Organizations in 30 Countries Targeted in “Operation Ghoul”

Industrial, engineering and other types of organizations from around the world have been targeted in a profit-driven campaign dubbed by Kaspersky Lab “Operation Ghoul.”

The threat group, whose activities have been traced back to March 2015, has been trying to make money by hijacking bank accounts and stealing intellectual property that they can sell to interested parties. The cybercrime gang has targeted more than 130 organizations in over 30 countries.

According to the security firm, Operation Ghoul attacks start with a malicious email coming from a spoofed address that appears to belong to a bank. The emails typically carry a file attachment or contain links that point to phishing websites. The fake messages are mostly sent to executives, managers and other employees that could have access to valuable information.

The piece of malware delivered by the attackers is HawkEye, a commercial spyware capable of collecting keystrokes, screenshots, clipboard data, FTP credentials, app license information, and account data from browsers, messaging apps and email clients.

Kaspersky Lab has identified victims in Spain, Pakistan, UAE, India, Egypt, UK, Germany, Saudi Arabia, Portugal, Qatar and other countries. The targeted organizations are typically small and medium-sized businesses (SMBs) with 30 to 300 employees.

Roughly half of the Operation Ghoul victims are in the industrial sector, including petrochemical, naval, military, aerospace, solar energy and heavy machinery firms. The threat group has also targeted companies in the engineering, shipping, pharmaceutical, manufacturing, trade, education, IT and technology, and tourism sectors.

The latest attack waves, which Kaspersky spotted in June, focused on the Middle East, particularly the United Arab Emirates.

Operation Ghoul

“In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” said Kaspersky researcher Mohammad Amin Hasbini.

“This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts.

Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer,” the expert added.

Attribution is often difficult, but even more so in this case as the attackers have been using off-the-shelf malware such as HawkEye. The HawkEye spyware has been used to target entities all around the world in various types of campaigns.

By Eduard Kovacs

Source: Security Week

High-End Banking Malware Hits Brazil

In the past two weeks, IBM’s X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda targeting Brazilian financial institutions, according to a new report.

Brazil just can’t catch a break. We’ve already seen flesh-eating bacteria in the water, athletes getting robbed on the streets, and police officers holding up a “welcome to hell” sign at the airport. Plus a wide variety of cybercrime, including phishing attacks and credit card skimming machines.

Now the criminals are getting even more sophisticated. In the past two weeks, IBM’s X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda, according to a new report.

“This is considered sophisticated malware, and this kind of sophistication is not typical for Brazil,” said Limor Kessem, executive security advisor for IBM Security. “This is definitely a step up from what we usually see in Brazil.”

Brazilian malware is typically scripts or browser extensions, not a complex modular software product like Zeus, she said.

Both strains of malware target Brazilian computer users and wait for them to access their online banking or payment accounts. The malware then intercepts the communications, modifies the websites, steals credentials, and redirects the payments.

It is likely that the attackers are based in Brazil or have local partners, she said.

The malware communicates back to central command-and-control servers to download customized configuration files, she explained. In these two cases, the files have been customized to attack three major Brazilian banks and a Brazilian payment system, as well as one bank in Colombia.

Adding a new banking target requires that the attackers create a social engineering injection that precisely mimics the bank’s look and feel, which in turn requires an understanding of the bank’s authentication methods.

“They are able to manipulate what the person sees when they visit the page,” Kessem said. “For example, in addition to a login and password, they might also ask for a Social Security number and their mother’s maiden name.”

This is where local knowledge comes in handy.

“In the past, a lot of times, cybercriminals going after countries where they don’t speak the language would have a lot of spelling mistakes, and that would be a sign that something isn’t right,” she said. “Now that they collaborate with people who are local, they have more of an ability to say the right things in the right way, and have more knowledge of how that bank works and have a better chance of defrauding accounts.”

As a result, adding a new target becomes fairly easy, she said. All the criminals have to do is modify the configuration file. “It’s fairly easy to do and criminals can do that at any time.”

The core source is the same for both Panda and Sphinx, and both are based on the Zeus source code that was leaked in 2011 and has become a popular base for commercial malware sold on underground boards, she said.

Zeus Panda is extremely localized, she said. In addition to local banks, it targets a supermarket that delivers food, a police agency, and a Bitcoin exchange.

The Bitcoin exchange is probably being used to help the criminals launder their ill-gotten gains, Kessem suggested.

Zeus Sphinx targets Brazilian banks as well, but also goes after the popular Boleto Bancário payment platform, which allows users to go online and send money orders.

Sphinx first emerged a year ago, first attacking banks in Australia and the U.K.

Kessem did not have any data about how much financial damage these attackers are causing Brazil. In 2014, however, RSA issued a report that a Boleto malware fraud ring had compromised nearly $4 billion worth of transactions over the previous two years.

IBM currently monitors 270 million endpoints worldwide, Kessem said. After spotting the malware, the company notified the targeted institutions and local law enforcement authorities.

She declined to name the specific institutions targeted by the malware.


Source: CSO Online

Cerber Ransomware Set to Net Black Hats $2 Million Per Year

The Cerber ransomware variant is on track to earn its developer and network of affiliates over $2 million per year, according to the latest stats from Check Point.

The security vendor’s latest report, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service, aims to lift the lid on the ransomware.

Unlike most variants, it is operated on a highly distributed model, with 161 active campaigns spotted in July alone targeting 150,000 users in 201 countries.

This is made possible via a private affiliate program, with new recruits offered up to 60% of profits in return for disseminating the malware plus a possible extra 5% for recruiting new members to the scheme.

The developer is said to get the rest of the takings, with Bitcoin accounts used to receive and launder the money. A new Bitcoin wallet is created for each victim, making it virtually impossible to trace individual payments, according to Check Point.

The ransomware itself is designed so that non-technical participants can get involved: it offers an easy-to-use control panel and is pre-translated into 12 different languages, with online help available in each.

Despite only 3% of victims electing to purchase the decryption key, it’s enough to turn a tidy profit.

With the average payment coming in at $500, total revenue is estimated at $195,000 for July, meaning well over $2 million per year.

The ransomware is mainly spread by exploit kit drive-by-download campaigns and traditional malicious attachments.

A Check Point spokesperson told Infosecurity that regular back-ups are now a must for firms, urging IT teams to ensure at least one copy is made offline.

“Exercise caution. Don’t open e-mails you don’t expect to receive, and if you are asked to run macros on an Office file, don’t. The only situation in which you should run macros is in the rare case that you know exactly what those macros will do,” they added.

“Have a comprehensive, up-to-date, security solution. High quality security solutions and products protect you from a variety of malware types and attack vectors. And if you do get infected, search for decryption tools which could help get your data back.”


Source: Info Security Magazine

Shakti Info Stealer Designed for Corporate Espionage

Bleeping Computer researchers spotted an information-stealing trojan, dubbed Shakti, that is designed for corporate espionage and may have originated in India.

Once a machine is infected, the malware configures itself to start automatically on login by adding an entry in the Windows Registry and then injects itself into a running process such as a web browser, according to an Aug. 12 blog post.

Shakti then scans the victim’s drive for files with specific extensions and, when it finds one, uploads the entire file to the command-and-control server. Based on the targeted file types, researchers believe the malware is designed to steal trade secrets and corporate data.

Researchers said Shakti is currently detected by 34 out of 55 security programs but said most misidentify the malware as a generic trojan or downloader, rather than as an information stealer.


Source: SC Magazine

China Launches ‘Hack-Proof’ Communications Satellite

China on Tuesday launched the world’s first quantum satellite, which will help it establish “hack-proof” communications between space and the ground, state media said, the latest advance in an ambitious space program.

The program is a priority as President Xi Jinping has urged China to establish itself as a space power, and apart from its civilian ambitions, it has tested anti-satellite missiles.

The Quantum Experiments at Space Scale, or QUESS, satellite, was launched from the Jiuquan Satellite Launch Centre in the remote northwestern province of Gansu in the early hours of Tuesday, the official Xinhua news agency said.

“In its two-year mission, QUESS is designed to establish ‘hack-proof’ quantum communications by transmitting uncrackable keys from space to the ground,” it said.

“Quantum communication boasts ultra-high security as a quantum photon can neither be separated nor duplicated,” it added. “It is hence impossible to wiretap, intercept or crack the information transmitted through it.”

The satellite will enable secure communications between Beijing and Urumqi, Xinhua said, referring to the capital of China’s violence-prone far western region of Xinjiang, where the government says it is battling an Islamist insurgency.

“The newly-launched satellite marks a transition in China’s role – from a follower in classic information technology development to one of the leaders guiding future achievements,” Pan Jianwei, the project’s chief scientist, told the agency.

Quantum communications holds “enormous prospects” in the field of defense, it added.

China insists its space program is for peaceful purposes, but the U.S. Defense Department has highlighted its increasing space capabilities, saying it was pursuing activities aimed to prevent adversaries from using space-based assets in a crisis.

By Ben Blanchard

Source: Reuters

Vawtrak Banking Trojan Uses SSL Pinning, DGA

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

According to researchers at security firm Fidelis, the new version of Vawtrak includes a DGA that generates .ru domains with a length ranging between 7 and 12 characters (excluding the domain suffix). The domain names are generated using a pseudorandom number generator (PRNG) found in the Trojan’s loader.

Another noteworthy feature is the use of HTTPS to protect C&C communications. While this is not uncommon, Vawtrak also leverages certificate pinning, or SSL pinning, which is fairly unusual.

Normally, when an SSL connection is made, the client checks that the server’s certificate matches the requested hostname and that it has a verifiable chain of trust to a trusted root. SSL pinning provides extra protection against man-in-the-middle (MitM) attacks by ensuring that only a certificate (or public key) specified in advance by the application is accepted, even if another certificate for the same hostname would otherwise validate.

In the case of Vawtrak, the use of SSL pinning helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications.

In order to ensure that no other certificates are accepted, the Trojan conducts some checks based on the Common Name, which identifies the domain names associated with the certificate. It also uses a public key found in a header from the initial inject performed by the malware loader.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced. The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” Fidelis said in a blog post.

Vawtrak, also known as Neverquest and Snifula, has been used to target online banking customers from across the world. The threat has been around for several years and it has been continually improved by its developers.

By Eduard Kovacs

Source: Security Week

Hackers Insert SEO Spam on Legitimate Sites via WordPress Core Files

As a reminder that crooks will try everything to go undetected, Sucuri revealed last week a new method of inserting SEO spam on hacked WordPress sites using the /wp-includes/load.php file, one of WordPress’ core files.

Unsecured WordPress sites are all around us thanks to the huge market share the CMS has compared to all other products. Crooks leverage this large number of unsecured sites to hack into WordPress installations, either via outdated plugins, vulnerable themes, or via weak admin passwords.

After hacking their target, crooks tend to use these sites as bots in DDoS attacks, as command and control servers for criminal operations, as malware download sites, to host malvertising, or to hijack SEO results.

SEO spam relies on unsecured WordPress sites

They achieve the last by forcing hacked websites to load content that’s hidden by default from human users but shows up for search engine crawlers.

These hacked websites present different text to search bots than what regular users would see, usually with completely different topics, descriptions, and links to other sites for which crooks want to boost search engine rankings.

This happens to the detriment of the hacked website, which now loses traffic and has its public description altered on Google, Bing or other sites.

In one case Sucuri investigated, the company’s analysts discovered a successful business portal showing pornographic content in its Google search results description.

Getting down to the bottom of the infection, Sucuri discovered that crooks weren’t content with just loading a simple JavaScript or PHP file in the website’s header or footer, but actually went as far as to modify WordPress core files, a place where very few site admins tend to look.

Crooks hijack WordPress core files to do all the dirty work

These particular hackers modified /wp-includes/load.php, a core WordPress file that runs for every site visitor and loads other files, putting together the final website.

“The attacker hopes you will focus on the theme files (i.e. header.php, footer.php) and the files in the root of the WordPress install (i.e. index.php, wp-load.php),” Sucuri’s Luke Leal explains the crook’s decision to modify this particular file.

Hackers modified /wp-includes/load.php to load another file /wp-admin/includes/class-wp-text.php, which should never exist in normal WordPress installations but which the crooks hid among other WordPress core files.

This, in turn, loaded all the SEO spammy content, but only for Google’s search engine crawler, leaving the site as is for regular visitors. This procedure explains why the site showed up in search results as you can see in the image below but looked perfectly normal for everyone accessing it.

“At this point, I would like to mention that manually auditing your website files for modifications would be very exhaustive and this is why we recommend using file monitoring,” Leal advises other site admins. “This system would alert you that a new file (./wp-admin/includes/class-wp-text.php) was created and a core file was modified (./wp-includes/load.php). Instead of having to manually go through over a thousand WordPress files, you already know which ones were modified and so can begin there.”
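One way to implement the file monitoring Leal recommends, as an added example (not Sucuri’s or WordPress’ own tooling): take a SHA-256 baseline of a known-good install, rehash the live tree later, and report what was created, changed or removed. The directory layout and file contents below are constructed placeholders; only the paths come from the article.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads directories do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path -> sha256)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were created, changed or removed since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(
            f for f in baseline if f in current and baseline[f] != current[f]
        ),
        "deleted": sorted(set(baseline) - set(current)),
    }


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> dict:
    """Constructed scenario mirroring the case in the article: one core file
    is edited in place and a file that should never exist appears among the
    core files. Contents are placeholders, not real WordPress code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Known-good install (placeholder contents, paths taken from the article)
        _write(root, "index.php", "<?php // placeholder\n")
        _write(root, "wp-load.php", "<?php // placeholder\n")
        _write(root, "wp-includes/load.php", "<?php // placeholder core file\n")
        baseline = build_baseline(root)
        # Simulated compromise: core file altered, extra file planted
        _write(root, "wp-includes/load.php", "<?php // placeholder, altered\n")
        _write(root, "wp-admin/includes/class-wp-text.php", "<?php // planted\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the baseline and the script outside the web root or on another host so that whoever can edit core files cannot also rewrite the baseline, and rerun the comparison from a scheduled job after every legitimate update.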

By Catalin Cimpanu

Source: Softpedia

A Nasty Android Malware is Spreading Using Google’s Online Ad Network

Researchers discovered a campaign that delivers a malicious banking Trojan to Android devices using Google AdSense advertisements. The campaign, discovered by Kaspersky Lab researchers, delivers the Svpeng Android banking Trojan.

The campaign was launched by the criminal group that developed the Svpeng Trojan and Android users are infected with the malware when they visit mainstream websites, wrote Kaspersky Lab malware analysts Nikita Buchka and Mikhail Kuzin in a SecureList blog post.

The analysts refer to the campaign as “a gratuitous act of violence against Android users.” The payload is delivered to Android devices without requiring users to click on the malicious advertisements.

Cybercriminals “are turning the ad networks into incredibly efficient malware delivery vehicles,” wrote Michael Covington, VP of Product, Wandera. Malware is incorporated into the ad networks “without actually breaking into the distribution sites directly.”

Malvertising campaigns such as these continue “to plague businesses and consumers,” wrote Carbon Black co-founder and chief security strategist Ben Johnson, in an email to Targeting Android devices can yield “access to millions (potentially billions) of devices to exploit,” Johnson wrote. “The downside for attackers is that each carrier often has different versions of the operating system and there are many different versions of Android. Exploits are often pretty specific to the version of the operating system they provide.”

Svpeng was initially discovered by Kaspersky in July 2013 as a Trojan for the theft of payment card information from Russian bank customers. A ransomware version of the malware was discovered a year later in the U.S.


Source: SC Magazine

“HOMEKit” Exploit Generator Used to Deliver Espionage Malware

Researchers have come across a document exploit generator that has been used over the past few years by several threat actors to deliver malware in cyber espionage campaigns.

The toolkit, dubbed “HOMEKit” by Palo Alto Networks, is believed to have been used to generate malicious Microsoft Word documents for various campaigns since 2013. Similar to the MNKit exploit generator, HOMEKit relies on the CVE-2012-0158 vulnerability in Office to deliver malware.

The most recent attack involving HOMEKit was observed by Palo Alto Networks in late June, when researchers found an email apparently coming from the United Nations Environment Programme (UNEP). The email carried a Word document and an Excel spreadsheet containing a global directory for residents of North Korea under UNEP.

While the Excel file turned out to be harmless, the Word document attempted to exploit CVE-2012-0158, which Microsoft patched in 2012, to deliver a new Trojan named “Cookle” by Palo Alto Networks.

Cookle is a newly discovered downloader that can collect information on the infected system, and download and execute files. In order to avoid being detected, the threat waits 20 minutes before contacting its command and control (C&C) server. Attackers can also configure the malware to change its sleep interval between C&C communications.

HOMEKit is designed to exploit a vulnerability in the TreeView ActiveX control. If the flaw is exploited successfully, shellcode is executed and a decoy document is opened while a payload (a .dat file) is executed on the system.

An analysis of the documents generated with HOMEKit showed that it had been leveraged to deliver various payloads used in the past years in cyber espionage campaigns, including PlugX, which is often used by Chinese APTs, Surtr, seen in attacks targeting Tibetan organizations, and Mirage, which in 2012 was observed targeting energy, military and other organizations worldwide.

The exploit generator has also been used to deliver Tapaoux, a Trojan associated with the DarkHotel group, which in 2014 was spotted spying on business travelers in the Asia-Pacific region.

Researchers discovered many similarities between the documents that installed the DarkHotel malware and the ones that delivered Cookle. They determined that the functional shellcodes were more than 90 percent similar.

“The difference between the functional shellcode that installs Cookle and DarkHotel lies in the way a process is created to execute the payload and to open the decoy document,” Palo Alto’s Bryan Lee and Robert Falcone explained in a blog post. “While the difference between the two is very minor, it is worth discussing as it suggests the author of the Cookle shellcode intentionally modified the DarkHotel shellcode, possibly as an anti-analysis technique.”

Experts believe HOMEKit might have been made available to multiple threat groups by a common intermediary.

By Eduard Kovacs

Source: Security Week

New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds

Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.

The method has been dubbed “DiskFiltration” by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive’s actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

“An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage,” Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel’s Ben-Gurion University, told Ars. “Confidential data, personal information, financial records and other types of sensitive information are stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone).”

Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures.

DiskFiltration is only the latest method devised by Ben-Gurion University researchers to bridge air gaps. Other techniques include AirHopper, which turns a computer’s video card into an FM transmitter; BitWhisper, which relies on the exchange of heat-induced “thermal pings”; GSMem, which relies on cellular frequencies; and Fansmitter, which uses noise emitted by a computer fan to transmit data. In 2013, researchers with Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics devised a technique that used inaudible audio signals to covertly transmit keystrokes and other sensitive data from air-gapped machines.

The techniques are effective, but their utility in real-world situations is limited. That’s because the computers they target still must be infected by malware. If the computers aren’t connected to the Internet, the compromise is likely to be extremely difficult and would require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine. Still, the air-gap jumpers could provide a crucial means to bypass otherwise insurmountable defenses when combined with other techniques in a targeted attack.

Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive’s automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.

The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren’t mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect the suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.


Source: Ars Technica