Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond

In 2015, Sucuri published two blog posts, one in March describing a pseudo-Darkleech campaign targeting WordPress sites, and another about its evolution the following December. Sites compromised by this campaign redirected unsuspecting users to an exploit kit (EK). The Sucuri posts describe patterns in the injected script related to this campaign. Since December 2015, patterns associated with pseudo-Darkleech have continued to evolve. Our blog post today will examine these changes.

However, before we look at the recent developments, we should understand how EKs fit into the overall picture and review the history of Darkleech.

Path to an Exploit Kit

An EK is used by criminals to infect unsuspecting users while they are browsing the web. EKs are hosted on servers dedicated to the EK. The EK will check if a user’s computer is vulnerable and send the appropriate exploit. That exploit is used by the EK to send malware, execute it as a background process, and infect the user’s computer.

This malware is the EK payload. Most payloads are designed to infect computers running Microsoft Windows. Different EKs are available to criminals for this purpose. Notable EKs in recent months include Angler, Neutrino, Nuclear, and Rig.

How are web browsers directed to these EK severs? Since users won’t intentionally view an EK, criminals must establish a path behind-the-scenes. The first step in this process is a compromised website. These compromised websites are legitimate pages with hidden script that initiates a network connection to the EK. This is the most direct path to an EK.

Criminals sometimes use another server as a gate between the compromised website and the EK server. In some cases, you’ll find more than one gate in this path. However, pseudo-Darkleech traffic doesn’t appear to rely on gates. From what we can tell, the injected script most often points directly to an EK’s landing page.

Enter Darkleech

Darkleech is the name of a campaign that infected thousands of Apache servers starting in 2012. More specifically, Darkleech refers to an Apache module available on the black market that was used for malware distribution. In 2013, many organizations had reported on Darkleech. At the time, servers infected with Darkleech led to Blackhole EK.

Below are examples of injected script from compromised websites running the Darkleech module in July and August 2012.

Figure 1: Example of injected script from July 2012.

Figure 2: Example of injected script from August 2012.

Patterns for this injected script remained relatively consistent throughout 2013. But changes were coming. By October 2013, Russian authorities had arrested Paunch, who allegedly created the Blackhole EK. Within a few months, Blackhole EK disappeared from the scene. By early 2014, the same Darkleech pattern was pointing to No-IP.com domains (hopto.org, ddns.net, myftp.biz, serveftp.com, etc). These No-IP domains were either gates to an EK, or they directly hosted EKs like Fiesta.

Figure 3: Injected script from March 2014 pointing to Fiesta EK.

Figure 4: Another example of injected script from November 2014.

Enter Pseudo-Darkleech

In March of 2015, Sucuri published a blog identifying these newer patterns of injected script from early 2014 as “pseudo-Darkleech.” Why use “pseudo” to describe this campaign, especially if the injected script looked the same as before? Because the injected script was now seen from IIS sites, where previously it had only been noticed on Apache servers. As the year progressed, pseudo-Darkleech script was found pointing to Angler EK and delivering ransomware like CryptoWall].

Figure 5: Injected script pointing to an Angler EK landing page in July 2015.

These patterns remained consistent until late September 2015. At that time, injected script caused by pseudo-Darkleech dramatically changed. The script became highly-obfuscated. It looked nothing like previous Darkleech patterns, and you couldn’t easily determine the URL it would generate.

Figure 6: Injected script from September 2015.

An example of this injected script from October 2015 has been isolated and posted to Pastebin. Using a tool named Revelo from Kahu Security, you can quickly see what the script does. As shown below, the script tries to access a URL, and the URL matches patterns for Angler EK.

Figure 7: Injected script from October 2015 run through Revelo.

Later in 2015, pseudo-Darkleech injected script occasionally switched between Angler EK or Neutrino EK as it delivered ransomware like CryptoWall or TeslaCrypt. By December 2015, Sucuri published a new blog post covering these most recent updates on pseudo-Darkleech injected script. Even with the injected script’s new patterns, Sucuri reported that server-side indicators remained the same as it had reported in March 2015. This activity was still pseudo-Darkleech.

Recent Developments

Since September 2015, patterns associated with pseudo-Darkleech have evolved. Any changes were minor until early February 2016, when we saw the addition of a sizable block containing numeric characters in the injected script.

Figure 8: Start of pseudo-Darkleech injected script from early February 2015.

Figure 9: End of pseudo-Darkleech injected script from early February 2015.

Since that time, the characters separating the numbers in that large block of numeric characters have changed. For example, on 2016-02-24 they switched from spaces to commas. By 2016-02-29, pseudo-Darkleech had switched to semicolons. By 2016-03-07, we saw asterisks. On 2016-03-14, the patterns had changed yet again.

Figure 10: Start of pseudo-Darkleech injected script from 2016-03-07.

Figure 11: Start of pseudo-Darkleech injected script from 2016-03-14.

Conclusion

Since it was first called pseudo-Darkleech by Sucuri in March 2015, members of the security community have found websites compromised through this campaign on a daily basis. Withtens of thousands of compromised sites reported in 2013 under the original Darkleech banner, pseudo-Darkleech continues the onslaught with no signs of slowing down.

In recent weeks, this campaign has led to Angler EK delivering a ransomware payload, especially TeslaCrypt. Pseudo-Darkleech and the associated Angler EK traffic remain a persistent and evolving threat. Both Darkleech and Angler frequently change patterns to avoid detection. Palo Alto Networks researchers have already examined Angler EK and published an in-depth report containing indicators in January 2016. We continue to investigate pseudo-Darkleech and Angler EK for applicable indicators to inform the community and further enhance our threat prevention platform.

Indicators of Compromise

Domains and IP addresses from websites compromised through this campaign are continually changing. Below are recent examples of the injected script caused by pseudo-Darkleech that have been isolated and posted to Pastebin:

[Palo Alto Networks Research Center]

Locky Ransomware Installed Through Nuclear EK

In February 2016, Unit 42 published detailed analysis of Locky ransomware. We certainly weren’t the only ones who saw this malware, and many others have also reported on it. Since that time, Locky has been frequently noted in various campaigns using malicious spam (malspam) to spread this relatively new strain of ransomware.

When we initially reported on Locky, attackers were distributing the malware using Microsoft Office documents with malicious macros to download and execute the ransomware. Attackers quickly added another tactic, sending e-mails with zip attachments containing malicious Javascript files to accomplish the same goal. However, exploit kits (EKs) have also been used to infect users with Locky from casual web browsing. This activity suggests that there are effectively two paths to Locky: one through malspam and another through EK traffic.

Figure 1: An example of two paths to Locky from February 2016.

The EK path is rarely mentioned. So far, we have seen very little reporting on Locky’s propagation through EK traffic. Some sources noted Neutrino EK was used to send this malware, but no more has been publicly announced on the subject.

In recent days we have noticed Locky attempting to infect systems using the Nuclear EK.

Details

In February 2016 when Neutrino EK was first reported delivering Locky, we found a pcap of the traffic and saw the following pattern:

Figure 2: Wireshark display of Locky sent by Neutrino EK on 2016-02-16.

Proofpoint reported similar traffic and stated it was Locky distributed by a Neutrino EK thread known for spreading Necurs. This month, we ran across the same type of gate. This time, traffic patterns after the gate were similar to what we’ve seen for Nuclear EK. The payload was either Locky, or it was a downloader that retrieved Locky from another domain.

Figure 3: Wireshark display of Locky sent by Nuclear EK on 2016-03-15.

Figure 4: Wireshark display of Nuclear EK on 2016-03-16 sending a payload that downloaded Locky.

A Windows host infected with these Locky samples looks similar to previously-infected hosts when we first reported about the ransomware in February 2016.

Figure 5: A Windows host after being infected with Locky on 2016-03-16.

Conclusion

As noted in our previous blog post about Locky, Palo Alto Networks customers are protected from Locky through our next-generation security platform. WildFire continues to detect Locky, and AutoFocus identifies this threat under the Unit 42 “Locky” tag.

We continue to investigate Locky and EK traffic for applicable indicators to inform the community and further enhance our threat prevention platform.

Indicators of Compromise

Date/time range: 2016-03-15 and 2016-03-16
Gate IP address: 91.195.12.177
Gate domain: sed.poudelkamal.com.np
Nuclear EK IP address: 46.101.8.169
Nuclear EK domains: lotos.castrumtelcom.com.br , here.jninmobilaria.com.ar
Follow-up malware IP address: 46.148.20.32
Follow-up malware domain: js.cefora.com.ar
IP addresses from post-infection traffic caused by Locky ransomware:

  • 51.254.181.122
  • 51.255.107.8
  • 78.40.108.39
  • 149.202.109.205

Exploits and malware noted:

  • Description: 2016-03-15 Nuclear EK Flash exploit
  • SHA256 hash: 94bd74514cc9e579edf55dd1bac653ceca1837d930d109c6e701afe309b23310
  • Description: 2016-03-16 Nuclear EK Flash exploit
  • SHA256 hash: 4228036684f4f519704a102cd9322ac9edb1bfb5b20558a7a6873818f0e6a7b4
  • Description: 2016-03-15 Nuclear EK payload – Locky ransomware
  • SHA256 hash: faf4f689683f3347738ef0a8370a78d504b513d44f3a70f833c50de3d138c3b2
  • Description: 2016-03-16 Nuclear EK payload – file that downloaded Locky ransomware
  • SHA256 hash: a9dac0a0389c463b063cb30f647b3d1610e6052570efe2dfb1fca749d8f039fc
  • Description: Locky ransomware downloaded by Nuclear EK payload (soft.exe)
  • SHA256 hash: cc2355cc6d265cd90b71282980abcf0a7f3dcb3a608a5c98e7697598696481af

[Palo Alto Networks Research Center]

Watering Holes: Chief Marketing Officers, CISOs Need to Talk

Not many organizations are using their often substantial marketing budgets to protect their brands.  Brand protection must include the protection of corporate web sites, as the incidence of watering hole attacks continues to climb thus compromising web sites and leveraging brands against the very constituencies of enterprises.

Last year we saw a 148 percent increase in watering hole attacks, according to a Trend Micro report. They have become more common as the cyber world is inundated with the Big Five exploit kits, including Sweet Orange, Angler, Magnitude, Rig and Nuclear. Here is how ISACA defines watering hole attacks:

The term “watering hole” denotes a technique whereby end users visiting a certain web site are covertly redirected to another web site that will deliver malware to the user IT environment. First identified in 2012 by RSA, a watering hole attack typically requires considerable effort in intelligence gathering and preparation.

Given the amount of preparation required to deploy a successful attack, watering holes are often directed against larger organizations and their end users, with the intent of luring as many users as possible to the watering hole. Their comparatively expensive preparation phase means that watering holes are not normally directed against individuals or the general public.
From ISACA’s Threats and Controls Tool

When a web site is compromised it hurts the brand. No longer is the issue simply about security; it is about brand protection. To protect the brand, work must be done to insulate it from watering hole attacks. That means investing the time and money required before a web site goes live to ensure the brand is protected. This can be a spendy proposition, though it pales in comparison to many marketing department budgets. The cost is substantially lower, however, than the bill to repair a damaged brand and corporate reputation.

Unfortunately, not many companies are allocating marketing dollars toward cybersecurity with the goal of protecting their brands and web sites. What has to happen—at every enterprise—is the chief marketing officer (CMO) needs to have a conversation with the chief information security officer (CISO) about what they both will do to maintain and secure their web site to keep it from becoming a watering hole.

Both need to understand critical details around protecting the web site and the brand. Who owns the web pages? Who owns any WordPress pages? Is a contractor involved in creating or maintaining the pages? Are patches being installed? Are we instituting regular updates? Have we tested for the top OWASP vulnerabilities before the site has gone live? Do we have an incident response plan for when it turns into a watering hole? Will we need to take down part or all of our web site after an attack?

These are important questions that will require contributions from CMOs and CISOs working together to address this potentially catastrophic issue. The CMO brings substantial financial resources, along with in depth knowledge of brand management, the company’s brand and its web pages. The CISO, of course, brings IT and cybersecurity knowledge.

Timely software updates, web application testing, network traffic detection and using big data analytics to correlate well-known advanced persistent threat (APT) activities can help prevent or limit watering hole attacks, but ultimately what needs to happen in organizations around the world is CMOs need to wake up to reality and collaborate with their CISOs.

Note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Tom Kellermann, CISM, CEO, Strategic Cyber Ventures

[ISACA Now Blog]

Connect to Protect: CSO Thoughts from RSA 2016

The theme of this year’s RSA Conference was “Connect to Protect,” promoting connections among the information security community, IT and other parts of the enterprise, and private and public sectors. It was the 25th annual event, which saw 40,000+ attendees and more than 550 vendors in the expo hall showing off their wares.

Over a number of days, keynotes from industry leaders addressed the need to do something different. Debates focused on the Internet of Things, industrial control systems, encryption, artificial intelligence and machine learning, crowdsourcing, and more, with many reflecting on current industry news.

Here are some of the highlights and themes of the week that particularly interested me:

Innovation Sandbox

In the top 10 finalists battle for the title of the “Innovation Sandbox” session, each vendor had three minutes to pitch to a panel of judges why their solution will have the greatest impact on information security in 2016. Phantom was the contest winner, describing how a typical enterprise has over 50 security solutions and nothing interoperates. Their solution tries to solve this by offering an open and orchestrated security platform.

Many vendors were talking about the need for security orchestration and how, in light of the challenge to hire skilled talent, teams need help integrating security tools and workflows. The industry needs to work together to make it easier for security professionals to do their job. The other side to this is the need to consolidate security solutions into a platform and move away from siloed approaches to solving security challenges.

Threat Intelligence

A very big theme that many vendors were talking about was threat intelligence. Whilst not new, it has evolved over the years to the point where many organisations are grappling with what to do with all of the data. We have seen various threat feeds being bundled into security solutions, web portals offering the latest security bulletins, indicators published on an ad hoc basis, and vendors trying to establish their own standards as opposed to aligning with industry- and community-based standards, such as STIX and TAXII. Whilst STIX and TAXII had evolved, security solutions and processes had not. Manual efforts were still required to be fed directly into the systems and, typically, required additional processing and analysis of raw information before being used.

The goal here is to provide as much end-to-end automation as possible, to collect the raw information from various sources, normalise the data as no one source looks the same, de-duplicate the data, age out the data, and the final piece is to use the data automatically in security solutions. As an industry we need to move away from manual analysis in processing the raw information. We need to be able to automate the enforcement to prevent an attack from taking place or the attackers from achieving their objective.

Skillset Shortage

The shortage of skills was mentioned during keynotes and in a lot of sessions I visited. When we look at the continuing rise of successful cyberattacks, as well as the growing focus on cybersecurity in businesses today, this has created the need for more skilled security professionals. This is an area that is often debated and was no different at RSA, with many saying that there aren’t enough people entering the field with the required skills, that the education and required skills may not necessarily be taught, and that the required skills are not necessarily taught but rather learned on the job. Unlike many industries, security is not a stand-alone discipline; it is actually a discipline within the computer field. Treating it otherwise is a mistake.

At the same time, businesses need to learn to foster these types of skills to be taught, looking at developing new processes and even operational models. Businesses should look to have programs in place to identify competent professionals within their own organisation and offer them jobs and training that will arm them with the security expertise needed. Whilst throwing more people at the security challenges, it is time businesses look to leverage other ways they have built, run and managed security in their environments and look to automate as much as they can.

When relating these themes to Asia-Pacific, I see that we are no different to the rest of the world. These are global challenges; and, in Asia-Pacific, we need to all work through these challenges together. The cyber attackers don’t discriminate against industries and geographies. Organisations in Asia-Pacific need to automate as much as possible. We, like every other part of the world, have a skillset shortage challenge. Like many organisations and governments, we are working to solve that by funding from industry to build security curriculum to be taught in higher education, governments investing in internship programs, we need to think about doing things smarter. Automation is key here. We need to work on preventing attacks, detecting the unknowns and closing the time it takes to turn them into known threats and provide this timely threat intelligence to everyone else – across all industries in Asia-Pacific.

In keeping with the theme of RSA, we need to connect as many people and businesses together as we can to solve the security challenges facing all of us. Security needs to be a team sport. Collaboration is something we need to continue to do more of across industries and between the public and private sectors. Working in siloes and not sharing what we have learned will only slow us down in our mission: to defend our people, organisations and information.

[Palo Alto Networks Research Center]

Are We Winning the Cyber War? A Look at the State of Cybersecurity in 2016

Who is winning the cyber war—the criminals and hackers or network and system defenders?  ISACA and RSA Conference wanted to answer this question so we conducted the second annual State of Cybersecurity study, which was released today at the RSA Conference.

The data shows us that the answer is a bit unclear. Cyber attacks are still pervasive. We are still experiencing many of the same attack types that have plagued organizations for years. And it is increasingly difficult to hire fully capable cyber-practitioners and others who are part of the enterprise assurance and risk management network. The good news is that executives and board members are very concerned. They recognize that cyber threats are harming the bottom line and that—if they want to deploy leading-edge technologies and offer new technology-based services and products—they need to ensure that security is designed in and that personal information is protected.

One-third of the 461 cyber and information security specialists who participated in the study reported that their organization was a cyber-victim in 2016. While this is a high number in itself, an additional 20 percent did not know if their organization had been a victim. When asked about the frequency of attacks, the largest number (23 percent) reported experiencing cyber-attacks at least quarterly. The most frequent attacks were phishing, malicious code incidents, physical loss of computing or mobile devices, and hacking. As you might expect, the experience of attacks on a daily, weekly or monthly basis were reported less frequently. An alarming trend is that 54 percent of study participants did not know how frequently they experience cyber-incidents. While 73 percent believed they were able to detect and to respond to incidents, 42 percent felt they could only do so for simple attacks. In an era of increasingly sophisticated and persistent attacks, being able to identify and respond to attacks is imperative.

Board and executive concern and support for cyber activities are increasing. Eighty-two percent of security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity. This is not surprising given the higher level of awareness about cyber in general and the number of high profile attacks that we have recently seen. Executive support for cyber is essential. We find that executive support for enforcing security policy (66 percent) and providing needed funding (63 percent). The challenge is that less than half of executives follow good security practices themselves (43 percent) or mandate cyber awareness (59 percent). Cyber is not only a technical problem. Many attacks target the weakest link, executives who do not follow good practices, and employees who are security unaware.

Technical solutions to address cyber threats are getting better. We have all witnessed how technology vendors are enhancing current products. New startup companies are bringing very exciting products to the market. These however will not solve the problem alone. More important is the need to address the critical shortage of skilled cyber practitioners. Security executives are finding this difficult. The majority (54 percent) reported that it takes from three to six months to find a candidate. Less than half of these candidates (59 percent) are fully qualified on hire. Slightly more than 60 percent lack the required technical skills. Three quarters do not have the necessary understanding of the business to be effective. Slightly more than 60 percent do not have needed communication skills. Security will never be effective if new practitioners don’t have a strong technical understanding, the ability to address cyber-risks in business language, and if they cannot clearly and concisely communicate security issues.

While technology will help us meet cyber-challenges, it is also creating new opportunities for compromise. Cyber specialists are concerned about the rapid development of artificial intelligence products as well as the Internet of Things (IoT). We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked. More than half of those participating in the study are concerned or very concerned about the risk associated with the IoT. Forty-two percent believe that cyber risk associated with artificial intelligence will increase in the short term and 62 percent believe that risk will increase in the long term.

So, are we winning the cyber war? Not yet. We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding. We are building our capabilities by deploying good technologies, but we don’t have sufficient skilled staff to bring to the battle. We still have too many leaders who say they support cybersecurity but do not consistently follow best practices or encourage cyber awareness in the enterprise.

To further complicate things, advanced technologies are expected to gain wide acceptance when we are still unsure about the risk they represent. The good news is that the challenges we are experiencing can be solved. We see increased attention to cyber by governments, research institutes and enterprise decision makers. Public awareness is increasing. Programs are being offered to solve the skill shortage. With skills-based training and performance-based testing, we are building the front line defenders and responders capable of engineering strong defenses and aggressive response plans.

Note: For the full survey report and related graphic, visit www.isaca.org/state-of-cybersecurity-2016. Hale will present a webinar on the study results and their implications on 8 March. Registration is open here.

[ISACA Now Blog]

English
Exit mobile version