A campaign of fake JP Morgan emails has just started up. The emails claim to be secure messages from JP Morgan sent through the Voltage secure messaging platform. The FROM display name changes between messages, but the actual email address stays in a consistent format (First.Last@jpmorgan.com). Interestingly, all of the messages seem to try to load the same security image, which I assume is the image of a valid JP Morgan user. However, the link the spammers used appears to be dead now, and none of the messages show a security image.

[Image: initial JP Morgan email]

The HTML file is just an official-looking page with a button to read the message (and here the personal security image does show). One thing to note is that looking at the source of the HTML or hovering over links does indeed only show jpmorgan links. The Click to Read Message button, however, did not show its link when hovering and linked directly to an address using an IP instead of a hostname.

[Image: initial page in the attachment]

This campaign has a three-part attack going on. The first part is triggered when you click the Read Message button: the next page that loads has a malicious iframe in it. In the samples I have seen, the iframes all loaded data hosted at cornishhoughs.com. ESET classifies the attack as “JS/Kryptik.ASA trojan”.
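As an added example (not code from the original post), here is a small Python check for the two tells described above: a link target that uses a raw IP address instead of a hostname, and embedded content (an iframe or form) pulled from a host outside the brand's domain. The HTML is a constructed sample modelled on the described attachment; the hosts 192.0.2.10 and iframe-host.example are placeholders, not the campaign's real infrastructure.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML "secure message" attachment: every visible
# link points at the real brand domain, but the "Click to Read Message"
# button goes to a raw IP address, the page pulls in an off-domain iframe,
# and the login form posts to the same IP. Hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<a href="https://www.jpmorgan.com/privacy">Privacy</a>
<a href="https://www.jpmorgan.com/help">Help</a>
<a href="http://192.0.2.10/secure/read.php">Click to Read Message</a>
<iframe src="http://iframe-host.example/load.js" width="1" height="1"></iframe>
<form action="http://192.0.2.10/login.php" method="post"></form>
</body></html>
"""

# Tag/attribute pairs that take the reader (or the browser) somewhere else.
LINK_ATTRS = {"a": "href", "iframe": "src", "form": "action", "script": "src"}


class LinkExtractor(HTMLParser):
    """Collects (tag, url) pairs for every navigation or embed target."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_matches(host, brand_domain):
    """True when host is brand_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def audit_html(html, brand_domain):
    """Return findings as (tag, url, reason) for every suspicious target."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for tag, url in parser.links:
        host = urlsplit(url).hostname or ""
        if not host:
            continue  # relative link, stays within the document
        if is_ip_literal(host):
            findings.append((tag, url, "ip-literal host"))
        elif not host_matches(host, brand_domain):
            findings.append((tag, url, "off-brand host"))
    return findings


if __name__ == "__main__":
    for tag, url, reason in audit_html(SAMPLE_HTML, "jpmorgan.com"):
        print(f"{reason:15} <{tag}> {url}")
```

Hovering only reveals what the page chooses to show; walking the parsed tags catches the button and the hidden iframe alike, and the same pass works on the landing page that the button leads to.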

[Image: second page, email address prompt]

[Image: malicious iframe loading from cornishhoughs.com]

[Image: ESET alert]

[Image: third page, password prompt]

No matter what you type in, as long as it is in the proper format, the page advances. This could be considered the second part of the attack: the pages POST the email address and password that are typed in to the server, and this data is most likely being harvested as well for further attacks using that user's information. If anyone visited these pages and typed their information in, I'd strongly suggest changing your password as soon as possible.

Once you get this far you are taken to a rather convincing-looking secure messaging portal, complete with working buttons that all lead to JP Morgan pages. The exceptions are the View and Download buttons.

[Screenshot: JPMorgan Chase - Sign In, 2014-08-21 13-16-03]

Clicking either View or Download prompts you to save an .exe file with a double extension, and this is the third part of the attack.

[Image: download prompt]

Once the file is saved, these can fool most users into thinking they are harmless. The reason is that most of the time the malware writers will build in a resource icon matching whatever the fake extension is. This method, combined with the fact that Windows does not show known file extensions by default, means that the average user would only see “8.21.14 report.pdf” as the filename along with a normal PDF icon (as seen below). Some users find it annoying to show all file extensions, but it can make it significantly easier to spot the double-extension files that trick users.
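The following Python example is added here and is not code from the original post. It shows what a mail filter or endpoint check can do with the attachment name alone: classify double extensions (a document extension followed by an executable one), bare executable extensions that Explorer would also hide (such as .scr), and archives that need their contents inspected, and it reconstructs the name a user sees when Windows hides known extensions. The extension lists and the sample file names are constructed for the example.

```python
# Extensions that run code when double-clicked on Windows. Constructed list
# for this example, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi"}
# Benign-looking extensions typically used as the "fake" part of a double
# extension (what the icon and the visible name pretend to be).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
              "jpg", "jpeg", "png", "gif", "htm", "html"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def trailing_extensions(filename):
    """Return the last two dot-separated pieces of a name, lower-cased.

    For "8.21.14 report.pdf.exe" this is ("pdf", "exe"); the dots inside
    the "8.21.14" date do not matter because only the tail is examined.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return ("", "")
    if len(parts) == 2:
        return ("", parts[1].strip())
    return (parts[-2].strip(), parts[-1].strip())


def displayed_name(filename):
    """Name as Explorer shows it with "Hide extensions for known file types"
    on (the Windows default): the final known extension is dropped."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS | ARCHIVE_EXTS:
        return stem
    return filename


def attachment_risk(filename):
    """Classify an attachment name:
    'double-extension' - executable hiding behind a document extension,
    'executable'       - executable extension on its own (e.g. .scr),
    'archive'          - container whose contents need inspecting,
    'ok'               - nothing suspicious about the name itself.
    """
    before, last = trailing_extensions(filename)
    if last in EXECUTABLE_EXTS and before in DECOY_EXTS:
        return "double-extension"
    if last in EXECUTABLE_EXTS:
        return "executable"
    if last in ARCHIVE_EXTS:
        return "archive"
    return "ok"


def scan_attachments(names):
    """Map each attachment name to (risk class, name the user would see)."""
    return {n: (attachment_risk(n), displayed_name(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names modelled on the campaigns described above.
    sample = ["8.21.14 report.pdf.exe", "8.21.14 report.pdf",
              "preventin of ebola.scr", "NEWSEBOLA.zip", "statement.PDF.scr"]
    for name, (risk, shown) in scan_attachments(sample).items():
        print(f"{risk:17} shown as {shown!r:28} actual {name!r}")
```

The check is deliberately name-based and cheap; it belongs alongside, not instead of, content inspection, since a renamed file or an archive member bypasses it until the archive is opened.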

[Image: fake PDF icon with the .exe extension hidden]

At the time of checking all of this, VirusTotal shows that no AV company detects this file. It appears to be a trojan downloader that retrieves content from elsewhere. Fortunately we were able to quickly block the file in our filter and have over 177,000 hits so far and climbing.

[Image: no VirusTotal detections]

This particular campaign was tricky due to it being rather in-depth and the effort put into making it convincing. This type of campaign takes more resources for an attacker to put together, but if successful it can yield more of an impact because the threat is not as obvious.

While reading this morning about a recently discovered APT dubbed “Machete”, found by the team over at Kaspersky Labs, I was immediately reminded of a recent briefing I attended at Black Hat USA. The talk was given by Mikko Hypponen, and in it Hypponen discussed how the cyber-weapon capabilities of nation states are murky at best, especially in contrast to the very public nature of more traditional weapons such as nuclear warheads, naval vessels, etc. This is never more evident than when a new piece of APT malware seemingly used for cyber-espionage, such as Machete, is made public.

This is a great example of the current state of cyber-espionage. The perpetrator of this attack may not currently be known, but given the targets it is not unreasonable to assume that it was initiated by a nation state or some group acting on one's behalf. Machete is interesting in both design and longevity (it has apparently existed undetected since 2010). It has a wide array of data-gathering capabilities, and it appears to be both designed by and aimed at targets whose native language is Spanish.

It is worth noting that despite the somewhat unique methods and capabilities displayed in Machete, those spreading the infection still rely on traditional infection vectors such as spear-phishing emails and infected web pages. Of course it can be difficult for organizations to protect themselves against attacks of this nature when it is so unclear exactly what they are protecting themselves from. One thing is for sure: there is no single solution. That is why it is always advisable to employ a comprehensive layered security approach covering everything from email and web filtering to IPS and IDS.

This newly discovered APT is likely just the tip of the iceberg when it comes to the scope of this activity on a global scale. Just as Hypponen discussed at Black Hat, we simply don't know what types of cyber-weapons like this each nation is capable of deploying or currently has in place, which is what makes this situation so alarming.

The infamous hacking group known as Anonymous today announced a National Day of Rage in protest of the current situation in Ferguson, Missouri. Currently all media outlets are buzzing with constant updates on the state of affairs around this small St. Louis suburb. Many in Ferguson have been protesting the shooting and killing of an unarmed black teen by a white police officer since it occurred on Saturday, August 9th, while others, let's call them opportunists, have decided this would be a good time for looting everything in sight. All of the chaos and racial division has forced others to stay locked in their homes out of fear for their own safety. Nightly, protesters have gathered while the police force faces them in what looks to be nothing short of a stand-off with an imaginary line drawn between the two. Also nightly, things eventually get out of hand when the crowd is deemed to be assembled illegally and is dispersed with rubber bullets, acoustic cannons, flash grenades and tear gas.

It now seems that Anonymous wants to join in the fight. The group is well known for a long laundry list of hacktivism, including a strong showing in the quasi-recent Occupy Wall Street protests in 2011, protests against Westboro Baptist Church, and Operation Tunisia in support of the Arab Spring movement. In addition to these, Anonymous has also had a hand in attacks against Sony resulting in over 100 million accounts being compromised in that same year, as well as attacks against the US Department of Justice and the New York Stock Exchange. The internet has always been the weapon of choice for this group, whether calling people to action by assembling in protest or disabling websites by leveraging some sort of SQL injection flaw; with the reach of the world-wide web they are able to wield a large amount of power in the name of their causes.

They often like to input their brand into highly polarizing world events such as the one happening now in Ferguson. This is an event that has a lot of people up in arms and Anon agrees. They have announced a “National Day of Rage” this Thursday August 21st in order to protest the events in Ferguson. According to their YouTube channel and video on the subject “This is another collective peaceful day of rage. Rage with voices, not with violence.” and the video calls for “Justice against police brutality“.

https://www[dot]youtube.com/watch?v=KsWGvh-Nw5c

They have also included a schedule of cities and locations where the events are supposed to take place via a Pastebin post, a favorite site for sharing items such as these. These can be seen below.

  1. EMERGENCY PR: NATIONAL DAY OF RAGE
  2. DATE: THURSDAY, AUGUST 21 2014
  3. 7PM ET, 6PM CT, 5PM MT, 4PM PT
  4. Phoenix: 5:00PM (EASTLAKE PARK, 1549 E Jefferson St , Phoenix, AZ 85034)
  5. Tucson: 5:00PM (CATALINA PARK, 900 N 4th Avenue, Tucson, AZ 85705)
  6. Little Rock: 6:00PM (OUTSIDE STATE CAPITOL BUILDING, Dr Martin Luther King Jr Dr., Little Rock, AR 72201)
  7. San Francisco: 4:00PM (CIVIC CENTER PLAZA, 355 Mcallister St, San Francisco, California 94102)
  8. Oakland: 4:00PM (FRANK OGAWA PLAZA, 1 Frank H Ogawa Plaza, Oakland, CA 94612)
  9. Los Angeles: 4:00PM (LEIMERT PLAZA PARK, 4395 Leimert Blvd., Los Angeles, CA 90008)
  10. Denver: 5:00PM (CIVIC CENTER PARK, 100 W 14th Ave Pkwy, Denver, Colorado 80204)
  11. Washington DC: 7:00PM (OUTSIDE WHITE HOUSE, 1600 Pennsylvania Ave NW, Washington, DC 20500)
  12. Atlanta: 7:00PM (OLD DECATUR COURTHOUSE, 101 E Court Sq, Decatur, GA 30030)
  13. Tampa: 7:00PM (OUTSIDE HILLSBOROUGH COURTHOUSE, 800 E Twiggs St, Tampa, FL)
  14. Orlando: 7:00PM (LAKE EOLA PARK, 195 N Rosalind Ave, Orlando, Florida 32801)
  15. Miami: 7:00PM (GWEN CHERRY PARK, NW 71 St., Miami, Florida, 33147)
  16. Chicago: 6:00PM (RICHARD J DALEY CENTER, 50 W Washington St, Chicago, Illinois 60602)
  17. Des Moines: 6:00PM (IOWA STATE CAPITOL, 1007 E Grand Ave, Des Moines, IA 50319)
  18. New Orleans: 6:00PM (LAFAYETTE SQUARE, New Orleans, LA 70130)
  19. Baltimore: 7:00PM (201 E Pratt St, Baltimore, MD 21202)
  20. Boston: 7:00PM (MASSACHUSETTS STATE HOUSE, 24 Beacon St, Boston, MA 01233)
  21. Detroit: 7:00PM (HART PLAZA, One Hart Plaza, Detroit, Michigan 48226)
  22. Lansing: 7:00PM (STATE CAPITOL BUILDING, Capitol Avenue at Michigan Avenue, Lansing, MI 48933)
  23. Ann Arbor: 7:00PM (THE DIAG, Burns Park, Ann Arbor, MI 48109)
  24. Minneapolis: 6:00PM (MINNEAPOLIS URBAN LEAGUE, 2100 Plymouth Ave N, Minneapolis, MN 55411)
  25. St. Louis: 6:00PM (GATEWAY ARCH, St. Louis 63102)
  26. Carson City: 4:00PM (NEVADA STATE CAPITOL BUILDING, 101 N Carson St, Carson City, Nevada 89701)
  27. Manhattan, NY: 7:00PM (TIMES SQUARE, Manhattan, NY, 10036)
  28. Newark: 7:00PM (NEWARK CITY HALL, 920 Broad Street, Newark, New Jersey 07102)
  29. Durham: 7:00PM (200 E. Main St. Durham, North Carolina)
  30. Columbus: 7:00PM (GOODALE PARK, Columbus, Ohio 43215)
  31. Cleveland: 7:00PM (CLEVELAND PUBLIC LIBRARY, 325 Superior Ave E, Cleveland, Ohio 44114)
  32. Portland: 4:00PM (PIONEER COURTHOUSE SQUARE, 701 SW 6th Ave, Portland, Oregon 97204)
  33. Philadelphia: 7:00PM (LOVE PARK, 1599 John F Kennedy Blvd, Philadelphia, Pennsylvania 19102)
  34. Pittsburgh: 7:00PM (PITTSBURGH CITY-COUNTY BUILDING, 414 Grant St, Pittsburgh, Pennsylvania 15219)
  35. Nashville: 6:00PM (801 Broadway Nashville, TN 37203 Estes Kefauver Federal Building)
  36. Memphis: 6:00PM (Health Sciences Park Memphis, TN)
  37. Austin: 6:00PM (TEXAS STATE CAPITOL, Outside South Gate-11th and Congress Ave.)
  38. Salt Lake City: 5:00PM (SALT LAKE CITY COMMUNITY COLLEGE, 4600 S Redwood Rd, Salt Lake City, Utah 84123)
  39. Seattle: 4:00PM (QUEEN ANNE BAPTIST CHURCH, 2011 1st Ave N, Seattle, Washington 98109)
  40. Milwaukee: 5:00PM (DINEEN PARK, Milwaukee, Wisconsin)
  41. IF YOUR CITY IS NOT LISTED, MAKE A FACEBOOK EVENT FOR IT NOW.
  42. WE ARE ANONYMOUS.
  43. JUSTICE AGAINST POLICE BRUTALITY.

Currently the world is witnessing the largest Ebola outbreak on record, with over a thousand confirmed cases of infection and over six hundred confirmed deaths thus far according to the World Health Organization. This is terrible news for the people of West Africa as they continue to try to keep the sick cared for and the virus contained. Because the virus has a 21-day incubation period, health care professionals have a longer wait to know whether the spread has ended, and the virus has extra time to continue to spread, as people who are infected don't develop any symptoms until they've already been sick for 21 days. So every time a new patient is diagnosed, the clock starts over. Containment has been extra difficult as groups, such as one recently in Liberia who believe the outbreak to be a hoax perpetrated by the government, have broken into a containment facility and forcibly removed patients from their quarantine, risking further spread of the disease. In a rare occurrence, the virus has also found its way into the United States after two doctors who were attempting to help the situation in Africa became infected themselves. They were given experimental treatments and flown back to the US for further treatment and observation. This news immediately caused alarm for some in the US who worried that this would bring Ebola not just closer to them but possibly even to the world stage.

Additionally unfortunate is the fact that malware authors and others from the seedy underbelly of the internet took this as an opportunity. Banking on the fact that the Ebola outbreak is of concern to a large portion of the world, they began delivering phishing and malware-laden emails pretending to be information about the virus and its prevention. One such campaign purported to be from the World Health Organization itself and supposedly contained a document with instructions on how to prevent infection from this deadly virus.

[Image: WHO-themed email]

An archive file is used as the attachment and contains a file named “preventin of ebola.scr”, spelling error and all. The .scr (screensaver) extension is often hidden from the recipient once the file is extracted from the archive; instead they see the file name below a variation of a Microsoft Excel spreadsheet icon. Once this malware is executed it begins communicating with two known malicious domains as well as a known malicious IP address directly: ikeguruobiri.com, xxdrgdurxx.ws and 5.199.167.26. The malware then installs a keylogger on the victim machine and sends information back to the command and control server using HTTP POSTs. One such POST was in the form of an image file and contained an interesting parameter string:

pcname=[redacted]&note=best+recovery&country=&user=[redacted]&log=%22%22%22%22Hey+bro+welcome+to+my+world%21+i+am+now+%0D%0ALegally+undetectable+Lolz%22%22%22%22%0D%0A

Once the percent-encoding is decoded, it reads:

pcname=[redacted]&note=best+recovery&country=&user=[redacted]&log=""""Hey+bro+welcome+to+my+world!+i+am+now+Legally+undetectable+Lolz""""

The ""''Hey+bro+welcome+to+my+world!+i+am+now+Legally+undetectable+Lolz"""" part is a nice little note from the attacker.
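As an added example (not code from the original post), the decoding step above done in Python with the standard library: the beacon body is parsed as a form-encoded POST, blank fields are kept so the layout (pcname, note, country, user, log) can be matched as a detection signal, and the percent-encoded CRLFs in the keystroke log are turned back into line breaks. The body is a constructed copy of the one quoted above with the redacted values replaced by placeholders; the beacon field list is taken from that body.

```python
from urllib.parse import parse_qs, unquote_plus

# Constructed copy of the beacon body quoted above; redacted values are
# replaced by placeholders, the percent-encoding is as the malware sends it.
SAMPLE_BODY = (
    "pcname=REDACTED-PC&note=best+recovery&country=&user=REDACTED-USER"
    "&log=%22%22%22%22Hey+bro+welcome+to+my+world%21+i+am+now+%0D%0A"
    "Legally+undetectable+Lolz%22%22%22%22%0D%0A"
)

# Field names carried by this keylogger's beacon; a POST body with all of
# them present is a strong signal before any value is looked at.
BEACON_FIELDS = ("pcname", "note", "country", "user", "log")


def decode_body(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    keep_blank_values keeps 'country=' (empty) so field presence can be
    checked; '+' becomes a space and %XX escapes become characters.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    # parse_qs returns a list per key; this beacon sends each field once.
    return {k: v[0] for k, v in parsed.items()}


def looks_like_beacon(body):
    """True when every field of the keylogger's POST layout is present."""
    fields = decode_body(body)
    return all(name in fields for name in BEACON_FIELDS)


def summarize(body):
    """Pull the victim-identifying fields and the captured log, splitting
    the log on the CRLFs that were sent as %0D%0A."""
    fields = decode_body(body)
    log = fields.get("log", "").replace("\r\n", "\n").rstrip("\n")
    return {
        "pcname": fields.get("pcname"),
        "user": fields.get("user"),
        "note": fields.get("note"),
        "log_lines": log.split("\n") if log else [],
    }


if __name__ == "__main__":
    raw_log = SAMPLE_BODY.split("log=", 1)[1]
    print("log parameter decoded:", repr(unquote_plus(raw_log)))
    print("matches beacon layout:", looks_like_beacon(SAMPLE_BODY))
    for key, value in summarize(SAMPLE_BODY).items():
        print(f"{key:9} {value!r}")
```

Run over proxy or IDS captures, the field-layout match finds other victims' beacons to the same infrastructure regardless of what the keystroke log contains, while the decoded log shows what was actually captured from an infected host.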

Other campaigns have also used malware designed to steal account credentials after infection, such as this one claiming to be from the World Health Service, which gives another simple message that stops short of begging the recipients to open the malicious attachment. This time it comes as an executable file wrapped in a Zip entitled “NEWSEBOLA.zip”. This infection behaves more like a Zeus variant than a simple keylogger.

[Image: WHS-themed email]

Some versions aren't quite as aggressive and rely on the victim to provide their account information instead of infecting the machine and stealing it. People who click the link in this email, which promises “…vital information…on the outbreak of the new deadly virus”, are taken to a web form; this phishing attack is an attempt to skim login information for AOL, Google/Gmail, Hotmail and Yahoo accounts.

[Image: phishing form]

There have also been other reports around the web of these Ebola-themed attacks appearing to come from CNN, which is a very common tactic in times when the bad guys are riding the wave of international news. Luckily we have all of these variants contained and locked up in quarantine. The world can be a very dangerous place, and with people like this waiting on any opportunity they're given to take advantage of anyone they can, the cyberworld can be nearly as dangerous to our identities and bank accounts. Therefore it is very important that everyone does what they can to protect themselves from attacks such as these. Use multi-layered protection: email spam and virus filtering, web filtering, a local firewall and local anti-virus, in addition to network protection for environments with multiple hosts.

This morning we're seeing a malware campaign purporting to come from Barclays Bank that makes a somewhat half-hearted attempt at tricking recipients into believing money has just been transferred from their accounts. It would appear that those involved are targeting victims in the UK, judging by the verbiage in the email stating GBP, or Great British Pounds, as the currency involved. However, the amount, which is random in each email, lacks proper formatting, making it appear as just a random number rather than how a monetary value would normally look. For example: “5884 GBP has been successfully transfered.” or “9969 GBP has been successfully transfered.” Normally one would expect a comma or a decimal point from a financial institution, perhaps both, and maybe even the proper spelling of the word “transferred”.

The malware uses Armadillo as its packer of choice to scramble its contents in an attempt to avoid initial detection. After infection it enumerates all running processes on the target machine and goes through its routine to make sure it holds on to its victim.

So far we’ve seen about 230,000 pieces of mail attempting to deliver this payload, but luckily AppRiver has blocked all of these preemptively.

[Image: Barclays malware email]