Security Labs

On September 27, 2016 Forcepoint Security Labs noticed that the Russian boxing site allboxing[.]ru was compromised. The site is injected with code that attempts to silently redirect users to a third party website containing an exploit and a Russian banking trojan. The injected code employs several evasion tactics, and ensures that the redirect only occurs when there is significant user interaction on the website.

The site allboxing[.]ru is a very popular Russian boxing website receiving an estimated 3 million visitors per month.

One of the scripts being used by the website at hxxp://... Read more

Throughout September 2016 we have observed an actor sending malware to Canadian nationals by e-mail. Upon investigation we have determined the malware payload to be DELoader, which downloads a Zeus variant banking trojan upon execution.

The e-mails typically pretend to be from the Canada Revenue Agency (CRA) claiming that the individual has a tax payment outstanding.

The e-mails contain an MSG attachment with an embedded OLE object. This is not a technique we see very often and is challenging for security products to detect due to the complicated MSG format. When the user opens the MSG attachment... Read more

On September 1, 2016 a new trojan downloader became available to purchase on various Russian underground forums. Named "Quant Loader" by its creator, the downloader has already been used to distribute the Locky Zepto crypto-ransomware, and Pony (aka Fareit) malware families.

On September 12, 2016 Forcepoint Security Labs™ noticed an e-mail campaign which was typical of one we mainly see distributing the Locky or Dridex botnet 220 malware families. The e-mails themselves masqueraded as an invoice document like the one below.

The attached ZIP file contained a malicious... Read more

Dridex has drastically reduced in volume throughout 2016. Actors are now appearing to prefer crypto-ransomware such as Locky over the infamous banking trojan. However, Dridex is still being actively developed.  Here is Forcepoint Security Labs we have seen a number of changes and improvements over the last few months.

The initial Dridex executable is known as the Dridex Loader.  It is responsible for checking in to its C&C servers, requesting the "bot" module and a "list" of peers to communicate with. The module contains all of the core Dridex functionality and is known as the "... Read more

MONSOON is the name given to the Forcepoint Security Labs™ investigation into an ongoing espionage campaign that the Special Investigations team have been tracking and analysing since May 2016. We have released our technical analysis in the form of a whitepaper. A download link is provided below.

Monsoon Targets Specific Victims

The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia. It appears to have started in December 2015 and is still ongoing as of July 2016. The malware components used in MONSOON are typically distributed through... Read more

An actor known for distributing the Kovter and Miuref (aka Boaxxe) malware families has been working on a Javascript-based Nemucod ransomware for several months. Recently the actor has begun dropping legitimate command line utilities like 7Zip and PHP onto infected systems to perform the encryption. The malicious use of these benign tools makes this an effective and tricky-to-detect threat. We have dubbed this ransomware "NELocker".

The actor distributes their malware by e-mail. A recent e-mail campaign posed as a confusing courier e-mail.

A ZIP file is attached here, which contains a malicious... Read more

Last week we noticed that Sundown Exploit Kit (EK) was distributing a banking trojan. Upon further investigation we discovered that the banking trojan was a new version of Zeus Panda. This malware has previously been delivered by the Angler, Nuclear and Neutrino EKs.

The Sundown EK landing page obfuscation has undergone several evolutions recently, indicating that the developer is highly active. An example of the landing page from July 25, 2016 was as below.

The exploits used by Sundown are dynamically written onto the page from the base64-encoded content on the landing page.

Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as scripts into compromised websites, resulting in drive-by attacks on browsers. The domains are used as Traffic Direction Systems (TDS) which determine whether or not a target is of interest and should be sent to the malicious site or not.

A TDS is a web based gate that is able to redirect users to various content depending on who they are. A TDS is able to make a decision on where to send a user based on criteria such as their geo-location, browser, operating system, and whether or not... Read more

The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.

Image above taken from the Sprashivai homepage

Sprashivai[.]ru is a popular Russian Q&A and social networking site, receiving an estimated 20 million visitors per month according to SimilarWeb. The Russian word "sprashivai" means "ask" in English.

The site has been compromised by an actor attempting to redirect users to RIG EK via an injected iFrame:

The iFrame... Read more

After the recent outage of the Necurs botnet, the Locky developers have used the break in activity to develop some new features for their ransomware. Locky e-mails came back in full force on 21 June, 2016 and now contain virtual machine (VM) and analysis tool countermeasures.

One of the new tricks involves new encryption of the payload that is downloaded by their Javascript downloaders. This prevents analysis tools from analysing the executable from the network traffic. Once decrypted, Locky now also requires a command line parameter in order to run correctly. This second technique prevents sandbox environments from knowing how to... Read more