Author Topic: NEWS ABOUT TECH-VIRUSES & MALWARE  (Read 8184 times)

June 02, 2016, 04:46:16 PM

PRITAM DASS SHARMA

  • POSITIVE IDEAS BY POSITIVE PEOPLE
  • *****
  • Information Male Offline
  • News Caster
  • Posts: 36515
  • AT YOUR SERVICE
    • View Profile
    • WWW.DAVDERABASSI.COM
    • Email

Infostealer Campaign detected in the wild


Quick Heal Threat Research Lab has recently observed an active cybercrime campaign designed to steal user information. The campaign has been noticed to make use of three keyloggers (malicious software that records information entered by a user on their computer keyboard): iSpy logger, Predator logger and Knight Logger. These tools are easily available on the Internet and can be used for keylogging, stealing passwords and capturing screenshots.

In May 2016, Quick Heal detected an attack related to this campaign on the computers of multiple users. The attack uses spear phishing emails with attachments of malicious Microsoft Office documents (RTF). These documents are loaded with code that exploits the CVE-RTF-2012-0158 vulnerability. When the receiver opens any of these RTF documents, a keylogger component is dropped on the computer, which then does the rest of the job.

Infection Vector
The user receives an email about the arrival of a shipment. The email carries a malicious attachment containing the code to exploit the CVE-RTF-2012-0158 vulnerability. Once the document is opened, one of these tools (iSpy, Predator or Knight Logger) is dropped on the victim’s computer.


June 02, 2016, 04:46:35 PM
Reply #1

PRITAM DASS SHARMA

Technical Details of malicious attachment

File Name: SHIPMENT_ARRIVAL.doc

MD5: 4B2388DA552BDE61EBC3C634BE4B8B1E

File Size: 714KB

Quick-Heal detection name: CVE-RTF-2012-0158

The RTF file drops the following executable:

C:\Documents and Settings\User\Local Settings\svchost.exe

The dropped file gets executed and displays a decoy as shown below:



June 02, 2016, 04:47:04 PM
Reply #2

PRITAM DASS SHARMA

The dropped component is an infostealer built from either the iSpy, Predator or Knight RAT tool.

Analysis of the infostealer component
The infostealer component can carry out the following malicious activities:

Keylogging
Capturing screenshots
Stealing passwords
Capturing video
Collecting system information
Further analysis shows that the malware uses the AES algorithm to decrypt the strings present in its binary. It sends the stolen information to an email address that is stored in the binary in encrypted form.

The malware uses the following email addresses:

Kay.boy@yandex.com
Austinfred@yandex.com
Keylogger79@gmail.com


June 02, 2016, 04:47:20 PM
Reply #3

PRITAM DASS SHARMA

The admin panel used for the campaign shows that the malware authors are using three different loggers.

Comparison of the information stolen by each keylogger:

System Information
  iSpy: Username, Windows Version, Installed Language, Installed .NET Framework, System Privileges, Default Browser, Installed Anti-Virus, Installed Firewall, Internal IP, External IP, Local Date and Time
  Predator: Installed Language, Operating System, Internal IP Address, External IP Address, Installed Anti-Virus, Installed Firewall
  Knight: Username, IP Address, Windows Version, UI Language, Installed Anti-Virus, Installed Applications, Application Publisher

Credentials of Email Clients
  iSpy: Email Client’s Name, Display Name, Email Address, Server, Port, Username, Password, SMTP Server, SMTP Port
  Predator: Email Client Name, Server, Server Port, Secured, Type, Username, Password, Profile, Password Strength, SMTP Server, SMTP Server Port
  Knight: Application, Host, Username, Password

Web Browser Cached Credentials
  iSpy: Browser Name, Website, Username, Password
  Predator: Browser Name, Website, Username, Password, Password strength
  Knight: Browser Name, Website, Username, Password

Microsoft Office / Operating System / AutoCAD
  iSpy: Product ID, Product Name, License Key, Installation Path
  Predator: -
  Knight: -


June 02, 2016, 04:47:47 PM
Reply #4

PRITAM DASS SHARMA

Ways of sending stolen data
The detected keyloggers use the following methods for sending the stolen information.

Using SMTP: Sends stolen data by email using an SMTP server on port 587
FTP upload: Uploads the file to an FTP server.
Web Request/PHP: Sends data as web requests to web servers.
Each keylogger sends stolen information to a predetermined email address in the following format:

Keylogger   First Run   Data Stolen
Predator   Predator Pain v13 – Server Ran – [ComputerName]   Predator Pain v13 | Stealer Log – [ComputerName]
Knight Logger   FIRST RUN Knight Logger first run Username@ComputerName   [ACCOUNT] Knight Logger of [Username]@[ComputerName]
iSpy   iSpy Keylogger – Notification – ComputerName\UserName   iSpy Keylogger – WebCam- ComputerName\UserName; iSpy Keylogger – Screenshot – ComputerName\UserName; iSpy Keylogger – Password Recovery – ComputerName\UserName; iSpy Keylogger – Clipboard – KeyStroke – ComputerName\UserName

Activity of iSpy logger
iSpy Logger, when executed, disables the Command Prompt, Task Manager and Registry Editor by setting the following values under the registry key Software\Policies\Microsoft\Windows\System:
“DisableCMD” = 1
“DisableTaskMgr” = 1
“DisableRegistryTools” = 1

Preventing antivirus program processes from working
To evade detection by antivirus programs, the malware disables their processes by using debugger settings in the registry:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[ProcessName]\Debugger”

iSpy sets this value to “rundll32.exe”

ProcessName is from the below list:

rstrui.exe   AvastSvc.exe   avconfig.exe   AvastUI.exe
instup.exe   mbam.exe   mbamgui.exe   mbampt.exe
mbamservice.exe   hijackthis.exe   spybotsd.exe   ccuac.exe
avguard.exe   avgnt.exe   avgui.exe    avgcsrvx.exe
avgrsx.exe   avgwdsvc.exe   egui.exe   zlclient.exe
keyscrambler.exe   avp.exe   wireshark.exe   ComboFix.exe
MpCmdRun.exe   msseces.exe   MsMpEng.exe   avscan.exe
mbamscheduler.exe   avcenter.exe   avgidsagent.exe   bdagent.exe
Communication via email

Screenshot Capturing

iSpy takes screenshots of the victim’s desktop and uploads them to the web server hxxp://sm.uploads.im/[Filename.png]. The link is sent in an email with the following subject line:
“iSpy Keylogger – Screenshot – ComputerName\UserName”
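Added example (not code from the Quick Heal post): a Python scan of a `reg export` text dump for the two host-side indicators described in this post, the admin-tool lockout values and the IFEO "Debugger" hijack of the listed process names. The value names, key paths and process list come from the post; the hive under which the policy key sits and the sample dump are assumptions.

```python
POLICY_SUFFIX = r"\software\policies\microsoft\windows\system"   # key named in the post
POLICY_VALUES = ("DisableCMD", "DisableTaskMgr", "DisableRegistryTools")
IFEO_MARK = "\\image file execution options\\"
TARGETED = set("""rstrui.exe AvastSvc.exe avconfig.exe AvastUI.exe instup.exe mbam.exe mbamgui.exe
mbampt.exe mbamservice.exe hijackthis.exe spybotsd.exe ccuac.exe avguard.exe avgnt.exe avgui.exe
avgcsrvx.exe avgrsx.exe avgwdsvc.exe egui.exe zlclient.exe keyscrambler.exe avp.exe wireshark.exe
ComboFix.exe MpCmdRun.exe msseces.exe MsMpEng.exe avscan.exe mbamscheduler.exe avcenter.exe
avgidsagent.exe bdagent.exe""".lower().split())   # process names the post lists for the IFEO hijack

def parse_reg_export(text):   # -> {key_path: {value_name: value}} for REG_SZ and REG_DWORD lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw.strip('"').replace("\\\\", "\\")   # .reg files double backslashes
            keys[current][name.strip('"')] = value
    return keys

def find_indicators(reg_text):   # -> list of findings for lockout policies and IFEO Debugger hijacks
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        low = key.lower()
        if low.endswith(POLICY_SUFFIX):
            findings += [f"policy lockout: {n}=1" for n in POLICY_VALUES if values.get(n) == 1]
        elif IFEO_MARK in low and "Debugger" in values:
            proc = low.split(IFEO_MARK, 1)[1].split("\\")[0]
            debugger = str(values["Debugger"])
            # a Debugger set on a security tool is a hijack; rundll32.exe is the value iSpy writes
            if proc in TARGETED or debugger.lower().endswith("rundll32.exe"):
                findings.append(f"IFEO hijack: {proc} -> {debugger}")
    return findings

SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
"""   # constructed sample dump (not from a real infection): two lockouts, one hijack, one benign IFEO key
```

Run find_indicators() over the output of `reg export HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` and of the policy key from a suspect host; the notepad.exe entry in the sample shows that an IFEO key without a Debugger value is not reported.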



June 02, 2016, 04:48:19 PM
Reply #5

PRITAM DASS SHARMA

Video Capturing

iSpy captures video using the webcam, uploads it to video hosting sites and sends the path of the file via email with the following subject line:
“iSpy Keylogger – WebCam- ComputerName\UserName”



June 02, 2016, 04:48:31 PM
Reply #6

PRITAM DASS SHARMA

Detection Reports

File Name   MD5   Quick Heal Detection Name
SHIPPMENT_ARRIVAL.doc   4B2388DA552BDE61EBC3C634BE4B8B1E   CVE-RTF-2012-0158
svchost.exe   867077b4a536c4bbff31c6a957f8927f   TrojanSpy.Siplog.ST3
svchost.exe   6BB1D69AC18E4E770D360AF4E2595417   TrojanSpy.Predtr.ST3
svchost.exe   f0153d96f59570d93b961db6046f03f6   TrojanSpy.Siplog.ST3
svchost.exe   97cc38c47497e0e08d83d263cf9071ce   TrojanSpy.Siplog.ST3
svchost.exe   fee794fb60fe365ddacc5d9a0427c9a9   TrojanSpy.Siplog.ST3
Measures to take

Avoid clicking on links or downloading attachments in emails sent from unwanted, unexpected or unknown sources.
Update your operating system and programs like Microsoft Office, Adobe Reader, Java, etc.
Avoid saving passwords for email clients, online accounts in browsers and FTP servers.

June 02, 2016, 04:51:22 PM
Reply #7

PRITAM DASS SHARMA


Cyber Security Challenges and Emerging Reforms in the Indian Banking Sector


The Indian banking industry has evolved majorly in the past few years owing to technological innovations. Public and privatized banks are allotting bigger budgets towards acquiring and building IT infrastructure and have leveraged IT across all banking operations. Banks constantly face the business challenge of meeting customers’ expectations and improvising on their services and offerings. Operationally, sophistication in banking technology is thwarted by cyber security challenges that are becoming increasingly complex.

BFSI, Telecom, Education and Government organizations have been behind the major driving factors of the growth of the IT security market in India. Organizations today are increasingly aware of cyber security considerations in India, driven by factors like highly visible security incidents, and regulatory focus on security and privacy. Sectors like banking and financial services have a strong focus towards IT security and are preparing themselves for the third era of IT digitalization by investing in technology approaches that can enable them to grow their business securely while embracing digital business models.

The Long Road Ahead: RBI’s IT Reforms for BFSI

In the last quarter of 2015, RBI Governor Raghuram Rajan announced that the revenue arm of the government plans to set up an Information Technology (IT) subsidiary for monitoring and regulating internet-based services offered by banks in India. As we are moving towards a paperless banking system driven by dependence on IT, the subsidiary will help banks address issues on cyber security and evaluate the technological capabilities of banks. The steps to stay ahead of cyber criminals are a prime concern for the Indian banking sector and customers who are becoming more and more dependent on simplified digital banking experiences.

India has the second largest number of smartphone users in the world, and the internet acts as a catalyst in driving the growth of smartphone users in India. This has prompted sectors like banking and financial services to conduct rapid migration of their services to the internet and mobile platforms without fully comprehending the threats associated with them. Thus, they end up rendering themselves vulnerable to an array of cyber security threats.

Banking customers are frequent victims of internet-based frauds, phishing, vishing and other malware attacks. Irrespective of these threats, there is a continued interest and love for technology-backed innovations in the banking and financial services such as online banking and mobile banking, amongst others.

The establishment of an IT subsidiary by RBI is a welcome step not only for the BFSI sector but also for IT security solutions providers like Quick Heal, as it will ensure better compliance with regulations to prevent data theft and to check financial fraud.

The setting up of an IT subsidiary is not the first attempt RBI has taken to address vulnerability issues that come with digitization of the banking sector. In 2010, the RBI had set up a working group in order to ensure a minimum standard of cyber safety norms for the BFSI sector. In 2011, the RBI released the Information Technology Vision Document 2011-2017, focusing on the growing menace of cyber security attacks and reiterated its commitments to mitigating IT fraud in the banking sector. In spite of the best possible intentions of the RBI to combat cyber-attacks and to ensure transparency at all levels of banking operations, Indian banks have been finding it hard to handle the magnitude of cyber-attacks.

Initially, many banks failed to comply with the guidelines of the RBI. Nonetheless, in a span of two to three years, banks have stepped up their digital security by introducing multi-level authentication and transaction verification and also by securing all levels of banking operations within and outside the organization by deploying high level of IT security. Over time, banks have to robustly develop their IT security infrastructure ensuring compliance not only with RBI guidelines for data protection and cyber security norms, but they must also develop real-time fraud prevention models and awareness programs to increase customer confidence.

June 04, 2016, 08:58:49 PM
Reply #8

PRITAM DASS SHARMA


New CVE in Spammer’s toolkit

The Quick Heal Malware Intelligence Reporting System has made a recent observation about a CVE (Common Vulnerabilities and Exposures) known as CVE-2015-2545 being actively used in an online spam campaign.

The campaign begins with targeted users receiving a spam email with an attached malicious document. Below are some common attachment names used in this spam campaign:

Proforma Order.doc
Confirmed_orders.doc
Covering letter.doc
Payment_Advise.doc
Purchase Order.doc
TIANJIN_LIGHT_IMPORT_EXPORT.doc
Outstanding_Acc-40493.doc
Spammers trick users into opening the attached document which contains the exploit code for CVE-2015-2545. Once the document is opened, it exploits the vulnerability present in unpatched versions of Microsoft Office.

This vulnerability was patched by Microsoft in September 2015. Users who haven’t applied Microsoft security updates for this vulnerability are at risk of this exploit.

By exploiting Microsoft Office software, spammers execute malicious code on the victim’s machine and can download and execute a malware payload.

Some URLs found for payload download in this campaign include:

Analyzed document file hashes


Quick Heal detects this threat as “Exp:PS.CVE-2015-2545.B”

One common trait found in all documents is that they all were created by the same author and at the same time.

Below is a snapshot from virustotal:




June 04, 2016, 08:59:12 PM
Reply #9

PRITAM DASS SHARMA

Based on our analysis, we suspect that all samples were created by the same exploit tool. The names associated with these documents are forged and in Japanese.

Company Name: 三菱電機株式会社 (Mitsubishi Electric Corporation)
Creator: 森 勉(電シ本) {Tsutomu Mori (Denshihon)}

Details of the Exploitation

EPS file:

Information about Encapsulated PostScript (EPS) can be found here.

Following is the location of the EPS file in a document file (Docx)
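Added example (not Quick Heal's code): because a .docx is a ZIP package, the embedded EPS part and the document's creator/company metadata that the post discusses can be pulled out for triage with Python's standard library. The word/media/ path and the core.xml / app.xml property names are standard OOXML; the sample document is constructed inline with placeholder author and company values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"                                             # core.xml creator
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"   # app.xml Company

def triage_docx(data):
    """Report embedded EPS parts plus creator/company metadata of a .docx given as bytes."""
    report = {"eps_parts": [], "creator": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            head = z.read(name)[:16]
            # check the content signature, not only the extension: a renamed part is still EPS
            if name.lower().endswith(".eps") or head.startswith(b"%!PS"):
                report["eps_parts"].append(name)
        if "docProps/core.xml" in names:
            node = ET.fromstring(z.read("docProps/core.xml")).find(DC + "creator")
            report["creator"] = node.text if node is not None else None
        if "docProps/app.xml" in names:
            node = ET.fromstring(z.read("docProps/app.xml")).find(EP + "Company")
            report["company"] = node.text if node is not None else None
    return report

def build_sample_docx():
    """Constructed minimal .docx (not a real sample) with one EPS part and placeholder metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.eps", "%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
        z.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("docProps/core.xml",
                   '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
                   'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
                   '<dc:creator>PLACEHOLDER AUTHOR</dc:creator></cp:coreProperties>')
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
                   'extended-properties"><Company>PLACEHOLDER COMPANY</Company></Properties>')
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

On a batch of suspect attachments, identical creator and company strings across files, as reported for this campaign, are a quick pivot for grouping samples before any dynamic analysis.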
