ASERT Security Intelligence

Summary: Microsoft has released security patches for several vulnerabilities, including CVE-2016-3238, which allows for Windows system compromise via the installation of malicious printer drivers through a variety of methods. Reports of a compromise of a European energy company with custom malware may have been slightly overblown in the media; however, the activity connects with prior threat actors and features malware that goes to substantial lengths to evade detection and analysis. A Point of Sale compromise at Wendy's is now being reported as larger than initially expected: during analysis of the first compromise, a second compromise was discovered that breached more systems. PoS infrastructure continues to be a hot target. The long-running Kelihos spambot, facilitator of a great deal of traditional spam, is now delivering a ransomware payload; the profit from ransomware activity is likely quite tempting for threat actors who are operating or renting out Kelihos. Ransomware continues to be a substantial problem, and we review the week's most important stories as this threat continues to spread and cause more pain.

Title: Ransomware Weekly Threat Activity Review
Severity Level: Normal Severity
Published: Thu, 14 Jul 2016 20:34:03 +0000
This week some good news abounds for those battling ransomware variants. However, with good news also comes bad news. A new variant of Locky was discovered on July 12, 2016, when threat actors launched a massive spam campaign, peaking at over 120,000 messages per hour. The new variant can encrypt files without an internet connection. This new implementation brings with it a less robust encryption scheme: because encryption happens offline, all compromised systems within a network should be using the same encryption ID, making it possible for a company to decrypt all impacted systems while only paying the ransom for one. [http://news.softpedia.com/news/huge-spam-wave-drops-locky-variant-that-can-work-without-an-internet-connection-506294.shtml]

Next on the ransomware block, researchers combing underground forums found a new and inexpensive variant being marketed, “Stampado.” The creators behind the variant are selling lifetime licenses and support services for $39 U.S. Crimeware as a service is not new, and neither is selling ransomware as a service. However, the price tag for this new variant does open up opportunities for additional and less capable actors to get involved with ransomware operations. [http://www.infosecurity-magazine.com/news/brand-new-stampado-ransomware/]

Finally, the last piece of bad news: security researchers are seeing evidence hinting at a major breach at Apple. To make matters worse, additional research uncovered a ransomware campaign targeting iPhones using compromised Apple ID credentials. Once a threat actor logs into Apple services, they use the “Find My iPhone” service to place the device into lost mode, locking the device and allowing them to post a ransom demand on the locked screen. [http://www.csoonline.com/article/3093016/security/apple-devices-held-for-ransom-rumors-claim-40m-icloud-accounts-hacked.html]

In the good news department, researchers have designed another ‘anti-ransomware’ program. The program, “CryptoDrop,” is currently available for Windows-based computers. Its creators designed the program to recognize behaviors heavily associated with ransomware activity and then proactively terminate the associated program. Individuals will still lose access to a small portion of files while CryptoDrop works to recognize and mitigate the threat. [http://www.inforisktoday.com/researchers-unleash-ransomware-annihilation-a-9255?utm_source=twitterfeed&utm_medium=twitter]

Last, security researchers at CheckPoint disclosed a new workaround for JigSaw ransomware. JigSaw is particularly threatening when compared to other malware families: if victims refuse to pay the ransom within the allotted timeframe, the program begins to delete thousands of files every hour, and if a user reboots the compromised system, they lose 1,000 files. For additional information on mitigating JigSaw and its current versions, visit http://blog.checkpoint.com/2016/07/08/jigsaw-ransomware-decryption/.
Source: Researchers Unleash Ransomware Annihilation - InfoRiskToday

Title: CVE-2016-3238 Allows for Windows System Compromise via Printer Drivers
Severity Level: Normal Severity
Published: Thu, 14 Jul 2016 20:34:03 +0000
Microsoft has patched a vulnerability for CVE-2016-3238, described as a Windows Print Spooler Remote Code Execution Vulnerability [https://technet.microsoft.com/library/security/MS16-087]. The issue can be exploited by a legitimate printer providing a trojaned driver, by a fake printer delivering a malicious driver, or via Internet-enabled mechanisms that provide for Internet-based printing. Windows machines configured to allow installation of printer drivers on demand are more exposed to the threat, since on an unpatched system no UAC prompt takes place. Researchers at Vectra Networks described the threat [http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack] but have not provided exploit code. Exploit code is not really needed in at least one of the attack scenarios; however, a shell script and other material are provided that could easily be modified and weaponized.
Source: CVE-2016-3238 Allows for Windows System Compromise via Printer Drivers

Title: Compromise of European Energy Company with Custom Malware
Severity Level: Normal Severity
Published: Thu, 14 Jul 2016 20:34:03 +0000
SentinelOne published an interesting blog post, "SFG: Furtim's Derivative," on July 12, 2016, describing a malware sample associated with threat activity involving an energy company in Europe. The post covers an extensive array of anti-analysis routines at play within a sample of the SFG malware binary, two privilege escalation exploits, and one UAC bypass, before describing the final payload, which performs typical actions of information gathering and reporting back to a C2. In an interview with ThreatPost, researcher Joseph Landry indicated that the Furtim malware was also downloaded as the final payload in some instances. This malware is being described as "Furtim's parent" based on the title of the post [https://sentinelone.com/blogs/sfg-furtims-parent/].
Source: Targeting of European Energy Company with Custom Malware

Title: Kelihos Spambot Now Delivering Ransomware Payload
Severity Level: Normal Severity
Published: Thu, 14 Jul 2016 20:34:03 +0000
The Kelihos spambot is a long-running threat that continues to operate and is known mostly for delivering traditional spam associated with so-called Canadian pharmacies. Recently, researchers at the University of Alabama noticed a distinctly different linked payload, the WildFire Locker Encryption ransomware, being delivered by Kelihos, which represents a dangerous turn for this prolific and long-running spambot [http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html].
Source: Kelihos Spambot Now Delivering Ransomware Payload


Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000



Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE
VNC network scanning activity | 43009.51 | +94.9 % | 
SSH brute-force login attempts | 808.85 | +108.0 % | 
ntpdx overflow attempt | 385.85 | -13.2 % | CVE-2001-0414
MYSQL brute-force login attempts | 371.88 | +93.8 % | 
SNMP private community access attempt | 232.47 | +1005.0 % | CVE-2002-0013
POLICY PE EXE or DLL Windows file download | 47.47 | +308.4 % | 
Microsoft Windows ASN.1 Library buffer overflow attempt | 46.38 | +303.3 % | CVE-2003-0818
ASN.1 constructed bit string | 46.41 | +302.5 % | CVE-2005-1935
SNMP MS Windows getbulk request | 314.86 | +290.8 % | CVE-2006-5583

Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE
TCP/5900 | 23.54 MB | -10.8 % | CVE-2006-4309
UDP/53413 | 15.13 MB | +16.0 % | 
UDP/5060 (sip) | 2.66 MB | -16.6 % | CVE-2006-0189
TCP/23 (telnet) | 2.48 MB | -20.3 % | CVE-2007-0956
ICMP/8 | 573.19 kB | +69.4 % | 
TCP/111 (sunrpc) | 369.77 kB | +inf % | CVE-2007-3618
TCP/5000 (commplex-main) | 153.09 kB | +inf % | CVE-2001-0876
UDP/45339 | 121.75 kB | +inf % | 
UDP/1046 (wfremotertm) | 105.89 kB | +inf % | 
UDP/4011 (pxe) | 102.54 kB | +inf % | 

Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
CN (China) | 1 | 16940 | 11.20 MB | 1 | 513 | 246
US (United States) | 2 | 9380 | 6.07 MB | 3 | 27925 | 828
VN (Viet Nam) | 3 | 5900 | 5.89 MB | 0 | 204 | 24
KR (South Korea) | 4 | 7250 | 5.82 MB | 1 | 316 | 469
CA (Canada) | 5 | 727 | 2.57 MB | 0 | 2018 | 51
TW (Taiwan) | 6 | 36 | 1.96 MB | 0 | 23 | 3
NL (Netherlands) | 7 | 3066 | 1.46 MB | 2 | 783 | 33
JP (Japan) | 8 | 2982 | 1.30 MB | 1 | 27 | 30
BR (Brazil) | 9 | 0 | 1.17 MB | 0 | 597 | 209
RU (Russian Federation) | 10 | 27 | 1.12 MB | 0 | 873 | 42
RO (Romania) | 11 | 0 | 866.23 kB | 0 | 673 | 68
DE (Germany) | 12 | 17 | 724.63 kB | 1 | 2244 | 41
UA (Ukraine) | 13 | 9 | 671.76 kB | 0 | 125 | 0
TR (Turkey) | 14 | 113 | 542.23 kB | 0 | 920 | 5
CO (Colombia) | 15 | 0 | 535.30 kB | 1 | 145 | 7
PL (Poland) | 16 | 25 | 413.70 kB | 0 | 2678 | 0
GB (Great Britain) | 17 | 349 | 367.90 kB | 1 | 1995 | 31
FR (France) | 18 | 50 | 365.65 kB | 10 | 1368 | 15
IN (India) | 19 | 215 | 339.70 kB | 0 | 423 | 57
EU (European Union) | 20 | 94 | 237.59 kB | 0 | 714 | 15

ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS4837 (CHINA169-BACKBONE) | 1 | 15951 | 7.07 MB | 0 | 135 | 19
AS9318 (HANARO-AS) | 2 | 6161 | 3.36 MB | 0 | 0 | 24
AS18403 (FPT-AS-AP) | 3 | 5874 | 3.30 MB | 0 | 0 | 23
AS4134 (CHINANET-BACKBONE) | 4 | 273 | 3.42 MB | 1 | 140 | 15
AS6428 (CDM) | 5 | 2 | 2.12 MB | 0 | 0 | 0
AS4766 (KIXS-AS-KR) | 6 | 278 | 1.59 MB | 0 | 292 | 42
AS3462 (HINET) | 7 | 3 | 1.59 MB | 0 | 0 | 0
AS19994 (RACKSPACE) | 8 | 2697 | 1.20 MB | 0 | 0 | 0
AS16265 (LEASEWEB-NETWORK) | 9 | 2635 | 1.07 MB | 0 | 203 | 9
AS7922 (COMCAST-7922) | 10 | 121 | 803.58 kB | 0 | 0 | 5
AS7552 (VIETEL-AS-AP) | 11 | 0 | 792.36 kB | 0 | 0 | 0
AS3786 (LGDACOM) | 12 | 808 | 623.67 kB | 0 | 0 | 8
AS45899 (VNPT-AS-VN) | 13 | 11 | 427.05 kB | 0 | 0 | 0
AS30083 (SERVER4YOU) | 14 | 0 | 420.20 kB | 0 | 0 | 0
AS9121 (TTNET) | 15 | 0 | 403.57 kB | 0 | 0 | 5
AS24086 (VIETTEL-AS-VN) | 16 | 0 | 386.57 kB | 0 | 0 | 0
AS8708 (RCS-RDS) | 17 | 0 | 351.34 kB | 0 | 0 | 9
AS8560 (ONEANDONE-AS) | 18 | 120 | 316.28 kB | 0 | 835 | 0
AS29073 (QUASINETWORKS) | 19 | 367 | 310.93 kB | 1 | 149 | 0
AS12322 (PROXAD) | 20 | 27 | 276.86 kB | 6 | 559 | 0