Modern Messaging OPSEC: Popular App Gives Scammers a Boost

Thursday, March 2, 2017

Modern messaging apps, many of which offer end-to-end encryption, are used every day by millions of people. These apps come with the expectation of privacy. However, we recently observed an interesting operational security issue involving one such popular messaging app, Telegram. We're posting our observations to alert users of this app to potential privacy concerns.

Changing Scammer Tactics

Relentless calls from telemarketing scammers are a bane of modern life. Whether it's the "can you hear me now" scam, fake charity scams, or fake tech support scams, the pace of attacks on consumers is unrelenting. The problem is particularly bad for cell phone users and businesses.

Despite the Do Not Call registry and other associated telemarketing rules, advances in VoIP mean scammers can launch their attacks from anywhere, and they often spoof phone numbers. Despite these tricks, scammers have a problem -- the rise of phone number reputation sites and mobile applications designed to warn of bad phone numbers. Thanks to these websites and consumer education, the adversary is seeing their "success rate" drop.

While Do Not Call rules help reduce unwanted and scam phone calls, these regulations do not apply to encrypted messaging and calling applications. That's why messaging apps are an enticing option for scammers. It's a new way to potentially reach millions of new victims.

Taking a Look at Telegram

Telegram is a popular mobile messaging application with encryption options for Android and iOS. It uses your contact list to prepopulate contacts inside the application. In addition, when someone in your contact list signs up for Telegram, you receive a notification so you know you can contact them using the app. Convenient, huh?

[Image: Telegram "contact joined" push notifications]

However, the combination of these features made it possible for us to uncover a situation that raises a big privacy flag. Here's the deal: if a scammer signs up for Telegram and already has your phone number in their contact list, Telegram notifies them that you are a Telegram user too. So in addition to connecting you to your friends and contacts, the app also connects scammers directly to you. Likewise, if you have scammers' numbers in your contact list for some reason, you will get push notifications when they join Telegram (like in the image above).

And this didn't happen just once or twice. On multiple occasions, we observed phone numbers associated with telemarketing scammers signed up to use Telegram. To complicate matters, we found no obvious way to prevent people from finding out if you are a Telegram user.


Further, it would not be difficult to create a way to determine if a phone number uses Telegram (or any of the many other, readily available secure mobile messaging/voice applications). There are several uses for this insight by third parties:

  • Intelligence agencies consider the use of such services as a "risk factor" when deciding on surveillance targets,
  • Border control officials could detect the use of such services during border crossing interviews, and conclude that the user has something to hide, and
  • Criminals could use the knowledge that a user is on such a service to target them.

Zeroing in on Scammers

In this case, I already had the number of a suspected scammer added to a mobile application I use to detect such calls. After a quick visit to one of the various caller reputation sites, I verified that this number has a history of calls involving IRS-related scams.


Trust, but Verify

Encrypted messaging and voice applications create a new attack surface and should not be entirely trusted. While these apps may be a great benefit to privacy, they shouldn't be trusted any more than unencrypted calls. These systems do protect against spoofing, but if you are contacted by unknown callers on such applications, due caution is still required.

Scammers are eager to use other lures to reel in their targets. Just as privacy-conscious individuals may use burner phones and change phone numbers often, modern communications provide an array of methods to make it possible to send a message to a potential victim. For example, it doesn't take much work to pretend to be a trusted contact and tell the victim that "this is a new phone" to exploit an existing relationship.

Avoid Being a Victim: Tips for Messaging App Users

  • Remember that while secure messaging services are great for privacy, default settings (which can't always be changed) will often expose you as a user of such services.
  • Telemarketing scammers can use new messaging apps to evade regulations and use “trusted” channels to contact potential victims. Use out-of-band verification methods, such as a phone call, before interacting with new contacts to avoid impersonation attacks.
  • Understand that using encrypted apps may cause third parties to believe you are -- at the very least -- privacy conscious, or may suggest you have something to hide.
  • Some messaging apps, like Signal, are entirely dependent on capturing your address book. Others, like WhatsApp, make this optional but one can assume that most users enable this feature.
  • Know that your messaging app could be vacuuming up your address book into their cloud service, where user matches are made – which means they could have a comprehensive social graph, possibly even for numbers that aren't their users.

 -- By John Bambenek, Threat Systems Manager, Fidelis Cybersecurity

The Anatomy of Good Deception

Tuesday, October 25, 2016

Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for.

There are three elements of deception. To see these elements in action, we need look no further than a few notable cases -- including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election.

Let’s take a look at the three elements of effective deception.

1. Plan and Prepare

The key is to create a storyline that’s mostly true – and that requires research. Research makes it possible to understand both the target of the deception and its target audience. Before fabricating communication between two parties (perhaps with the intent to leak information), your research must indicate they are likely in contact in the first place. All of the other elements of style must match too, or the deception will be revealed. 

As an example, I use Domain Generation Algorithm-based malware to track command-and-control servers. Attackers know this kind of surveillance is done, so some of them try to camouflage their C2s to look like sinkholes and security researchers' infrastructure. They research what headers or fingerprints are used, what malware families researchers are interested in, and other data so they can craft an operational plan to make their C2 look like it belongs to a security researcher.

2. Craft a Narrative That Is Credible -- but False

You need a carefully crafted narrative that’s believable. A plausible narrative will play into the biases of your target audience. It also involves finding an environment where deception can thrive. For example, rumors about politicians are so effective because people are already predisposed to think poorly of politicians.

Most deception can be detected easily when there is readily available information to verify its authenticity. For example, the Syrian Electronic Army once hacked the Associated Press Twitter account and planted a false story about an explosion at the White House. Hilarity did not ensue. This graph of the Dow Jones index (from The Washington Post) shows the immediate impact of this one tweet.

[Figure: Dow Jones index graph, The Washington Post]

The markets saw a precipitous drop for 5-10 minutes. Trading returned to normal almost immediately once the hoax quickly came to light. After all, the “explosion” could immediately and easily be deemed a hoax with no lasting impact.

3. Deceive in Moderation

Use deception only when it counts. Dump lots of false narratives and the source will eventually (and quickly) lose credibility. Once we spot a pathological liar, we never trust anything from them again – even when it’s true. For example, if the Podesta emails that mention extraterrestrial intelligence were obviously false, the entire document dump would be discarded.

These three elements can be helpful in figuring out what will happen in the wake of the alleged state-sponsored document dumps. Assuming the leaks are from Russians and this is, in fact, a propaganda operation, the adversary knows how to deceive and does it well. They've done the research, and they'll choose a narrative that is mostly true and hard to disprove. Then they'll lie only when it really counts, and the deception will be contained in a dump of mostly real information.

So what would the ramifications be? Time will tell, but if the actors are potentially trying to affect the outcome of the election, they’ll know the retaliation for the attack could be severe if the target, Secretary Clinton, becomes president.

-- John Bambenek, Manager, Threat Systems

Chasing Down RATs with Barncat

Tuesday, July 19, 2016

Threat actors provide valuable clues when they compromise a new environment. But a single clue, such as a malware sample, seldom sheds the necessary light on an attack. Sniffing out the tools and tactics of attackers requires that you (or someone you know) has seen them before. Historical attack data can serve as a valuable resource for analysts by helping to identify and contextualize the adversary and rank the risk of an attack.

Today, we are excited to make a new (and we think pretty interesting) database available to the security community at no cost. The Fidelis Barncat™ Intelligence Database (or just Barncat for short) includes more than 100,000 records with remote access tool (RAT) configuration settings that we have extracted from malware samples gathered during our incident response investigations and other intelligence gathering operations over the past decade. As many of you know, while file hashes are easy to change, attackers are much less likely to change the configuration settings in the remote access tools (RATs) they use to create their malware. By creating IOCs that find malware with unique configuration settings, security teams can identify attackers with more accuracy and attribute multiple attacks to a common threat actor.

Consider Dark Comet, a commodity RAT. It's commonly used by novice threat actors and would-be internet stalkers. It's also being used in high-profile attacks by attackers with more sophisticated motives. To deceive defenders, sophisticated attackers may use commodity RATs in an attempt to appear unskilled or less threatening. Barncat enables analysts to review a current sample, compare its configuration to previous samples, and correlate specific uses of malware families and activities to a specific threat actor.

To illustrate, let’s look at a JSocket sample observed last year with a “NICKNAME” configuration setting of “August24rd Bombing”. The NICKNAME setting seems nefarious and a quick trip to Wikipedia shows August 24 as the anniversary of the bombing of two civilian airliners at Moscow’s Domodedovo Airport. Terrorists have an affinity for these anniversaries. In fact, many JSocket incidents were traced back to RATs used by terrorist actors and groups.

Given these indicators, it’s easy to jump to conclusions. Even seasoned security experts could succumb to the temptation to quickly label this malware campaign as terrorist-related and spin up their hype machine. But be careful not to jump too quickly.

The Barncat database lets you dig deeper to come to a more informed conclusion. For example, searching for any JSocket sample with “Bomb” in the NICKNAME yields several other similar values (September 3rd, 30th September, etc.). In all of these cases, the C2 points to nikresut015js.zapto.org which (at the time) resolved to a U.S. IP address. This common data point suggests a common attacker among all the configurations.

The NICKNAME field in the JSocket builder is a free-form text field. The use of "bombing" is simply nomenclature used by this adversary to describe discrete builds he sends into the world. In this case, the attacker removes the month and date and types over the setting for each new version, as indicated by the leftover "rd" in the NICKNAME value "August24rd Bombing". The previous setting appears to have been "August3rd Bombing."

In this case, the historical data shows the threat actor is not as malevolent as it seemed at first glance. The data could also result in the opposite conclusion, linking seemingly simple attacks to sophisticated attackers or terrorists.

The intelligence we are sharing via Barncat is available to the security community via one of our Malware Information Sharing Platform (MISP) instances. With the API, the data can be loaded into an internal Splunk instance, CIF or any number of tools to cross-check various aspects of a currently observed attack and see if previous malware samples can be linked. 

We are making the Barncat database available at no cost to the security community. It's intended to be used by CERTs, research organizations, government entities, ISPs and other large commercial enterprises. To ensure proper use of this resource, organizations requesting access to the database must provide some information about their organization and how they plan to use the Barncat intelligence database. You can learn more and apply for access on the Fidelis website. As more people draw new insights from this data, we look forward to sharing and discussing them here on ThreatGeek.

-- Threat Systems Manager John Bambenek

Strengthen Your Defenses against DDoS Cyber Extortion

Tuesday, January 19, 2016

This month, a multi-national law enforcement team led by Europol arrested a key player believed to be behind the 2015 distributed denial of service (DDoS) extortion attacks by the criminal gang DD4BC (short for Distributed Denial of Service for Bitcoin). The gang formed in 2014 by targeting online gambling interests, and more recently expanded operations to another lucrative target -- financial institutions.

The attack unfolded as DD4BC homed in on their target and triggered a DDoS attack in the 25-35 Gbps range. Victims received a "ransom note" demanding 30 to 40 bitcoins (about $13,000 to $17,000) as insurance against a second, stronger attack, as detailed in this threat intelligence report.

While the arrest of the threat actors behind DD4BC is good news, DDoS extortion attacks will continue as long as targeted organizations pay the ransom fees. However, previous extortion attempts show few reasons to pay up: a larger secondary attack rarely occurs, and paying an attacker can in fact lead to additional attacks. In 2015, Switzerland-based ProtonMail paid a ransom as part of a DDoS extortion attack and went public with its actions. The result? Other DDoS attackers zeroed in and demanded payoffs.

Fortunately, most organizations can defend themselves against DDoS attacks using the following guidelines. First, institute strong external network-facing access control lists (ACLs) to keep all out-of-profile traffic off servers. For example, on a web server, only allow TCP port 80 and/or 443. Block out all other traffic, and aggressively time-out “half-open” network traffic designed to fill up connection tables. High-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks.

Most importantly, set up robust monitoring to identify these types of attacks and patterns during the early stages of an attack. The upstream ISP should be notified to place mitigations on their connected devices to protect networks. DDoS commercial products are an option, but organizations can take several proactive steps to help minimize the impact of these attacks.

While the exact numbers of victims targeted by DD4BC are unknown, best estimates place the numbers in the thousands. Collecting and sharing information with law enforcement is crucial. Unfortunately, many organizations fail to report extortion attacks. To assist law enforcement, organizations should provide several key pieces of information to law enforcement and/or their security vendors. An e-mail threatening DDoS should be preserved with full headers, timestamps of the attack with the victim’s IP, size of attack, and a profile of the type of DDoS attack (with packet captures if possible). Collection should not be limited to these items -- basically any data that can be shared can be helpful in tracking these attacks to their originator and bringing cyber criminals to justice.

-- John Bambenek

Modern-Day Mob Rules: Should Victims of Cybercrime Pay Ransom to Get their Files Back?

Tuesday, November 17, 2015

Earlier this month, the media covered an FBI presentation on ransomware. What was noteworthy was that the FBI warned that because ransomware encryption is so good, the easiest thing for victims to do may be to pay the ransom to recover their files. Such advice has spurred a debate in the security community about whether it is appropriate to suggest that cybercrime victims pay ransom.

Since the first appearance of CryptoLocker, new variants of extortion-based attacks have been on the rise. Beyond malware, groups such as DD4BC and Armada Collective are using DDoS attacks as an extortion tool, threatening to knock the victim's website offline unless a ransom is paid. The hacking of source code repositories and cloud services has also provided a means for extortion, as evidenced by the case of Code Spaces last year.

Ransomware, when done right, encrypts files so they cannot be recovered without payment. It is important to note that some ransomware is so poorly coded that victims cannot retrieve their data even if they pay. Such is the case with the recent Power Worm ransomware.

Until recently, many forms of ransomware had weaknesses that allowed for the recovery of encrypted files. In the CryptoLocker case, the private keys were eventually recovered and a free service was developed to allow victims to recover their files. With the proliferation of ransomware variants, efforts to obtain the private keys have unfortunately been unsuccessful. CryptoWall version 4 and the newly observed Linux ransomware, for example, have been making the rounds and, lacking backup files, there is no easy way to recover the encrypted files.

This leaves victims with two choices: pay the ransom to get their files back, or lose their files -- potentially forever.

On one hand, there are those who advise not to pay the ransom because the money funds criminals and perpetuates their activities. On the other hand, because the value of the information is usually much more than the ransom, it can be argued that paying makes good “economic” sense.

An analogy often used to describe ransomware is the use of mob rules. In old-fashioned mob movies, two guys walk into a grocery store saying “Hey, nice store. Would be a shame if something were to happen.” The reason the mob “insurance” scams worked is because the value of the protection was higher than the cost of the insurance -- and the mob delivered on their promises. In the case of ransomware, the value of the data is higher than the ransom and operators go through great effort to ensure users get their data back. Occasionally there are errors, but in general, people get their data back.

In an ideal world, consumers and organizations would be prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration. Ensuring backups of critical or valuable information has been a best practice for decades. Because reality rarely matches the ideal, here are some key takeaways when dealing with ransomware:

  • Avoid announcing decisions to pay the ransom, as it may induce other cybercriminals to launch similar attacks. Such was the case when ProtonMail came under attack and announced publicly that they paid the ransom. This led to follow-on attacks, likely by other individuals.
  • Report the ransom payment details to the FBI’s Internet Crime Complaint Center (IC3) or other law enforcement or security industry contacts. The payment details allow investigators to track the payments to identify the individual behind the ransomware campaigns.
  • If you don’t want to report a ransomware attack to law enforcement, consider sending details of ransom payments to bambenek (at) gmail (dot) com so that data can be used to try to identify the criminals behind these campaigns and bring them to prosecution.

Hopefully, the continuing stream of stories about new victims will encourage people to adopt effective backups. The reality is, independent of the debate in the security community, people simply are going to pay the ransom because the economics are soundly in favor of doing so. To use a domestic analogy, if my wedding pictures were only in electronic form and they were encrypted with ransomware, I’d pay the ransom to get those files back – after all, my couch is not that comfortable for a good night’s sleep.

A brief video overview of the ransomware threat is available at Malware: The New Scourge of Ransomware A Study of CryptoLocker and Its Friends. Presentation slides are available here.

- John Bambenek

Password Hygiene: Hiding Your Identity is Difficult for Attackers and Adulterers

Friday, September 18, 2015

Let's say you're an individual who wants to start engaging in naughty behavior online but the Ashley Madison dump has made you skittish. Engaging in bad behavior (and for that matter crime) is pretty easy in the grand scheme of things. Getting away with that behavior is actually pretty hard. To get away with it you have to get everything correct in a way that can't be mapped back to you, and even seasoned cybercriminals get this wrong from time to time.

The key is making sure no attributes of what you are doing can be mapped to your actual persona. Josh Duggar was caught using Ashley Madison (as were others) because they used their real names and addresses. This is not a difficult problem to get around if you use gift cards to purchase subscriptions as many people did. It also creates the possibility of using another name altogether.

Additionally, you’d want a separate email that you’d ideally never access with your known and core devices. This is the operational security principle known as compartmentalization. One can see how it gets inconvenient really quickly and failures here have led to investigators catching even experienced online criminals.

However, there are other interesting ways to correlate individuals to their actual personas. Recently 11 million passwords have been decrypted in the Ashley Madison database dump. Usual password advice is to create long and strong passwords. The problem with this is that unless you have an uncanny memory or are using a password manager (which would be a problem for those engaging in bad behavior) the tendency is towards password reuse even of complex passwords.

Assuming you had access to multiple password dumps, one could start correlating complex passwords between them to start mapping identities together. This was one of the points made by the UK Government in making its case against overuse of complex passwords. While it may be interpreted as self-serving, people with many complex passwords either reuse them across domains or have a password manager that can be compromised, neither of which is ideal.

Now this blog isn't really about how to cheat on your spouse safely, but about a useful technique that can also be used to correlate and hopefully attribute malware campaigns.

Many malware campaigns use the same tools which all have built in configuration items that are either randomized or are free-form text fields created by the actor. Many of these fields can be used to correlate malware binaries to a specific likely actor. For example, one could use the password entered in malware to authenticate it to its controller.

Looking in our database of indicators, we found one such password of “@client$321$” which mapped to 7 different binaries all using PoisonIvy. In each case, the hostnames were mostly distinct between samples as were other fields such as “campaign ID”.

What was unique between all these binaries was a password from a free-form text field that is unlikely to have been used by another actor. This allows the researcher to map between all 10 hostnames used by 7 samples to correlate other activity and map backwards.

This is the reason why bulk analysis and storage of a broad set of indicators is useful. Human beings, including criminals, are prone to reuse information from time to time, especially when it comes to security, and that reuse allows for correlation.

That being said, keep using strong passwords; just make them unique to avoid such correlation.
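The pivot described in this post (and the "Bomb" NICKNAME search in the Barncat post above) is a small grouping problem over extracted RAT configurations. The following is an added example, not Fidelis or Barncat code. Its sample store is constructed from values quoted on this page (the PoisonIvy password, MD5s, hostnames and campaign IDs listed below, and the JSocket NICKNAME values and nikresut015js.zapto.org C2); which hostnames belong to which MD5 and the JSocket MD5s are assumptions, and a few filler samples are added so the pivot has something to exclude.

```python
"""Pivot extracted RAT configurations on a free-form field.

Added example, not Fidelis/Barncat code. Records are constructed from
values quoted in the ThreatGeek posts; hostname-to-sample assignment,
JSocket MD5s and filler samples are assumptions.
"""
from collections import defaultdict

# Constructed sample store: one dict per extracted configuration.
SAMPLES = [
    {"md5": "089fe27df0be49a5eaa5d233561105f8", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["connektme.hopto.org", "connektme.no-ip.org"], "campaign": "Connektme~8.1.5353.17671 - WIN_7"},
    {"md5": "19b1c577c41c8d4ac540d166b34a6eac", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["connektme.hopto.org"], "campaign": "Connektme~8.1.5353.17671 - WIN_XP"},
    {"md5": "21f3369333d26192e5f1a4578eac934f", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["drwebstatic.hopto.org", "drwebstatic.myvnc.com"], "campaign": "MetaTrader_test"},
    {"md5": "7ee53765e423d7c965e8b09c24bd931b", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["easyconnect.no-ip.org", "easyconnect.zapto.org"], "campaign": "Easyconnect~8.1.5353.17671_2 - WIN_7"},
    {"md5": "b9c8eb67e91bd53271127821a3b6e1a2", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["gserverhost.myftp.org", "gserverhost.no-ip.biz"], "campaign": "Gserverhost~8.1.5353.17671 - WIN_XP"},
    {"md5": "c4ded03b6e79ed948a570961907d4beb", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["hellointra.myftp.org", "hellointra.no-ip.org"], "campaign": "Hellointra~8.1.5353.17671 - WIN_7"},
    {"md5": "df25df77402ba4f5db5fd48234611a3e", "family": "PoisonIvy", "password": "@client$321$",
     "c2": ["hellointra.no-ip.org"], "campaign": "Hellointra~8.1.5353.17671 - WIN_7"},
    # Filler: two unrelated builds left on the builder default password (assumed default).
    {"md5": "constructed-pi-filler-1", "family": "PoisonIvy", "password": "admin", "c2": ["filler-a.invalid"]},
    {"md5": "constructed-pi-filler-2", "family": "PoisonIvy", "password": "admin", "c2": ["filler-b.invalid"]},
    # JSocket builds from the Barncat post; MD5s are placeholders, NICKNAME wording partly reconstructed.
    {"md5": "constructed-js-1", "family": "JSocket", "nickname": "August24rd Bombing", "c2": ["nikresut015js.zapto.org"]},
    {"md5": "constructed-js-2", "family": "JSocket", "nickname": "September 3rd Bombing", "c2": ["nikresut015js.zapto.org"]},
    {"md5": "constructed-js-3", "family": "JSocket", "nickname": "30th September Bombing",
     "c2": ["nikresut015js.zapto.org", "filler-c.invalid"]},
    {"md5": "constructed-js-4", "family": "JSocket", "nickname": "Invoice", "c2": ["filler-d.invalid"]},
]

# Builder defaults and other values so common that sharing them proves nothing.
# "admin" is the PoisonIvy default; treat the set as an assumption to tune per family.
LOW_VALUE = {"admin", "password", "test", ""}


def pivot(samples, field):
    """Group sample MD5s by the value of one configuration field."""
    groups = defaultdict(list)
    for s in samples:
        if s.get(field) is not None:
            groups[s[field]].append(s["md5"])
    return dict(groups)


def strong_clusters(samples, field, min_size=2):
    """Pivot groups worth a second look: shared by at least min_size samples and
    not a builder default. A free-form value only links samples when an operator
    is unlikely to have typed it independently."""
    return {v: m for v, m in pivot(samples, field).items()
            if len(m) >= min_size and v not in LOW_VALUE}


def related_hosts(samples, field, value):
    """Every C2 hostname used by samples sharing field == value: the step that
    maps backwards from 7 PoisonIvy samples to 10 hostnames."""
    return sorted({h for s in samples if s.get(field) == value for h in s["c2"]})


def search(samples, field, needle):
    """Case-insensitive substring search over a free-form field
    (the 'any JSocket sample with Bomb in the NICKNAME' query)."""
    needle = needle.lower()
    return [s for s in samples if needle in str(s.get(field, "")).lower()]


def common_c2(samples):
    """Hostnames contacted by every sample in the list. One C2 shared across
    differently named builds is the data point tying them to one operator."""
    if not samples:
        return set()
    shared = set(samples[0]["c2"])
    for s in samples[1:]:
        shared &= set(s["c2"])
    return shared


if __name__ == "__main__":
    for pw, md5s in strong_clusters(SAMPLES, "password").items():
        print(f"password {pw!r}: {len(md5s)} samples, hosts {related_hosts(SAMPLES, 'password', pw)}")
    bombs = search(SAMPLES, "nickname", "bomb")
    print(f"{len(bombs)} JSocket builds match 'bomb'; shared C2: {common_c2(bombs)}")
```

The LOW_VALUE filter is the caveat that matters in practice: the "admin" builds share a value too, but a builder default says nothing about who built them, while "@client$321$" is exactly the kind of string nobody types twice by accident.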

The details are below; all the domains have either been blown away or are currently being sinkholed as of September 15, 2015.

Password:
@client$321$

MD5s:
089fe27df0be49a5eaa5d233561105f8
19b1c577c41c8d4ac540d166b34a6eac
21f3369333d26192e5f1a4578eac934f
7ee53765e423d7c965e8b09c24bd931b
b9c8eb67e91bd53271127821a3b6e1a2
c4ded03b6e79ed948a570961907d4beb
df25df77402ba4f5db5fd48234611a3e

Domains:
connektme.hopto.org
connektme.no-ip.org
drwebstatic.hopto.org
drwebstatic.myvnc.com
easyconnect.no-ip.org
easyconnect.zapto.org
gserverhost.myftp.org
gserverhost.no-ip.biz
hellointra.myftp.org
hellointra.no-ip.org

Campaign IDs:
Connektme~8.1.5353.17671 - WIN_7
Connektme~8.1.5353.17671 - WIN_XP
Easyconnect~8.1.5353.17671_2 - WIN_7
Gserverhost~8.1.5353.17671 - WIN_XP
Hellointra~8.1.5353.17671 - WIN_7
MetaTrader_test

-John Bambenek

Good Malware Never Dies: AlienSpy Reborn as JSocket

Friday, August 21, 2015

News of the murder of Argentinian prosecutor Alberto Nisman, linked to a unique version of AlienSpy, takes another turn. Last week we began tracking organizations in the U.S., UK and Germany that were infected by Java-based remote access tools (RATs). These organizations were in the critical infrastructure, financial services, technology and consulting verticals. We noticed some important differences from an older version of AlienSpy, which we had seen months ago.

Early this year, we wrote extensively on AlienSpy in Fidelis Threat Advisory #1015 and a follow-up blog post about the Alienspy.net domain being taken down and crippling the existing builders. Since then, AlienSpy has re-emerged with new encryption and is operating under a new domain at jsocket[dot]org.

AlienSpy (and now JSocket) is a commercial subscription-based RAT written in Java that attackers use to compromise all flavors of PCs and Android phones. The builder “phones home” to verify a valid subscription exists based on the hardware ID of the machine the builder resides on before any functionality is available. Accordingly, the builder cannot run on virtualized hardware.

This malware has been implicated in several high-profile events such as the murder of Argentinian prosecutor Alberto Nisman. You can see some of our research has been referenced on motherboard.vice.com and firstlook.org reports.

As a brief timeline, the AlienSpy domain was suspended on April 10, 2015 by GoDaddy. On April 19, 2015, jsocket[dot]org was registered at eNom, and its operators first started blogging there on June 23, 2015. As of July 11, 2015, the AlienSpy client "officially" closed, with everyone required to point to jsocket, which currently resides at 37.61.237.251 at LayerIP in the UK.

In the meantime, reseller rekings[dot]com was also selling versions of AlienSpy that did not talk to AlienSpy[dot]net to verify subscription information. Those versions talked to carity[dot]x10host[dot]com for subscription information, likely an interim solution by the operators of AlienSpy. This hostname currently resides at 198.91.81.2 in the X10Hosting network in the US.

Campaigns have recently been observed beginning August 13th, 2015 that utilize this new malware as part of phishing emails such as the one below:

Dear All,

We have placed you an order No.51203319 Dated 28/05/15 Delivery date is 30/08/15 please maintain your delivery adherence.

and find attach for some changes made in article 5 & 6 for your kind perusal

Thanking you!

Trinity Engineering Services L.L.C.
P.O. Box: 8807, Dubai, U.A.E.
Tel: +971 4 3466644, Fax: +971 4 3466655
Mobile: +971 52 9940344
Website: www.zaibchem.com

Two variants of this malware with hashes d44b930e4060e2f021de888e0fa2df8a and ae4b7f41c120cb8a14cff629b4b0308d use similar lures, fake invoices or court documents and beacon to C2 at giftedman[dot]serveblog[dot]net with IP 197.251.168.227 which appears to be a residential ADSL line in Ghana near Accra.

Interestingly, this malware will also attempt to install a Java client on machines if it is not already present.

In all cases, you can detect this type of threat by watching for .jar file attachments to email, .zip and other archive files that contain a .jar file, and .jar files whose names carry a second extension borrowed from a popular document type (such as .pdf.jar).
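The three checks just listed are easy to apply at a mail gateway or in a triage script. The following is an added example, not Fidelis detection code: it classifies attachment names, opens zip containers to look for embedded .jar members, and also sniffs the bytes so that a Java archive renamed to .pdf is caught even when the name is clean. The filenames come from the indicator summary below; the attachment contents are constructed in memory (a zip holding only a manifest, no code) and are harmless.

```python
"""Flag e-mail attachments that carry or hide Java archives.

Added example, not Fidelis code. Filenames are taken from the post's indicator
list; the attachment bytes are constructed, benign stand-ins.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions users read as documents; a .jar hiding behind one is the lure pattern.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def classify_name(name):
    """Return a finding for the filename alone, or None if the name is unremarkable."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] != ".jar":
        return None
    for doc_ext in suffixes[:-1]:
        if doc_ext in DOC_EXTS:
            return f"jar masquerading as {doc_ext}"
    return "jar attachment"


def zip_members(data):
    """Member names of a zip/jar given its bytes; [] if the bytes are not a valid archive."""
    if data[:2] != b"PK":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_attachment(name, data):
    """All findings for one attachment, combining the name check with content checks."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append(reason)
    members = zip_members(data)
    # A zip carrying a JAR manifest is a Java archive whatever the name claims.
    if "META-INF/MANIFEST.MF" in members and not name.lower().endswith(".jar"):
        findings.append(f"content is a Java archive but name says {name}")
    # Archives (.zip and friends) wrapping a .jar.
    for m in members:
        if m.lower().endswith(".jar"):
            findings.append(f"archive contains jar: {m}")
    return findings


def scan(attachments):
    """Map attachment name -> findings for a list of (name, bytes) pairs."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


# --- constructed, benign stand-ins for the real samples ---

def make_jar():
    """Minimal Java archive: a zip containing only a manifest, no code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def make_zip_with_jar(inner_name):
    """Zip wrapper around the minimal jar, the way a lure archive would be packaged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, make_jar())
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [
    ("PO#51203319.pdf.jar", make_jar()),                        # filename from the post
    ("Court.Doc.jar", make_jar()),                              # filename from the post
    ("PO#-5014103.jar", make_jar()),                            # filename from the post
    ("order.zip", make_zip_with_jar("XLB948507BH7.pdf.jar")),  # wrapped filename from the post
    ("invoice.pdf", make_jar()),                                # jar renamed to look like a PDF
    ("statement.pdf", b"%PDF-1.4 constructed harmless stub\n"),  # a real-looking PDF, clean
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {findings or 'clean'}")
```

The content check is what makes the rule hold up against the next lure: once defenders block `*.jar` by name, the obvious counter is to rename the file, and a manifest-bearing zip with a `.pdf` name is still a Java archive.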

We anticipate that JSocket will continue to grow in use due to its platform independence and versatility. Its use against high-profile targets has shown that it is entering the toolboxes of sophisticated attackers.

The JSocket family of malware is currently monitored with our active intelligence and surveillance program. As we continue our research, we will report on its use against enterprises and investigate the actors behind this malware. We expect to publish an additional Fidelis Threat Advisory in the near future.

Summary of Indicators:

Hashes:
d44b930e4060e2f021de888e0fa2df8a
ae4b7f41c120cb8a14cff629b4b0308d
83f3b4b77ca81e9b216e53bdb0ae3f60

C2:
Giftedman.serveblog.net / 197.251.168.227 on port 1818

Filenames:
PO#51203319.pdf.jar
TT Reference Number-#150807000000.pdf.jar
Court.Doc.jar
PO#-5014103.jar
698790_Court.Doc.jar
XLB948507BH7.pdf.jar

Subscription server (only builders talk to this IP):
JSocket.org / 37.61.237.251

Prior Subscription server:
Carity.x10host.com / 198.91.81.2

Other malware settings:
"PLUGIN_FOLDER":"IO9l2pcvyii",
"JRE_FOLDER":"2IfTOp",
"JAR_FOLDER":"s0yoncFKXCL",
"JAR_EXTENSION":"Vyg8Py",
"JAR_NAME":"c0ieAmSYn4W",
"JAR_REGISTRY":"0NLph8Mx4cR"

John Bambenek and Hardik Modi