GandCrab Ransomware Crooks Take Agile Development Approach

Earlier this month, command-and-control servers tied to the fast-growing GandCrab ransomware campaigns were seized by Romanian Police and Europol. But the criminals behind GandCrab don’t appear fazed by the setback and have already tweaked the malware to keep ransomware payments coming in.

According to new research by Check Point, the group behind GandCrab has infected over 50,000 victims mostly in the U.S., U.K. and Scandinavia. And in the two months the ransomware crew has been in business, criminals have earned an impressive $600,000.

“GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” said Yaniv Balmas, group manager, security research at Check Point, who compares the ransomware to the prolific Cerber malware. He said that despite the popular opinion that the sands have shifted away from ransomware to cryptojacking, they actually haven’t. “There are still very high infection rates. And it is still a very easy way for criminals to make money,” he said.

For those behind GandCrab, staying profitable and staying one step ahead of white hats means adopting a never-before-seen agile malware development approach, said Check Point.

Check Point made the assessment after reviewing early incarnations of the GandCrab ransomware (1.0) and later versions (2.0).

“Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile,” according to a report expected to be released Thursday by Check Point.

Early versions of GandCrab were full of bugs and mistakes from a developer’s standpoint, said Michael Kajiloti, team leader, malware research at Check Point. “They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner.”

Much like Cerber, the hackers behind the malware simply rent out their ransomware software and are never engaged in the actual campaigns. This allows them to focus on malware development rather than the day-to-day work of infecting victims and collecting ransoms. That development-focused approach is credited for Cerber’s success as well. Encrypted files are given the .CRAB extension, and DASH cryptocurrency payments equal to $300 to $600 are demanded for each infection.

It is not clear who is behind GandCrab, but Check Point believes it is likely a Russia-based hacking group, because instructions from the criminals forbid users of the ransomware to target systems where the keyboard layout is Russian.

Earlier this month, security firm BitDefender released a free decryptor. However, Check Point said GandCrab’s developers quickly made changes to their product to render the decryptor tool useless.

“GandCrab itself is an under-engineered ransomware that manages to still be effective. For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” according to the authors of the Check Point report.

“If you monitor your internet traffic while you are infected for the private key, this means you can easily decrypt your files,” Balmas said. “The private key is encrypted in transit. But it is encrypted using the same password every time. And the password is embedded in the malware code.”

This flaw won’t last for long, Check Point researchers suspect.

“It is getting harder and harder to find flaws,” Kajiloti said.

Constant development has also helped GandCrab, in some instances, bypass signature-based AV engines. “Cosmetics and incremental code changes keep the core of the malware behavior essentially the same. This comes to show the core differentiator of dynamic analysis and heuristic-based detection, which is signature-less,” according to the Check Point report.

“With agile development and the infection rate and affiliates, GandCrab will keep making money,” Kajiloti said.

Iran-Linked Group ‘TEMP.Zagros’ Updates Tactics, Techniques In Latest Campaign

Researchers say a massive phishing campaign targeting Asia and Middle East regions is linked to an Iranian-based threat actor TEMP.Zagros, also known as MuddyWater. This latest attack illustrates an evolution by the threat actor, which has now adopted new tactics, techniques and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East,” wrote FireEye researchers in a blog post Tuesday.

FireEye’s discovery builds off previous research into the group by Palo Alto Networks’ Unit 42 and Trend Micro. In November, Unit 42 first wrote about TEMP.Zagros (or MuddyWater), noting that the attacks hit various industries in several countries, primarily in the Middle East and Central Asia, and lured victims into downloading infected documents that compromised their computer networks.

On Monday, Trend Micro reported similarities between the MuddyWater campaign and these new attacks, stressing that the link signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries.

In the FireEye report, researchers assert that this latest wave of phishing attacks is a new strategy for TEMP.Zagros. The group has also adopted new tools, such as the POWERSTATS backdoor, and techniques, such as an AppLocker bypass, researchers said.

“In this campaign, the threat actor’s tactics, techniques and procedures shifted after about a month, as did their targets,” according to the co-authors of the FireEye report Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe and Ben Read.

According to FireEye, this latest campaign has been running from January through March. Similar to the past campaigns reported in November, the threat actor sent out phishing emails carrying malicious macro-based documents. FireEye said that these spearphishing emails typically have geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology (established by the Reserve Bank of India).

“Given the type of entities targeted, we believe this activity is strategic in nature, primarily conducting reconnaissance and collection operations for geopolitical, defense, and economic data that could support nation-state interests and decision making,” Sarah Hawley, principal analyst at FireEye, told Threatpost.

When successfully executed, the malicious documents installed a backdoor tracked as POWERSTATS, researchers said.

“Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server,” said FireEye’s report.

“One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass, and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.”

Starting Jan. 23, the actor used a macro-based document that dropped a VBS file and an INI file containing a Base64-encoded PowerShell command. PowerShell is a task-based command-line shell and scripting language designed so that system administrators and power users can quickly automate the administration of multiple operating systems.

“Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of process tree, its final purpose remained same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it,” according to FireEye’s report.

The actor then switched techniques starting Feb. 27 and started using a scriptlet code execution method that leverages plain-text Setup Information (INF) files and scriptlet (SCT) files in an attempt to evade security products.

If executed, the phishing email’s malicious Word macro triggers the dropping of three files onto the target’s PC (C:\programdata). These files are malicious JavaScript-based scriptlet Defender.sct, DefenderService.inf and WindowsDefender.ini.

The Defender.sct file, which uses obfuscated JavaScript code, then executes a decoded PowerShell script that performs several malicious activities. The PowerShell script can retrieve data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables. It can also take screenshots of the system desktop, check for the presence of security tools, and shut down the system if any are detected.
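The dropped-file pattern described above (an INI file whose value is a Base64-encoded PowerShell command, later decoded and run by a script) is something a defender can look for on disk. The following is an added example written for this page, not FireEye's tooling or anything recovered from the campaign: it scans INI-style text for Base64 runs that decode to PowerShell-like commands, trying both UTF-8 and the UTF-16LE encoding that `-EncodedCommand` payloads use. The keyword list and the sample INI contents are constructed assumptions, and the sample command is a harmless WMI query.

```python
import base64
import binascii
import re

# Keywords whose presence in a decoded blob suggests PowerShell rather than
# ordinary configuration data. This list is an assumption; extend it to taste.
PS_KEYWORDS = (
    "powershell", "invoke-expression", "iex ", "downloadstring",
    "frombase64string", "get-wmiobject", "$env:", "-encodedcommand",
)

# Base64 runs long enough to carry a command rather than a short setting value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _as_text(raw: bytes):
    """Return decoded text if raw is printable UTF-8 or UTF-16LE, else None.
    UTF-16LE bytes decode as UTF-8 too, but contain NULs, which are not
    printable, so the UTF-8 attempt falls through to the UTF-16LE one."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def scan_ini(ini_text: str):
    """Scan INI-style text for Base64 runs that decode to PowerShell-like text.
    Returns a list of findings: (ini key, decoded text, matched keywords)."""
    findings = []
    for line in ini_text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        for run in B64_RUN.findall(value.strip()):
            try:
                raw = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid Base64 (bad length or characters)
            text = _as_text(raw)
            if text is None:
                continue  # binary payload such as an icon, not a script
            lowered = text.lower()
            hits = [k for k in PS_KEYWORDS if k in lowered]
            if hits:
                findings.append((key.strip(), text, hits))
    return findings


# Constructed sample inputs (not artifacts from the campaign): one INI file
# carrying a UTF-16LE Base64 PowerShell command in -EncodedCommand style,
# and one ordinary INI whose Base64 value is a binary blob.
_SAMPLE_COMMAND = "Get-WmiObject Win32_OperatingSystem | Select-Object Caption"
SUSPICIOUS_INI = (
    "[Settings]\n"
    "Name=WindowsDefender\n"
    "Data=" + base64.b64encode(_SAMPLE_COMMAND.encode("utf-16-le")).decode() + "\n"
)
BENIGN_INI = (
    "[Settings]\n"
    "Icon=" + base64.b64encode(bytes(range(256)) * 2).decode() + "\n"
)


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_INI), ("benign", BENIGN_INI)):
        for key, decoded, hits in scan_ini(text):
            print(f"{name}: key={key!r} keywords={hits} decoded={decoded!r}")
```

In practice the scanner would be pointed at the drop location named in the article (C:\programdata) and its findings fed to whatever alerting the organisation already runs; decoding rather than pattern-matching the raw Base64 is what lets it catch re-encoded variants of the same command.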

Targeted countries include Turkey, Pakistan, Tajikistan, and India. FireEye told Threatpost that a combination of the targeting scope, use of malicious macros, similarly-themed decoy materials, and POWERSTATS malware led them to link TEMP.Zagros to the campaign. Hawley said that FireEye also found Chinese strings that it believes were left as false flags to complicate attribution efforts.

“These factors, as well as the operation’s focus on geopolitical entities and targeting scope led us to assess with moderate confidence that this activity has a nexus to Iran,” said Hawley.

How ‘Slingshot’ Router Malware Lurked for Six Years


No Link to Known APT Group Cited, But Attackers Appear to Like Tolkien


Kaspersky Lab says it has uncovered an elegant piece of malware that in part leveraged a Latvian-designed router as part of a stealthy attack campaign that has persisted for over six years.


The Moscow-based security firm hints that the engineering behind the malware, dubbed Slingshot, could only have been accomplished by a well-resourced attacker. But it stopped short of naming one.

Kaspersky gives Slingshot high praise, putting it on a level with Regin and Project Sauron.

The security firm says it’s identified at least 100 victims of Slingshot, mostly in the Middle East and Africa. Close to half of the victims were in Kenya, with the rest in places including Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.

According to a 25-page technical paper published by Kaspersky Lab, Slingshot’s framework was designed for flexibility and reliability, which is why it has flown under the radar since 2012.

“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the company writes.

Latvian Routers

Kaspersky wasn’t able to determine the vector that resulted in the infection of most of Slingshot’s victims. But it did figure out one: routers from Latvian computer networking equipment manufacturer MikroTik.

For some time, MikroTik’s router firmware downloaded other components directly onto Windows computers. That was the expected behavior, although MikroTik has since modified its software.

The tip-off came as Kaspersky was investigating a suspected keylogger. The company came across a malicious library that could interact with the virtual file system.

MikroTik included router management software called Winbox, which downloaded dynamic link libraries and loaded them directly into a computer’s memory. The attackers managed to swap a legitimate DLL for a malicious downloader that ended up on victims’ computers.

Kaspersky writes that the malicious downloader was exactly the same size as the legitimate one. Once the DLL has loaded the other malicious modules – a kernel-mode module called Cahnadr and a user-mode module called GollumApp – the deleted original DLL is put back in place.
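The size-matching swap just described is the reason an integrity check on a downloaded component must compare a cryptographic hash, never just a file size. The Python below is an added example, not Kaspersky's or MikroTik's code: the component name ipv4.dll comes from the article, while the allowlist, the byte blobs standing in for the legitimate and swapped files, and the hash are all constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def check_component(name: str, data: bytes, allowlist: dict) -> dict:
    """Compare a fetched component with its allowlist entry (size, sha256).
    Both results are returned so the caller can see that a size match on
    its own proves nothing."""
    expected_size, expected_digest = allowlist[name]
    return {
        "size_ok": len(data) == expected_size,
        "hash_ok": sha256_hex(data) == expected_digest,
    }


def verify_before_load(name: str, data: bytes, allowlist: dict) -> bool:
    """Fail closed: only a hash match authorizes loading the component."""
    result = check_component(name, data, allowlist)
    if not result["hash_ok"]:
        raise ValueError(
            f"{name}: hash mismatch (size matched: {result['size_ok']})"
        )
    return True


# Constructed stand-ins, not real binaries: a "legitimate" blob and a
# replacement padded to exactly the same length, as in the Slingshot swap.
LEGIT = b"MZ" + b"constructed-legit-component" * 8
TAMPERED = (b"MZ" + b"constructed-swapped-loader").ljust(len(LEGIT), b"\x00")
ALLOWLIST = {"ipv4.dll": (len(LEGIT), sha256_hex(LEGIT))}


if __name__ == "__main__":
    print("legitimate:", check_component("ipv4.dll", LEGIT, ALLOWLIST))
    print("tampered:  ", check_component("ipv4.dll", TAMPERED, ALLOWLIST))
    try:
        verify_before_load("ipv4.dll", TAMPERED, ALLOWLIST)
    except ValueError as err:
        print("refused:", err)
```

The allowlist would normally be shipped with the management client rather than fetched from the device being managed; a hash obtained from the same channel as the file it is meant to vouch for can be swapped along with it.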


GollumApp, named after a character in “The Hobbit,” collects network-based information, handles input/output requests for the encrypted file system, collects saved passwords in Firefox and Internet Explorer, and logs keystrokes or pulls information from the clipboard, among other functions.

MikroTik Exploit

Kaspersky says it hasn’t been able to identify how MikroTik’s routers were initially infected in order for the attackers to abuse Winbox’s behavior. But it does note that suspected CIA tools contained in WikiLeaks’ Vault7 dump do mention an attack related to MikroTik.

The exploit is called ChimayRed. After it became public, MikroTik issued a statement saying that it had released a new version of its router firmware, RouterOS 6.38.4, that should remove any malicious files in devices that had been compromised.

However, one of the victims studied by Kaspersky ran version “6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one,” the security firm writes.

“We contacted MikroTik and reported this attack procedure,” it adds. “According to MikroTik, latest versions of Winbox no longer download the ipv4.dll file from the router, closing the attack vector.”

In a March 2017 posting to its own forum, MikroTik says it was unable to obtain the exploit from WikiLeaks. But it did note that ChimayRed was only effective if the firewall on port 80 had been disabled. The firewall is active by default.

Nod to J.R.R. Tolkien

Kaspersky steered away from attempting to guess the identity of Slingshot’s authors – a wise move given enduring controversies over attributing attacks in the murky cyber-espionage world.

But Kaspersky does say that Slingshot doesn’t appear to have any links to other so-called advanced persistent threats.

The only definitive conclusion is that whoever designed the malicious code appears to have been a fan of J.R.R. Tolkien’s fantasy novels. They also had good grammar skills.

“Most of the debug messages found throughout the platform are written in perfect English,” Kaspersky Lab writes. “The references to Tolkien’s ‘Lord of the Rings’ – Gollum, Smeagol – could suggest the authors are fans of Tolkien’s work.”

166 Applebee’s Restaurants Hit With Payment Card Malware


Payment Card Data Stolen by Malware-Wielding Attackers, Franchisee Warns


Anyone who dined out at Applebee’s restaurants in 15 states – ranging from Alabama and Arizona to Texas and Wyoming – may have gotten a free side of payment card theft with their meal.


On Friday, RMH Franchise Holdings warned that of the 167 Applebee’s restaurants it owns and operates, 166 of them suffered a data breach in which point-of-sale systems were infected with malware designed to capture payment cards for anyone who dined at the restaurants.

Infection periods vary by location, but the earliest infections began on Nov. 23, 2017, and none appear to have lasted longer than Jan. 2, the company says. It has not published an estimate of the number of payment cards that hackers compromised.

RMH says it’s the second largest Applebee’s franchisee as well as “one of the fastest growing casual dining restaurant companies in America.”

The company discovered the breach on Feb. 13 and “promptly took steps to ensure that it had been contained,” RMH says in a statement. “In addition to engaging third-party cybersecurity experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”

Customers’ names, credit or debit card numbers, card expiration dates and card verification codes may have been compromised. “Payments made online or using self-pay tabletop devices were not affected by this incident,” the company says.

The company says it’s set up a help line that customers can call to receive more information about the breach.

Applebee’s Restaurants: 166 Infected

RMH’s data breach notification includes a list of all affected locations by name and lists the infection period. Here’s a breakdown of how many RMH-owned Applebee’s were affected in each state:

  • Alabama: 2
  • Arizona: 23
  • Florida: 4
  • Illinois: 14
  • Indiana: 21
  • Kansas: 3
  • Kentucky: 14
  • Missouri: 2
  • Mississippi: 1
  • Nebraska: 11
  • Ohio: 44
  • Oklahoma: 6
  • Pennsylvania: 1
  • Texas: 15
  • Wyoming: 5

RMH says the malware infections have been remediated and that it’s safe again to use a payment card at its Applebee’s restaurants.

The company has recommended that anyone who dined in one of the Applebee’s restaurants it owns and operates keep a close eye on their bank and credit card statements. “If they see an unauthorized charge, guests should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.”

Identity theft experts say that U.S. credit card issuers are required to reimburse the full amount of any fraudulent charges, so long as customers report the charge in a timely manner. “Credit cards are better protected by federal law as to the amount of money that you are responsible for if lost or stolen, and most companies now extend a zero liability policy to customers,” according to the Identity Theft Resource Center, a nonprofit U.S. organization that assists data breach victims.

ITRC recommends that at least when traveling, U.S. consumers never use a debit card to pay for anything because any fraud will result in funds immediately disappearing from an account. “It is more difficult and time consuming to resolve fraudulent purchases made with debit cards,” ITRC says.

The company issued its breach notification on a Friday, which is when companies try to bury bad news (see Jason’s Deli: Hackers Dine Out on 2 Million Payment Cards).

List of 166 breached locations (Source: RMH Franchise Holdings)

RMH declined to comment on how the breach was discovered, how many cards appear to have been affected, how attackers broke in, what specific steps Applebee’s has taken to secure its systems to prevent a recurrence, and whether RMH’s Applebee’s restaurants use chip-and-PIN card security and if that helped mitigate the breach.

Yet Another Restaurant Chain Breach

RMH’s breach means Applebee’s joins the ever-growing roster of restaurants that have suffered POS malware infections leading to payment card data being stolen. The spate of restaurant-related breaches seems to have been nonstop since mid-2014, when restaurant chain P.F. Chang’s China Bistro warned that a POS malware attack had compromised dozens of its locations.

Since then, numerous other restaurants, including Arby’s, Chipotle, Jason’s Deli and Wendy’s, among many others, have fallen victim to POS malware infections (see ‘Where’s the Breach?’).

The payment card breach epidemic isn’t just centered on U.S. restaurants; it has also hit retailers and hotels (see Forever 21 Suffered 7-Month POS Malware Attack).

The problem is compounded by the ease of procuring card-scraping malware, designed to infect POS systems, from underground cybercrime forums.

Many hospitality and retail sector organizations also have poor information security practices, according to Verizon’s 2017 Data Breach Investigations Report.

Some information security experts recommend that any organization that uses POS terminals should assume they have been breached unless it can demonstrably and repeatedly prove otherwise. But many organizations don’t appear to take the threat seriously until after their systems have been breached.

Attackers, however, are not just gunning for POS systems installed in restaurants and other locations, but also POS system providers, which could enable hackers to infect many more systems and harvest many more payment card details at once.

In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had “detected and addressed malicious code in certain legacy MICROS systems.” And many more POS vendors have also been targeted, security experts say.

Start With the Basics

Information security experts have long recommended that corporate IT administrators always ensure they have basic security defenses in place, including segmenting networks, restricting admin-level rights and never allowing any device with a default password to connect to corporate networks (see Solve Old Security Problems First).

But cybersecurity firm Mandiant, part of FireEye, in a report issued last year, warned that too many organizations still fail to put these basic, well-proven security defenses in place.

View of a “flat” retail network that is not segmented. (Source: Mandiant)

The lack of segmentation in particular leaves organizations that handle payment card information at heightened risk of being breached. “Unfortunately, most networks, including those with payment card information, are not segmented,” Mandiant says. “The compromise of a single retail location often leads to the compromise of the larger PCI environment, making customer-facing employees in these retail environments the low-hanging fruit sought by attackers.”

Editor’s note: An earlier version of this story stated that all 167 Applebee’s operated by RMH Franchise Holdings were affected by the breach, but the correct figure is 166 restaurants, as one location – in Crestwood, Illinois – was not affected.