Security of blockchain-based smart contracts I

Recently, blockchain technology has been advocated as a game changer for many industries. Distributed ledger technology that has emerged out of Bitcoin has promising applications beyond digital currencies.

One of the most promising use cases of blockchain technology is the development of smart contracts.

Smart contracts are self-executing contracts, in which the terms are specified in code. Essentially, this means encoding legal contracts in computer code, which executes them automatically.

Whilst the concept has been around for a while, at least since Nick Szabo’s wrote up the concept in 1996, it was not until the advent of the Turing-complete Ethereum blockchain that smart contract use became common.

Contracts on the Ethereum blockchain exist at contract addresses and can be invoked by transaction calls.

Executing contracts written in code and stored on an immutable public blockchain creates certain risks and issues, which we will discuss in a general way in this post. In an upcoming second part, we will look at more specific examples of smart contract security vulnerabilities. [Read more…]

Linux.IotReaper Analysis

A couple of days ago we learned about the existence of a new threat IoT considerably more elaborated than any of the ones detected to date (, said botnet has been named by Netlab 360 as IotReaper. So, from the malware laboratory of S2 Grupo we have obtained and analyzed some of the related samples.


The infrastructure of the network is quite similar to that of the Mirai botnet, which is formed by four elements:

  • Report Server: Responsible for collecting the information sent by the bots.
  • Server Downloader: Responsible for providing malware samples via HTTP. The presence of an element allows the continuous incorporation of updates without the need to leave obsolete versions of the malware.
  • Server C2: Responsible for sending denial of service orders.
  • Bot: IoT device infected by the IotReaper botnet.

[Read more…]

Miners, miners everywhere!

It is evident that cryptocurrencies are fashionable. The price increase of, for example, Bitcoin with respect to last year is exponential, as can be seen in the following Coinbase graph:

Everyone, including cybercriminals, want to take advantage of this hype, and we have detected that, just as the price increase of Bitcoin or Monero (widely used in cybercrime) has been exponential, so has the activity of attacks related to the distribution of miners who plan to compromise computers and get our electricity for free.

So far this year we have detected an increasing tendency to distribute miners. Through a specific technique, they use vulnerabilities in the insecure processes of “deserialization” of Java objects to, after exploiting them, download and execute the miner on the compromised server or computer. These vulnerabilities, although not new, are trying to be exploited by numerous groups of criminals. [Read more…]

Templates with bad intentions

A few days ago while analyzing several emails I came across one that contained a suspicious attachment. It was a .docx document that at first glance had nothing inside but it occupied 10 kb.

The mail had passed all the barriers, both SPF, as the two antiviruses that gateways have, and also the anti-spam filter.

The .docx file can be treated as a tablet. Once extracted its content, I began to analyze all the files in the directory in search of domains or IP addresses that could be seen clearly:

And I managed to find something interesting inside the path word/_rels/document.xml.rels where the following appears:
[Read more…]

Droppers from Locky Ransomware with extra anti-Sandboxing

Recently an old acquaintance has returned to his old ways. This is the Ransomware “Locky”, which about a year ago was very active through #Malspam campaigns (Spam Mail with the purpose of installing malware in the victim’s system) mostly with scripting files such as “.js “,” .wsf “or” .vbe “. Since then it has continued to maintain activity, although to a lesser extent.
Recently they have started a new campaign in which they use .doc (MSOffice Word) files with macros, like the following:

[Read more…]

JAFF Ransomware via PDF attachment with Doc

We continuously receive phishing emails coming from a variety of sources, often containing attachments with malicious payloads. In this case the attachment was a bit more interesting because it embedded a .docm file inside a .pdf file.

The email that arrived to our servers had “Order” as subject, and no visible content, only a p(paragraph) HTML entity with an empty symbol, but fun was on the attachment.

Attack stages

The attachment was a proper PDF file that contained a .docm file embedded. Once you opened the pdf file de docm would unpack and execute its macros leading to the download of a file that, once repacked by the macro on execution, would be executed in the system.
[Read more…]

Simple domain fronting PoC with GAE C2 server

In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.

The goal

When we have everything ready, we will have a webservice at which we can use from a compromised Windows machine in the following way; we will have a command and control channel (on the path /e2e7765b71c1, as an authenticator):
[Read more…]

Camouflage at encryption layer: domain fronting

In today’s post we are goint to talk about a somewhat old technique (although programs like Signal have recently started using it) that I have always found to be a really clever hack:
domain fronting.

For example, let’s take the IP address of the frontal that serves

$ host has address

If we take a look at the Common Name (CN) field of the TLS certificate returned by the server: [Read more…]

Malware Trends. December 2016

During this month of December we have observed from the malware laboratory of S2 Grupo various threats that we once again wanted to share with you. In this type of entries we will find known threats, seen in other sources or analyzed directly in our laboratory, but the goal of the post is to know what kind of threats have been active throughout this last month.

Here is a diagram with the information collected this month from the lab:


First of all, we would like to highlight the break that Locky has at least given us this month, with a tremendously reduced SPAM compared to the previous two months. This does not mean at all that it has disappeared, rather, many have been arriving at emails with texts of “subject:” such as the following: [Read more…]

The Russian ICC (V): FSB

As we have indicated in previous posts, the FSB (Federal’nya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI; directed by Army General Alexander Bortnikov, whose breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB -and its budget- as well as the presence of former Service members in the whole of Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance.

Regarding the cyber domain, the FSB has a wide range of technical and regulatory powers: although it is a service dedicated to internal intelligence, it has authorization for external intelligence actions, theoretically coordinated with the SVR. Among others, he is responsible for the security of information at the federal level, something similar to a police force to use or at least to the Information Services -with the corresponding name in each case- of a police force. In this area it has the attributions – and obviously, capacities – SIGINT operative for the interception of communications in the State: since 1995, it has the legally constituted right to monitor telephone lines, open mails and monitor Internet traffic ([1]). The FSB operates the system called SORM for this purpose, to which Russian Internet service providers must facilitate the work by deploying capabilities that they must also pay out of pocket. This system is operated by an FSB group initially designated UKIB (Computer & Information Security Directorate), Directorate R, heir to the KGB and focused especially on the fight against cybercrime and terrorism. The successor of this Directorate is the Information Security Center (CIS) of the FSB, framed in the Counterintelligence Directorate (SKR), the Second Directorate of the FSB and also identified as the Military Unit (VCH) 64829 or the Center number 18. SORM, which we will speak about in other posts as an example of “collaboration” of companies with the Russian intelligence services, deals, like the FSB mainly does, with the interception of data in the “Russian Internet”, where CIS is responsible for surveillance and counterintelligence, also working closely with Directorate K of the Russian Ministry of the Interior, responsible for combating cybercrime ([2]).

A priori, these CIS surveillance and counterintelligence capacities should be focused on Russia, without directly impacting the outside of the country; however, even though the FSB and within it the CIS are focused on inner intelligence, its actions may be directed against that focus but against Russian interests outside its borders, including elements considered to be disturbing according to Russian criteria (this may include attack on terrorist objectives … or simply political) and even with police powers of investigation and prosecution of such elements.

The Center for Electronic Communications Surveillance (TsRRSS), identified as FSB unit 71330 and focused on ELINT, has electronic spying and cyberespionage capabilities (communications interception, decryption …). This Center (number 16) is hypothetically the main offensive capability of the FSB, including operations outside Russia, as opposed to groups such as the CIS, described above and focused especially on defensive and surveillance tasks. Its internal structure is classified, and its responsibilities include the operation and processing of electronic communications.

The Center for Special Communications and Information Protection (TsBISS) provides the FSB with protection against cyberattacks or third party intrusions. From this Center, there have been peculiar (or interesting) initiatives such as the request to prohibit services such as GMail, Hotmail or Skype in Russia, as their use may constitute a threat to national security. A comment by the Center’s director in 2011 which caused a great stir at the time in social networks but that, much more interesting than the relative turmoil on the privacy and freedom of the users, was the moment in which it was published, marked by facts as transcendent as Arab spring or the Russian legislative elections.

Another interesting group in the cyber environment within the FSB is the Communications Security Center (CBS FSB, Vch 43753), which is part of the Eighth Service Directorate and is responsible for the logical protection of government communications through product accreditation and certification of safety standards, a kind of equivalent to the Certification Office of the Spanish CNI. Also in this sense, TSLSZ (translated approximately as Center for Licensing, Certification and Protection of State Secrets) is the branch of the FSB in charge of enabling organizations to handle classified information, in this case something similar to the attributions of The National Security Office in the CNI.

Finally, as a group with no offensive capabilities, cyber training activities within the FSB are the responsibility of the Institute of Cryptography, Telecommunications and Information Technology (IKSI), in the Service Academy, which trains specialists in cybersecurity not only for the FSB but also for other Russian Services… or for industry.

To try to summarize this structure, a summary table of the main groups or centers directly related to SIGINT or CNO dependent on the FSB is shown below:

Center ID Unit Function
Center for Information Security FSB CIS 64829 SORM. Search and surveillance
Center for Electronic Surveillance of Communications FSB TSRRSS 71330 Attacking capacity/td>
Centre for the Security of Information and Special Communications TsBISS N/A Defense against foreign intrusions
Communications Security Center FSB CBS 43753 Accreditation of products and services
Center for Licensing, Certification and Protection of State Secrets FSB TSLSZ N/A Security clearance
Institute of Cryptography, Telecommunications and Computer Science IKSI N/A Training

[1] Roland Heickerö. Industrial Espionage and Theft of Information. In Proceedings of the 14th European Conference on Cyber Warfare and Security. Nasser Abouzakhar (Ed.). University of Hertfordshire. Julio, 2015.
[2] Taia Global. Russian Federal Security Service (FSB) Internet Operations Against Ukraine. Taia Global, 2015.