New Spam Technique: .CPL File Use

Email remains the primary means of business communication, and so cybercriminals and other attackers routinely use it as their way into corporate networks. Surveys consistently find that most organizations, large enterprises included, send and receive confidential data through corporate email accounts, which makes the inbox a natural target.

As early as September 2013, we saw a rise in spam carrying malicious Control Panel (.CPL) files as attachments. In the past, spammers typically used .ZIP or .RAR archives. In one financial spam run, the attachment was a malicious .RTF file with an embedded .CPL file, which we detect as TROJ_CHEPRO.CPL. The .RTF file displayed the embedded object as a clickable image; clicking it ran the .CPL file.

A .CPL file is a Control Panel applet: technically a Windows DLL that the Control Panel host loads and executes when the file is double-clicked, so it runs code just as an .EXE does, under an extension that users rarely recognize as executable. That is probably why cybercriminals now use them more often to spread malware. Some CPL malware, TROJ_CHEPRO.CPL included, downloads data-stealing malware such as TSPY_BANCOS.CVH when executed. TSPY_BANCOS.CVH gathers system information and text files and monitors transactions on sites like PayPal, Facebook, Google, and Hotmail. As usual, the stolen data can be used in future attacks.

For this reason, we recommend blocking .CPL attachments at your email gateway, including .CPL files carried inside archives or embedded as objects in documents such as .RTF files.
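The check an email gateway needs here goes beyond matching the filename: a .CPL is a PE image, so a renamed executable can be caught by its MZ header, and an .RTF carrier can be caught by decoding the hex stream of its embedded OLE object. The following is an added example written for this page, not code from the original article or from any product it mentions. The message it scans is constructed inline (a fake PE stub standing in for the .CPL, an .RTF embedding the same stub, and a harmless PDF); the extension list and the "MZ followed by PE\0\0" heuristic are the author's assumptions, not a vendor signature.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click. A .cpl is a Control Panel
# applet: a PE DLL that the Control Panel host loads and executes, so it belongs
# with .exe and .scr rather than with document types. (Assumed list.)
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# RTF stores an embedded OLE object as a hex stream inside {\*\objdata ...}.
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9a-fA-F\s]+)")


def looks_like_pe(blob):
    """True if blob carries a DOS 'MZ' stub followed later by a 'PE\\0\\0' signature."""
    mz = blob.find(b"MZ")
    return mz != -1 and blob.find(b"PE\x00\x00", mz) != -1


def rtf_embeds_pe(rtf_bytes):
    """Decode every \\objdata hex stream in the RTF and look for a PE image inside."""
    for match in OBJDATA_RE.finditer(rtf_bytes):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated stream
            hexdata = hexdata[:-1]
        if looks_like_pe(bytes.fromhex(hexdata.decode("ascii"))):
            return True
    return False


def scan_message(raw_bytes):
    """Return (filename, reason) for every attachment the gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension " + ext))
        elif data.startswith(b"MZ"):
            # renamed executable: the header, not the extension, is authoritative
            findings.append((name, "PE header behind extension " + (ext or "(none)")))
        elif ext == ".rtf" or data.lstrip().startswith(b"{\\rtf"):
            if rtf_embeds_pe(data):
                findings.append((name, "RTF with an embedded PE object"))
    return findings


def build_sample_message():
    """Constructed test message: a .CPL attachment, an RTF carrying the same PE
    stub as an embedded object, and a harmless PDF. None of this is real malware."""
    fake_pe = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 20
    rtf = (b"{\\rtf1\\ansi Click the icon to view your statement."
           b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
           + fake_pe.hex().encode("ascii") + b"}}}")
    msg = EmailMessage()
    msg["From"] = "billing@bank.example.invalid"
    msg["To"] = "user@corp.example.invalid"
    msg["Subject"] = "Your account statement"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Statement.CPL")
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="statement.rtf")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Running the script reports both the .CPL attachment and the .RTF carrier while letting the PDF through. The RTF check is a heuristic: a real gateway would also extract archives and inspect OLE `Ole10Native` streams, but the point is that the extension alone is not what makes the attachment dangerous.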


2013’s Most Notable Spam Trends

As one of the Internet’s most enduring threats, spam went through very notable changes in 2013.

The Death of the Blackhole Exploit Kit

The Blackhole Exploit Kit, one of the most notorious exploit kits, was used in numerous spam campaigns. It adapted quickly to current events, incorporating exploits for newly disclosed vulnerabilities and the latest social engineering lures to infect computers and deliver damaging payloads.

2013 saw 198 Blackhole Exploit Kit spam campaigns, considerably fewer than the year before. The drop can be explained by the arrest of the kit's alleged creator, Paunch, in early October 2013. Two weeks after the arrest, Blackhole spam volume fell significantly, and the runs disappeared completely in December 2013.

Health Spam

The third quarter of 2013 saw a dramatic increase in health-related spam, which made up nearly 30% of total spam volume. At around 2 million messages a day, it pushed weight-loss tips, pharmaceutical product promotions, and the like. The messaging also changed in how it persuaded recipients to click embedded links. In the past, health-related spam was very direct: a product image and a few sentences urging the recipient to click. It has become more subtle, using newsletter templates with featured anecdotes and quotes from supposed health experts, most likely to appear more legitimate and to slip past anti-spam filters.

Malware Attachments

In 2013, malicious spam usually carried ZBOT/ZeuS malware until halfway through the third quarter, when TROJ_UPATRE ousted it. By November, 45% of all malicious spam carried UPATRE strains, downloaders known for fetching other malware, including ZBOT/ZeuS and CryptoLocker variants, onto already-infected computers. Unlike ZBOT/ZeuS, which is notorious for stealing data, CryptoLocker encrypts the files on an infected computer and on any network drives it can reach, leaving the data unusable unless a ransom is paid.

Basic Spam Safety – Suggestions for everyone

While spam has certainly changed and will continue to do so, the ways to avoid becoming a victim remain the same. To stay safe we recommend:

  • Immediately delete suspicious mail from unfamiliar senders.
  • Never open attachments or click links that come with suspicious mail.

Ransomware – a real and present danger

A few weeks ago, I had one of our clients open an email from a legitimate sender that contained a .zip file.

This wasn’t exactly normal correspondence, but it also wasn’t unusual to be contacted via email by this contact.

Shortly after, I was called and informed it appeared they had a virus. They said a strange pop-up warning message came up and they couldn’t get rid of it.

“Please don’t click anything anymore,” I replied. I asked if it resembled their antivirus alerts or had any reference to their web filter. They told me that less than a minute after the .zip file was opened, they got the 72-hour countdown screen from CryptoLocker stating that they needed to purchase the $300 encryption key or all data would be encrypted and useless.

I told the person to unplug the PC from the network and cut off the power. They would have to work from another station until we could send over someone to take care of it.

I walked out with the infected piece of hardware under my arm.

I got back to my office and started researching CryptoLocker while I allowed scans on the machine with no network connections. I downloaded the latest version of Malwarebytes to an empty flash drive and loaded that to the machine as the first scan finished with no results. I started a full system scan with Malwarebytes and went back to researching what I could about this particular virus, and testing nodes of shared files and drives.

It looked like it favors user-modified documents with MS Office, Adobe, and .txt type extensions. I followed file paths he had rights to and BAM every single document would produce the same error message: “This file cannot be opened because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.”

If I forced a file to display contents it was a massive garbled mess of displayed encryption. I had to restart the Malwarebytes scan two times before I decided it was a waste of time. I needed to re-image the machine and move on to backups.

In that short amount of time while the machine was connected to the network, it had infected all of the documents on the PC and nearly 80 percent of the public drive the user had read/write access to, which was highly relied upon by employees of all types at that client.

This being Monday, I decided to restore from Friday. I wanted to skip any chance of reviving a virus I presumed dead on this one machine and stopped all current backup tasks.

I ended up copying the 214 GB backup file to a different location and gave a new service account access to it. It worked. I was able to browse the backup file tree and restore the portion that was corrupt.

All in all, the ransomware spread incredibly fast, and all documents, be they Office file types, .txt, or .pdf, were unreadable even if they did open. Lesson to everyone: pull that computer off the internet and network as soon as you can. Otherwise massive encryption follows, and all network drives and cloud-stored files are destroyed.
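The symptoms in the account above, Office files that fail with a format error and .txt files that display as garbage while names and extensions stayed the same, are exactly what a triage script can key on when scoping a restore: an intact file starts with the header its extension promises, and ciphertext does not. The following is an added example written for this page, not code from the original article or any tool it names. It builds a constructed sample share in a temporary directory (three intact files, three whose contents are replaced with random bytes as stand-ins for encrypted documents) and flags files whose leading bytes contradict their extension or, for plain-text types, look like ciphertext. The magic-byte table and thresholds are the author's assumptions.

```python
import math
import os
import random
import shutil
import tempfile

# Leading bytes ("magic") an intact file of each type must start with. Assumed
# table; extend it for the document types your share actually holds.
ZIP_MAGIC = (b"PK\x03\x04",)
OLE_MAGIC = (b"\xd0\xcf\x11\xe0",)
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC, ".zip": ZIP_MAGIC,
    ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path, sample_size=4096):
    """Return a reason string if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if ext in MAGIC:
        if not any(head.startswith(m) for m in MAGIC[ext]):
            return f"header does not match {ext}"
        return None
    if ext in TEXT_EXTENSIONS and head:
        printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
        if printable / len(head) < 0.7:
            return "text file is mostly non-printable"
        if shannon_entropy(head) > 7.2:
            return "text file has ciphertext-like entropy"
    return None


def find_suspect_files(root):
    """Walk a tree and return [(relative path, reason)] sorted by path."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                suspects.append((rel, reason))
    return sorted(suspects)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_sample_tree(root, seed=1):
    """Constructed share: three intact files and three whose contents were
    replaced by pseudo-random bytes, standing in for encrypted documents."""
    rng = random.Random(seed)
    intact = {
        "finance/report.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n",
        "finance/budget.xlsx": b"PK\x03\x04" + b"\x00" * 200,
        "hr/notes.txt": b"Meeting notes\n- onboarding checklist\n- payroll cutoff\n" * 20,
    }
    for rel, data in intact.items():
        _write(root, rel, data)
    for rel in ("finance/forecast.docx", "hr/handbook.pdf", "hr/readme.txt"):
        _write(root, rel, bytes(rng.getrandbits(8) for _ in range(4096)))


def demo():
    """Build the sample tree in a temp dir, triage it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="triage-")
    try:
        build_sample_tree(root)
        return find_suspect_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a real share (`find_suspect_files(r"\\server\public")`), the output is the list of paths to restore from backup; everything else can be left in place. Read the share from a clean machine with read-only access, and do it only after the infected workstation is off the network, as the author did.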

Security and Threats Update

Symbiotic Malware
(July 1, 2013)

Researchers have discovered two pieces of malware that help each other keep a foothold on the computers they infect. The two strains, known as Vobfus and Beebone, download updated versions of each other, and the newest versions are often not yet recognized by malware detection programs. Vobfus spreads through malicious links on websites, over network shares, or on USB drives, and is normally the first of the two to infect a machine. Once installed, Vobfus downloads Beebone, which recruits the infected machine into a botnet.

Even if Vobfus is detected and removed, it may already have downloaded an undetected Beebone variant, which can in turn download an undetected variant of Vobfus.

Defeating the pair is tricky because Vobfus is so good at travelling across networks. Besides keeping software up to date, we recommend disabling the “autorun” feature, since Vobfus abuses it to install itself from USB drives. People should also be wary of clicking links on external websites to avoid falling victim to booby-trapped URLs.

Nasty Malware Targets South Korean Government and Media Networks
(June 28, 2013)

The recent cyber attacks against South Korean government and media networks have been found to involve malware that wipes data from hard drives and makes computers unusable. The malware, called Korhigh, permanently deletes data and overwrites hard drives’ master boot records and bears similarities to malware used in attacks on South Korean websites earlier this year.

Atlassian Fixes Vulnerability in Crowd Single Sign-On Tool
(July 1, 2013)

Atlassian has fixed a critical security issue in its Crowd single sign-on and identity management tool that could have been exploited by hackers to gain access to login credentials and sensitive data. Crowd is used by 1,000 organizations, including government agencies, banks, software companies, and telecommunication companies, in 55 countries.

Security Flaws in Phone App Library
(June 30 & July 1, 2013)

Vulnerabilities in the GNU ZRTPCPP open-source security library, which is used by several applications offering end-to-end encrypted phone calls, could be exploited for arbitrary code execution or to crash the applications. The three issues are a remotely triggerable heap overflow, stack overflows, and an information leak.

ZRTPCPP is a C++ implementation of the ZRTP cryptographic key agreement protocol for VoIP (voice over IP) communications designed by PGP creator Phil Zimmermann.

Following the recent reports about the U.S. National Security Agency’s data collection programs that appear to cover Internet audio conversations, there’s been an increased interest into encrypted communication services from end users.

The vulnerabilities were found while evaluating the security of products that offer encrypted phone calls. Patches have been added to the ZRTPCPP code repository on GitHub, and Silent Circle has updated its own apps on Google Play and Apple’s App Store with fixes.

Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots show how varied mobile threats have become. That this malware can evade detection and lead to further infections makes the discovery more troubling.

Access Through Fake Apps

Malware like ANDROIDOS_KSAPP.A was distributed through a third-party app store, repackaged as gaming apps. Once installed, the malicious app downloads a script from remote sites and parses it; the script contains commands that a remote attacker can execute on the affected device. The app can also expose the device to further infection through notifications and pop-up windows that prompt the user to install other, possibly malicious, files.

More Sophisticated Malware

What makes this malware notable is its ability to parse the downloaded script and equip itself with new ones. It can update its script to avoid antimalware detection, which makes it more sophisticated than the typical Android malware with backdoor capabilities.

These refined routines continue a mobile trend we saw last year: having started with social engineering baits, cybercriminals have since added newer attack methods. The discovery of this malware indicates that cybercriminals keep creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install them. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sift legitimate from suspicious apps.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options because of Apple’s reluctance to let third-party developers offer such solutions. We believe this will change this year: the threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will become available for them as well.

Dexter malware infects point-of-sale systems worldwide

Researchers from Israel-based IT security firm Seculert have uncovered a custom-made piece of malware that infected hundreds of point-of-sale (PoS) systems from businesses in 40 countries in the past few months and stole the data of tens of thousands of payment cards.

The malware was dubbed Dexter after a text string found in some of its components and infected Windows-based PoS systems belonging to big-name retailers, hotels, restaurants and even private parking providers.

The malware uploaded the stolen payment card data to a command-and-control server hosted in the Republic of Seychelles.

Since the attack is ongoing, it is hard to determine exactly how many PoS systems have been compromised so far, but it is probably between 200 and 300, Seculert’s Raff said. The total number of compromised payment cards is equally hard to estimate, but tens of thousands appear to have been compromised in the past few weeks alone.

The origin of the attackers is unclear, but strings found in the malware suggest that the developers are fluent English speakers.

The method used to infect these systems has not been determined yet, but given that many of them run Windows Server and are most likely not used for Web browsing, it is believed that the attackers probably compromised other computers on the same networks first and then infected the PoS systems.

When researchers found the Dexter sample, some antivirus programs already detected it as malicious, and those companies have since shared it with other vendors in the security industry.

Dexter scrapes card data from the memory of the PoS software, where it sits in the clear. Had the targeted companies encrypted the data on the hardware PoS terminal itself before passing it to the PoS system and on to their payment processor, a method commonly known as end-to-end (or point-to-point) encryption, there would have been nothing readable for Dexter to steal and attacks of this kind could have been prevented.

Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command-and-control protocol and grown to over one million infected computers globally. The concern with ZeroAccess is that it consumes the subscriber’s bandwidth for its fraud, which costs them money once they exceed their bandwidth caps. And once a computer is compromised, it can also be used to spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to circumvent the ad networks’ click-fraud detection by simulating normal human browsing: it keeps a relatively low click rate and follows redirects, accepts cookies and runs scripts as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth used by all that browsing adds up over time.
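The behaviour just described suggests a detection that does not depend on click rate at all: a human workstation is idle for most of the 168 hours in a week, while a bot that clicks around the clock shows activity in nearly every hour. The following is an added example written for this page, not code from the original report or from ZeroAccess research. It generates a constructed proxy log (an invented "timestamp client-ip url" format, one workstation that browses during office hours and one host that trickles a few requests every hour) and flags hosts whose hourly coverage of the observation window is near 100%. The 0.9 coverage threshold is the author's assumption.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log(days=3, seed=7):
    """Constructed proxy log, not from any real product: '<ISO time> <client> <url>'.
    10.0.0.21 is a human workstation (office hours, bursty); 10.0.0.57 is a bot
    making a low, steady trickle of ad clicks every hour of every day."""
    rng = random.Random(seed)
    start = datetime(2013, 7, 1)          # a Monday
    lines = []
    for hour in range(days * 24):
        t = start + timedelta(hours=hour)
        if 9 <= t.hour < 18 and t.weekday() < 5:
            for _ in range(rng.randint(20, 80)):
                ts = t + timedelta(seconds=rng.randint(0, 3599))
                lines.append(f"{ts.isoformat()} 10.0.0.21 "
                             f"http://news.example.invalid/{rng.randint(1, 9999)}")
        for _ in range(rng.randint(2, 4)):
            ts = t + timedelta(seconds=rng.randint(0, 3599))
            lines.append(f"{ts.isoformat()} 10.0.0.57 "
                         f"http://ads.example.invalid/click?id={rng.randint(1, 9999)}")
    lines.sort()                          # fixed-width ISO timestamps sort as strings
    return lines


def hourly_activity(lines):
    """host -> {'YYYY-MM-DDTHH': request count}"""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, host, _url = line.split(" ", 2)
        counts[host][ts[:13]] += 1
    return counts


def flag_round_the_clock(lines, min_coverage=0.9):
    """Flag hosts active in at least min_coverage of all hours in the log window.
    Coverage, not volume, is the tell: the bot's per-hour count is tiny."""
    counts = hourly_activity(lines)
    first = datetime.fromisoformat(lines[0].split(" ", 1)[0]).replace(minute=0, second=0)
    last = datetime.fromisoformat(lines[-1].split(" ", 1)[0]).replace(minute=0, second=0)
    total_hours = int((last - first).total_seconds() // 3600) + 1
    report = {}
    for host, buckets in counts.items():
        coverage = len(buckets) / total_hours
        report[host] = {
            "coverage": round(coverage, 2),
            "mean_per_active_hour": round(sum(buckets.values()) / len(buckets), 1),
            "flag": coverage >= min_coverage,
        }
    return report


if __name__ == "__main__":
    for host, stats in sorted(flag_round_the_clock(build_sample_log()).items()):
        print(host, stats)
```

In the sample, the bot host covers every one of the 72 hours with only a handful of requests each, while the workstation covers well under half of them despite far more traffic. On a real network, servers, update agents and monitoring probes also run around the clock, so restrict the input to ad-network and unknown domains or allow-list known automated hosts before acting on a flag.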

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac, and now an iPhone app called ‘Find and Call’ turns out to upload the user’s contact list to a remote server. The server then sends email and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipients to download the app.

The app has since been removed from Apple’s App Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac, during the month of April 2012.