Week in review 24 October 2014
This week, a chess manoeuvre called “Pawn Storm” gave its name to a sophisticated, long-running cyber espionage campaign targeting government agencies and defence contractors, amongst others. The banking trojan Dyre appeared in a new guise, whilst a malicious file hosted on Dropbox was used to trick users into giving away their Dropbox and webmail login credentials. Koler turned up with a new trick; this time it uses text messages to propagate. Finally, some malware writers found the tables turned on them when they hard coded into their malware the login credentials for its command and control server.
Dyre Spam Attack
“Patch your systems”, “patch your applications” and, more generally, “keep your software up to date” are among the messages security professionals repeat most often. A new Dyre campaign this week underlined why: it arrives as a phishing email whose PDF attachment exploits old, long-since patched vulnerabilities in Adobe Reader and Adobe Acrobat to install the banking trojan on the victim PC. One of Dyre’s more insidious capabilities is “browser hooking”: it injects itself into the browser and intercepts the functions that handle form submissions, so it captures login credentials after the user types them but before the browser encrypts them for transmission. HTTPS therefore offers no protection against it, because the theft happens inside the browser, upstream of the encryption. Dyre’s target list now includes bitcoin sites; cyber criminals have woken up to the fact that bitcoin has a real-world monetary value and is a ripe target for cyber crime.
Dropbox Phishing Attack
Dropbox removed a malicious file this week. The file was part of a phishing campaign designed to harvest users’ webmail and Dropbox login credentials. The twist, a new one for Dropbox, is that the phishing page itself was a file hosted on Dropbox: the emails linked to a page that mimicked the Dropbox login form, and because it was served from Dropbox’s own infrastructure it looked far more trustworthy than a page on an unknown domain. Any credentials typed into it went to the attackers. Dropbox has since removed the file.
New version of Koler ransomware spread by text messages
Koler is Android ransomware that originally targeted visitors to pornographic websites: it locked the phone and demanded $300 to unlock it, though it was easy to remove and never encrypted any files. A new version observed this week by AdaptiveMobile adds a propagation trick: on infection it sends a text message containing a link to itself to every contact in the victim’s address book, once only. The social-engineering basis is simple: a text message that appears to come from a friend is far more likely to be opened than one from a stranger. Once installed, Koler again locks the screen, this time with a message purporting to come from the FBI, informing the victim that they have been accessing pornographic or other inappropriate material and that the phone will remain locked until they pay the ransom. As with the original version, the malware is fairly easy to remove: boot the phone into safe mode (which stops third-party apps from starting) and uninstall the app, which appears as “PhotoViewer”, using the standard Android uninstall tool. Koler still does not encrypt files, so no data is lost.
Operation Pawn Storm
Last week a classic work of science fiction lent its name to malware; this week it was chess’s turn. Operation Pawn Storm (named after a chess manoeuvre) is a long-running espionage campaign aimed at selected individuals in selected organisations, with the goal of gathering sensitive information from their PCs. Its main tool is the Sednit malware, and the activity dates back to at least 2007. The campaign is well organised; targets have included the French Ministry of Defence, ACADEMI (formerly Blackwater) and the Vatican Embassy in Iraq. The attackers craft spear-phishing emails tied to very recent events (one lure concerned APEC) and attach a weaponised document that installs Sednit when opened. A second vector is credential phishing through lookalike domains: the attackers register names that differ from a legitimate domain by a single, easily overlooked character. One such registration was academl.com, which mimics academi.com, the domain ACADEMI employees use for Outlook webmail access; the only difference is a lowercase L in place of the I, which is almost indistinguishable in many fonts. The fake site copied the legitimate login page in order to harvest employee credentials and, through them, gain access to sensitive data. Fortunately the site was detected early and shut down.
Finally, an interesting piece surfaced at the start of the week about a new piece of malware called Dynasty Keylogger (also known as Predator Dynasty). It is spread via phishing emails, logs keystrokes and can send back screenshots of the victim’s PC. But its creator(s) made a mistake. According to PhishMe, the login credentials the malware uses to talk to its command and control server were hard coded into it, so anyone with a sample could extract the username and password. The researchers did exactly that, and were then able to use the credentials to watch the attackers at work. A salutary lesson that malware writers make mistakes too.
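Hard-coded credentials of the kind described above are something any analyst with a sample can go looking for, and a first pass needs nothing more than a strings dump and a few patterns. The Python below is an added example, not PhishMe’s analysis and not code from Dynasty Keylogger; the SAMPLE blob is constructed for the demonstration, with a made-up FTP URL and a made-up UTF-16LE configuration string embedded in filler bytes. It also extracts UTF-16LE strings, because Windows binaries frequently store configuration that way and a plain ASCII strings pass misses them.

```python
"""Pull credential-looking strings out of a binary blob.

Added example, not from the original article or from any malware sample.
SAMPLE below is constructed: filler bytes with one ASCII URL and one
UTF-16LE key=value string embedded, standing in for a careless binary.
"""
import re

MIN_LEN = 6  # shortest run we treat as a "string", as strings(1) does by default

# Constructed stand-in for a malware sample; every value here is made up.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                         # fake DOS header
    + b"\x1f\x8b\x7f\x00"                                   # filler
    + b"ftp://dynasty_op:Hunter2!@ftp.example.test/logs"    # ASCII, made-up C2 URL
    + b"\x00\x00\xff\xfe"
    + "SMTP_Password=Spring2014".encode("utf-16le")        # UTF-16LE, made-up
    + b"\x00\x00\x12\x34"
)

# Patterns that usually mean a credential is sitting in the clear.
CRED_PATTERNS = [
    # user:pass@host inside a URL, e.g. ftp://name:secret@host
    ("url-embedded", re.compile(r"\b(?:ftp|smtp|https?)://([^:/\s]+):([^@\s]+)@([^\s/]+)")),
    # key=value or key: value where the key mentions user/pass/pwd
    ("key-value", re.compile(r"(?i)(\w*(?:user|pass|pwd)\w*)\s*[=:]\s*(\S+)")),
]


def ascii_strings(blob: bytes, min_len: int = MIN_LEN):
    """Runs of printable ASCII of at least min_len bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, blob)]


def utf16le_strings(blob: bytes, min_len: int = MIN_LEN):
    """Runs of printable ASCII stored as UTF-16LE (each char followed by NUL),
    which is how Windows PE files usually hold wide-character strings."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pat, blob)]


def find_credentials(blob: bytes):
    """Return (kind, matched_text) for every credential-looking string."""
    hits = []
    for s in ascii_strings(blob) + utf16le_strings(blob):
        for kind, pat in CRED_PATTERNS:
            for m in pat.finditer(s):
                hits.append((kind, m.group(0)))
    return hits


if __name__ == "__main__":
    for kind, text in find_credentials(SAMPLE):
        print("%-13s %s" % (kind, text))
```

Point it at a real sample by replacing SAMPLE with the file’s bytes. Packed or encrypted binaries will show nothing until unpacked or dumped from memory, which is where most analyses actually start; the point is that once the strings are visible, embedded C2 credentials are trivially recoverable by anyone, researchers included.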