
Anatomy of an attack on Skype users

Massive attacks that install malicious code have a large negative impact on users. They also show the ability of cybercriminals to reuse already known methods of compromising users, which will reappear in subsequent attacks. We already wrote about a massive spam attack on Skype users in May of this year. Users all over the world received messages from their contacts through the Skype and Gtalk instant messaging services. The messages contained malicious links that led the user to install several types of malware, including Win32/Rodpicom.C. Within a few hours, a large number of users were infected by this malware. The attackers repeatedly resorted to such campaigns, used various languages when writing phishing messages to attack users in different countries, and employed special infection methods to complicate detection.



In this post we take a detailed look at each stage of such an attack in order to understand what methods the attackers used to overcome the system's security capabilities. Of course, the various social engineering methods used to deliver malicious code give these attacks additional opportunities to enhance their effect.
Nature of attack

Such attacks have life cycles, which attackers exploit in a particular way. Over the course of the cycle the effectiveness of the attack changes, reaching its maximum at a certain point, i.e., when the highest number of user infections or of clicks on malicious links is recorded. During that period the probability that a user of a given service will receive a phishing message is, of course, higher.

When the number of potential victims begins to exceed a certain threshold within a short period of time, we start to observe peculiar chain reactions of user infection that the attack was not originally designed to produce. We recorded such a situation in May, when, in addition to notifications from the ESET Early Warning System, we received requests for technical support from affected users.

On May 20, we recorded a big surge in spam messages that were distributed via Skype and invited users to view various photos on social networks. The messages contained links shortened with the Google URL Shortener service which, instead of photos, pointed to downloadable malicious code. One of the distributed threats was detected by our products as Win32/Kryptik.BBKB, and Google statistics recorded about 300 thousand clicks on the links through which this malicious code was downloaded. At the same time, 67% of all infections occurred in Latin America.


Fig. Malicious link click statistics showing a spike on May 20th.

After a more detailed analysis of the malicious code, we found that the code we detect is one of the modifications of the Win32/Gapz threat, a detailed analysis of which we published earlier. One of the Gapz modifications is a powerful bootkit with the ability to inject its code into the explorer.exe process and carry out its destructive functions from there. Both of these malicious codes are based on the PowerLoader dropper code.

One of the dropper's features is bypassing various mechanisms used in antivirus software. In addition, it downloads another malicious program that uses its own distribution method through Skype. This malware is detected by ESET as the Win32/Rodpicom.C worm. Rodpicom is often used in conjunction with other malicious programs, as it provides the capability of distribution through instant messaging services.

Malicious link statistics show that only five goo.gl addresses were used, and they were clicked about half a million times over the course of the campaign. Of the total number of clicks, 27% came from Latin American countries: Mexico (27,023), Brazil (37,757), and Colombia (54,524). Russia was also one of the most affected countries, with more than 40,000 clicks. Germany was the global leader, with more than 80,000 clicks during the first wave.


Fig. Statistics on the platforms used by users who clicked malicious links on the first day of the attack on Skype. 85% of users used different versions of Microsoft Windows.

Below is an example of a message that was sent to a user in order to compromise them.


Fig. An example of a spam message sent from a computer infected with Win32/Rodpicom.

Similar messages reached users in different countries on thousands of computers. The five malicious links that the attackers used during the first 24 hours redirected users to download files with the following names:


The shortened links led to the 4shared hosting service, with the exception of one link for which another service was used. Note that such phishing methods are not new, and it is really strange that the attackers managed to achieve such attack efficiency. These statistics allow us to claim that it was one of the largest malicious campaigns on Skype of all time.

In the following days of the attack, that is, after the first wave, the attackers continued to use various variants of spam messages to deliver new variants of malicious programs. At the same time, in those days the number of clicks on the links was not as high as at the beginning.


Fig. The number of URLs (links) used by the attackers on each day of the attack.

Over two weeks, we observed a total of forty-one links that sent users to download malware. Various link shortening services were used to create these links:


Not all of these link shortening services provide information on the number of clicks or on the OS and source (referrers) of the users who clicked. For those services that do provide such information, we counted more than 700 thousand clicks on the links. Below are more detailed statistics on the number of clicks, which allow a more detailed assessment of how the spam campaign developed.


Fig. Malicious link click statistics.

You can see a drop in the number of clicks at the end of the malicious code's propagation wave. Obviously, this is due to the loss of the element of surprise, user awareness of the malicious activity, and warnings from antivirus companies about the attack. The figure below shows the regions of attack activity for different links. It can be seen that Russia is one of the most affected regions, with high activity for all three links.


Fig. Countries with the most clicks on the malicious links.

In many cases, users continue to use their operating system unaware that it has been compromised. On some of these users' systems, we observed more than 30 malware update files in the system directories.

Analysis

After two weeks of tracking the malicious campaign's activity, we had at our disposal a sufficient number of artifacts to analyze the attack itself, as well as the various malicious code families and their modifications that were used in it. In total, more than 130 different malicious files used in this attack were recorded. The two main threat families to which these files belong are modifications of Win32/PowerLoader, which is responsible for the direct infection of the system, and Win32/Rodpicom, which is a worm that can spread itself through instant messaging services.

As we have indicated, Win32/PowerLoader is associated with another threat, Win32/Gapz. The droppers of the latter are based on PowerLoader code. PowerLoader is a bot builder for creating the kind of malware known as downloaders, and this malware creation tool is an example of the modular approach to building and subsequently distributing malicious code. The builder itself has been seen in use by intruders since the beginning of this year and has also been used in modifications of another threat, Win32/Dorkbot. The tool allows attackers to specify up to three URLs with which the bot will interact from the infected computer. Another malicious program will be downloaded from these URLs: in the case of this Skype attack, Win32/Rodpicom.


Fig. Win32/PowerLoader bot configuration file.

It can be seen that this file contains the same C&C URL for receiving instructions from the attackers, as well as other configuration data. After successfully infecting the computer, the bot contacts the C&C every 15 minutes to download other malicious code that allows the attackers to perform various tasks on the user's computer.
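The fixed 15-minute check-in described above is something a defender can hunt for in proxy logs. The following is an added example, not code from the original post or from ESET: the log lines are constructed, and the C&C hostname and the source host names are placeholders.

```python
"""Find host/destination pairs that beacon at a fixed interval (here 15 minutes)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log: "<ISO timestamp> <source host> <destination host>".
# host-a contacts the placeholder C&C roughly every 15 minutes; host-b is benign.
SAMPLE_LOG = """\
2013-05-20T09:00:02 host-a cnc.example.invalid
2013-05-20T09:03:11 host-a cdn.example.net
2013-05-20T09:15:04 host-a cnc.example.invalid
2013-05-20T09:30:01 host-a cnc.example.invalid
2013-05-20T09:44:59 host-a cnc.example.invalid
2013-05-20T10:00:03 host-a cnc.example.invalid
2013-05-20T09:01:00 host-b mail.example.net
2013-05-20T09:40:00 host-b mail.example.net
2013-05-20T10:05:00 host-b mail.example.net
"""


def parse_log(text):
    """Group request timestamps by (source host, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series, period_s=15 * 60, tolerance_s=30, min_hits=4):
    """Return (src, dst, median_gap_s) for pairs whose request spacing
    clusters around period_s.

    A pair is flagged only when it has at least min_hits requests and the
    median gap between consecutive requests lies within tolerance_s of the
    expected period; the median tolerates a few missed or jittered check-ins.
    """
    flagged = []
    for (src, dst), times in series.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps)
        if abs(gap - period_s) <= tolerance_s:
            flagged.append((src, dst, round(gap)))
    return flagged


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: median interval {gap}s")
```

In practice the destination would then be correlated with new executables appearing in the download directory the bot uses, rather than blocked on interval alone.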


Fig. Report sent by the bot to the server.

Malicious files downloaded by the bot are stored in the “C:\ProgramData” directory, and during the bot's active period we detected more than 50 such files.


Fig. Malicious files downloaded by the Win32/PowerLoader bot.

Among the malicious programs that take part in the second stage of system compromise, the following families were detected:


Rodpicom enumerates all the processes in the system looking for a Skype process, and then injects its code into it to send messages to the contact list. The malware does not act on its own; rather, it is used by other threats as a propagation vector. The system settings, i.e. the current user language, are used to select the language in which the messages will be sent. Below are Win32/Rodpicom.C sample hashes and the number of distribution attempts for each in this spam campaign.



The malicious code does not only use Skype to send malicious links. Below is a list of other instant messaging services that the malicious code tries to find on the user's system:


Conclusion

It is obvious that such a massive spam attack was well planned in advance and that the attackers wanted to achieve high rates of user compromise. We recorded that one of its stages began at 9 am European time, which corresponds to the beginning of the working day, when traffic in social networks is quite high.

The attackers' practice of using four different malicious programs in conjunction with phishing messages proved to be very effective. Each component of the malware performed its specified function. PowerLoader was responsible for the initial compromise of the system with protection bypass, communication with the C&C server, and loading the Rodpicom malware for the next step. In turn, Rodpicom was responsible for the subsequent distribution of malicious code through instant messaging services. The two other malicious programs that PowerLoader downloaded onto the user's computer are tools for collecting various user data, including usernames and passwords for various accounts.

Source: https://habr.com/ru/post/203088/
