Dashboard Global

ASERT Security Intelligence

Summary: Researchers continue to analyze the Equation Group leak and have discovered expanded threats against Cisco devices and exploit code that affects Juniper devices. Cisco has released patches and other vendors continue to investigate. Users are strongly encouraged to harden and patch in a robust manner since threat actors have been attempting to use at least some of the malicious code contained in the dump.A nation-state interest has apparently targeted an activist for surveillance and attempted to exploit the target with a series of three distinct iOS vulnerabilities known as "Trident". The activist has been targeted in years prior and therefore has increased his operational security, which allowed for the exploitation attempt to be analyzed which resulted in the discovery of malicious infrastructure associated with the Pegasus spying software sold by the NSO Group of Israel.Banking trojan activity appears to have increased recently, with upticks observed in the Dridex trojan, the GozNym trojan, and the Brazilian Bancos trojan. Threat actors continue to evolve their TTP's to increase campaign longevity.Ransomware threats continue to unfold, with new variants being discovered nearly daily as older threats are neutralized. The basic defenses remain consistent, however threat actors are continually innovating their tactics in order to compromise more targets and thus generate more income to feed the underground economy.

Title: Banking Trojan Threat Update: Bancos, Dridex, GozNym
Severity Level: Normal Severity
Published: Thu, 25 Aug 2016 22:44:43 +0000
In the wake of the Olympics, a variety of threat activity was observed including a Brazilian banking trojan ("Banker") being deployed if a compromised system was geolocated inside the country. Such geolocation is not a new technique, but it does provide cybercriminals with the opportunity to ply regional connections and underground economy expertise to enrich local operations. The malware was spread via enticing malicious spam suggesting that the user could get free tickets to Olympic events. For further details, please see the source material from Trend [http://blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/]. In other banking trojan news, the Dridex malware was engaged in smaller operations in recent times, however, a larger spike in activity was observed on August 17, targeting Switzerland. Dridex is being delivered through malicious macros embedded in Word documents and must typically be manually triggered by the unsuspecting user, although some activity involving the Neutrino exploit kit was also observed [https://www.proofpoint.com/us/threat-insight/post/Dridex-returns-to-action-for-smaller-more-targeted-attacks].The malware threat known as GozNym (a hybrid of the Gozi banking trojan and the Nymaim downloader) has recently been observed in targeted attacks upon 13 German financial institutions [https://securityintelligence.com/goznyms-euro-trip-launching-redirection-attacks-in-germany/].
Source: Recent Brazillian Banker Trojan Activites

Title: Equation Group / Shadow Brokers Insight Continues
Severity Level: Normal Severity
Published: Thu, 25 Aug 2016 22:44:43 +0000
Various researchers continue to explore the leaked code that has been attributed to the Equation Group and the NSA. Recent findings indicate that the EXTRABACON exploit code successfully exploits at least one additional newer versions of a Cisco firewall with some modifications [https://www.helpnetsecurity.com/2016/08/24/extrabacon-newer-cisco-asa/]. As of August 24, Cisco has released patches for the vulnerability [http://blogs.cisco.com/security/shadow-brokers].Other related news reveals that Juniper infrastructure gear has also been targeted, however, the code involved is intended to be loaded onto the device and is not a remote exploit [https://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Release-of-Hacking-Code/ba-p/296128]. Juniper is working to help customers obtain insight regarding past compromise activity.Other researchers have posted a series of tweets about their own investigations into the leak [https://twitter.com/musalbas/status/765318905942376449]. Researchers continue with their discoveries.
Source: Equation Group / Shadow Brokers Insight Continues

Title: Ransomware Trends
Severity Level: Normal Severity
Published: Thu, 25 Aug 2016 22:44:43 +0000
Researchers were able to take down two ransomware variants this week, releasing decryption keys while shutting down C2 infrastructure. However, for every instance of ransomware mitigated, seemingly one or more new variants are discovered taking their place. This week, a law enforcement led operation successfully thwarted those behind Wildfire ransomware by taking over C2 infrastructure. The takedown of Wildfire, a ransomware predominately impacting Dutch and Belgian nationals, netted law enforcement officials over 5800 decryption keys [https://threatpost.com/wildfire-ransomware-campaign-disrupted/120095/].Other researchers discovered and successfully created a decryption tool for the Alma variant. They found the variant while monitoring RIG exploit kit activity. For information on Alma and for access to the decryption tool please visit https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter. As mentioned previously, when one variant is mitigated, even more are discovered. Three new variants, based on the two ’educational’ open source versions Hidden Tear and EDA2, were recently discovered. The first variant, KaoTear attempts to mimic the South Korean messaging app KaKaoTalk. The ransom note contained within was crafted in Korean. KaoTear is based on Hidden Tear.The next variant was developed to target English speakers and based on EDA2. FSociety, crafted as an homage to the popular TV series Mr.Robot, appears to still be in development, according to researchers. The final variant appears to be used for targeting Arabic speaking PokemonGo players. Dubbed PogoTear and based on Hidden Tear as well, this is the only variant, of the three, that is capable of propagating to removable media, shared folders and mapped network drives. All three are relatively new and required limited overall knowledge to compile given their root sources. Uniquely, all three appear designed to target SQL and MDB (database files) and web server files like XML, PHP, and ASPX [https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter].Finally, ransomware-as-a-service is not too new but still novel. A new variant, DetoxCrypto, appears to have multiple variants, themes, emails all either being sold uniquely to various buyers or working as part of an affiliate system [https://www.grahamcluley.com/2016/08/detoxcrypto-ransomware-new-raas-affiliate-program-works/].
Source: New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses

Title: iPhone 0day Exploitation Activity: The Million Dollar Dissident
Severity Level: Normal Severity
Published: Thu, 25 Aug 2016 22:44:43 +0000
An activist based in the UAE with a history of being targeted by apparent nation-state interests was targeted once again, this time via an SMS message that was designed to generate an emotional response and subsequent click. If that click would have been made, the targets device would have been exploited by the combination of three distinct 0day vulnerabilities (dubbed "Trident" - CVE-2016-4657, CVE-2016-4655, and CVE-2016-4656) affecting the version of iOS being used by the victim. The payload appears to correlate with a sophisticated surveillance application called Pegasus, created by a somewhat stealthy company known as the NSO Group. Insight into Pegasus was leaked to the public in the prior Hacking Team stolen information dump. Various researchers from organizations such as Lookout Security and CitizenLab collaborated to track the infrastructure apparently used by the NSO group and also uncovered threat activity aimed at others around the world. For further details and IOC's, please see the Citizen Lab report at https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ and for additional technical detail, please see the Lookout report at https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf.
Source: iPhone 0day Exploitation Activity: The Million Dollar Dissident


Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000



Top Attacks   (past 24 hours) ↑ ↓ _

Description Attacks per subnet Change from yesterday CVE Percentage
VNC network scanning activity 141.91 -15.1 %
SSH brute-force login attempts 70.18 -1.7 %
RPC portmap listing UDP 111 31.24 +38.3 %
SNMP MS Windows getbulk request 23.95 +252.4 % CVE-2006-5583
MYSQL brute-force login attempts 22.73 -15.0 %
Description Attacks per subnet Change from yesterday CVE Percentage
SNMP private community access attempt 2.20 +403.4 % CVE-2002-0013
SNMP MS Windows getbulk request 23.95 +252.4 % CVE-2006-5583
ping attempt 11.57 +119.0 %
TFTP root directory 0.67 +100.0 % CVE-1999-0183
RPC portmap listing UDP 111 31.24 +38.3 %

Top Scanned Services   (past 24 hours) ↑ ↓ _

Description Traffic per subnet Change from yesterday Latest CVE Percentage
UDP/5060 (sip) 375.12 kB -37.5 % CVE-2006-0189
TCP/23 (telnet) 126.16 kB -15.6 % CVE-2007-0956
TCP/5900 57.42 kB -21.2 % CVE-2006-4309
UDP/53413 48.68 kB -12.4 %  
ICMP/8 40.80 kB -28.3 %  
Description Traffic per subnet Change from yesterday Latest CVE Percentage
UDP/65476 9.48 kB +inf %  
UDP/161 (snmp) 9.19 kB +inf % CVE-2007-5381
UDP/137 (netbios-ns) 6.82 kB +inf % CVE-2004-0444
TCP/8080 (webcache) 6.05 kB +inf % CVE-2007-5461
Other 181.56 kB N/A  

Top Threat Sources   (past 24 hours) ↑ ↓ _

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 50 148.74 kB 3 2587 429
CA (Canada) 2 27 159.64 kB 0 156 56
DE (Germany) 3 2 118.54 kB 1 421 26
CN (China) 4 49 88.98 kB 1 0 238
KR (South Korea) 5 21 39.81 kB 1 3 78
GB (Great Britain) 6 1 28.46 kB 1 362 25
FR (France) 7 4 31.86 kB 10 124 18
RU (Russian Federation) 8 1 25.39 kB 0 262 5
NL (Netherlands) 9 21 26.97 kB 2 32 25
VN (Viet Nam) 10 64 22.20 kB 0 0 28
RO (Romania) 11 5 11.15 kB 0 209 96
CO (Colombia) 12 0 23.98 kB 1 0 5
BR (Brazil) 13 0 11.22 kB 0 143 69
TW (Taiwan) 14 1 10.96 kB 0 0 0
CH (Switzerland) 15 0 5.64 kB 0 3 59
PL (Poland) 16 0 6.15 kB 0 95 0
IN (India) 17 0 3.14 kB 0 23 66
SE (Sweden) 18 0 934.43 B 0 181 6
AU (Australia) 19 3 1.10 kB 0 78 56
EU (European Union) 20 5 2.86 kB 0 102 11
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS6428 (CDM) 1 0 107.42 kB 0 0 0
AS13301 (UNITEDCOLO-AS) 2 0 53.79 kB 0 0 0
AS4134 (CHINANET-BACKBONE) 3 22 38.94 kB 1 0 28
AS29791 (VOXEL-DOT-NET) 4 0 29.82 kB 0 0 0
AS34289 (WEBART-AS) 5 0 27.31 kB 0 0 0
AS6939 (HURRICANE) 6 40 23.63 kB 0 0 0
AS30083 (SERVER4YOU) 7 0 22.28 kB 0 0 0
AS4837 (CHINA169-BACKBONE) 8 9 20.54 kB 0 0 10
AS18403 (FPT-AS-AP) 9 63 18.79 kB 0 0 13
AS680 (DFN) 10 0 19.56 kB 0 0 0
AS24961 (MYLOC-AS) 11 0 18.20 kB 0 0 0
AS29073 (QUASINETWORKS) 12 6 15.67 kB 1 22 0
AS19529 (RAZOR-PHL) 13 0 16.37 kB 0 0 0
AS4766 (KIXS-AS-KR) 14 0 14.92 kB 0 0 13
AS3816 (COLOMBIA) 15 0 14.41 kB 0 0 0
AS8972 (PLUSSERVER-AS) 16 0 13.47 kB 0 0 0
AS19066 (WIREDTREE) 17 0 0 B 0 373 0
AS12322 (PROXAD) 18 2 10.39 kB 6 25 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 19 0 0 B 0 327 0
AS8342 (RTCOMM-AS) 20 0 7.74 kB 0 100 0