EU warns of cyber‑risks as 5G looms

What are the scenarios that may prove to be challenging to manage in the 5G world?

The transition from 3G and 4G networks will be a technologically complex task, which carries myriad risks that need to be properly addressed. With the adoption of 5G technology looming around the corner, it is only natural that the member states of the European Union (EU) want to dot their i’s and cross their t’s. To this end, the European Commission and the European Union Agency for Cybersecurity (ENISA) published a report assessing the cybersecurity challenges in 5G networks.

This is hardly surprising, considering that 5G networks will be front and center in our digital lives, with a huge impact on the economy of the EU (and beyond) and on the social lives of its citizens. Virtually every industry will depend on information carried over these networks, and services such as healthcare, energy and transport will be adopting 5G in their operations.

The report deals with the possible risks and even points out a few concrete scenarios that may prove to be challenging to manage in the 5G world. It is based on the results of national cybersecurity assessments submitted to the EU’s executive arm and ENISA by all EU member states. The EU’s assessment drew on input provided by legislators and regulators as well as cybersecurity and telecommunication authorities, security and intelligence services.

Tweet from DigitalSingleMarket (@DSMeu), October 9, 2019: “New high-level report on the EU-wide🇪🇺 coordinated risk assessment of #5G Networks available👉 #CyberSecMonth”

Outlined are the areas that member states view as main threats and cybersecurity risks to 5G networks. Among the scenarios that are of concern to the EU member states are the local or global disruption of 5G networks, spying on the traffic/data, modification or rerouting of the traffic/data, and the destruction or alteration of digital infrastructures and information systems. An example of such a scenario would be a sophisticated attack causing an outage that would impact essential areas such as emergency services and first responders.

The report further categorizes the main types of threat actors and their motivations to attack the future 5G infrastructure. The threats include accidental events that occur as a result of human error, as well as individual hackers, hacktivist groups, organized crime groups, insiders, cyber-terrorists or state-sponsored actors.

Among the security challenges that the EU needs to tackle are the access of third-party suppliers to networks and the use of third-party systems. As the report points out, the technological changes increase the overall attack surface and the number of potential entry points for threat actors.

That is partly due to networks having a less centralized architecture and due to the increased use of software in 5G equipment. The supply chain is another key area that the EU wants to focus on, especially assessing the individual risk profiles of suppliers as that might be another entry point.

You can delve into the full report here.

11 Oct 2019 – 03:05PM

ESET discovers Attor, a spy platform with curious GSM fingerprinting

ESET researchers discover a previously unreported cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions, and privacy-concerned users

ESET researchers have discovered a new espionage platform with a complex architecture, a host of measures to make detection and analysis more difficult and two notable features. First, its GSM plugin uses the AT command protocol, and second, it uses Tor for its network communications. ESET researchers thus named the cyberespionage platform Attor.

Attor’s espionage operation is highly targeted: we were able to trace it back to at least 2013, yet we have identified only a few dozen victims. Despite that, we were able to learn more about the intended victims by analyzing artifacts in the malware.

For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.

Besides standard services such as popular web browsers, instant messaging applications and email services, the list of targeted applications contains several Russian services, as detailed in Table 1.

Table 1. Russian services among the applications targeted for screenshots (process name/window title substrings)
Process name/window title substring | Context
ОДНОКЛАССНИКИ (transl. Classmates) | Russian social network (Odnoklassniki)
AGENTVKONTAKTE | Russian social network (VKontakte)
WEBMONEY | Online payment system used in Russia (WebMoney)
MAIL.YANDEX, ЯНДЕКС.ПОЧТА (transl. Yandex.Mail), MAIL.RU, POCHTA (transl. Mail), MAGENT | Russian email services (Mail.ru, Yandex.Mail)
ПРИГЛАШЕНИЕ ДРУЖИТЬ (transl. Friend request) | Russian text
ВАМ СООБЩЕНИЕ (transl. Message for you) | Russian text
MULTIFON | Russian VoIP service
QIP, INFIUM | Russian IM application (QIP)
RAMBLER | Russian search engine (Rambler)

The list includes the two most popular social networks in Russia (Odnoklassniki, VKontakte) and a VoIP service provided by a Russian telecom operator (Multifon). Our conclusion is that Attor is specifically targeting Russian-speakers, which is further supported by the fact that most of the targets are located in Russia, as seen in Figure 1. Other targets are located in Eastern Europe, and they include diplomatic missions and governmental institutions.

Figure 1. Countries affected by Attor

In addition to its geographical and language targeting, Attor’s creators appear to be specifically interested in users concerned about their privacy.

Attor is configured to capture screenshots of encryption/digital signature utilities, the VPN service HMA, the encrypted email service Hushmail, the email client The Bat! (which supports end‑to‑end encryption) and the disk encryption utility TrueCrypt.

The victim’s use of TrueCrypt is inspected further in another part of Attor. It monitors hard disk devices connected to the compromised computer and searches for the presence of TrueCrypt. If TrueCrypt is detected, its version is determined by sending IOCTLs to the TrueCrypt driver: 0x222004 (TC_IOCTL_GET_DRIVER_VERSION) and 0x72018 (TC_IOCTL_LEGACY_GET_DRIVER_VERSION). These are TrueCrypt-specific control codes rather than standard Windows codes, so the authors of the malware must have studied TrueCrypt’s open-source driver interface. We have not seen this technique used before, nor seen it documented in other malware.

Figure 2. The Device monitor plugin sends non-standard, TrueCrypt-specific control codes to the TrueCrypt driver, in order to determine the TrueCrypt version
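The following is an added triage helper, not code from the Attor analysis or from TrueCrypt: it decodes Windows IOCTL control codes with the CTL_CODE bit layout from the Windows SDK and matches them against the two TrueCrypt codes quoted above, so an analyst watching DeviceIoControl() calls in a sandbox or API-monitor trace can spot the version probe. The trace records are constructed; the device-type constants are the SDK’s.

```python
"""Decode Windows IOCTL codes and flag the TrueCrypt-specific probes.

Added example (not Attor's or TrueCrypt's code). CTL_CODE layout:
  (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""

FILE_DEVICE_DISK = 0x00000007      # Windows SDK constants
FILE_DEVICE_UNKNOWN = 0x00000022
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def ctl_code(device_type: int, function: int, method: int = 0, access: int = 0) -> int:
    """Same arithmetic as the CTL_CODE macro in the Windows SDK."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split a control code back into its four CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


# 0x222004 decodes to FILE_DEVICE_UNKNOWN, function 0x801 (TrueCrypt's
# TC_IOCTL(n) is CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800 + n, METHOD_BUFFERED,
# FILE_ANY_ACCESS)); 0x72018 decodes to FILE_DEVICE_DISK, function 0x806.
TRUECRYPT_IOCTLS = {
    ctl_code(FILE_DEVICE_UNKNOWN, 0x801): "TC_IOCTL_GET_DRIVER_VERSION",
    ctl_code(FILE_DEVICE_DISK, 0x806): "TC_IOCTL_LEGACY_GET_DRIVER_VERSION",
}


def classify(code: int):
    """Return (name_or_None, decoded fields) for one control code."""
    return TRUECRYPT_IOCTLS.get(code), decode_ioctl(code)


def find_truecrypt_probes(trace):
    """Return the (pid, device, code, name) records that probe the TrueCrypt driver.

    `trace` is a list of (pid, device_path, ioctl) tuples such as an
    API monitor would log for DeviceIoControl().
    """
    hits = []
    for pid, device, code in trace:
        name, _fields = classify(code)
        if name:
            hits.append((pid, device, hex(code), name))
    return hits


# Constructed sample trace, not a real capture. The third entry is the
# standard IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D, function 0x500),
# which a legitimate disk-enumerating program also issues.
SAMPLE_TRACE = [
    (1337, r"\\.\TrueCrypt", 0x222004),
    (1337, r"\\.\TrueCrypt", 0x72018),
    (1337, r"\\.\PhysicalDrive0", 0x2D1400),
]

if __name__ == "__main__":
    for hit in find_truecrypt_probes(SAMPLE_TRACE):
        print(hit)
    print(decode_ioctl(0x222004), METHOD_NAMES[decode_ioctl(0x222004)["method"]])
```

The useful part for a detection engineer is the decoding, not the two constants: any control code sent to a \\.\TrueCrypt (or VeraCrypt) device handle from a process that has no business talking to a disk-encryption driver is the signal, and the function-number field tells you which driver operation was requested.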

Attor consists of a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The first step of a compromise comprises dropping all these components on disk and loading the dispatcher DLL.

The dispatcher is the core of the whole platform – it serves as a management and synchronization unit for the additional plugins. On each system start, it injects itself into almost all running processes and loads all available plugins within each of these processes. As an exception, Attor avoids injection into some system and security‑product‑related processes.

All plugins rely on the dispatcher for implementing basic functionalities. Rather than calling Windows API functions directly, the plugins use a reference to a helper function (a function dispatcher) implemented by the dispatcher DLL. A reference to the function dispatcher is passed to the plugins when they are loaded. Because the plugins are injected in the same process as the dispatcher itself, they share the same address space and are thus able to call this function directly.

Calls to the function dispatcher take as their arguments the function type and its numerical identifier. This design makes it harder to analyze individual components of Attor without having access to the dispatcher, as it translates the specified identifier to a meaningful function that is then executed.

Figure 3 illustrates a part of one plugin, calling the function dispatcher on several occasions. In the disassembly on the right, we have replaced the numeric identifiers (that we recovered by reverse-engineering the dispatcher) with descriptive names. Refer to our white paper for a full analysis of the dispatcher’s interface.

Figure 3. Additional plugins use functions implemented in the main module, by calling the function dispatcher (dubbed helperFnc here)

Furthermore, the dispatcher is the only component of the platform that has access to the configuration data. Attor’s plugins retrieve their configuration data from the dispatcher via the interface, as described above.

Attor’s plugins are delivered to the compromised computer as DLLs encrypted with RSA. They are only fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain Attor’s plugins, and to decrypt them without access to the dispatcher. Note what this key choice implies: because recovery uses the public key, the operators must apply the corresponding private key when packaging a plugin. The scheme therefore does not keep plugins secret from anyone who holds the dispatcher, but it does ensure that only the operators can produce a plugin the dispatcher will load.

We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we suspect there are even more plugins that have not yet been discovered.

Table 2. The analyzed plugins and their versions
Plugin ID | Analyzed versions | Functionality
0x01 | 0x0E | Device monitor
0x02 | (no version), 0x0C | Screengrabber
0x03 | (no version), 0x08, 0x09, 0x0B, 0x0C | Audio recorder
0x05 | 0x0A | File uploader
0x06 | 0x0A | Command dispatcher/SOCKS proxy
0x07 | 0x02, 0x04, 0x09, 0x0A | Key/clipboard logger
0x0D | 0x03 | Tor client
0x10 | 0x01 | Installer/watchdog

The plugins are responsible for persistence of the platform (Installer/watchdog plugin), for collecting sensitive information (Device monitor, Screengrabber, Audio recorder, Key/clipboard logger) and for network communication with the C&C server (File uploader, Command dispatcher/SOCKS proxy, Tor client).

Attor has built-in mechanisms for adding new plugins, for updating itself, and for automatically exfiltrating collected data and log files. These mechanisms are illustrated in Figure 4.

In the following sections, we focus on plugins responsible for the two notable features that gave Attor its name – GSM fingerprinting via AT commands, and elaborate network communication using Tor.

Figure 4. Attor’s architecture. Note that ID 0x06 represents a single plugin, but the functionality is split here into two parts for clarity.

Attor’s espionage plugins collect sensitive data (such as a list of documents present on the disk) that is ultimately exfiltrated to a remote server, but these plugins themselves do not communicate over the network.

Only two of Attor’s components communicate with its C&C server: File uploader and Command dispatcher.

Files collected by the “espionage plugins” (Device monitor, Screengrabber, Audio recorder, and Key/clipboard logger) are uploaded to the C&C server automatically by the File uploader plugin. These plugins use a dedicated Upload folder as a central folder to store collected data, and other plugins use it to store log files.

The Command dispatcher plugin downloads commands and additional tools from the C&C server and interprets them. Again, it uses dedicated folders to store its data – most prominently, freshly downloaded plugins and platform updates, and encrypted log data containing status/results of the executed commands.

Attor’s dispatcher monitors the shared folders, and loads any new plugins and updates pushed to the compromised computer.

This means that neither Attor’s dispatcher nor its espionage plugins ever communicate with the C&C server; they only use local shared folders for storing data to be exfiltrated and for reading further instructions from the server.

Both File uploader and Command dispatcher use the same infrastructure to reach the remote server. The network communication itself is scattered across four different Attor components, each implementing a different layer.

Attor uses the Tor onion service protocol, with an onion address for the C&C server. In order to communicate with the C&C server, any plugin must therefore first establish a connection with the Tor client plugin (listening on a non‑default local port), which is responsible for resolving the onion domain, choosing a circuit and encrypting data in layers. The Tor client plugin is based on the official Tor client (tor.exe), customized to the design of this malware with added interaction with Attor’s dispatcher.

The Tor client plugin must communicate with the dispatcher, which implements the cryptographic functions. Furthermore, it communicates with the SOCKS proxy plugin (also listening locally), which relays communications between the Tor client and the remote server.

Both File uploader and Command dispatcher use FTP; files are uploaded to/downloaded from an FTP server that is protected by credentials hardcoded in the configuration:

  • C&C server: idayqh3zhj5j243t[.]onion
  • Username: do
  • Password: [Redacted]

The plugins log in to the FTP server and copy the collected data to, or download commands from, a victim‑specific directory.

In total, the infrastructure for C&C communication spans four Attor components: the dispatcher providing encryption functions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication, as illustrated in Figure 5. This split makes it impractical to analyze Attor’s network communication unless all pieces of the puzzle have been collected.

Figure 5. Four Attor components cooperate to enable communication with the C&C server
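To make the onion-resolution step concrete, here is an added example (not Attor’s code and not from the ESET analysis) that builds and parses the SOCKS5 exchange a Tor client’s SOCKS port expects when a caller asks it to reach an onion service, simulating both sides in-process. It follows the RFC 1928 message formats and uses the onion address and FTP port quoted above as the target. The point it demonstrates: the .onion hostname has to travel inside the SOCKS request as a domain name (ATYP=3) so that Tor resolves it over the circuit; a caller that tried to resolve it itself would fail and, if it reached a DNS resolver, leak the address.

```python
"""SOCKS5 CONNECT to an onion service, both sides simulated.

Added example, not code from Attor or from the ESET white paper.
Formats follow RFC 1928; the reply mirrors what Tor sends (REP=0,
BND.ADDR 0.0.0.0, BND.PORT 0).
"""
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer 'no authentication' only."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname verbatim (ATYP=3, len-prefixed)."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_request(data: bytes):
    """Proxy-side view: return (host, port) of a CONNECT request.

    Rejects anything but a domain-name target ending in .onion, so no
    resolution can have happened on the client side.
    """
    ver, cmd, rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("malformed SOCKS5 CONNECT")
    if atyp != ATYP_DOMAIN:
        raise ValueError("target must be a domain name, not a pre-resolved IP")
    length = data[4]
    host = data[5:5 + length].decode("ascii")
    (port,) = struct.unpack("!H", data[5 + length:7 + length])
    if not host.endswith(".onion"):
        raise ValueError("only onion targets are accepted in this example")
    return host, port


def is_safe_onion_request(data: bytes) -> bool:
    """True if the request would be accepted by parse_connect_request()."""
    try:
        parse_connect_request(data)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def connect_reply(rep: int = 0x00) -> bytes:
    """VER, REP, RSV, ATYP=IPv4, BND.ADDR=0.0.0.0, BND.PORT=0 (as Tor replies)."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])


def parse_reply(data: bytes) -> bool:
    """Client-side view: did the proxy report success (REP=0)?"""
    return data[0] == SOCKS_VERSION and data[1] == 0x00


def run_exchange(host: str, port: int):
    """Drive the whole handshake in-process and return (target seen by the
    proxy, success as seen by the client)."""
    greeting = client_greeting()
    server_choice = bytes([SOCKS_VERSION, NO_AUTH])      # method selection
    if greeting[0] != SOCKS_VERSION or server_choice[1] not in greeting[2:]:
        raise RuntimeError("method negotiation failed")
    request = connect_request(host, port)
    target = parse_connect_request(request)                # what Tor resolves
    reply = connect_reply()                                # circuit built
    return target, parse_reply(reply)


if __name__ == "__main__":
    # The C&C onion address and FTP port from the analysis above.
    print(run_exchange("idayqh3zhj5j243t.onion", 21))
```

From a detection standpoint the exchange also explains why Attor’s FTP never appears as port‑21 traffic on the wire: the plaintext FTP session with the hardcoded credentials exists only inside the Tor circuit, and what leaves the host is a Tor connection initiated from whatever browser or messaging process the network plugins were injected into.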

It is important to note that Attor uses several additional tricks to hide its communications from the user and security products:

First, the C&C server is a Tor service, aiming for anonymity and untraceability.

Second, all network-communication-related plugins are only activated if running within the process of a web browser or an instant messaging application or other network applications (this is determined by checking the process name against a hardcoded list). This trick hides the exfiltration-related network communication in a stream of legitimate communications made by that application, and thus reduces the risk of raising any suspicion.

The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.

While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.

Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with the device, via the associated serial port.

AT commands, also known as Hayes command set, were originally developed in the 1980s to command a modem to dial, hang up or change connection settings. The command set was subsequently extended to support additional functionality, both standardized and vendor-specific.

A recent academic study found that AT commands are still supported by most modern smartphones. Its authors were able to bypass security mechanisms and communicate with smartphones using AT commands over their USB interface. Thousands of commands were recovered and tested, including commands to send SMS messages, emulate on-screen touch events, or leak sensitive information. That research illustrates that the old‑school AT command set poses a serious risk when misused.

As for Attor’s plugin, however, we may only speculate why AT commands are employed. We have detected a 64‑bit version of this plugin in 2019, and we can confirm it is still a part of the newest Attor version (that we first saw in 2018). On the other hand, it seems unlikely it is targeting modern smartphone devices. The plugin ignores devices connected via a USB port, and only contacts those connected via a serial port (more precisely, devices whose friendly names match “COM*”).

A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor. In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.

In any case, the plugin retrieves the following information from the connected devices, using the AT commands listed in Table 3:

  • Basic information about the mobile phone or GSM/GPRS modem: name of manufacturer, model number, IMEI number and software version
  • Basic information about the subscriber: MSISDN and IMSI number
Table 3. The AT commands used by the Device monitor plugin
AT command | Functionality
AT | Signals the start of communication (AT for “attention”).
AT+MODE=2 | Prepares the phone for an extended AT+ command set.
AT+CGSN | Requests the IMEI (International Mobile Equipment Identity), a number that uniquely identifies the device.
AT+CGMM | Requests the model of the device (model number).
AT+CGMI | Requests the name of the device manufacturer.
AT+CGMR | Requests the version of the software loaded on the device.
AT+CNUM | Requests the MSISDN (Mobile Station International Subscriber Directory Number), i.e. the telephone number associated with the SIM in the phone.
AT+CIMI | Requests the IMSI (International Mobile Subscriber Identity), a number that uniquely identifies a GSM subscriber. It has two parts. The first (mobile country code plus mobile network code) is six digits under the North American numbering and five digits under the European one; it identifies the network operator, and its country, with whom the subscriber holds an account. The second part is allocated by that operator to identify the subscriber uniquely.

Note that many more (vendor-specific) AT commands exist that are not used by this plugin. It is possible that the malware operators use the listed commands to fingerprint the connected devices, and then deploy another plugin with more specific commands to extract information from the device.
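What the plugin ends up with is a small set of identifiers, and a defender reconstructing a session (from a serial-port monitor, or from the plugin’s own logs) wants to parse and sanity-check them the same way. The example below is added here and is not the plugin’s code: it walks an echoed AT session for the commands in Table 3, extracts the manufacturer, model, software version, IMEI, MSISDN and IMSI, validates the IMEI check digit with the Luhn algorithm, and splits the IMSI into country, network and subscriber parts. The transcript is constructed, not captured from a real device, and the MNC-length rule is the North America/Europe simplification stated in Table 3 (a production tool would consult a full MCC/MNC table).

```python
"""Parse the replies to Attor's AT queries into a device fingerprint.

Added example, not the Device monitor plugin's code. Commands are those
of Table 3; the modem transcript is constructed.
"""
import re

# Which identifier each AT query returns (Table 3). AT and AT+MODE=2 carry
# no data, so they are not listed.
QUERIES = {
    "AT+CGMI": "manufacturer",
    "AT+CGMM": "model",
    "AT+CGMR": "software_version",
    "AT+CGSN": "imei",
    "AT+CNUM": "msisdn",
    "AT+CIMI": "imsi",
}


def luhn_valid(digits: str) -> bool:
    """IMEI check digit: Luhn over all 15 digits must sum to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_imsi(imsi: str):
    """Return (mcc, mnc, msin).

    Assumption (simplified, per Table 3): 3-digit MNC for North American
    MCCs (302 and 310-316), 2-digit MNC elsewhere.
    """
    mcc = imsi[:3]
    mnc_len = 3 if mcc == "302" or "310" <= mcc <= "316" else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def parse_transcript(transcript: str) -> dict:
    """Walk an echoed AT session: a command line, its response line(s),
    then a final result code (OK or ERROR)."""
    fingerprint = {}
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper() in QUERIES:
            current = QUERIES[line.upper()]
        elif line in ("OK", "ERROR"):
            current = None
        elif current:
            # +CNUM replies as +CNUM: <alpha>,<number>,<type>; keep the number.
            m = re.match(r'^\+CNUM:\s*"[^"]*",\s*"([^"]*)"', line)
            # Other responses are bare text or "+CMD: value".
            value = m.group(1) if m else re.sub(r"^\+\w+:\s*", "", line)
            fingerprint[current] = value
    if "imei" in fingerprint:
        imei = fingerprint["imei"]
        fingerprint["imei_valid"] = len(imei) == 15 and imei.isdigit() and luhn_valid(imei)
    if "imsi" in fingerprint:
        fingerprint["mcc"], fingerprint["mnc"], fingerprint["msin"] = split_imsi(fingerprint["imsi"])
    return fingerprint


# Constructed session (not from a real modem); commands are echoed by the device.
SAMPLE_SESSION = """\
AT
OK
AT+CGMI
Example Telecom
OK
AT+CGMM
EX-200
OK
AT+CGMR
1.04.00
OK
AT+CGSN
352099001761481
OK
AT+CNUM
+CNUM: "Line 1","+15555550100",145
OK
AT+CIMI
310410123456789
OK
"""

if __name__ == "__main__":
    for key, value in parse_transcript(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The Luhn check is worth keeping even in a quick script: a device that answers AT+CGSN with something that is not a valid IMEI is either a modem reporting a serial number in that slot or a device lying about its identity, and both cases deserve a closer look before the value is trusted as a fingerprint.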

Attor is an espionage platform, used for highly targeted attacks against high-profile users in Eastern Europe, and Russian-speaking, security-concerned users.

The malware, which has flown under the radar since 2013, has a loadable-plugin architecture that can be used to customize the functionality to specific victims. It includes an unusual plugin for GSM fingerprinting that utilizes the rarely used AT command set, and incorporates Tor with the aim of anonymity and untraceability.

Our research provides a deep insight into the malware and suggests that it is well worth further tracking of the operations of the group behind it.

ESET detection names and other Indicators of Compromise for these campaigns can be found in the full white paper: AT commands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform.

Acknowledgements to Anton Cherepanov, Peter Košinár, and Zoltán Rusnák for their work on this investigation.

MITRE ATT&CK techniques (ID | Name | Description)

Execution
T1106 | Execution through API | Attor’s dispatcher uses the CreateProcessW API for execution.
T1129 | Execution through Module Load | Attor’s dispatcher executes additional plugins by loading the respective DLLs.
T1085 | Rundll32 | Plugin 0x10 schedules rundll32.exe to load the dispatcher.
T1053 | Scheduled Task | Plugin 0x10 schedules rundll32.exe to be executed on each boot/logon, and subsequently to load the dispatcher.
T1035 | Service Execution | Attor’s dispatcher can be executed as a service.

Persistence
T1037 | Logon Scripts | Attor’s dispatcher can establish persistence by adding a logon script in the Registry: HKEY_CURRENT_USER\Environment\UserInitMprLogonScript.
T1050 | New Service | Attor’s dispatcher can establish persistence by registering a new service. The HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot\Minimal registry keys are updated so that the service is executed even in Safe Mode and Safe Mode with Networking.
T1053 | Scheduled Task | Plugin 0x10 schedules a new task that loads the dispatcher on boot/logon.

Defense Evasion
T1140 | Deobfuscate/Decode Files or Information | Strings are encrypted with a XOR cipher using a hardcoded key. Configuration data, log files and plugins are encrypted using a hybrid encryption scheme: Blowfish-OFB combined with RSA.
T1107 | File Deletion | The collected files and log files are deleted after exfiltration by plugin 0x05.
T1158 | Hidden Files and Directories | The attributes of log files and directories are set to HIDDEN/SYSTEM/ARCHIVE (or a combination of those).
T1036 | Masquerading | Attor’s dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).
T1112 | Modify Registry | Attor’s dispatcher can modify the Run registry key.
T1055 | Process Injection | Attor’s dispatcher injects itself into running processes, to gain higher privileges and to evade detection. It avoids specific system and Symantec processes.
T1108 | Redundant Access | Both 32-bit and 64-bit versions of Attor’s dispatcher are executed, and they are injected into almost all processes. A watchdog component, implemented in the dispatcher or as a separate plugin, reinstalls Attor if it has been removed.
T1099 | Timestomp | The time of last access to files and registry keys is manipulated after they have been created/modified.
T1497 | Virtualization/Sandbox Evasion | Attor can detect whether it is executed in some virtualized or emulated environments. If so, it terminates itself immediately.

Credential Access
T1056 | Input Capture | User credentials can be collected by plugin 0x07 via capturing keystrokes.

Discovery
T1083 | File and Directory Discovery | Plugin 0x01 enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.
T1120 | Peripheral Device Discovery | Plugin 0x01 collects information about inserted storage devices, modems and phone devices.
T1082 | System Information Discovery | Attor monitors the free disk space on the system.

Collection
T1123 | Audio Capture | Plugin 0x03 is capable of recording audio using available input sound devices.
T1119 | Automated Collection | Attor automatically collects data about the compromised system.
T1115 | Clipboard Data | Plugin 0x07 collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.
T1074 | Data Staged | Collected data is staged in a central upload directory prior to exfiltration.
T1056 | Input Capture | Plugin 0x07 captures keystrokes pressed within the window of the process where Attor is injected.
T1113 | Screen Capture | Plugin 0x02 captures screenshots of target applications.

Command and Control
T1043 | Commonly Used Port | Attor uses port 21 for C&C communication.
T1188 | Multi-hop Proxy | Attor uses Tor for C&C communication.
T1079 | Multilayer Encryption | Attor sends encrypted traffic using Tor, which itself uses multiple layers of encryption.
T1105 | Remote File Copy | Attor can download additional plugins, updates and other files.
T1071 | Standard Application Layer Protocol | The FTP protocol is used for C&C communication.
T1032 | Standard Cryptographic Protocol | A combination of Blowfish-OFB and RSA is used for data encryption.

Exfiltration
T1020 | Automated Exfiltration | Exfiltration of the collected data and log files is done automatically by plugin 0x05.
T1022 | Data Encrypted | Attor encrypts data with a combination of the Blowfish and RSA ciphers before sending it to the C&C server.
T1041 | Exfiltration Over Command and Control Channel | Attor exfiltrates data over the C&C channel.

10 Oct 2019 – 11:30AM

How concerned are you about the privacy challenges of your IoT devices?

An ESET survey of thousands of people in North America provides a peek into how they perceive the privacy and security of their smart home connected devices

The alarm is ringing. Half asleep, you scrabble for your smartphone on the nightstand, to snooze it for at least a few more minutes. Drowsily, you shuffle to the bathroom and ask your voice assistant to play your favorite shower song and turn on the coffee machine. Then you ask it about the weather and then to play your daily podcast while you get ready and have breakfast. Your GPS notifies you it’s time to leave and mirrors your smartphone’s screen onto the car’s multimedia system.

That’s just your morning. How many interactions did you have with devices connected to the internet, just from the time you got up till you got out the door?

You’re so connected that it has become a stereotypical part of your life – you don’t think about it and you don’t dwell on it. From checking your correspondence, through tracking your health to paying your bills, everything is literally at your fingertips. A large chunk of your life is recorded in ones and zeroes and shared across your devices connected to the Internet of Things (IoT). Fascinating and yet a bit unnerving, isn’t it?

It doesn’t have to be. If you have a healthy level of cybersecurity hygiene and knowledge you can significantly reduce the risks of your data being hacked.

Ahead of the 16th annual National Cyber Security Awareness Month (NCSAM), ESET and the National Cyber Security Alliance (NCSA) conducted a survey in September to find out how careful American and Canadian consumers are about their cybersecurity when it comes to IoT and their connected home devices.

In a nutshell, their approach to cybersecurity leaves a lot to be desired, to say the least. About half of the 4,000 respondents own between one and five connected devices. Yet barely a third of them are concerned about unauthorized access to their home networks through these devices (smart TVs, smart thermostats, smart fridges, etc.). Broken down by country, that is about 35% of Americans and 37% of Canadians.

One in four Americans watches streaming content using a device such as a Roku or Apple TV. Of those, only around 21% are concerned that cybercriminals could target their TV and access it remotely. One in four Canadians, on the other hand, prefers to watch streaming content on a computer, and only a fifth are concerned about their TVs being targeted.

Turning to the device that is the nerve center of a home network, most of the people asked have never changed the default password on their routers or have no idea if it was ever changed since the installation. That’s true for 61% of Canadian respondents and 57% of American respondents.

Almost half of the respondents do not look for encryption features in the connected devices they purchase, and one in two does not know whether the government should regulate privacy and security standards for IoT gadgets.

What most respondents agree upon is that they worry about their children, specifically the security and privacy of the gizmos that they use. This does not come as a surprise, since children are vulnerable to threats, mainly through social media, especially with their tendency to overshare.

As a parent, you can always take steps to keep your children safe online, but you are walking a thin line between using preventive measures and encroaching on their privacy, so balance is key.

Most respondents are wary of home devices that run one of the widely known smart assistants (Alexa, Google Assistant and Siri). Almost 60% of them responded “No” when asked if they had a smart speaker, smart thermostat or other home assistant device that ran one of the three. We addressed some of the underlying privacy issues in an earlier article and the associated white paper.

For additional insight into how the respondents deal with the challenges of securing their IoT devices, head over to another article we published about the survey’s results this week.

9 Oct 2019 – 03:30PM

Internet pioneer Dr. Paul Vixie on global internet security

We sat down with internet pioneer and Farsight Security CEO Dr. Paul Vixie, who co-invented some of the services that are central to the ‘Net’s fabric, to discuss a range of issues affecting security and privacy

The contributions that Dr. Paul Vixie has made to some of the foundational technologies underpinning the internet need little by way of introduction. As one of the brains behind the Domain Name System (DNS) architecture and an inventor of anti-spam measures, Dr. Vixie is an authoritative voice on a range of matters that concern the global internet.

Hence, ESET is very pleased that Dr. Paul Vixie will be presenting the keynote speech at the 22nd International AVAR Cybersecurity Conference in Osaka, Japan, 6 – 9 November, 2019. In advance of the conference, ESET security evangelist Tony Anscombe interviewed Dr. Vixie about his perspectives on a free and secure internet.

To be sure, the lightly edited excerpt that follows provides just a taste of the insightful interview, which is available in its entirety at the link below.

Tony Anscombe: Paul, AVAR has been taking place for over 20 years, along the way marking, in a fashion, the internet’s evolution. What’s on your mind ahead of delivering the keynote to a solidly APAC audience here in Japan?

Dr. Paul Vixie: I’ve been working with partners inside APAC for about 20 years also, and I’ve found the region to be full of smart and ambitious people who can, in many cases, leapfrog over nations like the USA. Fiber to the home is far more advanced in Japan and Korea than in the USA, for example. APAC has also pushed for (and helped to create) internationalization technologies like IDN for DNS. The world owes a lot to the APAC region.

TA: To your eyes, will the ‘Pacific century’ hold a unique place in the evolution of the internet?

PV: I think that the Pacific century will be where the Internet, as the mover and arbiter of most economic and cultural value, coincides with the rise of Asian nations as world powers. The internet doesn’t prefer one cultural norm over another; it can be used however its maintainers and users agree. This means APAC will shortly be much more dramatically affected by internet-enabled crime than the rest of the world.

TA: This year’s theme is Hacker versus counter-hacker: From retribution to attribution. What role does DNS, or better DNSSEC, have to play in this most serious of ‘games’? Do you think that researchers, developers and educators (generally) pay enough respect to the fact that DNS underpins so much of the function of the internet and internet security activity?

PV: There has been a war for three decades for control over the DNS resolution path, and this war is heating up now that many hackers, companies, and national security groups have begun to appreciate the way that DNS can be a control and monitoring point for other activities. To retain any safety, the rest of the technical and online communities must now also learn the powers and dangers of DNS. For example, with DNSSEC we could have a more vibrant global commerce system, yet the web community is pushing for non-DNSSEC ways to grow their economy, and of course the blockchain people are looking for some way they can make money. DNSSEC has been long coming, but we must all unite behind it.

TA: A new, open and more collaborative approach to cybersecurity seems to be afoot. ESET for example contributes to ATT&CK, and also has provided IOC/detections from its EDR solution to Domain Name System protection services to build use cases and get feedback on its products and data. Do the wider shifts, favoring a collaborative approach to cybersecurity, strike you as a boon for security?

PV: Threat and intelligence sharing has been going on for 15 years now, and yet newcomers still enter our field thinking that this is an unsolved problem where they can make an impact (and perhaps make some money). ESET has always done threat and intelligence sharing, they were part of the STIX/TAXII effort and also part of the IODEF/IDMEF community. What’s important is that every participant in the economy recognizes that no defender will be very much safer than the average, and so only by cooperation can we begin to reverse the trend of losses.

TA: You’ve co-founded SIE Europe, an organization that aims to secure the digital economy via the “collection, aggregation, and sharing of data, without Personally Identifiable Information.” However, profiting from data, which until Data Protection Regulations with teeth was a low-cost and high-return ‘gambit’, has become a widespread business model; how can SIE Europe and other parties protect the wider digital economy while in some ways undermining the gold rush taking place around data collection that is worth tens of billions of dollars in the US alone?

PV: After I lost the internet’s first culture war in the 1990’s, which was about spam, I spent several years trying to decide where we’d gone wrong with the first anti-spam company (Mail Abuse Prevention System or MAPS) and the first distributed reputation system which we invented (Realtime Blackhole List or RBL). Finally, I realized that building roads has greater long-term leverage and impact than building walls, and that at MAPS, with the RBL, we had built walls. Spammers and their enablers built roads, and they beat us. So, SIE Europe is about building roads, and if data monetizers go up against us they will have to compete by building roads also. We will all win from that, no matter which outcome.

TA: With stronger hints at both government and business seeking to carve up the WWW into “regional internets”, firewalled environments, etc., how far have we stepped away from a ‘free’ global internet? As for the perceived tradeoffs – restrictions for better/more (perceived) security… are there other ways forward? What role do DNS-based/oriented security approaches and/or threat-intelligence have to play in helping balance between a free and secure internet?

Inside consumer perceptions of security and privacy in the connected home

The ESET survey polled 4,000 people to get a sense of their attitudes towards the privacy and security implications of smart home technology

When most people think of home security, locks, alarms and big dogs come to mind. Substitute security with privacy, and images of curtains and blinds, or unlisted phone numbers spring to mind. While those are all (still) valid, over the last decade of digitalization, we have seen “the home” – long regarded as a refuge for privacy and safety – transformed into a battleground over what is private and secure. To recognize these shifts, ESET decided to focus on the “Protect IT” component during the 16th annual National Cybersecurity Awareness Month and, together with the National Cyber Security Alliance (NCSA), carried out a survey to uncover where people in the United States and Canada stand with the main themes connected to protection.


In the time it took for modems to give way to routers, and routers to then broadcast Wi-Fi, our identities as residents and as digital citizens have moved considerably closer together. And now, as IoT and the wider explosion in numbers of smart devices and attached services that have followed enter homes en masse, another reimagining of home, privacy and security unfolds.

So, how do North Americans see their “homes” and what makes them safe and secure? If that answer doesn’t involve digital, then trouble could be ahead. Take a quick look at our recent poll results to get a picture of the digital home in the popular imagination.

Ditching VHS and DVDs for streaming has enabled us to binge watch more effectively than ever before. In our poll of 4,000 respondents (2,000 Americans and 4,000 Canadians), 25% streamed via Apple TV or Roku, 17.9% on a connected (smart) TV, and 23% via their mobile device, with PC users adding in another 16.7%. But amidst all the juicy content, is there space for viewers to think about security?

We asked whether respondents were concerned that connected TVs could be targeted by cybercriminals – allowing them to remotely access or control the TV from the internet. The results were stark. Roughly 21% had concerns, while 41.6% didn’t worry about it, despite the fact that there are valid concerns about connected TVs being targeted by cybercriminals. For example, TVs can fall prey to ransomware and coinminers like ADB.Miner, which hijacked the computing power of thousands of Android devices.

While some of us successfully segregate our business and personal devices, ultimately it is their polyfunctionality that makes all of them useful for so many tasks. In either case, when using either business or personal devices at home, most of us leverage our home network that traces to the router. But have you ever wondered if it is safe and private?

Only 40% in the survey changed their default router credentials during the initial setup at home. When default usernames and passwords for routers are one-click away from discovery with a Google search, these are open networks ripe for easy plunder. Guarding the heart of your home network – your router – is an indispensable step before even thinking about the security settings of each connected IoT device.

Many may not even realize that their home router may be providing a separate public Wi-Fi network for their ISP’s travelling customers. Around 37% of respondents in the survey certainly didn’t know. So, it’s like we said, devices don’t judge. It’s up to you, the home user, to think about listing off all your connected devices at home and what you can do to keep safe, starting from the router up.

With your router central to the connected home you are building, whether accidentally or not, you are also likely adding new technologies and risks to the sanctuary of your home. Along with your very powerful mobile computer, aka smartphone, you may have wanted to try out a few more recently introduced devices.

Enter smart thermostats, smart speakers and… home assistants. While these items began marching into homes as early as 2007, with the Ecobee smart thermostat, concerns and competitors were not far behind. However, until the introduction of home assistants, like Alexa, which can communicate with multiple smart home devices, impacts were mostly theoretical. The conversation has now become much more realistic as many cases of devices giving away location data, listening and recording, or taking actions without consent have been documented.

Among users of these devices, concern seemed muted as only around 30% of both our U.S. and Canadian respondents felt affected by these issues, almost equal with 26% of U.S. respondents who claimed they were unconcerned. Canadians unconcerned with these issues amounted to approximately 21%, with 43% reporting that they do not own these device types.

While device makers still have work cut out for them to get assistants in homes and “speaking with” other smart home devices, the main issue for people holding out doesn’t seem to be insecurity.

Returning to the router as ground zero, the adventurous among you who have been considering smartening up your home might want to revisit those passwords. A great second step is auditing the number and type of connected devices you have in your home. Polled respondents in Canada who reported having “no connected devices” numbered 18.5%, with their neighbors in the US posting 20.3%. A big jump among those with 1–5 devices occurs among both Canadians and Americans, with 44–45% falling in this range. The numbers of power users are also similar, with Canadians holding 15-plus devices coming in at 8.5% and those in the US at 7.8%.

While the similarities in tech deployment may surprise some, what stood out is the shared number on both sides of the northern border who claimed that they “could name all the devices” in their caddies, with 42.4%!

Well, it’s a brave new world, people. And for a last peek at our survey: Have you ever purchased a device with connected features that you

Needles in a haystack: Picking unwanted UEFI components out of millions of samples

ESET experts describe how they trained a machine-learning model to recognize a handful of unwanted UEFI components within a flood of millions of harmless samples

UEFI (Unified Extensible Firmware Interface) security has been a hot topic for the past few years, but, due to various limitations, very little UEFI-based malware has been found in the past. After having discovered the first UEFI rootkit in the wild, known as LoJax, we set out to build a system that would enable us to explore the vast UEFI landscape in an efficient way – and reliably spot emerging UEFI threats.

Using the telemetry gathered by ESET’s UEFI scanner as a starting point, we devised a custom processing pipeline for UEFI executables that leverages machine learning to detect oddities among the incoming samples. This system, besides showing strong capabilities in identifying suspicious UEFI executables, offers real-time monitoring of the UEFI landscape, and was found to reduce the workload of our analysts by up to 90 percent.

Hunting for UEFI threats using our processing pipeline, we uncovered multiple interesting UEFI components, which can be divided into two categories – UEFI firmware backdoors and OS-level persistence modules. The most notable out of our discoveries is the so-called ASUS backdoor, a UEFI firmware backdoor found in several ASUS laptop models and remediated by ASUS following our notification.

UEFI is a specification defining the interface that exists between the OS and the device’s firmware. It defines a set of standardized services, called “boot services” and “runtime services”, that are the core APIs available in UEFI firmware. UEFI is a successor to the legacy BIOS (Basic Input/Output System) firmware interface, introduced to address the technical limitations of BIOS.

The UEFI firmware is stored in SPI flash memory, which is a chip soldered on the system’s motherboard. Thus, reinstalling the operating system or replacing the hard drive doesn’t affect the firmware code. UEFI firmware is very modular: it usually contains dozens, if not hundreds, of different executables/drivers.

Figure 1. How UEFI executables/drivers are stored in a PC

There are multiple ways firmware can be modified, compromising the security of the affected computer.

The first, and most common, option is modification of the firmware by the computer vendor to enable remote diagnostic or servicing, which, if implemented improperly, can serve as a backdoor. Another option is malicious flashing via manual tampering, when the attacker has physical access to the affected device. The third option: remote attacks using malware capable of modifying the firmware.

This third option was documented in our research on LoJax, the first UEFI rootkit to be detected in the wild. In a campaign targeting government organizations in the Balkans as well as in Central and Eastern Europe, the Sednit APT group successfully deployed a malicious UEFI module on a victim’s system. This module is able to drop and execute malware on disk during the boot process – a particularly invasive persistence method that will not only survive an OS reinstall, but also a hard disk replacement.

Finding malware like LoJax is rare – there are millions of UEFI executables in the wild and only a tiny portion of them are malicious. We have seen over 2.5 million unique UEFI executables (out of a total of six billion) over the past two years alone. Since it is not feasible to analyze each of them manually, we needed to come up with an automated system to reduce the number of samples that require human attention. To address this problem, we decided to build a system tailored to highlight outlier samples by finding unusual characteristics in UEFI executables.

In our research, we examined and compared multiple approaches to every part of the process – from feature extraction and text embedding, through efficient storage of the multidimensional embeddings and querying of samples’ neighborhoods, to the final scoring algorithm – all while considering the performance and real-time capabilities of the techniques chosen. Once we established an efficient method of retrieving the nearest neighbors to any incoming UEFI binary, we set up a system for assigning similarity scores in the range of zero to one to the incoming executables, comparing them to previously seen files. Files with the lowest similarity score are then inspected with the highest priority by an analyst.

As a proof of concept, we tested the resulting system on known suspicious and malicious UEFI executables that were not previously included in our dataset – most notably the LoJax UEFI driver. The system successfully concluded that the LoJax driver was very dissimilar to anything we had seen before, assigning it a similarity score of 0.

This successful test gives us a degree of confidence that if another similar UEFI threat emerged, we would be able to identify it as an oddity, promptly analyze it and create a detection as needed. Besides this, our ML-based approach can reduce the workload of our analysts by up to 90% (compared to analyzing every incoming sample). Finally, thanks to the fact that each new incoming UEFI executable is added to the dataset, processed, indexed and taken into consideration for the next incoming samples, our solution offers real-time monitoring of the UEFI landscape.
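The nearest-neighbor scoring described above, as an added illustration that is not ESET’s pipeline: each executable is assumed to have already been reduced by an upstream feature extractor (not shown) to a set of string tokens such as section names, referenced UEFI protocols and notable embedded strings; the token sets and sample names are constructed for the example.

```python
"""Outlier scoring for UEFI executables by nearest-neighbour similarity.

Illustration of the approach, not ESET's pipeline. Assumption: an upstream
feature extractor (not shown) has turned each executable into a set of string
tokens (PE section names, referenced UEFI protocol names, notable strings).
"""
from dataclasses import dataclass, field


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; two empty token sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


@dataclass
class UefiIndex:
    """Incrementally built index of previously seen executables.

    Every sample scored through it is added afterwards, so later samples are
    compared against it too (the real-time monitoring property in the text).
    """
    k: int = 3                                   # neighbourhood size
    samples: dict = field(default_factory=dict)  # name -> frozenset(tokens)

    def add(self, name: str, tokens) -> None:
        self.samples[name] = frozenset(tokens)

    def score(self, name: str, tokens) -> float:
        """Mean similarity of a new sample to its k nearest known neighbours.

        0.0 means nothing seen before resembles it (highest analyst
        priority); 1.0 means it duplicates known files. An empty index
        yields 0.0 by construction, so seed it with add() before scoring.
        """
        tokens = frozenset(tokens)
        sims = sorted((jaccard(tokens, seen) for seen in self.samples.values()),
                      reverse=True)[: self.k]
        result = round(sum(sims) / len(sims), 4) if sims else 0.0
        self.add(name, tokens)          # becomes a neighbour for later samples
        return result


def triage(index: UefiIndex, incoming) -> list:
    """Score (name, tokens) pairs; lowest score first = inspect first."""
    scored = [(name, index.score(name, tokens)) for name, tokens in incoming]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed token sets standing in for ordinary vendor drivers.
KNOWN_GOOD = {
    "VendorDxeA": {"sec:.text", "sec:.data", "proto:LoadedImage",
                   "proto:BootServices", "str:Copyright Vendor"},
    "VendorDxeB": {"sec:.text", "sec:.data", "proto:LoadedImage",
                   "proto:SimpleFileSystem", "str:Copyright Vendor"},
    "VendorDxeC": {"sec:.text", "sec:.rdata", "proto:LoadedImage",
                   "proto:BootServices", "str:Copyright Vendor", "str:Setup"},
}

# Constructed incoming batch: a near-duplicate of VendorDxeA and a sample that
# shares no token with anything seen before (the LoJax-like case in the text).
INCOMING = [
    ("near_duplicate", KNOWN_GOOD["VendorDxeA"] | {"str:v1.1"}),
    ("novel_driver", {"sec:.payload", "proto:BlockIo",
                      "str:constructed-dropper-marker"}),
]


def build_demo_index() -> UefiIndex:
    """Seed an index with the constructed known-good drivers."""
    index = UefiIndex(k=3)
    for name, tokens in KNOWN_GOOD.items():
        index.add(name, tokens)
    return index


if __name__ == "__main__":
    for name, score in triage(build_demo_index(), INCOMING):
        print(f"{score:.4f}  {name}")
```

The novel sample lands at score 0.0 and the top of the queue, while the near-duplicate scores about 0.63 against its three nearest vendor drivers.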

Having tested our processing pipeline on known malicious samples, it was time to start hunting for unwanted UEFI modules in the wild. The interesting components that we found can be grouped into two categories – UEFI firmware backdoors and OS-level persistence modules.

UEFI firmware backdoors

So what are UEFI firmware backdoors? In most UEFI firmware setups, options are available to password-protect the system from unauthorized access during the early stages of the boot process. The most common options allow setting passwords to protect access to the UEFI firmware setup, to prevent the system from booting and to access the disk. UEFI firmware backdoors are mechanisms that allow bypassing these protections without knowing the user-configured password.

While such UEFI firmware backdoors are very common – mainly used as a recovery mechanism in case the computer’s owner forgets the password – they come with a number of security implications. Besides allowing attackers with physical access to the affected computer to bypass various security mechanisms, they also create a false sense of security in users who are unaware of them and may believe their computers are unbootable by anyone who doesn’t possess the password.

The most prevalent of the UEFI firmware backdoors we analyzed is the so-called ASUS backdoor. Our research confirmed that at least six ASUS laptop models were shipped with the backdoor; the number, however, is likely much higher (manually checking the presence in every ASUS laptop model was out of the scope of our research). Following our notification to ASUS about the backdoor in April 2019, the vendor removed the issue and released firmware updates on June 14th, 2019.

OS-level persistence modules

The remainder of our findings are OS-level persistence modules – firmware components responsible for installing software at the operating system level. With these persistence modules, the main security problem is that – due to the complicated nature of delivering firmware updates – a computer shipped with a vulnerable firmware component will most likely remain vulnerable during its whole lifetime. For this reason, we believe firmware persistence should be avoided as much as possible and limited to cases where it is strictly necessary, as is the case with anti-theft solutions.

To learn more about our research, please refer to the full paper, A machine-learning method to explore the UEFI landscape.

8 Oct 2019 – 11:30AM

Week in security with Tony Anscombe

ESET researchers publish an in-depth analysis of the Casbaneiro banking trojan that targets banks and cryptocurrency services in Brazil and Mexico

ESET researchers publish an in-depth analysis of the Casbaneiro banking trojan that targets banks and cryptocurrency services in Brazil and Mexico. Also this week, we explained why you should ensure that all the apps on your smartphone only run with the permissions they reasonably need to do their job. Ten hospitals in the US and Australia are reeling from ransomware attacks that have led to the cancellation of all but the most urgent appointments and surgeries.

Hospitals in US, Australia hobbled by ransomware

The incidents send medical staff back to the days of pen and paper

Several hospitals in the United States and Australia have been paralyzed by ransomware attacks, leading to the cancellation of all but the most urgent appointments and surgeries.

In the US, the outbreak affected three Alabama-based healthcare providers – DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center. Early on Tuesday, all of them were hit by a ransomware strain known as Ryuk, said the DCH Health System, which operates all three facilities.

Ryuk – which is detected by ESET endpoint protection as a variant of Win64/Filecoder.T – has previously been used in other highly disruptive attacks, including one that resulted in printing and delivery delays for a number of US newspapers late last year.

All three affected hospitals have implemented emergency procedures to ensure the safety of their patients. The DCH has given assurances that the hospitals are “still able to provide critical medical services to those who need it”.

On the other hand, patients with non-emergency health needs were encouraged to seek assistance in neighboring medical facilities. Only elective procedures and surgical cases that had been scheduled for Wednesday went ahead as planned.

There is no word on the demands of cyber-extortionists, according to an earlier press release that is no longer available on the DCH’s website. The new statement notes that the DCH is working closely with federal authorities and IT security experts on restoring its systems.

Meanwhile in Australia, the Victorian government announced on Tuesday that “a number of hospitals and health services” in the state had fallen victim to ransomware attacks on Monday. The affected healthcare providers are part of the Gippsland Health Alliance and the South West Alliance of Rural Health. At least seven major regional hospitals were impacted, according to The Age.

The government has deployed the Victorian Cyber Incident Response service to deal with the attack. The report states that computer systems in the affected hospitals have been isolated in order to quarantine the infection. The impacted systems include patient records, booking, and management systems.

According to a report published earlier this year by the office of the Victorian Auditor-General, Victoria’s public health system is highly vulnerable to cyberattacks like those that affected healthcare providers in Singapore and the United Kingdom (UK) in the recent past.

The UK’s National Health System was crippled by WannaCryptor (aka WannaCry) in 2017, which cost the NHS £92 million (US$115 million). This prompted the NHS to bolster its cybersecurity posture and work on an infrastructure that would prepare it for any such future attacks.

A few years ago, ESET security researcher Lysa Myers brought up the issue of what healthcare organizations need to do to get their cybersecurity in order. More recently, she also looked at why successful ransomware attacks are symptomatic of a greater problem. Security advice on ransomware attacks is provided in our comprehensive white paper, Ransomware: An enterprise perspective.

In recent months, a number of US municipalities and other public entities have been hit particularly hard by ransomware attacks. Baltimore, for one, has spent a whopping US$18.2 million on restoring access to its systems. Twenty-three towns in Texas and two in Florida have also had their systems locked down and faced downtime due to ransomware recently.

About the author: Amer Owaida is a cybersecurity writer for WeLiveSecurity.

3 Oct 2019 – 04:53PM

Casbaneiro: Dangerous cooking with a secret ingredient

Number two in our series demystifying Latin American banking trojans

Most reverse engineers would agree that quite often one can learn something new on the job. However, it is not every day you learn how to cook a delicious meal while analyzing malware. This unique experience is provided by a malware family we discuss in this blog post – Casbaneiro.

Casbaneiro, also known as Metamorfo, is a typical Latin American banking trojan that targets banks and cryptocurrency services in Brazil and Mexico (Figure 1). It uses the social engineering method described in the introduction to our previous article, where fake pop-up windows are displayed. These pop-ups try to persuade potential victims to enter sensitive information; if successful, that information is then stolen.

Figure 1. Countries affected by Casbaneiro

The backdoor capabilities of this malware are typical of Latin American banking trojans. It can take screenshots and send them to its C&C server, simulate mouse and keyboard actions and capture keystrokes, download and install updates to itself, restrict access to various websites, and download and execute other executables.

Casbaneiro collects the following information about its victims:

  • List of installed antivirus products
  • OS version
  • Username
  • Computer name
  • Whether any of the following software is installed:
    • Diebold Warsaw GAS Tecnologia (an application to protect access to online banking)
    • Trusteer
    • Several Latin American banking applications

Although there seem to be at least four different variants of this malware, the core of all of them is almost identical to the code in this GitHub repository. However, it is practically impossible to separate them from each other, mainly because some variants using different versioning use the same string decryption key, and the same mechanisms are used in different variants.

Moreover, the differences are not important from the functionality point of view. Therefore, we will refer to all these variants as Casbaneiro.

Casbaneiro is easy to identify by its use of a huge string table, with several hundred entries. Strings are retrieved by accessing this table by index. Curiously, whenever the malware needs to obtain a string, the whole string table is constructed in memory from stored chunks of encrypted text, the desired string is decrypted and the whole table is discarded again. You can see an example in Figure 2.

Figure 2. Casbaneiro obtaining a string by index (0x205) and decrypting it

There are strong indicators that this malware family is closely connected to Amavaldo, which we described in our first post in this series about Latin American banking trojans. We will mention these similarities later in this article.

Casbaneiro can also try to steal the victim’s cryptocurrency. It does so by monitoring the content of the clipboard and, if the data seem to be a cryptocurrency wallet address, replacing them with the attacker’s own. This technique is not new; it has been used by other malware in the past – even the infamous BackSwap banking trojan implemented it in its earliest stages.

The attacker’s wallet is hardcoded in the binary and we have encountered only one. By examining it, we can see payments were already made at the time of writing.

Figure 3. Detail of the attacker’s bitcoin wallet

Casbaneiro utilizes several cryptographic algorithms, each one to protect a different type of data. We describe them in the following sections.

Command encryption

Commands received from the C&C server are encrypted using AES-256. The SynCrypto Delphi library is used. The AES key is derived via SHA-256 from a password stored in the binary. It is not stored as a string but concatenated from separate pieces at runtime, as you can see in Figure 4.

Figure 4. Constructing the password “ze102030ca” used to derive the AES key

String encryption

The algorithm used to encrypt strings comes from this book and is used in other Latin American banking trojans as well. Pseudocode of the decryption algorithm can be seen in Figure 5. The same key is used for all strings. Similar to the command encryption, the key is again concatenated from parts at runtime, only this time it consists of many more parts (see Figure 6). Notice how whitespace strings are added as well, but trimmed later on, therefore having no impact.

Figure 5. String decryption pseudocode

Figure 6. Part of code that concatenates the string decryption key shown in Figure 5. The valid key parts are marked red. The obfuscation by whitespace strings is marked purple.

Payload encryption

In some Casbaneiro campaigns, the actual banking trojan is encrypted and associated with an injector. The algorithm used to decrypt the main payload binary in such cases is exactly the same as the Amavaldo injector uses. Pseudocode is found in Figure 7.

Remote configuration data encryption

Finally, a fourth algorithm is used to decrypt configuration data not stored in the binary file but obtained remotely. We provide examples of such situations below.

You can clearly see in Figures 7 and 8 that this and the payload decryption algorithms are almost identical, only one uses plaintext and the other one ciphertext to update the key. We strongly suspect that the author rewrote the code by hand from the same source and made a mistake in one of the cases.

Figure 7. Payload decryption algorithm

Figure 8. Remote data decryption algorithm

We believe that a malicious email is usually at the beginning of Casbaneiro distribution chains. Some campaigns were described by FireEye, Cisco and enSilo. If you have read our previous article, you may notice that the campaign described by Cisco uses a PowerShell script very similar to the one utilized by Amavaldo. Even though some parts differ, both scripts clearly come from a common source and use the same obfuscation methods.

While writing this article, we noticed a new campaign using a similar technique to the one described by enSilo, with only a few changes. The Avast executable is no longer abused and the main payload, jesus.dmp, is no longer encrypted and therefore not associated with an injector. Finally, the installation folder has been changed to %APPDATA%SunJavar%RANDOM%. Since this most recent Casbaneiro campaign uses the URL shortener, we can learn more about it from Figure 9.

Figure 9. statistics for the latest Casbaneiro campaign

Besides that, we identified two other, earlier campaigns during our research.

Campaign 1: Fishy financial manager update

In this campaign, the victim is persuaded to download and install what may seem to be a legitimate update of financial software (see Figure 10). Instead of that, the installer:

  • downloads an archive containing:
    • Casbaneiro masquerading as Spotify.exe
    • other legitimate DLLs
  • extracts the content of the archive to %APPDATA%\Spotify
  • sets up persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify = %APPDATA%\Spotify\Spotify.exe

We have also encountered cases where the payload masquerades as OneDrive or WhatsApp. In those cases, the name of the folder is changed accordingly.

Figure 10. Fake update installer. (Translation: Title: Wait.. Updating Financial Manager [BB]. Text: Please wait for Windows configuration to be done.. Updating Financial Manager [BB]. Gathering necessary information.)

Campaign 2: What’s cooking? A fowl Windows activator

This campaign is very similar to the one described by enSilo; it uses an MSI installer with an embedded JavaScript downloader. Only this time, the installer comes bundled together with the Re‑Loader cracking tool allowing unofficial activation of Windows or Microsoft Office. When executed, Casbaneiro is secretly downloaded and executed first, followed by Re‑Loader.

The attacker used this approach, in which the expected software is actually installed together with the malware. This method is not very common for Latin American banking trojans. It is more dangerous to the intended victims, because it may give them less reason to suspect anything has gone wrong.

Figure 11. The Re-Loader cracking tool installed together with Casbaneiro

The operators have gone to great lengths to hide the actual C&C server domain and port, and it is one of the most interesting Casbaneiro features. Let’s explore where the C&C servers have been hidden…

1) Stored encrypted in the binary

Encryption is definitely the simplest method to hide the C&C server. The domain is encrypted with a hardcoded key and the port is just hardcoded. We have encountered cases where the port has been stored in the data section, in the Delphi form data, or randomly chosen from a range.

2) Embedded in a document

A more advanced method is to store the data somewhere online, in this case on Google Docs. One way Casbaneiro uses this method can be seen in Figure 12, where the document is full of junk text. The encrypted domain is hexadecimal encoded and then stored between “!” delimiters. The encryption is the same as that used for all other strings, and the port is hardcoded in the binary.

Figure 12. C&C server domain (highlighted red) encrypted and hexadecimal encoded, hidden inside an online document

Another way this method is used involves multiple delimiters. An example can be seen in Figure 13, where different delimiters are used for the C&C port, C&C domain and the URL used to submit victim information. Initially, this method was used to store only the port; the other configuration data were added in later variants.

Figure 13. C&C server port (“thedoor”), domain (“sundski”) and the victim information submission URL (“contict”) encrypted and stored in an online document

3) Embedded in a crafted website

In this approach, the operators set up a fake website (Figure 14) mimicking this legitimate one showing the current time in Brazil. The real C&C domain is hidden inside the web page’s metadata, as can be seen in Figure 15, and the port is hardcoded in the binary. We have encountered at least three such identical websites with different URLs.

Figure 14. Website created by the attacker mimicking a legitimate one. (Partial translation: Brazilian time schedule. Set your watch with time schedule in Brazil, Brazil’s official time.)

Figure 15. Comparison of metadata of the legitimate (left) and fake (right) websites. The google-site-verification tag holds the encrypted C&C domain.

An important difference from the previous method is that the data are encrypted in a different way than all other strings, using the algorithm to decrypt remote configuration data described earlier. The three keys required are the first 12 bytes of the string, each taking 4 bytes.

4) Embedded in a legitimate website

If you have been wondering where the title of this blog post comes from, this section is for you!

Casbaneiro started to abuse YouTube to store its C&C server domains. We have identified two different accounts used for this by the threat actor – one focused on cooking recipes and the other one on soccer.

So where is the C&C server hidden? Each video on these channels contains a description. At the end of this description, there is a link to a bogus Facebook or Instagram URL (see Figure 17). The C&C server domain is stored in this link, using the same encryption scheme as in the previous case – the key is stored at the beginning of the encrypted data. The port is, once again, hardcoded in the binary.

Figure 16. One of the YouTube channels used by the attacker

Figure 17. Description of one of the videos the attacker posted. At the bottom, the encrypted C&C domain is embedded in a bogus Facebook link (red).

What makes this technique dangerous is that it does not raise much suspicion without context. Connecting to YouTube is not considered unusual and even if the video is examined, the link at the end of the video description may easily go unnoticed.

5) Generated using a fake DNS entry

The general idea of this method is to register a domain and associate it with a fake IP address so that the real IP address can be derived from it. The algorithm uses three input values:

  1. A base domain (B) – a domain used to derive other domains
  2. A list of suffixes (LS) – a list of strings that will be used to derive other domains from the base domain B
  3. A number (N) – a number used to transform a fake IP address to the real one

A different base domain is used for C&C domain and port. We provide pseudocode in Figure 18. The basic logic of the algorithm is:

  1. Generate a domain from the base domain B and resolve it to a fake IP address (FIP)
  2. Add a number N to the fake IP address FIP to get the real IP address
  3. To get the port, sum the octets of the real IP address and multiply by 7

Figure 18. Pseudocode of the algorithm used to generate C&C domain and port using a fake DNS entry
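The derivation above, written out as an analyst-side decoder (added example, not ESET's code or the pseudocode from Figure 18): it recovers the real C&C address and port from the fake DNS answers. Assumptions, labelled in the code: each candidate domain is B with one suffix from LS appended, N is added to the fake address as a wrapping 32-bit integer, and DNS resolution is replaced by a constructed lookup table so it runs offline.

```python
"""Added example (not ESET's code): decoder for the fake-DNS C&C scheme.
DNS resolution is replaced by a constructed lookup table (runs offline)."""
import ipaddress

# Constructed fake DNS answers; these domains and addresses are placeholders
# (reserved .invalid names and documentation IP ranges), not real infrastructure.
SAMPLE_DNS = {
    "cc-base-new.invalid": "203.0.113.9",     # fake answer for the C&C address
    "port-base-new.invalid": "198.51.100.20", # fake answer used for the port
}

def candidate_domains(base, suffixes):
    # Assumption: each candidate is the base domain B with one suffix from LS
    # appended; the exact composition is only given in Figure 18.
    return [base + suffix for suffix in suffixes]

def fake_to_real_ip(fake_ip, n):
    # Assumption: N is added to the fake address as a 32-bit integer, wrapping.
    value = (int(ipaddress.IPv4Address(fake_ip)) + n) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))

def port_from_ip(real_ip):
    # Step 3 from the text: sum the octets of the real address and multiply by 7.
    return sum(int(octet) for octet in real_ip.split(".")) * 7

def resolve_real_ip(base, suffixes, n, resolve):
    """Try each generated domain; the first one that resolves yields the real IP."""
    for domain in candidate_domains(base, suffixes):
        fake_ip = resolve(domain)
        if fake_ip is not None:
            return fake_to_real_ip(fake_ip, n)
    return None

def derive_cc(addr_base, port_base, suffixes, n, resolve=SAMPLE_DNS.get):
    """Return (real_ip, port), or None if either base domain never resolves.
    A different base domain is used for the address and for the port."""
    addr_ip = resolve_real_ip(addr_base, suffixes, n, resolve)
    port_ip = resolve_real_ip(port_base, suffixes, n, resolve)
    if addr_ip is None or port_ip is None:
        return None
    return addr_ip, port_from_ip(port_ip)

if __name__ == "__main__":
    # "-old.invalid" never resolves, so the "-new.invalid" candidate is used.
    print(derive_cc("cc-base", "port-base", ["-old.invalid", "-new.invalid"], 256))
```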

Most of the Latin American banking trojans, including Casbaneiro, have a way to download and execute other executables, usually via a backdoor command. However, Casbaneiro employs a different implementation of this functionality. We initially thought of it as an update mechanism because newer versions of the banking trojan were distributed by it but, as we found out later, not exclusively. Two different mechanisms are used; let’s explore them.

Via XML document

One way that this functionality is used is by downloading an XML document. Data stored in this document between the <xmlUpdate>## and ##</xmlUpdate> labels are encrypted using the algorithm for remote data provided in Figure 8.

Once decrypted, the data may contain the following tags:

  • <newdns> – new C&C server domain
  • <newport> – new C&C server port
  • <downexec> – a URL to use to download and execute a file

Via special configuration file

We believe this approach is used in (probably a subset of) Casbaneiro samples that are being sold to other cybercriminals. In this method, a configuration file is downloaded (as shown in Figure 19). It consists of multiple lines, each one containing:

  • An ID of the buyer
  • Payload archive filename
  • Main URL where the archive is located
  • Backup URL where the archive is located
  • Version (not used)
  • A number (not used)
  • Date (not used)

The last three values seem to be ignored completely. The date “07/05/2018”, for example, is used even in the newest configuration files at the time of writing.

Figure 19. Configuration file obtained by Casbaneiro

Each Casbaneiro sample using this method has the buyer’s ID hardcoded in its data. When it downloads such a configuration file, it parses it, finds the line intended for its specific buyer’s ID, and downloads and executes the payload.

As you can see in Figure 19, the payload is mostly the same for all the buyers. However, we have encountered a situation where a sample downloaded such a configuration file and its buyer’s ID was not present. This way of distributing additional payloads gives the “main author” (probably the seller) the ability to exclude some buyers.

Besides Casbaneiro updates, we have seen two more payloads being distributed by this method, which are covered in the next two sections.

Email tool

A tool written in C# automatically registers a large number of new email accounts using the Brasil Online (BOL) email platform and sends the credentials back to the attacker. If you have read our previous article, this may seem very familiar to you. That is because, as far as functionality goes, this tool does exactly the same thing. It is also a variant of the spam tool described by Cisco.

Password stealer

Another payload we have seen being distributed by this functionality is a very simple Outlook password stealer. This malware, once executed, first displays a message box stating, in Portuguese, there is an issue with the victim’s Outlook account. After that, it displays a fake Microsoft login page requesting Outlook credentials.

Figure 20. Message box displayed by the password stealer. (Translation: Dear client, we have detected a problem with your Outlook account. Please check your account and avoid permanent blockage!)

Figure 21. Window displayed by the password stealer that tries to obtain the victim’s Outlook credentials. (Translation: Microsoft free personal email recover account. Begin session. Login, Password. Next)

In this article, we talked about Casbaneiro, another Latin American banking trojan. We have shown that it shares the common characteristics of this type of malware, such as using fake pop-up windows and containing backdoor functionality. In some campaigns, it splits its functionality into an injector and the actual banking trojan. It also masquerades as a legitimate application in most of the campaigns and targets Brazil and Mexico.

We have also shown strong indicators leading us to believe that Casbaneiro is closely related to Amavaldo. Both pieces of malware use the same, uncommon cryptographic algorithm in the injector component, they have used a very similar PowerShell script in one of their campaigns and they have been seen distributing a very similar email tool.

We have described various techniques Casbaneiro employs in order to hide its C&C server address. These include using remotely stored documents, both legitimate and fake websites, and fake DNS entries.

Finally, we have described two techniques used by Casbaneiro to update itself or download and execute additional payloads.

For any inquiries, contact us at [email protected] Indicators of Compromise can also be found on our GitHub.


Campaign 1: Fishy financial manager update

| SHA-1 | Description | ESET detection name |
|---|---|---|
| F07932D8A36F3E36F2552DADEDAD3E22EFA7AAE1 | MSI installer | Win32/TrojanDownloader.Banload.YJD trojan |
| BCDF0DDF98E3AA7D5C67063B9926C5D1C0CA6F3A | Downloaded payload | Win32/Spy.Casbaneiro.AJ trojan |

Campaign 2: What’s cooking? A fowl Windows activator

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 8745197972071EDE08AA9F7FBEC029BED56151C2 | MSI installer | JS/TrojanDownloader.Agent.TNX trojan |
| BC909B76858402B3CBB5EFD6858FD5954A5E3FD8 | Re-Loader | MSIL/HackTool.WinActivator.J potentially unsafe application |

Campaign 3: The most recent one

| SHA-1 | Description | ESET detection name |
|---|---|---|
| DD2799C10954293C8E7D75CD4BE2686ADD9AC2D4 | MSI installer | JS/TrojanDownloader.Agent.TNX trojan |
| 9DFFEB147D89ED58C98252B54C07FAE7D5F9FEA7 | Downloaded payload | Win32/Spy.Casbaneiro.AJ trojan |

Files distributed by Download & Execute

| SHA-1 | Description | ESET detection name |
|---|---|---|
| C873ED94E582D24FAAE6403A17BF2DF497BE04EB | Email tool | MSIL/SpamTool.Agent.O trojan |
| B3630A866802D6F3C1FA2EC487A6795A21833418 | Password stealer | Win32/PSW.Agent.OGH trojan |


  • %APPDATA%\Spotify\Spotify.exe
  • %APPDATA%\OneDrive\OneDrive.exe
  • %APPDATA%\WhatsApp\WhatsApp.exe

Run key & values

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Spotify = %APPDATA%\Spotify\Spotify.exe
    • OneDrive = %APPDATA%\OneDrive\OneDrive.exe
    • WhatsApp = %APPDATA%\WhatsApp\WhatsApp.exe
    • %Random% = %APPDATA%\SunJavar\%RANDOM%%RANDOM%.exe
    • %Random% = %APPDATA%\DMCache\%RANDOM%%RANDOM%.exe

C&C servers

  • hostsize.sytes[.]net:7880
  • agosto2019.servepics[.]com:2456
  • noturnis.zapto[.]org
  • 4d9p5678.myvnc[.]com
  • seradessavez.ddns[.]net:14875

Bitcoin wallet

  • 18sn7w8ktbBNgsX8LeeeLMqKS84xMG54si

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1192 | Spearphishing Link | Some Casbaneiro campaigns start with a malicious link in an email. |
| Initial Access | T1193 | Spearphishing Attachment | Some Casbaneiro campaigns start with a malicious email attachment. |
| Execution | T1073 | DLL Side-Loading | Some campaigns bundle a legitimate executable so as to use this technique in order to execute Casbaneiro. |
| Execution | T1086 | PowerShell | One distribution chain uses an obfuscated PowerShell script. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Casbaneiro downloaders set up persistence via Run key. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Casbaneiro uses encrypted remote configuration data and its commands are encrypted too. |
| Defense Evasion | T1036 | Masquerading | Casbaneiro sometimes masquerades as or is bundled with a legitimate application. |
| Defense Evasion | T1064 | Scripting | PowerShell and JavaScript are used in Casbaneiro distribution chains. |
| Credential Access | T1056 | Input Capture | Casbaneiro contains a command to execute a keylogger. It also steals contents from fake windows it displays. |
| Discovery | T1083 | File and Directory Discovery | Casbaneiro searches for various filesystem paths in order to determine what applications are installed on the victim’s machine. |
| Discovery | T1057 | Process Discovery | Casbaneiro searches for various process names in order to determine what applications are running on the victim’s machine. |
| Discovery | T1063 | Security Software Discovery | Casbaneiro scans the system for installed security software. |
| Discovery | T1082 | System Information Discovery | Casbaneiro extracts the version of the operating system. |
| Collection | T1115 | Clipboard Data | Casbaneiro captures and replaces bitcoin wallets in clipboard. |
| Collection | T1113 | Screen Capture | Casbaneiro contains a command to take screenshots. |
| Command and Control | T1024 | Custom Cryptographic Protocol | Casbaneiro uses three different custom cryptographic protocols. |
| Command and Control | T1032 | Standard Cryptographic Protocol | Casbaneiro encrypts its commands using the standard AES protocol. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Casbaneiro sends the data it collects to its C&C server. |

3 Oct 2019 – 11:30AM

Do apps need all the permissions?

Why you should ensure that all those apps on your smartphone only run with the permissions they reasonably need to do their job

Friends mention exciting new apps or we see a promotion that requires an app to be downloaded, and the rush is on to download the app and start interacting with it. But do we consider the permissions needed by the app? Do we reconcile the permissions against functionality? Do we even bother reading the permissions? Unfortunately, the answer is probably a ‘no’, or at best it may be a ‘sometimes’.

Since October is dedicated to campaigns that promote cybersecurity and privacy awareness, let’s shine the spotlight on the growing importance of being mindful of what permissions we grant to mobile apps.

App permissions are complex, and it is not always obvious why an app may require a permission. And in reverse, it’s sometimes abundantly clear that an app probably does not need a permission. Take, for example, a battery monitoring app: does it need access to my precise location or the ability to create new accounts? Probably not.

I recently watched the Netflix documentary ‘The Great Hack’, an in-depth examination of the data company Cambridge Analytica and how data collected, mainly through social media, was being used to persuade voters in elections how to cast their vote. The narrator, Professor David Carroll, expressed concern that by the time his daughter is 18 there will be about 70,000 data points defining her. The big takeaway from the program is that data has surpassed oil as the world’s most valuable asset.

While many of the data points will come from information that is voluntarily shared through social media and the like, it’s when data is collected out of context or when least expected that is more concerning. Take the example above: a battery monitoring app needing my precise location seems to be out of context. Is the company tracking me? Why do they need this data point? The same permission is fully understood when using a map and getting directions. Without my location it would be lost. It may even feel like I have gone back in time to the days of paper maps and having no idea of where I am on the map.

The category of apps that are typically at the forefront of abusing permissions are flashlight apps that request contact data and microphone access, to name a few. Does the flashlight app want to listen to me and know all my friends? The answer is no, but there are plenty of companies to sell this data point to. Back in 2013, the FTC took to task some flashlight app companies as the permissions did not tally with their privacy policy regarding the data being collected. The issue was that consent was not given for the data collected. If apps, as I am sure most do, disclose the permissions and their privacy policy matches the collection and use of data, then we, the users, are the ones that need to be vigilant and ascertain whether the data collected is in context. And even if the collection is out of context, we need to decide whether the service the app provides us equals the value of the data collected.

A practical test

When downloading an app that provides functionality remember there are choices. To demonstrate the differences between apps that provide similar functionality and the permissions requested, I searched for ‘battery saver’ in the Google Play store. Below is a table of the first 5 apps listed (in the order they were displayed):

The above is purely to demonstrate the differing number of permissions and how key permissions such as location and file access can differ on apps that have seemingly similar functionality.

Managing the apps on your phone and the permissions they have is good housekeeping. Rather than playing Candy Crush at the departure gate or bus stop, take a few minutes to uninstall unused apps and take a look through the permissions of apps you decide to keep.

You can check the app permissions you have enabled by heading to the Apps section of Apps & Notifications. Find the app and scroll down until you find permissions, take a moment to review them, and toggle off any that you don’t think are necessary.

There is also the ability to do this by feature. For example, if you look at Camera permissions you can see all the apps that have this permission and toggle them on/off as you see fit. Declining an app certain permissions does not mean it will not function altogether; it may just limit the functionality.

If data is truly more valuable than oil, then understanding the value of our personal data is essential as companies will be motivated to collect it to generate revenue. We, the consumers, must step up and engage in controlling, or at least understanding, the data we trade with companies to gain access to their services.

2 Oct 2019 – 11:30AM