MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages

FireEye has uncovered and helped weaken one of the largest advanced mobile botnets to date. The botnet, which we are dubbing “MisoSMS,” has been used in at least 64 spyware campaigns, stealing text messages and emailing them to cybercriminals in China.

MisoSMS infects Android systems by deploying a class of malicious Android apps. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China. FireEye Mobile Threat Prevention platform detects this class of malware as “Android.Spyware.MisoSMS.”

Here are some highlights of MisoSMS:

  • We discovered 64 mobile botnet campaigns that belong to the MisoSMS malware family.
  • Each of the campaigns leverages Web mail as its CnC infrastructure.
  • The CnC infrastructure comprises more than 450 unique malicious email accounts.
  • FireEye has been working with the community to take down the CnC infrastructure.
  • The majority of the devices infected are in Korea, which leads us to believe that this threat is active and prevalent in that region.
  • The attackers logged in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

MisoSMS is active and widespread in Korea, and we are working with Korean law enforcement and the Chinese Web mail vendor to mitigate this threat. This threat highlights the need for greater cross-country and cross-organizational efforts to take down large malicious campaigns.

At the time of this blog post, all of the reported malicious email accounts have been deactivated and we have not noticed any new email addresses getting registered by the attacker. FireEye Labs will closely monitor this threat and continue working with relevant authorities to mitigate it.


Hacking a Revolution

[Image: Ukrainian protesters. (Credit: Ryan Anderson. Used under Creative Commons CC-BY-SA-3.0 license.)]

In April 2005, General Boris Miroshnikov, head of the Russian police’s cybercrime division (Department К for “Кибер” or “Cyber”), announced that Russian hackers were the “best in the world.”  At DEF CON 13 that year, I explained how Soviet scientists had honed their reverse engineering skills on Western products for decades during the Cold War. More recently, Western reporting such as Tom Kellermann’s “Peter the Great versus Sun Tzu” and FireEye’s “World War C” suggests that Eastern European hackers are still more advanced and stealthy than their peers around the world. Ukraine was even called the world’s newest “haven for hackers.”

So, given the current political crisis in Ukraine, it seems like a good time to ask, what role is there for computer hackers in political revolutions? And could computer hacking play a decisive role in this would-be revolution? If we assume that there are two basic antagonists in this struggle – the government and the protesters – which side benefits the most from the existence of a strong hacker culture?


Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs

This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.

Our report provides further proof that cyber espionage is a reality in today’s world. The attackers appear to have no financial incentive to hit these targets. Instead, the goal appears to be collecting time-sensitive geopolitical information — in this case, insight into the intense international diplomacy surrounding Syria’s ongoing civil war.

FireEye was able to access just one of 23 command-and-control (CnC) servers responsible for managing cyber espionage against a handful of countries. But how many more countries were attacked? How many more CnC servers are a part of this attack campaign? Only the attackers know for sure — but the known scope of their efforts implies that this was only the tip of a much larger iceberg.

Since we began writing this report, this APT has continued its cyber espionage activities. Furthermore, we have recently located an additional cluster of Ke3chang activity.


CVE-2013-3346/5065 Technical Analysis

In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox. CVE-2013-3346 was exploited to execute the attacker’s code in the sandbox-restricted Reader process, where CVE-2013-5065 was exploited to execute more malicious code in the Windows kernel.

In this post, we aim to describe the in-the-wild malware sample, from initial setup to unrestricted code execution.

CVE-2013-3346: Adobe Reader ToolButton Use-After-Free

CVE-2013-3346 was privately reported to ZDI by Soroush Dalili, apparently in late 2012. We could find no public description of the vulnerability. Our conclusion that the sample from the wild is exploiting CVE-2013-3346 is based upon the following premises:

  1. The sample contains JavaScript that triggers a use-after-free condition with ToolButton objects.
  2. CVE-2013-3346 is a use-after-free condition with ToolButton objects.
  3. The Adobe Reader patch that addresses CVE-2013-3346 also stops the in-the-wild exploit.

CVE-2013-3346 Exploitation: Technical Analysis

The bug is a classic use-after-free vulnerability: within JavaScript, nesting ToolButton objects and freeing the parent from within child callbacks results in a stale reference to the freed parent. More specifically, the dangling reference can be created as follows:

  1. Make a parent ToolButton with a callback CB
  2. Within the callback CB, make a child ToolButton with a callback CB2
  3. Within the callback CB2, free the parent ToolButton

The sample from the wild exploits the bug entirely from JavaScript. The code sets up the heap, builds ROP chains, builds shellcode, and triggers the actual bug. The only component of the attack that wasn’t implemented in JavaScript is the last-stage payload (executable file).


MS Windows Local Privilege Escalation Zero-Day in The Wild

FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP.

This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.

Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.
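The post says only that the shellcode decodes a PE from the PDF; it does not say how the payload is encoded. The following is an added example (not code from the original post) of the triage step an analyst would take before the payload is dropped: scan the PDF bytes for a PE image hidden under a single-byte XOR key, then carve it to the length implied by its own section table. The single-byte XOR scheme, the key 0x5A and the wrapping PDF bytes are assumptions constructed for the demo; the mini PE is non-executable test data.

```python
"""Find and carve a single-byte-XOR-encoded PE image inside a PDF-like blob.

Added example, not the malware's or FireEye's code. Assumptions: the PE is
XOR-encoded with one byte (the post does not state the scheme); the sample
PDF and PE below are constructed inline so the script runs offline.
"""
from __future__ import annotations
import struct


def _dec(blob: bytes, off: int, n: int, key: int) -> bytes:
    """XOR-decode n bytes of blob starting at off with a single-byte key."""
    return bytes(b ^ key for b in blob[off:off + n])


def find_xor_pe(blob: bytes) -> list[dict]:
    """Return [{'offset', 'key'}] for every offset whose bytes decode to 'MZ'
    under some key AND whose e_lfanew then points at 'PE\\0\\0' under the same key.
    A key of 0 means the PE is embedded unencoded."""
    hits = []
    for off in range(len(blob) - 0x40):
        key = blob[off] ^ 0x4D                     # would decode to 'M'
        if blob[off + 1] ^ key != 0x5A:            # must also decode to 'Z'
            continue
        e_lfanew = struct.unpack_from("<I", _dec(blob, off, 0x40, key), 0x3C)[0]
        pe_off = off + e_lfanew
        if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 4 > len(blob):
            continue                               # implausible header layout
        if _dec(blob, pe_off, 4, key) != b"PE\0\0":
            continue
        hits.append({"offset": off, "key": key})
    return hits


def carve_pe(blob: bytes, off: int, key: int) -> bytes:
    """Decode the PE at off and cut it at the end of its last raw section
    (max PointerToRawData + SizeOfRawData), or at the end of the headers
    if that is larger."""
    e_lfanew = struct.unpack_from("<I", _dec(blob, off, 0x40, key), 0x3C)[0]
    pe = off + e_lfanew
    coff = _dec(blob, pe, 24, key)                 # 'PE\0\0' + 20-byte COFF header
    nsec = struct.unpack_from("<H", coff, 6)[0]
    opt_size = struct.unpack_from("<H", coff, 20)[0]
    sec_tbl = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + nsec * 40     # end of section table, relative to off
    for i in range(nsec):
        sec = _dec(blob, sec_tbl + i * 40, 40, key)
        raw_size, raw_ptr = struct.unpack_from("<II", sec, 16)
        end = max(end, raw_ptr + raw_size)
    return _dec(blob, off, end, key)


def build_sample_pe() -> bytes:
    """Constructed minimal PE (DOS stub, COFF header, one .text section, 16 bytes of data)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> COFF header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + bytes(range(0x10))   # 0x90 bytes total


XOR_KEY = 0x5A                                     # assumed key for the demo
PDF_PREFIX = b"%PDF-1.5\n1 0 obj\n<< /Length 144 >>\nstream\n"
SAMPLE_PDF = (PDF_PREFIX
              + bytes(b ^ XOR_KEY for b in build_sample_pe())
              + b"\nendstream\nendobj\n%%EOF\n")   # constructed PDF-like wrapper


if __name__ == "__main__":
    for hit in find_xor_pe(SAMPLE_PDF):
        pe = carve_pe(SAMPLE_PDF, hit["offset"], hit["key"])
        print(f"PE at offset {hit['offset']:#x}, key {hit['key']:#04x}, {len(pe)} bytes")
```

On a real sample, run `find_xor_pe` over the decompressed PDF streams (the payload may sit inside a FlateDecode stream) and expect occasional candidates from text that happens to XOR to 'MZ'; the 'PE\0\0' cross-check at e_lfanew is what keeps those out. Multi-byte or rolling keys used by real shellcode decoders need a different search, so treat a miss as "not single-byte XOR", not "no payload".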

Mitigations

The following actions will protect users from the in-the-wild PDF exploit:
1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher

This post was intended to serve as a warning to the general public. We are collaborating with the Microsoft Security team on research activities. Microsoft assigned CVE-2013-5065 to this issue.

We will continue to update this blog as new information about this threat is found.

[Update]: Microsoft released security advisory 2914486 on this issue.

Dissecting Android KorBanker

FireEye recently identified a malicious mobile application that installs a fake banking application capable of stealing user credentials. The top-level app acts as a bogus Google Play application, falsely assuring the user that it is benign.

FireEye Mobile Threat Prevention platform detects this application as Android.KorBanker. This blog post details both the top-level installer as well as the fake banking application embedded inside the top-level app.

The app targets the following banks, all of which are based in Korea.

  • Hana Bank
  • IBK One
  • KB Kookmin Bank
  • NH Bank
  • Woori Bank
  • Shinhan Bank

Once installed, the top-level application presents itself as a Google Play application. It also asks the user for permission to activate itself as a device administrator, which gives KorBanker ultimate control over the device and helps the app stay hidden from the app menu.


Monitoring Vulnaggressive Apps on Google Play

Vulnaggressive Characteristics in Mobile Apps and Libraries

FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.

As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version, either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a version that addresses the security issues. However, many app developers are still not aware of these security issues and have not taken the needed steps. A community effort is needed to make app developers and library vendors more aware of these security issues and to get them addressed in a timely fashion.

To aid this community effort, we present data illustrating the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons behind the changes we are reporting.

Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-3906

Last week, we blogged about a zero-day vulnerability (CVE-2013-3906) that was being used by at least two different threat groups. Although it was the same exploit, the two groups deployed it differently and dropped very different payloads. One group, known as Hangover, engages in targeted attacks, usually against targets in Pakistan. The second group, known as Arx, used the exploit to spread the Citadel Trojan, and we have found that they are also using the Napolar (aka Solar) malware. [1]

Looking at the time of the first known use of the exploit, we noted that the Arx group appeared to have had access to this exploit prior to the Hangover group. Subsequent research by Kaspersky has found that this exploit was used in July 2013 to spread a cross-platform malware known as Janicab. Interestingly, the Janicab samples have exactly the same CreateDate and ModifyDate as the Arx samples. However, the ZipModifyDate is different. They also contain the same embedded TIFF file (aa6d23cd23b98be964c992a1b048df6f).
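The pivot described above (shared CreateDate/ModifyDate and embedded-TIFF hash, but a differing ZipModifyDate) is the kind of thing worth automating across a sample set. The script below is an added example, not FireEye's or Kaspersky's tooling. It assumes the documents are OOXML (.docx) files, so that the exiftool tags CreateDate/ModifyDate correspond to `dcterms:created`/`dcterms:modified` in `docProps/core.xml` and ZipModifyDate to the zip entries' own timestamps; the three sample documents, their dates and the TIFF bytes are constructed in memory (the TIFF is a stub header, not the real file from the campaign).

```python
"""Cluster OOXML documents by core-properties dates and embedded image hashes.

Added example, not from the original post. Assumes .docx (OOXML zip) samples;
all inputs below are constructed so the script runs offline.
"""
from __future__ import annotations
import hashlib
import io
import re
import zipfile
from collections import defaultdict

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
    'metadata/core-properties" xmlns:dcterms="http://purl.org/dc/terms/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '</cp:coreProperties>'
)


def make_docx(created: str, modified: str, zip_mtime: tuple, tiff: bytes) -> bytes:
    """Construct a minimal docx-like zip: core properties plus one media TIFF.
    zip_mtime is the (Y, M, D, h, m, s) stamp written into every zip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("docProps/core.xml",
                            CORE_XML.format(created=created, modified=modified).encode()),
                           ("word/media/image1.tiff", tiff)):
            info = zipfile.ZipInfo(name, date_time=zip_mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def extract_pivots(docx: bytes) -> dict:
    """Pull the fields an analyst pivots on: document dates, zip entry dates, media hashes."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        core = z.read("docProps/core.xml").decode("utf-8", "replace")
        created = re.search(r"<dcterms:created[^>]*>([^<]*)<", core).group(1)
        modified = re.search(r"<dcterms:modified[^>]*>([^<]*)<", core).group(1)
        zip_dates = sorted({i.date_time for i in z.infolist()})
        media = {i.filename: hashlib.md5(z.read(i)).hexdigest()
                 for i in z.infolist() if i.filename.startswith("word/media/")}
    return {"created": created, "modified": modified,
            "zip_modify_dates": zip_dates, "media_md5": media}


def cluster(samples: dict) -> tuple[dict, dict]:
    """Group sample names that share (created, modified) and that share an embedded image."""
    by_dates, by_md5 = defaultdict(list), defaultdict(list)
    for name, blob in samples.items():
        p = extract_pivots(blob)
        by_dates[(p["created"], p["modified"])].append(name)
        for h in p["media_md5"].values():
            by_md5[h].append(name)
    return ({k: sorted(v) for k, v in by_dates.items()},
            {k: sorted(v) for k, v in by_md5.items()})


# Constructed samples: two share document dates and the TIFF but were zipped at
# different times (the pattern described in the post); the third is unrelated.
SHARED_TIFF = b"II*\x00\x08\x00\x00\x00\x00\x00"          # stub TIFF header, constructed
OTHER_TIFF = b"MM\x00*\x00\x00\x00\x08\x00\x00"
SAMPLES = {
    "arx.docx":     make_docx("2013-06-01T10:00:00Z", "2013-06-01T10:05:00Z",
                              (2013, 10, 29, 14, 5, 0), SHARED_TIFF),
    "janicab.docx": make_docx("2013-06-01T10:00:00Z", "2013-06-01T10:05:00Z",
                              (2013, 7, 10, 9, 30, 0), SHARED_TIFF),
    "unrelated.docx": make_docx("2012-01-15T08:00:00Z", "2012-01-16T08:00:00Z",
                                (2012, 1, 16, 8, 0, 0), OTHER_TIFF),
}

if __name__ == "__main__":
    by_dates, by_md5 = cluster(SAMPLES)
    for key, names in by_dates.items():
        if len(names) > 1:
            print("shared CreateDate/ModifyDate", key, "->", names)
    for h, names in by_md5.items():
        if len(names) > 1:
            print("shared media md5", h, "->", names)
```

The zip timestamps are kept separately on purpose: two documents built from the same template by the same kit will match on core properties and media hash while their ZipModifyDate records when each was actually packaged, which is the distinction the post draws between the Arx and Janicab samples.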

Supply Chain Analysis: From Quartermaster to Sunshop

Today, we released a new report from FireEye Labs entitled Supply Chain Analysis: From Quartermaster to Sunshop.

The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize. Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors. Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.

The report is available for download here: https://www.fireeyesolution.com/resources/pdfs/fireeye-malware-supply-chain.pdf

Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy. We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog. Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems using traditional forensics methods.

Enter Trojan.APT.9002

On November 8, 2013 our colleagues Xiaobo Chen and Dan Caselden posted about a new Internet Explorer 0-day exploit seen in the wild. This exploit was seen used in a strategic Web compromise. The exploit chain was limited to one website. There were no iframes or redirects to external sites to pull down the shellcode payload.

Through the FireEye Dynamic Threat Intelligence (DTI) cloud, we were able to retrieve the payload dropped in the attack. This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artifacts that can be used to identify infected endpoints.