Miners, miners everywhere!

It is evident that cryptocurrencies are fashionable. The price increase of, for example, Bitcoin with respect to last year is exponential, as can be seen in the following Coinbase graph:

Everyone, including cybercriminals, want to take advantage of this hype, and we have detected that, just as the price increase of Bitcoin or Monero (widely used in cybercrime) has been exponential, so has the activity of attacks related to the distribution of miners who plan to compromise computers and get our electricity for free.

So far this year we have detected an increasing tendency to distribute miners. Through a specific technique, they use vulnerabilities in the insecure processes of “deserialization” of Java objects to, after exploiting them, download and execute the miner on the compromised server or computer. These vulnerabilities, although not new, are trying to be exploited by numerous groups of criminals. [Read more…]

Templates with bad intentions

A few days ago while analyzing several emails I came across one that contained a suspicious attachment. It was a .docx document that at first glance had nothing inside but it occupied 10 kb.

The mail had passed all the barriers, both SPF, as the two antiviruses that gateways have, and also the anti-spam filter.

The .docx file can be treated as a tablet. Once extracted its content, I began to analyze all the files in the directory in search of domains or IP addresses that could be seen clearly:

And I managed to find something interesting inside the path word/_rels/document.xml.rels where the following appears:
[Read more…]

Droppers from Locky Ransomware with extra anti-Sandboxing

Recently an old acquaintance has returned to his old ways. This is the Ransomware “Locky”, which about a year ago was very active through #Malspam campaigns (Spam Mail with the purpose of installing malware in the victim’s system) mostly with scripting files such as “.js “,” .wsf “or” .vbe “. Since then it has continued to maintain activity, although to a lesser extent.
Recently they have started a new campaign in which they use .doc (MSOffice Word) files with macros, like the following:

[Read more…]

JAFF Ransomware via PDF attachment with Doc

We continuously receive phishing emails coming from a variety of sources, often containing attachments with malicious payloads. In this case the attachment was a bit more interesting because it embedded a .docm file inside a .pdf file.

The email that arrived to our servers had “Order” as subject, and no visible content, only a p(paragraph) HTML entity with an empty symbol, but fun was on the attachment.

Attack stages

The attachment was a proper PDF file that contained a .docm file embedded. Once you opened the pdf file de docm would unpack and execute its macros leading to the download of a file that, once repacked by the macro on execution, would be executed in the system.
[Read more…]

Simple domain fronting PoC with GAE C2 server

In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.

The goal

When we have everything ready, we will have a webservice at myc2server.appspot.com which we can use from a compromised Windows machine in the following way; we will have a command and control channel (on the path /e2e7765b71c1, as an authenticator):
[Read more…]

Camouflage at encryption layer: domain fronting

In today’s post we are goint to talk about a somewhat old technique (although programs like Signal have recently started using it) that I have always found to be a really clever hack:
domain fronting.

For example, let’s take the IP address of the frontal that serves www.google.es:

$ host www.google.es
www.google.es has address

If we take a look at the Common Name (CN) field of the TLS certificate returned by the server: [Read more…]

Malware Trends. December 2016

During this month of December we have observed from the malware laboratory of S2 Grupo various threats that we once again wanted to share with you. In this type of entries we will find known threats, seen in other sources or analyzed directly in our laboratory, but the goal of the post is to know what kind of threats have been active throughout this last month.

Here is a diagram with the information collected this month from the lab:


First of all, we would like to highlight the break that Locky has at least given us this month, with a tremendously reduced SPAM compared to the previous two months. This does not mean at all that it has disappeared, rather, many have been arriving at emails with texts of “subject:” such as the following: [Read more…]

The Russian ICC (V): FSB

As we have indicated in previous posts, the FSB (Federal’nya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI; directed by Army General Alexander Bortnikov, whose breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB -and its budget- as well as the presence of former Service members in the whole of Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance.... Leer Más

The good news from Yahoo

yahoo_logo_detailYahoo has just acknowledged the theft of information relating to more than 1 billion customer account … in 2013. Yes, 3 years ago.

Faced with this situation, different interpretations can be found: either because of the analysis of the incident they suffered in 2014, which they reported in September they have extended the forensic analysis of what happened backwards and have discovered that in 2013 they had suffered the largest information theft ever suffered by a single company, or they already knew it and have decided to report it now before the news leaked out through another source. I can even think of a third possibility (and maybe even one of you could think a fourth): that it was a malicious leak now that Verizon is formalizing a bid for Yahoo.
[Read more…]

The Russian ICC (IV): A bit of history: FAPSI

fapsiWhen talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must by force mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent to the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI. Swedish Defense Research Agency, March, 2010.), which inherited the attributions and capabilities of the 8th (encrypted) and the 16th (Decryption and interception) General Directorates of the KGB. Among its functions there was the figure (cryptology and cryptanalysis), the interception of communications and even the incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although it also shows that an agency with more than 50,000 people was becoming a great uncontrollable monster, as it was with the KGB at the time. After transforming the Special Information and Communications Service, an agency heir to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services, the GRU and the KGB derivatives: SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among them. In fact, in his Putin’s Hydra: Inside Russia’s Intelligence Services, and European Council on Foreign Relations, May 2016, Mark Galeotti presents us with a curious graphic summary of the roles of the Russian intelligence community, from which we then select only the main services – at least in our cyber sphere:
[Read more…]