
August 24, 2015


Welcome back to our quarterly Malware Newsletter!


 

After a year of high-profile cyberattacks and viruses, including the Heartbleed vulnerability, that have dominated media reports, malware authors and online criminals are tweaking methods known to have been successful in the past in an attempt to breach enterprise environments.

 

Here at ISecG Malware Support Operations (MSO), we like to keep our readers up to date with the latest threat landscape developments covering viruses and other types of security threats as well as general malware support trends in the industry.

Inside This Issue:


1. Q1 & Q2 2015 Malware Support Trends.

2. The rise of W97M/Downloader malware.

3. Q1 & Q2 Common Exploit Kit.

4. Malware Q&A.

5. Whispers from the Underground Black Market.

6. Q1 & Q2 Malware News at a glance.

 

 

1. Q1 & Q2 2015 Malware Support Trends


In Q1 & Q2 2015 we have seen an influx of document-based malware incidents: W97M/Downloader, followed by Generic Trojan and Ransom-CTB. We will focus on W97M/Downloader and Ransom-CTB in the Q3 MSO Malware Session to raise awareness of the two families. In Q4 2015 we will focus on Generic Trojan, analyzing the malicious Trojan applications that allow hackers to remotely access computer systems, steal personal information and install more unwanted software.



Throughout this year, W97M/Downloader malware support incidents remained consistent from January until May, with a large spike in June due to several malware campaigns targeting the EMEA region. Reports of RDN/Generic Trojan also remained constant from January until June. Generic Trojan peaked in February but is now decreasing. We saw significant reports of Ransom-CTB incidents in January and April due to the Dalexis malspam campaign (note: Dalexis is the downloader for Ransom-CTB).


2. The rise of W97M/Downloader malware

 

A scam email campaign is currently circulating that features Microsoft Office documents with malicious macros. Opening the attachment and enabling the macro could lead to ransomware or banking malware being downloaded and launched.

W97M/Downloader and X97M/Downloader are Microsoft Office files that contain a malicious macro. The only difference between them is that W97M detections relate to Word files and X97M detections relate to Excel files. In both cases the macro downloads and executes other malware on the infected machine. The malicious Office file usually arrives on a machine as an attachment in spam or phishing emails, pretending to be a legitimate document or spreadsheet. The file can be a Word document (.doc or .docx) or an Excel workbook (.xls or .xlsx).



 

The highest W97M/Downloader submission and escalation activity was in June 2015. The majority of submissions came from the EMEA and North America regions. The monthly submission pattern indicates that Word-based malicious documents were more prevalent than Excel-based ones.


 

By region, EMEA and North America were most impacted, followed by APAC and Japan.


The malware uses email spam as its primary propagation vector and arrives as an attachment in the form of a Word document or an Excel workbook. The secondary propagation vector is a link on a website or in a search result that points directly to the malicious document. The Word document or Excel workbook contains a Visual Basic for Applications (VBA) macro that either downloads the malware directly to the user's machine, or downloads a VBScript file or invokes a PowerShell script which in turn downloads and executes the malware.

 

Here is a sample of a spam email with a malicious Word document attached:

[Image: sample spam email with a malicious Word document attached]

One of the reasons Document-based malware is so successful and consequently so dangerous is that it is usually delivered to innocent users via email.
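A defender-side triage routine for the attachments this section describes, added here as an example; it is not MSO tooling and not taken from the linked knowledge base article. It checks an OOXML package for a VBA project and for a .docx/.xlsx extension that should never carry one, decompresses the MS-OVBA module stream, and looks for the auto-execute plus download-and-launch combination the text describes. Everything named in it is the example's own assumption: the indicator lists, the sample macro text (deliberately non-functional) and the stand-in vbaProject.bin, which for brevity is a bare compressed stream rather than the OLE2 container a real file has.

```python
import io
import zipfile

# Indicator sets: an auto-run entry point combined with a fetch/launch capability
# (direct, or via VBScript/PowerShell) is the W97M/Downloader pattern.
AUTO_EXEC = ("AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open")
FETCH_OR_LAUNCH = ("URLDownloadToFile", "XMLHTTP", "WScript.Shell", "Shell", "powershell")


def ovba_decompress(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer, the format of VBA module streams."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = pos + (header & 0x0FFF) + 3   # CompressedChunkSize includes the header
        pos += 2
        chunk_start = len(out)
        if not header & 0x8000:                    # raw chunk: bytes stored verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):         # literal token: copy one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # Offset/length split moves as the chunk fills; length keeps >= 4 bits.
                produced = len(out) - chunk_start
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):            # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


def ovba_compress_literal(src: bytes) -> bytes:
    """Valid single-chunk container using literal tokens only (for building samples)."""
    assert 0 < len(src) <= 3640, "literal-only encoding fits at most 3640 bytes in one chunk"
    body = bytearray()
    for i in range(0, len(src), 8):
        body.append(0x00)                          # flag byte: eight literal tokens follow
        body += src[i:i + 8]
    header = (len(body) + 2 - 3) | 0xB000          # compressed flag + mandatory 0b011 bits
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def macro_indicators(vba_source: str) -> dict:
    auto = [k for k in AUTO_EXEC if k in vba_source]
    fetch = [k for k in FETCH_OR_LAUNCH if k in vba_source]
    return {"auto_exec": auto, "fetch_or_launch": fetch, "suspicious": bool(auto and fetch)}


def triage_attachment(filename: str, blob: bytes) -> dict:
    """Flag a VBA part in an OOXML package, an extension hiding it, and downloader indicators."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        types = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        stream = z.read(vba_parts[0]) if vba_parts else b""
    report = {
        "has_vba": bool(vba_parts),
        "declares_macro": "macroEnabled" in types,
        # .docx/.xlsx are supposed to be macro-free; a VBA part inside one is a red flag
        "extension_mismatch": bool(vba_parts) and filename.lower().endswith((".docx", ".xlsx")),
        "auto_exec": [], "fetch_or_launch": [], "suspicious": False,
    }
    if stream:
        # Assumption of this example: the part is one compressed module stream. A real
        # vbaProject.bin is an OLE2 file; pull its module streams out (olefile/oletools) first.
        report.update(macro_indicators(ovba_decompress(stream).decode("latin-1")))
    return report


# Constructed sample: indicator-bearing (non-functional) macro text in a .docx-style package.
SAMPLE_VBA = ("Attribute VB_Name = \"ThisDocument\"\r\n"
              "Sub AutoOpen()\r\n"
              "    ' stage 2: URLDownloadToFile <placeholder-url>, then Shell it\r\n"
              "End Sub\r\n")


def build_sample_docx(with_vba: bool) -> bytes:
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{main}"/>{vba_override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", ovba_compress_literal(SAMPLE_VBA.encode()))
    return buf.getvalue()
```

Run over a mail-gateway quarantine, the extension_mismatch and suspicious flags separate W97M/X97M candidates from ordinary documents. Legacy .doc and .xls files are OLE2 containers rather than zip packages, so they skip the package check and go straight to module-stream extraction and ovba_decompress.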

 

For more information and mitigation:
https://kc.mcafee.com/corporate/index?page=content&id=PD25689


3. Q1 & Q2 common exploit kit


The Angler exploit kit is the most common exploit kit we have observed so far this year. It is also the most advanced and in this section we are going to run through some of its features:

Angler EK can infect a host without writing the malware to disk. Yes, that's right. The payload is injected directly into the process running the exploited plugin. The payload is sent in encrypted form (rather than a plain XOR with an ASCII string as it crosses HTTP). The URL patterns change frequently, mainly on a daily basis. The vulnerabilities used by the Angler exploit kit are:


CVE           | Description                                                                         | Product     | Affected versions                                                          | Reference
--------------|-------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------|-------------------------------------------
CVE-2013-0074 | Silverlight Double Dereference                                                      | Silverlight | < 5.1.20913.0                                                              | http://www.cvedetails.com/cve/CVE-2013-0074
CVE-2013-3896 | Silverlight Double Dereference                                                      | Silverlight | < 5.1.20913.0                                                              | http://www.cvedetails.com/cve/CVE-2013-3896
CVE-2013-2551 | IE VML Use-after-free vulnerability                                                 | IE          | < IE 10                                                                    | http://www.cvedetails.com/cve/CVE-2013-2551
CVE-2013-5329 | Adobe Flash Player Remote Code Execution I                                          | Flash       | < 11.7.700.252, < 11.9.900.152                                             | http://www.cvedetails.com/cve/CVE-2013-5329
CVE-2014-0322 | Use-after-free via JavaScript code                                                  | IE          | IE 9, 10                                                                   | http://www.cvedetails.com/cve/CVE-2014-0322
CVE-2014-0497 | Adobe Flash Player Integer Underflow Remote Code Execution                          | Flash       | < 11.7.700.261, 11.8.x-12.0.0.44 (Win, OSX); < 11.2.202.336 (Lin)          | http://www.cvedetails.com/cve/CVE-2014-0497
CVE-2014-0515 | Adobe Flash Player Buffer Overflow Remote Code Execution                            | Flash       | < 11.7.700.279, < 11.8.x, < 13.0.0.206 (Win, OSX); < 11.2.202.356 (Lin)    | http://www.cvedetails.com/cve/CVE-2014-0515
CVE-2014-0569 | Adobe Flash Player casi32 Integer Overflow                                          | Flash       | < 13.0.0.250, < 15.0.0.189 (Win, OSX); < 11.2.202.411 (Lin)                | http://www.cvedetails.com/cve/CVE-2014-0569
CVE-2014-1776 | Microsoft Internet Explorer Use-After-Free VGX.DLL Remote Code Execution (2965111)  | IE          | < IE 11                                                                    | http://www.cvedetails.com/cve/CVE-2014-1776
CVE-2014-8439 | Adobe Flash Player Dereferenced Memory Pointer Remote Code Execution                | Flash       | < 13.0.0.258, < 15.0.0.239 (Win, OSX); < 11.2.202.424 (Lin)                | http://www.cvedetails.com/cve/CVE-2014-8439
CVE-2014-8440 | Adobe Flash Player Remote Code Execution XIV                                        | Flash       | < 13.0.0.252, 14.x, 15.0.0.223 (Win, OSX); < 11.2.202.418 (Lin); + Adobe AIR | http://www.cvedetails.com/cve/CVE-2014-8440
CVE-2015-0310 | Adobe Flash Player Memory Leak Remote Code Execution                                | Flash       | < 16.0.0.287, all < 14-15x, < 13.0.0.262 (winOS); 11.2.202.438 (Lin)       | http://www.cvedetails.com/cve/CVE-2015-0310
CVE-2015-0311 | A Use-After-Free in Adobe Flash Player                                              | Flash       | < 16.0.0.287, all < 14-15x, < 13.0.0.262 (winOS)                           | http://www.cvedetails.com/cve/CVE-2015-0311
CVE-2015-0313 | Adobe Flash Player Unspecified Defect Remote Code Execution                         | Flash       | < 13.0.0.269, 14.x, 15.x, < 16.0.0.305; Linux < 11.2.202.442               | http://www.cvedetails.com/cve/CVE-2015-0313
CVE-2015-0336 | Adobe Flash Player Remote Code Execution V                                          | Flash       | < 13.0.0.277, 14.x, 15.x, < 17.0.0.134; Linux < 11.2.202.451               | http://www.cvedetails.com/cve/CVE-2015-0336
CVE-2015-0359 | Adobe Flash Player Remote Code Execution XIX                                        | Flash       | < 13.0.0.281, 14.x-17.x before 17.0.0.169                                  | http://www.cvedetails.com/cve/CVE-2015-0359

Malware distributed by the Angler exploit kit in Q1 & Q2: TeslaCrypt, Alpha Crypt and CryptoWall 3.0.

For more information on how to defeat the Angler exploit kit:

http://www.mcafee.com/au/resources/solution-briefs/sb-quarterly-threat-q4-2014-2.pdf

4. Malware Q&A


Q. What makes the Angler exploit kit so powerful and dangerous?
1. It frequently changes its patterns and payloads to hinder the ability of security products to detect the active exploit kit.
2. It uses two levels of redirectors before reaching the landing page.
3. Compromised web servers hosting the landing page can be visited only once from a given IP address.
4. It detects the presence of virtual machines and security products on the system.
5. It makes garbage and junk calls to make reverse engineering difficult.
6. It encrypts all payloads for download and decrypts them on the compromised machine.
7. It uses fileless infection (the payload is deployed directly in memory).


Q. How does the Angler exploit kit work?
[Diagram: Angler exploit kit infection chain]

1. Victim accesses a compromised web server through a vulnerable browser.
2. Compromised web server redirects to an intermediate server.
3. Intermediate server redirects to a malicious web server hosting the exploit kit’s landing page.
4. Landing page checks for the presence of vulnerable plug-ins (Java, Flash, and Silverlight) and their version information.
5. When a vulnerable browser or plug-in is found, the exploit kit delivers the matching payload and infects the machine.


Q. What is the Process Hollowing technique commonly used by malware?
Process Hollowing (also known as dynamic forking) is a technique that executes an executable image within another process's address space. It works by creating a seemingly innocent process in a suspended state. The original (legitimate) executable image is then unmapped and memory is allocated in the process. The injector then writes the replacement executable into the allocated memory. Once the new image is loaded into memory, the EAX register of the suspended thread is set to the new entry point. The process is then resumed and the entry point of the new image is executed.
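A header-comparison check for the hollowing technique just described, added here as an example and not from the newsletter. Because the injector unmaps the legitimate image and writes a replacement, the PE header mapped at the process's image base no longer matches the file on disk that the process claims to be running: entry point, SizeOfImage and the section table diverge. The minimal PE parser and the two constructed header blobs are the example's own; obtaining the in-memory copy (reading the image base from the PEB with ReadProcessMemory) is platform code left out here.

```python
import struct

OPT_ENTRY, OPT_SIZE_OF_IMAGE = 16, 56   # optional-header offsets, same for PE32 and PE32+


def parse_pe_headers(blob: bytes) -> dict:
    """Pull the fields a hollowing check compares out of a PE header blob."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    n_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                              # optional header start
    sections = []
    for i in range(n_sections):                                      # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = blob[off:off + 8].rstrip(b"\x00").decode("latin-1")
        vsize, vaddr = struct.unpack_from("<II", blob, off + 8)
        sections.append((name, vaddr, vsize))
    return {
        "entry_point": struct.unpack_from("<I", blob, opt + OPT_ENTRY)[0],
        "size_of_image": struct.unpack_from("<I", blob, opt + OPT_SIZE_OF_IMAGE)[0],
        "sections": sections,
    }


def hollowing_indicators(on_disk: bytes, in_memory: bytes) -> list:
    """Compare the header of the file backing a process's main module with the header
    mapped at its image base; a hollowed process shows the replacement's layout."""
    disk, mem = parse_pe_headers(on_disk), parse_pe_headers(in_memory)
    findings = []
    if disk["entry_point"] != mem["entry_point"]:
        findings.append(f"entry point {disk['entry_point']:#x} on disk vs {mem['entry_point']:#x} in memory")
    if disk["size_of_image"] != mem["size_of_image"]:
        findings.append("SizeOfImage differs")
    if disk["sections"] != mem["sections"]:
        findings.append("section table differs")
    return findings


def build_pe32(entry_point: int, size_of_image: int, sections) -> bytes:
    """Construct a minimal PE32 header (no code) so the check can run offline."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY, entry_point)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    secs = b"".join(
        name.encode().ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", vsize, vaddr, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + secs


# Constructed sample: the legitimate host as it is on disk, versus what a hollowed
# instance shows in memory after the injector has written a different image.
HOST_ON_DISK = build_pe32(0x1000, 0x5000, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)])
HOLLOWED_IN_MEMORY = build_pe32(0x2F40, 0x9000, [(".text", 0x1000, 0x4000), (".rdata", 0x5000, 0x1000),
                                                 (".data", 0x6000, 0x1000), (".rsrc", 0x7000, 0x1000)])
```

In production this comparison is one signal among several: endpoint tooling also verifies that the region at the image base is still a file-backed image mapping rather than private memory allocated by the injector, and that the resumed thread's start address lies inside a mapped module.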


5. Whispers from the Underground Black Market

Office Exploit Builder v3 has been cracked and is being sold in the underground market. The builder offers numerous options.


The Silent PPT Exploit builder is being sold in the underground market for 6 BTC (about $1600 USD). It can embed a malicious .exe inside a .ppt output file. The seller is only offering a few builds.


Bitcoin ransomware and its source code are up for sale. The seller is willing to throw in business email leads.


6. Q1 & Q2 Malware News at a glance



The CTB-Locker
CTB-Locker encrypts data files using elliptic curve cryptography. It communicates with its command and control server over Tor, making it more difficult for law enforcement to track down the location of the C2 servers.



'Banking' malware Dridex arrives via phishing email (McAfee: PWS-Dridex)
The Dridex "banker" malware is derived from Cridex. Both are part of the GameOver Zeus malware family, which can steal user credentials for online accounts. It has two variants. The first comes as an XML document (.XML or .DOC) containing an embedded Office object encoded in base64. The second comes as a Word or Excel file (.DOC or .XLS) that contains an Office Active Object which executes the malicious code in the OLE file as native OLE code.



Bartallex renews strain of macro malware
This macro malware comes with a macro downloader embedded in .doc files. One of the malware families that serves these embedded macros is Bartallex. Its prevalence has increased significantly during this period.



TeslaCrypt joins the ransomware family
A newly crafted ransomware, TeslaCrypt, has arrived in the malware genre; it encrypts user files using AES encryption and demands money to decrypt them. This ransomware infects systems via a compromised website that redirects victims to a site running the Angler exploit kit.



McAfee Labs Threats Report highlights surge in ransomware, Flash exploits and firmware attacks

  • A surge in powerful and clever ransomware that encrypts files and holds them hostage until the ransom is paid.
  • New Adobe Flash exploits target the growing number of vulnerabilities that have not been patched by users or enterprises.
  • Persistent and virtually undetectable attacks by the Equation Group that reprogram hard disk drives and solid state drive firmware.




Beebone Botnet takedown
Several global law enforcement agencies with assistance from Intel Security successfully dismantled the “Beebone” botnet behind a polymorphic worm known as W32/Worm-AAEH.




Duqu 2.0 malware used stolen certificate to infect Kaspersky network

The Duqu 2.0 malware that infiltrated Kaspersky Lab used a stolen digital certificate signed by Foxconn.

Duqu 2.0 malware attacks Kaspersky.



CryptoWall 3.0 via malspam and Angler exploit kit

A significant amount of CryptoWall 3.0 ransomware activity has been observed from malicious spam (malspam) and the Angler exploit kit.

 

Other Malware News:

 

Skeleton Key malware
Skeleton Key creates no network traffic and can bypass authentication on Active Directory systems that use single-factor authentication.


Carbanak malware

Carbanak malware helped criminals make ATMs dispense cash and transfer funds from targeted banks. As much as $1 billion may have been stolen from banks around the world.


Equation Group
The most sophisticated hacking operation ever uncovered. The malware has the ability to rewrite the hard-drive firmware on the infected computer.


Intel Confidential         © 2015 Intel, Inc. All rights reserved.