News

Starting from May 2016, Certego Threat Intelligence platform has been detecting multiple viral spam campaigns using a new evasion technique. These attacks are able to hide malicious attachments inside a specific area of the MIME/Multipart structure and to avoid Content Filtering controls.

Certego has also verified that few of the most common email clients and Web Mail services, using a different way of rendering the MIME/Multipart structure, are able to identify and extract the attachment, resulting in a Malware Evasion technique that we called BadEpilogue.

Analysis of the evasion technique

The picture at the top of the page shows a snippet of the source of a malicious email message.

Rows from 53 to 57 contain the end of the HTML message, while the attachment is located within an area that RFC2046 defines as Epilogue of a MIME/Multipart message, right after the final boundary of the Multipart message located at line 59 ending with the double “-” character.

According to RFC 2046, the message’s epilogue should not contain any useful text and, in particular, it should be ignored by MIME-compliant software:

NOTE: These "preamble" and "epilogue" areas are generally not used because of the lack of proper typing of these parts and the lack of clear semantics for handling these areas at gateways, particularly X.400 gateways. However, rather than leaving the preamble area blank, many MIME implementations have found this to be a convenient place to insert an explanatory note for recipients who read the message with pre-MIME software, since such notes will be ignored by MIME-compliant software.

In the attack, right after the closing boundary of the MIME/Multipart message and at the beginning of the Epilogue area, there is a new boundary (see line 61) that starts another Multipart section containing the malicious attachment.

Certego verified that many libraries used in Antispam and Antivirus systems to extract and analyze email attachments are unable to detect files hidden in the Epilogue area. On the other hand, popular email clients such as Outlook, Thunderbird and Evolution and also Web Mail services are able to detect the attachment and to show it to the user resulting in a new malware evasion technique.

Responsible Disclosure Policy

Certego decided to report this evasion technique to the developers of the email clients impacted by BadEpilogue. At the same time, we informed the vendors of major Antispam systems so that some of their Content Filters are ignoring attachments hidden in the Epilogue area.

So, we reported the technique to Microsoft and Mozilla. Microsoft has just released a patch for their email client in their last Security Bulletin (CVE-2016-3366 in the security bulletin MS16-107) fixing the vulnerability.

Talking about Antispam systems, Certego contacted Google and TrendMicro: both vendors confirmed the existence of the problem and promptly released a fix for it.

Detecting BadEpilogue using a SNORT signature

Certego also created the following Snort signature, that should detect all incoming SMTP messages exploiting the BadEpilogue evasion technique.

alert tcp any any -> $HOME_NET [25,587] (msg:"CERTEGO CURRENT_EVENTS Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; pcre:"/\x0d\x0a--(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{1,70})--(?:\x0d\x0a(?!--|\x2e|RSET).*)*\x0d\x0a--(?P=boundary)\x0d\x0a/"; reference:url,www.certego.net/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:9000501; rev:3;)

The campaigns

As mentioned, this evasion technique has been detected in the wild since May 2016, in at least eleven different campaigns exclusively targeting Italian users. These campaigns use messages written in a fluent Italian asking the user to open an attachment labeled as invoice or payment receipt. The attachment is in ZIP format and it contains a malware in PE EXE format. This attack pattern is typical of the so-called Viral Spam that has been prevalent until a few months ago, but it has now been deemed ineffective by antispam filters blocking ZIP files containing PE EXE. In this case, the BadEpilogue evasion technique allows the attacker to generate extremely effective campaigns that can reach a very high number of targets.

While the first campaigns were spreading a malicious attachment containing a Trojan Downloader of the Fareit family which downloaded a variant of the Andromeda Infostealer, the latest campaigns have started working mainly with ransomware and in the last few days we have observed a massive amount of emails containing Zlader.

The following picture shows the various campaigns using the BadEpilogue evasion technique as reported by our systems.

The following picture shows the geolocation of IP addresses used to spread the malicious emails. Spreading patterns seem to be related to a single botnet that is expanding and contracting over time. This seems to be confirmed also by the fact that so far only Italian users have been targeted by these attacks.

There are many ways to detect ransomware at the network level: some families check-in to their C&C before encrypting files, some send a report when they're done encrypting; other samples can be detected by the hash of a known SSL certificate, or by their .onion domain used to pay the ransom.

Some more indicators of compromise (IoC) could be used on the endpoint: ransomware often has a custom file extension for encrypted files (even if latest variants avoid doing so), and in addition leaves a trail of instruction files for the victim.

Those same endpoint IoCs can be used on the network to detect if the ransomware is encrypting files on mapped and unmapped SMB shares. Here are some template Snort/Suricata signatures valid for both SMB ( 0xA2 SMB_COM_NT_CREATE_ANDX command) and SMB2 (0x05 SMB2/Create command). SMB3 can not be covered because "unfortunately" it adds an encryption layer.

alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv1 (.EXT ASCII)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".EXT"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv1 (.EXT Unicode)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:".|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv1 (FILENAME.EXT ASCII)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"FILENAME.EXT"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv1 (FILENAME.EXT Unicode)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"F|00|I|00|L|00|E|00|N|00|A|00|M|00|E|00|.|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv2 (.EXT)"; flow:established,to_server; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:0; content:".|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000005; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv2 (FILENAME.EXT)"; flow:established,to_server; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:0; content:"F|00|I|00|L|00|E|00|N|00|A|00|M|00|E|00|.|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000006; rev:1;)

What follows is just an example of how those template signatures could be used for older Locky and CryptoFortress samples. More ransomware families could be easily added or updated to reflect latest changes (the old cat and mouse game).

CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv1 (.locky ASCII)
CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv1 (.locky Unicode)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv1 (_HELP_instructions.txt ASCII)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv1 (_HELP_instructions.txt Unicode)
CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv2 (.locky)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv2 (_HELP_instructions.txt)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv1 (.frtrss ASCII)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv1 (.frtrss Unicode)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv1 (READ IF YOU WANT YOUR FILES BACK.html ASCII)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv1 (READ IF YOU WANT YOUR FILES BACK.html Unicode)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv2 (.frtrss)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv2 (READ IF YOU WANT YOUR FILES BACK.html)

Abstract
In the last few days, since October 7, 2015, Certego's spamtrap started analyzing three different malware campaigns targeted to Italian users. All three campaigns are using a JavaScript downloader called JS/Nemucod, which is attached directly to the emails inside a ZIP file. When the user opens the zip file and double clicks the JavaScript, the default file type associations in Windows will cause Internet Explorer to open and execute the JavaScript.

Campaigns
We were able to identify three different campaigns, all of them being targeted specifically at Italian users: in all cases, emails were written in Italian, and so was the PDF document used as a decoy.

Campaign 0710TIT
This campaign started hitting our mailboxes on October 7. Some examples of attachment names are:

fattura_28234_del_07_10_2015.zip

Some examples of the JavaScript files inside the zip are:

fattura_del_07_10_2015_no_45859260.js
fattura_no_757961.js

The variant of JS/Nemucod used in this campaign is employing two different layers of obfuscation, both of them using a simple bitwise XOR with a 12 to 14-byte long key. In the first layer, all the JavaScript code is obfuscated; the second layer only obfuscates the domain names of the Command & Control servers.

Once executed, Nemucod will instantiate three different ActiveX controls: WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream. To make a long story short, Nemucod will use them to save an executable file to the temporary folder %TEMP% and to run it; right after that, Nemucod will open a legitimate PDF file in the browser: this document is uses as a decoy to let the user believe they're actually viewing a real invoice, as shown below.

This version of the JavaScript file downloads a simple EXE file which is then invoked directly in the background through the WScript.Shell ActiveX control. Right after that, the malware opens the decoy PDF document through the ADODB.Stream ActiveX control.

Campaign 0810DTIT
This campaign started hitting our sandbox on October 8. Attachment names are very similar to the first campaign:

fattura_82902_del_08_10_2015.zip

Even the JavaScript files are pretty much the same:

fattura_del_08_10_2015_no_7075701.js
fattura_no_9526.js

However, this second campaign does not download an EXE file; instead, it downloads a DLL library which is then invoked by running rundll32.exe through the WScript.Shell ActiveX control. The DLL's entry point is the non-standard function name "DLLRegisterServer". Once again, right after that, the malware uses the ADODB.Stream ActiveX control to open the decoy PDF file.

Campaign 1410DTIT
The last campaign started hitting our sandbox early this morning, even if its name suggests that it probably started yesterday. This campaign uses a different naming for both the compressed file and its content, some examples being:

copia_del_contratto.zip
info11_53343060.js
documento_7466.js
iscrittura_45568664.js
informazioni_5022.js

This campaign also downloads a DLL library which is invoked through rundll32.exe; the entry point is still "DLLRegisterServer" and the decoy PDF document is always the same.

The payload
Execution of these campaigns in our Sandbox showed that the executable files downloaded by Nemucod are used to retrieve a Trojan Downloader called Fareit or Pony Downloader, which in turn downloads another set of executable files containing the Gozi infostealer. Interestingly enough, the computer is rebooted after a few instants, and Gozi starts phoning home only after the reboot. This technique may be used to avoid detection in sandboxed environments.

Trivia
It looks like the bad guys made some mistakes in the setup of the Command & Control servers used by Nemucod. During our analyses we found out that sometimes the servers were replying with a HTTP header indicating that the file being server was an application/x-dosexec; but better analysis of the payload only showed an internal error generated by the script that probably packs the file before serving it, as shown in the following picture.

IOCs
Nemucod's C&C domains from the first campaign (0710TIT):

dcmyx.com
ibmdatacap.com
www.landtourjapan.com
thevillageveterinaryhospital.com
majorcase.org
albirtchad.org 
czarplast.com 
www.yurtmobilyalari.net
jlinksms.com 
alberchad.org

Second campaign (0810DTIT):

bugrasilte.com
skbmw.com
wellnessherbal.com
istanbulklima.org
sieumaukimdung.com
skbmw.com

Third campaign (1410DTIT):

erikssonelectric.com
sieumaukimdung.com 
www.landtourjapan.com
albirtchad.org 
creativefoodstylist.com 
wellnessherbal.com 
belarusstudy.com 
adenyaoteleet.com 
tripsnepal.com

C&Cs for Gozi and Fareit/Pony Downloader

famoussuperstars.ru
torpedazil.ru
gofermertoop.ru
109.120.142.168
109.120.155.30
83.69.230.16

Snort signatures
The following Snort signatures should help detect the execution of Nemucod; the first two of them will detect any request that looks like Nemucod's italian campaigns; the third and fourth will detect the server returning an executable or the decoy PDF. 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CERTEGO MALWARE JS/Nemucod.M.gen requesting EXE payload"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; content:!"pdf="; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/U"; flowbits:set,CERTEGO.nemucod.exerequest; classtype:trojan-activity; sid:9000101; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CERTEGO MALWARE JS/Nemucod.M.gen requesting PDF payload"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"pdf="; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/U"; flowbits:set,CERTEGO.nemucod.pdfrequest; classtype:trojan-activity; sid:9000102; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CERTEGO MALWARE JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,CERTEGO.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:9000103; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CERTEGO MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,CERTEGO.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; classtype:trojan-activity; sid:9000104; rev:1;)

UPDATE 2015-10-16

A better look at yesterday's traffic showed that the new campaigns were actually two: one with ID 1410DTIT and the other with ID 14IT10M. Looking at timestamps shows that 14IT10M was probably released a few hours after 1410DTIT. Both campaigns are already covered by the Snort signatures that we released yesterday, and that have been included in today's release by Emerging Threats. 

A few hours ago Certego's Incident Response Team detected a malware campaign serving a new Ransomware variant through Nuclear Pack Exploit Kit.

Compromised web sites redirect the user to the Exploit Kit's first step, located at IP address 85.143.218 .208. The domain name used for this first step varies over time, and some of the variants we saw are:

mexicoss.everythingcannabis .biz
shift.boutiqueeuphoria .com

The resource name, instead, does not seem to change:

/customerss/detect.js

The second step is located at IP address 62.76.180 .20 and some of the domain names we saw are:

actually.murdererswelcome .com
utah.murwel .com

In this case, the resources seem to mimic the behaviour of a search engine:

/search?q=...

Flash SWF exploit

The Exploit Kit serves a Flash SWF file with a 0/56 detection rate on VirusTotal.

The execution of this exploit causes the download of a payload that is obfuscated by running a byte-wise XOR with a 7 bytes long key, as shown in the picture below.

Encoded payload

Deobfuscation is pretty simple and leads to a PE file (Windows executable) that has a pretty low detection rate on VirusTotal (2/56), with only AhnLab-v3 and SUPERAntiSpyware detecting it as malicious.

But what does this malware do? Execution on Certego's sandbox shows it will encrypt all of the files on the affected PC, renaming them in the form:

<original_name>.id-<id-number>_<email>

with <original_name> being the original file name, <id-number> being a unique ID the malware gives to each victim, and <email> being the address to contact to get the decryption instructions.

Ransomware effects

The most peculiar characteristic of this ransowmare is the fact that it does not give you clear instructions for the payment: it simply renames all your files, and you'll have to be smart enough to understand that all you have to do is to contact the email address you see appended in your file names. The fact that almost no antivirus solution is still able to correctly detect this ransomware shows that it's probably a brand new piece of malware. We still haven't analyzed it, so we still cannot say anything, but right after being executed, the malware makes a single POST request to the following site:

http://permanencez .com/script.php

The content of the POST request and the subsequent server response are shown below.

Malicious POST to C&C

Basically, the malware sends its C&C server a unique ID, the hostname of the infected machine, the whole string appended to the file names (using the format shown above) and a number that appears to be randomly generated. The server answers with a binary string that may contain the encryption key - but we still have to verify this point. They also seem to be using one or more Squid instances as reverse proxies to hide the real C&C's address.

The exploit kit can be detected by using the following two Emerging Threats Snort/Suricata signatures:

ET CURRENT_EVENTS Nuclear EK Exploit URI Struct Aug 12
ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2

However, the download of the XOR-ed payload and the malware's request to the above mentioned C&C Server do not seem to trigger any alert on Snort at the moment.

Andromeda/Gamarue bots are routinely used as backdoors to infected systems and can also be vectors for downloading different malicious payloads.

Over the last few weeks we noticed the resurgence of a particular spam campaign that is distributing Andromeda/Gamarue to Italian domains, with a couple of bursts in the last 20 days but also going back to April and May 2015.

adromeda_spam.png

Our systems collected more than 4000 unique emails with malicious attachments that can be linked to Andromeda with an ultimate goal of distributing two particular families of financial malware. Spam relays linked to this campaign are primarily located in Europe with a strong focus on Spain and Italy.

spam_servers.png

The attachments (ZIP archives) have been crafted using names that resemble standard Italian business documents, but actually they are executable files compromising the system. As previously reported, the malicious executable creates a new msiexec.exe process and injects code into it, then it joins the Andromeda botnet by connecing to the C&C 93.115.38[.]134 using an RC4-encoded JSON.

In the second stage of infection, we have observed the download of one or two different payloads: Citadel (“ssdc32716372” gang) or Gozi/Ursnif (a recent variant, see here and here). In the recent past, other Andromeda botnets have been detected, one of them dropping Lethic malware instead of infostealers.

On June, 24th we also identified a different sample having the same behaviour but targeting German users. That sample is using a different Command and Control server 5.9.253[.]153.

Some IOCs we have identified so far:

MD5 hashes

0290d35ab5caad08a51034bb09c4d023
21435848d62a094ecd30b8128fd6209b
238d4107ede2bc48b3372a62bfd8d5cd
28e01a0e29155e5b993dff915acea976
2ec3bd331846e717a80efb7c33682c6f
30441510bcc4123dd0f0cf211bdc104b
3d3188e83f64ed6ae2a14896f9a1eade
4f011d0d9abac35c7d1125b754730a43
589632bd743554004afc24ecc0b13834
5c59eeb9b1762c4af5c89226262b6327
7fa569b2ccd73da52a181918367d986e
879f701d990e54acf14614090cdd255d
8c4105ebcd57be6de710d0094efbc32a
8e0f37f2d36aada0ba87f5e66a3c27ff
a693f356384bbf61258688563ea843b9
af911be206423bf440ea9d4df075a632
b5c36f29948fb76c31fb045652abcac2
dabac137f4e1a7a33072c6c08f7abe55
ef947b2c2c36b76a0ceb87880654206c
f2bed8f637dfd4a07850a699a983a311

Attachment names

349-fattura-dal-13-05-2015-creata-automaticamente-sistema-automatica.exe
DSC_0101_0111[jpg].jpeg-.exe
FATT. 130-2015 SRL noleggio_pdf_.exe         
FT. 118 - 2015 srl noleggio _docx_.doc.exe
MMS_Email_N_8900277.jpeg_.exe
booking_hotel_confirmation.pdf_.exe 
fatt._130-2015_srl_noleggio_pdf_.exe
fattura Tiscali numero 026778844.pdf.exe             
fattura-100543246-sistem-genereted-verified.exe   
ft._118_-_2015_srl_noleggio__docx_.doc.exe     
ihre_rechnung_vom_24062015_als_pdf_.exe
img_005_apr2015.jpeg.exe                 
info_bank_pdf_xglapuk.exe 
large_2_03_06_2015jpgjpeg.exe

Dropped files
Seemingly random, regexp: KB[0-9]{8}\.exe

KB07341263.exe    (896dec6dd2e1190aa69e3f19bd7c00c9)
KB21743115.exe    (f7c776865c6e202a19a590e063303016)
KB21746240.exe    (1c04d9fac2fdc1017b8443de81dabc3c)
KB33798926.exe 	  (2d11c7b7d7b418a45a30cf4ba4e938d8)
KB07887278.exe 	  (1df302a42144ad240f7b0ee8b165840f)
KB36135815.exe	  (ebb7e22d4a10cbed0d6f1a5be3163078)

Command and Control servers

hxxp://93.115.38 .134/new/stats.php    (Italian campaign)
hxxp://5.9.253 .153/new/stats.php      (German campaign)

In the last few days Certego identified and analyzed a new spam campaign that targeted italian domains. This campaign is spreading a variant of the Dridex financial malware which is loaded with operational intelligence that is effective against many Italian banks. Dridex is not new nor original software, as it belongs to the famous Zeus family, being derived from one of Zeus descendant known as Cridex or Feodo. It uses a command and control system based on traditional web servers via plain HTTP. The spreading technique itself is not particularly sophisticated, as it uses an Office document, in this case an Excel file, that is attached to spam email messages. The document contains a series of VBScript macros, which execution is usually disabled by default in Office products, just because in the past the same method was widely used to convey malicious programs. It therefore seems even more surprising that, despite the notifications that alert the user about the potentially dangerous consequences of their actions, this block is voluntarily removed to be able to open the attachment. Once again the most basic social engineering techniques are enough to induce a careless behaviour that can have very serious consequences.

The campaign analyzed by Certego uses email messages in English, with the subject "Order T / N: CL0943_744". One of the sender is "Mariana Holland, State Department <6607@ttnet.com.tr>". The body of the email is as follows:

"Your order is ready for collection at your chosen store.View full order details T / N: CL0943_744 in attached document."

The attachment is an excel file containing different macros,  a sequence of statements in VBScript that have the task of downloading the malware itself from a public site and of running it. Macros are heavily obfuscated in an attempt often successful of circumventing antivirus checks. The following image shows the VBScript procedure used to execute a command using the system shell.

As we see, the command is a heavily obfuscated string, which is processed by a further subroutine that returns the cleartext version of the command to be executed. This second subroutine, from wich we have removed some jump code for clarity, is shown in the following screenshot.

This function only takes the odd characters of the obfuscated string, and the end result is visible in the last image below.

The macro downloads a file "sspidarss.cab" from the IP address 134.19.180 [.] 144, then decompresses it and launches the executable content.

Once installed on your system Dridex uses, like all other Zeus variants, a configuration file that contains the "instructions" on the actions to take when it detects that a browser on the infected machine is visiting a specific web page belonging to a targeted bank. In the latest sample we analyzed, as we posted Friday on Twitter and Pastebin, there were about forty new Italian targets , including some major banks and e-commerce portals.

Dridex can intercept  communications with your home banking portal, and possibly steal login credentials or manipulate transactions in order to commit fraud. The only effective defense is a sufficient awareness and preparation of users, that must avoid the opening of suspicious attachments. In the case we have shown, the email you may receive in your inbox should ring many alarms: it comes from an unknown and implausible sender, it refers to a purchase you have never done, and it requires you to disable Office macros protection in order to be able to open the attachment. If you already fell to the trick and became infected, you must be aware of unnecessary sensitive data that your usual home banking portal may ask you to input at login or during transactions.

Certego Threat Intelligence can help the affected institutions to identify suspicious transactions carried out by malware compromised devices and block fraud transactions.

Image from: www.net-security.org

In the last few days, Certego threat monitoring systems detected a malware distribution campaign affecting several forums hosted on italian domains.

How it works

The affected forum sites have been previously compromised, possibly exploiting vulnerabilities in software platforms used for forums management, namely vBulletin version 4.1.9 and IP Board version 3.4.6. Users who visit the forum pages are redirected to external sites to download the so called Nuclear Pack Exploit Kit, a software container that provides the ability to leverage several vulnerabilities on user machines in order to infect them and gain complete control. In this particular case, files in .swf format are used to exploit the latest Adobe Flash Player vulnerabilities.

All the forums identified by Certego as being compromised during this campaign have URLs in the following format:

http://[domain]/forums/threads/[id]-[slug]

with domains like:

[random_long_string].[domain]

For example, these are some of the domains used to distribute Nuclear Pack, albeit not all of them are still reachable and active:

72ni9v3j9chko9ak5u4uwhf.nostaljiyemekler [.] com
ey03cunzlam19kc1v9ee9jf.gumuspastabodrum [.] com
ftafyk9wkvu42523ju20iri.devletdestegi [.] com

We also identified some of the IP addresses on which the malicious domains are are hosted, in example:

195.154.166[.]120
213.238.168[.]139
213.238.166[.]227

Some of the IPs as well are no longer reachable and may have been cleaned, but most of them are still active and dangerous.

A few of these IP addresses belong to Virtual Private Servers purchased specifically for the installation of Nuclear Pack Exploit Kit, while others, used only as the first step in the redirection chain, are more likely to be compromised hosts. Gaining the control of these servers in the first place has allowed the creation of sub-domains with random names used for the distribution of malware. As a matter of fact, this way the Exploit Kit is reachable only by knowing beforehand the subdomain used, and is therefore much more protected from accidental discovery.

Countermeasures

This attack exploits vulnerabilities in Flash Player, which therefore must be updated to the latest version If you suspect to be already compromised, you can try to remove the infection using the following free products:

A more radical solution is to uninstall the Flash plug-in browser, or to limit the operation selectively, as explained in this guide, but this must be carefully evaluated because of the impacts it may have on usability and user experience in a production environment.