Njw0rm Source Code Used to Create New RATs
Posted on January 23, 2015 by Kara Dunlap in Security
Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.
Njw0rm is a variant of njRAT, a tool believed to be developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.
Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.
One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.
The new pieces of malware come with an enhanced control panel and they include several new features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system, and USB devices, Kjw0rm’s control panel includes data on installed antiviruses (v2.0) and the presence of the .NET framework (v0.5x). Sir Do0om, on the other hand, also provides the botmaster with information on RAM, firewalls, antiviruses, CPU/GPU, and product details (name, ID, key).
As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.
Sir Do0om is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to Quran, the central religious text of Islam. This RAT is also designed to terminate itself if the presence of a virtual machine is detected.
Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all the folders found on the infected device and create shortcut links pointing to the malware with the names of the hidden folders.
“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.
Tor-Enabled Bifrose Variant Used in Targeted Attack
Posted on September 1, 2014 by Kara Dunlap in Security
A new variant of the Bifrose backdoor has been used in a cyberattack aimed at an unnamed device manufacturer, Trend Micro reported.
The threat, detected by the security firm as BKDR_BIFROSE.ZTBG-A, is more evasive than previous variants because it uses the Tor anonymity network for command and control (C&C) communications.
After infecting a device, the backdoor allows its masters to perform various tasks, including downloading and uploading files, creating and deleting folders, executing files and commands, capturing keystrokes, capturing screenshots and webcam images, terminating processes, collecting system information and manipulating windows.
“BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes,” Trend Micro threat response engineer Christopher Daniel So explained in a blog post. “It can also send keystrokes and mouse events to windows, which means that the attacker may be able to conduct operations as the affected user without having to compromise their accounts. For example, the attacker can log into internal systems or even send messages to other users in the network.”
While C&C communications via Tor can make the threat more elusive, the same communications can also be used by IT administrators to detect an attack. More precisely, they can identify malicious activity by monitoring the network for Tor traffic. Many organizations don’t use Tor for regular operations so any traffic associated with the anonymity network could indicate a cyberattack.
Another method recommended by Trend Micro for detecting Bifrose, in addition to the use of security solutions, involves checking for a file named klog.dat, which is used for the threat’s keylogging routines. Verifying network and mail logs could also help IT admins in detecting the malware.
Bifrose has been around since at least September 2008. One interesting campaign leveraging this particular threat was launched in 2010, when cybercriminals distributed the backdoor with the aid of a mail worm. The operation, dubbed “Here You Have,” was initially aimed at the human resource departments of organizations like NATO and the African Union. This old campaign demonstrates Bifrose’s potential for targeted attacks.
The “Here You Have” campaign was so successful that it caused a global outbreak.
Nasty IE Zero-Day Used in Attacks Against Defense, Financial Sectors: FireEye
Posted on April 27, 2014 by Kara Dunlap in Security
Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.
The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013.
The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11.
“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday.
Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.
If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.
FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.
FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.”
“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.
Additional technical details are available from FireEye. Microsoft also has provided some mitigation information.
Related: ASLR Bypass Techniques Appearing More Frequently in Attacks