThreatScope recognizes the malicious behavior of the dropper file, Websense ACE, our Advanced Classification Engine, offers protection against the executable.

Call Home -ACE blocks the hosts associated with the call home functions.

Dropped Files – ACE protects against the URL hosts and blocks the files.

Data Theft – Websense DLP (data loss prevention) tools can detect and stop the exfiltration of sensitive information, like the banking credentials and PII that are targeted by Zbot.

 

 

Thanks to Victor Chin for helping with the binary analysis.

New Java and Flash Research Shows a Dangerous Update Gap

Today we’re
continuing our Java security research series by analyzing other plug-ins,
browser extensions and rich internet applications that are commonly exploited.

 

Our previous
research
indicated that the current state of Java affairs isn’t pretty. At
that time, ninety-three percent of enterprises were vulnerable to known Java
exploits. Nearly 50 percent of enterprise traffic
used a Java version that was more than two years out of date. Through Websense ThreatSeeker Intelligence
Cloud analysis we now discover:

 

  • Only 19 percent of enterprise Windows-based
    computers ran the latest version of Java (7u25) between August 1-29, 2013.
  • More than 40 percent of enterprise Java requests
    are from browsers still using outdated Java 6. As a result, more than 80
    percent of Java requests are susceptible to two popular new Java exploits:
    CVE-2013-2473 and CVE-2013-2463.
  • 83.86 percent of enterprise browsers have
    Java enabled.
  • Nearly 40 percent of users are not running the
    most up-to-date versions of Flash.
  • In fact, nearly 25 percent of Flash
    installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.

 

Our in-depth
analysis ran for one month, across multiple verticals and industries. We
surveyed millions of real-world web requests for Java usage through our global
Websense ThreatSeeker Intelligence Cloud. 

 

New Java Exploits and the Neutrino Exploit
Kit

New Java
exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting
computers running outdated versions of Java. It’s clear the cybercriminals know
there is a Java update problem for many organizations.

 

For example, Websense ThreatSeeker Intelligence Cloud noticed an
uptick in new hosts running the Neutrino exploit kit in the first and second
weeks of August 2013. This could be attributed to Neutrino’s addition of
Java-based code execution exploits including CVE-2013-2463, which is based on AWT/2D vulnerabilities
and affects all Java 6 users (tip of the hat to F-Secure). Typically associated with ransomware payloads,
Neutrino is best known for its easy-to-use control panel and features that evade
AV and IPS systems.

 

Forty percent
of Java 6 users are vulnerable to these new exploits and there are no software
patches in sight. Effective exploit kit delivery mechanisms, such as Neutrino, and unpatched vulnerabilities targeting Java 6 create a significant challenge
for organizations that have not updated to Java 7.

 

On the positive
side, our updated numbers show that enterprise IT is pushing out more Java
updates. Earlier this year, 70 percent of Java requests came from Java 6 users.
That figure has decreased to 40 percent.

 

Check out this previous blog post
on how Java plays a part within the Seven Stages of Advanced Attacks and our advice on Java remediation steps at this post.

 

Don’t Forget About Flash

Remember,
just a few years ago, Flash was a primary attack vector. As our research above indicates,
nearly 40 percent of users are not running the most up-to-date versions of
Flash. In the last three months, five security patches have been released for
Flash-and that number leaps to 26 over the course of the last year.

 

This is
exactly why real-time security models are absolutely essential. Even the best patch
management and traditional security tools simply cannot keep up with the ongoing barrage of
zero-day attacks and exploit kits being created.

 

We’ll keep
you posted as we conduct ongoing and future research on these critical systems
and programs. Stay tuned on the latest research and information on how to
mitigate these threats in future posts.