Information Security News |
Introduction
Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2].
During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler on 2016-05-05 [3].
This is not a new situation. We've seen at least one other campaign switch between Angler and Neutrino EK in the fall of 2015 [4, 5, 6]. However, May 2016 is the first time I've noticed it from the EITest campaign.
The EITest campaign predominantly uses Angler, but it now uses Neutrino EK on occasion. In today's diary, we
Shown above: Flow chart for the EITest campaign.
Details
Since January 2016, the EITest campaign has used 85.93.0.0/24 for a gate between the compromised website and the EK. The TLD for these gate domains has most often been .tk, but we've seen .co.uk domains used this week [7].
Shown above: An example of injected EITest script in a page from a compromised website.
Using the same compromised website, I generated two full infection chains from the EITest campaign. The infections were 11 minutes apart. The first one used Neutrino EK and sent Gootkit malware.
Shown above: 11 minutes later, the same gate led to Angler EK.
The following indicators of compromise (IOCs) were noted from these infections:
Date/Time: 2016-05-19 20:06 UTC:
Date/Time: 2016-05-19 20:17 UTC:
I wasn't able to generate any post-infection traffic from the Angler EK payload, and I haven't had time to examine the malware to determine what it is. The Neutrino EK payload was Gootkit (an information stealer). I generated the following IOCs from the Neutrino EK payload:
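A proxy-log check built from the gate description in this diary (the 85.93.0.0/24 gate range and the .tk/.co.uk gate TLDs), added here as an example and not part of the original diary. The log format, hostnames and client addresses are constructed for the example and are not the diary's indicators.

```python
import ipaddress
import re
from typing import List, Tuple

# Gate address range the diary reports for EITest since January 2016, and the
# gate TLDs it mentions (.tk most often, .co.uk seen the week of the diary).
EITEST_GATE_NET = ipaddress.ip_network("85.93.0.0/24")
EITEST_GATE_TLDS = (".tk", ".co.uk")

# Constructed proxy log lines for this example: "<time> <client> <dest_host> <dest_ip>".
# The hostnames and addresses are made up; they are not the diary's indicators.
SAMPLE_LOG = """\
2016-05-19T20:05:58Z 10.0.0.7 www.example.com 93.184.216.34
2016-05-19T20:06:02Z 10.0.0.7 example-gate.tk 85.93.0.10
2016-05-19T20:06:03Z 10.0.0.7 cdn.example.net 203.0.113.5
2016-05-19T20:17:11Z 10.0.0.9 example-gate.co.uk 85.93.0.200
2016-05-19T20:18:00Z 10.0.0.9 shop.example.co.uk 198.51.100.21
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def gate_reason(host: str, ip: str) -> str:
    """Return why a request looks like an EITest gate hit, or "" if it does not.
    The /24 is the strong signal; a matching TLD alone is far too common to alert on."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ""  # unparseable destination address: nothing to match against
    if addr not in EITEST_GATE_NET:
        return ""
    if host.lower().endswith(EITEST_GATE_TLDS):
        return "gate-net+gate-tld"
    return "gate-net"


def find_gate_hits(log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Scan proxy log lines and return (time, client, host, ip, reason) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        when, client, host, ip = m.groups()
        reason = gate_reason(host, ip)
        if reason:
            hits.append((when, client, host, ip, reason))
    return hits


if __name__ == "__main__":
    for hit in find_gate_hits(SAMPLE_LOG):
        print(" ".join(hit))
```

Each hit names the client to pivot on: the requests that client makes in the seconds after the gate are where the EK landing page and payload download would appear in the same log.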
Final words
With any EK traffic, malware is delivered behind the scenes. The infection happens while the user is browsing the web, and the chain of events starts with a legitimate website compromised by this (or any other) campaign. In both cases, I was running Adobe Flash Player 20.0.0.306, which is vulnerable to CVE-2016-1019. Both Angler and Neutrino EK use Flash exploits for CVE-2016-1019 [8], so my lab hosts were infected.
Properly administered Windows hosts following best security practices (up-to-date applications, latest OS patches, software restriction policies, etc.) should not be infected when running across this campaign.
Unfortunately, a large percentage of people don't follow best practices, and their computers are at risk. Until this situation changes, actors distributing malware through EK channels remain a significant threat.
Pcaps and malware for this ISC diary can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
References:
[1] https://blog.malwarebytes.org/threat-analysis/2014/10/exposing-the-flash-eitest-malware-campaign/
[2] http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/
[3] http://malware-traffic-analysis.net/2016/05/05/index.html
[4] https://isc.sans.edu/forums/diary/Whats+the+situation+this+week+for+Neutrino+and+Angler+EK/20101/
[5] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[6] https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
[7] http://malware-traffic-analysis.net/2016/05/16/index.html
[8] http://malware.dontneedcoffee.com/2016/04/cve-2016-1019-flash-up-to-2100182187.html
Fortune | US House Lifts Block on Google-Hosted Apps Fortune Yahoo Mail remains inaccessible, however, and has been blacklisted since the House Information Security Office said in an April 30 memo it had detected an increase of ransomware attacks on the network. The two restrictions were not related, but came ... |
The Inquisitr | James R. Clapper: U.S. Intelligence Chief Says Foreign Governments Have Made Attempts To Hack Into The Websites ... The Inquisitr As ABC News reports, the nation's intelligence chief believes the hackers are working for foreign governments by snooping around potential presidential candidates. Clapper said government officials are working with campaigns of all the candidates to ... |
ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.
San Jose, California-based Ubiquiti Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.
Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he's seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it's likely that ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears. Ubiquiti officials have said there are at least two variations, so it's possible that other strains behave differently.
In a surprising move, the TeslaCrypt ransomware developers have stopped distributing TeslaCrypt and released their master decryption key to the public. Various TeslaCrypt decryptor tools have been updated to include this key, permitting anyone who gets compromised with TeslaCrypt a way of decrypting their data without paying the ransom.
Further information can be found in the ESET blog post.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ImageMagick calls into question responsible disclosure reporting TechTarget Worse, because the ImageMagick libraries are used in so many applications and services, many users may be completely unaware they are affected by the vulnerability, making it all the more important to spread the news of the vulnerability quickly. The ... |
Imprivata UK unveils latest range of security solutions created for the healthcare industry at InfoSec Europe ResponseSource (press release) London, UK.— May 19, 2016—Imprivata, the healthcare IT security company, will be revealing its latest comprehensive range of security solutions for the healthcare market at Infosec Europe, including Imprivata OneSign® 5.2 and Imprivata Confirm ID® 2.0. |
The Guardian | US intelligence: Foreign hackers spying on campaigns Sentinel-Tribune "This exceeded traditional lobbying and public diplomacy." Jonathan Lampe with InfoSec Institute, a private information security company in Chicago, said security hasn't improved significantly since then. In October, he evaluated the security of 16 ... Presidential candidates may be vulnerable to foreign hackers, US says Clapper: Hackers target US presidential campaigns |
Reuters | House lifts block on Google-hosted apps, Yahoo Mail remains blacklisted Reuters Yahoo Mail remains inaccessible, however, and has been blacklisted since the House Information Security Office said in an April 30 memo it had detected an increase of ransomware attacks on the network. The two restrictions were not related, but came ... |