GReAT Ideas follow-up | Securelist

On June 17, we hosted our first “GReAT Ideas. Powered by SAS” session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats.

Sadly, the two hours of the session were not enough to answer all of the questions raised, so we try to answer them below. Thanks to everyone who participated, and we appreciate all the feedback and ideas!

  • How do you see Stonedrill deployment comparing now? Its discovery was based on lucky structural similarities with Shamoon, but do you see it actively used or correlating to the spread of this malware?

    There is some 2020 activity that looks like it could be Stonedrill related, but, in all likelihood, it is not. We are digging through details and trying to make sense of the data. Regardless, wiper activity in the Middle East region from late 2019 into early 2020 deployed code dissimilar to Stonedrill but more similar to Shamoon wipers. We stuck with the name “Dustman” – it implemented the Eldos ElRawDsk drivers. Its spread did not seem Stonedrill related.

    At the same time, no, the Stonedrill discovery was not based on luck. And, there are multiple overlaps between Shamoon 2.0 and Stonedrill that you may review under “Download full report” in the ‘From Shamoon to StoneDrill’ blogpost. You might note that Stonedrill is a somewhat more refined and complex code, used minimally.

    While the Shamoon spreader shared equivalent code with Orangeworm’s Kwampirs spreader, and the two are closely linked, we have not seen the same level of similarity with Stonedrill. However, several of the Shamoon 2.0 executables share quite a few unique genotypes with both Stonedrill and Kwampirs. In the above paper, we conclude that Stonedrill and Shamoon are most likely spread by two separate groups with aligned interests, for reasons explained in the report PDF. Also, it may be that some of the codebase, or some of the resources providing the malware, are shared.

  • Do the authors of Shamoon watch these talks?

    Perhaps. We know that not only do offensive actors and criminals attempt to reverse-engineer and evade our technologies, but they attempt to attack and manipulate them over time. Attending a talk or downloading a video later is probably of interest to any group.

  • Are there any hacker-for-hire groups that are at the top level? How many hacker-for-hire groups do you see? Are there any hacker-for-hire groups coming out of the West?

    Yes. There are very capable and experienced hack-for-hire groups that have operated for years. We do not publicly report on all of them, but some come up in the news every now and then. At the beginning of 2019, Reuters reported insightful content on a top-level mercenary group and their Project Raven in the Middle East, for example. Their coordination, technical sophistication and agile capabilities were all advanced. In addition to the reported challenges facing the Project Raven group, some of these mercenaries may be made up of a real global mix of resources, presenting moral and ethical challenges.

  • I assume Sofacy watches these presentations. Has their resistance to this analysis changed over time?

    Again, perhaps they do watch. In all likelihood, what we call “Sofacy” is paying attention to our research and reporting like all the other players.

    Sofacy is an interesting case as far as their resistance to analysis: their main backdoor, SPLM/CHOPSTICK/X-Agent, was modular and changed a bit over the course of several years, but much of that code remained the same. Every executable they pushed included a modified custom encryption algorithm to hide away configuration data if it was collected. So, they were selectively resistant to analysis. Other malware of theirs, X-Tunnel, was re-coded in .Net, but fundamentally, it is the same malware. They rotated through other malware that seems to have been phased out and may be re-used at some point.

    They are a prolific and highly active APT. They added completely new downloaders and other new malware to their set. They put large efforts into non-executable-based efforts like various credential harvesting techniques. So, they have always been somewhat resistant to analysis, but frequently leave hints in infrastructure and code across all those efforts.

    Zebrocy, a subset of Sofacy, pushed malware with frequent changes by recoding it in multiple languages, but often maintained similar or the same functionality over the course of releases and re-releases. This redevelopment in new and often uncommon languages can be an issue, but something familiar will give it away.

  • Have we seen a trend for target countries to pick up and use tools/zero-days/techniques from their aggressors? Like, is Iran more likely to use Israeli code, and vice versa?

    For the most part, no, we don’t see groups repurposing code potentially only known to their adversary and firing it right back at them, likely because the adversary knows how to, and probably is going to watch for blowback.

    Tangentially, code reuse isn’t really a trend, because offensive groups have always picked up code and techniques from their adversaries, whether these are financially motivated cybercriminal groups or APTs. And while we have mentioned groups “returning fire” in the past, like Hellsing returning spear-phish on the Naikon APT, a better example of code appropriation is VictorianSambuca or Bemstour. We talked about it at our T3 gathering in Cancun in October. It was malware containing an interesting zero-day exploit that was collected, re-purposed, touched up and re-deployed by APT3, HoneyMyte and others. But as far as we know, the VictorianSambuca package was picked up and used against targets other than its creator.

    Also, somewhere in the Darkhotel/Lazarus malware sets, there may be some code blowback, but those details haven’t yet been hammered out. So, it does happen here and there, maybe out of necessity, maybe to leave a calling card and shout-out, or to confuse matters.

  • If using API-style programming makes it easier to update malware, why don’t more threat actors use it?

    I think here we are talking about Microcin last-stage trojan exported function callbacks. Nobody could tell for sure, but from my point of view, it’s a matter of the programmer’s experience. The “senior” one takes a lot into consideration during development, including architectural approach, which could make maintenance easier in the future.

    The “junior” one just solves the trojan’s main tasks: spying capabilities, adds some anti-detection, anti-analysis tricks, and it’s done. So maybe if the author has “normal” programming experience, he carefully plans data structures and software architecture. It seems not all of the actors have developers like that.

  • Have you seen proxying/tunneling implants using IOTs for APT operations, such as the use of SNMP by CloudAtlas? Do you think that’s a new way to penetrate company networks? Have you ever encountered such cases?

    We watched the massive Mirai botnets for a couple of years, waiting to see an APT takeover or repurposing, and we didn’t find evidence that it happened. Aside from that, yes, APTs are known to have tunneled through a variety of IoT devices to reach their intended targets. IoT devices like security web cams and their associated network requirements need to be hardened and reviewed, as their network connections may lead to an unintended exposure of internal resources.

    With elections around the world going on, municipalities and government agencies contracting with IT companies need to verify attack surface hardening and understand that everything, from their Internet-connected parking meters to connected light bulbs, can be part of a targeted attack, or be misused as a part of an incident.

  • How often do you see steganography like this being used by other actors? Any other examples?

    Steganography isn’t used exclusively by the SixLittleMonkeys actor for sure. We could also mention here such malware as NetTraveller, Triton, Shamoon, Enfal, etc. So, generally, we could say the percentage of steganography usage among all the malicious samples is quite low, but it happens from time to time.

    The main reason to use it from malefactors’ point of view is to conceal not just the data itself but the fact that data is being uploaded or downloaded. E.g. it could help to bypass deep packet inspection (DPI) systems, which is relevant for corporate security perimeters. Use of steganography may also help bypass security checks by anti-APT products, if the latter cannot process all image files.
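    The DPI point in the answer above is that the carrier remains a syntactically valid image: a signature or string scan of the stream never sees the payload because it is spread one bit at a time across the sample values. The following block is an added illustration for this page, not code from any of the families named in the answer; it embeds a constructed configuration blob into a constructed raw pixel buffer using least-significant-bit substitution with a length prefix, extracts it again, and measures how little the carrier changes. The cover data, the secret and the 4-byte length header are all assumptions of the example.

```python
import random


def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least-significant bit of each cover byte (one bit per byte).
    A 4-byte big-endian length prefix lets the extractor know where the data ends."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(payload) * 8, len(cover)))
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for bit in range(8):                      # MSB first
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the length prefix, then that many bytes of LSBs."""
    def read_bytes(start: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            value = 0
            for bit in range(8):
                value = (value << 1) | (stego[(start + i) * 8 + bit] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier size")
    return read_bytes(4, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by the embedding (LSB flips give at most 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed stand-in for raw RGB pixel data; not a real image."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


# Constructed C2 configuration blob (TEST-NET address), not taken from any real sample.
SECRET = b"host=203.0.113.10;port=443"

if __name__ == "__main__":
    cover = make_cover(64 * 64 * 3)          # a 64x64 RGB image's worth of samples
    stego = embed_lsb(cover, SECRET)
    print(extract_lsb(stego), "max change per sample:", max_sample_change(cover, stego))
```

    The carrier keeps its size and every sample moves by at most one unit, which is why an inspection engine that validates the image format, or searches the stream for known strings, gets nothing; it would have to decode the picture and run statistical tests on the bit planes to notice the embedding.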

  • If you want to join our honeypot project, please get in touch with us at [email protected]

    We are not afraid of tough questions; therefore, we did not filter out the following ones.

    We hope you find these answers useful. The next series of the GReAT Ideas. Powered by SAS webinars, where we will share more of our insights and research, will take place on July 22. You can register for the event here: https://zoom.us/webinar/register/7415946370370/WN_31aVVq-lSheiKPc5pDr7Ag

    As we promised, some of the best questions asked during the webinar will be awarded with a prize from the GReAT Team. The winning questions are:
    “Are there any hacker for hire groups that are at the very top level? How many hackers-for-hire groups do you see? Are there any hacker for hire groups coming out of the west?”
    “Can you expand on how you identify a genotype and determine that it is unique?”

    We will contact those who submitted these questions shortly.

    Feel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.



    The Tetrade: Brazilian banking malware goes global

    Introduction

    Brazil is well known for the banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world’s busiest and most creative perpetrators of cybercrime. Like their counterparts in China and Russia, their cyberattacks have a strong local flavor, and for a long time they limited their attacks to the customers of local banks. But the time has come when they aggressively expand their attacks and operations abroad, targeting other countries and banks. The Tetrade is our designation for four large banking trojan families created, developed and spread by Brazilian crooks, now operating on a global level.

    Although this is not their first attempt – they tried, timidly, in 2011, using very basic trojans, with a low success rate – now the situation is completely different. Brazilian banking trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware, and using a very complex execution flow, which makes analysis a painful, tricky process.

    At least since the year 2000, Brazilian banks have operated in a very hostile online environment full of fraud. Despite their early adoption of technologies aimed at protecting the customer, and the deployment of plugins, tokens, e-tokens, two-factor authentication, chip-and-PIN credit cards and other ways to safeguard their millions of clients, fraud is still ramping up, as the country still lacks proper legislation for punishing cybercriminals.

    This article is a deep dive intended for a complete understanding of these four banking trojan families: Guildma, Javali, Melcoz and Grandoreiro, as they expand abroad, targeting users not just in Brazil, but in the wider Latin America and Europe.

    These crooks are prepared to take on the world. Are the financial system and security analysts ready to deal with this persistent avalanche?

    Guildma: full of tricks

    Also known as: Astaroth
    First seen: 2015
    Tricks: LOLBins and NTFS Alternate Data Streams (ADS), process hollowing, payloads hosted within YouTube and Facebook posts
    Ready to steal data from victims living in: Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe. Confirmed victims in Brazil

    The Guildma malware has been active since at least 2015, when it targeted banking users exclusively in Brazil. Since then it has been constantly updated, adding new targets, new features and more stealth to its campaigns, and directing its attacks at other countries in Latin America. The group behind the attacks has shown good knowledge of legitimate tools, using them to build a complex execution flow that hides the malware inside the host system and prevents automated analysis systems from tracking its activity.

    Recently, a newer version was found in the wild that abuses NTFS Alternate Data Streams (ADS) to store the malicious payloads downloaded during execution. The malware is highly modular, with a very complex execution flow. The group’s main vector is a malicious file in compressed format, attached to an email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file that executes JavaScript to download the malicious file.

    The malware relies on anti-debugging, anti-virtualization and anti-emulation tricks, as well as process hollowing, living-off-the-land binaries (LOLBins) and NTFS Alternate Data Streams to store payloads downloaded from cloud hosting services such as Cloudflare Workers and Amazon AWS, and from popular websites like YouTube and Facebook, where the group stores its C2 information.

    From LNK to a full banking backdoor

    Guildma spreads mainly through email campaigns with a malicious compressed file attached to the message. File types vary from Visual Basic Script to LNK. Most of the phishing messages imitate business requests, packages sent via courier services or other routine corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance.

    Purchase invoice for alcohol gel: Guildma’s trick for luring victims

    We observed that at the beginning of November 2019 another layer was added to the infection chain. Instead of attaching a compressed file directly to the email, the attackers attached an HTML file that executed JavaScript to download the file.

    Javascript executed in order to download a compressed LNK file

    To download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since it is a legitimate, Microsoft-signed Windows utility that is commonly whitelisted. By the end of September 2019, we started seeing a new version of Guildma that stored downloaded payloads in NTFS Alternate Data Streams to conceal their presence on the system.

    c:\windows\system32\cmd.exe /c type "c:\users\public\Libraries\radm\koddsuffyi.gif" > "c:\users\public\Libraries\radm\desktop.ini:koddsuffyi.gif" && erase "c:\users\public\Libraries\radm\koddsuffyi.gif"

    Downloaded payload being stored in desktop.ini’s ADS

    Using ADS helps to hide the payload, since a named stream does not appear in Explorer or in a normal directory listing, and the reported size of the host file (desktop.ini) does not change. To list alternate data streams, use the DIR command with the /R switch, which displays the streams attached to each file. Note that desktop.ini normally carries the hidden and system attributes, so add /A as well, or the host file itself will not be listed.

    Payloads stored in the ADS data of desktop.ini
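    A directory listing with /R is easy to read by eye for one folder, but during incident response the output of `dir /R /A /S` over a whole profile runs to thousands of lines. The block below is an added example written for this page, not Kaspersky's tooling: it parses such a listing, collects every named `$DATA` stream, and filters out the one named stream that is almost always benign (Zone.Identifier, the Mark-of-the-Web) plus anything too small to be a payload. The listing it runs on is constructed to mirror the command shown above; the file sizes and timestamps in it are invented.

```python
import re

# Constructed `dir /R /A` output, not a capture from a real infection. File and stream
# names mirror the command shown above; sizes and timestamps are invented.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of c:\\users\\public\\Libraries\\radm

11/20/2019  10:15 AM    <DIR>          .
11/20/2019  10:15 AM    <DIR>          ..
11/20/2019  10:15 AM               282 desktop.ini
                                 52,736 desktop.ini:koddsuffyi.gif:$DATA
11/20/2019  10:16 AM           118,784 64a.dll
                                     26 64a.dll:Zone.Identifier:$DATA
               2 File(s)        119,066 bytes
               2 Dir(s)  40,000,000,000 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream lines carry no date column: leading whitespace, a size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def find_alternate_streams(listing: str):
    """Return (directory, file, stream, size) for every named $DATA stream in `dir /R` output.
    Sizes may carry locale digit separators ("," or "."), which are stripped."""
    found, current_dir = [], None
    for line in listing.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        stream = STREAM_LINE.match(line)
        if stream:
            size = int(re.sub(r"[,.]", "", stream.group(1)))
            found.append((current_dir, stream.group(2), stream.group(3), size))
    return found


BENIGN_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web, present on most downloaded files


def suspicious_streams(listing: str, min_size: int = 1024):
    """Named streams worth a look: not the Mark-of-the-Web marker and large enough to be
    a payload rather than a few bytes of metadata."""
    return [s for s in find_alternate_streams(listing)
            if s[2] not in BENIGN_STREAMS and s[3] >= min_size]


if __name__ == "__main__":
    for directory, host, stream, size in suspicious_streams(SAMPLE_DIR_OUTPUT):
        print("%s\\%s:%s (%d bytes)" % (directory, host, stream, size))
```

    On a live system the same data can be pulled without parsing text: PowerShell’s `Get-Item -Path <file> -Stream *` enumerates the streams of a file, and `Get-Content -Path <file> -Stream <name>` reads one out for hashing or submission.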

    After the additional modules are hidden, the malware launches itself using DLL search order hijacking. We have observed various processes used by Guildma at this step; this version uses ExtExport.exe, a legitimate Internet Explorer component. The library to be loaded is the result of concatenating two previously downloaded files (64a.dll and 64b.dll), as can be seen in the image above. The resulting file is given the name of one of the known libraries that ExtExport loads at startup. Once loaded, it concatenates three other files and loads them as well.

    Some of the anti-debugging/anti-emulation techniques used by the loader

    This stage checks for debugging tools, virtual environments, known Windows product IDs commonly used by sandboxes, common usernames and certain disk serial numbers that are most likely associated with analyst environments detected earlier. If nothing of the kind is found, the malware decrypts the third stage and executes it using process hollowing, a technique commonly used by malware authors. In this version, the payloads are encrypted with the same XOR-based algorithm used in previous versions; in the latest version, however, the payload is encrypted twice, with different keys.

    File content is encrypted twice using different keys

    To execute the additional modules, the malware uses process hollowing to hide the malicious payload inside a whitelisted process such as svchost.exe. The payloads are stored encrypted on the filesystem and decrypted in memory as they are executed.

    The final payload installed on the system monitors user activity, such as opened websites and running applications, and checks them against the target list. When a target is detected, the banking module is executed, giving the criminals control over banking transactions.

    This module allows the criminals to perform certain very specific banking operations, such as:

    • full control over page navigation through the use of a VNC-like system,
    • toggling screen overlay,
    • requesting SMS tokens,
    • QR code validation,
    • requesting a transaction.

    The attacker can essentially perform any financial transactions by using the victim’s computer, while avoiding anti-fraud systems that can detect banking transactions initiated by suspicious machines.

    YouTube and Facebook for C2s

    After all loading steps have completed, the malware runs on the infected system, monitoring it, communicating with the C2 server and loading additional modules on request. In the latest versions, it started to store C2 information in encrypted form on YouTube and Facebook pages.

    C2 information hosted on a YouTube page

    The newer versions of Guildma found in 2020 use an automated process to generate thousands of URLs per day, mostly abusing generic TLDs. Our systems have been catching more than 200 different URLs per day, such as:

    01autogestor.ga
    04autogestor.ml
    0ff2mft71jarf.gq
    2va6v.6pnc3461.ink
    4nk7h3s453b019.com.de
    64pgrpyxpueoj.ga
    6pnc3461.ink
    6zs1njbw.ml
    7wpinibw.ml
    84m4bl423.space
    909nu3dx3rgk13.com.de
    bantqr8rrm9c11.com.de
    evokgtis.gq
    g2ha14u2m2xe12.com.de
    ghcco980m1zy9.org
    gurulea8.ml
    k8cf0j5u.cf
    kaligodfrey.casa
    kfgkqnf5.cf
    nfiru.xyz
    osieofcorizon.fun
    paiuew.bnorp.ml
    peolplefortalce.gq
    topgear.cf
    venumxmasz.club
    vuryza.ga
    xufa8hy15.online
    xvbe.monster

    Some of Guildma’s URLs for downloading malware

    Our telemetry shows detections of Guildma are widespread.

    Guildma: widespread globally

    The intended targets of Guildma can be seen in the code: the malware is capable of stealing data from bank customers in Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe and, of course, Brazil. However, this target list has been found in just one version of Guildma and has not been implemented in any of the newer versions.

    From Guildma’s code: possible target countries

    Javali: big and furious

    First seen: 2017
    Tricks: big files for avoiding detection, DLL sideloading, configuration settings hosted in Google Docs
    Confirmed victims in: Brazil and Mexico

    Javali, active since November 2017, targets Portuguese- and Spanish-speaking countries, primarily focusing on customers of financial institutions in Brazil and Mexico. Javali uses multistage malware and distributes its initial payload via phishing emails, as an attachment or as a link to a website. These emails carry an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote C2; the malware also uses DLL sideloading and several layers of obfuscation to hide its activity from analysts and security solutions.

    The initial Microsoft Installer downloader contains an embedded custom action that triggers a Visual Basic Script. The script connects to a remote server and retrieves the second stage of the malware.


    Using MSI’s ‘CustomAction’ events to trigger the execution of the downloader VBS

    The downloaded ZIP package contains several files and a malicious payload capable of stealing financial information from the victim. A decompressed package commonly contains a large number of files, including executables that are legitimate but vulnerable to DLL sideloading.

     The contents of a typical Javali .ZIP package, including a 602 MB DLL file

    The legitimate DLL that would normally be loaded here is roughly 600 KB, but in the package it is replaced by an obfuscated library of over 600 MB. The huge size is meant to hamper analysis and detection; in addition, file size limits prevent uploading the sample to multiscanners such as VirusTotal. Once all of the empty sections have been removed from the library, the final payload is a 27.5 MB binary.
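    Removing the padding is the first thing an analyst has to do with a sample like this, and it is routine enough to automate. The block below is an added example for this page, not Kaspersky’s tooling and not a reproduction of the Javali library: it walks the PE section table with nothing but the standard library, reports how much of each section is trailing zero bytes, and rewrites the file with that padding dropped. The Windows loader zero-fills whatever part of a section lies beyond SizeOfRawData, so trimming raw zeros and leaving VirtualSize alone keeps the image identical in memory. The toy PE it builds for the demonstration is constructed (a 300-byte code section plus a 16 KiB section of zeros), and the 0x200 file alignment is an assumption.

```python
import struct

FILE_ALIGNMENT = 0x200  # assumed alignment for the rebuilt file (the usual value)


def _headers(pe: bytes):
    """Validate the MZ/PE signatures and return (e_lfanew, [section header offsets])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size          # section table follows the optional header
    return e_lfanew, [first + i * 40 for i in range(n_sections)]


def _section(pe: bytes, off: int):
    """Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData of one header."""
    name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
    return name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, raw_size, raw_ptr


def section_padding_report(pe: bytes):
    """(name, SizeOfRawData, trailing zero bytes) per section: a padded sample shows
    sections whose raw data is almost entirely zeros."""
    _, offsets = _headers(pe)
    report = []
    for off in offsets:
        name, _, _, raw_size, raw_ptr = _section(pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        report.append((name, raw_size, raw_size - len(raw.rstrip(b"\0"))))
    return report


def shrink_padded_pe(pe: bytes) -> bytes:
    """Drop trailing zero padding from every section and repack the file.
    VirtualSize is untouched, so the loader still maps the same image; any overlay
    (data after the last section) is carried over. Checksum and Authenticode data are
    not recomputed, which does not matter for analysis."""
    _, offsets = _headers(pe)
    sections = [_section(pe, off) for off in offsets]
    raw_ptrs = [s[4] for s in sections if s[3]]
    headers_len = min(raw_ptrs) if raw_ptrs else len(pe)
    last_end = max((s[4] + s[3] for s in sections), default=headers_len)
    overlay = pe[last_end:]
    out = bytearray(pe[:headers_len])
    for off, (_, _, _, raw_size, raw_ptr) in zip(offsets, sections):
        raw = pe[raw_ptr:raw_ptr + raw_size].rstrip(b"\0")
        new_size = -(-len(raw) // FILE_ALIGNMENT) * FILE_ALIGNMENT   # round up
        new_ptr = len(out) if new_size else 0
        struct.pack_into("<II", out, off + 16, new_size, new_ptr)  # SizeOfRawData, PointerToRawData
        out += raw.ljust(new_size, b"\0")
    return bytes(out + overlay)


def build_padded_sample() -> bytes:
    """Construct a toy PE32 (not a Javali sample): a 300-byte .text section followed by
    a 16 KiB section that is entirely zero, mimicking the inflated library."""
    opt_size, n_sections, headers_size = 0xE0, 2, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    text = b"\x55\x8b\xec" * 100
    text_raw, pad_raw = 0x200, 0x4000
    sec = "<8sIIIIIIHHI"
    hdr_text = struct.pack(sec, b".text", len(text), 0x1000, text_raw, headers_size, 0, 0, 0, 0, 0x60000020)
    hdr_pad = struct.pack(sec, b".pad", pad_raw, 0x2000, pad_raw, headers_size + text_raw, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr_text + hdr_pad).ljust(headers_size, b"\0")
    return headers + text.ljust(text_raw, b"\0") + b"\0" * pad_raw


if __name__ == "__main__":
    sample = build_padded_sample()
    print(section_padding_report(sample))
    print(len(sample), "->", len(shrink_padded_pe(sample)), "bytes")
```

    Before trusting the trimmed copy, diff the padding report of the input against the output: a section whose zero tail shrank but whose non-zero prefix changed would mean the inflation was not plain zero padding, and some samples pad with a repeated non-zero byte instead, which this version deliberately leaves in place.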

    After deobfuscating it all, we are able to see the URLs and the names of banks targeted by the malware.

    Javali after deobfuscation: looking for Mexican bank customers

    GDocs for malware

    Once the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to the address, it uses a hardcoded one.

    Configuration settings stored in a shared Google Document

    The original configuration:

    inicio{
    "host":"7FF87EF610080973F065CAB4B5B0AA",
    "porta":"0000"
    }fim

    The host value is obfuscated here for obvious reasons. Javali uses a third-party library, IndyProject, for communication with the C2. In the most recent campaigns, its operators also started using YouTube for hosting C2 information, exactly as Guildma does.
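    The configuration block above is the kind of thing a hunting script should be able to pull out of an exported document automatically, and there is one practical catch: Google Docs rewrites straight quotes as typographic ones (the ″ in the original is a symptom of that), so the JSON has to be normalized before it can be parsed. The block below is an added example for this page, not Javali’s code: it extracts the `inicio{...}fim` block from a constructed document export, repairs the quotes, and reproduces the loader’s fallback decision when the document cannot be fetched or parsed. The document text, the fallback address and the field handling are assumptions of the example; the page does not say how the host string is decoded.

```python
import json
import re

# Typographic quotes that an online editor substitutes for ASCII ones break json.loads.
QUOTE_MAP = str.maketrans({"\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2033": '"',
                           "\u2018": "'", "\u2019": "'"})
CONFIG_RE = re.compile(r"inicio\s*(\{.*?\})\s*fim", re.DOTALL)

# Stand-in for the address compiled into the binary; the real value is not on this page.
FALLBACK_CONFIG = {"host": "HARDCODED-FALLBACK", "porta": "0000"}


def extract_config(document_text: str):
    """Return the first well-formed inicio{...}fim block as a dict, or None."""
    cleaned = document_text.translate(QUOTE_MAP)
    for match in CONFIG_RE.finditer(cleaned):
        try:
            cfg = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue                       # a corrupted block; keep looking
        if isinstance(cfg, dict) and {"host", "porta"}.issubset(cfg):
            return cfg
    return None


def resolve_c2(document_text, fallback=FALLBACK_CONFIG):
    """Mirror the loader's decision: use the shared document when it could be fetched
    and parsed, otherwise the hardcoded address. Returns (config, source)."""
    if document_text is None:              # fetch failed
        return dict(fallback), "fallback"
    cfg = extract_config(document_text)
    return (cfg, "document") if cfg else (dict(fallback), "fallback")


# Constructed export of a shared document (not the real one): surrounding prose, editor
# smart quotes, and the same obfuscated host value as shown above.
SAMPLE_DOC = """Meeting notes

inicio{
\u201chost\u201d:\u201d7FF87EF610080973F065CAB4B5B0AA\u201d,
\u201cporta\u201d:\u201d0000\u2033
}fim

End of document.
"""

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_DOC))
    print(resolve_c2(None))
```

    When the document is still online, the same parser applied to the `/export?format=txt` view of the document gives the current configuration, and storing successive values lets you see how often the operators rotate the host.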

    An in-depth analysis of the library code reveals a target list in some of the samples. Depending on the sample, cryptocurrency websites such as Bittrex, or payment solutions such as Mercado Pago (the payment arm of the popular Latin American marketplace Mercado Libre), are also targeted. To capture login credentials for the listed websites, Javali monitors processes to find open browsers or custom banking applications. The browsers most commonly monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge.

    Victims are mainly concentrated in Brazil, although recent phishing emails show a marked interest in Mexico.

    Javali: focus on Brazil and Mexico

    Javali uses whitelisted and signed binaries, Microsoft Installer files and DLL hijacking to infect victims en masse, while still targeting by country. This is achieved by controlling the means of distribution and sending phishing emails only to addresses in the TLDs the group is interested in. We can expect expansion mainly across Latin America.

    Melcoz, a worldwide operator

    First seen: 2018 (worldwide), but active in Brazil for years
    Tricks: DLL hijacking, AutoIt loaders, Bitcoin wallet stealing module
    Confirmed victims in: Brazil, Chile, Mexico, Spain, Portugal

    Melcoz is a banking trojan family developed by a group that has been active in Brazil for years but has expanded overseas since at least 2018. The recent attacks were heavily inspired by the group’s Eastern European partners. The new operations are professionally executed, scalable and persistent, with various versions of the malware and significant infrastructure improvements that enable cybercriminal groups in different countries to collaborate.

    We found that the group has attacked assets in Chile since 2018 and, more recently, in Mexico. Still, it is highly probable that there are victims in other countries, as some of the targeted banks operate internationally. However, the attacks seem to be focused more on Latin American victims these days. As these groups speak different languages (Portuguese and Spanish), we believe that the Brazilian cybercriminals are working with local groups of coders and money mules, managed by different operators who sell access to their infrastructure and malware builders. Each campaign runs under its own unique ID, which varies between versions and the C2s used.

    Generally, the malware uses AutoIt or VBS scripts embedded in MSI files, which run malicious DLLs via DLL hijacking in order to bypass security solutions. The malware steals passwords from browsers and from memory, and provides remote access for capturing online banking sessions. It also includes a module for stealing Bitcoin wallets, which replaces the victim’s wallet address with the cybercriminals’ own.

    Yet Another Son of Remote Access PC

    Melcoz is another customization of the well-known open-source RAT Remote Access PC, available on GitHub, of which Brazilian criminals have developed many other versions. It first targeted users in Brazil, but since at least 2018 the group has shown interest in other countries, such as Chile and Mexico. The infection vector used in this attack is a phishing email containing a link to a downloadable MSI installer, as shown below.

    Phishing email written in Spanish

    Almost all of the analyzed MSI samples were built with some version of Advanced Installer, with a VBS script added to the CustomAction table so that it runs during installation. The script itself acts as a downloader for the additional files needed to load the malware onto the system, which are hosted separately as a ZIP package. We confirmed two different techniques for loading the Melcoz backdoor: an AutoIt loader script and DLL hijacking.

    The official AutoIt3 interpreter, which ships with the AutoIt installation package, is used by the malware to execute a compiled script. The VBS script runs the interpreter, passing the compiled script as an argument. Once executed, the script loads the malicious library, also passed as an argument, and calls a hardcoded exported function.

    AutoIt script acting as a loader for the malicious DLL

    The other method used to execute the second stage on the victim’s system is DLL hijacking. In this campaign, we have seen vmnat.exe, the legitimate VMware NAT service executable, abused to load the malicious payload, although the group can use a number of legitimate executables in its attacks.

    The malware has specific features that allow the attackers to perform operations related to online banking transactions, password theft and clipboard monitoring. We also found various versions of the payload: the version focused on victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida. For us, this is another sign that the operators adapt their tactics to local needs.

    After initialization, the code monitors browser activity, looking for online banking sessions. Once one is found, the malware lets the attacker display an overlay window in front of the victim’s browser while manipulating the user’s session in the background. In this way, the fraudulent transaction is performed from the victim’s own machine, making it harder for the anti-fraud solutions on the bank’s side to detect. The criminal can also request specific information asked for during the transaction, such as a secondary password or token, bypassing the two-factor authentication solutions adopted by the financial sector.

    The code also has a timer that monitors content saved to the clipboard. When the content matches the format of a Bitcoin wallet address, the malware replaces it with the cybercriminals’ own address, so a payment the victim pastes is redirected to the attackers.
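    The clipboard module works because wallet addresses are long, unreadable strings that people copy and paste without checking. The block below is an added example for this page, not Melcoz’s code: it shows the two halves of the problem in pure Python, the attacker’s substitution step (find every valid Bitcoin address in the clipboard text and swap it) and the defensive check a user or a guard tool performs (compare what was copied with what was pasted). Legacy addresses are validated with the Base58Check checksum, which is what l separates a real address from a random string; bech32 addresses are matched on shape only, since their checksum is not implemented here. The clipboard text and the attacker’s address are constructed; the only real address used is the well-known genesis-block address.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH (base58check) and bech32 segwit (shape only, checksum not verified).
CANDIDATE_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")


def _b58decode(text: str) -> bytes:
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)   # ValueError on a character outside the alphabet
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))       # each leading '1' encodes a zero byte
    return b"\0" * leading + body


def is_btc_address(text: str) -> bool:
    """True for a well-formed bech32 address or a legacy address whose Base58Check checksum holds."""
    if text.startswith("bc1"):
        return bool(CANDIDATE_RE.fullmatch(text))
    try:
        raw = _b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:                                # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_btc_addresses(text: str):
    return [m for m in CANDIDATE_RE.findall(text) if is_btc_address(m)]


def hijack_clipboard(clipboard: str, attacker_address: str) -> str:
    """The malware's timer callback, modelled: every valid wallet address in the clipboard
    is replaced with the criminals' own."""
    return CANDIDATE_RE.sub(
        lambda m: attacker_address if is_btc_address(m.group(0)) else m.group(0), clipboard)


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defensive check: the addresses that were copied must be the addresses that got pasted."""
    return find_btc_addresses(copied) != find_btc_addresses(pasted)


GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # real, well-known address
ATTACKER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"     # constructed stand-in for the criminals' wallet
SAMPLE_CLIPBOARD = "Pay 0.5 BTC to %s before Friday" % GENESIS_ADDRESS   # constructed

if __name__ == "__main__":
    swapped = hijack_clipboard(SAMPLE_CLIPBOARD, ATTACKER_ADDRESS)
    print(swapped)
    print("tampered:", paste_is_tampered(SAMPLE_CLIPBOARD, swapped))
```

    The last check is the one that matters operationally: since the swap happens between copy and paste, only a comparison across that boundary (visually checking the first and last characters, or a tool that re-reads the clipboard before the payment form submits) catches it.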

    The attackers rely on compromised legitimate servers as well as commercial servers they purchased. The compromised servers mostly host samples for attacking victims, whereas the commercial hosting is used for C2 communications. As mentioned earlier, different operators run different campaigns, which explains the different network infrastructures seen so far.

    According to our telemetry, Melcoz samples have been detected in other Latin American countries and in Europe, mainly in Spain and Portugal.

    Melcoz detections worldwide: focus on Brazil, Chile, Spain and Portugal

    El Gran Grandoreiro

    First seen: 2016
    Tricks: MaaS, DGA, C2 information stored on Google Sites
    Confirmed victims in: Brazil, Mexico, Portugal, Spain

    Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin America and later in Europe with great success, focusing its efforts on evading detection by using modular installers. Among the four families described here, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions from the victims’ computers, bypassing the security measures used by banking institutions.

    We have observed this campaign since at least 2016, with the attackers improving their techniques regularly, aiming to stay unmonitored and active longer. The malware uses a specific Domain Generation Algorithm (DGA) to hide the C2 address used during the attack; this is one of the key points that helped in clustering the campaign.

    It is still not possible to link this malware to any specific cybercrime group, although it is clear that the campaign uses a MaaS (Malware-as-a-Service) business model, based on information collected during the analysis showing that many operators are involved.

    While tracking cybercrime campaigns that targeted Latin America, we found one interesting attack that was very similar to known Brazilian banking malware but had distinctive features in the infection vector and the code itself. It was possible to identify two clusters of attacks, the first targeting Brazilian banks and the second aimed at other banks in Latin America and Europe. This is to be expected: many European banks have operations and branches in Latin America, so this is a natural next step for the cybercriminals.

    The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.

    Fake page driving the user to download the malicious payload

    In most cases, the MSI file executed a function from the embedded DLL, but there were also other cases where a VBS script was used in place of the DLL.

    MSI containing an action to execute a specific function from the DLL

    The function then downloads an encrypted file containing the final payload used in the campaign. The file is encrypted with a custom XOR-based algorithm using the key 0x0AE2. In the latest versions, the authors moved from encryption to a base64-encoded ZIP file.
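    Both the Grandoreiro payload above and the double-encrypted Guildma payload described earlier are protected with repeating-key XOR, and a payload that is a PE file hands the analyst a known plaintext: the first 60 bytes of a DOS header produced by the Microsoft linker are fixed. The block below is an added example for this page, not either family’s decryptor and not a reproduction of their exact algorithms: it XORs a constructed PE prefix with two keys (0x0AE2 split into its two bytes, byte order assumed, plus a constructed second key), shows that two XOR layers collapse into one key whose period is the lcm of the two lengths, and recovers that combined key from the ciphertext using only the known header, rejecting the result if the DOS stub text does not come out.

```python
import math
import struct

# First 60 bytes of a DOS header as emitted by the Microsoft linker (e_lfanew at 0x3C varies).
KNOWN_DOS_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32)
DOS_STUB_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"

# Keys for the illustration: 0x0AE2 from the description above (byte order is an
# assumption) and a constructed second key standing in for Guildma's second layer.
KEY_A = bytes([0x0A, 0xE2])
KEY_B = bytes([0x37, 0x91, 0x5C, 0x04, 0xB3])


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_twice(plain: bytes, key_a: bytes = KEY_A, key_b: bytes = KEY_B) -> bytes:
    """Two XOR layers with different keys, as described for the latest Guildma version."""
    return xor_repeating(xor_repeating(plain, key_a), key_b)


def combined_key(key_a: bytes, key_b: bytes) -> bytes:
    """Two repeating-key XOR layers equal one layer with period lcm(len(a), len(b))."""
    period = len(key_a) * len(key_b) // math.gcd(len(key_a), len(key_b))
    return bytes(key_a[i % len(key_a)] ^ key_b[i % len(key_b)] for i in range(period))


def recover_key(cipher: bytes, known_prefix: bytes, max_period: int = 64):
    """Known-plaintext attack: cipher XOR plaintext over the known prefix is the key stream.
    Return the shortest period that repeats at least twice and explains every byte, or None."""
    stream = bytes(c ^ p for c, p in zip(cipher, known_prefix))
    for period in range(1, min(max_period, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def decrypt_with_recovered_key(cipher: bytes) -> bytes:
    key = recover_key(cipher, KNOWN_DOS_HEADER)
    if key is None:
        raise ValueError("no repeating XOR key explains the DOS header")
    plain = xor_repeating(cipher, key)
    if DOS_STUB_TEXT not in plain:          # the key must also explain bytes outside the prefix
        raise ValueError("key fits the header but not the stub: not plain repeating XOR")
    return plain


def make_sample_payload() -> bytes:
    """Constructed PE prefix (not a real sample): DOS header, stub, and a PE signature at 0x80."""
    header = KNOWN_DOS_HEADER + struct.pack("<I", 0x80)
    return (header + DOS_STUB_CODE + DOS_STUB_TEXT).ljust(0x80, b"\0") + b"PE\0\0" + b"\0" * 60


if __name__ == "__main__":
    cipher = encrypt_twice(make_sample_payload())
    print("recovered key:", recover_key(cipher, KNOWN_DOS_HEADER).hex())
    print(decrypt_with_recovered_key(cipher)[:2])
```

    The consequence for the double-encrypted Guildma payloads is that the second key buys nothing against this attack: whatever the two key lengths, the analyst recovers the combined stream directly and never needs the individual keys. The check on the stub text is there because any 60-byte key stream trivially "explains" 60 bytes of known plaintext.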

    The main module is in charge of monitoring all browser activity, looking for any actions related to online banking. As we analyzed the campaign, we identified two clusters of activity: the first one mainly focused on Brazilian targets and the second one focused more on international targets.

    The code suggests that the campaign is managed by several operators. Each sample build specifies an operator ID, which is used to select the C2 server to contact.

    Code used to generate the URL based on the operator ID

    The code above calculates the path of a Google Sites page that holds information about the C2 server the malware should use. The algorithm combines a key that is specific to the operator with the current date, so the URL changes daily. An implementation of this algorithm can be found in Appendix II.

    ID  Operator  Key                                                             Date    Generated path
    01  zemad     jkABCDEefghiHIa4567JKLMN3UVWpqrst2Z89PQRSTbuvwxyzXYFG01cdOlmno  16Mar0  zemadhjui3nfz
    02  rici      jkABCDEefghFG01cdOlmnopqrst2Z89PQRiHIa4567JKLMN3UVWXYSTbuvwxyz  16Mar0  ricigms0rqfu
    03  breza     01cdOlmnopqrst2Z89PQRSTbuvwxjkABCDEefghiHIa4567JKLMN3UVWXYFGyz  16Mar0  brezasqvtubok
    04  grl2      mDEefghiHIa4567JKLMNnopqrst2Z89PQRSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  grl25ns6rqhk
    05  rox2      567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  rox2rpfseenk
    06  mrb       567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  mrbrpfseenk
    07  ER        jkABCDEefghiHIa4567JKLMN3UVWXYFG01cdOlmnopqrst2Z89PQRSTbuvwxyz  16Mar0  erhjui3nf8

    The Date column is the day, the abbreviated month and, apparently, the last digit of the year (16Mar0 is 16 March 2020). Every generated path begins with the lower-cased operator name and ends with an eight-character suffix; operators 05 and 06, which share a key, also share the suffix.

    The generated path will then be contacted in order to get information about the C2 server to be used for execution.
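    To make explicit what the seven rows do and do not support, here is an added Python check over the table as transcribed above. It is not the malware's own algorithm (this excerpt does not reproduce Appendix II). It verifies that every key is a permutation of the 62-symbol alphanumeric alphabet 0-9a-zA-Z, that every path is the lower-cased operator name plus an eight-character suffix, and that the two operators sharing a key and a date also share a suffix, which suggests the operator name is only a prefix and does not feed the derivation. The closing regex is a hunting heuristic built from those observations; that the shape generalises beyond these seven samples is an assumption.

```python
import re
import string

# Alphabet the keys turn out to be drawn from: 0-9, a-z, A-Z (62 symbols).
BASE62 = string.digits + string.ascii_lowercase + string.ascii_uppercase

# Rows transcribed from the operator table above:
# (operator ID, operator name, key, date field, generated path).
OPERATOR_TABLE = [
    ("01", "zemad", "jkABCDEefghiHIa4567JKLMN3UVWpqrst2Z89PQRSTbuvwxyzXYFG01cdOlmno", "16Mar0", "zemadhjui3nfz"),
    ("02", "rici",  "jkABCDEefghFG01cdOlmnopqrst2Z89PQRiHIa4567JKLMN3UVWXYSTbuvwxyz", "16Mar0", "ricigms0rqfu"),
    ("03", "breza", "01cdOlmnopqrst2Z89PQRSTbuvwxjkABCDEefghiHIa4567JKLMN3UVWXYFGyz", "16Mar0", "brezasqvtubok"),
    ("04", "grl2",  "mDEefghiHIa4567JKLMNnopqrst2Z89PQRSTbuv01cdOlwxjkABC3UVWXYFGyz", "16Mar0", "grl25ns6rqhk"),
    ("05", "rox2",  "567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz", "16Mar0", "rox2rpfseenk"),
    ("06", "mrb",   "567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz", "16Mar0", "mrbrpfseenk"),
    ("07", "ER",    "jkABCDEefghiHIa4567JKLMN3UVWXYFG01cdOlmnopqrst2Z89PQRSTbuvwxyz", "16Mar0", "erhjui3nf8"),
]


def is_base62_permutation(key: str) -> bool:
    """True if the key is exactly the 62-symbol alphanumeric alphabet in some order."""
    return len(key) == len(BASE62) and sorted(key) == sorted(BASE62)


def split_path(operator: str, path: str):
    """Split a generated path into (lower-cased operator prefix, per-day suffix), or None."""
    prefix = operator.lower()
    if not path.startswith(prefix):
        return None
    return prefix, path[len(prefix):]


def analyse_table(rows=OPERATOR_TABLE) -> dict:
    """Check the structural invariants the sample rows obey."""
    keys_ok = all(is_base62_permutation(key) for _, _, key, _, _ in rows)
    suffixes = {}
    for op_id, operator, key, date, path in rows:
        parts = split_path(operator, path)
        if parts is None:
            raise ValueError(f"path {path!r} does not start with operator {operator!r}")
        suffixes[op_id] = (key, date, parts[1])
    suffix_lengths = {len(s) for _, _, s in suffixes.values()}
    # Rows sharing (key, date) should share the suffix if the operator name is
    # only a prefix and plays no part in the derivation.
    by_key_date = {}
    for op_id, (key, date, suffix) in suffixes.items():
        by_key_date.setdefault((key, date), []).append((op_id, suffix))
    shared = [tuple(i for i, _ in grp) for grp in by_key_date.values() if len(grp) > 1]
    consistent = all(len({s for _, s in grp}) == 1 for grp in by_key_date.values())
    return {
        "keys_are_base62_permutations": keys_ok,
        "suffix_lengths": suffix_lengths,
        "operators_sharing_key": shared,
        "shared_key_gives_same_suffix": consistent,
        "suffix_alphabet": sorted({c for _, _, s in suffixes.values() for c in s}),
    }


def path_pattern(operators):
    """Hunting heuristic built from the samples: <operator><8 chars of [a-z0-9]>.

    Assumption: the eight-character lower-case-alphanumeric shape generalises
    beyond the seven observed rows; treat hits as leads, not verdicts.
    """
    ordered = sorted(operators, key=len, reverse=True)
    alternation = "|".join(re.escape(op.lower()) for op in ordered)
    return re.compile(rf"^(?P<operator>{alternation})(?P<suffix>[a-z0-9]{{8}})$")


def matches_known_operator(path: str, operators=None) -> bool:
    ops = operators or [row[1] for row in OPERATOR_TABLE]
    return path_pattern(ops).fullmatch(path) is not None


if __name__ == "__main__":
    for k, v in analyse_table().items():
        print(f"{k}: {v}")
```

    The base62-permutation finding is the useful one for analysis: each operator key is a shuffled alphabet, i.e. a substitution table, which narrows down what to look for in the sample's path-generation routine.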

    C2 information stored on Google Sites

    The operator controls infected machines by using a custom tool. The tool will notify the operator when the victim is available and enable the operator to perform a number of activities on the machine, such as:

    • requesting information needed for the banking transaction, such as an SMS token or QR code;
    • allowing full remote access to the machine;
    • blocking access to the bank website: this feature helps to prevent the victim from learning that funds were transferred from their account.

    DGA and Google sites

    The campaign uses commercial hosting sites in its attacks. In many cases the operators use a very specific web server, HFS (HTTP File Server), to host the encrypted payloads. A small customization of the displayed page gives them away: the counter reads “Infects” instead of the default “Hits”.

     HFS used for hosting the encrypted payloads

    Those hosting sites are disposable. Each is used for a short time before the operators move on to another server. We have seen Grandoreiro use DGA functions to generate a connection to a Google Sites page storing C2 information.

    As for the victims, analysis of the samples confirms that the campaign targets Brazil, Mexico, Spain and Portugal. It is quite possible that other countries are also affected, since the targeted institutions have operations in other countries as well.

    Grandoreiro: focus on Brazil, Portugal and Spain

    Conclusions

    Guildma, Javali, Melcoz and Grandoreiro are examples of Brazilian banking groups/operations that have decided to expand their attacks abroad, targeting banks in other countries. They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks to customers of these financial institutions.

    Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners. They are certainly leading the creation of this type of threat in Latin America, mainly because they need local partners to manage the stolen money and to help with translation, as most of them are not native Spanish speakers. This professional approach draws a lot of inspiration from ZeuS, SpyEye and other big banking trojans of the past.

    As a threat, these banking trojan families try to innovate by using DGA, encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks as a way of obstructing analysis and detection. We believe that these threats will evolve to target more banks in more countries. We know they are not the only ones doing this, as other families of the same origin have already made a similar transition, possibly inspired by the success of their “competitors”. This seems to be a trend among Brazilian malware developers that is here to stay.

    We recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. All the details, IoCs, Yara rules and hashes of these threats are available to the users of our Financial Threat Intel services.


    Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

    The Russian Prime Minister spoke about the growth of cybercrime activity in Russia

    Russian Prime Minister Mikhail Mishustin said that this spring there was an increase in cybercrime activity. The Prime Minister said this on July 8 in a video message to participants of the international online cybersecurity training Cyber Polygon 2020.

    “This spring, we observed an increase in the activity of cybercriminals. More than 90% of successful attacks are carried out using social engineering methods: fraudsters attack us with phishing emails and use the technology of number substitution, trying to take citizens by surprise,” said the prime minister.

    According to Mishustin, cyber threats can also come from entire states. “Geopolitical differences also extend to the digital environment, thus adding countries to the list of possible sources of threats to digital security,” he said.

    The Prime Minister drew attention to the fact that security researchers regularly detect complex malware that is specifically designed to disable critical functionality and cause physical damage to industries and infrastructure.

    He said that the government, in cooperation with Russian companies in the field of information technology security, is working to inform the population about cyber risks and cyber threats. This makes it possible to solve many problems, but there are still many issues that require attention.

    Mishustin pointed out that the national action plan for the recovery of the Russian economy after the crisis is based on the increasing digitalization of the economy and government.

    “We will radically increase the number of e-government services provided and create fundamentally new systems to support digital business. In these conditions, one of the most important areas is the protection of cyberspace,” added the head of the Cabinet of Ministers.

    In addition, the Prime Minister said that the key to a secure digital future for the entire world is cooperation in the field of cybersecurity, and Russia is ready to share its achievements in this field with the world.

    He noted that Russia is today one of the leaders in technological progress. According to the Prime Minister, Russian developments in the field of information security successfully compete on the international market.



    Russian Medvedev pleaded guilty to cybercrime in a US court

    The US Department of Justice considers Sergei Medvedev one of the founders of the transnational organization Infraud, which sold stolen personal, banking and financial data, as well as information from credit and debit cards

    Russian Sergei Medvedev, accused in the United States of cybercrime and causing damage of $568 million, pleaded guilty, said the US Justice Department on June 26.

    “Sergey Medvedev, also known as Stells, segmed and serjbear, aged 33, from the Russian Federation, pleaded guilty before US District Court Judge James Mahan in Nevada,” the Department said in a statement.

    According to the Department of Justice, Infraud engaged in the large-scale acquisition, sale and distribution of stolen identification data, information from compromised debit and credit cards, personal information, banking and financial data, and malicious computer programs.

    Prosecutors believe that Infraud was created in October 2010 by Svyatoslav Bondarenko, a native of Ukraine also known as Obnon, Rector and Helkern. In the United States, Medvedev is also considered one of the creators of the platform. The organization’s slogan was “In Fraud We Trust”. By March 2017, the organization had almost 11,000 registered members (according to the US Department of Justice). The losses from Infraud’s operations amounted to more than $568 million.

    Recall that on February 8, 2018, the Department reported that 36 people had been charged with involvement in the activities of Infraud. At the same time, it reported the arrest of 13 members of the organization, citizens of the United States, Australia, Britain, France, Italy, Kosovo and Serbia.

    The next day, the detention of Sergei Medvedev in Thailand became known. The operation to detain him was conducted by local police at the request of the FBI. The Bangkok Post reported at the time that Medvedev had been engaged in illegal online trading for bitcoins, and that more than 100 thousand bitcoins were found in his accounts.

    Earlier on Friday, it was reported that a court in the United States found Russian Alexey Burkov guilty of cybercrime and sentenced him to nine years in prison.



    Medvedev: law enforcement agencies will need new technologies for detecting cybercrime

    According to the Deputy head of the Russian Security Council, the Internet is becoming more open, and this makes it an ideal field for criminal communities.

    Dmitry Medvedev, Deputy Chairman of the Russian Security Council, wrote an article titled “Security Cooperation during the new coronavirus pandemic”. In it, he said that the new schemes of cybercriminals will require law enforcement agencies to use new technologies for recording crimes.

    “Cybercrime will also gain momentum, creating new fraudulent schemes to which law enforcement agencies will have to respond very quickly, and due to the cross-border nature of transactions, new forms of cooperation between law enforcement agencies from different countries and the most modern technological means of detecting and recording crimes will be required,” said Medvedev.

    In his article, he noted that the coronavirus pandemic has led to a surge in virtual crime. The Deputy head of the Security Council also stressed that the Internet is becoming more open, and this carries huge risks, making it an ideal field for criminal groups.

    “Until recently, it was difficult to imagine that the largest companies would completely switch to holding meetings online, for example using Zoom. And any program has its own features,” warned Medvedev.

    He also drew attention to the fact that during the pandemic period, humanity began to digitalize trade from the sale of household goods through online stores to large-scale transactions concluded in digital form using appropriate payment methods. 

    “The volume of such trade is measured in hundreds of billions of dollars and will grow. This is an irreversible process,” he said, adding that such transactions also attract the attention of cybercriminals.

    Medvedev said that Russia is actively working on the development of the national cybersecurity system. 

    He called on the world community to cooperate more closely to ensure global security in the digital world. “It is time for all of us to adopt new laws and international conventions on countering terrorism and crime in the digital space. This work is already underway, but it should be accelerated,” summed up the Deputy head of the Security Council.



    Verizon’s 2020 DBIR | Securelist

    Verizon’s 2020 DBIR is out, you can download a copy or peruse their publication online. Kaspersky was a contributor once again, and we are happy to provide generalized incident data from our unique and objective research.

    We have contributed to this project and others like it for years now. This year’s ~120-page report analyzes data from us and 80 other contributors from all over the world. The team provides thoughts on a mountain of breach data: “This year, we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches”. This year Verizon also pulled in far more data on cybercrime breaches and reports on thousands of them. We include a few interesting notes here.

    • 70% of reported breaches were perpetrated by external actors.
    • Majority of breaches do not just involve a dropped Trojan.
    • 86% of breaches were financially motivated.
    • 81% of breaches were contained in days or less.
    • Defenders are up against organized crime.
    • Almost a third of reported breaches involved ransomware.



    Cyberthreats on lockdown | Securelist

    Every year, our anti-malware research team releases a series of reports on various cyberthreats: financial malware, web attacks, exploits, etc. As we monitor the increase, or decrease, in the number of certain threats, we do not usually associate these changes with concurrent world events – unless these events have a direct relation to the cyberthreats, that is: for example, the closure of a large botnet and arrest of its owners result in a decrease in web attacks.

    However, the COVID-19 pandemic has affected us all in some way, so it would be surprising if cybercriminals were an exception. Spammers and phishers were naturally the trailblazers in this – look for details in the next quarterly report – but the entire cybercrime landscape has changed in the last few months. Before we discuss the subject, let us get something out of the way: it would be farfetched to attribute all of the changes mentioned below to the pandemic. However, certain connections can be traced.

    Remote work

    The first thing that caught our attention was remote work. From an information security standpoint, an employee within the office network and an employee connecting to the same network from home are two completely different users. It seems cybercriminals share this view, as the number of attacks on servers and remote access tools has increased as their usage has grown. In particular, the average daily number of bruteforce attacks on database servers in April 2020 was up by 23% from January.

    Distribution of botnet C&C servers by country, Q1 2020

    Unique computers subjected to bruteforce attacks, January through April 2020

    Cybercriminals use brute force to penetrate a company’s network and subsequently launch malware inside its infrastructure. We are monitoring several cybercrime groups that rely on the scheme. The payload is usually ransomware, mostly from the Trojan-Ransom.Win32.Crusis, Trojan-Ransom.Win32.Phobos and Trojan-Ransom.Win32.Cryakl families.

    RDP attacks and ways to counter them were recently covered in detail by Dmitry Galov in his blog post, “Remote spring: the rise of RDP bruteforce attacks”.

    Remote entertainment

    Online entertainment activity increased as users transitioned to a “remote” lifestyle. The increase was so pronounced that some video streaming services, such as YouTube, announced that they were changing their default video quality to help with reducing traffic. The cybercriminal world responded by stepping up web threats: the average daily number of attacks blocked by Kaspersky Web Anti-Virus increased by 25% from January 2020.

    Web-based attacks blocked, January through April 2020

    It is hard to single out one specific web threat as the driver – all of the threats grew more or less proportionally. Most web attacks that were blocked originated with resources that redirected users to all kinds of malicious websites. Some of these were phishing resources and websites that subscribed visitors to unsolicited push notifications or tried to scare them with fake system error warnings.
    We also noticed an increase in Trojan-PSW browser script modifications that could be found on various infected sites. Their main task was to capture bank card credentials entered by users while shopping online and transfer these to cybercriminals.
    Websites capable of silently installing cookie files on users’ computers (cookie stuffing) and resources that injected advertising scripts into users’ traffic together accounted for a significant share of the web threats.



    Remote spring: the rise of RDP bruteforce attacks

    With the spread of COVID-19, organizations worldwide have introduced remote working, which is having a direct impact on cybersecurity and the threat landscape.

    Alongside the higher volume of corporate traffic, the use of third-party services for data exchange, and employees working on home computers (and potentially insecure Wi-Fi networks), another headache for infosec teams is the increased number of people using remote-access tools.

    One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary protocol, RDP. The lockdown has seen a great many computers and servers exposed for remote connection, and right now we are witnessing an increase in cybercriminal activity aimed at exploiting the situation to attack corporate resources that have been made available (sometimes in a hurry) to remote workers.

    Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet:

    Growth in the number of attacks by the Bruteforce.Generic.RDP family, February–April 2020

    Attacks of this type are attempts to brute-force a username and password for RDP by systematically trying all possible options until the correct one is found. The search can be based on combinations of random characters or a dictionary of popular or compromised passwords. A successful attack gives the cybercriminal remote access to the target computer in the network.

    Brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.
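    The following Python rule, added here as an example rather than anything from Kaspersky’s telemetry or products, shows what “systematically trying all possible options” looks like from the defender’s side. It runs a sliding window over constructed Windows Security event 4625 (logon failure) records, counts failures per source IP for RDP logons (LogonType 10), and separates single-account brute force from password spraying by the number of distinct usernames inside the window. The records are constructed, not real logs, and the source addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample, not real telemetry. One record per Windows Security event
# 4625 (logon failure), reduced to the fields an RDP brute-force rule needs:
# TimeCreated, EventID, LogonType, IpAddress, TargetUserName.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = Network, kept as noise.
# Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-04-06T09:00:01Z,4625,10,203.0.113.7,administrator
2020-04-06T09:00:03Z,4625,10,203.0.113.7,administrator
2020-04-06T09:00:04Z,4625,10,203.0.113.7,administrator
2020-04-06T09:00:06Z,4625,10,203.0.113.7,administrator
2020-04-06T09:00:09Z,4625,10,203.0.113.7,administrator
2020-04-06T09:00:12Z,4625,10,203.0.113.7,administrator
2020-04-06T09:05:00Z,4625,10,198.51.100.23,jsmith
2020-04-06T09:20:00Z,4625,10,198.51.100.23,jsmith
2020-04-06T09:35:00Z,4625,10,198.51.100.23,jsmith
2020-04-06T09:40:00Z,4625,3,192.0.2.9,svc_backup
2020-04-06T09:40:01Z,4625,3,192.0.2.9,svc_backup
2020-04-06T09:40:02Z,4625,3,192.0.2.9,svc_backup
2020-04-06T09:40:03Z,4625,3,192.0.2.9,svc_backup
2020-04-06T09:40:04Z,4625,3,192.0.2.9,svc_backup
2020-04-06T10:00:00Z,4625,10,203.0.113.50,admin
2020-04-06T10:00:01Z,4625,10,203.0.113.50,administrator
2020-04-06T10:00:02Z,4625,10,203.0.113.50,guest
2020-04-06T10:00:03Z,4625,10,203.0.113.50,user
2020-04-06T10:00:04Z,4625,10,203.0.113.50,test
"""


def parse_events(text: str) -> list:
    """Parse the CSV-style records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.strip().split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5), logon_types=(10,)):
    """Flag a source IP once it accumulates `threshold` failed RDP logons inside `window`.

    The window slides per source address; an IP is reported once, with the
    failure count and distinct usernames at the moment it crossed the threshold.
    """
    recent = defaultdict(deque)   # ip -> deque of (time, user) still inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["event_id"] != 4625 or e["logon_type"] not in logon_types:
            continue
        q = recent[e["ip"]]
        q.append((e["time"], e["user"]))
        while e["time"] - q[0][0] > window:      # drop entries that aged out
            q.popleft()
        if len(q) >= threshold and e["ip"] not in alerted:
            alerted.add(e["ip"])
            users = {u for _, u in q}
            # Many distinct accounts from one source in a short window is spraying;
            # repeated attempts against one or two accounts is classic brute force.
            kind = "password spray" if len(users) * 2 > len(q) else "brute force"
            alerts.append({
                "ip": e["ip"],
                "failures": len(q),
                "distinct_users": len(users),
                "kind": kind,
                "first": q[0][0],
                "last": e["time"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{a['ip']}: {a['failures']} failures, {a['distinct_users']} users, {a['kind']}")
```

    In the sample, 203.0.113.7 is reported as brute force and 203.0.113.50 as a password spray, while 198.51.100.23 never has five failures inside one five-minute window and the LogonType 3 noise from 192.0.2.9 is filtered out. One caveat for production use: with Network Level Authentication enabled, failed RDP logons are commonly recorded with LogonType 3 rather than 10, because the credentials are rejected at the CredSSP stage before a session exists, which is why `logon_types` is a parameter rather than a constant.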

    Attacks on remote-access infrastructure (as well as collaboration tools) are unlikely to stop any time soon. So if you use RDP in your work, be sure to take all possible protection measures:

    • At the very least, use strong passwords.
    • Make RDP available only through a corporate VPN.
    • Use Network Level Authentication (NLA).
    • If possible, enable two-factor authentication.
    • If you don’t use RDP, disable it and close port 3389.
    • Use a reliable security solution.

    If you use a different remote-access protocol, you still cannot relax: at the end of last year, Kaspersky experts found 37 vulnerabilities in various clients that connect via the VNC protocol, which, like RDP, is used for remote access.

    Companies need to closely monitor programs in use and update them on all corporate devices in a timely manner. This is no easy task for many companies at present, because the hasty transition to remote working has forced many to allow employees to work with or connect to company resources from their home computers, which often fall short of corporate cybersecurity standards. Our advice is as follows:

    • Give employees training in the basics of digital security.
    • Use different strong passwords to access different corporate resources.
    • Update all software on employee devices to the latest version.
    • Where possible, use encryption on devices used for work purposes.
    • Make backup copies of critical data.
    • Install security solutions on all employee devices, as well as solutions for tracking equipment in case of loss.



    The United States accused the manager of Group-IB of cybercrime

    According to an indictment in a court database, US authorities accuse Nikita Kislitsin, manager of a Russian cybersecurity company Group-IB, of hacking the Formspring social network. Group-IB, which does not appear in the charge, found the charges against its employee unfounded.

    Kislitsin was the editor-in-chief of the magazine Hacker from 2006 to 2012. In 2012 he worked for some time in the United States, and since 2013 he has been working at Group-IB, where he is engaged in security threat intelligence. The indictment against Kislitsin dates back to 2014 but was unsealed and uploaded to the San Francisco court database only this week.

    Kislitsin was charged with two counts related to the use of illegal access devices. One count carries up to 10 years in prison, the other up to 5 years; Kislitsin also faces a fine of $250,000.

    The indictment states that Kislitsin received the names, email addresses and passwords of Formspring customers from a hacker accomplice and then tried to sell them to another accomplice for €5,500. In total, the case involves three accomplices of Kislitsin, none of whom is named.

    Group-IB issued a statement on its website linking the charges against Kislitsin to the case of Yevgeny Nikulin, whose trial opens in California next week. Nikulin is accused of illegally accessing data from the social network LinkedIn, Dropbox and Formspring servers.

    Group-IB states that it supports its employee. Moreover, neither the company nor Nikita Kislitsin has received an official summons, notification or invitation to the upcoming court hearing in the Nikulin case.

    The company said that Group-IB is currently consulting with international lawyers for a legal assessment of the situation and making a decision on further actions.



    FBI: Cybercrime losses tripled over the last 5 years

    On the upside, the Bureau recovered more than US$300 million in funds lost to online scams last year

    In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the annual 2019 Internet Crime Report from the Bureau’s Internet Crime Complaint Center (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.

    Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.

    Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.

    Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.

    Seniors are often the targets of romance, tech support, government impersonation and lottery scams. Victims of these schemes have been defrauded out of over US$835 million. Romance and confidence fraud alone account for almost half a billion dollars in losses, with the FBI estimating that up to 30% of romance fraud victims had been used as money mules.

    Tech support fraud remains a growing problem as scammers attempt to defraud their victims by contacting them under the pretense of resolving a non-existent technical issue with their software licenses or bank accounts.

    Recently, however, scammers have started impersonating representatives of well-known travel companies, financial institutions or virtual currency exchanges. Tech support fraud has claimed approximately US$54 million in losses in 2019, a 40% increase compared to the previous year, with most victims falling into the over-60 age category.

    Meanwhile, losses from ransomware reached around US$9 million, almost triple the losses incurred in 2018. The number of reported victims also rose to about 2,000 from 1,500 in 2018. While phishing was still the most widespread problem, claiming 114,072 victims last year, non-payment and non-delivery scams came in second with about half as many victims, 61,832.

    Not to end on a bleak note, the FBI’s Recovery Asset Team (RAT) helped retrieve almost US$305 million lost in scams, recovering 79% of the losses reported to it.



    Amer Owaida

