Monthly Cyber Summary – Feb 2016
Giving you a taste of what Silobreaker has to offer, we’ve picked a selection of hacker groups, hacker ops and attack types that have been trending over the past month.
A new ransomware variant that’s caused quite a storm, Locky was picked up by Silobreaker in a Reddit post late on February 15th, and has now infected hundreds of thousands of computers around the world. It’s possible that Locky was behind the temporary shutdown of Hollywood’s Presbyterian Hospital.
Locky compromises computers via a malicious Word document attached to an email. When the document is opened, it asks the user for permission to run a macro (if macros are disabled). The macro then installs the ransomware, which encrypts the user’s files.
The base code for a very popular and dangerous set of mobile banking Trojans has been leaked online in the past month, making it highly accessible to all manner of fraudsters and cyber criminals.
According to X-Force researchers, the code for GM Bot was leaked onto an underground forum in December 2015, and is now available to download for free.
With the base code now easily obtainable, it is possible for individuals to recompile the code, create new malware variants and deploy existing Trojans in new scenarios.
GM Bot forms the code base for well-known banking malware such as Bankosy, Slembunk, Acecard and Slempo. It accepts a variety of remote commands, can intercept SMS messages and will inject fake overlay pages to collect login details. GM Bot originated from Russian criminal sources and has been very successful in targeting mobile banking apps, making the release of its base code onto the underground market something to keep close track of.
Android malware MazarBOT hit the news this month, chiefly for its well-reported ability to wipe the storage of infected phones. While it makes for a good headline, deleting files is probably the least worrying capability that Mazar possesses; identity theft or major financial damage are equally possible outcomes.
Users who run the malware’s .apk and give it the permissions it requests will essentially hand their phone over to Mazar’s controllers. The malware can read, write and send messages (including to premium numbers), inject itself into the Chrome browser, install additional apps, and manipulate web traffic.
MazarBOT was sent in record numbers to phones in Denmark, but it also made headlines for its (assumed) connection to Russia. The malware will delete itself automatically if it detects that the default language on infected phones is Russian, which has been taken to mean that its authors don’t want trouble from law enforcement in their own country.
It appears that the Guardians of Peace, infamous for the Sony Pictures Entertainment (SPE) attack, were merely the cover for a long running APT that researchers have dubbed The Lazarus Group.
Led by Novetta, specialists from major AV/security/analytics companies have released a report detailing their findings as part of Operation Blockbuster, an industry-wide effort to clarify and attribute the 2014 SPE attack.
It remains likely that the Lazarus Group is associated with North Korea, but TTP and YARA analyses have suggested that up to 45 families of malware are linked to Lazarus. This would mean that the group has been operating from around 2007.
Sons of the Caliphate:
A new hacking division loyal to the Islamic State (IS) has emerged in the past 30 days. Entitled Sons of the Caliphate (Army), the group has vowed to wreak destruction on those that seek to disrupt or prohibit IS’ cyber activity.
The new division debuted by launching a video titled ‘Flames of the Supporters’ in which they made death threats against Mark Zuckerberg and Twitter CEO Jack Dorsey. The threats were levelled after the social media bosses vowed to do more to combat the IS propaganda that circulates online.
Perhaps more importantly, the group also claimed to have compromised over 10,000 Facebook accounts and 5000 Twitter handles. The video showed ‘evidence’ of these claims, stating that the accounts had been hacked and control handed over to IS supporters.
The veracity of the group’s hacking claims has not yet been verified, and IS are often guilty of making grandiose statements that are later found to be false. This group has certainly succeeded in dominating news and disseminating propaganda, so expect further announcements and videos in the coming months.
The first Brazilian-Portuguese APT, known as Poseidon Group because of the mythological references found in their code, was discovered by Kaspersky researchers this month. They noted that malware produced and used by the group has been circulating since 2005, but it took many years to tie these samples to a single threat actor.
Poseidon Group has targeted a wide variety of companies and institutions, and operates in Russia, Brazil, France, the UAE, India, Kazakhstan and the United States. They appear to target Windows exclusively and have attacked at least 35 companies. It’s interesting to note that despite the advanced technical capabilities shown by Poseidon, they still use spear phishing to gain access to their targets.
Having compromised a target’s systems, Poseidon’s cash-out strategy is unique. After obtaining sensitive data via lateral movement across an organisation’s network, the group proceeds to extort the target and coerce it into maintaining a paid ‘business relationship’, leveraging the release of the data in question.
On Feb 15th a Glibc exploit became the hot topic within the cyber security community. Glibc, or the GNU C Library, is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware. Given the number of people at risk and the fact that this exploit could even allow remote code execution, this explosion of chatter isn’t particularly surprising.
The flaw, indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc’s client-side DNS resolver, which is used to translate human-readable domain names into network IP addresses. It can be exploited when an affected device or app queries a malicious DNS server, which then returns too much information in response to a lookup request and floods the program’s memory with code.
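A defender-side check for the condition described above, as an added example that is not part of the original summary: it parses DNS messages (including the 2-byte length framing used over TCP) and flags responses larger than 2048 bytes. The 2048-byte threshold is taken from the public advisories for CVE-2015-7547 rather than from this page, and the function names and sample messages are constructed for illustration.

```python
import struct

# Assumption: 2048 bytes is the size named in public advisories for
# CVE-2015-7547; the summary above only says "too much information".
OVERSIZE_THRESHOLD = 2048

def build_response(size, ident=0x1234):
    """Constructed sample: a DNS response header padded to `size` bytes."""
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    return header + b"\x00" * (size - len(header))

def frame(message):
    """Add the 2-byte big-endian length prefix used by DNS over TCP."""
    return struct.pack("!H", len(message)) + message

def split_tcp_stream(stream):
    """Split a DNS-over-TCP byte stream into its individual messages."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:      # incomplete trailing message
            break
        messages.append(body)
        offset += 2 + length
    return messages

def triage(message):
    """Classify one DNS message as malformed, query, oversized or ok."""
    if len(message) < 12:           # shorter than the fixed DNS header
        return "malformed"
    _ident, flags = struct.unpack("!2H", message[:4])
    if not flags & 0x8000:          # QR bit clear: a query, not a response
        return "query"
    if len(message) > OVERSIZE_THRESHOLD:
        return "oversized"
    return "ok"

def triage_tcp_stream(stream):
    """Triage every complete message in a DNS-over-TCP stream."""
    return [triage(m) for m in split_tcp_stream(stream)]

if __name__ == "__main__":
    stream = frame(build_response(120)) + frame(build_response(3000))
    print(triage(build_response(512)))
    print(triage_tcp_stream(stream))
```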
Malvertising, a portmanteau of ‘malicious advertising’, is an attack type that utilizes online advertising to spread malware and compromise machines. The standard tactic is to target legitimate but low-end advertising companies that promote adverts on popular websites. Malvertisers then inject those adverts with malware or redirectional code that directs a clicking user away from the intended website and towards a malicious site.
In the last month there have been a number of potentially dangerous malvertising campaigns that have compromised major websites. Arguably the most significant of these was the SmartyAds campaign, which has been used to post malicious ads to major sites such as TMZ and Rotten Tomatoes.
This campaign installed redirectional code into ads that sent users to landing pages compromised by the Angler Exploit Kit (AEK), which is frequently used to spread a variety of trojans and ransomware.
As with all malvertising, it is the severity of what the user is exposed to that determines how dangerous the adverts are. With SmartyAds directing users to the AEK, the danger of this campaign is significant.
In theory, MouseJack is a dangerous vulnerability that allows an attacker to gain remote control of a user’s keyboard input from up to 100 metres away. MouseJack was discovered by Bastille Networks, who realised that a set of wireless (non-Bluetooth) mice in the 2.4 GHz range did not encrypt traffic sent to a receiving dongle.
Because of this flaw, an attacker could send packets that mimicked a user left-clicking on their mouse, but actually contained the equivalent of keystrokes, allowing the attacker to ‘type’ commands into the target computer remotely. Compromised users could therefore be made to download and run any number of malicious executables, assuming that they remain logged in and AFK.
Wireless keyboards are not affected by MouseJack, and many developers have already rolled out firmware patches for their products. The original white paper and list of compromised mice is available here.
The Silobreaker Team