Wednesday, March 25, 2015

Beware Fake Cricket World Cup Stream

The Cricket World Cup 2015 is in its final week and, as always, has been drawing millions of users online to watch the matches. The Cricket World Cup takes place every four years and consists of 14 competing countries. The official broadcasting rights are owned by ESPN Star Sports and Star Sports. Due to the high cost of accessing these channels outside of the participating countries, millions of users turn to the Internet for free streaming services that supposedly offer Cricket World Cup matches. Scammers are taking advantage of this big event by hosting fake streaming sites that lure unsuspecting users into downloading Potentially Unwanted Programs (PUPs).

Most users will turn to a search engine with common queries such as "World Cup Cricket Stream 2015". While this might yield a legitimate site where you can support your team, it can also lead to unwanted software being installed on your system. In the following case, ThreatLabZ came across one such payload, which downloads a PUP. Installing this software brings the victim no closer to viewing the content that led them to it in the first place.

First the victim encounters a site which promises to stream the Cricket matches. It shows a fake message asking the user to update their Flash Player before viewing; legitimate Flash Player updates come from Adobe, not from a streaming site. Following the "Flash Update" link leads the user to a PUP payload.





Following through with this 'update' leads the victim to a Video Player installer which bundles other applications.


The message about the Video Player leads the victim to believe that their current player is out of date. A less savvy user might believe the warning and click on the attacker's payload.

Following this installation, the user is shown a PUP called PC-Performer, which attempts to trick the user into buying a $29.99 subscription under the guise that it will boost machine performance.


This PUP is highly persistent and manipulates several key Windows functions in an effort to resist removal. First, it installs itself as a Windows service, so that it is started at boot and is harder to remove.


Next, the PUP adds itself to the Windows Firewall's list of allowed applications. It also begins displaying annoying advertisements, generating revenue for the attacker and reminding the user of their mistake in visiting a false streaming service.

This serves as a prime example of why users should be careful when looking for a free streaming service or downloading questionable applications. Scammers and phishers use events like this as an opportunity to spread their content to a wide array of new victims.

Thursday, February 26, 2015

Facebook Scam Stealing Credentials

Today, I received a message on Facebook from an acquaintance that I haven't heard from in a long time. Upon closer inspection of the message content, it became clear what was going on.

ಠ_ಠ

Naturally, I wasn't receiving the message from my friend, but rather from his now-compromised Facebook account. Even someone less seasoned in online interactions would raise an eyebrow at this message, as it contains a URL. I decided to visit the site and see what this scam was about. These scams are commonly used to trick a victim into fraudulently 'liking' a Facebook account that pushes yet another scam, but they can sometimes be used to harvest the credentials of less informed victims. This case appears to be the latter, an attempt to steal Facebook username and password information.


Fake Facebook login page
Upon visiting the link in the message, the user is redirected to the following seemingly legitimate Facebook login page, but as can be seen, it is hosted on a third-party domain. If the user enters their credentials on this page, they are sent to an error page on Facebook itself, informing them that their login attempt failed.

whoops...
I took a Wireshark capture of this transaction, and it appears that the attackers are being completely overt about stealing the user's data by sending it in clear text.

Yikes!
There also appear to be more social media scams running from the same IP address that hosts this attack. To name a few:
  • faceeibbook[.]com
  • faceiibuiksz[.]com
  • tiwitter[.]ru
  • opvids[.]com
  • wovidz[.]com
The VirusTotal results for this IP address show that protection against this attack is currently sparse. The lesson here is to always be skeptical of messages you receive with an embedded link. If you aren't sure what a URL is actually doing, you can always use Zscaler's URL analyzer, ZULU, to investigate.


Thursday, November 6, 2014

American Express Phishing Campaign


Phishing is a well known attack vector, often used by cyber criminals to steal sensitive information like authentication credentials, credit cards, personal information, etc. As the Thanksgiving and holiday shopping season approaches, we are anticipating a sharp rise in cyber scams and phishing campaigns.

We wanted to share a recent phishing campaign targeting American Express users in this post. Below are the domains and IP addresses involved in this campaign:

hxxp://agericam-exprezs[.]com : 91.185.215[.]137
hxxp://amepigan-extuezs[.]com : 146.0.72[.]188

The screenshots below show the American Express site mirrored on the domains above:



It will accept any credentials and then redirect the user to another fraudulent page asking for sensitive information such as their Social Security Number (SSN) and date of birth, as seen below:


After phishing for user credentials and personal information, the cyber criminal then asks for the credit card details on the following page:



       
The phishing site sends all the stolen information to a remote server at 94.23.250[.]137 and redirects the user to the original American Express site.


It is extremely important for users to carefully examine the URL in their browser, as well as the site's SSL certificate information, in order to avoid such phishing attempts. Note that both phishing domains in this campaign are served over plain HTTP, so the absence of a padlock and a certificate is itself a warning sign.
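The look-alike names in the Facebook post above (faceeibbook[.]com, tiwitter[.]ru) and the two American Express domains here are the kind of thing a proxy or mail gateway can score automatically before a user ever reads the URL. The following Python is an added example, not Zscaler code: it measures the edit distance between the registrable label of a domain and a short list of brand names, and flags labels that are within a fixed fraction of a brand's length or that embed a brand outright. The brand list, the 0.4 threshold and the single-label suffix handling are assumptions made for the illustration. It also shows the limit of the heuristic: faceiibuiksz[.]com is too far from "facebook" to be caught this way and needs a different signal (the shared hosting IP, in this case).

```python
"""Score domains against brand names with Levenshtein distance.

Added example, not Zscaler's code.  BRANDS and MAX_RATIO are assumptions;
the sample domains are the ones listed in the posts on this page.
"""
import re

BRANDS = ("facebook", "twitter", "americanexpress")  # assumed brand labels
MAX_RATIO = 0.4  # assumed: distance / len(brand) at or below this is suspicious


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Refang "[.]"/hxxp and return the label left of the TLD.

    Only single-label suffixes (".com", ".ru") are handled here; a real tool
    should consult the Public Suffix List so that "example.co.uk" works too.
    """
    host = domain.lower().replace("[.]", ".").strip(".")
    host = re.sub(r"^(hxxps?|https?)://", "", host).split("/")[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> dict:
    """Score one domain against BRANDS; 'flagged' is the look-alike verdict."""
    label = registrable_label(domain)
    # Drop the separators phishers sprinkle in ("agericam-exprezs").
    stripped = re.sub(r"[-_]", "", label)
    dist, brand = min((levenshtein(stripped, b), b) for b in BRANDS)
    ratio = dist / len(brand)
    near_miss = 0 < ratio <= MAX_RATIO  # close to a brand, but not the brand itself
    embedded = any(b in stripped and stripped != b for b in BRANDS)  # e.g. "facebook-login"
    return {"domain": domain, "label": label, "closest_brand": brand,
            "distance": dist, "ratio": round(ratio, 3),
            "flagged": near_miss or embedded}


# Domains from this page plus two legitimate names for contrast.
SAMPLE_DOMAINS = [
    "faceeibbook[.]com", "faceiibuiksz[.]com", "tiwitter[.]ru",
    "opvids[.]com", "wovidz[.]com",
    "hxxp://agericam-exprezs[.]com", "hxxp://amepigan-extuezs[.]com",
    "www.facebook.com", "github.com",
]


def scan(domains: list) -> list:
    """Return the flagged subset of a domain list."""
    return [c for c in map(classify, domains) if c["flagged"]]


if __name__ == "__main__":
    for verdict in map(classify, SAMPLE_DOMAINS):
        print(verdict)
```

Two of the Facebook-scam hosts (opvids, wovidz) and faceiibuiksz are not flagged, which is the point: distance-based look-alike detection catches typosquats and character swaps, not arbitrary junk names, so it belongs alongside IP and infrastructure correlation rather than replacing it.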

RIG Exploit Kit Live Infection


We are seeing another wave of RIG Exploit Kit (EK) compromised sites and wanted to quickly share a sample compromised site we observed along with the infection chain:
  • www.novaproduction[.]fr/show.php

















The compromised site redirects a user to the RIG EK landing site:  
  • www.clause.senior-sherpa[.]net.
The exploit payload being delivered by this RIG EK landing page targets the MS13-037 (CVE-2013-2551) Microsoft Internet Explorer COALineDashStyleArray integer overflow vulnerability in Internet Explorer (IE) 10. Though the content is obfuscated, it is not difficult to identify the vulnerability being exploited, as seen below.


The code first checks for IE by creating an ActiveXObject of type Microsoft.XMLDOM and loading an XML string with it. It then determines whether 32-bit or 64-bit IE is present by checking for the specific parse error code "-2147023083" (HRESULT 0x80070715, ERROR_RESOURCE_TYPE_NOT_FOUND), which is the value Microsoft.XMLDOM returns when it is pointed at a res:// URI for a file that exists; this file-existence probe is a standard exploit kit trick. Following a successful check, further deobfuscation of the next exploit payload chunk gives us the full picture.

We also observed the download of a Silverlight file containing a CVE-2013-0074 exploit.
VirusTotal: 10/53

Several RIG EK attacks have been observed in the past from IP address 46.182.30[.]250, which the RIG EK operators repeatedly use to host their payloads. We highly recommend blocking communications to this IP address.

Wednesday, September 17, 2014

46.182.31[.]204 - Hosting RIG EK


Earlier this month, we published a blog about RIG EK's activity. On 9/9/2014 we also published a scrapbook post about a RIG EK live infection involving IP 46.182.31[.]247. Subsequently, we have found multiple RIG EK domains associated with IP 46.182.31[.]204, which belongs to the same subnet. In this post, we would like to share the domains and URLs observed on 46.182.31[.]204.


Domains
asod.bandgwindows[.]com
azpapo.artefact-it[.]com
dgiuq.artbuscourse[.]com
potwut.arnoldandpearn[.]com
sido.ashleychancellor[.]com
sudia.ashleychancellor[.]com
uioai.artisan-rose[.]com
wtnweu.bandgwindows[.]com


URLs
asod.bandgwindows.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ
azpapo.artefact-it.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|MDg3MGIxOTA4NTJhZTJjODVhZDcyYTU4NzczYzRmMDI
azpapo.artefact-it.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|MWM2YWFjYmQ4ZjIzMDg5NTFhYzQxODA2NWFjMzIwYzM
dgiuq.artbuscourse.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NmViYzg1NTdhN2E5NDhlN2YyZmIwMjNiZjQ0ZmQzZjA
potwut.arnoldandpearn.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|OWEwM2I0ZWYxNjljMTgzMjg3MDE4NTY1MmQwZGJlNDU
sido.ashleychancellor.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YzdiN2Y0YzVlMzMwNzYxM2EyZGU0Y2QwNDkwOWI4MmQ
sudia.ashleychancellor.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|Zjk0ZTQxM2U2MjUxOWQ1ZTI0MzkyODc1ZjM4ZjU4ZTQ
uioai.artisan-rose.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|Y2I2YTAzYzRiZGI3Yjg1M2ZhNTgwMThlMjFhODU4MGQ
wtnweu.bandgwindows.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ

Common URL pattern:
/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg

No surprises! Once again, this IP is hosted in Russia.

Geo Location of IP - 46.182.31[.]204

We advise blocking the 46.182.31.0/24 subnet.


Thursday, September 11, 2014

RIG EK Live Infection

Recently the RIG exploit kit has been very active in the wild. During data mining we are seeing a large number of infections spread by this well-known EK. Over time RIG's infection routine has become more sophisticated; the following is a brief outline of the Flash exploit cycle we have seen recently.

Compromised Domain  

www[.]crazycashclub[.]com

Redirection Chain :

www[.]crazycashclub[.]com
alllacqueredump[.]com/some[.]phtml
alllacqueredump[.]com/some[.]phtml?gonext=true&r=

EK domain (46.182.31[.]247):

Landing page URL:
wey[.]anojirox[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY

RIG EK Landing page
Flash Exploit download:
wey[.]anojirox[.]com/index[.]php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY   

Flash Exploit Download


File Name: index.swf
MD5 : cd369e91ff61a2c1c493a686dd17f777
Size: 4276 bytes
Detection Ratio : 5 / 55
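Every RIG URL on this page, in the 46.182.31[.]204 post above as well as the landing page and SWF request here, carries the same PHPSSESID value up to the `|`, and the 43 characters after it are unpadded base64 that decode to a 32-character hex string. That makes the token a convenient proxy-log indicator independent of the ever-changing hostnames. The following Python is an added example, not Zscaler's code: it matches the token in the URL field of log lines, separates landing-page hits from the `req=swf` payload request, and decodes the base64 tail. The URLs are the ones listed in the RIG posts; the log lines wrapped around them and the log field layout are constructed for this example.

```python
"""Pick RIG EK landing-page and payload requests out of proxy logs by their
PHPSSESID token and decode the base64 tail of the token.

Added example, not Zscaler's code.  The URLs are from the RIG posts on this
page; the log lines and their field layout (timestamp, client, method, url,
status) are constructed for this example.
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# First half of the PHPSSESID value, identical in every RIG URL listed above.
RIG_SESSION_PREFIX = "njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg"

HEX32_RE = re.compile(r"[0-9a-f]{32}")


def refang(url: str) -> str:
    """Undo the [.] / hxxp defanging used in the posts and add a scheme."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "http://" + url


def decode_session_tail(tail: str) -> Optional[str]:
    """Decode the unpadded base64 after the '|'.

    Returns the text only if it is a 32-character lowercase hex string, which
    is what every sample on this page decodes to; otherwise None.
    """
    padded = tail + "=" * (-len(tail) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if HEX32_RE.fullmatch(text) else None


def match_rig_url(url: str) -> Optional[dict]:
    """Return indicator details if the URL carries the RIG PHPSSESID token."""
    parts = urlparse(refang(url))
    qs = parse_qs(parts.query, keep_blank_values=True)
    session = qs.get("PHPSSESID", [""])[0]
    prefix, sep, tail = session.partition("|")
    if not sep or prefix != RIG_SESSION_PREFIX:
        return None
    is_swf = qs.get("req", [""])[0] == "swf"   # Flash payload request
    num = qs.get("num", [""])[0]
    return {
        "host": parts.hostname,
        "kind": "swf" if is_swf else "landing",
        "num": int(num) if num.isdigit() else None,
        "token_hex": decode_session_tail(tail),
    }


# Constructed proxy log lines; the RIG URLs are the ones listed in the posts.
SAMPLE_LOG = [
    "2014-09-11T10:02:13Z 10.0.0.7 GET www[.]crazycashclub[.]com/ 200",
    "2014-09-11T10:02:14Z 10.0.0.7 GET wey[.]anojirox[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY 200",
    "2014-09-11T10:02:15Z 10.0.0.7 GET wey[.]anojirox[.]com/index[.]php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY 200",
    "2014-09-17T08:41:02Z 10.0.0.9 GET asod.bandgwindows.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ 200",
    "2014-09-17T08:41:05Z 10.0.0.9 GET www.example.com/index.php?PHPSSESID=abc|def 200",  # constructed decoy
]


def scan_log(lines: List[str]) -> List[dict]:
    """Apply match_rig_url to the URL field of each log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        hit = match_rig_url(fields[3])
        if hit:
            hit.update(ts=fields[0], client=fields[1])
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the fixed prefix rather than on hostnames is what keeps the check useful as the operators rotate domains; the decoded tail is per-visit and is better treated as a correlation key between the landing hit and the SWF request than as an indicator in its own right.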

Reference:
http://research.zscaler.com/2014/09/rig-ek-outbreak-continues.html

Wednesday, May 28, 2014

Recent Angler EK Malicious Redirects

Recently we have seen a rise in Angler exploit kit activity. Compromised websites are injected with JavaScript or iframe code that redirects visitors to malicious redirectors, which in turn perform the final redirection to the exploit kit landing page. The new malicious redirector URLs follow the pattern '/script.html?0.' followed by a long decimal fraction, which looks like the output of JavaScript's Math.random() appended as a cache-buster. A recent post on malware-traffic-analysis.net shows an example of Angler EK being loaded into a victim's browser through this malicious redirection.

Malicious redirection:
Fiddler session for 'www[.]coventryboysclub[.]com'

Malicious JavaScript injected into the compromised website:
The injected JavaScript shown above triggers the malicious redirection.

Data mining our logs for URLs containing the pattern '/script.html?0.' yielded the following malicious Angler EK redirectors.

Malicious Angler EK redirectors:
17530ded[.eu]/script.html?0.13876973787067392
1ce93eab[.eu]/script.html?0.30079703810562597
1ce93eab[.eu]/script.html?0.5477884006263802
1ce93eab[.eu]/script.html?0.6488428461203992
1ce93eab[.eu]/script.html?0.7534362460971151
1ce93eab[.eu]/script.html?0.7674786154127338
1ce93eab[.eu]/script.html?0.7932614087042251
1ce93eab[.eu]/script.html?0.9669280422046333
448a2efd[.eu]/script.html?0.0715755006824948
448a2efd[.eu]/script.html?0.0720967955057204
448a2efd[.eu]/script.html?0.12396148345095875
448a2efd[.eu]/script.html?0.13752752957795783
448a2efd[.eu]/script.html?0.18893366786652915
448a2efd[.eu]/script.html?0.20055626430884171
448a2efd[.eu]/script.html?0.39297801338546823
448a2efd[.eu]/script.html?0.559672783549431
448a2efd[.eu]/script.html?0.6315227990825216
448a2efd[.eu]/script.html?0.7142925010479783
448a2efd[.eu]/script.html?0.8961863257529772
4f301dbb[.eu]/script.html?0.01165945767279103
4f301dbb[.eu]/script.html?0.014521439900151145
4f301dbb[.eu]/script.html?0.02909044735133648
4f301dbb[.eu]/script.html?0.03621192215809843
4f301dbb[.eu]/script.html?0.06040500026673318
4f301dbb[.eu]/script.html?0.06620727899416734
4f301dbb[.eu]/script.html?0.07592342863790691
4f301dbb[.eu]/script.html?0.1056965972170999
4f301dbb[.eu]/script.html?0.17805376858450472
4f301dbb[.eu]/script.html?0.19134165719151497
4f301dbb[.eu]/script.html?0.2468458686489612
4f301dbb[.eu]/script.html?0.24732987699098885
4f301dbb[.eu]/script.html?0.2543650954030454
4f301dbb[.eu]/script.html?0.2642859390177215
4f301dbb[.eu]/script.html?0.2660833156109414
4f301dbb[.eu]/script.html?0.2754311924800277
4f301dbb[.eu]/script.html?0.27670867019332945
4f301dbb[.eu]/script.html?0.29127717796637753
4f301dbb[.eu]/script.html?0.3498865964383262
4f301dbb[.eu]/script.html?0.4132859113160521
4f301dbb[.eu]/script.html?0.4316767655261651
4f301dbb[.eu]/script.html?0.46010713503146305
4f301dbb[.eu]/script.html?0.47877446282655
4f301dbb[.eu]/script.html?0.4854609586764127
4f301dbb[.eu]/script.html?0.5035464715788367
4f301dbb[.eu]/script.html?0.519372357023097
4f301dbb[.eu]/script.html?0.5978336764965206
4f301dbb[.eu]/script.html?0.6030608513009923
4f301dbb[.eu]/script.html?0.6646832349838363
4f301dbb[.eu]/script.html?0.6854731151236686
4f301dbb[.eu]/script.html?0.6923399699988695
4f301dbb[.eu]/script.html?0.7101008273554276
4f301dbb[.eu]/script.html?0.7129303039578447
4f301dbb[.eu]/script.html?0.7612267575668117
4f301dbb[.eu]/script.html?0.7838674073533333
4f301dbb[.eu]/script.html?0.8025677101686597
4f301dbb[.eu]/script.html?0.8119433565801674
4f301dbb[.eu]/script.html?0.8321910223375173
4f301dbb[.eu]/script.html?0.8715455498891258
a45559ce[.eu]/script.html?0.027045608394174858
a45559ce[.eu]/script.html?0.16082289349287748
a45559ce[.eu]/script.html?0.7227968745864928
a45559ce[.eu]/script.html?0.8441381920129061
a45559ce[.eu]/script.html?0.954297112329845
f78c7ade[.eu]/script.html?0.09228469401218814
f78c7ade[.eu]/script.html?0.10404549677160007
f78c7ade[.eu]/script.html?0.11600669038614808
f78c7ade[.eu]/script.html?0.11630317475646734
f78c7ade[.eu]/script.html?0.2312467397204906
f78c7ade[.eu]/script.html?0.23150813408511922
f78c7ade[.eu]/script.html?0.39454319607259774
f78c7ade[.eu]/script.html?0.3989205304533243
f78c7ade[.eu]/script.html?0.44393448705808724
f78c7ade[.eu]/script.html?0.47427442020760046
f78c7ade[.eu]/script.html?0.5127957880031317
f78c7ade[.eu]/script.html?0.5951547447563215
f78c7ade[.eu]/script.html?0.5978974807076156
f78c7ade[.eu]/script.html?0.6755693661434181
f78c7ade[.eu]/script.html?0.7641308439307548
f78c7ade[.eu]/script.html?0.7996848016221056
f78c7ade[.eu]/script.html?0.9036962888203561
f78c7ade[.eu]/script.html?0.9408518108599162
 


Unique malicious redirector domains:
17530ded[.eu]
1ce93eab[.eu] 
448a2efd[.eu]
4f301dbb[.eu]
a45559ce[.eu]
f78c7ade[.eu] 


Snort signature: 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ANGLER EK Malicious Redirector"; flow:established,to_server; content:"/script.html?0."; http_uri; nocase; classtype:trojan-activity; reference:''; sid:XXXXX; rev:XX;) 

Compromised websites:
www[.]armourstore[.]co[.]uk/
www[.]coventryboysclub[.]com/
www[.]digitalbarriers[.]com/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/archeologia/siti-archeologici/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/borghi-medievali/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/castelli-e-palazzi/palazzi-storici/
www[.]ilpatrimonioartistico[.]it/il-gioco-dazzardo-nellantichita-pt-1/
www[.]ilpatrimonioartistico[.]it/il-gioco-dazzardo-nellantichita-pt-2/
www[.]ilpatrimonioartistico[.]it/le-antiche-case-di-piacere-i-lupanari/
www[.]infos-immobilier[.]fr/2014/05/le-scandale-des-tarifs-de-syndics-fait-polemique[.]html
www[.]itsonlyrocknrolllondon[.]co[.]uk/
www[.]nycent[.]com/
www[.]sne[.]pt/site/index[.]php?option=com_content&view=article&id=3&Itemid=10
e-mudanzas[.]com/
sabotagetimes[.]com/funny/the-best-of-whyimvotingukip-on-twitter/
sabotagetimes[.]com/life/adolf-hitler-and-the-third-reich-the-top-10-conspiracy-theories/
sabotagetimes[.]com/life/david-starkeys-career-ending-rant-was-mad-bad-and-dangerous-to-show/
sabotagetimes[.]com/life/the-day-i-had-a-gun-pointed-at-my-head-in-a-gift-shop
sabotagetimes[.]com/life/the-scariest-true-story-youll-ever-read/
sabotagetimes[.]com/music/layne-staley-the-self-destructive-genius-of-the-alice-in-chains-frontman/
sabotagetimes[.]com/reportage/embarrassing-bodies-another-wonky-week/
sabotagetimes[.]com/reportage/ms-pacman-four-other-female-video-characters-id-love-to-pixelate/
sabotagetimes[.]com/reportage/my-big-fat-gypsy-wedding-2012-week-three-spray-tans-fat-nans/
sabotagetimes[.]com/reportage/the-10-best-breaking-bad-quotes/
softag[.]pt/blog/wordpress/34-criar-e-editar-conteudo-com-wordpress


Pradeep