Follow-On to VBA-Initiated Infostealer Campaign: Exploring Related Malware and Actors

In late October, we began examining a VBA-initiated infostealer campaign. This post follows up with the additional information we gathered on related malware and the actors associated with it.

Pivot On Initial Predator Pain Sample C2

In our previous post, we identified two Command and Control (C2) fully qualified domain names (FQDNs) for the initial Predator Pain sample analyzed: mail.rivardxteriaspte.co[.]uk and ftp.rivardxteriaspte.co[.]uk. We were interested in seeing whether any other malware samples had been observed communicating with these FQDNs and, if so, to which malware family they belonged.

Leveraging the Palo Alto Networks WildFire platform, we found an additional 14 samples that communicated with one or both of these C2 FQDNs between December 27, 2013, and August 1, 2014 (Table 1).

While anti-virus (AV) detection names varied widely, all of these samples belong to the Predator Pain keylogger malware family. A number of them were also packaged with the Limitless keylogger, most likely for its exfiltration capabilities. Although Limitless is easily modified, one clear indication that it is in use is its default HTTP POST over TCP/80 to the following URL:

http://www.limitlessproducts[.]org/Limitless/Login/submit_log.php

Both of these keylogger packages are available in the cybercrime underground for less than $40 USD, with cracked versions available for free (albeit with potentially unwanted “features”). The samples observed had the following capabilities (ordered by prevalence):

  • Collection of system information
  • Web browser password extraction
  • E-mail password extraction
  • Screenshot capture
  • Logging of web browser activity
  • Logging of e-mail activity
  • Logging of chat activity
  • Internet Download Manager password extraction

Figure 1 presents a malware-centric view of identified samples, categorized under the dominant malware family of Predator Pain.

The newly identified samples were almost exclusively downloaded from one domain, nova.co[.]in, which for some time resolved to 209.160.24.197, the same IP as the download domain for the initially analyzed Predator Pain sample. Sometime between mid-March and the first of August, the nova.co[.]in resolution shifted to 209.160.26.174. The download domain view of those samples for which data was available can be found in Figure 2.

The broader set of malware also revealed five samples that made an additional C2-oriented request to Pastebin. The associated Pastebin pages were no longer active when checked in November 2014. Figure 3 depicts the C2 communications for the samples.
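The Limitless default POST URL, the two Predator Pain C2 FQDNs, the nova.co[.]in download domain and its two IPs, and the Pastebin reach-out described above are all usable as network indicators. The following is an added example, not code from the original post, showing how a responder might sweep a connection log for them. The log format (timestamp, source IP, destination IP, destination port, hostname, HTTP method, path) and every log line are constructed for illustration; the destination IPs other than the two from the post are documentation-range placeholders, and treating any request to pastebin.com as a weak indicator is an assumption, since Pastebin also carries plenty of legitimate traffic.

```python
"""Sweep a connection log for the indicators named in the post.

Added example, not the post's own code. Indicator values come from the post
(defanging brackets removed); the log format and SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators from the post.
C2_FQDNS = {"mail.rivardxteriaspte.co.uk", "ftp.rivardxteriaspte.co.uk"}
DOWNLOAD_DOMAINS = {"nova.co.in"}
KNOWN_IPS = {"209.160.24.197", "209.160.26.174"}
LIMITLESS_HOST = "www.limitlessproducts.org"
LIMITLESS_PATH = "/Limitless/Login/submit_log.php"
# Assumption: a generic Pastebin domain; the post does not name the paste URLs.
PASTE_DOMAINS = {"pastebin.com"}

# Constructed log format: ts src_ip dst_ip dst_port host method path
# ("-" for method/path on non-HTTP connections such as SMTP or FTP).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$"
)


@dataclass
class Hit:
    line_no: int
    src: str
    reason: str
    indicator: str


def _in_domains(host: str, domains) -> bool:
    """Exact match or subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host: str, dst: str, method: str, path: str) -> List[tuple]:
    """Return (reason, indicator) pairs for one connection record."""
    host = host.lower()
    reasons = []
    if host in C2_FQDNS:
        reasons.append(("predator_pain_c2", host))
    if method == "POST" and host == LIMITLESS_HOST and path == LIMITLESS_PATH:
        reasons.append(("limitless_exfil", host + path))
    if _in_domains(host, DOWNLOAD_DOMAINS):
        reasons.append(("download_domain", host))
    if dst in KNOWN_IPS:
        reasons.append(("known_ip", dst))
    if _in_domains(host, PASTE_DOMAINS):
        # Weak on its own; meaningful alongside the stronger indicators.
        reasons.append(("pastebin_request", host + path))
    return reasons


def scan(lines) -> List[Hit]:
    """Parse each log line and collect indicator hits; skip malformed lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for reason, indicator in classify(m["host"], m["dst"], m["method"], m["path"]):
            hits.append(Hit(n, m["src"], reason, indicator))
    return hits


def rank_sources(hits) -> Dict[str, List[str]]:
    """Map each source IP to the sorted set of distinct reasons it triggered."""
    by_src: Dict[str, set] = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.reason)
    return {src: sorted(r) for src, r in by_src.items()}


# Constructed sample log: one infected host (10.0.0.5), one clean host, one junk line.
SAMPLE_LOG = [
    "2014-08-01T10:00:01Z 10.0.0.5 209.160.26.174 80 nova.co.in GET /files/invoice.exe",
    "2014-08-01T10:00:09Z 10.0.0.5 198.51.100.7 25 mail.rivardxteriaspte.co.uk - -",
    "2014-08-01T10:00:15Z 10.0.0.5 198.51.100.9 80 www.limitlessproducts.org POST /Limitless/Login/submit_log.php",
    "2014-08-01T10:00:20Z 10.0.0.5 203.0.113.4 80 pastebin.com GET /raw/example",
    "2014-08-01T10:01:00Z 10.0.0.8 203.0.113.10 80 example.com GET /index.html",
    "this line is not a log record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(rank_sources(scan(SAMPLE_LOG)))
```

Matching the Limitless URL on both host and exact path, and on POST only, keeps the rule from firing on a browser visiting the vendor's site; the Pastebin check is deliberately broad and is only worth acting on when the same source also hits one of the stronger indicators, which is what rank_sources surfaces.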

Additional Actor Analysis

In our last post for this campaign, we attributed the focal Predator Pain sample to an actor that goes by the handle “Skozzy”. The profile for the related malware enumerated above further supports this attribution, given the shared C2 infrastructure and dominance of two malware packages favored by this actor.

In an attempt to gain further insight into this actor, we also performed a pivot on WHOIS registrant information for the initial Predator Pain sample’s C2 domain. This revealed a “Josh Frank” (sometimes “Josh Franks”, “Franks Josh” or “Josh Frank Kelvin”) persona, which in turn was confirmed as associated with both 419 and dating scams, under at least the following e-mail addresses:

  • frankjosh61[at]yahoo.com
  • frankjosh60[at]yahoo.com
  • joshfrank615[at]yahoo.com (potential)

Additionally, this persona is known to register domains under two organizations, “Xteria pte” and “Amorex”, and has been observed using registrant contact information and/or social engineering references from Malaysia or the United Kingdom. Correlated domains lean towards financial (e.g., banking, brokerage) and dating themes, with registrar activity observed for associated domains as late as October 2014. A sampling of domains linked to this persona follows:

  • maybnk2u-malaysia[.]net
  • lexusmalaysia[.]com
  • attaccq[.]com
  • ahaldarazi[.]com
  • tegbet[.]com
  • acemovement[.]com

While it cannot be said with certainty that “Skozzy” and “Josh Frank” refer to the same individual, it is clear that there is a tie between the two in terms of motivations and objectives: financial gain through personal and/or business fraud.

Expanding on Actor Motivations and Objectives

As noted in the previous blog post on this topic, “roles across nation state, cybercrime, hacktivist and ankle-biter/script kiddies are not mutually exclusive and – in fact – continue to become fuzzier over time.” Actors using tools such as Predator Pain and Limitless have a myriad of options at their disposal for information collection. This extends into an equally broad range of potential malicious uses for that information. It also further blurs the lines between malicious actor categories, translating into increased challenges in characterization/qualification and attribution for cyber attacks.

Opportunism further extends within each of these malicious actor categories – especially with greater availability and a lower cost of entry for increasingly sophisticated and effective tools. One example is the shift by some cybercrime actors away from information theft from individuals and instead scaling up towards higher-yield attacks against companies and organizations. Clever application of insider, sensitive information gleaned from such tools can serve as a multiplier to the perceived legitimacy and potential impact of more precise second-stage social engineering and/or malware attacks.

With the demonstrated success of such tools and techniques to date, we anticipate continued growth in the number of these types of attacks in the future. The Palo Alto Networks Enterprise Security Platform can prevent, address and minimize the risk of these and other associated threats. Learn more about the platform here.

[Palo Alto Networks Blog]

Palo Alto Networks 2015 Predictions: Financial Services & Payment Processing

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)

Although financial institutions have long allocated resources to security, they have often been under siege, and have frequently been victims of some of the largest breaches in recent years.

Bottom line: they still need to do more. Here are a few of my predictions on this industry for 2015:

1. The pace of investment will accelerate and companies with best-in-class security will stand out.

2015 will bring a change in the level of innovation and investment: overall spending on security resources will accelerate, driven by companies that have kept pace with security and implemented best practices from network segmentation to systematic patching.

Organizations with best-in-class security will stand out from those that still need to catch up. The difference will be visible because attackers will prey on the least protected companies as low-hanging fruit.

2. More regulations will surface for segments that are core to the integrity of the international financial markets including trading exchanges.

In 2014, the SEC in the US and its Office of Compliance Inspections and Examinations (OCIE) issued an alert focusing on the cybersecurity preparedness of institutional investment organizations and capital markets. More than 50 registered investment brokers and advisers were surveyed on their level of preparedness.

This exercise is just one of many examples showing that more guidelines and, potentially, regulations will be crafted to ensure a consistent and higher level of security in financial markets. The SEC guidelines and survey documents can be used today as a resource to evaluate your security posture. Use the alert to close any gaping holes in your defenses!

3. 2015 will see the start of the overhaul of the payment processing segment, especially in the US.

American credit cards have historically lagged behind the rest of the world in security. While the US market slowly migrates to chip-and-PIN cards, it is also opening up to more innovative payment technologies.

Unfortunately, priorities for new payment technologies are still driven by costs and fees more than by security. 2015 will most likely be the year in which consumer adoption of Apple Pay or Google Wallet gets weighed against merchants' preference for the alternative CurrentC, with its lower fee model.

Just like any other new and hyped technology, Apple Pay and virtual payment schemes will no doubt become prime hacking targets. Securing payment processes should remain a top priority for any business.


The challenge of securing financial services organizations is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

 [Palo Alto Networks Blog]


Palo Alto Networks Named a Winner in GSN 2014 Homeland Security Awards

We’re pleased to announce that Palo Alto Networks has won in the Government Security News Homeland Security Awards category for Best Network Security/Enterprise Firewall.

We were also announced as a finalist in the Best Anti-Malware Solution category.


The GSN 2014 Homeland Security Awards Program was organized to honor distinguished vendors of IT Security and Physical Security products and solutions and the dedicated federal, state, county and municipal government agencies, whose combined efforts help to keep the United States secure.

You can view the full list of Homeland Security Awards winners here.

[Palo Alto Networks Blog]
