Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Earlier this month, Cisco's Talos team published an in-depth report on the Angler exploit kit (EK) [1]. The report also documented Cisco's coordination with hosting providers to shut down malicious servers associated with this EK. The result? I've found far less Angler EK in the last two weeks.

Angler is still active, even if we're not finding as much as before, and other EKs remain a concern. CryptoWall 3.0 remains a popular payload. I've noticed CryptoWall 3.0 from Angler, Nuclear, and Rig EK in the past few days.

Let's look at some recent examples of EK traffic.

Nuclear EK

The URL structure for Nuclear EK has changed since my previous ISC diary about it last month [2]. The landing page URL (the initial HTTP GET request) has recently changed patterns. Previously, we'd seen the HTTP GET request start with /url?sa=, but now it's back to /search? followed by random characters. The images below show HTTP GET requests for Nuclear EK.
Shown above: Nuclear EK on a machine running IE 8 and outdated Flash player (sent one malware payload).
Shown above: Nuclear EK on a machine running IE 8 and outdated Flash player (sent two malware payloads).

In recent weeks, I've noticed at least two types of infection chains for Nuclear EK. The first type uses a gate with 052F in the URL. So far, I've seen ransomware payloads delivered by 052F Nuclear EK. Last month I saw TeslaCrypt 2.0 [3], and this month I've seen CryptoWall 3.0.

The other type of infection chain for Nuclear EK has no gate, and it's been delivering two malware payloads. This dual payload Nuclear EK activity is similar to what we saw in last month's diary on this EK [2].

I'm calling these two types of infection chains:

  • 052F gate Nuclear EK
  • Dual payload Nuclear EK

Traffic characteristics indicate these are different actors. Other actors are also associated with Nuclear EK, like the Windigo group [4], the BizCN gate actor [5], and (I assume) many more. This diary only covers the 052F and dual payload actors.

052F gate Nuclear EK sends CryptoWall 3.0

On 2015-10-14, a compromised server leading to the 052F gate had obfuscated javascript injected into the site.
Shown above: Some of the injected script in a page from the compromised website (the full length of the script is not shown).

The obfuscated javascript led to the 052F gate, which returned more obfuscated script.
Shown above: The traffic in Wireshark, filtered on HTTP requests, showing indicators of Nuclear EK.
Shown above: Alerts from a pcap of the traffic after using tcpreplay in Security Onion.

This CryptoWall 3.0 sample's bitcoin address for the ransom payment was

Nuclear EK sends its dual payloads

I've noticed this recent dual payload Nuclear EK actor since mid-September 2015 [2, 6, 7]. Code is injected near the end of the page, right before the closing body and HTML tags. There are several dozen blank lines before the malicious iframe leading to a Nuclear EK landing page. I recently saw this type of traffic again.
Shown above: Malicious code on a page from the compromised website.

After the Nuclear EK traffic, HTTP requests show a GET /harsh02.exe for follow-up malware, and we also see subsequent
Shown above: The traffic in Wireshark, filtered on HTTP requests, showing indicators of Nuclear EK.
Shown above: Alerts from a pcap of the traffic after using tcpreplay in Security Onion.
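
As an added example (not from the diary or from the author's own tools), this Python script scans a few constructed proxy log lines for the Nuclear EK indicators described above: the 052F gate, the older /url?sa= and the current /search?<random characters> landing page patterns, and the GET /harsh02.exe follow-up request. The log format, the host names and the length/entropy test used to recognise "random characters" are assumptions.

```python
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample proxy log lines (not from the diary): "client method url"
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised.example/index.html
10.0.0.5 GET http://gate.example/052F/go.php?id=7
10.0.0.5 GET http://ek.example/search?Kq8ZtR2vXm0aPwL9sYhB3cNdE6uFgJ4
10.0.0.5 GET http://old-ek.example/url?sa=t&rct=j&q=
10.0.0.5 GET http://www.example.com/search?q=wireshark+http+filter
10.0.0.5 GET http://payload.example/harsh02.exe
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; a run of pseudo-random characters scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify_url(url: str) -> Optional[str]:
    """Map one URL to an indicator named in the diary, or None.
    The length/entropy test for 'random characters' is an assumed heuristic."""
    path_query = re.sub(r"^https?://[^/]+", "", url)  # drop scheme and host
    if "052F" in path_query:
        return "052F gate"
    if path_query.startswith("/url?sa="):
        return "Nuclear EK landing page (older /url?sa= pattern)"
    m = re.match(r"^/search\?(.*)$", path_query)
    if m:
        q = m.group(1)
        # A real search query looks like key=value; Nuclear's tail is one random token
        if "=" not in q and len(q) >= 20 and shannon_entropy(q) > 3.5:
            return "Nuclear EK landing page (/search? pattern)"
    if path_query.endswith("/harsh02.exe"):
        return "dual payload follow-up (harsh02.exe)"
    return None

def scan_log(text: str) -> List[Tuple[str, str]]:
    hits = []  # (indicator, url) for every GET request that matches
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue
        tag = classify_url(parts[2])
        if tag:
            hits.append((tag, parts[2]))
    return hits
```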

Rig EK sends CryptoWall 3.0

On Tuesday 2015-10-13, I infected a Windows host through Rig EK and saw CryptoWall 3.0 as the payload. Pages compromised by this actor have injected script with an unobfuscated iframe leading to
Shown above: The traffic in Wireshark, filtered on HTTP requests, showing Rig EK and CryptoWall 3.0.
Shown above: Alerts from a pcap of the traffic after using tcpreplay in Security Onion.

This CryptoWall 3.0 sample's bitcoin address for the ransom payment was
Shown above: User checking decryption instructions on the infected Windows host.

Angler EK still out there, still sending ransomware

On Tuesday 2015-10-13, I generated an Angler EK infection and saw CryptoWall 3.0 as the payload [8]. Injected script from the compromised website is highly obfuscated, but it's quite
Shown above: The traffic in Wireshark, filtered on HTTP requests, showing Angler EK and CryptoWall 3.0.
Shown above: Alerts from a pcap of the traffic after using tcpreplay in Security Onion.

The bitcoin address for this CryptoWall 3.0 sample's ransom payment was 1yA3czfyuUeYHwgNZnvBSatU8Z7GJffj2

Shown above: User checking decryption instructions on the infected Windows host.

Final words

The exploit kit landscape can change quickly, and what's current this week may not be current the next. My field of view is limited, and this EK round-up is not comprehensive. I've also seen Neutrino EK recently [9], which is not documented in this diary. Furthermore, other EKs are still active, even though I haven't been covering them. Hopefully this diary reflects some of the more common EK traffic during the past week or so.

Links for the individual pcap files follow:

Below is a link for a zip archive containing all of the above pcaps:

Links for the malware follow:

Below is a link for a zip archive containing all the malware and artifacts:

The zip archives are password-protected with the standard password. If you don't know it, email [email protected] and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://talosintel.com/angler-exposed/
[2] https://isc.sans.edu/forums/diary/Recent+trends+in+Nuclear+Exploit+Kit+activity/20203/
[3] http://malware-traffic-analysis.net/2015/09/29/index.html
[4] https://isc.sans.edu/forums/diary/A+recent+decline+in+traffic+associated+with+Operation+Windigo/20065
[5] https://isc.sans.edu/forums/diary/BizCN+gate+actor+update/20209/
[6] http://malware-traffic-analysis.net/2015/09/18/index.html
[7] http://malware-traffic-analysis.net/2015/10/08/index.html
[8] http://malware-traffic-analysis.net/2015/10/13/index2.html
[9] http://malware-traffic-analysis.net/2015/10/13/index3.html

 
US DoD's Dc3dd v7.2.6 suffers from a Buffer Overflow vulnerability - Advanced Information Security Corporation - Zero Day Research
 


USB sticks have long been a mechanism for delivering malware to unsuspecting computer users. A booby-trapped flash drive, for instance, was the means by which the US and Israel reportedly infected Iran's Natanz uranium enrichment facility with the Stuxnet worm. And, in case anyone thought USB stick attacks had lost their novelty, last year's Bad USB proof-of-concept exploit delivered a highly programmable attack platform that can't be detected by today's defenses.

Now, a researcher who goes by the name Dark Purple has created a USB device that can permanently destroy much of a computer's innards, rendering the machine little more than an expensive doorstop. Within seconds of being plugged in, the USB stick delivers a negative 220-volt electric surge into the USB port. As the video below demonstrates, that's enough to permanently damage the IBM Thinkpad receiving the charge.

As viewers can see, the USB stick looks normal, and there are no outward signs it's malicious. But the USB Killer 2.0, as its creator calls it, takes computer attacks on a less-traveled road that leads to physical destruction. According to this post from The Daily Mail, an earlier and less powerful version of the device drew power from USB ports using a DC-to-DC converter until it reached negative 100 volts. At that point, the power was directed into the computer. The process ran on a loop until the circuitry failed. It's likely Version 2 works similarly.


 

In the new version of Chrome, which should be rolling out to everyone today, the "mixed content" warning—that mysterious little yellow "caution triangle" in the address bar—will finally be removed. Instead, sites with a mix of HTTP and HTTPS content will show a normal, grey piece of paper, as if it's a regular HTTP-only website.

According to Google, this change is intended to "encourage site operators to switch to HTTPS sooner rather than later." The problem is, it's almost impossible to switch completely from HTTP to HTTPS in one fell swoop—there are just too many factors that need to be tested and debugged. At the same time, webmasters weren't keen to begin the migration process to HTTPS because of that pesky mixed content warning, which had a tendency to spook less-experienced users of the Information Superhighway. This was far from an optimal solution, according to Google: "During this [migration] process the site may not be fully secured, but it will usually not be less secure than before."

As a result, in Chrome 46 (on desktop PCs, at least), there will be just three security states: a green padlock (full HTTPS), a red padlock (broken HTTPS), and a grey piece of paper (HTTP). "We’ve come to understand that our yellow “caution triangle” badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users," says a Google blog post.


 

Black Hat Europe 2015 Releases Full Schedule and Huge InfoSec Demo Lineup
PR Newswire (press release)
SAN FRANCISCO, Oct. 14, 2015 /PRNewswire/ -- Today, Black Hat, the world's leading family of information security events, highlights the full schedule for Black Hat Europe 2015. Packed with 10 deeply technical, hands-on Trainings, more than 40 ...

 
October is yielding a bumper crop of honors for National Institute of Standards and Technology (NIST) Fellow Ron Ross. Considered the father of the Federal Information Security Management Act (FISMA) security standards, a cyber rock star ...
 

Getting your Information Security team right
CSO Online
Companies are investing in cybersecurity more than ever and it is a critical and yet a difficult task to bring a team that effectively monitors threats and manages security incidents. Despite the increased trend in spending in cybersecurity by ...

 
[CVE-2015-2552] Windows 8+ - Trusted Boot Security Feature Bypass Vulnerability
 
[security bulletin] HPSBGN03515 rev.1 - HP Smart Profile Server Data Analytics Layer (SPS DAL), Remote Cross-Site-Scripting (XSS), Disclosure of Information
 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 


 

A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw Microsoft engineers calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:

  • Displays a fake BSOD
  • Displays constant Javascript pop-up messages containing technical information about a process failure
  • Plays an MP3 with a female voice asking you not to reboot your computer and to call a provided toll-free number

The URL also contains many parameters which, I presume, can help the attacker identify his victim:

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=redacted&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid=
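
As an added example (not part of Xavier's diary), a small Python parser for the campaign URL quoted above: it splits out the query parameters that profile the victim (ISP, state, city, browser, campaign id) and unpacks the voluumdata blob, whose fields are joined with "__" and whose key/value pairs are joined with ".." (that blob layout is inferred from the URL itself). The defanged hxxp:// scheme is accepted as-is.

```python
from typing import Any, Dict
from urllib.parse import parse_qs, urlsplit

# The campaign URL from the diary, with the & separators between parameters
SAMPLE_URL = (
    "hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643"
    "&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=redacted"
    "&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020"
    "&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c"
    "__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b"
    "__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794"
    r"__var1..2821__rd..astoob\.\org__aid..__sid.." "&source=2821&clickid="
)

def parse_voluumdata(blob: str) -> Dict[str, str]:
    """Split the voluumdata blob: fields are joined with '__', key and value with '..'
    (layout inferred from the URL; a field without '..' is ignored)."""
    out = {}
    for field in blob.split("__"):
        key, sep, value = field.partition("..")
        if sep:
            out[key] = value
    return out

def parse_scam_url(url: str) -> Dict[str, Any]:
    """Return the victim-profiling parameters of a scam landing URL as a dict.
    Empty values (domain=, clickid=) are kept so their presence can be compared
    across samples; voluumdata is returned as a nested dict."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    query = parse_qs(parts.query, keep_blank_values=True)
    flat: Dict[str, Any] = {k: v[0] for k, v in query.items()}  # parse_qs percent-decodes
    if "voluumdata" in flat:
        flat["voluumdata"] = parse_voluumdata(flat["voluumdata"])
    return flat
```

The campaign id appears both as the top-level campaign parameter and as caid inside voluumdata, which is a convenient pivot when correlating several captured URLs from the same campaign.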

The domain was registered in July 2015 (whois details) and the index page calls an index.js file with

<table width=904 height=645 border=0 align=center cellpadding=2 cellspacing=2>
<tbody><tr>
<td height=631 bgcolor=#000093><div align=center class=style1>
<p class=style5>0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class=style6></p>
<p class=style4>WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class=style4>PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class=style2>BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class=style4>Please contact microsoft-certified technicians Toll Free at:<br><script></script></p>
<p class=style4>To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay=autoplay loop>
<source src=gp-msg.mp3 type=audio/mpeg>
</audio>
<div style=""><a style="" href=http://link.everythingfastagain.link/click/2.></a></div>

Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized and, in my case, I received different numbers:

  • (855)348 1197
  • (888) 725 1202

It was too tempting to call them. I picked the first one and reached a call center broadcasting professional messages ("your call can be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without an Indian accent!) who presented himself as working for a premium technical support service for computers. I explained my problem to him ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.

This is not a brand new attack but it can scare non-technical people. I also found that, since June 2015, Emerging Threats provides rules to detect this in their emerging-current_events.rules file:

# grep "Fake AV Phone Scam" emerging-current_events.rules | awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH) }'
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811

I recorded a small video of the web page.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be


 
Internet Storm Center Infocon Status