Wednesday, November 26, 2014

A Nightmare on Malware Street

Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.

CoinVault

Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in ILSpy, we find that the program starts with a string key that is passed to a decryption method, which ultimately yields the executable code.

CoinVault (17)

A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.

CoinVault (18)

Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods taken from the source code and set a breakpoint to check what the decryption method is doing. The first two output bytes, '77' and '90' in decimal, tell us we are on the right track: converted to hexadecimal they are '4D' and '5A', the magic number for DOS executable files, identified by the ASCII string 'MZ'. We dump all the bytes to an executable file on disk for further analysis.
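The 'MZ' check above is the usual way to confirm that a decrypted blob is a PE file before dumping it. The following is an added example (not code from the original post) that generalizes the step: it scans any byte buffer, such as a decrypted payload or a memory dump, for 'MZ' headers whose e_lfanew field really points at a 'PE\0\0' signature, and carves each candidate to disk. The sample buffer is constructed here; the e_lfanew upper bound is an assumed heuristic.

```python
import struct
from pathlib import Path

MZ = b"MZ"          # decimal 77, 90 -> hex 4D 5A: DOS header magic
PE_SIG = b"PE\0\0"  # NT header signature that e_lfanew must point at


def pe_candidates(buf: bytes):
    """Return offsets in buf that start a plausible PE image.

    A bare 'MZ' is a weak signal (it appears in ordinary data too), so the
    DOS header field e_lfanew (at offset 0x3C) must also point at 'PE\\0\\0'
    inside the buffer. The 0x1000 upper bound is an assumed sanity limit.
    """
    hits = []
    pos = buf.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[nt:nt + 4] == PE_SIG:
                hits.append(pos)
        pos = buf.find(MZ, pos + 1)
    return hits


def carve(buf: bytes, out_dir: Path, prefix: str = "dumped"):
    """Write each candidate (from its 'MZ' to the next candidate or the end
    of buf) to disk as prefix_<offset>.bin for further analysis."""
    out_dir.mkdir(parents=True, exist_ok=True)
    offs = pe_candidates(buf)
    written = []
    for i, start in enumerate(offs):
        end = offs[i + 1] if i + 1 < len(offs) else len(buf)
        path = out_dir / f"{prefix}_{start:#x}.bin"
        path.write_bytes(buf[start:end])
        written.append(path)
    return written


def fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a decrypted payload: a DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, padded with zero bytes."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed buffer: a decoy 'MZ' inside text, then a real-looking header.
    blob = b"\x00" * 16 + b"MZ not a header" + b"\x00" * 64 + fake_pe()
    print("PE candidates at:", [hex(o) for o in pe_candidates(blob)])
```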

CoinVault (19)

We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.

CoinVault (2)

Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.

CoinVault (13)

In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.

CoinVault (1)

Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.

CoinVault (20)

But wait, there's more! If a virtualized environment is detected, execution stops and the malicious payload is never revealed.

CoinVault (21)

Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.

CoinVault (10)

We can fix this easily from VMware's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running our PowerShell checks again, we see the good news and are ready to go even further.

CoinVault (11)

Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.

CoinVault (6)

The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.

CoinVault (3)

However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 1.9.0.0.

CoinVault (4)

Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.

CoinVault (5)

We can now see, amongst the many (many) methods and delegates inside the assembly, some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' class is used (amongst others), revealing symmetric encryption functionality.

CoinVault (8)

We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.

CoinVault (7)

When we finally get to the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline, and this hampers the 'Locker' functionality, since upon inspecting the traffic we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware checks for Wireshark on the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.
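Since the 'Locker' has to resolve its dynamic-DNS C&C before it can fetch the encryption password, a DNS query log is a good place to catch it. The following is an added detection example (not from the original post): it flags lookups of the two domains named above and, more generally, any lookup under the free dynamic-DNS zones they live in. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# C&C domains observed in the CoinVault analysis above.
COINVAULT_C2 = {"cvredirect.no-ip.net", "cvredirect.ddns.net"}
# Free dynamic-DNS zones the C&C hides under; the label may change, so a
# lookup under these zones from a host that never used dynamic DNS is notable.
DYNDNS_ZONES = {"no-ip.net", "ddns.net"}

# Assumed (constructed) log format: "<timestamp> <client_ip> query: <qname> <qtype>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+?)\.?\s+(\S+)$")


def classify(qname):
    """Label a queried name: exact C&C match, a dynamic-DNS zone, or None."""
    q = qname.lower()
    if q in COINVAULT_C2:
        return "coinvault-c2"
    if any(q == z or q.endswith("." + z) for z in DYNDNS_ZONES):
        return "dyndns-zone"
    return None


def scan(lines):
    """Return (alerts, per_client): alerts are (client, qname, label) tuples,
    per_client counts flagged lookups so a repeatedly beaconing host stands out."""
    alerts, per_client = [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        _ts, client, qname, _qtype = m.groups()
        label = classify(qname)
        if label:
            alerts.append((client, qname.lower(), label))
            per_client[client] += 1
    return alerts, dict(per_client)


# Constructed sample log; 10.0.0.12 plays the infected host.
SAMPLE_LOG = """\
2014-11-25T21:01:02 10.0.0.12 query: www.example.com A
2014-11-25T21:01:09 10.0.0.12 query: cvredirect.no-ip.net. A
2014-11-25T21:02:11 10.0.0.12 query: CVREDIRECT.DDNS.NET A
2014-11-25T21:03:40 10.0.0.7 query: photos.ddns.net A
2014-11-25T21:04:00 10.0.0.7 query: mail.corp.local A
"""

if __name__ == "__main__":
    alerts, counts = scan(SAMPLE_LOG.splitlines())
    for client, qname, label in alerts:
        print(f"{client} -> {qname} [{label}]")
    print(counts)
```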

Network (1)

At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.

MainScreen

Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.

Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.