Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then launch an executable from the user’s temp folder. The interesting bit is that it did not explicitly drop or download the executable; it was just supposed to be there somehow. Turns out the malicious executable was embedded into the document as a package and dropped by MS Office itself. For the full details read on.
Dridex is a botnet with multiple features, it is most known for stealing people’s credentials on finance-related web sites. Despite the arrest of the gang behind the Dridex malware campaigns, the samples keep popping up on our customers’ machines. And other research groups noticed that as well.
Most of the Dridex attacks we see were triggered by malicious Microsoft Word or Excel documents delivered through spam campaigns. Microsoft Office allows its users to create macros – scripts in Visual Basic for Applications (VBA). This feature is used by many companies as a quick and easy way to automate certain parts of their business workflow. Naturally, malware writers take advantage of it. They can create a macro that downloads and executes malware on the victim’s machine, trick a user into opening the document, and trick them into allowing the macro to run. This part of the attack is more in the field of social engineering, as attackers must convince a user to open a malicious email attachment and then convince them to allow macros (macros won’t run by default).
Microsoft tried to raise awareness earlier this year, but little seems to have been done since then as the spam campaigns featuring macro malware have increased and evolved to become more effective.
On Windows systems, before Windows 8.1 update 3, C code calling a function pointer used to be compiled to just a simple “call register” instruction; for example, in a 32-bit process:
Starting with Windows 8.1 update 3, in all system libraries, it is more complicated:
mov ecx, esi
Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we’ve found has been surprising. I’ve heard this situation called many things, and there’s one description that I can definitely agree with: it’s like Christmas for hackers.
“On the fifth day of Christmas Bromium sent to me a malware analysis B-L-O-G” – You
This is a very interesting situation we’ve found ourselves in. We have our hands on the code repositories of HackingTeam, and inside of them we’ve found the source code for a cross-platform, highly-featured, government-grade RAT (Remote Access Trojan). It’s rare that we get to do analysis of complex malware at the source-code level, so I couldn’t wait to write a blog about it!
For those paying attention to infosec news, it’s no secret that HackingTeam – a provider of exploits and malware to governments around the world – has been hacked. The hackers who hacked the hackers released a torrent with over 400GB of internal HackingTeam software, tools, write-ups, and, of course, 0-day exploits. One of the exploits we’ve come across was first exposed by the Twitter user @w3bd3vil, and is reminiscent of the “ActionScript-Spray” attack used in CVE-2014-0322 and first documented by Bromium researcher Vadim Kotov. In summary, CVE-2014-0322 used a UAF (use after free) vulnerability in Microsoft’s Internet Explorer to increase the size of an ActionScript Vector object, giving the attacker access to the heap of the process. HackingTeam’s exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine.
Note: before diving in, let’s remember that this is not a weaponized 0day, but a PoC that HackingTeam provided to customers, so we don’t have any malicious payload to accompany it; only a simple calc.exe pop.
In a typical drive-by-download attack scenario the shellcode would download and execute a malware binary. The malware binary is usually wrapped in a dropper that unpacks or de-obfuscates it and executes it. A dropper’s main goal is to launch malware without being detected by antiviruses and HIPS. Nowadays the most popular way of covert launching would probably be process hollowing. Recently we found a couple of curious specimens that do not follow this fashion. These cases are not new, but we thought they’re worth mentioning because we’ve been seeing quite a few of them lately.
Here at Bromium Labs, we’re always striving to further our knowledge of the rapidly-changing attack landscape that threatens our enterprise customers. Over the past few months, our dedicated team of researchers have collectively developed a severe chemical dependency on caffeine in search of a paradigm to clearly define this landscape in a way that could benefit the security community as a whole. What they came up with is truly groundbreaking, and will go down in history as “The ABC’s of APT.”
As we all know, the term APT refers to an “Advanced Persistent Threat.” In our research, we realized each APT has unique behavior, and casting them all under one umbrella can be a slippery slope towards people marrying their television sets. For this reason, we devised our own paradigm that strips the broad term “APT” from threat diagnoses and, instead, categorizes them using a more specialized spectrum. Surprisingly, this spectrum happens to encompass twenty-six distinct behaviors – each of which can be represented using one letter of the alphabet. And, thus, The ABC’s of APT were born. Without further blabbering, here’s our finished diagnosis table:
Gamers may be used to paying to unlock downloadable content in their favorite games, but a new crypto-ransomware variant aims to make gamers pay to unlock what they already own. Data files for more than 20 games can be affected by the threat, increasing what is already a large target for cybercriminals. Another file type that hasn’t been targeted before is iTunes-related. But first, let’s have a look at the initial infection.