Android.MisoSMS: It's Back! Now With XTEA

FireEye Labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft.

Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.

FireEye Mobile Threat Prevention customers are already protected from both variants.


From Windows to Droids: An Insight in to Multi-vector Attack Mechanisms in RATs

FireEye recently observed a targeted attack on a U.S.-based financial institution via a spear-phishing email. The payload used in this campaign is a tool called WinSpy, which is sold by the author as a spying and monitoring tool. The features in this tool resemble that of many other off-the-shelf RATs (Remote Administration Tools) available today. We also observed a second campaign by a different attacker where the WinSpy payload was implanted in macro documents to attack various other targets in what appears to be a spam campaign.

The command-and-control (CnC) infrastructure used in the attack against the financial institution is owned and controlled by the author of WinSpy. This does not necessarily mean the author is behind the attack, because the WinSpy package offers the author's own server for command and control and for storing victim data as the default option. This shared command-and-control infrastructure, intentionally or not, provides another level of anonymity and deniability for the attacker.

While analyzing the Windows payloads for WinSpy we discovered that it also had Android spying components, which we have dubbed GimmeRAT. The Android tool has multiple components that allow the victim's device to be controlled remotely from another mobile device over SMS messages, or alternatively through a Windows-based controller. The Windows-based controller is simplistic and requires physical access to the device. The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in the interest of malicious actors in controlling mobile devices. GimmeRAT is another startling example of malicious actors venturing into the Android ecosystem.

MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages

FireEye has uncovered and helped weaken one of the largest advanced mobile botnets to date. The botnet, which we are dubbing “MisoSMS,” has been used in at least 64 spyware campaigns, stealing text messages and emailing them to cybercriminals in China.

MisoSMS infects Android systems by deploying a class of malicious Android apps. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China. FireEye Mobile Threat Prevention platform detects this class of malware as “Android.Spyware.MisoSMS.”

Here are some highlights of MisoSMS:

  • We discovered 64 mobile botnet campaigns that belong to the MisoSMS malware family.
  • Each campaign leverages Web mail as its CnC infrastructure.
  • The CnC infrastructure comprises more than 450 unique malicious email accounts.
  • FireEye has been working with the community to take down the CnC infrastructure.
  • The majority of the devices infected are in Korea, which leads us to believe that this threat is active and prevalent in that region.
  • The attackers logged in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

MisoSMS is active and widespread in Korea, and we are working with Korean law enforcement and the Chinese Web mail vendor to mitigate this threat. This threat highlights the need for greater cross-country and cross-organizational efforts to take down large malicious campaigns.

At the time of this blog post, all of the reported malicious email accounts have been deactivated and we have not noticed any new email addresses being registered by the attacker. FireEye Labs will closely monitor this threat and continue working with relevant authorities to mitigate it.


Dissecting Android KorBanker

FireEye recently identified a malicious mobile application that installs a fake banking application capable of stealing user credentials. The top-level app acts as a bogus Google Play application, falsely assuring the user that it is benign.

FireEye Mobile Threat Prevention platform detects this application as Android.KorBanker. This blog post details both the top-level installer as well as the fake banking application embedded inside the top-level app.

The app targets the following banks, all of which are based in Korea.

  • Hana Bank
  • IBK One
  • KB Kookmin Bank
  • NH Bank
  • Woori Bank
  • Shinhan Bank

Once installed, the top-level application presents itself as a Google Play application. It also asks the user for permission to activate itself as a device administrator, which gives KorBanker ultimate control over the device and helps the app stay hidden from the app menu.


Android Mobile: Following In the Windows Footsteps

FireEye discovered an email spam campaign, currently ongoing, which is dropping the well-known Android malware Android FakeDefender. Looking through our Dynamic Threat Intelligence (DTI) platform, we believe that this campaign started on the 6th of September.

Vector of Propagation

FireEye Labs has identified emails that are being used as part of this campaign. Below are some of the emails we noticed serving this malware. Once the user clicks on the link in the email from an Android device, the APK gets downloaded.

More Insights on the Recent Korean Cyber Attacks (Trojan.Hastati)

It is interesting to see how this malware attack in Korea focuses on wiping and destruction rather than information or data stealing. This attack is as much a cyber rampage as it is a cyber attack. In the past, attackers resorted to DDoS to take out a nation’s infrastructure, such as the 2007 attack in Estonia or the 2012 attack on American banks by a group claiming to be Iranian hacktivists.

The malware attack not only corrupts the master boot record (MBR), but also deletes the disk contents through direct access to PhysicalDrive, thus rendering the computer useless.

Additionally, the malware is time-based. This means that the malware was set to launch at a specific time: “14:00-20-Mar-2013.” Then the malware would check the Windows version and launch a thread that writes directly to the hard disk, thereby corrupting the MBR. Finally, it had evasion capabilities: the malware also checked for AhnLab anti-virus—a Korean product—and disabled it. This indicates that the attackers were explicitly targeting Korea. FireEye detects these malware attacks as Trojan.Hastati.

The Dingo and the Baby

SUMMARY:

FireEye has been tracking an APT campaign for a while, and we have noticed that this attack is currently active and targeting companies. In this case, the campaign uses the name of the company it targets in the CnC domain name. Data mining and hunting for further samples, we found that this malware consistently uses either the names of companies or a project that a specific company is working on in its CnC domain name to avoid raising any suspicion.

What does this have to do with dingoes and babies? The title comes from a string that we saw in all of the malware, called LetsGo/Merong, and its variants. Searching for the string on the Internet we found that it was referring to an article published by CNN about an unfortunate and sad episode in Australian history: http://articles.cnn.com/2012-06-12/asia/world_asia_australian-dingo-chamberlain-inquest_1_lindy-and-michael-chamberlain-dingo-australians?_s=PM:ASIA.


Operation Beebus

FireEye discovered an APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for some time now.

Infection Vector

We have seen this campaign use both email and drive-by downloads as a means of infecting end users. The threat actor has consistently used attachment names of documents/white papers released by well-known companies. The malicious email attachment exploits some common vulnerabilities in PDF and DOC files.


Backdoor.ADDNEW (DarkDDoser) and Gh0st, a match made in heaven?

At FireEye we monitor all kinds of attacks: targeted, non-targeted, and everything in between. We always try to figure out not just how a piece of malicious code works, but also whether and how it is related to other malware.

Gh0st has been much talked about, and there is a lot of good research out there on this RAT (Remote Access Trojan). This RAT has been used in many serious attacks, and a quick Google search on the Gh0st RAT will turn up many good articles that go into great detail about the versions and inner workings of the malware. However, this post is not about Gh0st. Very recently, while investigating some of these Gh0st infections, we identified another interesting piece of malware.

Possible Update to the Blackhole Exploit Toolkit

Pretty much everyone is aware of the BlackHole toolkit. We previously wrote a blog that compared the prevalence of various toolkits.

At FireEye, we trigger on thousands of BlackHole events every day across our customer base. We have recently seen reports that the toolkit has been updated. The following website gives you good details about what features have been included in the new toolkit: http://malware.dontneedcoffee.com/2012/09/blackhole2.0.html.

We immediately started looking through the FireEye Malware Protection Cloud (MPC) to see if the FireEye Virtual Execution engine in our appliances had seen instances of this new toolkit. (The FireEye Virtual Execution engine is our proprietary virtual machine technology that enables us to detect threats that have never before been seen.) Websense reported finding URLs in their blog, and we found a bunch of URLs—the earliest of which was detected on September 3, 2012.
