Trend Ransomware Report

Wednesday, July 29, 2015

21st Century Extortion
The scourge of crypto-ransomware malware featured prominently in threat predictions for 2015, and the 165% increase reported in Q1 2015 indicates that these fears were well founded. Using a criminal model that runs counter to many of the others included in the threat predictions, crypto-ransomware is not concerned with exfiltrating valuable data; instead it surreptitiously encrypts files and then issues an abrupt, confrontational extortion demand. While on the surface the technique may seem crude, the evolution of crypto-ransomware, and of the criminal marketplace that has served as its incubator, shows that it is actually a calculated operation, abusing technologies long upheld by privacy advocates. The propagation statistics of the CTB-Locker variant are broadly illustrative of the overall geographic spread of this subversive threat during 2015 to date.

The infection vector criminals use to distribute crypto-ransomware varies, and is often symbiotic with prior malware infections; during 2014 it would often be a result of the Gameover Zeus botnet, and 2015 has seen an increase in ransomware as part of a malware lifecycle encompassing ‘click fraud’ and ‘malvertising’.

Once a machine is infected, asymmetric encryption is employed: a public-private key pair is generated and the malware uses it to encrypt files. The key used to encrypt the files is often itself encrypted again, typically using a combination of RSA and AES cryptography, and ultimately, without access to the attacker’s private key, it is next to impossible to decrypt the data.

Over time the price point of the ransom demand has been adjusted by criminals, and is now commonly around $400 (€360) to be paid in Bitcoin, which appears to be close to the price ceiling at which untargeted ransomware balances likelihood of payment with the maximum ransom demand from an average user. However in June 2015 the FBI issued an advisory stating the CryptoWall variant had caused $18 million in damages including ransom payments of $200-$10,000 from both individuals and businesses.

Crypto-ransomware epitomises the nexus between the modern cyber-criminal and effective use of age-old psychological intimidation, and is a model that appears to scale well to technologies like mobile, cloud and IoT. Indeed the potential for this threat to develop further, nurtured within the cyber-criminal ecosystem is perhaps more sinister than viewing propagation statistics alone.

The only way to nullify the criminal business model would be for no-one to pay a ransom; however such idealism is of no comfort to an individual or business that has been infected and lacks sufficient safeguards. Security awareness and system hardening are preventative measures, but the only contingency to rely on should infection occur is to have sufficient backups: ideally three copies, in two different formats, with one stored offline. Coding errors and seizures by law enforcement relating to specific variants may offer a chance of decryption in a small percentage of cases, but a ‘cure’ should be regarded as non-existent. The criminals may never even intend to provide decryption, but the trajectory of ransomware is testament to the number of unprepared victims who felt they had no other choice.

» Download the "Cyber Security Pulse and Ransomware report"

Ben Walton 
ben.walton@11paths.com

Top of the app charts. Shuabang: automated malware made in China

Tuesday, July 28, 2015

Have you ever wondered how some apps rocket up the charts so quickly? Sometimes you’ll spot one that seems like a curveball, like a pub rock covers band hitting number one in the download charts. At the Barcelona eCrime symposium ElevenPaths presented some new thinking on a new Android malware trend called "Shuabang", a term used in China to describe the shady methods whereby certain apps are "gamed" in app stores to get them to the top of the charts.

Get downloading – a whole industry in China

"Shuabang" is to app markets what "Black SEO" is to search engines and is sold as a service sometimes for a few hundred or thousands of dollars.

http://www.theverge.com/2015/2/12/8024861/top-10-app-store-manipulation-photo
This image of a factory line process, with workers employed solely to download apps to boost their ranking, was picked up widely in the media earlier in the year. But there’s a stumbling block to the number of downloads you can get… Google accounts. In Google Play a Gmail account is needed to download an app. Moreover, you not only need a Gmail account (that requires CAPTCHA authentication) but you need this account to be associated with a device ID.

But to get their fake download rate up, companies would need thousands of registered accounts. There are only so many people you can employ to hit download all day, and that isn’t exactly an efficient way to run a business. This brings us to the question: "where can we get the other thousands of accounts?" It’s possible to steal them or buy them on the black market, but that carries all sorts of risks. Then, of course, there’s always malware, a malicious program that can do much of the heavy lifting for you by infecting numerous devices. There are already services in China that can break CAPTCHAs, but device IDs, which are harder to get, are also required for downloading. You can’t just invent device IDs either, as Google will spot them and ban the account from the outset, taking you back to square one.

The big (Shua)bang

What Eleven Paths found (thanks to Tacyt) was a new kind of malware spread via Google Play that associated fake accounts with existing device IDs. People infected with the malware were unknowingly giving away their own device’s ID to the malware creators, which were then associated with these fake Gmail accounts.

The attacker created more than 12,000 Gmail accounts and made them available to malware providers via simple web requests. They then created a malicious app that requested a Gmail account from the attackers’ server every ten minutes. The program then simulated the whole registration process against Google services, thereby creating a new, seemingly human, profile. With this the attacker had all they needed to automate the Shuabang system. These apps were disguised as downloads and spread in Google Play between September and November 2014, getting millions of downloads in the process. Users who thought they were downloading a wallpaper, for example, were actually feeding this army of fake accounts for a Shuabang company.

Steal, buy or... do it yourself with malware

ElevenPaths found and alerted Google about these apps, which were then removed. The team studied them and even had access to the attackers’ servers. The apps contained a reverse-engineered reimplementation of the Android account registration process. The server got millions of hits, with the results fuelling the 12,000 registered accounts across millions of innocent devices. Victims’ real accounts were not compromised, but the harm to them came in consumed traffic and the potential for their device ID to be banned for fraudulent use. The attacker created a whole system connected to a "legal" company in China that offered "positioning services" for Android apps.

New malware methods

This attack was extremely interesting, not only for the code of the malware itself, but because they managed to fool Google Play by uploading these apps hundreds of times. Antivirus vendors were not aware of the attack until ElevenPaths told them, and they had to define a new malware variant in order to detect these apps.

But the work did not stop there. ElevenPaths has been following the gang since the apps were removed and has learned about their new plans. They have found new malware that does not just associate an account with a device ID but creates the Gmail account from scratch, although it’s not believed this particular malware has spread yet. This time the new malware is not assigned Gmail accounts; instead, using data from the attackers’ server, it asks Google to create the Gmail account, sends the CAPTCHA to a CAPTCHA-breaking service, gets it solved and associates the device ID... all without the victim noticing anything.
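The server-side pattern this post describes (one device ID quietly bound to a fresh account every ten minutes) is something an account provider or fraud team can look for in its own registration logs. The following is an added example, not ElevenPaths' code nor anything taken from the attackers' infrastructure: it reads a constructed log of (timestamp, device ID, account) registration events, counts how many distinct accounts a device is bound to within a sliding one-hour window, and reports the median gap between bindings so that a clockwork ten-minute cadence stands out. The log format, the thresholds and the device identifiers are all assumptions.

```python
"""Flag device IDs bound to an abnormal number of accounts.

Added example illustrating the Shuabang pattern (a device ID registered
against a new account every ten minutes); not ElevenPaths' code. The log
format and every sample value below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed registration log: ISO timestamp, device ID, account.
# dev-a1 shows the clockwork pattern; dev-b2 and dev-c3 are ordinary users.
EVENTS_TXT = """\
2014-10-01T09:00:00 dev-a1 acct0001@mail.example
2014-10-01T09:10:00 dev-a1 acct0002@mail.example
2014-10-01T09:20:00 dev-a1 acct0003@mail.example
2014-10-01T09:30:00 dev-a1 acct0004@mail.example
2014-10-01T09:40:00 dev-a1 acct0005@mail.example
2014-10-01T08:15:00 dev-b2 bob@mail.example
2014-09-28T18:00:00 dev-c3 carol@mail.example
2014-10-02T18:00:00 dev-c3 carol.work@mail.example
"""


def parse_events(text):
    """Return a list of (timestamp, device_id, account) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, device, account = line.split()
        events.append((datetime.fromisoformat(ts), device, account))
    return events


def max_accounts_in_window(events, window=timedelta(hours=1)):
    """For each device, the largest number of distinct accounts bound to it
    within any window of the given length (window slides over each binding)."""
    per_device = defaultdict(list)
    for ts, device, account in events:
        per_device[device].append((ts, account))
    result = {}
    for device, regs in per_device.items():
        regs.sort()
        best = 0
        for i, (start, _) in enumerate(regs):
            seen = {acct for ts, acct in regs[i:] if ts - start <= window}
            best = max(best, len(seen))
        result[device] = best
    return result


def median_gap_minutes(events, device):
    """Median minutes between consecutive bindings for one device, or None
    if it has fewer than two. A very regular gap is the signature of an
    automated client polling on a timer rather than a person."""
    times = sorted(ts for ts, dev, _ in events if dev == device)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def flag_devices(events, threshold=3, window=timedelta(hours=1)):
    """Device IDs that reach the per-window account threshold. The threshold
    is an assumption; a real deployment tunes it against its own baseline."""
    counts = max_accounts_in_window(events, window)
    return sorted(dev for dev, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(EVENTS_TXT)
    for dev in flag_devices(evs):
        print(dev, "accounts in one hour:", max_accounts_in_window(evs)[dev],
              "median gap (min):", median_gap_minutes(evs, dev))
```

A user who legitimately owns two accounts (dev-c3) registers them days apart and never trips the window count, while the infected device (dev-a1) shows five bindings in forty minutes with a median gap of exactly ten minutes.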

What can the user do?

Common sense is always the best policy. It’s still very unusual for malware to exploit Android vulnerabilities, so wider prevention is all about making users aware that they have to install the malware themselves. We’d recommend that people whitelist their apps, so they only install the most reputable programs. Here are a few tips to make sure you don’t become a victim:
  • Never install apps from outside Google Play or markets you really trust. If in doubt, research the developer.
  • Never trust very "new" apps. Wait until they’ve been around a few months and had a few thousand downloads.
  • Ban apps you do not feel comfortable with. If an app requires too many permissions, downloading it is probably a bad idea.
  • Use an antivirus on your phone.

So next time you see an app that’s simply too good to be true, the chances are it probably is. Prevention is always the best cure, so exercise due caution and don’t let the Shuabangers get the better of you.

* A version of this article was originally published by SCMagazine.

The Turkish attacker behind pr0nClicker uploads badware to Google Play for the fourth time

Monday, July 27, 2015

During the last week, the Turkish attacker (maybe a gang, maybe just a person) behind the pr0nClicker malware managed to evade Google Play’s defenses and once again upload dozens of fake apps that visit pornographic links in the background. This is the fourth time during 2015 that, by slightly modifying the code, the attacker has fooled the defenses of Google Play.

February, the first time

It all started in February. ElevenPaths detected at least 32 apps that used an old, well-known technique from the PC world that is not so common in Android badware. Among the imitated apps we could find a fake Talking Tom (that was online for just a few hours) and a "Cut the Rope". In this case they visited ads and porn websites and simulated clicks on the banners, so the attacker earned some revenue. This scheme eats into the user’s data plan, because the apps keep requesting pages in the background and the victim is not aware of it. The gang or person behind it had been operating since December, uploading apps to Google Play whose only purpose was to start with the device and make GET requests in the background.

App general schema

We researched them in depth and published an article about it. The attacker used domains registered under real names. It is easy to find even their Facebook profile.

Name of the registrar, common for most of the domains used

The first domain used for the attack still works as a "porn domain generator". From the beginning, the attacker showed a preference for movie-related apps, domains, etc.

Click F5...

Apps related to the attacker, found thanks to Tacyt

April, the second time

Avast detected the attacker again using Dubsmash 2 as a fake app to spread these clickers. The way the apps worked was very similar, using the same JavaScript functions, part of the same code, and Turkish addresses, but different enough to fool not only antivirus engines but Google Play again.

May, the third time

This time it was Lukas from ESET who alerted that the Turkish attackers were using the same techniques and decoy (Dubsmash 2) to install clickers on victims’ devices. The attacker got a few thousand downloads and installations. It even used the same domains as in February, from which the infected devices got their information.

Fake Dubsmash 2 used during May

Same domains as the first time, seen in Tacyt

July, the fourth wave

This time, Avast again alerted about the same people: Turkish, same "movie-related" domains and apps, same Dubsmash 2 as a decoy, same network and JavaScript code. But again, different enough to fool Google Play and antivirus engines. The attacker never stopped trying to upload apps during June, but during July it became more aggressive.

The attacker still uses the same structure for the offending domains. Some of them seem to be compromised domains (peliculasgratishd.net?). These are all the domains (we do not show all the paths) related to this wave of attacks. They seem harmless, but this could change at any moment.
  • http://ynk.linuxum.com/
  • http://kankalar.linuxum.com/z/z5/
  • http://amas.europeanteenx.com/z/orap/
  • http://sulale.hitgit.com/com.sulale.dubb/1.png
  • http://tranquockarafren.peliculasgratishd.net/g/getasite/
  • http://kum.angelpinkgirls.com/z/z2/
  • http://cinar.pussyteenx.com/z/z5/
  • http://kamki.insfollows.com/com.nguyenngocjumraze.suuu/4.png
  • http://phutanjocohare.mobilprn.net/g/getasite/
  • http://mebk.pantiescock.com/z/z2/
  • http://komidin.cumshotsex.net/com.komidin.cheatscrim/3.png
  • http://rafta.girlstoyporn.com/z/orap/
  • http://sulale.hitgit.com/z/z2/
  • http://kendo.teenpornxx.com/z/orap/
  • http://fet.asianpornxx.com/z/z5/
  • http://pupa.romantictube.net/g/getasite/
  • http://palasandoreki.filmsme.net/z/z2/
The attackers keep using the same Turkish name to register most domains. The code (inside and outside the app) keeps using some characteristics and formulas that are common enough to attribute it to the same people.

Domain used in February (up) and domain used in July (down)

Some of the apps are still available in Google Play as we write these lines.

One of the clickers simulating Temple Run 3, still online: https://play.google.com/store/apps/details?id=com.amas.ra


These are some of the apps we have found during these last days so far (using Tacyt and a few clicks) that share the same characteristics. But since February they have had to give up some "conveniences", such as starting the app when the phone boots, which limits the attack to the moments when the app is opened... that is why the attacker has lately been trying to add some content to the apps.
  • Amasra 1;com.amas.ra;f617515837ebe345a68904417d7823974e382e59
  • Best : Dubsmash;com.kankalar.elma;99cc2f0ff000df5c2e856d40acac1b4dc72e9230
  • Dubs Mash 2;com.sulale.dubb;459dc9198de2875017885d89e1c04c81301213b3
  • Panita Kin;com.tranquockarafren.king;f320e227b9742527be37a1c03afe4f2689bb76f0
  • Cheats for Boom Beach;com.kum.sal;36c4d4c0ca7c2d9e948daa32c20556709984fdba
  • Cinarcik 1;com.cinar.cik;315c57bddee7a2ee5db54fb52215986bc23a9c93
  • belki yanbak;com.nguyenngocjumraze.suuu;9b0e6c03338db95a86217ea298ae9a50c85c8217
  • MayHada;com.phutanjocohare.may;9fe6f210fe5209c3d6d97800054e42d80d4e6966
  • MayHayda;com.phutanjocohare.jat;84af3da99603e9d5586a2278d180d485c74d4068
  • Cheats for Clash of Clans;com.kankalar.cheats;a0f000baa8246908bdce9feabc2f24530fd8afcb
  • Man Kaptasi;com.phutanjocohare.conc;ed7ed72b9cf1de2cd67ce74d252be5aa7a2c0d35
  • Cheats for Pou;com.mebk.adli;9d3e6747cf892a7bc7571b1b91da1d14061ad4bb
  • Cheats for Criminal Case;com.komidin.cheatscrim;df5be5567eb7dc2ef8d6f96909ff6dfc29b37d8d
  • Cheats for Hill Climb;com.rafta.chetashill;8d4a009bae65731f10adc0b7fbfb708918579e74
  • Cheats & Trucos: Gta 5;com.sulale.chetastga;1741e985d4d204da73ee9f2a35622331fe7824c0
  • Maps & Guide: GTA 5;com.sulale.cimmi;ed388d4dd304c695aba5794d089355febaeb80d8
  • Followers for Instagram;com.nguyenngocjumraze.takip;5638df53b960a0d2b16f708bba8e46d4dc996f6d
  • C l a s h o f C l a n s 2;com.kankalar.clash2;7552118b7e5f1ef3698579cc48121a6be37aa5f3
  • Komidin;com.kendo.yako;0695c87554db4a10a7b38df49ecf03f6e20eb4db
  • Fethiye;com.fet.hiye;49c37da0ca94536600cecd8290aba670164ba7a6
  • Koday;com.pupa.yelken;2e2598c930a448217b6070d934e98735e4c44732
  • Doganın Güzellikleri 2;com.palasandoreki.hsa2;961923bad0f1a986a142ef5916d57b053e6591ba
  • Doganin Guzellikleri;com.palasandoreki.hsa;193e986d65249a8a04d596b9c13ecfdf0e3dced9
  • Doganin güzellikleri 3;com.palasandoreki.hsa3;6dad78b0bae7210fcc9335ee671f4514becdb214
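The two lists above (domains, and app name;package;SHA-1 records) are tied together by naming: the second label of each package (sulale in com.sulale.dubb) is the first label of the host it talks to (sulale.hitgit.com), and a few URL paths carry the package name outright. The script below is an added example, not ElevenPaths' or Tacyt's code: it parses both lists exactly as printed in this post, validates the hashes, and reports which domains each app is tied to and which hosts match no listed app. The linking rule is an assumption drawn from the lists, not something the post states as the attacker's convention.

```python
"""Parse the pr0nClicker indicator lists above and tie apps to domains.

Added example, not ElevenPaths' or Tacyt's code. App records and URLs are
the ones listed in the post; the linking rule (second package label equals
the host's first label, or the package appears as a path segment) is an
assumption drawn from those lists.
"""
import re
from urllib.parse import urlparse

APPS_TXT = """\
Amasra 1;com.amas.ra;f617515837ebe345a68904417d7823974e382e59
Best : Dubsmash;com.kankalar.elma;99cc2f0ff000df5c2e856d40acac1b4dc72e9230
Dubs Mash 2;com.sulale.dubb;459dc9198de2875017885d89e1c04c81301213b3
Panita Kin;com.tranquockarafren.king;f320e227b9742527be37a1c03afe4f2689bb76f0
Cheats for Boom Beach;com.kum.sal;36c4d4c0ca7c2d9e948daa32c20556709984fdba
Cinarcik 1;com.cinar.cik;315c57bddee7a2ee5db54fb52215986bc23a9c93
belki yanbak;com.nguyenngocjumraze.suuu;9b0e6c03338db95a86217ea298ae9a50c85c8217
MayHada;com.phutanjocohare.may;9fe6f210fe5209c3d6d97800054e42d80d4e6966
MayHayda;com.phutanjocohare.jat;84af3da99603e9d5586a2278d180d485c74d4068
Cheats for Clash of Clans;com.kankalar.cheats;a0f000baa8246908bdce9feabc2f24530fd8afcb
Man Kaptasi;com.phutanjocohare.conc;ed7ed72b9cf1de2cd67ce74d252be5aa7a2c0d35
Cheats for Pou;com.mebk.adli;9d3e6747cf892a7bc7571b1b91da1d14061ad4bb
Cheats for Criminal Case;com.komidin.cheatscrim;df5be5567eb7dc2ef8d6f96909ff6dfc29b37d8d
Cheats for Hill Climb;com.rafta.chetashill;8d4a009bae65731f10adc0b7fbfb708918579e74
Cheats & Trucos: Gta 5;com.sulale.chetastga;1741e985d4d204da73ee9f2a35622331fe7824c0
Maps & Guide: GTA 5;com.sulale.cimmi;ed388d4dd304c695aba5794d089355febaeb80d8
Followers for Instagram;com.nguyenngocjumraze.takip;5638df53b960a0d2b16f708bba8e46d4dc996f6d
C l a s h o f C l a n s 2;com.kankalar.clash2;7552118b7e5f1ef3698579cc48121a6be37aa5f3
Komidin;com.kendo.yako;0695c87554db4a10a7b38df49ecf03f6e20eb4db
Fethiye;com.fet.hiye;49c37da0ca94536600cecd8290aba670164ba7a6
Koday;com.pupa.yelken;2e2598c930a448217b6070d934e98735e4c44732
Doganın Güzellikleri 2;com.palasandoreki.hsa2;961923bad0f1a986a142ef5916d57b053e6591ba
Doganin Guzellikleri;com.palasandoreki.hsa;193e986d65249a8a04d596b9c13ecfdf0e3dced9
Doganin güzellikleri 3;com.palasandoreki.hsa3;6dad78b0bae7210fcc9335ee671f4514becdb214
"""

URLS = [
    "http://ynk.linuxum.com/",
    "http://kankalar.linuxum.com/z/z5/",
    "http://amas.europeanteenx.com/z/orap/",
    "http://sulale.hitgit.com/com.sulale.dubb/1.png",
    "http://tranquockarafren.peliculasgratishd.net/g/getasite/",
    "http://kum.angelpinkgirls.com/z/z2/",
    "http://cinar.pussyteenx.com/z/z5/",
    "http://kamki.insfollows.com/com.nguyenngocjumraze.suuu/4.png",
    "http://phutanjocohare.mobilprn.net/g/getasite/",
    "http://mebk.pantiescock.com/z/z2/",
    "http://komidin.cumshotsex.net/com.komidin.cheatscrim/3.png",
    "http://rafta.girlstoyporn.com/z/orap/",
    "http://sulale.hitgit.com/z/z2/",
    "http://kendo.teenpornxx.com/z/orap/",
    "http://fet.asianpornxx.com/z/z5/",
    "http://pupa.romantictube.net/g/getasite/",
    "http://palasandoreki.filmsme.net/z/z2/",
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_apps(text):
    """Split 'name;package;sha1' lines into dicts, rejecting malformed hashes."""
    apps = []
    for line in text.strip().splitlines():
        name, package, sha1 = line.split(";")
        if not SHA1_RE.match(sha1):
            raise ValueError(f"malformed SHA-1 for {package}: {sha1}")
        apps.append({"name": name, "package": package, "sha1": sha1})
    return apps


def link_apps_to_urls(apps, urls):
    """Return (package -> sorted URLs tied to it, URLs tied to no listed app)."""
    links = {a["package"]: [] for a in apps}
    unmatched = []
    for url in urls:
        parts = urlparse(url)
        host_label = parts.hostname.split(".")[0]
        path_segments = parts.path.split("/")
        hit = False
        for a in apps:
            pkg = a["package"]
            if pkg.split(".")[1] == host_label or pkg in path_segments:
                links[pkg].append(url)
                hit = True
        if not hit:
            unmatched.append(url)
    return {pkg: sorted(u) for pkg, u in links.items()}, sorted(unmatched)


if __name__ == "__main__":
    apps = parse_apps(APPS_TXT)
    links, unmatched = link_apps_to_urls(apps, URLS)
    for pkg, tied in links.items():
        print(pkg, "->", tied or "(no domain listed)")
    print("hosts with no matching package:", unmatched)
```

Running it shows that ynk.linuxum.com matches none of the listed packages (a host to keep watching for a yet-unseen app), and that com.nguyenngocjumraze.takip shares its infrastructure label with com.nguyenngocjumraze.suuu but has no URL of its own in the list, the kind of gap worth filling in when the next wave appears.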

So, this is the fourth time the attackers have modified the apps and got them into Google Play. But we have to consider that, once you are able to "fool the antivirus" just by twisting the code, this kind of badware is hard to detect, since the way the apps work is not that "suspicious" ("just visiting sites") and the behavior can easily be "hidden", for example by waiting for some event before starting to visit porn sites.

Sergio de los Santos
ssantos@11paths.com
@ssantosv

Studying the trojan apps for Android used in Hacking Team leak

Thursday, July 9, 2015

Among the information leaked these days about #HackingTeam, several trojanized Android APK files have been found. A first approach with Tacyt shows interesting relations with legitimate apps, with the ones leaked a few days ago, with some leaked last year... and some other notable stuff.

We have studied some details of the leaked APKs. They were not public until this recent attack, and they were not detected by many antivirus engines until the leak. It is not the first time that we have known about this company’s APKs. During the summer of 2014, some remote control Android apps were found to belong to HackingTeam, and they were used to spy on mobile devices.

A certificate for binaries in an APK: a waste and a mistake

To digitally sign an executable file in Windows, an Authenticode certificate is necessary. It may be expensive, between 200 and 500 euros a year, depending on the CA that issues it. To sign an APK, Android doesn’t require anything: it may be "self-signed" and, therefore, free. And that is the way most developers work. In fact, in our database, fewer than 100 APKs (approximately 0,002%) use certificates signed by a CA.

The APKs from HackingTeam were signed with this certificate, which also allows signing executable files.

The three views of the Authenticode certificate used to sign the APKs

And the problem is not only the waste, but the exposure. These certificates were already known since early 2013, when the tools used by HackingTeam to spy remotely were discovered. These APKs were signed after that, in March. By then we already knew that the certificates had been used to sign malicious code (at least since February 2013, as this link states). An unnecessary mistake by HackingTeam.

The certificate expires in November 2015. As a side note, in the executable files (for the APK this does not make any sense) the certificate is revoked and the signature is not countersigned. That means that, even if it were not revoked, the signature would stop being valid in November 2015.

Binary file signed with the same certificate

What apps they were pretending to be

A quick search by packageName tells us which apps the trojans were imitating. These are some of the ones we found.


Some examples of legitimate apps used as a decoy for the trojans

All of them may be downloaded right now from Aptoide or Google Play (although in the latter you may find the earliest versions). Their topics vary, from the Quran to spy cameras.

Legitimate apps used to create the malware

Obviously they differ from the good ones in several aspects.

Comparing the legitimate and the trojanized app

Many more permissions are required, and a Google Maps link is always present in the code. We guess they locate victims this way.

All the HackingTeam apps keep a Google Maps link in them


We insist: these apps as shown in their markets are innocuous; it’s just that HackingTeam uses them as trojans (in the more classic meaning of the word) to encourage or disguise the installation of the malware.

More notable facts

Both in this leak and in previous analyses of HackingTeam programs (like the one in the summer of 2014, where some trojanized APKs were discovered as well), we can see some singularities that could have allowed early detection of these trojans (aside from the use of the same certificate). For example, all the APKs share one: among their /assets/, they keep binary files named with a single letter.

HackingTeam Android malware contains this kind of files, with these singular names 

Searching by this kind of file or some of these hashes, we found no other sample containing them in our databases.

Some of the files shared by HackingTeam samples are a singularity for them

Finally, all the APKs in this leak (except one) were created on "2013-04-09" at roughly 11:40, in the local timezone of the computer they were compiled on.

6 apps were created March, 9th, except one
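The three traits this post pulls out of the leaked samples (single-letter binaries under /assets/, every archive entry stamped within the same minute, and a CA-issued signer certificate instead of the usual self-signed one) can all be checked statically from the zip container. The script below is an added example, not ElevenPaths' or Tacyt's code: it builds a placeholder APK in memory, stamped with the date from this post and carrying two single-letter assets, and runs the first two checks on it, then lists the META-INF signature blocks so the certificate can be inspected with standard tooling. Everything in the constructed archive is a placeholder; the function names and the "suspicious" rule are assumptions.

```python
"""Static triage of an APK for the traits shared by the HackingTeam samples.

Added example, not ElevenPaths' or Tacyt's code. It checks single-letter
files under assets/, whether entry timestamps cluster in one minute, and
which signature block carries the signer certificate. The APK is
constructed in memory with placeholder contents so the script runs offline.
"""
import io
import zipfile
from collections import Counter


def build_sample_apk():
    """Constructed stand-in APK: a decoy asset, two single-letter binaries and
    a signature block, all stamped 2013-04-09 11:40 (the date from the post)."""
    buf = io.BytesIO()
    stamp = (2013, 4, 9, 11, 40, 0)
    entries = [
        ("AndroidManifest.xml", b"<manifest/>"),
        ("classes.dex", b"dex\n035\x00"),
        ("assets/quran.txt", b"decoy content"),
        ("assets/a", b"\x7fELF placeholder"),
        ("assets/b", b"\x7fELF placeholder"),
        ("META-INF/CERT.SF", b"Signature-Version: 1.0\n"),
        ("META-INF/CERT.RSA", b"PKCS7 placeholder"),
    ]
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


def _open(apk_bytes):
    return zipfile.ZipFile(io.BytesIO(apk_bytes))


def single_letter_assets(apk_bytes):
    """Files directly under assets/ whose whole name is a single letter."""
    with _open(apk_bytes) as z:
        names = z.namelist()
    return sorted(n for n in names
                  if n.startswith("assets/")
                  and len(n) == len("assets/") + 1
                  and n[-1].isalpha())


def build_minute_cluster(apk_bytes):
    """(most common (Y, M, D, h, m) among entries, share of entries in it).
    A share near 1.0 means everything was written in a single build run."""
    with _open(apk_bytes) as z:
        minutes = [info.date_time[:5] for info in z.infolist()]
    (stamp, count), = Counter(minutes).most_common(1)
    return stamp, count / len(minutes)


def signature_blocks(apk_bytes):
    """META-INF entries holding the PKCS#7 signer certificate chain; inspect
    them with keytool or openssl to see whether the chain is self-signed."""
    with _open(apk_bytes) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("META-INF/")
                      and n.upper().endswith((".RSA", ".DSA", ".EC")))


def triage(apk_bytes):
    """Collect the indicators; 'suspicious' is set when single-letter assets
    are present, the trait the post found in no other sample."""
    letters = single_letter_assets(apk_bytes)
    stamp, share = build_minute_cluster(apk_bytes)
    return {
        "single_letter_assets": letters,
        "build_minute": stamp,
        "build_minute_share": share,
        "signature_blocks": signature_blocks(apk_bytes),
        "suspicious": bool(letters),
    }


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

To finish the certificate check on a real file, extract the block the script names and run `keytool -printcert -file CERT.RSA` or `openssl pkcs7 -inform DER -print_certs -in CERT.RSA`: a self-signed developer key shows the same subject and issuer, whereas a chain ending in a public CA, as in these samples, is rare enough (the post counts it at roughly 0,002% of APKs) to deserve a closer look on its own.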



Sergio de los Santos
ssantos@11paths.com

Adolfo Hernández
adolfo.hernandez@11paths.com

New Tool: MicEnum, Mandatory Integrity Control Enumerator

Wednesday, July 8, 2015

In the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent Windows versions. It adds Integrity Level (IL)-based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.

MicEnum is a simple graphical tool that:

  • Enumerates the Integrity Levels of the objects (files and folders) on the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps to detect anomalies by spotting differing integrity levels.
  • Allows storing and restoring this information in an XML file so it may be used for forensic purposes.
  • Allows setting or modifying the integrity levels graphically.

MicEnum scanning a folder


How does the tool work?

By now, the only way to show or set Integrity Levels in Windows is by using icacls.exe, a command line tool. There is no easy or standard way to detect changes or anomalies. As with NTFS permissions, an attacker may have changed the Integrity Level of a file on a system to elevate privileges or leverage another attack, so watching for this kind of change and anomaly is important for forensics or preventive actions.

The tool represents files and folders in a tree. The integrity level of each file and folder is shown in a column next to it. When scanning a folder, the tool will check all Integrity Levels and, if any of them does not match its parent’s, it will expand it. If you have expanded some folders and want to group back the ones that are known to be the same, just use the checkbox at the bottom. It will hide the folders that are supposed to share the same integrity level.
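The parent-mismatch rule the tool applies is easy to reproduce outside the GUI, which is handy when the same check is wanted in a scheduled script or an incident-response collection. The script below is an added example, not MicEnum's code: it reads the Integrity Level of an object from icacls.exe output (the "Mandatory Label\..." line, which is absent when the object simply runs at the default Medium level), walks a folder, and lists every file or folder whose level differs from its parent's. The icacls output sample and the label tree it is tested against are constructed; the live query only works on Windows.

```python
"""Flag files and folders whose Integrity Level differs from their parent's.

Added example reproducing MicEnum's parent-mismatch check in script form;
not the tool's own code. Labels come from icacls.exe: an object prints a
"Mandatory Label\\<Level> Mandatory Level" line only when it carries an
explicit label, otherwise it runs at the default Medium level. The icacls
output and the label tree below are constructed.
"""
import ntpath
import os
import re
import subprocess

DEFAULT_LEVEL = "Medium"
LABEL_RE = re.compile(r"Mandatory Label\\(Low|Medium|High|System) Mandatory Level")

# Constructed output in the format icacls prints for a single object.
SAMPLE_ICACLS_OUTPUT = r"""C:\Data\tools NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Administrators:(I)(F)
              Mandatory Label\High Mandatory Level:(OI)(CI)(NW)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed tree of labels, shaped as collect_labels() returns it on Windows.
SAMPLE_LABELS = {
    r"C:\Data": "Medium",
    r"C:\Data\report.docx": "Medium",
    r"C:\Data\tools": "High",
    r"C:\Data\tools\updater.exe": "High",
    r"C:\Data\tools\dropper.exe": "Low",
}


def parse_label(icacls_output):
    """Integrity Level named in icacls output, or the implicit default."""
    m = LABEL_RE.search(icacls_output)
    return m.group(1) if m else DEFAULT_LEVEL


def query_label(path):
    """Live query on Windows (not exercised offline): run icacls on one object."""
    proc = subprocess.run(["icacls", path], capture_output=True, text=True, check=False)
    return parse_label(proc.stdout)


def collect_labels(root):
    """Walk a folder and map every object under it to its Integrity Level."""
    labels = {root: query_label(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            labels[full] = query_label(full)
    return labels


def find_mismatches(labels):
    """(path, level, parent_level) for every object whose level differs from
    its parent's; these are the nodes MicEnum expands in its tree."""
    found = []
    for path, level in labels.items():
        parent = ntpath.dirname(path)
        if parent in labels and labels[parent] != level:
            found.append((path, level, labels[parent]))
    return sorted(found)


if __name__ == "__main__":
    for path, level, parent_level in find_mismatches(SAMPLE_LABELS):
        print(f"{path}: {level} (parent is {parent_level})")
```

On the constructed tree the script reports the tools folder (High under a Medium parent) and dropper.exe (Low under a High parent); the updater inherits its parent's level and stays quiet, exactly as MicEnum would leave that node collapsed.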


MicEnum scanning a Windows registry branch

To set new integrity levels, just use the context menu again and set the desired level. Do not change them if you do not know what you are doing. You may need administrator privileges to make the change.


The program allows to set different integrity levels

For forensic purposes, the whole "session", that is, the information about the integrity levels, may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing and there is no possibility of setting new values, of course, since you are not using your "live" hard disk.


If a session is loaded, the different values are shown

All this applies to registry branches as well, in the corresponding tab.

MicEnum is inspired by AccessEnum, a classic Sysinternals tool that enumerates NTFS permissions and helps detect anomalies.

MicEnum may be downloaded from: https://www.elevenpaths.com/labstools/micenum/index.html

Sergio de los Santos
ssantos@11paths.com