Botnets, APTs, and Malicious Emails: The Commonest Methods of Attack

A question that we regularly receive at PhishMe is “How do the higher-skilled cyber criminals get into major networks?” In most cases the answer is botnets, APTs and malicious emails.

The way Advanced Persistent Threat-style actors are described by the media often leaves the average reader believing that these intrusions are performed by Mission: Impossible’s Ethan Hunt!  But the truth is that even the APT-level hackers often gain their initial foothold into your network through the most common and trustworthy means of infection — a malicious email.

But surely these are highly crafted, customized and targeted spear-phishing emails, right?  Sometimes.  But more often than not, the initial foothold into the network comes from common malware that is broadly distributed through spam.

Selling Logs

Most of the major botnets in circulation today are known for a primary activity, such as the financial crimes aspects of Zeus, Cridex, and Dyre. Whether it is those financial crimes botnets, click-fraud botnets such as Bamital, ZeroAccess, or MeVade, or spamming botnets such as Cutwail and Kelihos, the criminals often include additional functionality to “remote control” the infected computers, allowing them to drop ADDITIONAL malware on the same systems.

Security journalist (and now New York Times best-selling author) Brian Krebs has been making this point for quite some time.  In his article The Scrap Value of a Hacked PC he points out that one use of a compromised PC is to use that PC to access corporate e-mail accounts.  Later in 2012, he also explored the variety of additional uses of a hacked PC in his article Exploring the Market for Stolen Passwords.  More recently his article One-Stop Bot Chop-Shops pointed out some of the many additional ways that criminals monetize their bots, including selling the raw botnet logs – “huge text files that document notable daily activities of the botted systems.”

Fox-IT / Group-IB and Anunak

Netherlands-based Fox-IT and Moscow-based Group-IB have just released a report called “Anunak: APT Against Financial Institutions” (PDF), which describes a new group of cyber criminals who have stolen tens of millions of dollars, credit cards, and intellectual property.  In the report, the team documents one of the main methods by which the criminals were able to penetrate more than fifty financial institutions, as well as oil and gas companies and government agencies:

“To find such malicious programs the criminal group keeps in touch with several owners of large botnets that massively distribute their malware.  The attackers buy from these botnet owners the information about IP addresses of computers where the botnet owners have installed malware and then check whether the IP address belongs to the financial and government institutions.  If the malware is in the subnet of interest, the attackers pay the large botnet owner for installation of their target malware.  Such partner relations were established with [several botnet owners] including Zeus.” (p. 5 of the Anunak report)

The report goes on to actually provide Python source code used by the Anunak actors to scan large collections of log data for networks that may be of high value.

Once the malware actors identify a desirable bot, they pay the large botnet owner to install software that provides remote control to the Anunak group instead, and then proceed with their attack.  At this point, the criminal can fully control the machine that has been identified in a desirable target network, and will often read the victim’s emails in order to find people within the target organization who would be appropriate targets to try to gain higher levels of access to desirable systems.  Because they now have access to previous communications, it becomes easier for them to provide a compelling social engineering email based on prior communications, and being sent FROM WITHIN THE TARGET NETWORK by a known associate of the email recipient!  These are the highly-customized spear-phishing emails that give APT actors their reputation — but in this case, the FIRST STEP in the criminals’ version of the Cyber Kill Chain is to take advantage of a large botnet that has by coincidence, rather than by design, been installed on a machine of interest to the Anunak criminals.
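The report's own Python scanner is not reproduced here. The following is an added example, not code from the Anunak report or from PhishMe, that applies the same subnet-containment check from the defender's side: a SOC that obtains a botnet activity log (from a takedown, an ISAC or a vendor feed) checks which logged victim IPs fall inside its own address ranges, so the hosts the criminals would have shopped for are found and cleaned first. The log format, the netblocks and every log entry are constructed for illustration.

```python
"""Defender-side check of a botnet activity log against your own address space.

Added example (not code from the Anunak report or from PhishMe). The report
describes attackers buying bot logs and checking which infected IPs fall inside
subnets of interest; a SOC that receives such a log can run the same containment
check to find its own compromised hosts. The log format, the netblocks and
every log entry below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the organisation's public ranges (documentation prefixes, not real assignments).
ORG_NETBLOCKS = {
    "corp-hq": ipaddress.ip_network("192.0.2.0/24"),
    "branch-dc": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed bot log: "<bot_id> <timestamp> <victim_ip> <hostname> <action>" per line.
SAMPLE_LOG = """\
b0001 2014-10-02T09:15:11Z 192.0.2.45 hq-ws-017 checkin
b0002 2014-10-02T09:16:03Z 203.0.113.9 home-pc checkin
b0003 2014-10-02T09:17:40Z 198.51.100.77 dc-fin-03 dropper:001.photo.exe
b0004 2014-10-02T09:18:02Z 198.51.100.200 other-host checkin
b0005 2014-10-02T09:19:55Z not-an-ip junk line
b0001 2014-10-02T13:02:10Z 192.0.2.45 hq-ws-017 webinject
"""

LINE_RE = re.compile(
    r"^(?P<bot>\S+)\s+(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<action>.+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; skip lines whose IP field does not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["ip"] = ipaddress.ip_address(rec["ip"])
        except ValueError:  # malformed or truncated entry, common in raw bot logs
            continue
        yield rec


def find_own_hosts(text, netblocks=ORG_NETBLOCKS):
    """Map netblock name -> {victim IP -> [actions]} for entries inside our ranges."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in parse_log(text):
        for name, net in netblocks.items():
            if rec["ip"] in net:
                hits[name][str(rec["ip"])].append(rec["action"])
    return {name: dict(victims) for name, victims in hits.items()}


if __name__ == "__main__":
    for block, victims in find_own_hosts(SAMPLE_LOG).items():
        for ip, actions in victims.items():
            print(f"{block}: {ip} -> {', '.join(actions)}")
```

Only two of the six entries land inside the constructed ranges (198.51.100.200 is outside the /25, and the malformed line is dropped); the action list per victim shows that the same bot checked in and later received a web inject, which is the kind of escalation the report describes.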

One of the botnets known to be used by these criminals is Andromeda.  In the example detailed on page 10 of the Anunak report, combined with indicators from the report’s appendix, we find that malware named “001.photo.exe”, which used the domains ddnservice10.ru and ddnservice11.ru on IP address 144.76.215.219 as its Command & Control, is definitely associated with these actors.

PhishMe Intelligence

PhishMe Intelligence subscribers can find samples of this threat by using the “URL search” and entering the partial string “ddnservice”, which will show 18 major spam campaigns tied to those two domains via their Malware Watch List entries.  Those domains were active from September 26, 2014 until November 6, 2014, at which time the criminals shifted their usage to dns22dns22.ru.

While the most common email subject used by this campaign was “my new photo ;)”, email subjects related to “Order Details” and “New offer Job” and others were also commonly seen.  The malware distribution network commonly known as SmokeLoader is used in many instances to install the Andromeda botnet, as in the Anunak example.

The current C&C address for this group, first seen on December 19, 2014, is “fudsufsd3.com”, which is associated with the following IP addresses:

  • 178.132.206.57 – hosted at JSC KazakhTelecom (ASN 9198)
  • 46.151.52.73 – hosted at VDS INSIDE, Ltd. (ASN 61214)
  • 62.76.184.68 – hosted at the famously malicious “IT House, Ltd” on ASN 57010

According to passive DNS, ddnservice10.ru was seen on near-neighbor IP addresses to two of these: 62.76.189.169 (ASN 57010), used on and after October 31, 2014, and 178.89.191.146 and 178.89.191.167 (ASN 9198), used on and after September 27, 2014 and October 23, 2014 respectively.

Top 10 Phishing Attacks of 2014

With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.

WordPress Phishing: Target of Cybercriminals Worldwide

WordPress phishing attacks are now commonplace, with the sites a target for cybercriminals worldwide. WordPress and Phishing now go hand in hand. WordPress sites are being used by cybercriminals to obtain a wide range of sensitive data from users. In some cases, those sites are created by cybercriminals. In other cases, vulnerabilities in WordPress sites are leveraged and new content is created – content that captures users’ information. Exploit kits are also loaded onto the sites that download malware.

Today’s technical press was full of headlines about the recent WordPress updates – eWeek’s WordPress 4.01 Updates Millions of Sites for 8 Flaws, for example.

The WordPress.org website describes the latest WordPress 4.0.1 Security Release as a “Critical security release for all previous versions” and says we “strongly encourage you to update your sites immediately.”  According to the release, all versions of WordPress are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.

At PhishMe this is not big news. In fact, it’s not really news at all. Why? Well, we know that the great thing about WordPress is that the platform makes it quick and easy for any user to make a website! We also know that the worst thing about WordPress is that it makes it quick and easy for any user to make a website! Not only does it make it very quick and easy for cybercriminals to make new WordPress sites, the platform is used by legitimate users to create a site that they then forget about maintaining. Having a website and then choosing not to maintain it, or perhaps not knowing enough about web security to be capable of maintaining it, is actually a very dangerous thing.

When people ask us about WordPress, we often tell them a story. Once upon a time, in the summer of 1983, my brother John and I went hiking in northern Michigan with a couple of Eagle Scout friends of ours called Philip and Michael. We assured our parents we would be safe in the woods for a week by ourselves; after all, our friends were Eagle Scouts! As we were hiking, dozens of miles from the nearest paved road, we came across a small shed in the woods, and inside the shed was a shotgun and a big box full of shells!

Being extremely responsible children, we of course notified the nearest authorities (ahem).

Having a WordPress website and failing to maintain it is exactly the same, in cyber terms at least, as leaving a loaded shotgun unattended on your front porch in a neighborhood full of curious teenagers. A dramatically high number of websites that are compromised and then used to distribute malware, to host malware C&C servers, and to host phishing webpages are made malicious as a result of carelessness by webmasters. It is essentially the same as leaving a loaded gun on the porch, or going on holiday and leaving the front door wide open.

When a curious teen or a convict picks up the gun and does harm to people, or when the house is burgled, it is easy to say “It wasn’t my fault!  I didn’t know!”  But perhaps we should start educating webmasters so they know that is not a valid excuse. Since we now know that cybercriminals target WordPress sites, leaving the sites with known vulnerabilities is nothing short of negligence. Your website could easily be turned into a WordPress phishing site if vulnerabilities are left unaddressed. Your site may also be used to infect all of your customers with malware.

How often does this really happen? One way to find many of these WordPress phishing sites is to look at the URL used in a phishing attack for evidence that it is a WordPress site. Many of these phishing attacks take the form of a Remote File Inclusion attack that allows the attacker to inject their phishing content into a subdirectory of either the “wp-admin” directory or the “wp-content” directory.

We ran some searches through our threat intelligence system to find out how many such pages we’ve seen. Just today there were:

  • Alibaba phish on “bluribbon.com/wp-admin” and “ambitionthekid.com/wp-admin/”
  • credit card phish on “resepmasakanalaindonesia.com/wp-includes”
  • TD Bank phish on “mariabobrova.com/wp-content/” and “jaw-photo.com/wp-content/”
  • generic email phish (AOL/Google/Microsoft/Yahoo) on “osiedlaimiasta.pl/wp-includes/” and “mariogavazzi.it/wp-content”
  • Paypal phish on “deluxetravelviajes.com/wp-content/”
  • Standard Bank phish on “woodsidenylawyer.com/wp-admin/”
  • AOL phish on “arkansaswebsiterentals.com/wp-content/”
  • Yahoo phish on “fenwaymarketing.com/wp-content/” and “pierrefauchard.com.br/wp-content/”
  • MayBank2U phish on “cascalhoriopreto.com.br/wp-admin/”
  • Halifax phish on “ics.com.ph/wp-admin/”
  • Royal Bank of Canada phish on “ohtleathercrafts.com/wp-content/”
  • Bank of America phish on “secureserver.net/~cables/wp-admin/”
  • BT.com phish on “accionpreventiva.cl/wp-content/”

And the business day is only half-way done!

Since January 1, 2014 we have seen:

  • 12,416 confirmed phishing URLs that contained the string “wp-content”
  • 6,054 confirmed phishing URLs that contained the string “wp-includes”
  • 4,255 confirmed phishing URLs that contained the string “wp-admin”

Those URLs were on 6,627 different domain names on 4,947 different IP addresses, at 164 different hosting companies. Sadly, the statistics make it clear that WordPress phishing websites tend to be clustered at hosting companies that offer cheap hosting with poor technical support. Often this is the result of “resellers” who use servers in those hosting company data centers to offer even cheaper webhosting deals with even poorer technical support.
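The search described above, as an added example that is not PhishMe's threat-intelligence system: each confirmed phishing URL is checked for a "wp-admin", "wp-content" or "wp-includes" directory in its path, hits are counted per marker, and the hits are grouped by host so that each compromised site can be reported to its owner once. SAMPLE_URLS holds the phishing paths listed above plus two constructed non-WordPress URLs; nothing is resolved or fetched.

```python
"""Classify confirmed phishing URLs by WordPress path marker and group them by host.

Added example, not PhishMe's threat-intelligence system. It performs the search
this section describes: look for a "wp-admin", "wp-content" or "wp-includes"
directory in the path of each URL, count hits per marker and group them by host.
SAMPLE_URLS holds the phishing paths listed on the page plus two constructed
non-WordPress URLs; nothing is resolved or fetched.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

WP_MARKERS = ("wp-admin", "wp-content", "wp-includes")

SAMPLE_URLS = [
    "bluribbon.com/wp-admin", "ambitionthekid.com/wp-admin/",
    "resepmasakanalaindonesia.com/wp-includes",
    "mariabobrova.com/wp-content/", "jaw-photo.com/wp-content/",
    "osiedlaimiasta.pl/wp-includes/", "mariogavazzi.it/wp-content",
    "deluxetravelviajes.com/wp-content/",
    "woodsidenylawyer.com/wp-admin/",
    "arkansaswebsiterentals.com/wp-content/",
    "fenwaymarketing.com/wp-content/", "pierrefauchard.com.br/wp-content/",
    "cascalhoriopreto.com.br/wp-admin/",
    "ics.com.ph/wp-admin/",
    "ohtleathercrafts.com/wp-content/",
    "secureserver.net/~cables/wp-admin/",
    "accionpreventiva.cl/wp-content/",
    # Constructed non-WordPress phishing URLs (documentation address / reserved name).
    "http://203.0.113.9/login/update.php",
    "http://example.net/~user/secure/index.html",
]


def _split(url):
    """urlsplit() with a scheme prepended when the feed recorded the URL without one."""
    return urlsplit(url if "://" in url else "http://" + url)


def wp_marker(url):
    """Return the first WordPress directory name found in the path, or None."""
    for segment in _split(url).path.lower().split("/"):
        if segment in WP_MARKERS:
            return segment
    return None


def summarize(urls):
    """Return (Counter of URLs per marker, {hostname: set of markers seen})."""
    counts = Counter()
    by_host = defaultdict(set)
    for url in urls:
        marker = wp_marker(url)
        if marker is None:
            continue
        counts[marker] += 1
        by_host[_split(url).hostname].add(marker)
    return counts, dict(by_host)


if __name__ == "__main__":
    counts, by_host = summarize(SAMPLE_URLS)
    for marker in WP_MARKERS:
        print(f"{marker:12} {counts[marker]:4d} URLs")
    print(f"{len(by_host)} distinct hosts to notify")
```

Matching whole path segments rather than substrings avoids counting a domain that merely contains "wp-content" in a query string, so the per-marker totals here are slightly stricter than a raw string search over the same feed would be.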

Our checks showed six hosting companies had more than 100 domains hacked using a WordPress Remote File Inclusion attack — and five of those are in the United States!

We can’t put all the blame on the hosting companies. Many of them are providing “do-it-yourself” web services where the webmasters have chosen to NOT do-it-themselves when it comes to security!

Do you know a WordPress webmaster?  If so, make sure you share this article with them and have them upgrade by following the WordPress 4.0.1 Security Release guidance. If you do, you are helping to keep all of us safer from WordPress phishing attacks and malware downloads from WordPress sites!

Cridex Malware Authors Warn Lloyds users of Dyre

PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today.

Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud.

Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft Word document to infect victims by pretending to be a Failed Fax Transmission.  On November 17, 2014, we received approximately 1,000 copies of this spam message before noon. The sending domain in the ‘From’ field was “interfax.net” in all of those samples.

Here’s the thing we’ve never seen before – A warning about Dyre malware FROM THE AUTHORS OF THE CRIDEX MALWARE!  If – and only if – you are infected with this version of Cridex malware, and you visit a website at www.lloydsbankcommercia.com, you will receive the following pop-up message when you visit LloydsLink.  PhishMe analysts spoke with Lloyds and learned that the message being propagated by Cridex malware was previously used on the Lloyds website in a now discontinued security advisory, but confirmed that if someone is seeing that message now it is a sign of a Cridex malware infection.

The security warning displayed to users that have been infected with Cridex malware is as follows:

IMPORTANT SECURITY INFORMATION
21 October
Lloyds Banking Group is aware that the Dyre malware (also known as Dyreza) is currently actively targeting financial institutions across the UK including customers of LloydsLink online.

This is not a vulnerability within LloydsLink online but malware that resides on infected computer systems designed to steal user log-in credentials.

We recommend you:

1. Work with your IT security providers to confirm that your anti-malware solution is capable of detecting and removing the very latest variants of Dyre.
2. Carry out comprehensive scans of any systems used to access LloydsLink, as well as any other financial service institution or financial orientated software that you use and transact on.
3. Change Passwords and memorable information, following the comprehensive scans of your systems.

Please remember it is important to check all beneficiary details, especially bank sort codes and account numbers, before creating and approving all payments.
For more information on protecting your payments please visit our Security Centre.

3) KEEPING YOUR PC SECURE

Protect against viruses
Use anti-virus software and ensure that it is kept up to date – this should protect your computer against the latest viruses
Use up-to-date anti-spyware software to protect against programs that fraudsters can use to collect information about your Internet usage

Keep your software up-to-date

Occasionally publishers discover vulnerabilities in their products and issue ‘patches’ to protect against any security threats. It is important that you regularly visit the website of the company which produces your operating system (e.g. Windows XP) and browser (e.g. Internet Explorer) to check for any patches or updates they may have issued.


While it would appear that the content above is being provided by Lloyds, that is not the case. The content is being pushed into your browser by the Cridex malware in what is known as a “web inject”. The web inject occurs if the malware senses that a user is visiting Lloyds commercial banking services.

Astute network monitoring professionals will want to watch for network traffic to the IP addresses 37.59.136.102 and 91.121.134.223. Both addresses are hosted on OVH France, a network that has great loyalty from the criminals behind this malware.
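Both this Cridex watch list and the fudsufsd3.com / ddnservice infrastructure in the PhishMe Intelligence section above come down to the same monitoring task: matching outbound connections against known C&C domains and IPs. The following is an added example, not PhishMe code, that runs that match over proxy or DNS log lines. The indicators are only those named on this page; the log format and the sample lines are constructed. An exact domain or IP match is reported as "ioc"; a connection into the same /24 as a known C&C IP is reported as "neighbor" for analyst review, in the spirit of the passive-DNS near-neighbor observation above, without treating a whole hosting block as malicious.

```python
"""Match outbound-connection log lines against the C&C indicators named on this page.

Added example, not PhishMe code. The indicators are the domains and IPs the page
lists for the Andromeda/Anunak campaign and for Cridex. The log format and the
sample lines are constructed. An exact match is "ioc"; same-/24 traffic is
"neighbor" and is meant for review, not automatic blocking.
"""
import ipaddress
import re

IOC_DOMAINS = {"ddnservice10.ru", "ddnservice11.ru", "dns22dns22.ru", "fudsufsd3.com"}
IOC_IPS = {
    ipaddress.ip_address(a)
    for a in (
        "144.76.215.219",                                      # 001.photo.exe C&C (Anunak report)
        "178.132.206.57", "46.151.52.73", "62.76.184.68",      # fudsufsd3.com
        "62.76.189.169", "178.89.191.146", "178.89.191.167",   # earlier ddnservice10.ru hosting
        "37.59.136.102", "91.121.134.223",                     # Cridex, OVH France
    )
}
# Constructed heuristic: the /24 around each C&C IP, flagged for review rather than blocked.
IOC_NEIGHBORHOODS = {ipaddress.ip_network(f"{a}/24", strict=False) for a in IOC_IPS}

# Constructed proxy/DNS log: "<timestamp> <internal_src> <dst_host_or_-> <dst_ip>" per line.
SAMPLE_LOG = """\
2014-12-19T10:01:02Z 10.0.0.15 fudsufsd3.com 178.132.206.57
2014-12-19T10:01:05Z 10.0.0.22 www.example.org 203.0.113.5
2014-12-19T10:02:11Z 10.0.0.15 - 178.132.206.99
2014-12-19T10:03:40Z 10.0.0.31 - 91.121.134.223
2014-12-19T10:04:00Z 10.0.0.40 dns22dns22.ru 203.0.113.77
2014-12-19T10:05:00Z 10.0.0.50 mail.example.org 203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)$")


def classify(host, dst):
    """Return ("ioc", reason), ("neighbor", reason) or None for one destination."""
    if host.lower().rstrip(".") in IOC_DOMAINS:
        return ("ioc", f"domain {host}")
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:  # e.g. a "-" placeholder where the resolver logged no address
        return None
    if ip in IOC_IPS:
        return ("ioc", f"ip {ip}")
    for net in IOC_NEIGHBORHOODS:
        if ip in net:
            return ("neighbor", f"{ip} in {net}")
    return None


def scan(text):
    """Return [(src, verdict, reason)] in log order for every line that matched."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        result = classify(m["host"], m["dst"])
        if result:
            findings.append((m["src"], result[0], result[1]))
    return findings


def hosts_to_isolate(text):
    """Internal sources with at least one exact indicator hit (neighbors only get reviewed)."""
    return {src for src, verdict, _ in scan(text) if verdict == "ioc"}


if __name__ == "__main__":
    for src, verdict, reason in scan(SAMPLE_LOG):
        print(f"{verdict:8} {src:12} {reason}")
```

The domain check runs before the IP check because a C&C domain can move to a new address, as ddnservice10.ru did across the hosts listed above, and the hostname is then the more stable indicator; the /24 heuristic is deliberately separated from the exact hits so it never feeds an automatic block list on its own.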

While nearly 300 other banks are also specifically targeted by this version of Cridex, the only other bank whose customers receive a special “web inject” pop-up message from the criminals is Barclays Bank. They receive this special message:

Your security obligations
Due to our recent security changes you should keep your smart card inserted in your card reader.
This security message will appear periodically.
Please tick the box to acknowledge these security obligations.

In addition to many UK-based banks, banks in Austria, Belgium, Bulgaria, Germany, Hungary, Ireland, Indonesia, Israel, Italy, India, Malaysia, Netherlands, Norway, Qatar, Romania, Singapore, Switzerland, United Arab Emirates, United States of America, and Vietnam have also been targeted.

Several companies offering services to small and regional banks and credit unions are also being targeted, including CardinalCommerce, Electracard.com, ElectraPay.com, and Enstage.com.

PhishMe Intelligence subscribers can review further details of this attack online under Threat ID 2361.

Three Ways Reporter Can Enhance Your Incident Response Process

Most of us have been in an airport and heard the announcement over the loudspeaker: “If you see something, say something.”  The airport has security personnel; however, their agents cannot be everywhere at once.  They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be.  In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unattended luggage.

What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.