The Sunshop Campaign Continues

We recently detected what we believe is a continuation of the Sunshop campaign that we first revealed on May 20, 2013.

This follow-on to the Sunshop campaign started on July 17, 2013. In this latest wave the attackers inserted malicious redirects into a number of websites – at least two of which were also compromised in the May 2013 edition of this campaign. The most prominent sites compromised in this round of the campaign were maintained by a Human Rights organization and an organization involved in science and technology policy development.

Survival of the Fittest: New York Times Attackers Evolve Quickly

The attackers behind the breach of the New York Times’ computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware.

The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed exposé of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China [1].

The newest campaign uses updated versions of Aumlib and Ixeshe.

Breaking Down the China Chopper Web Shell - Part II

Part II in a two-part series. Read Part I.

Introduction

In Part I of this series, I described China Chopper’s easy-to-use interface and advanced features — all the more remarkable considering the Web shell’s tiny size: 73 bytes for the aspx version, 4 kilobytes on disk. In this post, I’ll explain China Chopper’s platform versatility, delivery mechanisms, traffic patterns, and detection. My hope is that armed with this information, you can eradicate this pest from your environment.

Platform

So what platform can China Chopper run on? Any Web server that is capable of running JSP, ASP, ASPX, PHP, or CFM. That’s the majority of the Web application languages out there. What about operating systems? China Chopper is flexible enough to run transparently on both Windows and Linux. This OS and application flexibility makes this an even more dangerous Web shell.

Breaking Down the China Chopper Web Shell - Part I

Part I in a two-part series.

China Chopper: The Little Malware That Could

China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth. Other than a good blog post from security researcher Keith Tyler, we could find little useful information on China Chopper when we ran across it during an incident response engagement. So to contribute something new to the public knowledge base — especially for those who happen to find the China Chopper server-side payload on one of their Web servers — we studied the components, capabilities, payload attributes, and the detection rate of this 4 kilobyte menace.

Components

China Chopper is a fairly simple backdoor in terms of components. It has two key components: the Web shell command-and-control (CnC) client binary and a text-based Web shell payload (server component). The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed.


The Curious Case of Encoded VB Scripts: APT.NineBlog

We came across a rather peculiar TTP (Tools, Techniques, and Procedures) in a targeted attack we found recently. This targeted attack uses simpler techniques but still remains effective in infiltrating the target. The weaponized document that was part of this attack was intended for a victim in India, as is evident from the contents of the decoy document presented post exploitation. The main modules of this attack are implemented in encoded VB scripts, as was also recently seen with Janicab; however, we do not see any connections between the two. It also employs encrypted callback communications over HTTPS.

Hot Knives Through Butter: Bypassing File-based Sandboxes

Diamonds are a girl’s best friend. Prime numbers are a mathematician’s best friend. And file-based sandboxes are an IT security researcher’s best friend.

Unfortunately, malware authors know this. Aware that researchers are using sandboxes to monitor file behavior, attackers are building sandbox-evading techniques into new advanced persistent threat (APT) attacks — and even using these tricks to resurrect notorious malware classics.

As my colleague Zheng Bu and I explain in an upcoming presentation at the Black Hat USA conference, malware is using a variety of checks to determine whether it is running in a sandbox and “play dead” until it reaches a live target. These checks fall into several categories:

Syrian Electronic Army Hacks Major Communications Websites

The Syrian Electronic Army (SEA) has recently compromised three widely-used online communications websites, each of which could have serious real-world consequences for Syria’s political opposition.

  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online telephone directory, with over a billion phone numbers in over 100 countries. SEA claimed this attack also gave it access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the attack vector was a vulnerable version of WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam which enabled SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.


Trojan.APT.Seinup Hitting ASEAN

1. Executive Summary

The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN. Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy. The rich and contextual details (body and metadata), which are not available online, led us to believe this was stolen. This decoy document mentioned countries such as Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam, which leads us to suspect that these countries are targeted. As the content of this decoy document is suspected to be a stolen sensitive document, the details will not be published.

This malware was found to have used a number of advanced techniques, which makes it interesting:

  1. The malware leverages Google Docs to perform redirection to evade callback detection. This technique was also found in the malware dubbed “Backdoor.Makadocs” reported by Takashi Katsuki (Katsuki, 2012).
  2. It is heavily equipped with a variety of cryptographic functions to perform some of its functions securely.
  3. The malicious DLL is manually loaded into memory which hides from DLL listing.


Ready for Summer: The Sunshop Campaign

We recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, as well as the recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. This campaign appears to have affected a number of victims, based on the use of the Internet Explorer zero-day as well as the amount of traffic observed making requests to the exploit server. This attack was likely executed by an actor we have named the ‘Sunshop Group’. This actor was also responsible for the 2010 compromise of the Nobel Peace Prize website that leveraged a zero-day in Mozilla Firefox.

Impacted Sites

The campaign in question compromised a number of strategic websites including:

• Multiple Korean military and strategy think tanks
• A Uyghur news and discussion forum
• A science and technology policy journal
• A website for evangelical students

A call to a malicious JavaScript file hosted at www[.]sunshop[.]com[.]tw was inserted into all of these compromised websites.
