Ran Mosessco A new vulnerability related to the parsing of TIFF
images was found in the Microsoft Graphics component that affects
Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft published Security Advisory 2896666 explaining the …
Executive Summary
Details
A few days ago, researchers from Websense Security Labs™ were reviewing data in the Websense ThreatSeeker® Intelligence Cloud and noticed a very small volume email attack targeting companies dealing with currency transfer/exchange located in Asia. Countries that were affected were the UAE, Pakistan and Nepal, but it’s possible that other countries in the region were also targeted. The email messages were spoofing an email account that belongs to a remittance and currency exchange company. They were sent to recipients from the same company and a few other financial organizations in Asia. Some of the headers reveal they were most likely sent from compromised accounts in India and Pakistan. Websense Cloud Email Security proactively blocked the messages, and the data was stored in the ThreatSeeker Intelligence Cloud for review.
The messages carried a zip attachment containing an executable that is a variant of the Trojan.Zbot.
So how is this campaign different?
Normally, we see large-scale attacks sent using the Cutwail spambot, and the intended recipients are varied in location and industry. Frequently, we see these type of attacks sent to spamtrap addresses and even honeypot domains. The volume we see across the Websense ThreatSeeker Intelligence Cloud is tens of thousands or sometimes hundreds of thousands for each “brand” attack. In the small campaign we encountered, we saw about 10 instances and a few single references in non-delivery reports. All of the targets were related to the financial sector, and all were in Asia.
The small volume attack used plain text email with no attempt to clone the appearance of a known bank/financial organization (as is often done in large-scale attacks). The body of the message is simple and the grammar not very out of the ordinary. The subject is suspicious (notice the redundant zero):
Subject: FW: Urgent Money transfer USD $52,1000
The zip attachment contains an executable file named:
Transfer money.doc.exe:
If you look at the icon, you can see that it’s not the typical fake MS Office or Adobe Reader type of icon that we normally see in large-scale attacks. In this case, it seems like the icon uses obfuscation to get around signature-based detection, not a new technique, but less common in typical large-scale attacks these days.
The malware itself is a variant of a common Trojan. We will review a few highlights later in the text to show the similarities.
For now, let’s dig deeper into the email headers and see if we can get some additional information about the attack:
All the messages were being spoofed to appear to be coming from the same address (anonymized to protect customer information):
xm@custdomain1
The logs in Websense Cloud Email Security show that the spoofing was identified:
“The sender address is probably forged since its domain is configured in Hosted Email Security but the sending relay is not associated with that domain”
We had 10 messages, 1 non-delivery receipt (NDR), and one complaint from a recipient thinking custdomain1 was the actual address that sent them malware:
As we can see, the mail relays are all associated with hosting companies across multiple locations. So probably not much help there. When we examine the received lines in the headers, we can see that some have a user IP of 46.37.180.217 both on evirtualservers.net (Germany) and on ukfast.net (UK). However, checking that IP address leads to BurstNET Limited (UK), another hosting/cloud/data center company that has no direct connection to the attacks. A few messages appear to come through mail.altlastravels.com (atlastravels.com is a Travel company in India), which looks suspicious (notice the extra “l” added). Some messages had Anti-Abuse headers added. Let’s see if they give us more info (the user names have been anonymized):
We can see that the attackers might have used a few compromised accounts of companies in India and Pakistan. We can see that one of the messages was also intended for another currency exchange/transfer company in the UAE.
The intended recipients we see are on custdomain1, custdomain2 (UAE), smartexchange.ae (UAE), mcb.com.pk (Pakistan) and prabhumoneytransfer.com.np (Nepal). All are involved in financial transactions, so the content of the email might appear relevant. In addition, the tool, a banking Trojan, fits the job.
This attack seems a lot more targeted than what we see from the threat actors that use Zbot in large scale, but the motive seems to be the same: use of common crimeware for monetary gain.
Malicious Attachment Details
One of the most popular pieces of Crimeware, the Trojan.Zbot, is frequently used in large-scale email attacks, either as attachments, or using URLs leading to exploit kits that ultimately drop Zbot on the victim’s computer. Zbot can specifically target banking credentials and other personally identifiable information (PII).
Zbot (Zeus) source code was leaked in 2011, so it’s quite easy for cyber criminals to compile new variants to get around many AV solutions, before they close the detection gap.
At the time of the attack, the executable was not previously seen in VirusTotal.com. A day later we tested and saw some minimal AV coverage via generic heuristics, 13/47:
https://www.virustotal.com/en/file/8750c27c58467b1c05e9912ce80ecce524ff3c38/analysis/1378380234/
Here’s a summary of the Websense ThreatScope Analysis Report
The malware is requesting URLs that are already known to be related to Zbot in the past:
If we examine the behavior we can see created Mutexes* on shared memory, which have been associated with Zbot in the past:
gcc-shmem-tdm2-use_fc_key (successful)
gcc-shmem-tdm2-sjlj_once (successful)
gcc-shmem-tdm2-fc_key (successful)
* Mutex (Mutual Exclusions) are lock mechanisms used by software to control access to shared resources in order to prevent deadlock. They can be used to identify variants of known malware based on commonality. More on the subject can be found in this computer forensics blog on SANS.ORG
The attachment also drops a copy of itself in the user profile directory, and just as before, at the time of the attack, no VT info, a day later some minimal coverage, detection ratio 9/46:
Websense Protection
Since the attack uses email attachments, it corresponds with some of the stages outlined in our white paper describing the 7 stages of Advanced Threats.
Lures – Websense Cloud Email Security provides proactive protection against email carrying executables or other suspicious attachments, based on multiple analytics: In this case, the built-in AV engine had generic detection, but in addition, the ThreatSeeker Intelligence Cloud would have quarantined the messages even without AV detection, based on several attributes.
Dropper File – Websense ThreatScope recognizes the malicious behavior of the dropper file, Websense ACE, our Advanced Classification Engine, offers protection against the executable.
Call Home -ACE blocks the hosts associated with the call home functions.
Dropped Files – ACE protects against the URL hosts and blocks the files.
Data Theft – Websense DLP (data loss prevention) tools can detect and stop the exfiltration of sensitive information, like the banking credentials and PII that are targeted by Zbot.
Thanks to Victor Chin for helping with the binary analysis.
Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, recently noticed an increased use of custom-generated attachment file names, and some use of password-protected ZIP files. Emails with banking/financial themes are being sent with executables packed in ZIP files, with file names matching the intended recipient. When the attachment runs on a victim’s computer, a Trojan from the Zbot P2P family is downloaded via a Pony loader. Zbot is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain. We saw such a campaign on July 15, 2013, featuring subjects like “IMPORTANT Docs – WellsFargo” and “IMPORTANT Documents – WellsFargo”. Websense Cloud Email Security has detected and blocked over 80,000 instances of this campaign. We have proactively blocked similar cases since June 10. Just as we were getting ready to publish, we have noticed that Websense CES has proactively blocked another campaign, this time using fake emails pretending to be from Trusteer, trying to convince the victim to install an update for Trusteer Rapport software. Again, the attachment names are custom generated to match the recipient’s user name (or the first recipient in the case of multiples). So far we have blocked more than 36,000 variants of this latest campaign.
Let’s take a look at the campaign from July 15 first:
What’s unique to these campaigns compared with others we have blocked in the past is the custom-generated attachment name. The cyber criminals seem to be trying to come up with incremental improvements to enhance their effectiveness.
By automating file name creation and linking it to the intended recipient’s email username, they are presumably trying to socially engineer the potential victims to feel a little more at ease about opening the attachment. They might also be hoping to get around rudimentary blocking based on attachment file name. In the examples we’ve seen, the packed executable was the same across the same campaign burst. The potential victim first sees the ZIP file with their own unique name, so a search for the attachment file name in a search engine might not show anything suspicious.
A typical misleading icon (another common trait to malware used in email attacks) would cause the file attachment to look like this if the folder option “Hide extensions for known file types” is selected:
Savvy users will display all file extensions, which will clue them to the suspicious nature of the attachment:
If we analyze the behavior of the attachment using Websense ThreatScope™, we can see the Pony loader module communicates to:
hxxp:// dharmaking.net/ponyb/gate.php on 64.94.100.116
which is an empty Post transaction in this case, since there was no information to exfiltrate.
For the sake of curiosity, we can check out the admin login panel of the Pony loader on that page:
The Pony loader sends GET requests to download further executables from other locations:
hxxp:// liltommy.com/ep9C.exe 184.173.201.131
hxxp:// www.wineoutleteventspace.com/7UNFVh.exe 208.113.243.4
hxxp:// www.oh-onlinehelp.com/Pefyi.exe (suspended, not resolved)
hxxp:// video.wmd-brokerchannel.de/qAz575t.exe 213.148.99.220
It also includes communication to legitimate sites to mask its malicious activity.
You can see the full ThreatScope report here.
Anti-Virus detection at the time of the attack is pretty dismal, only 4 out of 45.
Dropped executables are recognized as malicious by ThreatScope. See reports here and here.
And again, AV detection is minimal – 1 out of 47.
But as is the case most of the time, AV vendors eventually update their signatures, and 19 out of 47 now detect the dropped binary as a Zbot Trojan variant.
For comparison sake, we decided to run another ThreatScope report, to see how our own analytics fared after they had a chance to update.
Here’s what we found:
As expected, some of the dropped files hosts are not responding anymore. But one actually delivered a new binary:
hxxp:// www.wineoutleteventspace.com/7UNFVh.exe
The ThreatScope report indicates that it is malicious, as seen here. In addition, Websense ACE™, our Advanced Classification Engine, had generic detection against it.
AV detection? 2 out of 47
We should also note that ACE updated the categorization of the Uncategorized hosts seen in the initial report:
hxxp:// dharmaking.net/ponyb/gate.php is now under Bot Networks.
hxxp:// dharmaking.net/ is now under Malicious Web Sites.
hxxp:// www.wineoutleteventspace.com is now under Malicious Web Sites.
See the updated report here.
In an older campaign example (June 14, 2013), we can see another feature that has been used frequently in the last few months.
Not only does the ZIP attachment file name match the recipient’s user name, it is also password protected, with the password supplied in the email body. This is an obvious attempt to get around automated analysis and further increase the window of exposure before security vendors update their detection for the malware variant.
The attachment (again hiding extensions for known file types) is displayed as:
Similar behavior can be seen in the ThreatScope report.
And again, AV is not quite up to speed.
See the dropped executables ThreatScope report, compared to VirusTotal at the time of attack, which is a little better at 18 out of 47.
The latest campaign, featuring fake Trusteer emails, has subject lines like:
Important Security Update : Customer 9382121
Here’s a sample:
As in the other samples, the attachments are named with a custom generated file name that matches the username of the first recipient. We can assume that since Trusteer are a software company, the cyber criminals are trying to lure potential victims to be less suspicious of the executable packed inside the attachment.
Similar behavior to above samples, see ThreatScope report here, and compare to Virus Total at 5/47
Dropped file ThreatScope report, Virus Total at 3/46
It is interesting how simple some of the lures are, but the attackers might be getting enough monetary gain from using them and employing the small, incremental changes described above.
Simple social engineering techniques, known exploits, and known malware families are still being widely used in attacks large and small, because apparently they work.
Beyond user education, employing a multi-layered security product that combines multiple analytics could help prevent such attacks.
Websense has provided protection against this campaign in multiple stages. As an email attack carrying attachments, this campaign uses some of the stages outlined in our whitepaper describing the 7 stages of Advanced Threats.
Lures – Websense Cloud Email Security provides proactive protection against emails carrying executables or other suspicious attachments, based on multiple analytics.
Dropper File – Websense ThreatScope recognizes the malicious behavior of the dropper file.
Call Home – Websense ACE, our Advanced Classification Engine, blocks the Pony loader page via real-time analytics.
Dropped Files – ThreatScope recognizes the malicious behavior of the dropped executable files. In addition, ACE protects against the URL hosts.
Data Theft – Websense DLP (data loss prevention) tools can detect and stop the exfiltration of sensitive information, like the banking credentials and PII that Zbot targets.