Phishing/Malware email campaigns have taken to new tactics to try to avoid detection by various malware analysis tools such as Fireeye and their ilk. This latest tactic is to embed different document types inside another one. While the last few weeks it was embedding things inside of word docs. Today we have begun to see evidence of word docs embedded in PDFs.
RSA today released a research report detailing their finds on what they are dubbing Terracotta. It is a series of VPN networks which do carry some significant legitimate VPN traffic to allow users inside of China to subvert the Great Firewall. However, it appears that various APT groups are also utilizing the service. Apparently calls to 1.8800free.info and 2.8800free.info are an indicator that a site has been compromised. However at this date it is difficult to find IP information for the domain or hosts on it.
The RIG crimeware kit received a major upgrade in the last few weeks. Infecting about 27,000 victims a day, the new kit is partially utilizing vulnerabilities in Flash made public with the HackingTeam document exposures.
RIG itself needed to be updated after its source code was released by a disgruntled reseller of of toolkit. The new kit is targeting 3 vulnerabilities. CVE-2015-5122 for Adobe Flash, CVE-2014-6332 for Windows OLE and CVE-2013-2551 and attack on IE 6 through IE 10.
Hackers used Yahoo’s Ad network to infect an unknown (to the public) number of users over a 7 day period. The attack started July 28th and targeted a number of Yahoo’s heavily trafficked sports, news and finance websites.
The attack was first uncovered by Malwarebytes. Once users visited one of the pages that was sending out the malware banners, the Windows machines were automatically infected. Infected machines were either held for ransom by the attackers or silently directed to other sites which paid the hackers for additional traffic.
It is believed that the attackers were using Flash exploits uncovered with the release of HackingTeam’s data. Once again, if you can live without Flash, you should.
Researchers at TrendLabs have identified new attack vectors for Flash vulnerabilities uncovered by HackingTeam. Instead of targeting users through targeted phishing campaigns that directed them to websites with malicious content. The team has found Flash malware embedded in office documents.
This is a change as more normally Microsoft Office attachments are targeted with macros etc. that target the Office suite of applications, sometimes calling out from them to get additional pieces of malware. In these new instances, the Office documents are just transporting an embedded Flash vulnerability. If the exploit succeeds, it is used to download the actual malware payload.
In the HackingTeam versions of this attack method, they would embed a Flash file which then would download the exploit.
To make detection more difficult, HTTPS is used to encrypt network traffic and at times the malware use is encrypted with a random 4-byte key.
As always it is best to keep your Flash software up to date and either choose “click-to-play” in browsers or disable Flash entirely. These controls only work against attacks that use Flash in the browser. Flash in Microsoft Office is not protected by this. Completely disabling or removing Flash from your system is a better solution. Windows users can also use kill bits to disable Flash from running.