Tuesday, November 28, 2017

Google Discovers New Android Malware Called Tizi

The security team of Google has discovered a brand new type of Android malware. Called Tizi, the malware has so far been used mainly to target users in African nations.
Tizi is categorized as spyware, meaning it could access data in your device.
According to Google, Tizi has many capabilities, though its main focus is on social media applications and activities. According to the security engineers at Google Threat Analysis and Google Play Protect, Tizi can be put to use for the following purposes:
  • Stealing information from social media apps such as Twitter, WhatsApp, Skype, Telegram, LinkedIn, Viber and Facebook.
  • Recording calls on Skype, WhatsApp and Viber.
  • Recording ambient audio using the microphone.
  • Taking pictures of the screen without the user’s knowledge.
  • Sending and intercepting SMS messages on the infected devices.
  • Accessing calendar events, photos, call logs, Wi-Fi encryption keys and the list of apps installed locally on the device.
  • When the spyware first infects a device, it sends the device’s GPS coordinates through SMS to a C&C server (C&C servers are command-and-control servers used to remotely send commands to botnets, which are networks of internet-connected devices).
  • Any subsequent communication with the attacker’s C&C server happens over HTTPS and, in certain isolated cases, over MQTT (both HTTPS and MQTT are communication protocols used over the internet).
The spyware was spotted by Google engineers in September 2017.
It was found rather serendipitously when automatic scans by Google Play Protect — the security scanner in the Google Play Store app — came across an app infected by Tizi. The infected app had been installed on a user’s device through the Google Play Store.
This led the Google team to look into the older versions of the apps on the Play Store. During this process, they found even more Tizi-infected apps, some of them going as far back as October 2015.
According to Google, they then uninstalled the Tizi apps from the infected devices using the Google Play Store app.
Meanwhile, data gathered by Google shows that most of the infected users were in African nations. However, it’s not clear if the author/distributor of Tizi is located in the African continent.
So far, there has been no significant effort to trick people into installing the apps in large numbers. Security researchers therefore believe that the spyware was most probably used for targeted attacks against a limited number of people, chosen for some unknown reason.
According to Google, Tizi’s capabilities are based on vulnerabilities seen only on older Android devices.
All the same, as an extra precaution to keep your Android device safe from the malware, Google recommends the following steps:
  • Check permissions: Be careful about apps that request permissions that strike you as unreasonable. For instance, a flashlight app has no need to access anything related to sending SMS messages.
  • Enable a secure lock screen: Google recommends picking a pattern, PIN or password that is easy for you to remember but hard for anyone else to guess.
  • Keep your device up to date: Having the latest security patches on your device is a great idea, says Google.
  • Google Play Protect: Ensure that you have enabled Google Play Protect.

Friday, November 24, 2017

Firefox “Breach Alerts” Will Warn If You Visit A ‘Hacked’ Website

Mozilla Firefox is trying its best to get back in the browser game. It recently overhauled its browser inside out with Firefox Quantum, and now it is planning to add extra features to the privacy-focused browser. The team at Mozilla has teamed up with the website “Have I Been Pwned” to bring a safety feature that will warn you when you are about to visit a website that has been hacked or has suffered a data breach. If you are familiar with the “Have I Been Pwned” service, you know that it is a website where you can enter your email address and check whether your credentials on any website you have logged in to have been stolen by hackers.


The implementation of this security feature is in its early stages, and we mean very early stages. If you are adventurous, you can use the Developer Edition of Firefox and download the GitHub resource to activate it. Both Mozilla and the team from “Have I Been Pwned” are testing various ways in which their services can be integrated. It is expected that the final feature will be an overlay screen which will display a warning if you visit a website that is on the “Have I Been Pwned” blacklist. Just like every other security warning in Firefox, there will be a “Know More” link where users can read the details of the security risk, and as always users will be allowed to access the questionable website if they agree to take the risk.

This feature is still under development and is expected to be rolled out to the public next year. Website owners have given it a mixed response. Some think that it will help instill faith and make sure that a website is 100% secure, while others point out a flaw in the “Have I Been Pwned” system: if a website suffered a breach in the past that has since been rectified by its administrator, the website still remains on the “Have I Been Pwned” blacklist, and when Firefox users see the warning they will hesitate to visit it even though it has been deemed safe.

Source: Github (Firefox) 

Tuesday, April 4, 2017

Malware Attack Targets Open Source Developers

Early this year, Palo Alto Networks observed that developers who posted their work on GitHub were receiving phishing emails from .ru domains. The attackers used social engineering ploys to influence recipients to open malicious attachments. Some emails included compliments on posted code, while others featured job offers or other misleading links in the body text.
Despite the different body texts, the emails all included the same attachment: a .gz file that resolves to a .doc file. In actuality, the attachment carried an embedded PowerShell command that would download and run a file called Dimnie. Dimnie has existed since 2014, the researchers said, but previously targeted only Russian users.

Phishing for Developers

Gervase Markham, a policy engineer at Mozilla, told CSO Online that he had received several such messages, but they were sent to an email address that he specifically used on GitHub. Because of this, he felt that the campaign had been using automated targeting.
Dimnie is stealthy and sophisticated. It cloaks the internal GET requests so that they appear to go to Google-owned domain names, but they actually go to an attacker-controlled IP address. The malware downloads various modules for functions such as keylogging, screen grabbing and more. Once downloaded, it leaves no direct trace of these modules on the target computer’s hard drive.
Basically, Dimnie is designed to steal information. It keeps itself and the information it gathers in memory to cover its tracks. There is even a self-destruct module to remove any residual traces left on the target machine.
Once Dimnie has grabbed its targeted information, the swag is encrypted using AES-256 in Electronic Codebook (ECB) mode and then appended to image headers. This tricky method is an attempt to bypass traditional intrusion prevention systems.
The purpose of the malware is to gather all the information it can about a targeted developer. If the credentials are exfiltrated, a later impersonation on GitHub is possible. The developer’s source code could then be altered by the impersonator, perhaps by adding a malicious payload.
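A defender-side check for the exfiltration format described above (a JPEG header followed by AES-ECB ciphertext), added here as an example and not code from the Palo Alto report or from Dimnie itself: it walks the JPEG marker segments, measures what follows the header, and counts repeated 16-byte blocks, which ECB produces whenever the plaintext repeats. The sample header and the arithmetic stand-in ciphertext blocks are constructed.

```python
import math

def parse_jpeg_header(data):
    """Walk the marker segments that precede JPEG image data. Each is FF xx plus a
    2-byte big-endian length that counts the length field itself. Returns
    (offset, reached_sos): offset is where the well-formed header stops, either at
    SOS (FF DA, where real image data starts) or at the first byte that is not a
    marker, which is where data appended to a bare header would begin."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:
            return pos, True
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            break                     # not a plausible segment: header ended earlier
        pos += 2 + seg_len
    return pos, False

def shannon_entropy(buf):
    """Bits per byte: close to 8 for encrypted or compressed data, far lower for text."""
    n = len(buf)
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def inspect_fake_image(data, block=16):
    """Describe what follows the JPEG header: its length, its entropy, and how many
    16-byte blocks repeat an earlier block. Under ECB, equal plaintext blocks give
    equal ciphertext blocks, so repeats are a fingerprint of AES-ECB payloads
    whenever the stolen plaintext contains repetition (padding, blank screen areas)."""
    end, has_scan = parse_jpeg_header(data)
    trailer = data[end:]
    chunks = [trailer[i:i + block] for i in range(0, len(trailer) - block + 1, block)]
    return {"header_bytes": end, "has_scan": has_scan, "trailer_bytes": len(trailer),
            "entropy": shannon_entropy(trailer),
            "repeated_blocks": len(chunks) - len(set(chunks))}

# Constructed sample: a JFIF APP0 header with no scan data, followed by six
# arithmetic stand-in "ciphertext" blocks, one of which appears three times.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_blocks = [bytes((37 * i + 11 * j + 5) % 251 for j in range(16)) for i in range(6)]
SAMPLE = b"\xff\xd8" + APP0 + b"".join(_blocks + [_blocks[2], _blocks[2]])
```

A real image reaches SOS and its scan data is not inspected here; a bare header followed by high-entropy bytes, especially with repeated blocks, is what this heuristic flags.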

Sophisticated Attacks

Palo Alto did not name the attacker directly, but the techniques that Dimnie uses are typical of state-sponsored attacks. These techniques include the loading of malicious code directly into memory, sophisticated data exfiltration methods and the use of relatively quiet command-and-control (C&C) channels, which mask the malware’s communications. Such tradecraft suggests that this malware is somewhat advanced.
GitHub has evolved into the de facto repository for open source code; even Microsoft recently threw in the towel in this sector, shutting down its competing service. With this malware online, GitHub users will have to carefully watch communications and messages to avoid falling victim to the next Dimnie-inspired attack that comes along.

Wednesday, December 21, 2016

Rakos Malware Is Infecting Linux Servers And IoT Devices

If your embedded devices are becoming overloaded with networking and computing tasks, there is a chance that it is due to some foreign element trying to lure your ‘smart’ device into joining a botnet cult.

The security researchers at ESET have written about multiple cases of IoT devices and Linux servers being infected with Rakos malware since August. These attacks are launched from a temporary directory — named .javaxxx, .swap, or kworker — and often disguised as a part of the Java framework.

Attack vector

The attack is performed via brute-force attempts at SSH logins, in a similar way to many Linux worms, including Linux/Moose (which spread by attacking Telnet logins) – also referenced here – as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port on which a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and gain the opportunity to create a botnet consisting of as many zombies as possible. The scan starts with a fairly small list of IPs and spreads incrementally to more targets. Only machines that are low-hanging fruit from the security perspective are compromised. Note that victims reported cases in which they had set a strong password but forgot that their device had its online service enabled and had been reverted to the default password by a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!

Analysis

The malware is written in the Go language and the binary is usually compressed with the standard UPX tool. The awkward thing was that the function names were stripped from the binary in the usual way, yet they are still present in a special section. With the help of a script by RedNaga Security that maps symbols back to their respective functions in the IDA Pro disassembler, the whole analysis was simplified to reviewing the features that the function names suggested, such as main_loadConfig, main_startLocalHttp, main_Skaro_Upgrade, main_IPTarget_checkSSH etc. There are strings like “Skaro” and “dalek” in the binary. The author(s) possibly had in mind a connection to a fictional planet in the science fiction television series Doctor Who, from which the Daleks originated.
As a first step, [Linux/]Rakos loads its configuration via standard input (stdin) in YAML format. The configuration file contains information like lists of C&Cs, all the credentials that are tried against its targets, and internal parameters:


The full plain text Linux/Rakos configuration is available on ESET’s GitHub: https://github.com/eset/malware-ioc/tree/master/rakos.

Following this, it starts a local HTTP service at http://127.0.0.1:61314. There are two reasons why this is installed: the first is a cunning method for future versions of the bot to kill the running instances regardless of their name by requesting http://127.0.0.1:61314/et; second, it tries to parse the URL query parameters “ip”, “u” and “p” from a request to http://127.0.0.1:61314/ex. The purpose of this /ex HTTP resource was still unclear at the time of writing, and it seems not to be referenced elsewhere in the code.
The bot also creates a web server listening on all interfaces. In early versions it listened on TCP port 13666, but now the port is picked randomly from 20,000 to 60,000. Sending a remote request to the device on this port returns the response …


… where the IP address is that of the client. This output is in the same format as the /ip endpoint of the public test server http://httpbin.org. On the side running Linux/Rakos, one might see the following logged to stdout:


Next, it sends an initial HTTP request containing important information about the victim device to https://{C&C}/ping. The data sent may appear as follows (some fields have been edited):


The main feature of this bot is its scanning of the SSH service on various IP addresses, which are obtained from the C&C server by asking for the list located at https://{C&C}/scan. This list seems to be modified frequently. Previous versions of the trojan also scanned for the SMTP service, but the attackers have disabled this feature in the current build. We speculate that it might be under further development together with additional network-scanning features.

The main attack is performed as follows: if one of the username:password pairs from the configuration file results in a successful login to one of the target devices, two commands are run on that newly accessed victim (id, uname -m), other checks are performed and their results are reported. Finally, the binary checks whether it is possible to upload to the new victim and does so if the answer is affirmative. We simulated an attack locally with two targets, 127.0.0.1 and 127.0.0.100 (originally, the attackers try 200 simultaneous targets every 10 seconds). Suppose the bot fails to connect to the first one, which it then marks as FORGET, while the latter one succeeds with the INSTALL notice (an SSH connection was established with the correct shipping:shipping login credentials; also note that the uploaded executable is deleted immediately after execution):


Moreover, the backdoor is capable of:
  • updating its configuration file (from https://{C&C}/upgrade/vars.yaml),
  • upgrading itself.
No unequivocally malicious activities that might be expected, such as DDoS attacks or spam distribution, are implemented (yet!). However, sending back the IP address, username and password allows the attackers to do anything they want with the machine afterwards. Together with the foul language used in the code, we think it is unlikely that this is just an invasive but innocent experiment or an unfortunate exercise in academic research.

There are reports online about the compromises; for example, one from August 23rd, 2016, may be found on Pastebin. The table below contains the output of running “lsof -n” on the guilty process. Note that the IP address ranges tried by the SSH attempts seem random:



Mitigation and cleanup

The trojan isn’t able to maintain persistence after the system is rebooted; instead, exposed devices are simply compromised again.

The steps needed to clean up after a compromise are as follows:
  • connect to your device using SSH/Telnet,
  • look for a process named .javaxxx,
  • run commands like netstat or lsof with the -n switch to confirm that it is responsible for the unwanted connections,
  • (optionally) collect forensic evidence by dumping the memory space of the corresponding process (with gcore, for example). One could also recover the deleted sample from /proc with cp /proc/{pid}/exe {output_file},
  • kill the process with the -KILL signal.
Needless to say, victims have to secure their SSH credentials, and have to do so again after every factory reset.
We also prepared a plugin for the Volatility Framework, called vf_ioc_linux_rakos_a.py, that detects indicators of compromise when a whole-memory dump in a format supported by this framework is acquired. Moreover, it extracts from the malicious process’s memory data such as the configuration or the information sent to the C&C. It is available here: https://github.com/eset/malware-ioc/tree/master/rakos
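An offline triage helper for the netstat/lsof confirmation step above, added here as an example and not ESET’s tooling: it parses lsof output and flags processes that either listen on the 127.0.0.1:61314 local control service described earlier or fan out SSH connections to many distinct hosts, the pattern the Pastebin report shows. The sample output, its PIDs and addresses, and the fan-out threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `lsof -n -P` output (not the Pastebin report the write-up
# mentions): documentation-range IPs, made-up PIDs and file descriptors.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      612 root    3u  IPv4  11324      0t0  TCP *:22 (LISTEN)
.javaxxx 1830 root    4u  IPv4  20911      0t0  TCP 127.0.0.1:61314 (LISTEN)
.javaxxx 1830 root    5u  IPv4  20912      0t0  TCP *:41237 (LISTEN)
.javaxxx 1830 root    6u  IPv4  20930      0t0  TCP 10.0.0.5:50102->203.0.113.7:22 (SYN_SENT)
.javaxxx 1830 root    7u  IPv4  20931      0t0  TCP 10.0.0.5:50103->198.51.100.23:22 (ESTABLISHED)
.javaxxx 1830 root    8u  IPv4  20932      0t0  TCP 10.0.0.5:50104->192.0.2.88:22 (SYN_SENT)
.javaxxx 1830 root    9u  IPv4  20933      0t0  TCP 10.0.0.5:50105->203.0.113.40:22 (SYN_SENT)
ssh      2044 bob     3u  IPv4  21000      0t0  TCP 10.0.0.5:50200->192.0.2.10:22 (ESTABLISHED)
"""

CONN_RE = re.compile(r"^(\S+):(\d+)->(\S+):(\d+)")
LOCAL_HTTP = "127.0.0.1:61314 (LISTEN)"  # the bot's local control service (from the write-up)
SSH_FANOUT = 3                            # distinct :22 targets before flagging (assumed threshold)

def triage_lsof(text, fanout=SSH_FANOUT):
    """Return {pid: info} for processes that look like the Rakos scanner: a
    listener on 127.0.0.1:61314 and/or outbound SSH connections to at least
    `fanout` distinct remote hosts. Only TCP rows are considered."""
    procs = defaultdict(lambda: {"command": None, "local_http": False, "ssh_targets": set()})
    for line in text.splitlines():
        fields = line.split(None, 8)      # NAME (the last column) may contain spaces
        if len(fields) < 9 or fields[0] == "COMMAND" or fields[7] != "TCP":
            continue
        cmd, pid, name = fields[0], int(fields[1]), fields[8]
        info = procs[pid]
        info["command"] = cmd
        if name == LOCAL_HTTP:
            info["local_http"] = True
        m = CONN_RE.match(name)
        if m and m.group(4) == "22":      # outbound connection to a remote SSH port
            info["ssh_targets"].add(m.group(3))
    return {pid: info for pid, info in procs.items()
            if info["local_http"] or len(info["ssh_targets"]) >= fanout}
```

On a live host, feed it the output of lsof -n -P: -P keeps port numbers numeric, otherwise lsof prints :ssh and the :22 check misses.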

Conclusion

We have presented here another example of a Linux backdoor spreading through a well-known channel. It seems worthwhile for attackers to write new pieces of malicious software to misuse loopholes in the current state of network security. Our advice is this: Don’t build walls around your devices from sticks and straws, but from bricks and stones. The internet is a windy place.
Special thanks to Marc-Étienne Léveillé.

IoCs

Samples

The malware binary is removed after successful execution, so not many samples have been collected.


C&C Servers
