December 23, 2024

Njw0rm Source Code Used to Create New RATs

Posted on January 23, 2015 by in Security

Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.

Njw0rm is a variant of njRAT, a tool believed to be developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.

Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.

One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.

njRAT evolution

The new pieces of malware come with an enhanced control panel and they include several new features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system, and USB devices, Kjw0rm’s control panel includes data on installed antiviruses (v2.0) and the presence of the .NET framework (v0.5x). Sir Do0om, on the other hand, also provides the botmaster with information on RAM, firewalls, antiviruses, CPU/GPU, and product details (name, ID, key).

As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.

Sir Do0om is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to Quran, the central religious text of Islam. This RAT is also designed to terminate itself if the presence of a virtual machine is detected.

Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all the folders found on the infected device and create shortcut links pointing to the malware with the names of the hidden folders.

“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Facebook Users Targeted Via Android Same Origin Policy Vulnerability

Posted on December 29, 2014 by in Security

 Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts. 

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a u0000 character, as demonstrated by an onclick=”window.open(‘u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

  1. Add friends
  2. Like and follow Facebook pages
  3. Modify subscriptions
  4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  5. Steal the victim’s access tokens and upload them to their server  at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $ token;
  6. Collect analytics data (such as victims’ location, HTTP referrer,  etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at <a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.%257bBLOCKED%257dphp.com%2Fx%2Ftoplu.php%22%3Ehttp%3A%2F%2Fwww.%7BBLOCKED%7Dphp.com%2Fx%2Ftoplu.php%3C%2Fa%3E%2C" Huang explained. "We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app."

“The client_id involved in this malware was “2254487659”,” he added. “This is an official BlackBerry App  maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

Blackberry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

MBR Wiper Attacks Hit Korean Power Plant: Trend Micro

Posted on December 24, 2014 by in Security

Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed