CSIS Blog: MazarBOT returns in new SMS waves

The Android data stealer, which we dubbed “MazarBOT” based on text in the binary APK code, is active again.

It is spammed out via SMS messages with the following content (sanitized by CSIS):

“Du har modtaget en MMS-besked fra +45430444292. Følg linket http://mmsservice[.]pw/apk for at få vist beskeden”

English translation:
“You have received a multimedia message from +45430444292. Follow the link http://mmsservice[.]pw/apk to view the message.”

It’s worth mentioning that the message is written in perfect Danish.

If the APK is executed, it calls home to a C&C server at (sanitized by CSIS) http://37.1.205[.]193/?action=command.

The server is hosted in the United Kingdom at 3nt Solutions Llp.

The data sent to the C&C server in the initial check-in includes, among other things (% stands for device-specific values omitted here):

{"type":"install","country":"DK","imei":"%","model":"%","apps":["exts.denmark"],"operator":"%","sms":[%],"os":"4.2.1","install id":"1"}

MazarBOT performs overlay attacks on several applications installed on the infected Android device: it draws its own phishing screen on top of the legitimate app, so the credentials the victim types go to the attackers while the real app stays underneath. Below is a screenshot of such an overlay (man-in-the-middle style) phishing attack against the Danske Bank app:


Apart from that, it is identical to the sample in the write-up we posted here:
https://www.csis.dk/en/csis/news/4819/

At the time of distribution MazarBOT had zero AV detection; this has since improved slightly (11/53):
https://www.virustotal.com/en/file/124675ce63027ceea0a52bf89a813ad2a6b0cc3e6ca55329831d0099af2307d9/analysis/


CSIS News: MazarBOT: Top class Android datastealer

This Friday, a swarm of SMS messages was sent to random phone numbers in Denmark and likely elsewhere. The content of the SMS was designed to lure the recipient into clicking the provided link, which served up a malicious APK.

The SMS in question arrives with the following content (sanitized by CSIS):
“You have received a multimedia message from +[country code] [sender number]. Follow the link http://www.mmsforyou[.]net/mms.apk to view the message.”

If the APK (an Android application package) is run on an Android-powered smartphone, it requests device administrator rights on the victim's device and the following permissions, which together give the attackers control over SMS, calls and the screen:

SEND_SMS
RECEIVE_BOOT_COMPLETED
INTERNET
SYSTEM_ALERT_WINDOW
WRITE_SMS
ACCESS_NETWORK_STATE
WAKE_LOCK
GET_TASKS
CALL_PHONE
RECEIVE_SMS
READ_PHONE_STATE
READ_SMS
ERASE_PHONE
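The permission list above is what makes the sample a banking trojan rather than just an SMS spammer: reading SMS defeats SMS-based 2FA, SYSTEM_ALERT_WINDOW plus GET_TASKS enables overlays on top of the banking app, and device-admin rights make uninstalling hard. The following Python script is an added example (not CSIS code and not from the malware) that parses an AndroidManifest.xml and flags that combination. The manifest is constructed from the list above; the package name is made up, and ERASE_PHONE is left out because it is not a standard Android permission name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission combinations that matter for a banking overlay / SMS stealer.
# Each rule fires only when every listed permission is requested.
RULES = {
    "sms-interception": {"RECEIVE_SMS", "READ_SMS"},
    "sms-sending": {"SEND_SMS", "WRITE_SMS"},
    "overlay-phishing": {"SYSTEM_ALERT_WINDOW", "GET_TASKS"},
    "call-control": {"CALL_PHONE", "READ_PHONE_STATE"},
    "boot-persistence": {"RECEIVE_BOOT_COMPLETED"},
}


def parse_manifest(xml_text):
    """Return (set of short permission names, True if a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    perms = {
        node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        for node in root.iter("uses-permission")
    }
    # Device-admin apps declare a receiver protected by BIND_DEVICE_ADMIN.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    return perms, device_admin


def assess(xml_text):
    """Score a manifest: which rules fire, and whether the overlay+SMS+admin trio is complete."""
    perms, device_admin = parse_manifest(xml_text)
    hits = [label for label, needed in RULES.items() if needed <= perms]
    if device_admin:
        hits.append("device-admin")
    critical = {"sms-interception", "overlay-phishing", "device-admin"} <= set(hits)
    return {"hits": sorted(hits), "critical": critical, "permissions": sorted(perms)}


# Constructed manifest built from the permission list in the post (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mmsviewer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="MMS">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
    print(assess(BENIGN_MANIFEST))
```

Run it against the decoded manifest of a suspicious APK (apktool or aapt will extract it); the "critical" flag is the fast triage signal, the "hits" list explains why.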


CSIS has identified the malicious APK as the Mazar Android BOT (and named it MazarBOT on that basis), a threat that Recorded Future reported in November 2015 as being sold on Russian underground forums.

The malicious APK retrieves Tor (Orbot, the Tor client for Android, package org.torproject.android) and installs it on the victim's phone from the following legitimate URLs:

https://f-droid.org/repository/browse/?fdid=org.torproject.android
https://play.google.com/store/apps/details?id=org.torproject.android

In the next phase of the attack, the infection unpacks and runs the Tor application, which is then used to connect to the following hidden service: http://pc35hiptpcwqezgs[.]onion.

After that, an automated SMS with the text “Thank you” is sent to the number 9876543210 (98 is the country code for Iran). The catch is that this SMS also carries the device's location data.

This specific mobile malware opens the door to a variety of hostile attacks targeting the victim. Amongst many things, the attackers can:

– Open a backdoor into Android smartphones, to monitor and control them as they please
– Send SMS messages to premium-rate numbers, seriously increasing the victim’s phone bill
– Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, frequently used by online banking apps and e-commerce websites, among others
– Use their full access to Android phones to basically manipulate the device to do whatever they want

Polipo proxy and man-in-the-middle attack
The attackers behind MazarBOT also bundle Polipo, a small caching HTTP proxy, which gives them a foothold in the phone's HTTP traffic.

Polipo sits between the phone's applications and the network and forwards requests to Tor's SOCKS port. Because the bot controls both the proxy and its configuration, it can redirect or rewrite traffic between the victim's phone and a web-based service. This effectively becomes a man-in-the-middle attack.

The Tor and Polipo binaries are dropped on the victim's phone under .mp3 names (these are exactly the file names Orbot uses for the binaries in its own resources, so the .mp3 disguise is inherited from Orbot's packaging rather than invented by the malware authors):

122.933 polipo.mp3
1,885,100 tor.mp3

Then, the proxy is configured using these files (again Orbot's resource names):

174.398 debiancacerts.bks
574 torpolipo.conf
879 torpolipo_old.conf
212 torrc
276 torrc_old

For those technically inclined, the Polipo configuration is straightforward once read with its original key names: Polipo listens as an HTTP proxy on 127.0.0.1:8118 and chains everything to Tor's SOCKS5 port 127.0.0.1:9050 (socksParentProxy), while disableConfiguration and disableLocalInterface stop anything else on the phone from reconfiguring it:

proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1
allowedPorts = 1-65535
proxyName = "127.0.0.1"
cacheIsShared = false
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5
diskCacheRoot = ""
localDocumentRoot = ""
disableLocalInterface = true
disableConfiguration = true
dnsUseGethostbyname = yes
disableVia = true
censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe
maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535
chunkHighMark = 11000000
objectHighMark = 128

Chrome injects
As if it wasn’t enough that it can stop calls and launch other aggressive commands on the victim’s phone, MazarBOT is also capable of injecting itself into Chrome.


And there are several other settings and commands that MazarBOT can trigger, as showcased below. These include:


– Controlling the phone’s keys
– Enabling the sleep mode
– Saving actions in the phone’s settings, etc.

MazarBOT won't run on Russian Android smartphones
CSIS was not surprised to observe that the malware cannot be installed on smartphones configured with Russian language settings. MazarBOT checks the device locale to identify the victim's country and kills its own process if the phone turns out to be set to Russia:

if (locale.getCountry().equalsIgnoreCase("RU")) {
    Process.killProcess(Process.myPid());
}

Until now, MazarBOT has been advertised for sale on several websites on the dark web, but this is the first time we have seen the code deployed in active attacks.


Remote debugging
Another interesting feature of MazarBOT is that it enables remote debugging, i.e. the Android Debug Bridge daemon (adbd). This lets the infected device be used as a jump host: an attacker reaching adbd over TCP/IP (for instance from the same Wi-Fi network) or over USB gets a shell on the device, which opens up a variety of further attacks on the network the phone is connected to.

Generally, enabling adbd on a phone allows a computer to debug it over a connected USB cable or over a predefined TCP port on the phone (conventionally 5555).

Android also has a security setting that requires the user to explicitly authorize a connecting computer (by accepting its RSA key fingerprint) before adbd accepts commands; since Android 4.2.2 this is the default, with a few vendor-specific exceptions. Note that this authorization protects against an untrusted computer, not against code already running on the device, so an adbd listening on a network interface is itself an indicator worth checking.
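To check for an adbd exposed over TCP, you do not need the adb client: adbd speaks a simple framed protocol, and its first reply to a CNXN frame tells you whether it is open (it answers CNXN with a "device::" banner) or enforcing authorization (it answers AUTH). The following Python is an added example (not CSIS code or the malware's) that builds and parses ADB frames according to the public ADB wire protocol; port 5555 is assumed to be the default, and the sample replies in the main block are constructed so that nothing touches the network unless you call probe() yourself.

```python
import socket
import struct

# ADB wire-protocol message header: six little-endian uint32 words (24 bytes),
# followed by data_length bytes of payload. magic is always command XOR 0xFFFFFFFF.
HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43      # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541      # b"AUTH": what an authorization-enforcing adbd answers instead
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
ADB_TCP_PORT = 5555      # adbd's conventional TCP port (assumption: device uses the default)


def checksum(payload):
    """ADB data_check is the plain byte sum of the payload, truncated to 32 bits."""
    return sum(payload) & 0xFFFFFFFF


def build_message(command, arg0, arg1, payload=b""):
    header = HEADER.pack(command, arg0, arg1, len(payload), checksum(payload),
                         command ^ 0xFFFFFFFF)
    return header + payload


def build_cnxn(identity=b"host::"):
    """The client's opening CNXN; the identity is a NUL-terminated 'type::serial::banner' string."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity + b"\x00")


def parse_message(raw):
    """Decode one ADB message; raises ValueError if the bytes are not an ADB frame."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(raw)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB message")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length or checksum(payload) != check:
        raise ValueError("payload length/checksum mismatch")
    name = struct.pack("<I", command).decode("ascii", "replace")
    return {"command": name, "arg0": arg0, "arg1": arg1, "payload": payload}


def classify_reply(raw):
    """'open' if adbd answered CNXN (no authorization), 'auth' if it demanded a key, else 'not-adb'."""
    try:
        msg = parse_message(raw)
    except ValueError:
        return "not-adb"
    if msg["command"] == "CNXN" and msg["payload"].startswith(b"device::"):
        return "open"
    if msg["command"] == "AUTH":
        return "auth"
    return "not-adb"


def probe(host, port=ADB_TCP_PORT, timeout=3.0):
    """Network version (not used by the offline demo): send CNXN and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cnxn())
        return classify_reply(s.recv(4096))


if __name__ == "__main__":
    # Constructed replies standing in for a real device; no network traffic is generated.
    open_reply = build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"device::ro.product.name=x;\x00")
    auth_reply = build_message(A_AUTH, 1, 0, b"\x00" * 20)
    print(classify_reply(open_reply), classify_reply(auth_reply),
          classify_reply(b"HTTP/1.1 200 OK\r\n\r\n"))
```

Only probe devices you are responsible for. An "open" result on a phone that nobody deliberately configured for TCP debugging is exactly the state this section describes.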

Conclusion
MazarBOT is advanced and nasty Android malware. Several factors indicate that it was designed primarily to target online banking customers. In fact, it will most likely succeed in circumventing most online banking protection solutions.

Antivirus detection at the time of distribution of the APK was low (3/54):
https://www.virustotal.com/en/file/73c9bf90cb8573db9139d028fa4872e93a528284c02616457749d40878af8cf8/analysis/


CSIS Blog: Carbanak returns

Short background
Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample.

The $1bn heist
Carbanak (aka Anunak) has been around for several years and it was highlighted in a report released by researchers at Kaspersky in February 2015 with the headline “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide” (ref 1). As expected, such a colorful title would quickly draw the attention of international press and a few days later the story was headlining the media.

At the time when the Carbanak story broke in the media, several researchers from CSIS were attending the Kaspersky Security Analyst Summit (TheSAS2015) hosted in Mexico. We soon got very busy answering questions from concerned customers. As our investigation at that time progressed, it turned out that none of our customers was affected by Carbanak. Unfortunately, this would not last forever. As stated earlier, during the last week we uncovered a new variant of Carbanak. From our analysis it is clear that Carbanak has returned and has been confirmed targeting large corporations in Europe and in the USA. The attack vector is spear phishing.

The first new variant
As already mentioned, the new variant of Carbanak is digitally signed (more details on that follow later in the blog post). It was found on the compromised Windows 7 host at this location: C:\ProgramData\Mozilla\svchost.exe. On Windows XP, the location would be: C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe. At the same time, it adds a Run key to the registry, so that the code is executed again after a reboot of the system.

After having reversed the code, we are now able to confirm that the folder and the filename are both static and thus can be used as an IoC (Indicator of Compromise).
Carbanak injects itself into the svchost.exe process. In this way, it manages to hide its presence in memory.

Like several other advanced data-stealing threats, Carbanak uses plugins. The plugins are installed using Carbanak's own protocol, communicating with a hardcoded IP address over TCP port 443. The two plugins downloaded during our analysis were “wi.exe” and “klgconfig.plug”. Both of them have already been mentioned in the Kaspersky report (ref. 2).

When communicating with the C&C, the sample in question registers the bot with a predefined string, yamota0, followed by a randomly generated 16-byte string used as the BOTID (hexadecimal in our sample), e.g.: “yamota0832ebfe80090bd64”. See screenshot below:


There are several differences between these new variants and the previously observed Carbanak specimens (ref 2). These include:
–    new geographical targets
–    a new proprietary protocol
–    random file names and mutexes (the main component's path, however, is static)
–    a predefined IP address (previous variants used domains)

Besides these, the binaries are almost identical with the previous Carbanak samples.
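The static drop path and the yamota0 registration prefix are the two IoCs above that can be matched mechanically. The following Python is an added example (not CSIS code) that checks file-path observations against the drop paths and searches raw TCP payloads for the registration string. Two assumptions are labelled in the code: the BOTID alphabet is taken to be lower-case hex, generalised from the single sample in the post, and the payload matching only works because Carbanak's own protocol on port 443 is not TLS; a genuine TLS flow on 443 will never match. The paths and flows are constructed, and the server address is a TEST-NET placeholder.

```python
import re

# Static drop locations named in the post (Windows paths compare case-insensitively).
STATIC_DROP_PATHS = {
    r"c:\programdata\mozilla\svchost.exe",
    r"c:\documents and settings\all users\application data\mozilla\svchost.exe",
}

# Bot registration string: literal "yamota0" followed by the random 16-character BOTID.
# The post's single example ("yamota0832ebfe80090bd64") is lower-case hex; restricting the
# alphabet to hex is an assumption generalised from that one sample.
BOT_REGISTRATION = re.compile(rb"yamota0([0-9a-f]{16})")


def path_matches(path):
    """True if a file path is one of the static Carbanak drop paths."""
    return path.replace("/", "\\").lower() in STATIC_DROP_PATHS


def find_bot_ids(payload):
    """Return BOTIDs registered in a raw (non-TLS) TCP payload, e.g. captured on port 443."""
    return [m.group(1).decode("ascii") for m in BOT_REGISTRATION.finditer(payload)]


def triage(file_paths, flows):
    """Match host and network observations against the IoCs; flows are (description, payload) pairs."""
    findings = []
    for path in file_paths:
        if path_matches(path):
            findings.append(("drop-path", path))
    for description, payload in flows:
        for bot_id in find_bot_ids(payload):
            findings.append(("bot-registration", f"{description} BOTID={bot_id}"))
    return findings


# Constructed observations (203.0.113.7 is a TEST-NET placeholder, not a real C&C).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",           # the real svchost: must not match
    r"C:\ProgramData\Mozilla\svchost.exe",        # Carbanak drop path
    r"C:\Users\alice\AppData\Local\Temp\update.exe",
]
SAMPLE_FLOWS = [
    # A TLS ClientHello on 443: opaque to the matcher, no hit.
    ("10.0.0.5:49211 -> 203.0.113.7:443", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Carbanak's own protocol on 443 carrying the registration string.
    ("10.0.0.5:49212 -> 203.0.113.7:443", b"\x00\x17yamota0832ebfe80090bd64\x00\x01"),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PATHS, SAMPLE_FLOWS):
        print(kind, detail)
```

Feed it file listings from a host image and reassembled TCP streams from a capture; a hit on the drop path is strong on its own, since a Mozilla folder under ProgramData containing svchost.exe has no legitimate reason to exist.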

For one of the new samples, the C&C server can be tied to a well-known bulletproof hosting company.

Signed Carbanak malware
As shown below, this new variant of Carbanak was digitally signed with a Comodo-issued code-signing certificate:


CN = Blik
O = Blik
STREET = Berzarina, 7, 1
L = Moscow
S = Moscow
PostalCode = 123298
C = RU


Certificate valid from 02-Oct-2014 till 03-Oct-2015

After some investigations, we located additional information related to the company “Blik”.


Company registration date: April 3, 2014.
Director:   Chunyaeva Svetlana Alexandrova.
Company address: 123298, Moscow, street. Berzarina, 7, 1.

The registration information of the company states “Other wholesale” as the primary business activity of “Blik”. The organization also operates the following non-core activities:
–    wholesale trade of timber and building materials
–    wholesale trade of food, beverages and tobacco
–    wholesale of fruit and vegetables
–    wholesale of meat, poultry, products and canned meat and poultry meat
–    wholesale of dairy products, eggs and edible oils and fats
–    wholesale of alcoholic and other beverages

When searching further, we only managed to find the following domain related to this company: bliksco.com

Updated Date: 2015-04-01 17:55:18.274469
Creation Date: 2014-10-01
Registrant Name: Svetlana Chunyaeva
Registrant Organization: Blik
Registrant Street: Berzarina, 7, 1 
Registrant City: Moscow
Registrant Postal Code: 123298
Registrant Country: Russian Federation
Registrant Phone: +7.4997030345
Registrant Email: admin@bliksco.com

One interesting question arises, as it sometimes does in cases like this: “why would a company working within this kind of business area ever need a code-signing certificate?”.

This brings us to several observations:
– The timeline between the company registration date and the certificate issue date could indicate that the criminals registered the company themselves, using a fake identity or a stolen passport
– This time, the criminals have evidently registered a real company instead of using a stolen code-signing certificate as they did previously, as reported by Kaspersky.
– We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather large. Possibly, they registered a company and opened bank accounts in order to receive the stolen money while keeping full control of the transfer process.

Conclusions:
Carbanak is what we define as a financial APT. By nature it is very targeted and is deployed in small numbers, which is how it tends to slide under the radar. We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations.

It is our intention to release a technical write-up on our analysis of Carbanak. Meanwhile samples have been shared with trusted entities to ensure that detection is deployed in order to eradicate the threat through various security solutions.

References
Ref 1:
http://www.kaspersky.com/about/news/virus/2015/Carbanak-cybergang-steals-1-bn-USD-from-100-financial-institutions-worldwide

Ref 2:
https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf

// Yurii Khvyl and Peter Kruse, CSIS


CSIS News: Architectural firms in Denmark targeted by DarkComet RAT

Yesterday afternoon, selected architectural firms in Denmark were exposed to a spear phishing campaign. This time, the payload was DarkComet, which is an advanced remote control tool.

This new campaign comes from the same criminal group as last week's attack against Danish chiropractors, but the target has shifted to the architectural profession. The content of the email is tailored to this particular target group, and the binary is different: this time it is a RAT (Remote Administration Tool).

The unwanted e-mail is written in perfect Danish and contains a link to Dropbox. A screenshot of the unwanted e-mail can be found below:


If the recipient is lured into clicking on the link, the following file (camouflaged with an AutoCAD icon) is offered: “AutoCad-export.exe” (778,752 bytes).

If this file is opened, it systematically collects a large amount of data and sends it to the criminals; it thus acts as a data stealer. Among other features, the following can be mentioned: keylogging, harvesting of data from the clipboard, screen capturing, microphone and webcam activation, and setting up an RDP session. Our preliminary analysis indicates that DarkComet is most probably involved. The main component is copied to the folder: C:\Users\[user account]\AppData\Roaming\Microsoft\Security\winsec.exe.

When executed it shows a dialog box that could make the victim think the code did not run or work correctly. Unfortunately it does.


Meanwhile, the following files are copied to the machine:

C:\DOCUME~1\[user profile]\LOCALS~1\Temp\AutoCad-export.INI
C:\DOCUME~1\[user profile]\LOCALS~1\Temp\AutoCad-export.exe.config
C:\DOCUME~1\[user profile]\LOCALS~1\Temp\AutoCad-export.exe
C:\nzlvnwssfdllyuESBS.dll

Together with the following changes to the registry:

HKEY_CLASSES_ROOT\AppID\winsec.exe
HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe

As in the previous campaign, the code is wrapped in a crypter and bound together with another executable. The primary payload is called “WebMatcher3.exe”. It contains a series of commands that can be used to update the implant, establish remote administration, send traffic to a web address and launch DDoS attacks. Below is a complete overview of the command strings found in this RAT:

BTRESULT PingRespond [OK] for the ping !
BTRESULT Update from URLUpdate : File Downloaded , Executing new one in temp dir…
BTRESULT UDP FloodUDP Flood task finished!
BTRESULT HTTP FloodHttp Flood task finished!
BTRESULT Visit URLfinished to visit 0000E18C  47e310 -> BTRESULT Open URL
BTRESULT Uninstalluninstall command receive, bye bye…
BTRESULT Run command
BTRESULT Close Serverclose command receive, bye bye…
BTRESULT Mass DownloadDownloading File…
BTRESULT Download FileMass Download : File Downloaded , Executing new one in temp dir…
BTRESULT Syn FloodSyn task finished!

In order to complicate analysis, a number of anti-debugging and VM checks were added that, among others, look for VirtualBox artifacts: VBoxHook.dll and VBoxMiniRdrDN. The whole thing is spiced up with a ‘sleep’ that postpones execution of the payload by about three minutes, long enough to outlast a short sandbox run.

The central C&C server is hosted in Canada on the IP address (sanitized by CSIS) 107[.]191.46.220.

CSIS recommends that you block access to that server and use it as an IoC.

The malicious code reaches only limited antivirus detection (8/57):
https://www.virustotal.com/en/file/37dcd2979c46707ec0f1f5acb6d86d51f3f977e678c947ee8b174ab2fecbf2be/analysis/1427214682/


CSIS News: Spear phishing attacks against Danish chiropractors

CSIS has been informed about a number of targeted spear phishing attacks against Danish chiropractors. The attacks have been carried out by means of well-drafted emails that were written in flawless Danish and that were sent to carefully selected targets.


Note that the e-mail has been written making use of a high degree of social engineering in order to entice this target group to click on the web link provided in the email. At the same time, the content of the email suggests that it might have been written by a Dane.

We have chosen to categorize this as “high” risk, even though the attack is narrowly targeted. This is partly due to the degree of social engineering behind the attack and partly to the destructive code that it attempts to install on the victim's machine. This type of attack is likely to succeed against many other industries in Denmark and is thus a threat to most businesses and public authorities.

In the unwanted e-mail, a link to Dropbox is provided, which leads to a new ransomware variant that has been dubbed “ransomware-Pacman” by the author of the code. This is obvious from the compile leftover in the binary: “L:\x00[ransomware]\Pacman\Pacman\obj\x86\Release\Pacman.pdb”.

The code is ‘bound’ together with another binary and consists of several layers that are meant to make the malicious code harder to analyze and detect.

The main component can be extracted from the resources in the file and is unsurprisingly called “pacman.exe”. Even from the file properties it becomes obvious that this is the name that the author wants us to know:

0000350C  Pacman.exe
0000352A  LegalCopyright
00003548  Copyright 
0000355E    2014
00003572  LegalTrademarks
00003594  Pacman Tour
000035B2  OriginalFilename
000035D4  Pacman.exe
000035F2  ProductName
0000360C  Pacman Tour

The code has been developed in .NET and it thus needs to have the .NET package installed. However, the vast majority of Microsoft Windows installations have it available nowadays.

When run, it copies itself to the system via “NtCreateFile”:

C:\DOCUME~1\[%user account%]\LOCALS~1\Temp\img_5672.exe.config
C:\DOCUME~1\[%user account%]\LOCALS~1\Temp\img_5672.exe

From there, “pacman.exe” is extracted and dropped on to the system while initializing the encryption of files on the local hard disk. The code searches the disk for data files that are then encrypted. To all files, a new file extension “.ENCRYPTED” is added. The process continues by replacing the desktop of the infected machine with instructions on how to regain access to the data. This is a typical ransomware strategy. See the attached screenshot. The ransom should be paid using Bitcoins.


Besides containing ransomware, the code also carries keylogging capabilities.

After a system has been compromised it calls home to the central C&C server (sanitized by CSIS):

http://myplacehome[.]comuv.com/crypted.php 
http://myplacehome[.]comuv.com/locked.php 

We have blocked this domain in CSIS Secure DNS and Heimdal PRO/Corporate to prevent data leakage.

One of the malicious functions the code carries out continuously is a “kill process” loop terminating the following legitimate system tools:

taskmgr
cmd
regedit
msconfig
sdclt
rstrui
powershell

Clearly, this can complicate the removal of “pacman” from an infected system.
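A process that repeatedly terminates this particular set of tools is a strong behavioural signal, independent of the sample's hash. The following Python is an added example (not CSIS code) that runs that detection over process-termination events: it flags any actor that kills at least three of the tools above within a minute. The event format (timestamp|actor|action|target), the three-in-sixty-seconds threshold and the event lines themselves are constructed for the example; map the parser onto whatever your EDR or Sysmon pipeline produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the sample keeps terminating (list from the post), compared case-insensitively
# and without the .exe suffix.
PROTECTED_TOOLS = {"taskmgr", "cmd", "regedit", "msconfig", "sdclt", "rstrui", "powershell"}
WINDOW = timedelta(seconds=60)   # assumption: three kills within a minute is the alert threshold
THRESHOLD = 3


def image_name(path):
    """'C:\\WINDOWS\\system32\\Taskmgr.exe' -> 'taskmgr'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_event(line):
    """Parse a constructed 'timestamp|actor_image|action|target_image' process-event line."""
    ts, actor, action, target = line.strip().split("|")
    return datetime.fromisoformat(ts), actor, action, target


def find_tool_killers(lines):
    """Return {actor: sorted tool names} for actors that terminated at least THRESHOLD
    protected tools inside any WINDOW-long interval."""
    kills = defaultdict(list)
    for line in lines:
        ts, actor, action, target = parse_event(line)
        if action == "terminate" and image_name(target) in PROTECTED_TOOLS:
            kills[actor].append((ts, image_name(target)))
    flagged = {}
    for actor, events in kills.items():
        events.sort()
        for start, _ in events:                     # slide a window from each kill
            in_window = [tool for ts, tool in events if start <= ts <= start + WINDOW]
            if len(in_window) >= THRESHOLD:
                flagged[actor] = sorted(set(in_window))
                break
    return flagged


ACTOR = r"C:\DOCUME~1\user\LOCALS~1\Temp\img_5672.exe"
# Constructed event lines in the style of a process-termination log (not real telemetry).
SAMPLE_EVENTS = [
    f"2015-03-20T10:00:01|{ACTOR}|terminate|C:\\WINDOWS\\system32\\taskmgr.exe",
    f"2015-03-20T10:00:03|{ACTOR}|terminate|C:\\WINDOWS\\regedit.exe",
    f"2015-03-20T10:00:05|{ACTOR}|terminate|C:\\WINDOWS\\system32\\cmd.exe",
    "2015-03-20T10:00:06|C:\\WINDOWS\\explorer.exe|terminate|C:\\WINDOWS\\system32\\notepad.exe",
    "2015-03-20T10:02:30|C:\\WINDOWS\\system32\\taskkill.exe|terminate|C:\\WINDOWS\\system32\\cmd.exe",
    f"2015-03-20T10:03:00|{ACTOR}|create|C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\pacman.exe",
]

if __name__ == "__main__":
    print(find_tool_killers(SAMPLE_EVENTS))
```

A single taskkill of cmd.exe (the administrator closing a window) does not trip the rule; the dropper that kills Task Manager, regedit and cmd within seconds does.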

The main component has the following antivirus detection (20/57):
https://www.virustotal.com/en/file/68931ef9cf810d5a69d8ebf33155db7845fffcc685b1ae9f0670803bb97228cc/analysis/


CSIS Blog: New Neverquest campaign is targeting Canadian banks

Neverquest (aka Vawtrak) is a classic banking trojan with a variety of advanced functions for attacking online banking customers. The malware is often installed through downloaders that are dropped via drive-by attacks.

When Neverquest's main component is installed, it modifies settings on the system and enables functions such as video and screenshot capture. In the meantime, it establishes a reverse connection to a list of predefined C&Cs and enrolls the machine in the botnet with a unique BOTID. This allows the attacker to steal all passwords stored on the system as well as to update the component and its functions at any time.

The current webinject reveals that the primary goal, at least of this campaign, is financial institutions in Canada. We count more than 15 unique targets in Canada. The webinject closely follows the style of the ZeuS template, and its goal is to alter the content of several specified target websites.


Even the most savvy users are unlikely to notice such changes, since they are made inside the browser process while the address bar still shows the genuine site.

Webinjection allows the attackers to circumvent 2FA (two-factor authentication) and harvest additional user data. This, in combination with virtual network computing (VNC), will break most online banking protection.
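The ZeuS webinject format the post refers to is simple enough to parse, and parsing it is the quickest way to turn a captured configuration into a target list and a preview of what the victim sees. The following Python is an added example (not CSIS code and not the campaign's configuration): a parser for the set_url / data_before / data_inject / data_after / data_end grammar, a matcher for the URL masks ('*' any run, '#' any single character, the ZeuS convention) and a simulator that applies an inject to a saved page. The config and page below are constructed, and the bank URL is a placeholder rather than one of the real targets.

```python
import re


def parse_webinjects(text):
    """Parse ZeuS-style webinject text (set_url / data_before / data_inject / data_after,
    each data_* block closed by data_end) into a list of dicts."""
    entries, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:                 # inside a data_* block
            if line == "data_end":
                current[section] = "\n".join(buf)
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):    # blank or comment
            continue
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        else:
            raise ValueError(f"unexpected line: {line}")
    if section is not None:
        raise ValueError("unterminated data block")
    return entries


def mask_to_regex(mask):
    """ZeuS URL masks: '*' matches any run of characters, '#' a single character."""
    parts = [".*" if c == "*" else "." if c == "#" else re.escape(c) for c in mask]
    return re.compile("^" + "".join(parts) + "$")


def matching_entries(entries, url):
    return [e for e in entries if mask_to_regex(e["url"]).match(url)]


def apply_inject(page, entry):
    """Simulate the browser hook: put data_inject after data_before, replacing anything up to
    data_after (if given). Run it on a saved copy of the real login page to see what the victim sees."""
    before, after = entry["data_before"], entry["data_after"]
    start = page.find(before) if before else 0
    if start < 0:
        return page
    start += len(before)
    end = page.find(after, start) if after else start
    if end < 0:
        return page
    return page[:start] + entry["data_inject"] + page[end:]


# Constructed config and page; the bank URL is a placeholder, not one of the real targets.
SAMPLE_CONFIG = """
; webinject targeting a made-up online banking login
set_url https://online.example-bank.ca/login* GP
data_before
name="password" />
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin" />
data_end
data_after
data_end
"""

SAMPLE_PAGE = '<form><input type="password" name="password" /><button>Sign in</button></form>'

if __name__ == "__main__":
    entries = parse_webinjects(SAMPLE_CONFIG)
    for e in matching_entries(entries, "https://online.example-bank.ca/login?lang=en"):
        print(apply_inject(SAMPLE_PAGE, e))
```

Because the inject is applied to the page after TLS has been terminated in the browser, neither the padlock nor the URL changes; that is what "under the hood at the official site" means in practice, and why a bank cannot detect it server-side from the HTML it served.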

The C&C servers, which should be blocked or, preferably, taken down, are listed below:

horologecom.net
derjihuy.com
woevenglaref.ru
fywaskinsed.ru
zdravstvuyfm.com
nawerhuy.com

The domains resolve to different IPs, which gives the following geoIP heatmap.


We have a lot of overlapping hostile activities coming from these servers/IPs. Best recommendation would be blocking all of them.

Sample hash: 8f6c511eb4210b5c8c5ee957e0e99a33


CSIS News: Europol and CSIS enter into strategic cooperation

In a targeted and transnational effort, Europol and CSIS have entered into a strategic cooperation agreement that will strengthen the fight against organized online crime. The purpose of the cooperation is, among other things, to continuously exchange technical and non-operational information that can lead to the investigation and arrest of IT criminals.

The agreement, which has just been concluded between Europol and CSIS, is a response to the increasing amount of IT crime. With the knowledge gained from CSIS's daily investigation of botnets, targeted attacks and online banking theft, among other things, data can be shared with EC3 for the purpose of international investigation.

“Cybercrime is neither a national nor a regional problem – it is a global one. It is a challenge that cannot be solved solely by the police. It is, to a great extent, a task of public interest, which requires a much better cooperation between the police and other stakeholders, in particular IT security companies. Fortunately, Denmark has a number of world-class IT security companies, among them CSIS, which we have now signed a cooperation agreement with. Consequently, we can benefit from the synergy of our mutual expertise and within the legal framework exchange information and intelligence, which enables us to more precisely analyze threats and the networks behind them. In this way, we help each other to ensure that the Internet not only remains unrestrained and open but also becomes much safer. This agreement helps to make life easier for ordinary users and much harder for criminals who want to steal our data, money, ideas, identities and digital lives”, says Troels Ørting, the Head of the European Cybercrime Center at Europol.

“It is our goal to continually feed our partner EC3 with information which may be relevant for the investigation”, explains Peter Kruse, who is founder and responsible for the day-to-day operations of CSIS's special eCrime Unit. He continues: “We have to recognize that investigation of IT crime is high on the agenda in many countries, but that it is also a heavy and technically difficult task. The solution is, however, to strengthen information sharing between private security companies such as our company and the police. This new cooperation agreement is a fine example of this.”

EC3 was introduced last year as an action against cyber-crime, sharing of pedophile material, and for the protection of critical infrastructure in the European Union.

“It is our view that EC3’s justification as the focal point in investigation of IT crime has already produced results with several successful operations and arrests. We would like to have this trend continue”, explains Peter Kruse.


Further information about Europol/EC3:
https://www.europol.europa.eu/ec3

Further information about CSIS:
https://www.csis.dk/da/csis/about/


CSIS Blog: Dyreza aims at Swiss banks

The latest variant of Dyreza/Dyre, just analyzed in our lab, contains several new targets in its configuration file.

The most interesting fact is that Dyreza now also targets several banks in Switzerland. The latest targets added to its configuration (listed as a diff against the previous configuration) can be seen below:


The most recent campaigns observed arrive as spam e-mails with a PPT attachment that exploits CVE-2014-4114, also known as the “Windows OLE Remote Code Execution Vulnerability”. As a side note, this exploit was first seen abused in the Sandworm APT attacks against Poland and Ukraine. On an unpatched system, arbitrary code is executed and Dyreza is downloaded to the host and run.

As previously stated, Dyreza is often delivered through spam e-mails. We have seen various content:

Subject(s):
Unpaid invoic
New bank details
Invoice #[7 random numbers]

Content example:
Attached is the invoice received from your bank.
Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices@adp.com.

For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you ,

Automatic Data Processing, Inc.
1 ADP Boulevard
Roseland
NJ 07068

[..]

Attachment(s):
Invoice[6 random numbers].pdf (PDF exploit -> CVE-2013-2729)
bank details.zip -> bank details.exe (Upatre)
Invoice-[6 random numbers].zip -> Invoice-[6 random numbers].scr (Upatre)
ADP-invoice.pptx (CVE-2014-4114)
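The lures above follow a small number of patterns: a handful of subject templates, an archive whose only member is an executable with a document-like name (.scr inside a zip named like an invoice), and Office or PDF files that carry an exploit rather than a payload. The following Python is an added example (not CSIS code) of mail-gateway triage built on those observations: it inspects archives in memory without extracting them, blocks executables, sends exploit-carrier document types to a sandbox and treats a lure subject with an otherwise harmless attachment as worth a look. The verdict ladder (allow, inspect, detonate, block), the extension lists and the sample mails are constructed for the example; the subject patterns come from the post.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types this campaign used as exploit carriers (PDF -> CVE-2013-2729, PPTX -> CVE-2014-4114);
# these go to a sandbox rather than being blocked outright.
DETONATE_EXTS = {".pdf", ".pptx", ".ppsx", ".doc", ".docx", ".rtf"}
# Subject lines from the post; "Unpaid invoic" is matched as a prefix so "Unpaid invoice" also hits.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                    (r"^unpaid invoic", r"^new bank details$", r"^invoice #\d{7}$")]
SEVERITY = {"allow": 0, "inspect": 1, "detonate": 2, "block": 3}


def ext_of(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename, data):
    """Return (verdict, reason). Archives are only listed, never extracted to disk."""
    ext = ext_of(filename)
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable attachment {filename}"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "block", f"{filename} is not a valid zip archive"
        bad = [m for m in members if ext_of(m) in EXECUTABLE_EXTS]
        if bad:
            return "block", f"{filename} contains executable(s): {', '.join(bad)}"
        return "inspect", f"{filename} contains no executables"
    if ext in DETONATE_EXTS:
        return "detonate", f"{filename} is a document type used as an exploit carrier"
    return "allow", f"{filename}: no rule matched"


def triage_mail(subject, attachments):
    """attachments: list of (filename, bytes). Returns (worst verdict, reasons)."""
    reasons = []
    lure = any(p.search(subject) for p in SUBJECT_PATTERNS)
    if lure:
        reasons.append("subject matches a known lure pattern")
    worst = "allow"
    for name, data in attachments:
        verdict, why = triage_attachment(name, data)
        reasons.append(why)
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    if lure and worst == "allow":      # lure text but harmless attachments: still worth a look
        worst = "inspect"
    return worst, reasons


def make_zip(inner_name, payload=b"MZ\x90\x00"):
    """Build an in-memory zip (constructed sample) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_mail("Invoice #4821903", [("Invoice-482190.zip", make_zip("Invoice-482190.scr"))]))
    print(triage_mail("ADP invoice", [("ADP-invoice.pptx", b"PK\x03\x04")]))
    print(triage_mail("Lunch?", [("menu.txt", b"soup")]))
```

The point of listing rather than extracting the archive is that the gateway never writes attacker-controlled files to disk; the point of "detonate" rather than "block" for PDF and PPTX is that those types are also what legitimate invoices look like, so the decision needs the sandbox's verdict.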

Heimdal Security Agent, a free patch management tool (https://heimdalsecurity.com), will automatically update any vulnerable Adobe installations as well as several other third party products used in the wild to plant malware on Microsoft Windows hosts. Patching vulnerable software will prevent the code from running even if the user opens the attached maliciously crafted PDF document.

Dyreza installs itself as a service named “Google Update Service” (service key googleupdate) and is thus started at every reboot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
  DisplayName (REG_SZ) = "Google Update Service"

On Microsoft Windows 7, it injects itself into the explorer.exe process and hooks the browser from there. A slightly different approach is used on older Windows versions, where it injects into the svchost.exe process instead.

OVH and Dyreza C&C
We could not help noticing that most of Dyreza's C&Cs are hosted at OVH in France:


We have previously posted technical details on Dyreza. For details see:

“New banker Trojan in town: Dyreza”
https://www.csis.dk/en/csis/news/4262/

Just recently US-CERT has issued a warning for Dyreza:
“Phishing Campaign Linked with “Dyre” Banking Malware”
https://www.us-cert.gov/ncas/alerts/TA14-300A
