Posts Tagged: Blackshades


12
Nov 12

Malware Spy Network Targeted Israelis, Palestinians

Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets.

The discovery, by Oslo-based antivirus and security firm Norman ASA, is the latest in a series of revelations involving digital surveillance activity of unknown origin that appears designed to gather intelligence from specific targets in the Middle East.

Norman’s experts say the true extent of the spy network came into focus after news of a cyber attack in late October 2012 that caused Israeli authorities to shut down Internet access for its police force. According to press reports, that incursion was spearheaded by a booby-trapped email that was made to look as if it was sent by Benny Gantz, the chief of general staff of the Israel Defense Forces.

Security vendor Trend Micro suggested that the initial target of that attack were systems within the Israeli Customs agency, and said the malware deployed was a version of Xtreme RAT, a Remote Access Trojan that can be used to steal information and receive commands from a remote attacker. According to Trend, the latest iterations of Xtreme Rat have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities features.

All of the malware files Fagerland discovered as part of this campaign were signed with this phony Microsoft certificate.

Snorre Fagerland, a senior virus researcher at Norman, said he examined a sample of the Trojan used to deploy the malware in that attack, and found that it included a rather telltale trait: It was signed with a digital certificate that was spoofed to appear as though it had been digitally signed by Microsoft.

The faked digital certificate would not stand up to validation by Windows– or anyone who cared to verify it with the trusted root certificates shipped with Windows PCs. But it proved to be a convenient marker for Fagerland, who’s been scouring malware databases for other samples that used the same phony certificate ever since. So far, he’s mapped out an expanding network of malware and control servers that have been used in dozens of targeted email attacks (see graphic below).

“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,” Fagerland said in an interview with KrebsOnSecurity. “In my view, they are same attackers.”

Fagerland discovered a vast network of command and control servers (yellow) that all bore the same forged Microsoft certificate and powered malware that targeted Israeli and Palestinian users.

Fagerland found that the oldest of the malicious files bearing the forged Microsoft certificate were created back in October 2011, and that the Arabic language email lures used in tandem with those samples highlighted Palestinian news issues. He observed that the attackers used dynamic DNS providers to periodically shift the Internet addresses of their control networks, but that those addresses nearly always traced back to networks in Gaza assigned to a hosting provider in Ramallah in the West Bank.

After about eight months of this activity, the focus of the malware operation pivoted to attacking Israeli targets, Fagerland discovered. When that happened, the attackers shifted the location of their control servers to networks in the United States.

Continue reading →


17
May 12

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google ChromeInternet Explorer, and Mozilla Firefox.  The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites. Continue reading →