Posts Tagged ‘command-and-control servers’
Wednesday, June 25, 2014 @ 12:06 PM gHale
Kaspersky Lab mapped a massive international infrastructure used to control ‘Remote Control System’ (RCS) malware implants, and identified previously undiscovered mobile Trojans that work on Android and iOS.
These Trojans are part of the spyware tool RCS, also known as Galileo, developed by the Italian company HackingTeam.
The list of victims indicated in the new research, conducted by Kaspersky Lab together with its partner Citizen Lab, includes activists and human rights advocates, as well as journalists and politicians.
Kaspersky Lab has been working on different security approaches to locate Galileo’s command and control (C&C) servers around the globe. For the identification process, Kaspersky Lab experts relied on special indicators and connectivity data obtained by reverse engineering existing samples.
Kaspersky Lab’s researchers were able to map the presence of more than 320 RCS C&C servers in 40+ countries. The majority of the servers were in the United States, Kazakhstan, Ecuador, the United Kingdom and Canada.
“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. “However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”
In the past, researchers knew that HackingTeam’s mobile Trojans for iOS and Android existed, but nobody had actually identified them or observed them in attacks.
Kaspersky Lab has been researching the RCS malware for a couple of years. Earlier this year, they were able to identify certain samples of mobile modules that matched the other RCS malware configuration profiles in their collection. During the research, new sample variants were also received from victims through Kaspersky Lab’s cloud-based KSN network. In addition, the Kaspersky researchers worked closely with Morgan Marquis-Boire from Citizen Lab, who has been researching the HackingTeam malware set extensively.
The operators behind the Galileo RCS build a specific malicious implant for each individual target. Once the sample is ready, the attacker delivers it to the victim’s mobile device. Some of the known infection vectors include spear phishing via social engineering, often coupled with exploits, including zero-days, and local infections via USB cables while synchronizing mobile devices.
One of the major discoveries has been learning precisely how a Galileo RCS mobile Trojan infects an iPhone, which first requires the device to be jailbroken. However, non-jailbroken iPhones can become vulnerable too, because an attacker can run a jailbreaking tool like ‘Evasi0n’ via a previously infected computer and conduct a remote jailbreak, followed by the infection. To avoid infection risks, Kaspersky Lab recommends that people refrain from jailbreaking their iPhones, and also keep the iOS on the device updated to the latest version.
The RCS mobile modules operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life. This is implemented through carefully customized spying capabilities, or special triggers. For example, an audio recording may start only when a victim connects to a particular Wi-Fi network, or when that person changes the SIM card, or while the device is charging its battery.
Overall, the RCS mobile Trojans are capable of performing a variety of surveillance functions, including reporting the target’s location, taking photos, copying events from the device’s calendar, and registering new SIM cards inserted in the infected device. It can also intercept phone calls and SMS messages, including chat messages sent from specific applications such as Viber, WhatsApp and Skype.
Tuesday, January 14, 2014 @ 06:01 PM gHale
It wasn’t that long ago when the Flashback Trojan infected over 600,000 Macs, and even now there are at least 22,000 infected devices out there, researchers said.
Researchers found 14,248 unique identifiers of the latest version of the threat designed to allow attackers to steal information from infected devices, said officials at security firm Intego.
Apple has taken some steps to disrupt the Flashback botnet, including the release of a malware removal tool and the shutdown of the domains utilized by the malware.
Intego owns some of the command and control (C&C) servers used by the Trojan. The security firm said it spotted connections from infected devices trying to contact these sinkhole servers.
As most security professionals will say, you might disrupt a botnet, but you can never say for sure it is gone. For the time being, Apple and security outfits are closely monitoring the servers, so it is difficult to revive the botnet. However, experts said the malware author could buy the C&C domain names in the future.
Furthermore, if at some point no one is supervising them, the domains could fall into the hands of other cybercriminals.
Tuesday, June 25, 2013 @ 03:06 PM gHale
“New and improved” takes on a new meaning when it comes to the DirtJumper malware family, as a new variant called “Drive” contains some interesting features.
Written in Delphi, Drive has a much more powerful distributed denial-of-service (DDoS) engine compared to earlier variants, said researchers at Arbor Networks.
Other than the improved DDoS engine, researchers also found command and control (C&C) servers that serve Gzip-compressed data. At least one of these servers has been blocking connections based on geographic location.
“Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted,” said Jason Jones of Arbor Networks.
The new DDoS engine also features a new string encryption algorithm that’s similar to the Khan algorithm.
The new variant is not present on “mainstream” underground forums yet and so far only 15 unique C&C hostnames are available, Arbor Networks said.
However, the attacks in which Drive takes part are more powerful. For instance, experts found cases where the C&Cs named over 60 targets at once for extended time intervals.
Drive appears to be targeting a popular online retailer, a popular security news site, a search engine, and a number of foreign financial institutions, the researchers said.
By utilizing Umbrella’s Security Graph, Arbor Networks was able to determine a “rough low-end estimate” on the number of hosts infected by Drive. During one successful attack, the number of queries peaked at around 1,000.
Tuesday, May 21, 2013 @ 05:05 PM gHale
A new, massive cyber espionage campaign is hitting as many as 71 victims each day, including government ministries, technology companies, academic research institutions, nongovernmental organizations and media outlets, researchers said.
The “Safe” campaign first appeared in October 2012. Since then, nearly 12,000 unique IP addresses spread over more than 100 countries have connected to two sets of command-and-control (C&C) infrastructure, but the actual number of targets seems to be smaller: some of these IP addresses are concentrated within specific network blocks and so are probably used by the same organization, said Trend Micro researchers.
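The estimate above depends on collapsing victim IPs into network blocks before counting organizations. The following is an added example, not code from Trend Micro or the report, that performs that collapse over a constructed list of sinkhole-style observations (documentation ranges only, not real victims); the prefix length and the sample data are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of source IPs seen contacting a C&C sinkhole (RFC 5737
# documentation ranges, not real victims). Includes a duplicate report, an
# IPv6 entry and a malformed line to show how they are handled.
SAMPLE_IPS = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "203.0.113.14", "203.0.113.15",   # six hosts in one organisation's block
    "203.0.112.5",                    # same /16, different /24
    "198.51.100.7", "198.51.100.8", "198.51.100.9",
    "192.0.2.44",
    "203.0.113.10",                   # duplicate report of the same host
    "2001:db8::1",                    # IPv6, skipped by this IPv4-only pass
    "not-an-ip",                      # malformed log line, skipped
]


def summarize(ips, prefix_len=24):
    """Count unique IPv4 addresses and group them by /prefix_len network.

    Returns a dict with the number of unique IPs, the number of distinct
    blocks, and the blocks ordered by how many unique IPs fell into each.
    A large IP count spread over few blocks suggests fewer real targets.
    """
    seen = set()
    per_block = Counter()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                  # skip unparsable entries
        if addr.version != 4 or addr in seen:
            continue                  # one count per unique IPv4 host
        seen.add(addr)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        per_block[net] += 1
    ordered = sorted(per_block.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return {
        "unique_ips": len(seen),
        "distinct_blocks": len(per_block),
        "blocks": [(str(net), count) for net, count in ordered],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_IPS)
    print(result["unique_ips"], "unique IPs in", result["distinct_blocks"], "/24 blocks")
    for block, count in result["blocks"]:
        print(f"{block:<18} {count}")
```

Raising `prefix_len` to 16 merges the two 203.0.x.0/24 blocks, showing how the choice of block size changes the target estimate.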
“Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations,” the researchers wrote in a whitepaper.
“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”
The attacks start with Tibetan- and Mongolian-themed spear-phishing emails containing a malicious MS Word file designed to exploit a vulnerability (CVE-2012-0158) in older versions of the software.
The decoy document opens, and in the background malicious files are dropped onto the system in preparation for the second stage of the attack: the downloading and running of additional malware and tools, such as off-the-shelf programs able to extract saved passwords from Internet Explorer and Mozilla Firefox as well as any stored Remote Desktop Protocol (RDP) credentials.
Analysis of the IP addresses contacting the two C&C servers found that most targeted systems were in Mongolia, India, the U.S., China, Pakistan and the Philippines. A closer look at the C&C servers also allowed the researchers to identify the tools and source code the attackers used to create and distribute the malware and to encrypt and decrypt data.
The malware author seems to be China-based and the researchers believe him to be a professional software engineer.
“The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers. These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science,” they said.
“Apart from being significantly well-organized and well-commented, the code was also developed with defensive programming in mind. Each of the variables was named in a very obvious manner, helping other engineers easily distinguish functionality; again, a trait seen in the work of many professional software engineers. In addition to being heavily commented on and using intuitive variable naming conventions, the code also had an apparent slant toward usability. Each interface was very intuitive and well-designed, something not often seen in the code of a hobbyist.
“The use of terms like ‘bot,’ combined with the author’s posting of the malware code to code-sharing sites, indicate a degree of familiarity with the cybercriminal underground in China.”
But the campaign’s operators remain a mystery due to their use of VPNs and proxy tools.
Monday, May 20, 2013 @ 01:05 PM gHale
A family of information-stealing malware targeting Pakistan appears to originate in India.
Unlike other known cyber espionage campaigns, this one appears oddly rudimentary: it uses publicly available tools and basic obfuscation methods, and does not encrypt its command-and-control communications, according to researchers at Eset, which posted its analysis of the malware and attack.
“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work,” said Jean-Ian Boutin, a malware researcher with Eset.
The malware campaign is at least two years old and spreads via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted. “The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin said.
The attack uses a code-signing certificate issued in 2011 to Technical and Commercial Consulting Pvt. Ltd., based in New Delhi, India, which ensured the malware binaries could spread within the victim organization. The certificate was revoked in late March 2012 but was still in use. Eset contacted VeriSign, which revoked the certificate. Eset found more than 70 binary files signed with the malicious certificate.
Among the attachments was one that appears to be about Indian military secrets. “We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin said.
Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158; the malware executes once the victim opens a malicious Word attachment. The other method used in the attack relies on PE files that appear to be Word or PDF attachments.
The attackers used NirSoft’s WebPassView and Mail PassView tools to recover passwords from email clients and browser stores; the tools were signed with the malicious certificate.
Monday, April 8, 2013 @ 02:04 PM gHale
Yes, it focuses on the banking industry and does not really operate in the manufacturing automation sector, but the credential-stealing Shylock Trojan is growing increasingly sophisticated, a new report said.
Its level of sophistication keeps rising because its creators continue adding new modules and functionality to the man-in-the-browser malware, according to a Symantec report.
Shylock collects its loot via man-in-the-browser (MiTB) attacks designed to pilfer banking login credentials from a predetermined list of target organizations. Symantec said Shylock is targeting more than 60 banks and financial institutions, mostly in the United Kingdom but also in the United States and Italy. From its inception in July 2011 until around May 2012, Shylock targeted only institutions in the UK, so this global expansion is part of the Trojan’s new look.
The malware’s creators are also refining the target list to root out less valuable banks that have either become harder to compromise or no longer provide services for high-value clients.
Shylock’s list of potential features includes an archiver that allows it to compress and upload recorded video files to remote servers, a BackSocks mechanism that allows Shylock to use infected machines as proxy servers, a diskspread functionality that lets Shylock spread via removable drives, an ftpgrabber module that supports password theft from various applications, an MsgSpread which gives Shylock the ability to proliferate through Skype instant messages, and a VNC that provides attackers with a remote connection to compromised devices.
Shylock’s creators aren’t just refining their target list and adding features to expand its capabilities and reach; they’re also fortifying its infrastructure to avoid downtime.
Shylock has been able to spread itself over Skype messages since January. Before that, its most substantial upgrade came in November of last year, when its creators added a detection-evading function that lets the malware determine whether it is executing on a real computer or whether researchers are running it in a virtual machine to pick it apart.