AI: Artificial Ignorance

Does true Artificial Intelligence even exist yet? Will it ever exist or will it end the world before we reach its full capacity?

The hype around Artificial Intelligence (AI) is currently a media frenzy and if we aren’t careful, we will ruin the name before it has had a chance to really prove itself due to a lack of knowledge around it. AI is a beautiful concept of futuristic computing that the tech industry and academic research is leading in a way that will one day see dramatically enormous changes to the way we live our lives and pivot the human race into a new digital era.

But for now, AI is simply misunderstood. Computers are not yet thinking for themselves, nor are they able to live on their own and no, the Terminator is not hiding around the corner looking for John Connor… yet.

You’d be forgiven for thinking AI currently exists for the amount of media attention it attracts. People desperately want to believe in AI and hope that the next generation of software uses it to its full advantage. It has ubiquitous influence, however, and as sad as it may be to admit, I think we are still a few generations off it becoming mainstream.

Take truly autonomous cars for the masses, for example, which is a wondrous concept but for now this is just awesome science fiction. This doesn’t mean it won’t ever happen, it just means we are still way off from it ever taking off. To be able to produce a completely autonomous car sounds impressive but with the technological advancements required, the essential and seemingly infinite amount of calculations at incredible speeds, and not to mention a horrendously dangerous transition phase whilst autonomous cars mix with standard cars, it remains a distant dream for now.

Some seriously difficult mathematical problems that are hard to crack via computing alone, such as image recognition, end up developing an aura of magic around them. We currently tend to imagine that only AI could hold such an ability. Yet once we go and solve such a vast problem churning through even more data accurately finding the answer we actually find that it’s just good computer engineering and not very ‘artificial’ or even that ‘intelligent’ – it’s just simple consistent advancements.

Well, true AI is typically known for being able to teach itself things such as games or even learn to anticipate moves of opponents within games. Better still, to quote Wikipedia, true AI is a “hypothetical machine that exhibits behavior at least as skillful and flexible as humans do”.

I am just not convinced that we are ready to call our computer power AI yet, however impressively powerful it is.

Machine learning, however, is making headway in one of the most exciting technological developments in history and should not be confused with artificial intelligence thinking for itself. Humongous amounts of data churning through the processing wheels of machines is creating wonderfully accurate predictions and able to solve incredibly complex algorithms faster than ever before. But it is yet to do this for itself or mimic the brain of a human.

Machine learning is unequivocally constrained by man-made rules and these rules have even been known to contain a disappointing reflection of human biases such as racial, sexual and gender bias, making it fail before it has begun. Sadly, most of what we come to know and believe can be based on personal biases in our brains. True AI, however, is limitless and has the possibility of doing anything and, if taught correctly, will be fair and without prejudice.

Machine learning is, without a doubt, changing our lives and making our lives more streamlined. From image recognition, to prediction of crime, even to medical diagnosis, the increased computer power is phenomenally and rapidly increasing our accuracy in multiple industries. Google, IBM and a handful of start-ups are all racing to create the next generation of supercomputers. If quantum computers ever take off, they could potentially help us solve extremely complex processes which our current computers can’t even begin to solve in less than a millennium.

If anything, AI remains a few decades away and we should avoid using the futuristic term for now or we will simply be doing all the current great technological feats provided by machine learning a disservice by making claims that are presently false. Let’s not forget how far we have come into this current digital age and enjoy the journey into the next-gen digital era, however artificial it is.

16 Aug 2019 – 11:30AM

Microsoft warns of new BlueKeep‑like flaws

Unlike BlueKeep, however, these vulnerabilities affect more recent Windows versions, including Windows 10

Microsoft issued fixes for four critical vulnerabilities in Remote Desktop Services (RDS) this week, likening two of them to ‘BlueKeep’, another critical flaw in the same Windows component.

All four Remote Code Execution (RCE) flaws – tracked as CVE‑2019‑1181, CVE‑2019‑1182, CVE‑2019‑1222 and CVE‑2019‑1226 – can be exploited by attackers sending a specially-crafted remote desktop protocol (RDP) message to RDS.

“An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads the advisory that is common to all four flaws.

What’s more, the first two holes are wormable and so bear a strong resemblance to BlueKeep, as well as to a flaw in an old version of Microsoft’s Server Message Block (SMB) implementation that enabled WannaCryptor, also known as WannaCry, in 2017.

As a result, exploits might use either of the new vulnerabilities to spread malware from one unpatched system to another without any user interaction. This is ultimately what prompted the Microsoft Security Response Center (MSRC) to issue a patch alert.

“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” said Microsoft. The company noted that computers with automatic updates enabled are automatically protected by these fixes. The threat, which looms large especially over organizations, can also be partially mitigated, specifically by enabling Network Level Authentication.

Unlike BlueKeep, these bugs affect more recent Windows versions – Windows 10, including server versions, together with Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2. By contrast, Windows XP, Windows Server 2003 and Windows Server 2008 are not affected this time.

Also unlike BlueKeep, which was discovered by the United Kingdom’s National Cyber Security Centre (NCSC), the two new wormable vulnerabilities were identified by Microsoft itself while the company was shoring up RDS’s security.

“At this time, we have no evidence that these vulnerabilities were known to any third party,” said the company.

All four fixes were released as part of this month’s Patch Tuesday. By Qualys’s count, 93 security holes, including 29 rated as critical, were addressed in this batch of security updates. Edge, Internet Explorer, Outlook and Office are all among products where the fixes should be applied sooner rather than later.

This month’s crop of patches is neatly summarized in this table drawn up by the SANS Technology Institute.

15 Aug 2019 – 03:10PM

In the Balkans, businesses are under fire from a double‑barreled weapon

ESET researchers discovered a campaign that uses two malicious tools with similar capabilities to ensure both resilience and broader potential for the attackers

We’ve discovered an ongoing campaign in the Balkans spreading two tools having a similar purpose: a backdoor and a remote access trojan we named, respectively, BalkanDoor and BalkanRAT.

BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface, i.e., manually; BalkanDoor enables them to remotely control the compromised computer via a command line, i.e., possibly en masse. ESET security products detect these threats as Win{32,64}/BalkanRAT and Win32/BalkanDoor.

A typical victim of this campaign, which uses malicious emails as its spreading mechanism, ends up having both these tools deployed on their computer, each of them capable of fully controlling the affected machine. This rather uncommon setup makes it possible for attackers to choose the most suitable method to instruct the computer to perform operations of their choice.

The campaign’s overarching theme is taxes. With the contents of the emails, included links and decoy PDFs all involving taxes, the attackers are apparently targeting the financial departments of organizations in the Balkans region. Thus, although backdoors and other tools for remote access are often used for espionage, we believe that this particular campaign is financially motivated.

The campaign has been active at least from January 2016 to the time of writing (the most recent detections in our telemetry are from July 2019). Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017. Each of these sources focused only on one of the two tools and only on a single country. However, our research shows that there is a significant overlap in targets and also in the attackers’ tactics, techniques and procedures.

Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia, Serbia, Montenegro, and Bosnia and Herzegovina.

Our research has also shed more light at the malware used in this campaign and provided some context. We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability (CVE-2018-20250). Further, we’ve seen both malicious tools digitally signed with various certificates the developers paid for to add perceived legitimacy. One of them, issued to SLOW BEER LTD, was even valid at the time of writing; we’ve notified the issuer about the misuse and they revoked the certificate.

In this article, we will describe some notable features of both BalkanDoor and BalkanRAT. Our analysis shows that the former runs as a Windows service, which allows it to unlock the Windows logon screen remotely and without the password or start a process with the highest possible privileges. The latter misuses a legitimate remote desktop software (RDS) product and uses extra tools and scripts to hide its presence from the victim, such as hiding the window, tray icon, process and so on.

Both BalkanRAT and BalkanDoor spread in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina. (These countries, along with Slovenia and former Macedonia, formed the country of Yugoslavia until 1992.)

Figure 1. Malware distribution by country

According to our telemetry, the campaign spreading these tools has been live since 2016, with the most recent detections as late as in July 2019.

The attackers have been distributing their tools via malicious emails (“malspam”) with links leading to a malicious file.

The links included in the malspam emails used for distribution of both BalkanRAT and BalkanDoor mimic legitimate websites of official institutions.

Table 1. Domains misused in the campaign
Malicious domain Real domain Institution
pksrs[.]com pks.rs Chamber of Commerce and Industry of Serbia
porezna-uprava[.]com porezna-uprava.hr Ministry of Finance of Croatia, Tax Administration
porezna-uprava[.]net
pufbih[.]com pufbih.ba Tax Administration of the Federation of Bosnia and Herzegovina

The decoy PDFs revolve around the tax theme.

Table 2. Decoy PDFs used in the campaign
PDF name Language Content
MIP1023.pdf Bosnian Tax form
Ponovljeni-Stav.pdf Bosnian Tax law
AUG_1031.pdf Bosnian Instructions for using tax filing application
Zakon.pdf Croatian Tax law
ZPDG.pdf Serbian Tax law

Figure 2. Decoy PDF documents

Most often, the links leading to an executable file are disguised as links to a PDF. The executable file is a WinRAR self-extractor with its name and icon changed to resemble a PDF to fool the user. When executed, it is configured to unpack its content, open the decoy PDF to prevent any suspicion – and silently execute either BalkanRAT or BalkanDoor.

In some of the latest samples of BalkanDoor detected in 2019, the malware is distributed as an ACE archive, disguised as a RAR archive (i.e., not an executable file), specially crafted to exploit the WinRAR ACE vulnerability (CVE-2018-20250). This vulnerability, which has been remediated in version 5.70 released on February 28th, 2019, is known to have been exploited quite often to distribute malware.

The exploit-based deployment of BalkanDoor is stealthier than in previous versions of the malware because it does not require executing the downloaded file – an operation that might raise the intended victim’s suspicions.

According to our telemetry, most of the time, both tools have been deployed on the same machine. The combination of the tools gives the attacker both a command-line interface and a graphical interface to the compromised computer.

In the case of the whole toolset being deployed on the machine, here is an example scenario for the attack:

The attacker detects that the victim has their screen locked and thus, most probably, is not using the computer (either via BalkanDoor sending screenshot showing that computer is locked, or via the View Only mode of BalkanRAT). Via the BalkanDoor backdoor, the attacker sends a backdoor command to unlock the screen… and using BalkanRAT, they can do whatever they want on the computer.

However, even if the victim does not use their computer, the chance of them spotting the actions performed by the attackers is still there. Even with this disadvantage, using the RDS tool may be useful. The attacker is not limited by the commands shipped in the backdoor, or by their programming skills: manually, they can perform actions that would require writing a lot of code if a backdoor was the only tool available.

In principle, the Balkan- toolset could be used for espionage, among other possible goals. However, not only the campaign’s targets and distribution, but also our analysis of the Balkan-toolset tools show that the attackers are going after money instead of espionage.

The BalkanDoor backdoor does not implement any exfiltration channel. Presumably, if the campaign were intended for espionage, the attackers would need an exfiltration channel for uploading the collected data – at least as a backup to manual exfiltration, which might not be always an option.

On the contrary – and supporting the notion that the attackers’ goal has been to commit some financial crime – we’ve seen BalkanRAT dropping a tool that can list available smart cards, via the SCardListReadersA/ SCardConnectA API functions. Smart cards are usually issued by banks or governments for confirmation of the holder’s identity. If misused, smart cards can facilitate illegal/fraudulent activities, e.g. digitally signing a contract, validating a money transaction etc.

In the past, we’ve seen this feature in Operation Buhtrap, a campaign targeting Russian banks.

BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, ranging in supported commands, evolving since 2016.

The initial dropper unpacks all components, opens a decoy PDF (in some cases) and executes a batch installation script that ensures persistence of the backdoor.

The backdoor registers itself as a service, under a legitimately-looking service name (e.g. WindowsSvc, WindowsPrnt, WindowsConn or WindowsErr); the accompanying batch scripts can further ensure persistence by using Registry Run Keys or Startup folder.

After the backdoor is installed, the computer connects to a C&C server, identifying itself by the computer name and requesting the commands. The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience. It connects via the HTTP or HTTPS protocol; if HTTPS is used, then the server certificates are ignored.

If the connection is not successful, the backdoor is capable of using the user-configured proxy on the victim’s computer and repeating the connection attempt.

The backdoor commands come in a format of an INI file, with properties determining the commands, command arguments and intended recipients. Specifying the list of recipients allows the attacker to send their commands to several compromised computers at once, e.g. to automatically take screenshots of all compromised computers.

Table 3. BalkanDoor’s commands
Commands Functionality
cn Specifies computer name(s) of the intended recipients of the commands
du, int Download and execute a file
du, ra, de, rpo Download and execute a file, in the specified context and on a specified desktop
rip Create a remote shell accessible from the specified IP address
scr_int, scr_dur Capture a series of screenshots of the specified duration

Furthermore, the backdoor itself can be executed in several modes, determined by the command line arguments with which it is executed. These modes themselves can serve as backdoor commands (when executed from the remote shell):

Table 4. BalkanDoor’s modes
Argument Functionality
/unlock Unlocks the screen
/rcmd Creates a remote shell and redirects its input/output to the specified IP address
/takescr Captures a series of screenshots, duration determined by other arguments
/run Executes the specified command using cmd.exe
/runx Executes the specified command using cmd.exe, on the active (input) desktop
/inst Installs itself as a service and starts the main procedure (see /nosvc)
/start Starts the associated service, which starts the main procedure (see /nosvc)
/nosvc Main payload, communicates with C&C and interprets backdoor commands

Among the BalkanDoor capabilities, the most notable is passwordless screen-unlocking.

This feature comes in handy to the attackers in cases when a logged-in user locks the computer. The “Lock screen” is just another Desktop for the system, so any malware with the necessary privileges can switch to a real desktop by command. No password is required to perform this operation.

Figure 3. Code responsible for unlocking the computer when the backdoor is executed remotely with an “/unlock” argument

The BalkanRAT part of the malicious Balkan- toolset is more complex compared to its backdoor accomplice. Its goal is to deploy a copy of the Remote Utilities software, which is commercial software by a Russian vendor, Remote Utilities, LLC, used for remote access to a computer or for remote administration. BalkanRAT also provides the attacker with the credentials needed for this remote access.

BalkanRAT has several additional components to help load, install and conceal the existence of the RDS. They can add exceptions to the firewall, hide the RDS’s window and its tray icon, and hide the presence of related processes in the task manager.

Figure 4. Components used in the campaign to deploy and hide the presence of the RDS

  1. The dropper first unpacks all components; a configuration file, the remote desktop software and a core component installing it, a userland rootkit, a GUI hider and a decoy PDF file.
  2. The dropper opens the PDF file so as not to arouse suspicion of the user.
  3. Covertly, the dropper executes the core component (32-bit) in the installation mode.
  4. The core component (32-bit) installs itself to be executed with each start, and adds exception to the firewall for the RDS. It executes commands inst1 and inst2 specified in the configuration file, and executes itself again, now in stealth mode.
  5. In this mode, the core component acts like a keylogger.
  6. The core component (32-bit) executes the 64-bit version of itself, in injection mode (if applicable).
  7. The core component (64-bit) injects the userland rootkit (64-bit) into task manager processes. The userland rootkit then hides presence of the malicious processes in the task manager.
  8. The core component (32-bit) executes the RDS. It repeatedly monitors and hides the RDS window (because it is a GUI application).
  9. The core component (32-bit) injects the userland rootkit (32-bit) into task manager processes. The userland rootkit then hides presence of the malicious processes in the task manager.
  10. The core component (32-bit) executes commands cmd1 and cmd2, as specified in the configuration file. One of such commands was seen executing a GUI hider, which is an AutoHotKey script hiding the tray icon of the RDS.

Note: Some components are optional. Also, sometimes they are deployed as a set comprising an encrypted payload and the corresponding loader. We are omitting these details.

The configuration file of BalkanRAT is in INI file format (similarly to BalkanDoor, which uses this format for backdoor commands), with one section named [CFG]. The INI file is used by the malware’ core component and the userland rootkit.

Property Functionality
inst1, inst2 Commands executed by the core component during installation
cmd1, cmd2 Command executed by the core component main payload
hproc List of processes that should be hidden by userland rootkit
mproc List of processes where userland rootkit is injected

Figure 5. BalkanRAT’s configuration file – properties (top) and example (below)

BalkanRAT’s core is a multipurpose component (there are both a 32-bit and a 64-bit versions); it can be executed in various modes, determined by the command-line argument. Most significantly, it is used for installation of BalkanRAT, launching a userland rootkit and adding exceptions for the RDS component in the firewall.

Table 5. BalkanRAT’s core component – supported functionality
Argument Functionality
/rhc Executes a batch file
/fwl Adds exception to the firewall for the specified program
/sreg Sets configuration data for the RDS in the registry (especially email address where the credentials should be sent)
/inst Ensures persistence by adding itself to the [HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NTCurrentVersionWindows] registry key under the “load” entry. Adds exception for the RDS to the local firewall. Executes itself again in the main mode (no arguments).
/inj Injects the userland rootkit library into processes, as specified in the configuration file
(none) Main mode. Executes the 64-bit version of itself (if applicable), injects the userland rootkit, executes the RDS and hides the window by changing its coordinates to values outside the screen.
Another thread captures pressed keystrokes.

The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access. Instead of using the official version, BalkanRAT deploys a copy signed by a certificate of the attacker.

The client side of the RDS running on the victim’s computer must know the unique ID and the password, both generated on the server side, to connect to the server. The RDS deployed by BalkanRAT is configured in such a way that the password is the same for all victims, and the generated unique ID is sent to the attacker’s email address by the tool itself.

Since the tool BalkanRAT misuses is legitimate, it leverages the genuine Remote Utilities’ infrastructure for this communication (rutils.com, server.rutils.com); due to this, the communication may seem legitimate to the user – and to security products.

As a result, the attacker has obtained credentials to access the compromised computer via the Remote Utilities software. Using this tool, they can broadcast the screen to monitor the activity of the user and manually take over the compromised computer.

Figure 6. A window the victim never sees. With a legitimate copy of Remote Utilities, this window is visible; however, BalkanRAT will hide it using the GUI hider feature.

To remain stealthy, BalkanRAT uses the GUI hider feature. In most samples (some older ones are an exception), it is implemented as an AutoHotKey script, compiled into an executable file so that it can be run on a computer even if AutoHotKey is not installed there. The purpose of this script is to hide the tray icon of the RDS client.

Figure 7. AutoHotKey script embedded in the resource section of the executable

Another notable feature used by BalkanRAT to stay hidden is the ability to hide processes from the user.

To achieve this, userland rootkit libraries are injected in processes hardcoded in the configuration file. The userland rootkit hooks the NtQuerySystemInformation function for the process in which it is injected. In case SystemProcessInformation is queried, it filters out all entries for processes with the names specified in the configuration file. As a result, conventional task manager utilities will not display the processes the attackers want to keep hidden from the user.

Figure 8. With the userland rootkit injected, some processes are missing in the list (left). Without the rootkit, the processes are visible (right).

Naturally, the list of processes that will be hidden contain mostly ones belonging to BalkanRAT. However, we have also seen names like “weather.exe” or “preserve.exe” in the list – which belong to the BalkanDoor backdoor. This finding supports the belief these two tools are indeed used together.

Both BalkanRAT and BalkanDoor have some interesting tricks up their sleeves and each of them separately pose a significant risk to the victims. If used together as a toolset, they make an even more powerful weapon – the more the campaign we have discovered targets accounting, a function that is critical for organizations.

The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016. (The only source we have been able to find describing it is in Russian.) In that case, the attackers’ goal was to take control over a notary computer and issue some illegal operation on behalf of the notary.

Just as attackers may confirm a fraudulent transaction on behalf of a notary, they may perform a fraudulent transaction while impersonating a manager in a company’s financial department.

To stay safe, business users – and their employers – should follow basic cybersecurity rules: be cautious about emails and scrutinize their attachments and links, keep their software updated and use a reputable security solution.

ESET detection names

Win32/BalkanDoor.A
Win32/BalkanDoor.B
Win32/BalkanRAT.A
Win32/BalkanRAT.B
Win64/BalkanRAT.A
Win64/BalkanRAT.B

SHA-1

BalkanDoor – executable files

02225C58A0800A8FFFE82F7614695FDEEB75C8B3
3E8AF08F2C64D9D305A129FDEA6B24ED3D8D9484
400FF3FD5BEF94DCBEAE24B5B8A6632DCD1D22A6
576EF0057982DE87CA029C736706E840031A27F4
5CC4F248595268A0C9988DAEE3F0F8F9F5AC0A7F
60EB2A19EC63FF36D13F472EC0E6A594C2778CE6
7AA3D6EA4736C3BF627DB1837B9C8D2B29D7AB8D
AC5383306459CE8CD19BFF412875F093B40427C6

BalkanRAT – executable and auxiliary files

006B8EF615550BA731A30FA83B0E03CD16D2A92D
030DC8C3832F664FA10EFA3105DFF0A9B6D48911
032884A46430039ED4E38518AA20742B79AB2678
09D18CD045285A753BCF4F42C6F10AF76913546A
0F7A95C89911E3DE9205FF6AA03E1A4FCE6BC551
13D8664B438DA278CEB9C8593AE85023432054CD
17EA62EBC5F86997FD7E303FBBFF3E343DA38FCC
1C03ED1ADF4B4E786EFC00F3D892217FAAAFB268
15EC88015FB554302DB131258C8C11C9E46209D4
21DE3EB6F39DF4DBBF2D1FE4B6467AAE3D9FBEBD
21EE61874F299661AECC5453F4D6D0EC5380DAD0
270F1FA36365273F14D89EE852D8A438A594CD05
30BA2213BE4355D619E20DA733F27F59DA7B937E
3170B45FB642301687A3A320282099B9D7B7F0F2
38E7FCD6038E688DEC9F1AF9D2D222B9BBC03A8C
3927B48D315F6712D33166A3B278B7835E76A6A9
3C1FF7BBE8BC2BE9E5531FFAD25B18F03C51CF6B
421F52733D334BE32C899670426C06CB72D92CDE
46E4B456729CF659527D2697BD8518E67B5A0056
4F8BA64DA7EA16A7CE5AA2C83BBFCE1C8646E424
500A447A187240706C059C16366FEDF1AA13EA77
555844CA5CD40DFC27778C2D3B6AFA43D1B76685
5A3201048D8D9D696102A3C3B98DA99C2CC4FF1F
64E3A46BF393936A79478C891654C1070CEC42D1
685314454A7D7987B38ADD2EDDBAC3DB9E78464F
6C83ABE56219CA656B71AA8C109E0955061DA536
6E27F7C61230452555B52B39AB9F51D42C725BED
6EF16FAA19FC4CEF66C4C1B66E58FB9CFFD8098E
72DB8CCC962E2D2C15AC30E98F7382E3ACDEDDA8
730E20EE7228080A7F90A238D9E65D55EDD84301
73E0A62F1AAAB3457D895B4B1E6E2119B8B8D167
7BA4D127C6CD6B5392870F0272C7045C9932DB17
7BF564891089377809D3F0C2C9E25FD087F5F42B
8852647B1C1A2EFA4F25FEA393D773F9FF94D6FA
8D9A804B1433A05216CFE1D4E61CE5EB092A3505
8F85738534158DB9C600A29B9DED8AC85C3DE8C1
963CF321740C4EF606FEC65FCE85FB3A9A6223AC
97926E2A7514D4078CF51EAC069A014309E607F1
9EA0C6A17EE4EB23371688972B7F4E6D4D53F3C8
9F2C6A44453E882098B17B66DE70C430C64C3B26
A1DEA762DD4329E77FE59526D4ABC0E15DE2BBBC
A56A299A8EEF9F4FF082184F66FAD1B76C7CACB8
A5ACE8F90C33CBDB12D398C0F227EC48F99551BF
AA4AD783DFE3CC6B0B9612814ED9418253203C50
AB311B53591C6625335B9B791676A44538B48821
AEDF43347AF24D266EC5D471723F4B30B4ACC0D0
B18222E93D25649BC1B67FAB4F9BF2B4C59D9A1A
B8F67BB5682B26ACD5969D9C6AC7B45FE07E79E1
BAD38D474D5CAAAC27082E6F727CAE269F64CF3C
BEEF0EE9397B01855C6DAA2BFF8002DB4899B121
BFE3F5CEC25181F1B6852E145013E548B920651E
C268CAB6D8EC267EEE463672809FAAEE99C2F446
C2F9FFDF518DA9E037F76902746DE89C2E2821E8
C3813734D3BFC07E339C05417055A1A106E2FBBD
C8CBBC175451A097E605E448F94C89D3E050ACD5
C90756A3C6F6DC34E12BABF5F26543510AACE704
C90B5471BBA3293C0A0E6829A81FBE2EB10B42B2
CD1BC431F53E9CFF8204279CDF274838DE8EBB61
CD82D898A3CEA623179456D9AE5FAD1FB5DA01A0
CDBB74CA0960F2E8631D49ACABF2CEA878AE35B8
CE7092FF909E9380CC647C3350AA3067E40C36A9
CEA70DB7FB8E851EF0D6A257A41C9CEE904345B5
CF7A8AFAC141E162A0204A49BAD0A49C259B5A45
DEEA26F5AF918CEC406B4F12184F0CAB2755B602
DFDFCC61770425A8D1520550C028D1DF2861E53F
E0007A2E0E9AE47DD028029C402D7D0A08EBBC25
E00C309E3FE09248B8AFCFF29FC1A79445C913DA
E95C651C539EAF73E142D1867A1A96098A5E219F
ECEEE01F4E8051F544062AE37D76A3DF2921DF82
F06CB000F9A25DDE791C7E5BC30917C74A8F2876
F26C663D5F6F534543A7C42B02254C98BB4EC0D5
F3BC2F436693B61FED7FA7DDF8BC7F27618F24F3
F6030AE46DC2CEF9C68DA1844F7DCEA4F25A90A3
FA19E71F9A836EA832B5D738D833C721D776781A
FFE23D510A24DB27C1C171D2BAF1FBEB18899039

Remote Utilities (otherwise legitimate releases signed by attackers’ certificates)

038ECEB80597DE438D8194F8F57245EB0239FF4B
2A1BB4BB455D3238A01E121165603A9B58B4D09D
34CE3FBEE3C487F4F467B9E8EB36844BB5ACB465
3B88D4047FA2B8F8FA6241320D81508EB676EA7A
400438EB302886FD064274188647E6653E455EED
42F70DAA8C75E97551935D2370142C8904F5A20D
446D3FBAE9889FE59AFAD02C6FB71D8838C3FC67
4D46FB773C02A9FF98E998DA4F0777FB5D9F796B
510C93D3DC620B17500C10369585F4AF7CF3CE0D
6A5CA3B9EE0A048F0AEE1E99CBF3943D84F597FF
6D53E7B5099CE11ACA176519620E8064D4FF9AD0
7CEC39AC6A436577E02E7E8FE8226A00E58564CB
8888014C16732CD5136A8315127BA50BB8BB94ED
A5A05BA6E24226F1BC575CBC12B9FC59F6039312
B77CFFF0E359946029120DD642505BC0A9713ECC
BC6F31D5EBC71FF83BACC0B4471FDEFC206B28D0
BE8A582360FB16A4B515CD633227D6A002D142FA
C6E62A113E95705F9B612CDBF49DAC6BAD2073BD
D8D27C742DA87292EF19A197594193C2C5E5F845
DBE0E084B2A8CE4711C3DF4E62E8062234BF6D3B
E56189FE86C9537C28099518D4F4EA2E42EF9EEE
E918192D2B5C565A9B2756A1D01070C6608F361C

Scripts

0BD6C70B7E2320F42F0CFC2A79E161614C7C4F66
7A41B912A3F99370DF4CD3791C91467E23B2AA82
A15AB505B79B88A9E868C95CE544942403C58CB6
A8A5980DE35FBF580497B43EF7E8499E004F9F38
B248E43BAB127D8E1E466821B96B7B7ECF37CB78

Configuration files

28F152154F6E6074EA0DE34214102119C8589583
37A2A15C52CAA7D63AF86778C2DD1D2D81D4A270
B4A847D7AAC4164CF90EA585E4842CBF938B26CF

Decoy PDF files

1E0C4A5F0FF2E835D12C3B6571AE6000E81A014B
8722441FF3678D154C89E312DB1A54951DD21C3F
88C3FDA42768C5B465FD680591639F2CDC933283
9F48E109675CDB0A53400358C27853DB48FCD156
C9B592BD7B69995C75CD5B1E4261B229C27FB479

Misused certificates

Name Email Valid from Valid to SHA1 Thumbprint Status at the time of writing
AMO-K Limited Liability Company [email protected] 2015/07/30 2016/07/28 4E36C4D10F1E3D820058E4D451C4A7B77856BDB3 Expired
Valmpak, TOV [email protected] 2016/04/10 2017/04/01 17D50E2DBBAF5F8F60BFFE1B90F4DD52FDB44A09 Revoked
Valmpak, TOV 2016/08/22 2017/11/04 4A362020F1AFD3BD0C67F12F55A5754D2E70338C Revoked
3D PEOPLE LIMITED 2017/11/05 2018/11/06 936EDFB338D458FBACB25FE557F26AA3E101506E Expired
ADUNIK LTD 2017/10/11 2018/10/12 E7DF448539D1E2671DCF787CF368AAC2ED8F5698 Expired
SLOW BEER LTD [email protected]
slowbeerltd.info
2019/01/25 2019/12/18 2359D644E48759F43993D34885167FECAFD40022 Revoked

File names

BalkanDoor

Dropper: Zakon.exe
Backdoors: weather.exe, winmihc.exe, Preserve.exe, PreservS.exe, WindowsConnect.exe
Scripts: weather.cmd, winmihc4.cmd, mihcupdate.cmd
Decoy PDF file: Zakon.pdf

BalkanRAT

Droppers: ZPDGI.exe, ZPDGV.exe, ZPDGE.exe, ZPDGO.exe, ZPDGU.exe, ZPDGA.exe, Ponovljeni-Stav.exe, AUG_1031.exe, MIP1023.exe
Configuration file: stg.cfg
Decoy PDF files: ZPDG.pdf, Ponovljeni-Stav.pdf, AUG_1031.pdf, MIP1023.pdf
Core component: winchk32.exe, wininit.exe, hide.exe, winchk64.exe
RDS: rutserv.exe, rfusclient.exe
Userland rootkit: winmmon.dll, winmmon64.dll
GUI hider components: serk.bat, serk.exe

Folder names

%WINDIR%1B20F6AA-6CAD-45A7-81CB-120FB86FECD8
%WINDIR%29D451CF-3548-4486-8465-A23029B8F6FA
%WINDIR%B1EDD68E-6AD8-4A7E-91A1-3C30903B8DD4
%APPDATA%1B20F6AA-6CAD-45A7-81CB-120FB86FECD8
%APPDATA%29D451CF-3548-4486-8465-A23029B8F6FA
%APPDATA%B1EDD68E-6AD8-4A7E-91A1-3C30903B8DD4

C&C servers

http://bestfriendsroot[.]com/smart.php
http://bestfriendsroot[.]com/weather.php
http://bestfriendsroot[.]com/zagreb.php
http://consaltingsolutionshere[.]com/smart.php
http://consaltingsolutionshere[.]com/weather.php
http://consaltingsolutionshere[.]com/zagreb.php
http://dogvipcare[.]net/kversion.php
http://hvar.dogvipcare[.]net/dekol.php
http://kimdotcomfriends[.]com/smart.php
http://kimdotcomfriends[.]com/weather.php
http://kimdotcomfriends[.]com/zagreb.php
http://limosinevipsalon[.]com/kversion.php
http://luxembourgprotections[.]com/kversion.php
http://malmevipbikes[.]se/kversion.php
http://split.malmevipbikes[.]se/dekol.php
http://zagreb.porezna-uprava[.]com/dekol.php

Email addresses used to exfiltrate Remote Utilities credentials

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

BalkanRAT

Tactic ID Name Description
Initial Access T1192 Spearphishing Link BalkanRAT is distributed via emails that contain links to malware.
Execution T1059 Command-Line Interface BalkanRAT uses cmd.exe to execute files.
T1106 Execution through API BalkanRAT uses ShellExecuteExW and LoadLibrary APIs to execute other malware components.
T1064 Scripting BalkanRAT uses batch scripts for malware installation and execution.
T1204 User Execution BalkanRAT relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents with misleading names, in order to entice the intended victim to click on it.
Persistence T1060 Registry Run Keys / Startup Folder BalkanRAT uses the following Registry Run key to establish persistence: [HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NTCurrentVersionWindows], “load”.
Privilege Escalation T1134 Access Token Manipulation BalkanRAT is able to impersonate the logged-on user using DuplicateTokenEx or ImpersonateLoggedOnUser APIs.
Defense Evasion T1116 Code Signing BalkanRAT is digitally signed with code-signing certificates.
T1140 Deobfuscate/Decode Files or Information BalkanRAT decrypts and decompresses some of its components.
T1089 Disabling Security Tools BalkanRAT is capable of adding exceptions to the local firewall, using its COM interface.
T1112 Modify Registry BalkanRAT modifies the [HKEY_CURRENT_USERSoftwareUsorisRemote UtilitiesServerParameters] registry key to store configuration of the RDS
T1027 Obfuscated Files or Information Some components of BalkanRAT are compressed and then encrypted by a XOR cipher.
T1055 Process Injection BalkanRAT injects a userland rootkit library into processes of task manager utilities.
T1108 Redundant Access Operators of BalkanRAT have been seen deploying a second malicious tool (BalkanDoor) to preserve remote access in case BalkanRAT is removed.
T1014 Rootkit BalkanRAT uses a userland rootkit that hooks the NtQuerySystemInformation function to hide the presence of malicious processes.
T1143 Hidden Window BalkanRAT uses 3 rd party remote desktop software and hides its window and tray icon in order to hide it from the user.
Discovery T1082 System Information Discovery BalkanRAT collects the computer name and the language settings from the compromised machine.
Collection T1056 Input Capture BalkanRAT is capable of logging pressed keystrokes.
Command and Control T1219 Remote Access Tools BalkanRAT has misused legitimate remote desktop software for remote access.

BalkanDoor

Tactic ID Name Description
Initial Access T1192 Spearphishing Link BalkanDoor is distributed via emails that contain links to download malware.
Execution T1059 Command-Line Interface BalkanRAT uses cmd.exe to create a remote shell.
T1106 Execution through API BalkanRAT uses ShellExecuteExW and LoadLibrary APIs to execute files.
T1203 Exploitation for Client Execution BalkanDoor can be distributed as an ACE archive disguised as a RAR archive, exploiting CVE-2018-20250 vulnerability in WinRAR to execute malicious code.
T1064 Scripting BalkanDoor uses batch scripts for malware installation and execution.
T1035 Service Execution BalkanDoor’s backdoor can be executed as a service.
T1204 User Execution BalkanDoor relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents or RAR archives with misleading names, in order to entice the intended victim to click on it.
Persistence T1050 New Service BalkanDoor can be installed as a new service, mimicking legitimate Windows services.
T1060 Registry Run Keys / Startup Folder BalkanDoor can be installed in the Registry Run key, or dropped in the Startup folder.
Privilege Escalation T1134 Access Token Manipulation BalkanDoor is able to create a process under the security context of a different user, using DuplicateTokenEx, SetTokenInformation or CreateProcessAsUserW APIs.
Defense Evasion T1116 Code Signing BalkanDoor is digitally signed with code-signing certificates.
T1107 File Deletion BalkanDoor deletes files with backdoor commands after the commands have been executed.
T1158 Hidden Files and Directories BalkanDoor sets attributes of its files to HIDDEN, SYSTEM and READONLY.
T1036 Masquerading BalkanDoor can be installed as a service with names mimicking legitimate Windows services.
T1108 Redundant Access Operators of BalkanDoor have been seen deploying a second malicious tool (BalkanRAT) to preserve remote access in case BalkanDoor is removed.
Discovery T1082 System Information Discovery BalkanDoor collects the computer name from the compromised machine.
Collection T1113 Screen Capture BalkanDoor can capture screenshots of the compromised machine.
Command and Control T1043 Commonly Used Port BalkanDoor uses ports 80 and 443 for C&C communication.
T1090 Connection Proxy BalkanDoor is capable of identifying a configured proxy server if one exists and then using it to make HTTP requests.
T1008 Fallback Channels BalkanDoor can communicate over multiple C&C hosts.
T1071 Standard Application Layer Protocol BalkanDoor uses HTTP or HTTPS for network communication.

14 Aug 2019 – 11:30AM

Hacking my airplane – BlackHat edition

After welcoming hacking research, automobile technology started to get better at defending against hacks. So why has the airline industry not been as welcoming?

I’m building a homebuilt experimental airplane. Yes, I plan to fly in it. Don’t be afraid, lots of others are too, and this segment of inventors could easily prove a valuable anti-hacking component for big jets and small planes industries alike.

The airline industry is paralyzed with fear of bad press, especially of getting hacked. With more new planes getting wired (and wireless) systems, there will continue to be more networks flying around in the air by your seat in the cabin.

Not all networks control critical things; many are involved in doing quite simple things like changing the color of the lights in the cabin. So what’s the risk to flight control systems? That’s exactly what the automotive industry figured ten years ago: What could possibly go wrong with vehicle control if they got hacked?

Until it did. Here at BlackHat a while back we got to see videos of vehicles swerving out of control following a hack. Thankfully, the automotive industry came to terms with the hacking reality, and (some) even sponsored hacking opportunities like the automotive hacking village here at DefCon later in the week. It was a very positive turn of events. By engaging the hacker culture in a more open way, automobile technology started to get better at defending against hacks, which helps to keep us all safe.

The airline industry has not been as welcoming. While it’s not as plausible to park a jet in a suite at DefCon, seemingly few strides have been made to warmly welcome hacking research. It’s not implausible to make some systems available that are currently used in aircraft, but there seems to be cultural inertia that has only warmed slightly to the thought.

So now we have a briefing here at BlackHat about messing with the in-flight guidance systems on small planes. These kinds of systems are often used in planes like mine.

But unlike typical manufacture disclosure processes, which can be, um, unfulfilling and unwelcoming, those who work on their own planes, for which they are considered the manufacturer, are prime candidates to engage to help work things out.

After all, we don’t really have large PR inertial problems, we just want to fix the problem. Our stock won’t tank. We can publish findings to enthusiast lists and groups in the U.S. like the Experimental Aircraft Association (EAA) where people share ideas rather quickly, and thereby become a sort of ad hoc beta test group.

Can it work? Absolutely. About 40 years ago, the homebuilt/experimental groups started hacking planes for performance. Nowadays, a homebuilt aircraft might be constructed of carbon fiber laminate flow wings with Fowler slotted flaps for low-speed handling in a high-speed aircraft that will absolutely destroy the performance of the heavily regulated light planes the aircraft industry still produces, which are still largely based on 70‑year‑old technology still today. At half the price.

One model of homebuilt, the Lancair IV-P, using the same engine used to fly a certificated airplane around 200 miles per hour, cruises along at around 350. It’s embarrassingly good what hacking improvements can bring to an industry.

Are homebuilt aircraft safe? Yes. They have similar insurance rates as other high-performance aircraft, so there’s been enough time to prove solid designs reliable.

It’s time to engage the industry – not to find fault, but to fix problems. And we’re here to help. If you let us.

13 Aug 2019 – 11:30AM

Facebook hits two app developers with lawsuit

The legal action, brought over alleged click injection fraud, is said to be among the first of its kind

Facebook announced this week that it is suing two Asia-based Android app developers over alleged ad fraud.

The social network alleges that LionMobi, based in Hong Kong, and JediMobi, based in Singapore, made apps available on the Google Play store that planted malware on people’s smartphones with the aim of generating phony clicks on ads that appeared on people’s phones.

“LionMobi and JediMobi generated unearned payouts from Facebook for misrepresenting that a real person had clicked on the ads,” said the social network.

The ads were part of Facebook’s Audience Network, which enables advertisers to extend the reach of their Facebook and Instagram campaigns to thousands of other websites and apps. Facebook has expelled both developers from the program and refunded the advertisers who had been affected by the alleged fraud.

Facebook didn’t disclose in its blog post how much revenue it believes the app developers have made. According to the company’s court complaint cited by Bloomberg, however, one of the apps generated more than 40 million ad impressions and 1.7 million clicks through Audience Network over a three-month period at the end of 2018.

“At times, the malware was delivered in the form of ‘updates’ to the apps and, after October 2018, the malware was included directly in the apps,” reads the complaint.

One of LionMobi’s apps as available in Google Play as of May 22nd, 2019 (source: web.archive.org)

By TechCrunch’s count, apps developed by LionMobi and JediMobi amassed more than 207 million installs before they were booted from Google Play.

Meanwhile, LionMobi rejected the accusations and said that it “never obtained any illegal income by so-called click injection fraud on the Facebook platform”.

The firm also told Bloomberg that its app revenue came from third-party software development kits (SDKs) that are common to mainstream ad platforms. LionMobi also said that it had learned about some of the SDKs on its apps being potentially in breach of Facebook’s policies, which prompted it to remove the SDKs.

JediMobi has yet to comment on the issue. The two companies launched several apps each, including apps marketed as a battery tool, a phone cleaner, and a calculator.

Earlier in 2019, Facebook sued a number of companies and individuals in China and New Zealand for selling fake accounts, likes and followers on Facebook itself and Instagram.

8 Aug 2019 – 05:05PM

Varenyky: Spambot à la Française

ESET researchers document malware-distributing spam campaigns targeting people in France

In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, we identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP. We notified them before the release of this publication.

We believe the spambot is under heavy development and it has changed a lot since the first time we saw it. A mention about this threat was posted on Twitter by AnyRun; however, to the best of our knowledge no one has published a detailed analysis of it. We named this new malware Varenyky, and on July 22nd, ESET researchers saw it launch its first sextortion scam campaign.

This spambot is interesting because it can steal passwords, spy on its victims’ screen using FFmpeg when they watch pornographic content online, and communication to the C&C server is done through Tor, while spam is sent as regular internet traffic. This article describes the functionality of the malware.

Distribution

Varenyky was seen for the first time early in May 2019. At this time, we unfortunately cannot tell how it was distributed, but the more recent email phishing distribution and context suggest that the operator has been using this technique since the beginning.

One month later, in June 2019, we saw the first malicious document that initiates the infection of the victim’s computer, attached to an email message (Figure 1).

Figure 1. Screenshot of email distributing Varenyky downloader

That email states that a bill of €491.27 is available and attached. The Microsoft Word document filename contains the word “facture” which is a French word for “bill”. Also, when the victim opens the document, it states that the document is protected by Microsoft Word and “requires human verification”.

Figure 2. Malicious document

The content of the document (Figure 2) explains how to enable the “human verification”, which, in fact, is how to enable macros. For security purposes, Word macros are not enabled by default and need user interaction to execute.

Overall, the email text content, the document’s filename and the “protected” content of the document emphasize to the recipients that they are dealing with a real bill and that they should open it. The quality of the French is very good; overall, the document is convincing.

Targets

Varenyky targets the French. The macro (Figure 3) contained in the Word document has two purposes: the first is to filter out non-French victims based on their computers’ locale and the second is to download and execute the malware.

Figure 3. Word macro

The macro uses the function Application.LanguageSettings.LanguageID() to get the language ID of the victim’s computer. This ID contains the country and the language set by the user. The script checks if the value returned is 1036 in decimal (or 0x40C in hexadecimal) and according to the Microsoft documentation this value corresponds to France and the French language (Figure 4).

Figure 4. Language ID table

This is a good trick to fool automatic sample analyzers and to avoid drawing attention because of the limited number of computer configurations on which this malware will be installed.

It’s worth noting that by using this specific locale identifier, it excludes French-speaking countries other than France such as Belgium and Canada, which have their own identifiers.

There is also an additional language check in the downloaded executable regarding the keyboard layout. This check is done at the very beginning of the executable that is downloaded and run by the macro (Figure 5).

Figure 5. Hex-Rays output of keyboard layout check

Once again, a verification is done to filter out people with a keyboard layout in English or Russian. If it matches, it displays the following message box (Figure 6) and exits.

Figure 6. Message box for English and Russian keyboard layouts

Figure 6. Message box for English and Russian keyboard layoutsLet’s describe the malware’s functionality once it’s running on a system it targets.

Older variants of Varenyky used the UPX packer, but recent samples use a custom packer. The custom unpacker will first XOR its payload with a 32 character-long alphanumeric string and then decompress it using the LZNT1 algorithm, which is a variant of LZ77. The unpacked malware is never written to disk.

If the malware has not yet been installed, it will create a directory in %APPDATA% with a specific name. It’s an upper-case hash made of the machine’s GUID, user name, computer name and CPU name: see Figure 7. It creates a mutex named with this same hash to avoid two instances running at the same time.

Figure 7. Functions that gather information used to compute the hash

The malicious payload will then extract multiple libraries and the Tor executable, which are embedded inside of itself, to the directory it just created. These libraries include zlib and dependencies for programs compiled with MinGW. The malware’s executable is finally copied to this directory and the original is deleted from the temporary directory where it was downloaded via the macro.

It also makes itself persistent by adding an entry to HKLMSoftwareMicrosoftWindowsCurrentVersionRun in the Windows Registry. The mutex is released and the malware restarts itself from its directory in %AppData%.

On the second run, the malware notices that it is already installed. It will execute Tor and fetch its external IP address using AWS’ checkip.amazonaws.com service.

It will start two threads: one that’s in charge of sending spam and another one that can execute commands coming from its C&C server. This is where versions of the malware differ. Some variants have more threads that are sending spam at the same time and some have different functionalities when it comes to the commands that the C&C server can have it execute. All communication to the C&C is done through Tor at jg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd.onion using the HTTP protocol.

Early versions of the malware could receive a command to download a file and execute it. The malware was able to handle executable files, batch files and PowerShell scripts. Support for the last was later removed. The malware could also be instructed to update itself with an executable that had to be downloaded from a specific URL. There is another command that will uninstall the malware from the computer, although it doesn’t remove the change that it made to the registry.

A new command was later added, allowing the malware to deploy NirSoft’s WebBrowserPassView and Mail PassView tools. These are password recovery tools for web browser and email client passwords. They are routinely abused by malware and thus detected by ESET as potentially unsafe applications. Both are LZNT1‑compressed executable files embedded inside the malware. They are extracted, injected into another executable and run once to steal the victim’s passwords, which are then exfiltrated to the C&C server.

The most recently added command will create a hidden desktop on the victim’s computer. The malware can be directed to start various applications that have a graphical interface, such as web browsers and the Windows Run dialog on this invisible desktop. It has the ability to accomplish various tasks, such as navigating menus, reading text, taking screenshots, clicking on the screen, and also minimizing, restoring and maximizing windows.

The C&C commands are summarized in Table 1.

Table 1. List of commands that can be sent by the C&C server
Command name Description
DL_EXEC Downloads a file (.exe or .bat) that the malware will execute
UPDATE Downloads an executable to replace the malware’s executable
UNINSTALL Removes the malware from the computer’s disk
NIRSOFT Extracts NirSoft’s WebBrowserPassView and Mail PassView, runs them once and sends the results to the C&C server
HIDDEN_DESK Creates a hidden desktop to accomplish various tasks

A feature that made an appearance and was modified in subsequent versions finally to be removed was a function that made the malware scan the title of the open windows on the computer. If the malware found a porn-related word in French or the word “bitcoin” in the title of a window, it sent the window’s title to its C&C server.

Figure 8. Words that the malware looked for

This feature was later changed so that when encountering the word “sexe”, the malware would record the computer’s screen using an FFmpeg executable that it previously would have downloaded through the Tor network. The video was uploaded to the C&C server after it was recorded.

These videos could have been used for convincing sexual blackmail; a practice called sextortion. It’s unknown if these videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them through sextortion. Different versions of this malware used different strings to identify itself to the C&C server. One of them was “Bataysk”, which is a Russian city known to have a “monument that shows a man’s hand gripping a nubile female breast”. Another sample identified with “PH”, which probably stands for the initials of a popular pornography website. And another version identified with the string “Gamiani_MON”; Gamiani is a French erotic novel and “MON” probably means “monitoring”.

C&C server home page

Over time, many changes were made to what appears to be the C&C server’s login panel. At first (Figure 9), it displayed the VADE RETRO SATANA verse in Latin and a red-eyed statue of Marianne, a national personification of the French Republic. On the upper-right, the sign in German reads “Stop – State border – No entry”. The word “войти” on the button below the keypad means “login” in Russian and Ukrainian.

Figure 9. First version of the login panel

It was later updated to play the song “F*ck them all” by Mylène Farmer when viewing the web page (Figure 10).

Figure 10. C&C server login panel with song player added

In the last update that added content, seen in Figure 11, the C&C login panel displays dancing parrots with a Serbian flag. It makes a reference to OCaml, a programming language created by French people. Ricard is a reference to the 1963 movie The Pink Panther. On the lower-right, it says, in French “Alcohol abuse is dangerous for your health, drink with moderation”, which is the official warning on alcohol advertisements in France. The picture above the warning shows a Jelen pivo pale lager from a Serbian brewery. The song that plays is now “Opa!” by the Russian band Diskoteka Avariya.

Figure 11. Screenshot of the login panel of the C&C server

At the time of publication of this blogpost, the login panel has been uncluttered and only the keypad remains.

“You’ve got mail”

This spambot will send emails using the SMTP protocol through port 25 and only targets the customers of the French ISP Orange. Each bot receives instructions from the C&C server in order to craft an email, including the body of the message, a list of email addresses to spam and the server to use to send the emails. The mail servers used to relay the spam don’t look like they belong to the malicious actors; they look like servers that have not been properly secured and they don’t require authentication.

Figure 12. Two different spam emails

Spam messages sent by this spambot are as simple as “If this message doesn’t show up correctly, click here” or “Please follow the link: <URL>” (Figure 12). There are also emails with attachments. These links lead to a scam, which is a survey (Figure 13) where the victim always “wins” a promotion for a recent smartphone.

Figure 13. Survey where the victim always wins a smartphone

The link takes victims to a site where they apparently have a chance to “win” a prize such as an iPhone X, a Galaxy S9 or S10+ for €2 or less (Figure 14). To win, they need “only” enter their personal information; name, address, city, email and phone number. The email address that is entered may not work if it’s not what the web page expects, but if successful, the victim will be asked to enter their credit card information including its validation numbers.

People should avoid providing their credit card information to websites they don’t know for deals that are too good to be true. Such deals are often a scheme to get an unwitting user’s credit card information in order to charge them monthly fees, which the user can sometimes learn about by scrutinizing the fine prints. Legitimate contests don’t charge winners a fee so they can claim their prize.

Figure 14. Scam pages with smartphones

Although Varenyky has the ability to record a video of the display while the computer’s user is probably viewing pornography, so far we have seen no evidence of the malware operator leveraging such video. However, coincidentally, on July 22nd we saw Varenyky start a sextortion scam campaign. It is important to note that this campaign is an example of the common sextortion scam that has been widely documented and does not appear to be related to Varenyky’s partial ability to carry out the functions of the fictitious malware described in these scam emails. Figure 15 depicts the scam message we saw Varenyky sending. These emails consist of three JPG images that are used to bypass text-based spam filters.

Figure 15. Screenshot of the sextortion’s email

This email claims that the author, who is a hacker, has gained access to the victim’s computer through a virus that was caught while visiting an adult website (the translation of this is much like that in the English version documented here). It says that the victim has particular tastes in pornography and that the hacker has gained remote control over the victim’s computer. The email also says a video has been made where on one half of the screen is a recording of the victim’s browser and the other half is a recording from the webcam of “you having… fun”.

Furthermore, the email says a copy has been made of the victim’s contact list, pictures, passwords, bank account data and more. It promises that the recipient of this email is not the only victim and that the victim will be left alone once €750 are paid in bitcoin to the BTC address 1PBpawAYJG7FfAxmTagU34CfEFoNobb1Re

The email says the victim has 72 hours to pay before the video is sent to family, colleagues, posted on Facebook, Twitter and elsewhere. It is said that changing passwords, deleting the virus, sending the computer for repair or cleaning the computer will be useless because the victim’s data is on a remote server (“Don’t think I’m a fool”). For proof, the victim can answer “Yes” to the email so the video is sent to six of their most valuable contacts.

The email ends with “This offer is non-negotiable, do not waste my time and yours, think about the consequences of your actions”.

All the email addresses that were seen being targeted are on the domains wanadoo.fr and orange.fr; both are operated by the French ISP Orange S.A. A single bot can send as many as 1500 emails an hour.

At the time of publication, the bitcoin address in the scam email had received four payments. The bitcoin address has been already reported on bitcoinabuse.com for sextortion (Figure 16).

Figure 16. Screenshot of the bitcoin address reported on BitcoinAbuse

This spambot is not very advanced, but the context and story around it make it interesting. We can assume from the fact that it targets France could indicate that the operator has some French understanding, reading or speaking the language, or maybe both. However, the Word document showed us a lack of attention in the operator’s work. In the macro, the operator forgot to change the value of the test_debug variable, which means that the malware will be downloaded whatever the language ID is (French or not French).

There are many functions related to possible extortion or blackmail of victims watching pornographic content, but despite having sent unrelated sextortion scam emails, the operator has not leveraged these as far as we can tell. Many functions have been added and then quickly removed across many different versions in a short period of time (two months). This shows that the operators are actively working on their botnet and are inclined to experiment with new features that could bring a better monetization of their work.

We recommend that people be careful when they open attachments from unknown sources. Keep system as well as security software up to date.

Thanks to Alexandre-Xavier Labonté-Lamoureux for the technical analysis.

Thanks to our peers at proofpoint.com for allowing us to use a screenshot of the phishing email.

Hashes (SHA-1) ESET detection names
0970BDE765CB8F183CF68226460CDD930A596088 Win32/Varenyky.A
09EFD54E3014A7E67F0FCAA543F826AC06BBE155 Win32/Varenyky.A
1C27359023B7195AC739641BBC53789A0BA4A244 Win32/Varenyky.A
1D52D26FC2E7E24FA68F36FA04B36D9516DF036F Win32/Varenyky.A
21128D4E7124FD8F1D1A62FCC01F5D5F6C653811 Win32/Varenyky.A
25FF8154F1CEB0C8E13A3F0F72D855B40819D26B Win32/Varenyky.A
36D9AEF26D9B7E40F1140BB62FF6C76110791FAD Win32/Varenyky.A
6A9213A89708D2D304371A00678755F2C6AFE42B Win32/Varenyky.A
722FE03B7ECA8C11C73CF7206EF0E9A11E857182 Win32/Varenyky.A
7F04B6418E31967C12D30150D1CAE7F48980ED08 Win32/Varenyky.A
93D51AC86C5ED207DD6E77B2E767CDEB23106925 Win32/Varenyky.A
9987B0072EF9850CAB869981B05B85284FDDEE92 Win32/Varenyky.A
A9B04941548917BD67CAA533F5078B75D65DD1EE Win32/Varenyky.A
ABF3AC24BE92ABE3425379418CF53AA65F370279 VBA/TrojanDownloader.Agent.OAW
AC1EB847A456B851B900F6899A9FD13FD6FBEC7D Win32/Varenyky.A
B855C03A47901C52C901FFF606F90BC1C262EB87 Win32/Varenyky.A
C32552EFEDAC932AD53DB4569569780782B04704 Win32/Varenyky.A
PDB paths
C:NoCyReleaseVarenyky.pdb
C:UserslenovoDesktopNoCyReleaseVarenyky.pdb
C:UnTroueCunTroueKhouyaReleaseUnTroueCunTroueKhouya.pdb
Network
artisticday[.]icu
astonishingwill[.]icu
directfood[.]icu
gradualrain[.]icu
proapp[.]icu
provincialwake[.]icu
shrek[.]icu
thinstop[.]icu
jg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd[.]onion

8 Aug 2019 – 11:30AM

FBI warns of romance scams using online daters as money mules

Up to 30 percent of romance fraud victims in 2018 are estimated to have been used as money mules

Scammers are using dating sites and apps not only to scout for lovesick men and women before bilking them out of money, but also to recruit ‘money mules’ for laundering funds obtained in illicit activities.

According to a new warning by the FBI’s Internet Crime Complaint Center (IC3), the latter flavor of confidence/romance scams commonly involves one of a number of meticulously crafted stories that may ultimately result in the victims unwittingly aiding and abetting a crime.

Oftentimes, the con artists convince their marks to open bank accounts under the guise of sending or receiving funds. “These accounts are used to facilitate criminal activities for a short period of time. If the account is flagged by the financial institution, it may be closed and the actor will either direct the victim to open a new account or begin grooming a new victim,” said the FBI.

In some cases, the fraudster will claim to be a European citizen or an American living abroad and will tell the victim about a “lucrative business opportunity”. The “venture” is said to have already attracted a great deal of interest from investors who are willing to fund it, but need a US bank account into which they can send the money.

The story may be spun further, and the scammer will ultimately convince the victim to open the account in their name or register a limited liability company and allow money transfers to flow into the account. In reality, however, the fraudsters transfer stolen money into the account and instruct their unsuspecting crime accomplices into forwarding the money to accounts controlled by the fraudsters.

A recent report by the Better Business Bureau (BBB) said that up to 30 percent of romance scam victims in 2018 were used as money mules.

Faux romance

Of course, dating sites and apps remain rewarding hunting grounds also for the more usual kind of confidence/romance fraud, where the false admirers establish a romantic or friendly relationship with the victim and use various pretenses to request money or financial details.

The problem is becoming increasingly acute, as in 2018 the IC3 received reports from 18,000 people who claimed to have become victims of confidence/romance fraud. The aggregate losses reached US$362 million – an increase of more than 70 percent from 2017.

“In 2018, confidence/romance fraud was the seventh most commonly reported scam to the IC3 based on the number of complaints received, and the second costliest scam in terms of victim loss,” said the FBI. Only losses that emanated from Business Email Compromise (BEC) and Email Account Compromise (EAC) scams were higher last year, according to the IC3’s annual Internet Crime Report (ICR) that we also wrote about recently.

Worse still, it is generally recognized that most victims are too embarrassed to come forward, so the actual losses are expected to be far higher.

Obviously, romance scammers also scout for victims on social media, where, just like on dating sites, they lure victims with fake online profiles, creating attractive personas and elaborate plots.

Here are two more articles and a video about dating fraud, complete with recommendations for how to stay safe.

When love becomes a nightmare: Online dating scams

When it just doesn’t click: How to date online without being scammed



7 Aug 2019 – 12:22PM

Sharpening the Machete

ESET research uncovers a cyberespionage operation targeting the Venezuelan military

Latin America is often overlooked when it comes to persistent threats and groups with politically motivated targets. There is, however, an ongoing case of cyberespionage against high-profile organizations that has managed to stay under the radar. The group behind these attacks has stolen gigabytes of confidential documents, mostly from military organizations. It is still very active at the time of this publication, regularly introducing changes to its malware, infrastructure and spearphishing campaigns.

ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018. While the main functionality of the backdoor remains the same as in previous versions, it has been extended with new features over the course of a year.

From the end of March up until the end of May 2019, ESET researchers observed that there were more than 50 victimized computers actively communicating with the C&C server. This amounts to gigabytes of data being uploaded every week. More than half of the compromised computers were in the Venezuelan military forces, whereas the others were related to education, police, and foreign affairs sectors. This extends to other countries in Latin America, with the Ecuadorean military being another organization highly targeted with the Machete malware. The distribution of this malware in these countries is shown in Figure 1.

Figure 1. Countries with Machete victims in 2019

Machete’s operators use effective spearphishing techniques. Their long run of attacks, focused on Latin American countries, has allowed them to collect intelligence and refine their tactics over the years. They know their targets, how to blend into regular communications, and which documents are of the most value to steal. Not only does Machete exfiltrate common office suite documents, but also specialized file types used by geographic information systems (GIS) software. The group is interested in files that describe navigation routes and positioning using military grids.

The Machete group sends very specific emails directly to its victims, and these change from target to target. These emails contain either a link to, or an attachment of, a compressed self-extracting archive that runs the malware and opens a document that serves as a decoy.

Figure 2 is a typical PDF file displayed to a potential victim during compromise. To trick unsuspecting targets, Machete operators use real documents they have previously stolen; Figure 2 is a classified military document that is dated May 21st, 2019, the same day the related .zip file was first sent to targets. ESET has seen more cases like this where stolen documents dated on one particular day were bundled with malware and used on the same day as lures to compromise new victims.

Figure 2. Decoy (PDF file) in one of the Machete downloaders (blurred)

The kind of documents used as decoys are sent and received legitimately several times a day by the group’s targets. For example, Radiogramas are documents used for communication in the Venezuelan military forces. Attackers take advantage of that, along with their knowledge of military jargon and etiquette, to craft very convincing phishing emails.

The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018. Previous versions were described by Kaspersky in 2014 and Cylance in 2017. In Figure 3 we show the components for the new version of the Machete malware.

Figure 3. Components of Machete

The first part of the attack consists of a downloader that comes as a self-extracting archive, made with 7z SFX Builder. Once the archive is unpacked by the self-extraction code, the extractor opens a PDF or Microsoft Office file that serves as a decoy, and then runs the downloader executable from the archive. That executable is another self-extracting file that contains the actual downloader binary (a py2exe component) and a configuration file with the downloader’s target URL as an encrypted string.

All download URLs we have seen are at either Dropbox or Google Docs. The files at these URLs have all been self-extracting (RAR SFX) archives containing encrypted configuration and py2exe backdoor components. Since May 2019, however, the Machete operators stopped using downloaders and started to include the decoy file and backdoor components in the same archive.

The py2exe binaries can be decompiled to obtain Python code. All of the components – downloaders and backdoors – are obfuscated with pyobfuscate. This has been used in previous versions of the malware as well. Figure 4 shows part of one of these obfuscated scripts.

Figure 4. Script obfuscated with pyobfuscate

Since August 2018, the Machete components have been delivered with an extra layer of obfuscation. The scripts now contain a block of zlib-compressed, base64-encoded text which, after being decoded, produces a script like the one in Figure 4. This first layer of obfuscation is produced using pyminifier with the -gzip parameter.

Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings. A schema summarizing the components is shown in Figure 5.

Figure 5. Backdoor py2exe components of Machete

GoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.

The Chrome.exe component is responsible for collection of data from the victimized computer. It can:

  • Take screenshots
  • Log keystrokes
  • Access the clipboard
  • AES-encrypt and exfiltrate documents
  • Detect newly inserted drives and copy files
  • Execute other binaries downloaded from the C&C server
  • Retrieve specific files from the system
  • Retrieve user profile data from several browsers
  • Collect geolocation of victims and information about nearby Wi-Fi networks
  • Perform physical exfiltration to removable drives

The Machete operators are interested in obtaining specific file types from their targets. Apart from Microsoft Office documents, drives are searched for:

  • Backup files
  • Database files
  • Cryptographic keys (PGP)
  • OpenOffice documents
  • Vector images
  • Files for geographic information systems (topographic maps, navigation routes, etc.)

Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL. Part of the code is shown in Figure 6.

Figure 6. Code for geolocation

The advantage of using Mozilla Location Service is that it permits geolocation without an actual GPS and can be more accurate than other methods. For example, an IP address can be used to obtain an approximate location, but it is not so accurate. On the other hand, if there is available data for the area, Mozilla Location Service can provide information such as in which building the target is located.

The GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.

This component uploads encrypted files to different subdirectories on the C&C server, but it also retrieves specific files that have been put on the server by the Machete operators. This way, the malware can have its configuration, malicious binaries and file listings updated, but can also download and execute other binaries.

The Machete group is operating more strongly than ever, even after researchers have published technical descriptions and indicators of compromise for this malware. ESET has been tracking this threat for months and has observed several changes, sometimes within weeks.

At the time of this publication, the latest change introduced six backdoor components, which are no longer py2exe executables. Python scripts for malicious components, an original executable for Python 2.7, and all libraries used are packed into a self-extracting file.

Various artifacts that we have seen in Machete’s code and the underlying infrastructure lead us to think that this is a Spanish-speaking group. The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries, although we cannot be certain.

A full and comprehensive list of Indicators of Compromise (IoCs) can be found in the full white paper and on GitHub. ESET detects this threat as a variant of Python/Machete.

For a detailed analysis of the backdoor, refer to our white paper Machete just got sharper: Venezuelan military under attack.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]

5 Aug 2019 – 11:31AM

Smart TVs: Yet another way for attackers to break into your home?

A primer on why internet-enabled TVs make for attractive and potentially soft targets, and how cybercriminals can ruin more than your TV viewing experience

With their high-resolution screens, cameras, microphones and innovative interfaces geared towards a better user experience, smart TVs have found their way into many homes. They have become so popular that, according to Statista, more than 114 million smart TVs were sold globally in 2018 and smart TVs account for the majority of TVs sold these days.

In addition, consumers also have the option to turn “dumb” TV sets with HDMI input into “smart” ones by connecting them to external streaming devices. Three of the best-known streaming devices are Google Chromecast, Amazon’s Fire TV, and Apple TV. Nonetheless, there are dozens of TV boxes or streaming boxes that offer similar features.

It is little surprise that Android TV – which encompasses both pure Android implementations and manufacturer-modified versions – is the most popular operating system for smart TVs. With Android and Android TV sharing the same base architecture, many malware strains targeting your Android-powered smartphone or tablet are just as capable of causing havoc on your internet-enabled TV.

How can a smart TV be compromised?

Cybercriminals are typically driven by financial motives. That means they want information they can sell, data they can use to blackmail people, hardware they can hijack, or computing power they can harness. Smart TVs might provide all these opportunities, making them appealing targets.

There’s an arsenal of tools that attackers can combine and use to wreak havoc on a victim’s digital – and actual – life. Malware, social engineering, vulnerabilities, wrong or weak settings, and physical attacks against smart TVs in public spaces rank among the most common techniques used to gain control of smart TVs.

To be sure, Android security has improved since its days of old. The platform, released more than a decade ago, is now more resilient to exploits, its sandboxing techniques have been enhanced, and its attack surface has been reduced courtesy of limiting the number of processes running with root privileges.

Still, its open-source character and huge popularity, together with the imperfect vetting process for Google Play apps, has made the platform, and its users, an appealing target. With Android’s expansion into the Internet of Things (IoT) arena, the risks clearly go beyond touchscreen mobile devices.

Malware

There have been cases of smart TVs falling prey to ransomware similar to Simplocker and the “police virus“ – threats that instruct victims to pay up in order to recover access to their devices. Meanwhile, in 2018 a worm called ADB.Miner hijacked the computing power of thousands of Android devices, including many Android-based smart TVs, and used them to mine digital coins for the attackers. This threat is an example of how malware designed for cryptocurrency-mining has become more complex, gaining the ability to self-propagate and install itself on Android devices by exploiting open debug ports.

Compounding things further, many users root their devices and install software from outside Google Play store for Android TV. Once a device is rooted, an app can run loose and, if malicious, it can leverage the elevated permissions for stealing information from accounts in other apps, execute a keylogger or overall neutralize the system’s security safeguards.

Poor configuration

As hinted at earlier, another threat potentially looming large has to do with misconfiguration of your smart TV. This could be the fault of the vendor, who modified the underlying operating system to add new functionalities, or it could very well be due to your own negligence, or it could be a combination of the two.

The most common ways that device misconfiguration that ultimately set the stage for a cyberattack include keeping ports open, using insecure protocols, enabling debugging mechanisms, relying on poor or default passwords (or no passwords at all), as well as using unneeded services and, as a result, expanding your attack surface.

Lest it be forgotten, insecure settings paved the way to the ADB.Miner outbreak, as the worm scanned for devices with their Android Debug Bridge (ADB) open to remote connections.

Vulnerabilities

Smart TVs are also known to suffer from security vulnerabilities that can make them easy prey for hackers. This includes flaws that make it possible to control some TV models remotely using public APIs or vulnerabilities that allow attackers to run arbitrary commands on the system.

Other proof-of-concept or actual attacks relied on the use of HbbTV (Hybrid Broadcast Broadband TV) commands to gain administrator permissions and execute malicious actions. Additional examples aren’t hard to come by, and one of our earlier articles listed a slew of them.

The fact that TVs have voice assistants built-in and link to a variety of IoT sensors opens another potential attack vector. The large amounts of information that they handle, together with their being hubs for endless sensors, only boosts their appeal to cybercriminals.

Physical attacks through USB ports

Although vulnerabilities can be patched and users can educate themselves to avoid falling for scams, many TVs still wind up in vulnerable spaces. Places where they are physically accessible to outsiders, such as in waiting rooms outside offices or in private living rooms used for events attended by guests who are effectively strangers.

For example, USB ports can be used to run malicious scripts or to exploit vulnerabilities. This can be done quickly and easily by using certain gadgets, such as the famous (or infamous) Bash Bunny by Hak5 and its predecessor, the Rubber Ducky, or indeed any hardware with similar features. And – spoiler alert – they aren’t particularly complicated or expensive to create from zero, either.

With these gadgets in their hands, attackers can automate a wide range of malicious actions based on interaction with the user interface and launch an attack in just a few seconds by simply plugging in a device that looks like a USB stick.

Social engineering

Generally speaking, social engineering remains at the heart of many campaigns aimed at stealing personal information, distributing malware or exploiting security loopholes.

There is

From Carnaval to Cinco de Mayo – The journey of Amavaldo

The first in an occasional series demystifying Latin American banking trojans

At the end of 2017, a group of researchers from ESET’s Prague malware lab decided to take a deeper look at the infamous Delphi-written banking trojans that are known to target Brazil. We extended our focus to other parts of Latin America (such as Mexico and Chile) soon after as we noticed many of these banking trojans target those countries as well. Our main goal was to discover whether there is a way to classify these banking trojans and to learn more about their behavior in general.

We have learnt a lot – we have identified more than 10 new malware families, studied the distribution chains and linked them to the new families accordingly, and dissected the internal behavior of the banking trojans. In this initial blog post, we will start by describing this type of banking trojan in general and then move to the first newly identified malware family we’ll discuss – Amavaldo.

Before moving further, let’s define the characteristics of this type of banking trojan:

  • It is written in the Delphi programming language
  • It contains backdoor functionality
  • It uses long distribution chains
  • It may divide its functionality into multiple components
  • It usually abuses legitimate tools and software
  • It targets Spanish- or Portuguese-speaking countries

We have encountered other common characteristics during our research. Most Latin American banking trojans we have analyzed connect to the C&C server and stay connected, waiting for whatever commands the server sends. After receiving a command, they execute it and wait for the next one. The commands are probably pushed manually by the attacker. You can think of this approach as a chat room where all the members react to what the admin writes.

The C&C server address seems to be the resource these malware authors protect the most. We have encountered many different approaches to hiding the actual address, which we will discuss in this series of blog posts. Besides the C&C server, a unique URL is used by the malware to submit victim identification information. This helps the attackers to keep track of their victims.

Banking trojans from Latin America usually use little-known cryptographic algorithms and it is common that different families use the same ones. We have identified a book and a Delphi freeware library the authors were apparently inspired by.

The fact that this malware is written in Delphi indicates the executable files are at least a few megabytes in size because the Delphi core is present in every binary. Additionally, most Latin American banking trojans contain a large number of resources, which further increases the file size. We have even encountered samples with file sizes reaching several hundred megabytes. In those cases, the file size has been deliberately increased in order to avoid detection.

When analyzing such an executable, it is usually not very hard to decide quickly that it is a malicious banking trojan. Besides the aforementioned characteristics, the authors tend to copy each other’s work or to derive their malware from a common source. As a result of that, most of the Latin American banking trojans look alike. This is the main reason why we mostly see only generic detections.

Our research started with identifying strong characteristics that would allow us to establish malware families. Over time, we were able to do so and identified more than 10 new ones. The characteristics we used were mainly how strings are stored, how the C&C server address is obtained and other code similarities.

The simplest way that these malware families are delivered is by utilizing a single downloader (a Windows executable file) specific to that family. This downloader sometimes masquerades as a legitimate software installer. This method is simple, but also the less common one.

Much more common is to use a multistage distribution chain that typically employs several layers of downloaders written in scripting languages such as JavaScript, PowerShell and Visual Basic Script (VBS). Such a chain typically consists of at least three stages. The final payload is typically delivered in a zip archive that contains either only the banking trojan or additional components along with it. The main advantage, to the malware authors, of this method is that it is quite complicated for malware researchers to reach the very end of the chain and thereby analyze the final payload. However, it is also much easier for a security product to stop the threat because it only needs to break one link in the chain.

Unlike most banking trojans, those from Latin America do not utilize web-injection – instead they use a form of social engineering. They continuously detect active windows on the victim’s computer and if they find one related to a bank, they launch their attack.

The purpose of the attack is almost always to persuade the user that some special, urgent and necessary action is required. This can be an update of the banking application used by the victim, or verification of credit card information or bank account credentials. A fake popup window then steals the data after the victim enters it (an example is seen in Figure 1) or a virtual keyboard acts as a keylogger as seen in Figure 2. The sensitive information is then sent to the attackers who can abuse it in any way they see fit.

Figure 1. Fake popup window that tries to steal an authorization code (Translation: Anti-intrusion tool. Your security is the first priority. Enter your signature)

Figure 2. Virtual keyboard with a keylogger (Translation: Card Password. Enter your card password by clicking on the buttons)

We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.

This is an example of modular malware whose final payload ZIP archive contains three components:

  1. A copy of a legitimate application (EXE)
  2. An injector (DLL)
  3. An encrypted banking trojan (decrypts to DLL)

Figure 3 displays the contents of an example Amavaldo final payload ZIP archive.

Figure 3. Amavaldo components extracted in a folder. The components are: ctfmon.exe (legitimate application), MsCtfMonitor (encrypted banking trojan), MsCtfMonitor.dll (injector).

The downloader stores all the ZIP archive contents to the hard drive in the same folder. The injector has a name chosen to match that of a DLL used by the bundled, legitimate application. Before the downloader exits, it executes the legitimate application. Then:

  • The injector is executed via DLL Side-Loading
  • The injector injects itself into wmplayer.exe or iexplore.exe
  • The injector searches for the encrypted banking trojan (an extensionless file whose name matches that of the injector DLL)
  • If such a file is found, the injector decrypts and executes the banking trojan

Characteristics

Besides the modular structure, the strongest identifying characteristic is the custom encryption scheme used for string obfuscation (Figure 4). As you can see, aside from the key (green) and encrypted data (blue), the code is also filled with garbage strings (red) that are never used. We provide simplified pseudocode in Figure 5 to emphasize the algorithm’s logic. This string handling routine is used by the banking trojan itself, the injector and even the downloader that we will describe later. Unlike many other Latin American banking trojans, this routine does not appear to be inspired by the book mentioned earlier.

Figure 4. String obfuscation in Amavaldo

Figure 5. Amavaldo string decryption pseudocode. This algorithm does not seem to be inspired by the book mentioned earlier.

Additionally, the latest versions of this family can be identified by a mutex that seems to have the constant name {D7F8FEDF-D9A0-4335-A619-D3BB3EEAEDDB}.

Amavaldo first collects information about the victim that consists of:

  • Computer and OS identification
  • What kind of banking protection the victim has installed. The information is gathered from searching the following filesystem paths:
    • %ProgramFiles%DieboldWarsaw
    • %ProgramFiles%GbPlugin
    • %ProgramFiles%scpbrad
    • %ProgramFiles%Trusteer
    • %ProgramFiles%AppBrad
    • %LocalAppData%Aplicativo Itau

The newer versions communicate via SecureBridge, a Delphi library that provides SSH/SSL connections.

As with many other such banking trojans, Amavaldo supports several backdoor commands. The capabilities of these commands include:

  • Obtaining screenshots
  • Capturing photos of the victim via webcam
  • Logging keystrokes
  • Download and execute further programs
  • Restricting access to various banking websites
  • Mouse and keyboard simulation
  • Self-update

Amavaldo uses a clever technique when launching the attack on its victim that is similar to what Windows UAC does. After detecting a bank-related window, it takes a screenshot of the desktop and makes it look like the new wallpaper. Then it displays a fake popup window chosen based on the active window’s text while disabling multiple hotkeys and preventing the victim to interact with anything else but the popup window.

Only Brazilian banks had been targeted when we have first encountered this malware family, but it has extended its range since April 2019 to Mexican banks as well. Even though the previously used Brazilian targets are still present in the malware, based on our analysis the authors focus only on Mexico now.

Distribution

We were able to observe two distribution chains – one early this year and a second one since April.

Distribution chain 1: Targeting Brazil

We first observed this chain in January 2019 targeting victims in Brazil. The authors decided to use an MSI installer, VBS, XSL (Extensible Stylesheet Language) and PowerShell for distribution.

The whole chain starts with an MSI installer that the victim expects will install Adobe Acrobat Reader DC. It utilizes two legitimate executables: AICustAct.dll (to check for an available internet connection) and VmDetect.exe (to detect virtual environments).

Figure 6. Error message when the downloader runs inside a virtual machine (left) or without an internet connection (right)

Once the fake installer is executed, it makes use of an embedded file that, besides strings, contains a packed VBS downloader (Figure 7). After unpacking (Figure 8), it downloads yet another VBS downloader (Figure 9). Notice that the second VBS downloader abuses the Microsoft Windows WMIC.exe to download the next stage – an XSL script (Figure 10) with embedded, encoded PowerShell. Finally, the PowerShell script (Figure 11) is responsible for downloading the final payload – a zip archive with multiple files, as listed in Table 1. It also ensures persistence by creating a scheduled task named GoogleBol.

Figure 7. The first stage. A packed VBS downloader (highlighted in red) embedded inside the MSI installer.

Figure 8. The unpacked first stage

Figure 9. The unpacked second stage. WMIC.exe is abused to execute the next stage.

Figure 10. The third stage. A large XSL script that contains embedded, encoded PowerShell script (highlighted in red).

Figure 11. The fourth (final) stage. An obfuscated PowerShell script that downloads the final payload and executes it.

nvsmartmaxapp.exe Legitimate application 1
NvSmartMax.dll Injector 1
NvSmartMax Payload 1
Gup.exe Legitimate application 2
libcurl.dll Injector 2
Libcurl Payload 2
gup.xml Configuration file for gup.exe

Table 1. Contents of the final payload archive and their descriptions

In Table 1 you can see two sets of payloads and injectors, both using the execution method described earlier. The NvSmartMax[.dll] has been used to execute Amavaldo. The libcurl[.dll] is not directly related to Amavaldo, since it executes a tool that is used to automatically register a large number of new email accounts using the Brasil Online (BOL) email platform. These created email logins and passwords are sent back to the attacker. We believe it to be a setup for a new spam campaign.

Distribution chain 2: Targeting Mexico

The most recent distribution chain we have observed starts with a very similar MSI installer. The difference is that this time, it contains an embedded Windows executable file that serves as the downloader. The installer ends with a fake error message (Figure 12). Right after, the downloader is executed. Persistence is ensured the by creating a scheduled task (as in the first chain), this time named Adobe Acrobat TaskB (Figure 13). Then it downloads all the Amavaldo components (no email tool has been observed this time) and executes the banking trojan.

Figure 12. The fake error message displayed by the installer

Figure 13. The scheduled task created by the downloader

We believe that companies are being targeted via a spam campaign by this method. The initial files are named CurriculumVitae[…].msi or FotosPost[…].msi. We think that the victims are deceived into clicking on a link in an email message that leads them to downloading what they believe is a CV. Since it should be a PDF, running an apparent installation of Adobe Acrobat Reader DC may seem legitimate as well.

Since the authors decided to use the bit.ly URL shortener, we can observe additional information about their campaigns (Figures 14 and 15). As we can see, the vast majority of the clicks on those URLs were geolocated in Mexico. The fact that email is the most frequent referrer supports our assumption about spam being the distribution vector.

Figure 14. Statistics for a recent Amavaldo campaign targeting Mexico (1)

Figure 15. Statistics for a recent Amavaldo campaign targeting Mexico (2)

In this blog post, we have introduced our research into the banking trojans of Latin America. We have described what is typical for such malware and how it operates. We have also presented what key features we have used to establish malware families.

We have described the first malware family – Amavaldo – its most typical features and targets, and analyzed recent distribution chains in detail. Amavaldo shares many typical characteristics of Latin America banking trojans. It splits its functionality into several components, so that having only one component is not enough for analysis. It abuses legitimate applications to execute itself and to detect virtual environments. It tries to steal banking information from Brazilian and Mexican banks and contains backdoor functionality as well.

For any inquiries, contact us as [email protected] Indicators of Compromise can also be found on our GitHub.

Hashes

First distribution chain (Brazil) hashes

SHA-1 Description ESET detection name
E0C8E11F8B271C1E40F5C184AFA427FFE99444F8 Downloader (MSI installer) Trojan.VBS/TrojanDownloader.Agent.QSL
12C93BB262696314123562F8A4B158074C9F6B95 Abuse legitimate application (NvSmartMaxApp.exe) Clean file
6D80A959E7F52150FDA2241A4073A29085C9386B Injector for Amavaldo (NvSmartMax.dll) Win32/Spy.Amavaldo.P trojan
B855D8B1BAD07D578013BDB472122E405D49ACC1 Amavaldo (decrypted NvSmartMax) Win32/Spy.Amavaldo.N trojan
FC37AC7523CF3B4020EC46D6A47BC26957E3C054 Abused legitimate application (gup.exe) Clean file
4DBA5FE842B01B641A7228A4C8F805E4627C0012 Injector for email tool (libcurl.dll) Win32/Spy.Amavaldo.P trojan
9A968341C65AB47BF5C7290F3B36FCF70E9C574B Email tool (decrypted libcurl) Win32/Spy.Banker.AEGH trojan

Second distribution chain (Mexico) hashes

SHA-1 Description ESET detection name
AD1FCE0C62B532D097DACFCE149C452154D51EB0 Downloader (MSI installer) Win32/TrojanDownloader.Delf.CSG trojan
6C04499F7406E270B590374EF813C4012530273E Abused legitimate application (ctfmon.exe) Clean file
1D56BAB28793E3AB96E390F09F02425E52E28FFC Injector for Amavaldo (MsCtfMonitor.dll) Win32/Spy.Amavaldo.U trojan
B761D9216C00F5E2871DE16AE157DE13C6283B5D Amavaldo (decrypted MsCtfMonitor) Win32/Spy.Amavaldo.N trojan

Other

SHA-1 Description ESET detection name
B191810094DD2EE6B13C0D33458FAFCD459681AE VmDetect.exe – a tool for detecting virtual environment Clean file
B80294261C8A1635E16E14F55A3D76889FF2C857 AICustAct.dll – a tool for checking internet connectivity Clean file

Mutex

  • {D7F8FEDF-D9A0-4335-A619-D3BB3EEAEDDB}

Filenames

  • %LocalAppData%%RAND%NvSmartMax[.dll]
  • %LocalAppData%%RAND%MsCtfMonitor[.dll]
  • %LocalAppData%%RAND%libcurl[.dll]

Scheduled task

  • GoogleBol
  • Adobe Acrobat TaskB

C&C servers

  • clausdomain.homeunix[.]com:3928
  • balacimed.mine[.]nu:3579
  • fbclinica.game-server[.]cc:3351
  • newcharlesxl.scrapping[.]cc:3844
Tactic ID Name Description
Initial Access T1192 Spearphishing Link The initial attack vector is a malicious link in an email that leads the victim to a web page the downloader is obtained from.
Execution T1073 DLL Side-Loading The injector component is executed by abusing a legitimate application with this technique.
T1086 PowerShell The first distribution chain uses PowerShell in its last stage.
T1047 Windows Management Instrumentation The first distribution chain abuses WMIC.exe to execute the third stage.
Persistence T1053 Scheduled Task Persistence is ensured by a scheduled task.
Defense Evasion T1140 Deobfuscate/Decode Files or Information The actual banking trojan needs to be decrypted by the injector component.
T1036 Masquerading The injector masks itself as a DLL imported by the abused legitimate application. The downloader masks itself as an installer for Adobe Acrobat Reader DC.
T1055 Process Injection The injector injects itself into wmplayer.exe or iexplore.exe.
T1064 Scripting VBS, PowerShell and XSL are used in the first distribution chain.
T1220 XSL Script Processing The first distribution chain uses XSL processing in its third stage.
T1497 Virtualization/Sandbox Evasion Downloader of Amavaldo uses third-party tools to detect virtual environment.
Credential Access T1056 Input Capture Amavaldo contains a command to execute a keylogger. It also steals contents from fake windows it displays.
Discovery T1083 File and Directory Discovery Amavaldo searches for various filesystem paths in order to determine what banking protection applications are installed on the victim machine.
T1082 System Information Discovery Amavaldo extracts information about the operating system.
Collection T1113 Screen Capture Amavaldo contains a command to take screenshots.
T1125 Video Capture Amavaldo contains a command to capture photos of the victim via webcam.
Command and Control T1024 Custom Cryptographic Protocol Amavaldo uses a unique cryptographic protocol.
T1071 Standard Application Layer Protocol Amavaldo uses the SecureBridge Delphi library to perform SSH connections.
Exfiltration T1041 Exfiltration Over Command and Control Channel Amavaldo sends the data it collects to its C&C server.

1 Aug 2019 – 05:00PM