While reading this morning about a recently discovered APT dubbed “Machete”, uncovered by the team at Kaspersky Lab, I was immediately reminded of a briefing I attended at Black Hat USA. The talk was given by Mikko Hypponen, who discussed how the cyber-weapon capabilities of nation states are murky at best, especially in contrast to the very public nature of more traditional weapons such as nuclear warheads and naval vessels. This is never more evident than when a new piece of APT malware apparently being used for cyber-espionage, such as Machete, is made public.

This is a great example of the current state of cyber-espionage. The perpetrator of this attack may not currently be known, but given the targets it is not unreasonable to assume that it was initiated by a nation state or by a group acting on one's behalf. Machete is interesting in both design and longevity: it apparently existed undetected since 2010. It has a wide array of data-gathering capabilities, and it appears to have been both written by and aimed at native Spanish speakers.

It is worth noting that despite the somewhat unusual methods and capabilities displayed in Machete, those spreading the infection still rely on traditional infection vectors such as spearphishing emails and infected web pages. Of course, it can be difficult for organizations to protect themselves against attacks of this nature when it is so unclear exactly what they are trying to protect themselves from. One thing is certain: there is no single solution. That is why it is always advisable to employ a comprehensive layered approach covering everything from email and web filtering to IDS and IPS.

This newly discovered APT is likely just the tip of the iceberg when it comes to the scope of this activity on a global scale. Just as Hypponen discussed at Black Hat, we simply don't know what types of cyber-weapons like this each nation is capable of deploying or already has in place, which is what makes the situation so alarming.

The infamous hacking group known as Anonymous today announced a National Day of Rage in protest of the current situation in Ferguson, Missouri. All media outlets are buzzing with constant updates on the state of affairs around this small St. Louis suburb. Many in Ferguson have been protesting the shooting and killing of an unarmed black teen by a white police officer since it occurred on Saturday, August 9th, while others, let's call them opportunists, have decided this would be a good time for looting everything in sight. All of the chaos and racial division has forced others to stay locked in their homes out of fear for their own safety. Nightly, protesters gather while the police face them in what looks to be nothing short of a stand-off with an imaginary line drawn between the two. Also nightly, things eventually get out of hand when the crowd is deemed to be assembled illegally and is dispersed with rubber bullets, acoustic cannons, flash grenades and tear gas.

It now seems that Anonymous wants to join the fight. The group is well known for a long list of hacktivism, including a strong showing in the Occupy Wall Street protests of 2011, protests against the Westboro Baptist Church, and Operation Tunisia in support of the Arab Spring movement. Anonymous also had a hand in the 2011 attacks against Sony that resulted in over 100 million accounts being compromised, as well as attacks against the US Department of Justice and the New York Stock Exchange. The internet has always been this group's weapon of choice, whether calling people to assemble in protest or taking down websites by leveraging some sort of SQL injection flaw; with the reach of the world-wide web they are able to wield a large amount of power in the name of their causes.

They often like to attach their brand to highly polarizing events such as the one happening now in Ferguson. This is an event that has a lot of people up in arms, and Anon agrees. They have announced a “National Day of Rage” for this Thursday, August 21st, to protest the events in Ferguson. According to the video on their YouTube channel, “This is another collective peaceful day of rage. Rage with voices, not with violence,” and the video calls for “Justice against police brutality”.

https://www[dot]youtube.com/watch?v=KsWGvh-Nw5c

They have also published a schedule of cities and locations where the events are supposed to take place via a Pastebin post, a favorite site for sharing items such as these. It is reproduced below.

  1. EMERGENCY PR: NATIONAL DAY OF RAGE
  2. DATE: THURSDAY, AUGUST 21 2014
  3. 7PM ET, 6PM CT, 5PM MT, 4PM PT
  4. Phoenix: 5:00PM (EASTLAKE PARK, 1549 E Jefferson St , Phoenix, AZ 85034)
  5. Tucson: 5:00PM (CATALINA PARK, 900 N 4th Avenue, Tucson, AZ 85705)
  6. Little Rock: 6:00PM (OUTSIDE STATE CAPITOL BUILDING, Dr Martin Luther King Jr Dr., Little Rock, AR 72201)
  7. San Francisco: 4:00PM (CIVIC CENTER PLAZA, 355 Mcallister St, San Francisco, California 94102)
  8. Oakland: 4:00PM (FRANK OGAWA PLAZA, 1 Frank H Ogawa Plaza, Oakland, CA 94612)
  9. Los Angeles: 4:00PM (LEIMERT PLAZA PARK, 4395 Leimert Blvd., Los Angeles, CA 90008)
  10. Denver: 5:00PM (CIVIC CENTER PARK, 100 W 14th Ave Pkwy, Denver, Colorado 80204)
  11. Washington DC: 7:00PM (OUTSIDE WHITE HOUSE, 1600 Pennsylvania Ave NW, Washington, DC 20500)
  12. Atlanta: 7:00PM (OLD DECATUR COURTHOUSE, 101 E Court Sq, Decatur, GA 30030)
  13. Tampa: 7:00PM (OUTSIDE HILLSBOROUGH COURTHOUSE, 800 E Twiggs St, Tampa, FL)
  14. Orlando: 7:00PM (LAKE EOLA PARK, 195 N Rosalind Ave, Orlando, Florida 32801)
  15. Miami: 7:00PM (GWEN CHERRY PARK, NW 71 St., Miami, Florida, 33147)
  16. Chicago: 6:00PM (RICHARD J DALEY CENTER, 50 W Washington St, Chicago, Illinois 60602)
  17. Des Moines: 6:00PM (IOWA STATE CAPITOL, 1007 E Grand Ave, Des Moines, IA 50319)
  18. New Orleans: 6:00PM (LAFAYETTE SQUARE, New Orleans, LA 70130)
  19. Baltimore: 7:00PM (201 E Pratt St, Baltimore, MD 21202)
  20. Boston: 7:00PM (MASSACHUSETTS STATE HOUSE, 24 Beacon St, Boston, MA 01233)
  21. Detroit: 7:00PM (HART PLAZA, One Hart Plaza, Detroit, Michigan 48226)
  22. Lansing: 7:00PM (STATE CAPITOL BUILDING, Capitol Avenue at Michigan Avenue, Lansing, MI 48933)
  23. Ann Arbor: 7:00PM (THE DIAG, Burns Park, Ann Arbor, MI 48109)
  24. Minneapolis: 6:00PM (MINNEAPOLIS URBAN LEAGUE, 2100 Plymouth Ave N, Minneapolis, MN 55411)
  25. St. Louis: 6:00PM (GATEWAY ARCH, St. Louis 63102)
  26. Carson City: 4:00PM (NEVADA STATE CAPITOL BUILDING, 101 N Carson St, Carson City, Nevada 89701)
  27. Manhattan, NY: 7:00PM (TIMES SQUARE, Manhattan, NY, 10036)
  28. Newark: 7:00PM (NEWARK CITY HALL, 920 Broad Street, Newark, New Jersey 07102)
  29. Durham: 7:00PM (200 E. Main St. Durham, North Carolina)
  30. Columbus: 7:00PM (GOODALE PARK, Columbus, Ohio 43215)
  31. Cleveland: 7:00PM (CLEVELAND PUBLIC LIBRARY, 325 Superior Ave E, Cleveland, Ohio 44114)
  32. Portland: 4:00PM (PIONEER COURTHOUSE SQUARE, 701 SW 6th Ave, Portland, Oregon 97204)
  33. Philadelphia: 7:00PM (LOVE PARK, 1599 John F Kennedy Blvd, Philadelphia, Pennsylvania 19102)
  34. Pittsburgh: 7:00PM (PITTSBURGH CITY-COUNTY BUILDING, 414 Grant St, Pittsburgh, Pennsylvania 15219)
  35. Nashville: 6:00PM (801 Broadway Nashville, TN 37203 Estes Kefauver Federal Building)
  36. Memphis: 6:00PM (Health Sciences Park Memphis, TN)
  37. Austin: 6:00PM (TEXAS STATE CAPITOL, Outside South Gate-11th and Congress Ave.)
  38. Salt Lake City: 5:00PM (SALT LAKE CITY COMMUNITY COLLEGE, 4600 S Redwood Rd, Salt Lake City, Utah 84123)
  39. Seattle: 4:00PM (QUEEN ANNE BAPTIST CHURCH, 2011 1st Ave N, Seattle, Washington 98109)
  40. Milwaukee: 5:00PM (DINEEN PARK, Milwaukee, Wisconsin)
  41. IF YOUR CITY IS NOT LISTED, MAKE A FACEBOOK EVENT FOR IT NOW.
  42. WE ARE ANONYMOUS.
  43. JUSTICE AGAINST POLICE BRUTALITY.

Currently the world is witnessing the largest Ebola outbreak on record, with over a thousand confirmed cases of infection and over six hundred confirmed deaths thus far according to the World Health Organization. This is terrible news for the people of West Africa as they continue to try to keep the sick cared for and the virus contained. Because the incubation period can be as long as 21 days, an exposed person may carry the virus for up to three weeks before showing any symptoms. Health care workers therefore have to wait that long after the last known case before they can be sure the spread has ended, and in the meantime infected people can travel and mix with others, so the virus can surface somewhere new long after the exposure. Every time a new patient is diagnosed, the clock starts over. Containment has been made harder by groups such as one recently in Liberia who, believing the outbreak to be a hoax perpetrated by the government, broke into a containment facility and forcibly removed patients from quarantine, risking further spread of the disease. In a rare occurrence, the virus also found its way into the United States when two American aid workers who had been helping in Africa became infected themselves. They were given experimental treatments and flown back to the US for further treatment and observation. This news immediately caused alarm for some in the US who worried that it would bring Ebola not just closer to them but possibly onto the world stage.

Unfortunately, malware authors and the seedier parts of the internet took this as an opportunity. Banking on the fact that the Ebola outbreak concerns a large portion of the world, they began delivering phishing and malware-laden emails posing as information about the virus and its prevention. One such campaign purported to come from the World Health Organization itself and supposedly contained a document with instructions on how to avoid infection with this deadly virus.

An archive file is used as the attachment and contains a file named “preventin of ebola.scr”, spelling error and all. Once the file is extracted from the archive, the .scr (screensaver) extension is typically hidden by Windows Explorer's default “hide extensions for known file types” setting, so the recipient sees just the name beneath a variation of the Microsoft Excel spreadsheet icon. Once executed, the malware begins communicating with two known malicious domains as well as a known malicious IP address directly: ikeguruobiri.com, xxdrgdurxx.ws and 5.199.167.26. It then installs a keylogger on the victim machine and sends the captured data back to the command-and-control server in HTTP POST requests. One such POST, disguised as an image file upload, carried this form-encoded parameter string:

pcname=[redacted]&note=best+recovery&country=&user=[redacted]&log=%22%22%22%22Hey+bro+welcome+to+my+world%21+i+am+now+%0D%0ALegally+undetectable+Lolz%22%22%22%22%0D%0A

With the percent-encoding decoded (%22 is a double quote, %21 an exclamation mark, %0D%0A a CRLF line break and + a space) it reads:

pcname=[redacted]&note=best recovery&country=&user=[redacted]&log=""""Hey bro welcome to my world! i am now
Legally undetectable Lolz""""

The “Hey bro welcome to my world! i am now Legally undetectable Lolz” sitting in the log field is a nice little note from the attacker, planted where the keystrokes would normally go.
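As an added example, not code from the original post or from the malware's authors, the following Python decodes a form-encoded exfiltration body of the shape described above and pulls out the pieces an analyst would log. The sample body is constructed: placeholder host and user names stand in for the redacted values, and the expected field set is an assumption drawn from the single parameter string shown.

```python
from urllib.parse import parse_qs

# Constructed sample of the exfiltration POST body described above. The real
# capture carried a hostname and username in pcname= and user=; here they are
# placeholders (assumption).
SAMPLE_BODY = (
    "pcname=VICTIM-PC&note=best+recovery&country=&user=victim"
    "&log=%22%22%22%22Hey+bro+welcome+to+my+world%21+i+am+now+%0D%0A"
    "Legally+undetectable+Lolz%22%22%22%22%0D%0A"
)

# Fields this beacon is assumed to carry; anything beyond them deserves a look.
EXPECTED_FIELDS = {"pcname", "note", "country", "user", "log"}


def decode_exfil_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded exfiltration body.

    '+' becomes a space and %XX escapes are decoded, so %22 -> '"',
    %21 -> '!' and %0D%0A -> CRLF. keep_blank_values keeps the empty
    country= field, which is itself a small fingerprint of this beacon.
    """
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    # parse_qs returns a list per key; this beacon sends each field once.
    return {key: values[0] for key, values in parsed.items()}


def summarize(body: str) -> dict:
    """Reduce one beacon to the facts worth recording in an incident log."""
    fields = decode_exfil_body(body)
    log = fields.get("log", "")
    return {
        "host": fields.get("pcname"),
        "user": fields.get("user"),
        "note": fields.get("note"),
        "country_blank": fields.get("country") == "",
        "unexpected_fields": sorted(set(fields) - EXPECTED_FIELDS),
        # The keylogger terminates each captured line with CRLF.
        "log_lines": [line for line in log.split("\r\n") if line],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BODY).items():
        print(f"{key}: {value!r}")
```

Running it against a real capture means feeding the raw POST body (after stripping any multipart framing used for the fake image upload) into `summarize`; the `unexpected_fields` list is the quickest way to spot a variant that adds fields.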

 

Other campaigns have also used malware designed to steal account credentials after infection, such as this one claiming to be from the “World Health Service”, which gives another simple message that stops just short of begging the recipient to open the malicious attachment. This time it comes as an executable wrapped in a Zip archive named “NEWSEBOLA.zip”. This infection behaves more like a Zeus variant than a simple keylogger.

Some versions aren't quite as aggressive and rely on the victim to hand over their account information rather than infecting the machine to steal it. People who click the link in this email, which promises “…vital information…on the outbreak of the new deadly virus”, are taken to a web form in a phishing attempt to harvest login credentials for AOL, Google/Gmail, Hotmail and Yahoo accounts.

Phishing form

There have also been other reports around the web of these Ebola-themed attacks appearing to come from CNN, a very common tactic when the bad guys are riding the wave of international news. Luckily we have all of these variants contained and locked up in quarantine. The world can be a very dangerous place, and with people like this waiting for any opportunity to take advantage of anyone they can, the cyberworld can be nearly as dangerous to our identities and bank accounts. It is therefore very important that everyone does what they can to protect themselves from attacks such as these: use multi-layered protection such as email spam and virus filtering, web filtering, a local firewall and local anti-virus, in addition to network-level protection for those with multiple hosts.

 

 

This morning we're seeing a malware campaign purporting to come from Barclays Bank that makes a somewhat half-hearted attempt at tricking recipients into believing money has just been transferred out of their accounts. Judging by the wording of the email, which gives the amount in GBP (pounds sterling), those involved are targeting victims in the UK. However, the amount, which is random in each email, lacks proper formatting, so it looks like an arbitrary number rather than a monetary value. For example: “5884 GBP has been successfully transfered.” or “9969 GBP has been successfully transfered.” From a financial institution one would normally expect a comma or a decimal point, perhaps both, and maybe even the proper spelling of the word “transferred”.
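As an added illustration (not code from the original post) of the formatting tell described above, this Python scores a notification line on two heuristics: a bare integer followed by a currency code where a bank would format the amount, and the recurring misspelling. The sample lines are constructed to mirror the quoted lure text and a plausible legitimate notice; the score thresholds are assumptions.

```python
import re

# Constructed sample lines: the first two mirror the lure text quoted above,
# the last two stand in for legitimate bank notifications.
SAMPLES = [
    "5884 GBP has been successfully transfered.",
    "9969 GBP has been successfully transfered.",
    "£5,884.00 has been successfully transferred from your account.",
    "Your statement for August is now available.",
]

# A run of three or more digits, not preceded by a digit, comma or full stop,
# followed directly by an ISO currency code: no symbol, no thousands
# separator, no pence. Genuine bank notifications almost always format amounts.
UNFORMATTED_AMOUNT = re.compile(r"(?<![\d,.])\d{3,}\s+(GBP|USD|EUR)\b")

# The misspelling that recurs throughout this campaign.
MISSPELLING = re.compile(r"\btransfered\b", re.IGNORECASE)


def score_transfer_notice(text: str) -> int:
    """Weighted score: unformatted amount counts more than the spelling slip."""
    score = 0
    if UNFORMATTED_AMOUNT.search(text):
        score += 2
    if MISSPELLING.search(text):
        score += 1
    return score


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a line once it reaches the (assumed) threshold."""
    return score_transfer_notice(text) >= threshold


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{is_suspicious(line)!s:5}  {score_transfer_notice(line)}  {line}")
```

The lookbehind is what keeps a correctly formatted “5,884 GBP” from matching: the three-digit run “884” is preceded by a comma, and the leading “5” is too short on its own.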

The malware uses Armadillo as its packer to obfuscate its contents in an attempt to avoid initial detection. After infection it enumerates all running processes on the target machine and runs through its persistence routine to make sure it holds on to its victim.

So far we've seen about 230,000 messages attempting to deliver this payload, but luckily AppRiver has blocked all of them preemptively.


As the internet floods with word of the untimely death of comedian and actor Robin Williams yesterday, cybercriminals immediately jumped on board to catch unsuspecting information seekers off guard. A campaign that began arriving late last night appears hastily thrown together, but is very similar to other fake media-themed attacks that have ridden the crest of breaking news stories in the past. An oddly pale CNN logo appears at the top of the email in an attempt to pass it off as actual news. Below it are a picture of Williams, a headline in bold text that reads “Robin Williams Dies, See His Last Words On Video”, and a brief news synopsis of the event.

Fake CNN News Alert


There are two links in these emails, one to “…see the video” and one that appears to be an “unsubscribe” link. Both lead to the same place: a legitimate IT security domain that apparently hosted a subdomain with the payload for a brief period, or perhaps the attackers simply anticipated being able to host their malware on this newly compromised site. By the time we got to the sample, the subdomain had been taken down. Interestingly, the subdomain appears in Arabic when the link is moused over, while the href itself carries the same name as percent-encoded UTF-8 bytes so that the browser can interpret the destination. Before any DNS lookup the browser has to convert such a label to its ASCII punycode form (the “xn--” prefix), which is the form that shows up in DNS and proxy logs.
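An added example, not part of the original post, showing how such a link is taken apart: it starts from a constructed href whose subdomain is the Arabic IANA test label “مثال” under a hypothetical host name (the campaign's real domain is not reproduced here), percent-decodes the hostname, and converts it to the punycode A-label that DNS and proxy logs would actually record.

```python
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the kind of link described above. The Arabic label
# is the IANA IDN test word "مثال"; the parent host is hypothetical.
SAMPLE_HREF = (
    "http://%D9%85%D8%AB%D8%A7%D9%84.compromised-host.invalid/news/video.php"
)


def hostname_views(href: str) -> dict:
    """Return the three forms a non-ASCII hostname takes on its way to DNS.

    raw:    the percent-encoded bytes as they sit in the href (what a
            browser may show in the status bar on mouse-over).
    ulabel: the Unicode hostname after percent-decoding the UTF-8 bytes
            (what the user perceives).
    alabel: the ASCII-compatible form DNS actually resolves (IDNA/punycode,
            'xn--' prefix), which is what belongs in blocklists and logs.
    """
    raw = urlsplit(href).hostname  # lower-cased, still percent-encoded
    ulabel = unquote(raw, encoding="utf-8", errors="strict")
    alabel = ulabel.encode("idna").decode("ascii")
    return {"raw": raw, "ulabel": ulabel, "alabel": alabel}


def has_idn_label(href: str) -> bool:
    """True when any label of the host is non-ASCII and so needs punycode."""
    alabel = hostname_views(href)["alabel"]
    return any(label.startswith("xn--") for label in alabel.split("."))


if __name__ == "__main__":
    for name, value in hostname_views(SAMPLE_HREF).items():
        print(f"{name:7}{value}")
    print("needs punycode:", has_idn_label(SAMPLE_HREF))
```

When hunting for this campaign in DNS or proxy logs, search for the `alabel` form; the Unicode or percent-encoded spellings never reach the resolver.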

Luckily we seem to have all of these attacks in captivity and the campaign appears to have slowed down, but always remember to be vigilant when receiving unsolicited news like this. It is a very common tactic that seems to work very well for those who try it.

Arabic Subdomain
