BluVector Threat Report

Q3 2018

Trojans are still winning. Out of the 12 Threat Reports over Q3, six were trojans. While the results from the Threat Report quarterly from Q2 2018 were pretty even in terms of the volume of threats being spread out between APTs, and trojans, Q3 2018 showcased the depth and breadth of trojan diversity and malicious innovation.

TABLE OF CONTENTS

3. Threat Report Q3 2018 Threat Chart
4. Summary
5. Summary Continued
6. APT: Turla
7. APT: APT28
8. APT: Lojax
9. RANSOMWARE: Magniber
10. RANSOMWARE: Gandcrab
11. RANSOMWARE: BitPaymer
12. TROJAN: AZORult
13. TROJAN: Windows/Android App
14. TROJAN: Dark Tequila
15. TROJAN: Delphi Crypters
16. TROJAN: Cobalt
17. TROJAN: RtPOS
18. About BluVector

THREAT REPORT Q3 2018 THREAT CHART

[Chart: months in advance of the threat first being publicly identified (axis: 10 to 50 months) at which BluVector would have detected each threat, grouped as APTs, fileless, ransomware and trojans, and marked as discovered in Q2 2018 or Q3 2018. The values read from the chart, with the Q3 2018 threats marked and all others discovered in Q2 2018:]

- Lojax: 47 months in advance (Q3 2018)
- Operation GhostSecret: 30 months in advance
- RIG Exploit Kit (fileless): 41 months in advance
- APT28: 42 months in advance (Q3 2018)
- Turla: 38 months in advance (Q3 2018)
- Kwampirs: 11 months in advance
- Invisimole: 3 months in advance
- RtPOS: 8 months in advance (Q3 2018)
- Windows/Android App: 17 months in advance (Q3 2018)
- BitPaymer: 50 months in advance (Q3 2018)
- Gh0st RAT: 10 months in advance
- GZipDe: 28 months in advance
- RadRAT: 26 months in advance
- Gandcrab: 43 months in advance (Q3 2018)
- Grobios: 50 months in advance
- Dark Tequila: 23 months in advance (Q3 2018)
- Cobalt: 33 months in advance (Q3 2018)
- Matrix: 52 months in advance
- KillDisk: 44 months in advance
- SynAck: 43 months in advance
- Magniber: 56 months in advance (Q3 2018)
- AZORult: 55 months in advance (Q3 2018)
- Delphi Crypters: 45 months in advance (Q3 2018)
- DBGer/Satan: 57 months in advance

BluVector runs all discovered samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.

© 2018 BluVector, Inc.

SUMMARY

First, the biggest story was the threat that wasn’t. Yet it illustrates clearly how prevalent malware has become and how those who should be the most protected aren’t. The discovery of Windows-targeted trojan code in 145 apps in Google’s Android Play Store might be easily overlooked by those who didn’t understand the context. While there was no threat to Windows from an Android application file (APK), the existence of the code showed that the app’s developers were infected. Through the development process, the code inserted itself into the app. It also illustrates an infrequently reported attack vector as developers of popular applications might become bigger targets for malware that deliberately, and secretly, inserts code into programs before they’re compiled. However simple, without several methods that are commonly designed with newer threats, some malware detection solutions might not pick it up.

Many malware creators use crypters to hide their malicious ways and they’re discovering old ways to build new threats. A new crypter, built in the older Delphi (née Pascal) language, is making the rounds as the compiled executable is harder to reverse engineer than some other coding languages. A similar approach also showed up in APT28’s Roman Holiday campaign, where Delphi code was used in the attack’s dropper.

KEY FINDINGS
- First UEFI rootkit found in the wild
- Two threats using Delphi language

Oh Trojan, How You’ve Evolved

As the most successful attacks, trojans are getting smarter as their developers are getting more organized or, in several apparently state-sponsored attacks, more multi-layered. In Q3, we saw the growth of multi-layered attacks as well as several attacks designed to infect computing devices in particular regions.

Dark Tequila, unlikely to be a world-spanning mega threat, targeted Spanish-speaking users in South America and attempts to grab credentials for web hosting panel access, Office 365, Lotus Notes, etc. When captured, that data is encrypted and uploaded to a command and control (C2) server. Interestingly, if the user isn’t using a Spanish keyboard, the malware simply uninstalls itself.

Other threats, such as RtPOS, came with Russian language in the code but might be a plug-in used with other malware, as it doesn’t encrypt data from POS machines. It simply writes the information to a text file, which might be more of a functional part of a bigger attack and not an attack itself.

Spear phishing still works and the group behind Cobalt has been reported by Europol to have stolen US$1.2 billion from 100 banks in over 40 countries. Originally targeted towards Russian and Romanian banks, emails were cleverly disguised as coming from the EU-based intrabank credit processor, Interkassa. In the U.S., Cobalt attacks showed up in restaurant chains including Arby’s, Chili’s, Chipotle and Red Robin.


Potentially the meanest attack of Q3, AZORult 3.2, rips off , exfiltrates browser histories from non-Microsoft browsers (yet, who really uses Edge?) and any data to get admin access. Targeted at North America, the attack begins with a password-encrypted Zip file enclosed in an email that tells the recipient the password. Inside is a Word file filled with malicious macros. After stealing all that data, it then downloads Hermes ransomware for a final coup de grâce.

Ransomware Still Getting Paid

Rather than count how much ransomware creators are earning, the Threat Report team prefers to observe changes that are going on in the malware underworld. Gandcrab isn’t new but the group behind it is accelerating its efforts. Just two days after Gandcrab 4.0 was released, version 4.1 was released with new , a unique method for hardcoding C2 URLs and several trojan-like functions that grab information, including installed AV software, and send it back to a C2. With a reported $600,000 in ransom payments, Gandcrab isn’t going away anytime soon. Yet, BitPaymer could easily top that amount with its high 53 bitcoin ransom request (roughly $337,000).

APTs, The Choice for State-run Attacks

Despite fewer APTs this quarter, APTs are the weapon of choice for state-run or state-targeted attacks. The Turla group, believed to be Russia-based, has attacked the U.S. State Department, U.S. Central Command, embassies in EU countries and the German Federal Foreign Office. Attacks included a PDF file that includes a fileless PowerShell script. Once breached, the malware places the acquired information into an encrypted Outlook email back to its attackers. Yet, the APT28 group, known for attacking southeast Asian countries, jumped to Italy for its “Roman Holiday” attack on the Italian Navy (“Marina Militare”) with a cleverly named C2 that was similar to its Italian language name, “marina-info.net”.

The scariest APT of the quarter easily goes to Lojax, known for attacking the Democratic National Committee, with a new campaign that’s been deployed in Central and Eastern EU countries. Rather than going file or fileless, the new attack writes itself into the UEFI (the modern version of a BIOS) of the device. Removing the threat would require reflashing the UEFI, something that most non-technical people would not know how to do. The threat does seem to be more limited, attacking Intel-based controller chips prior to the Intel Series 5, released in 2008.

Q4 Holiday Attacks

As with years prior, we expect to see an increase in attacks in Q4 2018. Seasonally, this can be partly due to holiday vacations of security staff, which can mean a delayed response to an attack. From the end user side, shoppers, looking for bargains, are often a prime target for email-related breaches. This is where user education proves its worth in the real world. Remind your users to be mindful about the emails they’re receiving, checking the links and reporting any activities that they believe might constitute a breach.

Q3 FINDINGS
- Months in advance in earliest detection
- New threats found this quarter

APT: Turla

What Is It?

Researchers from security company ESET have released a report detailing their analysis of malware used by the Advanced Persistent Threat (APT) group Turla (also known as Waterbug, Venomous Bear and KRYPTON). The malware is currently using a novel technique for its C2 communication: it utilizes specially-formatted PDF files in emails being sent to and from Microsoft Outlook clients.

The Turla APT group is Russia-based and has been active since 2007, targeting various governmental organizations and military contractors. Previous targets have included the U.S. Department of State, U.S. Central Command (CENTCOM) and embassies located in European countries.

Recent breaches attributed to Turla include the German Federal Foreign Office, where several systems were backdoored for nine months in 2017 before the malware was discovered.

Previous attacks have shown Turla to have excellent social engineering and technical skills, including campaigns where both Windows and Mac users downloaded genuine versions of Player, plus a backdoor, from apparently legitimate IP addresses.

ESET researchers believe the backdoor has been under constant development as far back as 2009. The most recent version, from April 2018, is now capable of running PowerShell scripts in memory. Of great interest is the novel C2 communication technique leveraging Microsoft Outlook and using PDF files. This technique does not exploit any vulnerabilities and uses Outlook’s genuine Messaging Application Programming Interface (MAPI) to gain access to the mailboxes on infected systems.

Firstly, the malware logs information related to each legitimate email sent or received by the user (sender, recipients, subject and attachment). This information is encrypted and periodically sent to the attackers in a PDF file attached to an email. Incoming emails containing PDF files are scanned to see if they contain commands common to bots and backdoors, such as downloading and executing files, running commands and exfiltrating data via PDF files attached to outgoing emails. The malware attempts to remain undetected by blocking notifications of incoming C2 emails and removing them from the inbox and sent folder. It is believed to be the only malware using email exclusively for its C2 communication.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. There are no details available regarding the initial infection vector; however, the Turla APT group have proven themselves adept at utilizing social engineering to their advantage, which may include malicious documents in spear phishing emails.

When/How Did BluVector Detect It?

Three publicly available samples were tested and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown that the samples would have been detected up to 38 months prior to their release.

APT: APT28

What Is It?

The Russian Advanced Persistent Threat (APT) group, known variously as APT28, Sofacy and Fancy Bear and active since 2007 or earlier, has been linked to various cyber espionage activities against government and public sector organizations, including the breach of the Democratic National Committee (DNC) during the 2016 U.S. presidential election cycle.

Most recently, researchers from Italy-based CSE Cybsec believe they have discovered an APT28 campaign targeting the Italian Navy.

Given APT28’s targets in the second half of 2017 were mainly Asian and South East Asian countries, this new campaign has been dubbed Operation Roman Holiday.

The attack consisted of an initial piece of dropper malware, written in the Delphi programming language. Then, the dropper downloads the second stage malware from the and executes it. This second stage is a new variant of the X-Agent backdoor malware, which has previously been associated with APT28 and communicates to its C2 site using the secure HTTPS protocol. X-Agent malware has been observed to be available for most operating systems and can incorporate custom modules for each individual campaign.

However, it was an additional Windows DLL file that the researchers found most interesting, due to its hardcoded C2 site, marina-info.net, which they believe to be specifically chosen for its resemblance to Marina Militare, the name of the Italian Navy. Researchers have yet to determine the specific requirements for this DLL file to activate, but believe it may be the IP range the infected system is part of.

Alleged APT28 Attacks:
- 2014 Ukrainian Army
- 2014 German Parliament
- 2015 French TV Station TV5Monde
- 2016 World Anti-Doping Agency
- 2016 U.S. Democratic National Committee
- 2017 French Presidential Election
- 2017 German Presidential Election
- 2018 International Olympic Committee

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The samples were discovered after being uploaded to sites such as VirusTotal; however, it is highly likely the attack vector would utilize social engineering techniques such as spear phishing emails with attached malicious documents.

When/How Did BluVector Detect It?

Six samples are listed in the report and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown the samples would have been detected an average of 42 months prior to their release.

APT: Lojax

What Is It?

Researchers from ESET released a whitepaper to coincide with a presentation at Microsoft’s BlueHat Security Conference. The whitepaper details their discovery of the first Unified Extensible Firmware Interface (UEFI) rootkit to be found in the wild, which they have dubbed Lojax.

They have tied this rootkit to the APT group they call Sednit, though more commonly known as APT28, Sofacy or Fancy Bear. This group has been named as the perpetrator of the Democratic National Committee hack in 2016, among many other successful compromises. Researchers found that this rootkit has been very selectively deployed, mainly against government agencies in the Balkans and unnamed Central and Eastern European countries.

Previously known to exist as proof of concepts from security conferences and potentially in the possession of some nation states, UEFI rootkits are highly sophisticated. UEFI is basically a modern version of a PC’s BIOS. UEFI provides access to the firmware which acts as an interface between the physical hardware and the operating system. By being able to update the flash memory that holds the UEFI, the Lojax malware is not only much more difficult to detect, but is completely unaffected by reformatting or even replacing the hard drive. The only way to remove the malware from the system is to reflash the UEFI memory with a clean copy of the firmware.

ESET named this malware Lojax as it utilizes a trojanized version of the legitimate Lojack software to gain access to the UEFI memory. Lojack, as the name suggests, is designed to notify the owner of the location of the system it is installed on, in the event it is lost or stolen. ESET found the only functionality in the Lojax samples they analyzed is to place malware onto the infected system when it is booted up and execute that malware when Windows starts.

There are mitigations for Lojax and other potential UEFI malware. Recent UEFI versions have an option called Secure Boot, which when enabled, requires all firmware to be signed before it is executed. With Secure Boot enabled, the unsigned Lojax firmware would not run. In addition, Lojax can only infect UEFI memory on versions with vulnerabilities, meaning those systems with current firmware installed or systems with the Intel Platform Controller Hub, first released in 2008 alongside the Intel Series 5 chipsets, will not be affected.

What is UEFI? A software interface between a device’s software-based operating system (OS) and its hardware-based firmware that manages boot services or applications before the OS starts and runtime services after the OS has been loaded. It replaced the older BIOS that existed on most PCs.

How Does It Propagate?

The malware does not self-propagate. There is no information regarding the attack vector used to initially infect systems with Lojax malware.

When/How Did BluVector Detect It?

The whitepaper contains a list of 12 samples related to Lojax and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 47 months prior to their release.
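A defender-side check for the mitigation named above, added here as an example and not part of the report or of ESET’s or BluVector’s tooling: it reads the SecureBoot and SetupMode variables that Linux exposes under efivarfs (the mount path and the 4-byte attributes prefix on each variable file are assumptions stated in the code) and reports whether the firmware is enforcing signatures, the state in which unsigned Lojax firmware would be refused.

```python
"""Report the UEFI Secure Boot state of a Linux host.

Added example, not code from the report or from ESET/BluVector. Assumptions:
efivarfs is mounted at /sys/firmware/efi/efivars and each variable file holds
a 4-byte attributes word followed by the variable data."""
import os

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE


def efivar_payload(record: bytes) -> bytes:
    """Strip the 4-byte attributes prefix that efivarfs prepends to every variable."""
    if len(record) < 4:
        raise ValueError("efivar record shorter than its attributes word")
    return record[4:]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Combine the raw SecureBoot and SetupMode records into one verdict.
    Signature enforcement only holds when SecureBoot == 1 and the firmware is
    not in SetupMode (SetupMode == 1 means the signing keys are not enrolled)."""
    enabled = efivar_payload(secure_boot)[:1] == b"\x01"
    setup = efivar_payload(setup_mode)[:1] == b"\x01"
    if setup:
        return "setup-mode"
    return "enabled" if enabled else "disabled"


def host_secure_boot_state(base: str = EFIVARS) -> str:
    """Read both variables from efivarfs. 'not-uefi' means the host booted in
    legacy BIOS mode (or efivarfs is not mounted) and nothing can be checked."""
    if not os.path.isdir(base):
        return "not-uefi"
    records = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(base, f"{name}-{EFI_GLOBAL_GUID}")
        try:
            with open(path, "rb") as fh:
                records[name] = fh.read()
        except OSError:
            return "unknown"
    return secure_boot_state(records["SecureBoot"], records["SetupMode"])


if __name__ == "__main__":
    print(f"Secure Boot: {host_secure_boot_state()}")
```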

RANSOMWARE: Magniber

What Is It?

The original version of Magniber would only install itself on the systems of South Korean users, deleting itself in all other cases. However, this fact should not be used to assume where the attackers are located.

The new version of Magniber ransomware expands the list of Asian languages on the devices that it will install itself onto, including Chinese and Malay. Infections have been noted in Taiwan and Hong Kong and could potentially infect users in China, Macau, Singapore, Malaysia and Brunei. The code itself has been significantly improved, no longer using a hardcoded encryption key (which previously made decryption a simple process) and does not require the infected system to have an active internet connection in order to be able to encrypt the files. The malware also uses code obfuscation techniques to make analysis and reverse engineering more difficult.

Magniber’s history goes back to the Magnitude exploit kit (EK) (originally known as Popads) that has been in the wild since 2013. While it started with a wide distribution, it later became privately operated to target Asian users. In late 2017, after previously distributing Cerber ransomware, the Magnitude EK started distributing their own ransomware, dubbed Magniber. After briefly distributing Gandcrab ransomware in April 2018, Magnitude EK has recently been delivering a new version of Magniber ransomware. Researchers from have observed the main exploit currently being used by the Magnitude EK is an Internet Explorer exploit for the Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174), which was patched by Microsoft in its May 2018 security updates.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. Magniber ransomware is spread via the Magnitude exploit kit, which attempts to exploit unpatched vulnerabilities in common software, such as Internet Explorer or Adobe Flash.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected a full 56 months prior to their release.

Countries Targeted by Magniber: Brunei, China, Hong Kong, Japan, Macau, Malaysia, Philippines, Singapore, South Korea, Taiwan, USA

RANSOMWARE: Gandcrab

What Is It?

Researchers have previously noted that the developers of Gandcrab ransomware appear to have adopted an agile development model as they’ve been releasing new versions that improve both the functionality and the underlying code.

This trend appears to be continuing as security vendor Fortinet discovered version 4.1 of Gandcrab only two days after the release of version 4.0. Due to such a rapid release schedule, Gandcrab is currently considered to be the most prolific ransomware family, responsible for over 50,000 infections and $600,000 in ransom payments in a two-month period earlier in 2018.

The new Gandcrab 4.1 added the more efficient Salsa20 encryption algorithm, removing the most commonly used RSA-2048. The most significant change is the malware now contains a lengthy list (in one case, nearly 1,000 long) of hardcoded C2 websites. The remainder of the C2 URLs is created from lists of words, allowing the final URL to appear to be randomly generated. The malware sends a variety of system information to the C2 site, including if the keyboard is using a Russian layout and any installed anti-virus product(s). Currently there appears to be no good reason to send this information, but it is potentially a feature that’s still under development. The malware will also terminate various processes belonging to Office, database, email and similar applications prior to encrypting files. Though not unique to Gandcrab, this ensures the user’s most current files will be encrypted, therefore maximizing the user’s motivation to pay the ransom.

According to , one feature that Gandcrab does not yet include is the ability to propagate using network file shares, through the use of the EternalBlue exploit. This functionality is expected to be included in future versions.

Gandcrab Searches For AV Software Including:
- Suite
- Avira Antivirus
- Comodo Pro
- ESET Antivirus
- Kaspersky Antivirus
- F-Secure Internet Security
- McAfee On-Access Antivirus Scanner
- Microsoft Windows Defender
- Panda Antivirus
- Symantec Antivirus engine
- Symantec Endpoint Protection
- Tiny Personal Firewall
- PC-Cillin Firewall

How Does It Propagate?

The malware does not yet contain the necessary code to self-propagate. In this case, it has been observed being downloaded from compromised websites that claim to offer pirated software, but instead (somewhat ironically) serve the ransomware.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 43 months prior to their release.

RANSOMWARE: BitPaymer

What Is It?

While some cybersecurity pundits claim the demise of ransomware, their prognostications were at best a premature conclusion. In recent weeks, variants of BitPaymer ransomware have infected systems at the Professional Golfers Association of America (PGA) and the local government offices of Matanuska-Susitna, a municipal borough of greater Anchorage.

BitPaymer, first identified in July 2017, was responsible for ransomware attacks on a number of Scottish hospitals in August 2017. BitPaymer is also known for making large ransom demands, up to 53 bitcoin (currently in excess of $332,000). In most cases, the initial attack vector of BitPaymer ransomware is compromising internet-facing Remote Desktop Protocol (RDP) servers. The passwords to these RDP servers are brute forced.

In the case of Matanuska-Susitna, based on a report from the IT Director, the BitPaymer ransomware was part of an attack consisting of several malware payloads, including the trojan. His investigation believes the ransomware was activated 4 to 6 weeks after their network was initially compromised. He incorrectly characterizes this attack as a zero-day, based on the fact their legacy anti-virus product did not detect any malware components of the attack until it was too late. The attack affected all 500 of their user endpoint systems and 120 of their 150 servers, requiring the IT department to essentially shut down their entire network, resulting in staff being forced to use typewriters. Other systems impacted included email, telephone, swipe card and even their and disaster recovery servers. They are currently planning on reimaging 650 systems at a rate of about 38 per day.

FORE! According to reports, staff at the PGA of America began receiving pop-up ransom messages on their workstation screens on August 7, 2018. Though not yet confirmed by the PGA, based on the wording it is believed BitPaymer ransomware is responsible. Another aspect consistent with BitPaymer ransomware is the offer to email two encrypted files to the attackers, who would decrypt them as proof of their “honest intentions.” It is reported that encrypted files include digital marketing assets related to the PGA Championship tournament and the Ryder Cup.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The most common attack vector for BitPaymer ransomware is compromising internet-facing RDP servers by brute forcing poor or common passwords where there are no security policies in place to enforce password lockouts.

When/How Did BluVector Detect It?

Specific samples have not yet been publicly attributed to either incident. Therefore, a random selection of 25 recent BitPaymer samples were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that the samples would have been detected an average of 50 months prior to their release.

TROJAN: AZORult

What Is It?

Originally discovered by researchers from Proofpoint in mid-2016, AZORult malware is an information stealer and downloader. Recently the authors released a major update that was observed being used in a large malicious spam campaign within 24 hours of the updated version becoming available.

The documentation for AZORult (v3.2) shows added features for stealing cryptocurrency wallets (including Exodus, Jaxx, Mist, Ethereum and Electrum) and exfiltrating browser histories from browsers other than Internet Explorer and Edge. The update also improves various functions on the administration panel, used by attackers to control how the malware is deployed and oversee infections. A new feature allows attackers to specify rules, such as if there are cookies or passwords related to a specific site, then download and run a specified file.

The campaign leveraging that version of AZORult mainly targeted North American email addresses using the tried and true lure of resumes attached to job application emails. The attachments were password protected Zip files, containing Microsoft Word documents using malicious macros. The password for the Zip file was included in the body of the email, an attempt to evade anti-virus and other related detection engines. If the email recipient opened the document and permitted the macros to run, the AZORult malware would be downloaded and executed. However, in this case, theft of the user’s credentials, browsing history, cryptocurrency wallets and other data is not the only consequence. The malware also downloads and executes a variant of Hermes ransomware, significantly compounding the impact of infection.

Malware downloading other malware is hardly a new concept; however, the combination of a data and cryptocurrency wallet stealer, immediately followed by ransomware, could result in a double financial loss for the infected user and their organization.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector in this case is a password protected Zip file attachment containing a malicious Microsoft Word document; the password is contained in the body of the email. A potential victim must be socially engineered by the content of the email to extract the document from the Zip and then allow macros to execute, a common but still all too effective technique.

When/How Did BluVector Detect It?

The malware samples related to this attack were both detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the samples of AZORult malware and Hermes ransomware would both have been detected 55 months prior to their release.
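A mail-gateway check for the lure described above, added here as an example and not BluVector’s detection logic: it inspects a Zip attachment’s central directory for an encrypted entry that is an Office document and looks for an archive password handed over in the message body. The sample mail body and archive are constructed; nothing is extracted, so the check needs no password and can never run a macro.

```python
"""Flag the lure used by this AZORult campaign: a password-protected Zip
attachment holding a Word document, with the password handed over in the mail
body. Added example, not BluVector's detection logic; the mail body and the
archive below are constructed, and only Zip headers are read."""
import io
import re
import struct
import zipfile

# Office formats that can carry VBA macros (legacy binary and macro-enabled OOXML).
OFFICE_EXTS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".pptm")
# A body that hands over the archive password, e.g. "the password is Resume2018".
PASSWORD_HINT = re.compile(r"\bpass(?:word|code)\b\s*(?:is|:)\s*([^\s.,;:!]+)", re.IGNORECASE)


def inspect_zip(data: bytes) -> dict:
    """List entries that are encrypted (bit 0 of the general-purpose flag) and
    entries that are Office documents, reading only the central directory."""
    encrypted, office = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
            if info.filename.lower().endswith(OFFICE_EXTS):
                office.append(info.filename)
    return {"encrypted": encrypted, "office": office}


def classify_email(body: str, attachments: dict) -> list:
    """Return (attachment name, reason) pairs for attachments matching the lure:
    an encrypted Office document inside a Zip, worse if the body gives the password."""
    hint = PASSWORD_HINT.search(body)
    findings = []
    for name, data in attachments.items():
        if not name.lower().endswith(".zip") or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        facts = inspect_zip(data)
        hidden_docs = sorted(set(facts["encrypted"]) & set(facts["office"]))
        if not hidden_docs:
            continue
        reason = f"encrypted Office document(s) {hidden_docs}"
        if hint:
            reason += f"; password '{hint.group(1)}' disclosed in body"
        findings.append((name, reason))
    return findings


# --- constructed sample data ---------------------------------------------------
def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Test helper: set the 'encrypted' flag on every entry of an archive written
    by zipfile (which cannot write encrypted archives). The flag word sits at
    offset 6 of a local file header and offset 8 of a central-directory header."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | 0x1)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_attachment(encrypted: bool = True) -> bytes:
    """Constructed resume.zip with one Word document, optionally flagged encrypted."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Resume_J_Doe.doc", b"placeholder document body (constructed)")
    return _mark_encrypted(raw.getvalue()) if encrypted else raw.getvalue()


SAMPLE_BODY = ("Hello, please find my resume attached for the open position. "
               "The archive password is Resume2018. Kind regards")

if __name__ == "__main__":
    for name, reason in classify_email(SAMPLE_BODY, {"resume.zip": build_sample_attachment()}):
        print(f"SUSPICIOUS {name}: {reason}")
```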

TROJAN: Windows/Android App

What Is It?

A report from Palo Alto Networks’ Unit 42 research group described an interesting discovery. They found 145 Android apps on the Google Play Store infected with Windows executable malware. After they were reported to the Google security team, all the infected applications have since been removed from Google Play.

The interesting aspect of this discovery is that the Windows malware poses absolutely no threat to Android devices as Windows executables do not run on Android devices. In order to be infected, it would require a highly unlikely sequence of events to occur. A user would have to download one of the infected APK files to a Windows system, extract the files contained by the APK file (which is a Zip archive) and deliberately or inadvertently execute one of the malicious executable files on their Windows system.

The majority of the infected apps were released in October and November in 2017, meaning they have been in circulation for at least nine months, some of which contained more than one malicious executable.

This is not a case where attackers have compromised a software package in order to distribute malware for that platform, as most famously occurred with the NotPetya outbreak. In NotPetya, an update to the Ukrainian MeDoc financial software actually delivered the malware. In this situation, it appears that the Windows workstations or other servers used by developers as part of the development process were compromised by malware, resulting in the malicious executables being added to the Android app APK files.

Though the threat posed by this specific example is very low, it highlights how vulnerable the development process is to compromise. This is especially true in app store ecosystems that provide opportunities for small or individual developers to release apps directly, without the security infrastructure and experience large developers may have.

How Does It Propagate?

The malware does not self-propagate. The attack vector appears to be developers’ workstations or servers which have already been compromised by Windows malware.

When/How Did BluVector Detect It?

The report listed 43 samples of Android APK files containing Windows malware and 22 unique samples of the Windows malware itself. BluVector’s patented Machine Learning Engine (MLE) detected 100% of both groups of samples. Regression testing has shown the infected Android APK files would have been detected an average of 17 months prior to their release and the Windows malware samples an average of 23 months prior.

Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.
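A build-pipeline check for the condition described in this section, added here as an example and not BluVector’s or Unit 42’s tooling: it walks the entries of an APK (a Zip archive) and reports any entry that carries a Windows PE header, regardless of its file extension. The APK built below is constructed, with minimal stand-in PE headers rather than real executables.

```python
"""Scan an Android APK (a Zip archive) for embedded Windows PE executables, the
condition Unit 42 reported for the 145 Play Store apps. Added example, not
BluVector's or Unit 42's tooling; the APK built below is constructed, with
stand-in PE headers rather than real executables."""
import io
import struct
import zipfile

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}  # COFF Machine values
HEAD_BYTES = 4096  # how much of each entry to decompress for the check


def pe_machine(head: bytes):
    """Return the COFF Machine field when `head` starts a PE image: an 'MZ' DOS
    header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'. Otherwise None."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew + 6 > len(head) or head[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", head, e_lfanew + 4)[0]


def scan_apk(apk_bytes: bytes) -> list:
    """Return (entry name, size, architecture) for every entry carrying a PE
    header, whatever its extension. Only the first HEAD_BYTES are decompressed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_BYTES)
            machine = pe_machine(head)
            if machine is not None:
                hits.append((info.filename, info.file_size,
                             MACHINE_NAMES.get(machine, hex(machine))))
    return hits


# --- constructed sample data ---------------------------------------------------
def _fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew -> 'PE\\0\\0' + Machine."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x44, machine)
    return bytes(img)


def build_sample_apk() -> bytes:
    """Constructed APK: ordinary entries plus two PE files hidden among assets."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/data.bin", _fake_pe(0x014C))
        zf.writestr("res/raw/update.exe", _fake_pe(0x8664))
    return raw.getvalue()


if __name__ == "__main__":
    for name, size, arch in scan_apk(build_sample_apk()):
        print(f"PE executable inside APK: {name} ({size} bytes, {arch})")
```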

TROJAN: Dark Tequila

What Is It?

A new malware, named Dark Tequila, is designed to obtain financial information and various types of login credentials. Researchers at Kaspersky Labs released a report detailing the sophisticated trojan that has been targeting Mexican users since 2013. Researchers believe the authors are native Spanish speakers and are geographically based somewhere in Latin America.

The malware consists of six modules and takes steps to protect itself from detection by only installing the main payload modules if certain conditions are met. The initial component makes contact with the C2 server and obtains the second module. This module checks to see if any security products are present, if there are any network monitoring or debugging tools running or if the malware is being executed in a virtual machine. If any of these criteria are met, the malware will remove itself and any potential forensic evidence.

The authors are quite hands-on in their monitoring of infections and if an infected system is not in Mexico or not considered interesting, the malware will uninstall itself.

The purpose of the main malware modules is to obtain credentials from various Mexican financial institutions, web hosting control panels (Cpanels and Plesk), Office 365, IBM Lotus Notes, Bitbucket, Amazon, GoDaddy, Namecheap, Dropbox, Softlayer, Rackspace and others. An information stealer module extracts passwords from email and FTP clients and browsers. Any data obtained is encrypted and uploaded to the C2 server. A USB infector module allows the malware to propagate by infecting any removable drives attached to infected systems.

This threat is still active and could be deployed to any other geographical region the attackers may choose in future.

Dark Tequila Scans for:
- Amazon
- Bitbucket
- Cpanels
- Dropbox
- GoDaddy
- IBM Lotus Notes
- Microsoft Office 365
- Namecheap
- Plesk
- Rackspace
- Register.com
- Softlayer
- Zimbra Email

How Does It Propagate?

The Dark Tequila malware includes a USB infector module that it can use to propagate. The initial infection vector is either spear phishing emails or via an infected USB device.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown that despite the samples being released in November 2015, both samples would still have been detected a further 23 months prior to that date.

© 2018 BluVector, Inc. 14 TROJAN: Delphi Crypters

What Is It?

A posting on FireEye’s Threat Research blog described a recently observed rise in the usage of crypters written in Borland’s Delphi programming language. Crypters have been used for a number of years not only to compress malware samples, but to make them more difficult to detect and reverse engineer.

Crypters used by malware authors are generally sold on forums, purchased with cryptocurrency. Crypters such as these will be sold with a code generator which uses a unique stub. The stub is the component which decrypts and loads the actual malicious code. Malware authors then pass the final malicious payload to the code generator, which then creates the crypted executable, similar in concept to zipping a file and creating a self-extracting zip file. Crypters are often sold with guarantees of being undetectable by anti-virus products and, increasingly, by sandboxes.

Delphi is a programming language, initially an evolution of Turbo Pascal, first released by Borland in 1995 for Windows 3.1. Delphi has been used to write numerous malware and continues to be used. Delphi is a so-called “high level” programming language, similar to the inimitable BASIC, in that it uses a syntax closer to a spoken language rather than machine language. This means code development is quicker, easier and requires less skill and experience than other programming languages.

It also has the added benefit, which may seem counter-intuitive, that it can be more difficult to perform code-based reverse engineering on. This is due to the fact that each Delphi command or function requires a lot of assembly code, greatly increasing the volume of code needing to be studied or debugged.

The Delphi crypters described by FireEye researchers used various techniques to attempt to remain undetectable. First, the Windows API calls they included in the code are commonly used by applications with graphical user interfaces. This makes a sample more likely to appear to be benign when executed in a sandbox or scanned by endpoint anti-virus, and may slow down code-based analysis.

Next, in an effort to foil detection by sandbox environments, these crypters check for activities suggestive of being executed on a normal endpoint system. One version of the crypter waited until the currently active window changed three times before proceeding; otherwise it remained in a permanent sleep state. Other versions used more common techniques, such as waiting for mouse movement and measuring the length of time the system remained idle. If the system passes these checks, the malicious payload is extracted, decrypted and executed.

Researchers found that many of the samples using these Delphi packers were information stealing trojans such as LokiBot and Pony, Remote Access Trojans (RATs), as well as some CoinMiner variants.

How Does It Propagate?

The blog entry contains examples of two spam campaigns containing malicious Excel files used as the attack vector for trojans using Delphi crypters. This is consistent with the most commonly seen vector for trojans.

When/How Did BluVector Detect It?

The blog entry contains six samples of recent malware which utilize Delphi-based crypters, and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 45 months prior to their release.

TROJAN: Cobalt

What Is It?

Researchers at Arbor Networks ASERT team recently observed the Cobalt group attempting to use spear phishing emails containing multiple malicious links in order to compromise Russian and Romanian banks.

The recent attack shows the resilience of Cobalt after successes by law enforcement against high ranking members of the group. In March 2018, Spanish authorities arrested the alleged leader, a Ukrainian whose name was not released. In August 2018, the U.S. Department of Justice advised that it had taken three high ranking members, also Ukrainians, into custody in relation to the theft of payment card numbers from U.S. companies.

Considered to be the most financially successful attacker group, Cobalt, who are also known variously as , FIN7 and TEMP.Metastrike, have, according to Europol, stolen more than one billion Euros (approximately US$1.2 billion) from 100 banks in 40 mainly European countries across a five-year timespan.

The group is also responsible for the theft of over 15 million payment card numbers from more than 6,000 point-of-sale (POS) systems in the U.S., including well-known restaurant chains such as Arby’s, Chili’s, Chipotle and Red Robin. Those card numbers were then sold for profit on the dark web.

In this case, the spear phishing emails are written as though they have originated from Interkassa, a legitimate European intra-bank payment processor. The Cobalt group has taken the uncommon, but not unheard of, tactic of placing two attack vectors in each email. Those emails contain a link that appears to be to a JPEG image file (but is actually a malicious executable) and a Microsoft Word document attachment. The Word document contains a macro which then downloads a malicious executable. Both malicious executables contact different C2 servers.

The Cobalt group’s success demonstrates it is both very experienced and adept at social engineering. As always, it is necessary for the user to enable macros in Word for the malicious macros to execute, so the email and Word document need to be crafted in a way that convinces users to allow the malicious code to execute. Often, even after realizing that they have been successfully social engineered and potentially compromised, users are reluctant to report it, due to embarrassment or other concerns, a fact that groups such as Cobalt exploit for profit.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. These attacks utilize spear phishing and social engineering in order to compromise organizations with malicious documents and links.

When/How Did BluVector Detect It?

Ten samples consisting of malicious documents and malicious executables used in this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 33 months prior to their release.
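As an added example for mail triage (not code from this report, Arbor or FireEye), the Python below checks for the two vectors Cobalt pairs in one email, and for the macro-laden Excel attachments of the Delphi crypter campaigns above: an OOXML attachment is inspected for a VBA project part, and a link whose visible name looks like an image while its URL path ends like an executable is flagged. The sample document is constructed inline, and the extension lists and function names are my own assumptions.

```python
"""Mail triage for the two Cobalt vectors: a macro document and a link dressed up as an image."""
import io
import zipfile
from urllib.parse import urlparse

# Assumed extension lists (my choice, not from the report); extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an OOXML file (.docx/.docm/.xlsx/.xlsm) carries a VBA project.
    Office stores macros as a binary part named vbaProject.bin inside the zip container."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container at all (legacy .doc/.xls or non-Office data)


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def disguised_executable_link(display_text: str, href: str) -> bool:
    """True when the visible link text ends like an image but the URL path ends like an executable."""
    return _ext(display_text.strip()) in IMAGE_EXTS and _ext(urlparse(href).path) in EXECUTABLE_EXTS


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container used as sample input; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def triage_email(links, attachments):
    """links: (display_text, href) pairs; attachments: (filename, bytes) pairs.
    Returns human-readable findings; two findings in one mail is the Cobalt double-vector pattern."""
    findings = []
    for display, href in links:
        if disguised_executable_link(display, href):
            findings.append(f"link '{display}' resolves to executable path {urlparse(href).path}")
    for name, data in attachments:
        if has_vba_project(data):
            findings.append(f"attachment '{name}' contains a VBA project (macro)")
    return findings
```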

TROJAN: RtPOS

What Is It?

A new report from Booz Allen Hamilton Cyber (BAHC) describes a piece of POS malware named RtPOS that appears to have been undiscovered for a year. In previous Threat Reports (RadRAT and InvisiMole), we have discussed the concept of dwell time as the period of time between a network being compromised and when that breach was detected.

POS malware, such as LockPOS, is designed to steal payment card data from terminals and other systems used to process card payments in stores and other businesses. Most often, the card data is extracted directly from the memory of the infected system. Readers may remember the news around the use of POS malware, such as in the well publicized attacks on customers of Home Depot and Target in 2014.

BAHC did not describe how or where they obtained the sample, though they named it RtPOS based on a debug string found in the sample. The metadata of the sample shows the language code to be Russian, which could indicate a possible location of the authors (or at least their chosen language).

The sample’s apparent lack of sophistication and functionality has caused speculation as to whether it is an example of malware that’s under development, although these same attributes could also indicate deliberate intent on the part of the authors to make the malware more stealthy.

Unlike the majority of current malware, RtPOS is not packed or otherwise obfuscated. However, this may actually make the sample appear less suspicious to endpoint-specific anti-malware solutions. In a departure from most POS malware, this sample also does not contain the capability to exfiltrate stolen card data; that data is merely logged in plain text to a file stored in the Windows\SysWOW64 directory. The malware is very specific in its function: it only accepts two parameters (either “install” or “remove”) and only looks for card data, but not other data that could be commoditized by attackers, such as social security numbers.

Given its narrow focus, it is believed that RtPOS is used in conjunction with additional malware in order to compromise the payment processing system and exfiltrate the extracted data. The compile date of the sample is August 2017 and there is no evidence to suggest this is not accurate, indicating the malware has been unnoticed in the wild for a full year.

How Does It Propagate?

The malware does not self-propagate and the infection vector is currently unknown.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the RtPOS malware. Regression testing has shown the sample would have been detected 20 months prior to its discovery, which appears to be 12 months after it was created, meaning BluVector would have detected this sample 8 months before it was even created.

Biggest POS Breaches In 2018 (So Far):
Jan: Aetna
Feb: FedEx
Mar: Orbitz
Mar: Under Armour
Apr: Saks Fifth Avenue, Lord & Taylor
Apr: Panera Bread
Apr: SunTrust Banks
May: Chili’s
May: Nuance Communications
June: TaskRabbit
June: Ticketmaster
June: Adidas
July: Macy’s
July: U.S. Air Force
July: LabCorp Diagnostics
July: LifeLock
August: Fortnite
Sept: British Airways
Sept: Facebook
Oct: U.S. Department of Defense
Source: https://www.identityforce.com/blog/2018-data-breaches
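Because RtPOS writes the card data it captures in plain text to a file under Windows\SysWOW64 instead of exfiltrating it, a host-side scan of directories that should never hold card data for Luhn-valid card numbers is one practical detection. The Python below is an added example, not part of the report or BAHC’s analysis; the log lines are constructed (the real RtPOS log format is not described) and use the public test card numbers.

```python
"""Scan text for plain-text card numbers (PANs), as left on disk by RtPOS-style malware."""
import re
from pathlib import Path
# Constructed sample log: the report does not document RtPOS's real log format.
# The card numbers are the well-known public test PANs, not real accounts.
SAMPLE_LOG = """\
2018-08-12 10:14:03 pid=3380 proc=pos.exe data=4111111111111111
2018-08-12 10:14:09 pid=3380 proc=pos.exe data=5555555555554444=25121010000
2018-08-12 10:15:41 pid=3380 proc=pos.exe data=378282246310005
2018-08-12 10:16:02 pid=3380 proc=pos.exe data=4111111111111112
2018-08-12 10:16:30 pid=3380 proc=pos.exe session=20170815123045
"""
# A PAN is 13 to 19 digits; the look-arounds stop matches inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right (minus 9 if over 9); sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Digit runs of card-number length that also pass Luhn, in order of appearance.
    Luhn weeds out most timestamps and session ids (the last sample line is a 14-digit miss)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]

def mask(pan: str) -> str:
    """First 6 and last 4 digits only, so findings can be reported without copying full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str, threshold: int = 1) -> dict:
    """Summarise one file's content; 'flagged' turns True once the hit count reaches threshold."""
    pans = find_pans(text)
    return {"hits": len(pans), "masked": [mask(p) for p in pans], "flagged": len(pans) >= threshold}

def scan_directory(root: Path, threshold: int = 1):
    """Walk a directory that should never hold card data (e.g. C:\\Windows\\SysWOW64)
    and yield (path, summary) for every file that is flagged."""
    for path in (p for p in root.rglob("*") if p.is_file()):
        try:
            summary = scan_text(path.read_text(errors="ignore"), threshold)
        except OSError:
            continue  # locked or privileged files are skipped rather than aborting the scan
        if summary["flagged"]:
            yield path, summary
```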

About BluVector

BluVector is revolutionizing with state-of-the-art AI, sensing and responding to the world's most sophisticated threats in real time. With the unmatched advantage of 8 years of work with the US Intel Community and their threat data, only BluVector has the proven ability to protect against emerging threats on average 13 months in advance. Stop waiting for breaches to happen. GET AHEAD OF THE THREAT.

BLUVECTOR MLE

BluVector MLE is a patented supervised Machine Learning Engine that was developed within the defense and intelligence community to accurately detect zero-day and polymorphic malware in real time. Unlike unsupervised machine learning, which is leveraged by most security vendors today, BluVector MLE algorithms were pre-trained to immediately identify malicious content embedded within common file formats like Office documents, archives, executables, .pdf, and system updates. The result: 99.1%+ detection accuracy upon installation.

BLUVECTOR SCE

BluVector SCE is the security market’s first analytic specifically designed to detect fileless malware as it traverses the network. By emulating how the malware will behave when it is executed, the Speculative Code Execution engine determines, at line speed, what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results that must be investigated. The result: 99%+ detection accuracy of this otherwise “invisible” threat.

GET AHEAD OF THE THREAT www.bluvector.io
