Wednesday, July 9, 2014

Apple ID Harvesting, now this is a good phish.

Phishing isn't new.  "So, why are you writing about it?", you ask.

I received this one today and it was very well done, so I thought I'd write it up.  Chances are, you've seen these before:

If you are familiar with Apple verification emails, you'll notice the format is almost exactly what Apple uses.  You'll also notice that there are hardly any grammar, punctuation or capitalization errors.  Usually something as simple as the "Dear Customer" greeting gives a phish away, with a stray space inserted between "Customer" and the comma.  Those of you who look at phish emails all day know what I am talking about.

The domain "" that the email was "sent" from could even be legitimate, since the From header is trivially spoofed.  Mouse over the "Click here to verify your account" link, though, and the email begins to fall apart:

hxxp://[.]net/validation_code=<long code here>/

It uses "webobjects" in the URL (an Apple technology), and if you weren't paying attention you would glance right over "gb-appleid[.]net" as the domain (bolded above).  The path is decoration; the hostname is the only part of the URL that tells you where your credentials will go.

In fact, when you load it in a browser, the domain that the resulting webpage loads its images from is "gb-appleid[.]com".
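As an added example (not part of the original post), here is the check a mail filter or an analyst would apply to such a link: pull the hostname out of the URL and judge the registrable domain alone, ignoring the Apple-flavoured path. The sample links and the allowlist of Apple domains are constructed for the example; a production filter would use the Public Suffix List and its own policy rather than the naive two-label rule used here.

```python
from urllib.parse import urlparse

# Constructed links modelled on the pattern described above (a "webobjects"
# path on a lookalike host); these are not the phish's actual URLs.
SAMPLE_LINKS = [
    "https://gb-appleid.net/WebObjects/MyAppleId.woa/validation_code=0123456789/",
    "https://appleid.apple.com/account/manage",
    "http://apple.com.verify-account.example/login",
    "https://www.example.org/news",
]

# Assumed allowlist of registrable domains Apple actually uses for sign-in.
LEGITIMATE = {"apple.com", "icloud.com"}
BRAND = "apple"


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.net lookalikes; a real
    filter should consult the Public Suffix List so 'co.uk'-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """'legit', 'lookalike' or 'other', decided on the hostname alone.
    Path text such as 'WebObjects' and brand names in subdomains carry no trust."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGITIMATE:
        return "legit"
    if BRAND in host:
        return "lookalike"
    return "other"


def triage(links):
    """Map each link to its verdict; anything 'lookalike' deserves a whois check."""
    return {u: classify_link(u) for u in links}
```

Note that the third sample, with "apple.com" as a subdomain of an unrelated registrable domain, is caught for the same reason as the first: only the registered domain counts.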

(The only reason the menu across the top of the "Apple ID" page doesn't render correctly is the browser I am using for this screenshot; the images themselves are correct.)

Well, let's take a look at the domain's whois records:

This is where the ruse falls apart.  Apple obviously runs its own DNS servers, doesn't register its domains through "Crazy Domains, LLC", and isn't "registered" at an address in London.

The resulting page is an attempt to get you to fill in your Apple credentials, which, of course, gives the attacker access to your entire Apple ecosystem.  Email, iTunes, the works.

Phishes aren't going away.  They are getting better with age.

Cisco Web and Email Security products protect customers against these sites.

Tuesday, July 8, 2014

Microsoft Update Tuesday July 2014: light month, mostly Internet Explorer

This month’s Microsoft Update Tuesday is relatively light compared to the major update of last month. We’re getting a total of six bulletins this month, two marked critical, three as important and finally one moderate. These six bulletins cover a total of 29 CVEs, most of which are, as is usual, in Internet Explorer.

Let's start off with the Internet Explorer bulletin, MS14-037. It covers a total of 24 CVEs, 23 of which are memory corruption vulnerabilities that could result in remote code execution, and most of those are use-after-free vulnerabilities. What's interesting this month is that Microsoft has implemented a number of hardening enhancements in IE that make particular use-after-free vulnerabilities non-exploitable. The one vulnerability that doesn't involve remote code execution (CVE-2014-2783) is a fix for how Internet Explorer handles extended validation (EV) SSL certificates. EV certificates are not allowed to contain wildcards, yet most major browsers accepted wildcard certificates as EV when tested. This update corrects that issue for Internet Explorer.

The next critical update (MS14-038) is for Windows Journal, a note-taking application installed by default on non-Server editions of Windows. The update covers a single vulnerability, CVE-2014-1824, where an attacker can achieve remote code execution by getting a user to open a maliciously crafted Windows Journal file.

The next three important updates all fix escalation of privilege vulnerabilities that were disclosed during Pwn2Own. With these fixes, Microsoft is closing out all the Windows vulnerabilities (both kernel and user mode) disclosed during the competition. MS14-039 fixes a vulnerability in the on-screen keyboard (CVE-2014-2781), where an attacker could launch the on-screen keyboard from a low integrity application and cause it to execute a higher privileged program. MS14-040 corrects a vulnerability in the Ancillary Function Driver (afd.sys) that, when exploited, gives an application increased privileges. Finally, MS14-041 fixes a vulnerability in DirectShow (CVE-2014-2780) that an attacker can use to escape the restrictions imposed on a low integrity application.

The final update this month (MS14-042) is marked moderate and fixes a denial of service in Service Bus (CVE-2014-2814). The vulnerability can be exploited by a remote, authenticated user who sends crafted messages to the Service Bus, resulting in a system crash.

The VRT is releasing the following rules to address these issues: SIDs 31380-31387.

Threat Spotlight: "A String of Paerls", Part 2, Deep Dive

This post has been coauthored by Joel Esler, Craig Williams, Richard Harman, Jaeson Schultz, and Douglas Goddard

In part one of our two part blog series on the “String of Paerls” threat, we showed an attack involving a spearphish message containing an attached malicious Word doc. We also described our methodology in grouping similar samples based on Indicators of Compromise: static and dynamic analysis indicators. In this second part of the blog series we will cover the malicious documents and malicious executables.

The Attachment (that your IT department would tell you not to open)

Here’s a screenshot of the malicious Microsoft Word document attached to the phishing e-mail referenced in Part 1. Opening the Word doc triggers a macro that downloads additional malware from Dropbox, eventually phoning home to the command and control domains selombiznet[.]in, and[.]uk. However, the threat actor is aware (along with most users, we’d hope!) that Microsoft Word refuses to launch macros by default, so they guide the recipient of the phish to enable macros, with the promise that it will somehow enable the recipient to view the contents of the document.

In reality, it enables the Visual Basic for Applications macro that downloads and launches a malicious executable. While analyzing the Word documents, we noticed that several instances of the VBA macro code were quite similar -- exactly the same functionality, but with variables renamed. This is common in exploit kits, where malicious code is auto-generated. We see it all the time in exploit kits we track and defend against with our products, but seeing the same "behavior" in a Word document is interesting as well.

Generated Visual Basic Macro code

The following animation shows two examples of VBA code from two different documents, each downloading a different executable. The code is functionally the same, but you can see how the variables and URLs change:

Confirmed "String of Paerls" threat actor samples we have observed so far:


Phishing e-mail subjects we’ve observed:

PNS new order (urgent order)
RE: Shipment and Stuffing Details  
RE: Container number CMAU5861946 and CMAU5735393
RE: Freight Invoice Payment

Phishing e-mail attachment names observed:

3x 2014-05.doc
2x Shipment & Stuffing details.doc
2x shipment details.doc
1x 576877.doc
1x 7856578.doc
1x Booking confirmation and original document.doc
1x Invoice76453773.doc
1x PO 28670315.doc

Analysis of the downloaded executable:

The first stage downloaded by the VB macro (SHA256: 58b49802b53b4ab8556d5dac487d4b95296dd4ee268a7eb37d467d904129299b, fetched from hxxp://dl.dropboxusercontent[.]com/s/3n5v79wyd9ha85q/b.exe) is an obfuscated .NET executable. Some of the utilities used to defeat the obfuscation were de4dot, to clean things up, and JetBrains dotPeek for decompilation. To begin, Main() makes two calls. The first loops through the cases of a switch statement and simply results in a Thread.Sleep(20000) -- an attempt to defeat automated sandbox analysis by delaying any malicious activity by 20 seconds.

The second is a pretty big mess of indirection, but the critical function is D66cJkg(int). Its only argument is an offset into a resource file, {873abddb-bad0-4a16-8785-ff568fe91088} (SHA256: 7e54c5ab02465d8ca3ff9e6c2ae2d29085923da54adfe65024590811cbe991f2).
The format was incredibly simple to infer. One byte is read at the provided offset minus 57 (the 57 is just obfuscation noise). If the high bit of that byte is set, an additional 3 bytes are read. The resulting 7-bit or 31-bit integer is the size of the following string, which is base64 encoded. Below are those that are short enough to be included here:

Piecing things back together, if we pull out the obvious stuff:

Using the above, we can guess that there will be some base64, and that will likely turn into more .NET code, and that .NET code will be loaded via reflection.

That leaves us with:

Observing the first column above, the offset field, you can see the large gap in the offsets. The base64 string in that space decoded to yet another base64 string. That ended up decoding to yet another .NET binary (SHA256: 31b24948510e058c81c3d1d015dd6779c2a9adccc4bd4df51f061060a58d4d52).
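As an added example, not code from the original analysis, the following script reads entries from a resource laid out the way the format was inferred above (a length byte, or a 31-bit length when its high bit is set, followed by base64) and then peels the extra base64 layer off an entry the way the large-gap string had to be. The 57-byte offset fudge is the one described above; the big-endian, flag-bit-cleared layout of the 4-byte length is an assumption the write-up does not settle, and the resource blob and the fake PE inside it are constructed here.

```python
import base64
import binascii
import struct

NOISE = 57  # offsets handed to D66cJkg are inflated by this constant (per the write-up)


def read_length(blob: bytes, pos: int):
    """Decode the length prefix at blob[pos]: one byte, or four bytes forming a
    31-bit length when the first byte's high bit is set. Assumption (the write-up
    does not say): the flag bit is cleared and the four bytes are big-endian."""
    first = blob[pos]
    if first & 0x80:
        raw = bytes([first & 0x7F]) + blob[pos + 1:pos + 4]
        return struct.unpack(">I", raw)[0], pos + 4
    return first, pos + 1


def read_entry(blob: bytes, offset: int):
    """Read one entry given the obfuscated offset the .NET code would pass.
    Returns (decoded bytes, position just after the entry)."""
    pos = offset - NOISE
    length, pos = read_length(blob, pos)
    return base64.b64decode(blob[pos:pos + length]), pos + length


def is_text(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def unwrap_base64(data: bytes, max_layers: int = 4):
    """Peel further base64 layers until a PE header ('MZ') appears or the data
    stops looking like base64. Returns (innermost data, layers removed)."""
    layers = 0
    while layers < max_layers and not data.startswith(b"MZ"):
        try:
            inner = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        # Only accept the layer if the result is a PE or still looks like text;
        # short names such as 'Load' are valid base64 but decode to garbage.
        if not (inner.startswith(b"MZ") or is_text(inner)):
            break
        data, layers = inner, layers + 1
    return data, layers


def encode_entry(payload: bytes) -> bytes:
    """Inverse of read_entry; used only to build the constructed sample below."""
    b64 = base64.b64encode(payload)
    if len(b64) < 0x80:
        return bytes([len(b64)]) + b64
    return struct.pack(">I", len(b64) | 0x80000000) + b64


def build_resource(payloads):
    """Pack entries back to back; return (blob, inflated offset of each entry)."""
    blob = bytearray()
    offsets = []
    for p in payloads:
        offsets.append(len(blob) + NOISE)
        blob += encode_entry(p)
    return bytes(blob), offsets


# Constructed sample: two short strings of the kind the decoded table held, and
# a fake PE (not real malware) wrapped in one extra base64 layer, like the
# large-gap entry described above.
FAKE_PE = b"MZ" + b"\x90" * 300 + b"PE\x00\x00"
SAMPLE_BLOB, SAMPLE_OFFSETS = build_resource([
    b"System.Reflection.Assembly",
    b"Load",
    base64.b64encode(FAKE_PE),
])


def dump(blob: bytes, offsets):
    """Decode every entry; nested base64 is unwrapped and flagged as a binary.
    Returns (offset, kind, layers removed, value) per entry."""
    out = []
    for off in offsets:
        data, _ = read_entry(blob, off)
        inner, layers = unwrap_base64(data)
        kind = "pe" if inner.startswith(b"MZ") else "string"
        out.append((off, kind, layers, inner if kind == "pe" else inner.decode("ascii")))
    return out
```

The third constructed entry is long enough to exercise the 4-byte length form, and its decoded value is itself base64, so dump() reports it as a PE after one extra layer; anything reported as "pe" is what you would hand to dotPeek next.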

Inside of it:

That takes care of the rest of our decoded strings. The hhplwewj class has some interesting methods:

Additionally, in the binary, we see CreateProcess and WriteProcessMemory for injecting code. This behavior was observed during analysis, as it launched multiple copies of itself, and injected code into those processes. Since the above .NET code is loaded via reflection, keep in mind that we are still in the initial binary.

There is an interesting method of extracting and deserializing assets from the executable. In the method nvjsope(), the binary's timestamp is retrieved (1399871638), converted to a string, and a resource by that name is loaded. The functions Decrypt and Deserialize are then called on the extracted resource. Decrypt takes the resource data and a password; in this sample the password is that same timestamp (1399871638).

Decrypt extracts the first 8 bytes of the md5sum of the password.

It then uses DES in CBC mode with both the Key and the IV set to these 8 bytes. Because key and IV are derived from a value stored in the binary itself, this provides no real secrecy; it only keeps the config out of a plain resource dump. The decrypted file (SHA256: 8c543c3584dfc71ccea8d81acf42243a06b84237c445ec132829ba09adabe425) is a serialized config containing a binary, a bunch of (unused) configuration flags, and this (unused) tidbit at the end:

The configuration flags in this sample are not set to use this download link and encryption key.

The binary extracted is a native PE file (not .NET) (SHA256: 2e7dc2963155a01fe59d1c8ca97093eded226dfc12ea35fa831c05f170c6d9e7). A new copy of the current process is spawned and this binary is injected into it. If the configuration flags were set, it could also have been injected into AppLaunch.exe or vbc.exe. Additionally, since many of the other configuration flags are not set, much of the anti-analysis and anti-VM functionality is left unused. The sample locates and loads functions with a common search-by-hash method observed in a lot of malware -- this defeats simplistic analysis such as running 'strings' against a binary to look for imported functions, because only a hash of each function name is stored in the executable, not the name itself. The hashing algorithm is weak and simple; here's some Python code to replicate it:

The values and imports that resolve to them:
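The replication script and the resolved table above are images in the original post and are not reproduced here. The following added example (not the authors' code) shows the analyst's side of import-by-hash: hash the export names of the DLLs the sample loads, then match the constants found in the binary against that table. The rotate-right-13 hash used here is a common shellcode hash standing in for the sample's own algorithm, and the export lists are constructed; only api_hash() needs replacing once the real routine is recovered.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Stand-in hash: h = ror32(h, 13) + byte over the ASCII name. This is the
    rotate-13 hash popular in shellcode, NOT the one this sample uses; swap in
    the recovered algorithm here and the rest of the script stays the same."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed export lists. In practice, read the export directory of the DLLs
# the sample loads (e.g. pefile's DIRECTORY_ENTRY_EXPORT) for the Windows build
# it ran on, since export sets differ between versions.
EXPORTS = {
    "kernel32.dll": ["CreateProcessA", "WriteProcessMemory", "VirtualAllocEx",
                     "CreateRemoteThread", "GetProcAddress", "LoadLibraryA",
                     "GetTickCount", "Sleep"],
    "ntdll.dll": ["NtUnmapViewOfSection", "ZwUnmapViewOfSection", "RtlMoveMemory"],
}


def build_table(exports):
    """Hash every export once; map hash -> (dll, name). A weak hash can collide,
    so collisions are reported rather than silently overwritten."""
    table, collisions = {}, []
    for dll, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h][1] != name:
                collisions.append((h, table[h], (dll, name)))
            table.setdefault(h, (dll, name))
    return table, collisions


def resolve(hashes, table):
    """Turn the constants found in the binary back into import names.
    Unknown hashes are kept, so a gap in the export list shows up explicitly."""
    return [(h, table.get(h, ("?", "<unresolved>"))) for h in hashes]
```

Run resolve() over the hash constants pulled from the binary's resolver stub; anything left unresolved usually means the sample imports from a DLL you have not hashed yet, or that the hash routine was not recovered exactly.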

In the start function of this binary we see it checking for the mutex "lol", an indication that this sample belongs to the Andromeda family of trojans. If the "lol" mutex is present, it skips a long chunk of anti-VM and anti-debugging checks.

These checks have been detailed in depth elsewhere online, so for the sake of brevity we will only give a high-level summary. First, all running processes are enumerated and compared against a blacklist of process names (e.g. vmwareuser.exe, vboxtray.exe, sandboxierpcss.exe).

The sample reads the registry key HKLM\System\CurrentControlSet\Services\disk\enum to retrieve the hard disk's device name and checks whether it contains "vmwa", "qemu" or "vbox" at offset 8 as a means of VM detection (the enum string typically starts with a bus prefix such as "IDE\Disk", so offset 8 is where the vendor's model name begins).

As an additional anti-debugging check, the sample then times two consecutive rdtsc (read time-stamp counter) instructions and compares the difference with 200h: if more than 512 processor cycles elapse between the two, as they would when single-stepping under a debugger, the comparison fails. In this variant the failure-condition jump is "nopped" out, so the result of this check is ignored. This may indicate that the operator customized the base Andromeda sample.

The malware then goes through and selectively copies bytes to memory. Another function resolves function addresses for a jump table in that copied code. After that comes a check for 'e' (0x65) at a specific offset in the copied code. This 'e' corresponds to the end of the process names that will be injected into, wuauclt.exe and svchost.exe. If these names are present in memory then the code is not encrypted, the XOR loop is skipped, and execution is redirected to the injector.

The injected code is a partially unpacked version of itself. When the process (wuauclt or svchost) is started, it goes through the same selective copying routine to pull more code into memory. Now we have reached the main Andromeda payload where we see some recognizable strings.

The first is the default RC4 key for Andromeda:
This is a default domain in the builder:
As well, there is the default post format string:

If we grab a copy of Andromeda’s builder, we can see what some of these fields mean.

Taking the network traffic from the first post in this series:

One will notice the POST body appears to be filled with base64 encoded data. If we base64-decode the POST body and apply RC4 with the default key:
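As an added example, not taken from the post, this is the decode of that POST body in plain Python: base64, then RC4. The key and the key:value sample body are constructed for the example; substitute the default key shown in the screenshot above (or the one from the operator's builder) to decode real traffic.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). RC4 is symmetric,
    so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical key for the example; the sample's real default key is in the
# screenshot above and is not reproduced here.
KEY = b"example-rc4-key"


def decode_post_body(body_b64: str, key: bytes = KEY) -> str:
    """Undo the two layers on the bot's POST body: base64, then RC4."""
    return rc4(key, base64.b64decode(body_b64)).decode("latin-1")


def encode_post_body(fields: dict, key: bytes = KEY) -> str:
    """Build a body the way a bot would (RC4 then base64); used here only to
    produce a constructed sample, not a captured one."""
    plain = "|".join(f"{k}:{v}" for k, v in fields.items()).encode()
    return base64.b64encode(rc4(key, plain)).decode()


# Constructed check-in with made-up values; field names are illustrative.
CONSTRUCTED_BODY = encode_post_body(
    {"id": 1234567, "bid": 1, "os": 81, "la": 3232235777, "rg": 1}
)
```

A result that is not printable text means the operator changed the key in the builder; RC4 provides no integrity check, so a wrong key produces garbage rather than an error, and the next step is to pull the key out of the unpacked payload as was done above.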

In conclusion, this campaign is a perfect example of a threat actor being very effective while using a widely known vector to compromise victims. Using Microsoft Word macros to load binaries was so effective that Microsoft disabled auto-open macros by default years ago! Still, this threat actor is able to make use of this vector by compromising what is still the weakest link: the user. If the recipient followed best practices, did not open documents from unknown sources, and did not enable macros when prompted to by the document, this attack would not succeed. Despite being a low-tech attack -- one that requires direct user interaction to work -- we continue to see malicious Word documents such as these attempting to download binaries from sites we've associated with this threat actor in our web security telemetry. It's always advisable that users follow best practices to avoid these threats. That said, if your user base is prone to such errors, defense in depth may be the best approach.

Complete list of ‘paerls’ samples found on Dropbox:


Dropbox URLs: