Spammers Accelerate Dyre Distribution

ThreatTrack Security Labs researchers continue to monitor the evolution of Dyre (aka Dyreza), the banking-credential-stealing Trojan that appears to be quickly filling the gap left by the takedown of GameOver Zeus.

We reported earlier on how Dyre has been associated with malicious spam utilizing the Upatre downloader, and our researchers also cited how Dyre’s list of global banking targets continues to grow – expanding beyond traditional financial institutions to target online bitcoin wallets.

Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials; they may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall.

Other recent additions to the Dyre code include:

  • The implementation of a Domain Generating Algorithm (DGA) to quickly cycle through fresh URLs to avoid detection
  • The use of peer-to-peer Invisible Internet Project (I2P) protocol for clandestine communications, presumably between infected machines and their Command and Control server masters
  • A newly expanded list of targeted banking institution servers. Click here for a complete list of targets.

It is also worth noting that GameOver Zeus (before the government takedown) was downloading Pushdo/Kegotip/ransomware and facilitating its own spread, very similar to how Dyre is behaving now.

Click here for a dynamic malware analysis of a recent Dyre sample.

Spammers Set To Maximum

The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, have all been employed to trick recipients into clicking links and opening infected attachments.

We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign that has been increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.

CNN Norwegian Russian MiG Spam

 Subject: Video shows Norwegian fighter pilot’s

Video shows Norwegian fighter pilot’s close call with Russian MiG

(CNN) — It was a routine call for the Norwegian fighter pilot participating in NATO’s Quick Reaction Alert mission, high in the sky off Norway’s coast.

He was tasked with investigating and identifying an aircraft that had entered the mission’s patrol area in international airspace northwest of Norway.

Fluffy clouds dotted the piercing blue atmosphere, and it looked like it would be a non-eventful mission, until something gray darted in front of the Norwegian pilot’s F-16 — a Russian MiG fighter, according to the Norwegian Defence Ministry. FULL STORY [1]

            * comment on CNN stories and blogs
            * submit and comment on iReport assignments
            * receive breaking news e-mail alerts
            * receive e-mail newsletters

 Thank you,
 CNN

Ferguson Tyranny of Police Spam

 Subject: Tyranny of the police

Morning,

Our company make a survey research about horrible situation in Ferguson, state MS.

Please, follow the link above, vote and do not pass by!!!

Regards

 Click here <$url$>

Melinda Goens Paralegal
D 214.838.2522

American Express Spam

Subject: Security Concern on Your American Express Account

Security Concern on Your American Express Account

Dear Customer:

We are writing to you because we need to speak with you REGARDING A SECURITY CONCERN on your account. Our records indicate that you recently used your American Express card on November 24, 2014.

For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.

To secure your account , please click log on to : http://americanexpress.com [1]

Your prompt response regarding this matter is appreciated.

Sincerely,

American Express Identity Protection Team

paypal spam Dyre Upatre

Subject: Update your PayPal account

Dear valued PayPal® member*:

Due to concerns, for the safety and integrity of the paypal account we have issued this warning message.

It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension.

Please update your records on or before June 30, 2005.

Once you have updated your account records your paypal account service will not be interrupted and will continue as normal.

To update your PayPal® records click on the following link:

*Click here* <$url$>

Thank You.
*PayPal® UPDATE TEAM*

HSBC Spam Dyre Upatre

Subject: Payment Advice – Advice Ref:[GB$number5$] / CHAPS credits

Sir/Madam,

Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:

$url$

Yours faithfully,
Global Payments and Cash Management
HSBC

NetDocuments Spam

 Subject: Employee Documents – Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: $url$

Documents are encrypted in transit and store in a secure repository

voicemessage

Subject: Voice Message #$number9$

Voice message

$url$
Sent date: $date$

voicemessage2

Subject: Voice Message #$number9$

Voice redirected message

$url$
Sent: $date$

fax message

 Subject: Fax message

Fax Message [Caller-ID: 1-407-$number2$-$number3$]

$url$

You have received a 3 page fax at $date$.

* The reference number for this fax is chd_did11-1$number8$7-1$number9$-$number2$.

View this fax using your PDF reader.
Thank you for using the MyFax service!

adp Dyre Nov 2014

Subject: ADP Past Due Invoice

Your ADP past due invoice is ready for review at ADP Online Invoice Management.

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

Important: Please do not respond to this message. It comes from an unattended mailbox.

VIPRE detects Dyre as Win32!MalwareDrop and the spammers as Trojan.Win32.Spammer (fs).
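The lure templates reproduced above share fixed subject lines and body phrases, which is enough for a mail-gateway rule set. The following is an added example (not ThreatTrack's tooling) that classifies raw messages against those templates; the sample messages, sender domains and URLs are constructed:

```python
import re
from email import message_from_string

# Signatures derived from the Upatre/Dyre lure templates reproduced above.
# Each rule is (campaign label, subject regex, body regex). The templates use
# slots such as $url$ and $number9$; the patterns match what those slots
# expand to once delivered (e.g. a 9-digit number after "Voice Message #").
TEMPLATE_RULES = [
    ("voice-message", r"^Voice Message #\d+$", r"^Voice (redirected )?message$"),
    ("fax-message", r"^Fax message$", r"Caller-ID: 1-407-\d{3}-\d{4}"),
    ("hsbc-payment-advice", r"^Payment Advice\s*[-–]\s*Advice Ref:\[GB\d{5}\]",
     r"download document from dropbox"),
    ("netdocuments", r"^Employee Documents\s*[-–]\s*Internal Use$",
     r"^DOCUMENT LINK:\s*\S+"),
    ("adp-invoice", r"^ADP Past Due Invoice$", r"past due invoice"),
    ("amex-phish", r"Security Concern on Your American Express Account",
     r"new charges .* may be declined"),
    ("paypal-phish", r"^Update your PayPal account$", r"account suspension"),
]
FLAGS = re.IGNORECASE | re.MULTILINE


def classify(raw_message: str) -> list:
    """Return the campaign labels whose subject AND body patterns both match."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    for label, subject_re, body_re in TEMPLATE_RULES:
        if re.search(subject_re, subject, FLAGS) and re.search(body_re, body, FLAGS):
            hits.append(label)
    return hits


def scan(messages) -> dict:
    """Count matches per campaign over an iterable of raw messages."""
    counts = {}
    for raw in messages:
        for label in classify(raw):
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample messages modelled on the templates above (not real mail).
SAMPLE_VOICEMAIL = (
    "From: voicemail@mail.example\nTo: user@corp.example\n"
    "Subject: Voice Message #482193365\n\n"
    "Voice message\n\nhttp://lure.example/vm/482193365\nSent date: Dec 1 2014\n"
)
SAMPLE_HSBC = (
    "From: payments@bank.example\nTo: user@corp.example\n"
    "Subject: Payment Advice – Advice Ref:[GB40217] / CHAPS credits\n\n"
    "Sir/Madam,\n\nPlease download document from dropbox, payment advice is "
    "issued at the request of our customer.\n\nDownload link:\n\n"
    "http://lure.example/payment_advice.zip\n"
)
SAMPLE_BENIGN = (
    "From: colleague@corp.example\nTo: user@corp.example\n"
    "Subject: Lunch on Thursday?\n\nWant to grab lunch Thursday?\n"
)

if __name__ == "__main__":
    print(scan([SAMPLE_VOICEMAIL, SAMPLE_HSBC, SAMPLE_BENIGN]))
```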

The MD5s for the spammer responsible for the campaign above include:


Defend Yourself Against Dyre

Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that, even at work, they shouldn’t click links or open attachments without regard for security. For help, reference Users Beware: 10 Security Tips to Share with Your Users.

Consumers should always be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by phone to confirm.

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

Update: The American Express ploy is a phishing campaign very similar to what has been reported at TechHelpList.


Spyware Vendors Find New Ways to Deliver Mobile Apps

With mobile devices an essential part of our lives, we must protect our privacy against a form of mobile “spyware” that is openly sold and distributed and that secretly monitors all of our activities on smartphones.

In this context, spyware does not refer to Trojan malware that poses as legitimate games and tools while secretly stealing our private information. This type of spyware is usually marketed as spy or monitoring apps for watching over our spouses, kids, or employees. Buyers of this kind of spyware install it on their subjects’ mobile devices to monitor their activities and location. Most of these products claim that their software will remain undetected by those who are monitored. Yet how can we, or the developers, justify installing spyware without users’ knowledge and monitoring all their private activities on smartphones?

In September, we read reports that a seller of the spyware StealthGenie was indicted in the United States. The seller was criticized for supplying an app that could threaten a victim’s life and could be used, for example, by stalkers and domestic abusers. But similar kinds of spyware are still being distributed in markets and will continue to threaten our privacy.

Most spyware has the following features to remotely monitor and collect data about the target user’s private actions:

  • Recorded phone calls and call logs
  • Sent and received SMS messages
  • Contact information
  • Web browsing history and bookmarks
  • Photographs, videos, and other documents
  • Current location
  • Account names for various services, including email addresses

Worse still, for devices that are “rooted” (Android) or “jailbroken” (iOS), some spyware claims to be able to monitor contacts and conversation data of social networking and messaging apps such as WhatsApp, Facebook, LINE, Skype, Viber, Kik, and so on.

It is rare to find these kinds of spyware apps on official markets for mobile apps. Some apps with similar functionality for antitheft or parental control are offered on official stores, and these can be used as spyware depending on circumstances. But spyware apps whose main use is to invade the target’s privacy are not published on official sites, probably because doing so would violate the official app markets’ policies.

Nonetheless, McAfee Labs has recently confirmed that spyware vendors are cleverly offering their products for Android devices via the official store. These vendors or their affiliates publish many free apps that download the spyware products or lead users to their product websites. Those who want to find spyware can get such products directly from the developers’ sites, but it seems that spyware vendors are seeking more sales opportunities by using popular app stores.

Some of these apps simply redirect users to the sales site of the spyware product; others directly download the spyware and prompt users to install and register. In this manner, spyware vendors let users download and install their spyware products from external sites by publishing apparently harmless landing apps on the official store. Spyware installed from external sites is not listed in the My Apps list on the official store portal, so a target user is less likely to notice the installation if the monitoring person uninstalls the initial landing app to hide their traces.

Some of the installed spyware removes its application icon from the home screen and app list so that the target does not notice it, then starts monitoring the target’s activities and sending the collected information to a remote server in the background. Other spyware requests the Device Administrator privilege immediately after launch to make it difficult for victims to uninstall the app even if they notice suspicious behavior.

Because much spyware is sold outside of the official store, it will not usually be installed unless the user enables installation from unknown sources. And even if these apps are installed, McAfee Mobile Security and other security software will detect them and alert users. However, although these countermeasures are effective when the device user accidentally installs malware, these defenses might not work as expected when another person with access to the device wants to monitor the user secretly and installs the app. The monitoring person could change the device’s security settings and even disable detection by security software.

Thus in addition to the usual defenses against malware, we should also observe the following:

  • Harden the device’s physical security. Never let anybody else use it. Make sure the device is locked with password, etc. to prevent someone else from changing the settings and installing any apps.
  • Carefully check changes made by someone else, no matter the reasons. Check whether any settings are changed or apps are installed. Most spyware hides from the target user by removing their icons from the home screen. Make sure to check the apps list from [Settings] – [Apps], or from apps list displayed by security software such as McAfee Mobile Security.
  • Carefully check the settings and apps on the device if it has been in someone else’s hands. Make sure that default settings are applied and look for any additional apps. It is desirable to factory reset the device and do initial settings yourself. Be careful also when buying a phone from any untrusted used-phone shop; shop staff might install apps for “free.”
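The second and third checks above (did any apps appear, and did anything that was installed from the official store disappear afterwards?) can be made repeatable by diffing two package snapshots. This is an added example, not McAfee's tooling; it assumes the line format of `adb shell pm list packages -i` (`package:<id>  installer=<id or null>`), and the two snapshots are constructed:

```python
import re
from typing import Dict, List

# Installer ids treated as trusted stores. com.android.vending is the Google
# Play Store package; anything else, including "null" (sideloaded from an
# external site after enabling unknown sources), is treated as untrusted.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format of `adb shell pm list packages -i`:
#   package:<package id>  installer=<installer id or null>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map each package id to its installer id ("null" when unknown)."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group(1)] = m.group(2)
    return packages


def audit_packages(baseline: str, current: str) -> Dict[str, List[str]]:
    """Diff a baseline snapshot against the current one.

    new:            packages that appeared since the baseline
    sideloaded_new: new packages not installed by a trusted store
    removed:        packages that vanished (e.g. a landing app uninstalled
                    to hide the trace of what it downloaded)
    """
    before = parse_pm_list(baseline)
    after = parse_pm_list(current)
    new = sorted(set(after) - set(before))
    return {
        "new": new,
        "sideloaded_new": [p for p in new if after[p] not in TRUSTED_INSTALLERS],
        "removed": sorted(set(before) - set(after)),
    }


# Constructed snapshots (not real device output): the landing app was present
# when the baseline was taken; later a sideloaded monitor appeared and the
# landing app was removed.
BASELINE = """\
package:com.android.settings  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.landing  installer=com.android.vending
"""
CURRENT = """\
package:com.android.settings  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.monitor  installer=null
"""

if __name__ == "__main__":
    print(audit_packages(BASELINE, CURRENT))
```

Take the baseline snapshot right after a factory reset and initial setup, so that later diffs only show what someone else changed.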

There might be cases in which you want to use this kind of spyware as a monitoring tool to really protect someone you care about. First, get his or her consent. And you should be very careful about some points. The careless use of spyware can expose your loved one to danger. The information obtained through spyware must be accessible only to you and/or the monitored person; it is dangerous if you allow the spyware vendor to access the information. If the vendor is malicious, then all the privacy of your loved one could be disclosed. Any information collected should be encrypted with a password that only you know, and only you should be able to decrypt it. Otherwise, even a benign spyware vendor could lose information due to a leak or security flaw. Much of the spyware we have seen transfers privacy and account authentication data as plaintext. If the monitored person were to use the phone on an unguarded public LAN with no appropriate security settings, all the private information could be snooped by a malicious observer.

Many of these spyware apps claim that their purpose is to protect spouses and kids, or to prevent employees’ inappropriate actions. However, if these apps are really intended for that purpose, then it would be reasonable to install them on the targets’ devices with their explicit approval and explain that their activities can be remotely monitored. Installing these apps openly is a more effective way to prevent any unauthorized actions. Installing spyware secretly only opens the door to privacy invasion and potential cybercrime.

The post Spyware Vendors Find New Ways to Deliver Mobile Apps appeared first on McAfee Blogs.

Spammers Cast Email Snares for Holiday Shoppers

ThreatTrack Security Labs recently identified some unsurprising holiday shopping threats via a seasonal malware delivery ploy: malicious holiday shopping spam.

This particular campaign targeted customers of major retailers with a Thanksgiving Day message, but it would be best to stay on guard for similar ploys throughout the holiday season as predicted recently.

The spoofed retailers include Best Buy, Target, Costco, Kroger and Home Depot, as also reported over at TechHelpList.

Example email text:

E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.

Upon confirmation you may pick it in any nearest store of Best Buy.

Detailed order information is attached to the letter.

Wishing you Happy Thanksgiving!

Best Buy

The spam email entices recipients to click on a link to see further information about their order. This malicious link downloads a fake “order information” zip file, which contains the Asprox/Kuluoz exe Trojan.

Sample malicious links:

  • hxxp://kapsourcing.com/blog.php?dp=HjfXKcld9XbxdykcP5puw…
  • hxxp://lannasilvercm.com/user.php?dp=eH/E/JhqQkx/0pMOLyLb…
  • hxxp://osmani.net/diff.php?dp=d5EqMyV3VXak6ztsgq77vgBD…
  • hxxp://perpersoon.com/help.php?dp=dg346+8NzWHY0EDkIkdXZA7X…
  • hxxp://reebate.com/pm/file.php?dp=VooGqDfxFP85tietLum2…

VIPRE Antivirus detects this particular strain as Trojan.Win32.Kuluoz.cnyj (v).

The download adds a further layer of deception: it geolocates the recipient’s IP address and embeds his or her city name in the filename of the zip.

When opened, the Trojan connects the user’s PC to the Asprox botnet.

Once infected, a victim’s PC can be used for whatever function the threat actor intends. Common uses include:

  • ad fraud
  • stealing passwords
  • sending more malware spam

Shop Secure

The Department of Homeland Security has a great post on how to stay safe online this holiday season. Some of their suggestions include:

Use and maintain anti-virus software and a firewall. Protect yourself against viruses and Trojan horses that may steal or modify the data on your computer and leave you vulnerable.

Shop on reliable websites. Take a look at the website’s trademark or logo to make sure it’s valid. Also, pay attention to the website’s URL. Malicious websites may look identical to a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

Look for the lock. When shopping online, check the lower-right corner of your screen for the padlock symbol and make sure the website address begins with “https://” before entering your shipping, billing, or payment information. This symbol means that you’re using a website that is secure and which encrypts the data you send or receive.

Credit: ThreatTrack Security Labs Malware Researchers Matthew Mesa and Robert Stetson


ThreatTrack Security Labs
About Author

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.

Perma-Cookies Bite Back

Cookies, while delicious to eat, are not always as scrumptious when found online. One type of cookie comes to mind that neither you nor your device will want to consume: I’m talking about ‘perma-cookies.’

Perma-cookies, also known as super-cookies, are used to help marketers create more targeted ads based on a user’s browsing habits, and they sure are making headlines as of late! Previously, we’ve looked at how advertisers use perma-cookies to track online shopping behaviors; now let’s talk about how mobile carriers are potentially abusing these cookies.

Perma-cookies have recently come under fire from privacy advocates who are concerned about how mobile carriers use unique identifier headers (UIDHs). These UIDHs are a hidden string of about 50 letters, numbers and characters that advertisers can use to identify a mobile user and track their browsing habits.

One of the main concerns with UIDHs is that they are broadcast to every website a user visits on their mobile phone, every time a new page is opened. Each time a mobile user navigates the Internet, this string is silently passed along to websites, allowing them to collect data on the user. Therefore, third parties could use the data from UIDHs to track subscribers or build a profile of a user’s activity – without the user’s consent.

Since the insecurities behind these unique identifiers have come to light and received a significant amount of attention, one carrier stopped using them, but others have not indicated any plans to stop.

With these hidden perma-cookies lurking in the depths of your mobile devices, how can you maintain privacy and control over your personal data?

In this case, the most important first step you can take is to test if your phone is broadcasting a UIDH by visiting this site. If there is nothing after the line “your UID is reporting,” then your phone is not displaying a UIDH.

If your phone is indeed displaying a UIDH, things get a bit trickier. While there is no way to turn these perma-cookies off, you can opt out of your carrier’s advertising program by logging into your account online to disable the carrier and its advertising partners from creating targeted ads based on your browsing history.

In addition to the steps above, here are a few security tips and tricks you can practice for an added layer of protection:

  • Enable the security settings on your mobile devices. Many devices have privacy settings that allow you to block cookies when browsing the web. If you choose to block cookies, the websites you visit will not be able to store the data you have provided (such as your name or email address).
  • Be sure to check and see if your mobile device has a ‘Do Not Track’ setting. When this setting is turned on, a request will be made to each website you visit to not track your activity. In the end, it is up to the individual websites themselves to honor this request but nonetheless, it’s a good setting to always have enabled.
  • Install comprehensive security on your device. Don’t let your personal information become exposed through unsafe online searches. McAfee® Mobile Security is free for both Android and iOS, and offers a variety of protections to help avoid your personal data being overshared or falling into the wrong hands.
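The “is my phone broadcasting a UIDH” check described above works because the identifier is injected as an HTTP request header by the carrier, so any web server can echo it back. The following is an added example (not the check site’s code) of what such a server would look for, including whether the ‘Do Not Track’ setting from the list is being sent; the header name X-UIDH is an assumption, since the post does not name it, and both requests and the token value are constructed:

```python
import re
from typing import Dict, List

# Header name of the carrier-injected identifier discussed above. The post
# does not name it; "X-UIDH" is assumed here. Proxy headers listed as benign
# are never flagged even though they also start with "X-".
KNOWN_TRACKING_HEADERS = {"x-uidh"}
BENIGN_X_HEADERS = {"x-forwarded-for", "x-forwarded-proto", "x-requested-with"}
# A UIDH is roughly 50 opaque letters/digits; treat any unknown X- header
# carrying such a token as a probable injected identifier.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/_=-]{40,}$")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> dict:
    """Report what a UIDH check page would show for this request."""
    headers = parse_request_headers(raw)
    injected: List[str] = []
    for name, value in headers.items():
        if name in KNOWN_TRACKING_HEADERS:
            injected.append(name)
        elif (name.startswith("x-") and name not in BENIGN_X_HEADERS
              and OPAQUE_TOKEN.match(value)):
            injected.append(name)
    return {
        "uidh": headers.get("x-uidh"),          # None when nothing is reported
        "injected_headers": sorted(injected),
        "do_not_track": headers.get("dnt") == "1",
    }


# Constructed requests (no real identifiers). The first is what a carrier
# network might deliver; the second is the same phone on Wi-Fi.
MOBILE_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: uidh-check.example\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 4.4; Mobile)\r\n"
    "X-UIDH: MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGRw==\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "DNT: 1\r\n"
    "\r\n"
)
WIFI_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: uidh-check.example\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 4.4; Mobile)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(inspect_request(MOBILE_REQUEST))
    print(inspect_request(WIFI_REQUEST))
```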

To keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.

Lianne Caetano

The post Perma-Cookies Bite Back appeared first on McAfee Blogs.