Thursday, April 30, 2015

Confidential information exposed over 300 times in ICANN security snafu

But it’s your fault for looking, cries inept internet overlord

Two months after claiming there was “no indication” that confidential information was exposed in a security cock-up, domain name overseer ICANN has admitted it happened on at least 330 occasions.…

The Register – Security
Secure Hunter Anti-Malware

The post Confidential information exposed over 300 times in ICANN security snafu Secure Hunter appeared first on Secure Hunter Anti-Malware.



http://ift.tt/1EUTEcq
Secure Hunter

UK rail comms are safer than mobes – for now – say infosec bods

Industry told to harden systems to prevent future train smash carnage

Analysis: Last week’s warning that Britain’s railway systems could be susceptible to hacking has triggered a debate among security experts.…

The Register – Security

http://ift.tt/1JDbKRp

Wednesday, April 29, 2015

Google polishes Chrome security with Password Alert

Hang out the ‘Gone Phishing’ sign and relax

Google’s seen way too much phishing, it seems, so the Chocolate Factory has pushed out a Chrome extension to catch attacks against accounts on Google domains.…

The Register – Security

http://ift.tt/1FyWhiV

New EU security strategy: Sod cyber terrorism, BAN ENCRYPTION

Guff-laden policy also includes more private data hoovering

“It is unacceptable that a Kalashnikov can be bought easily on the internet,”* thundered European Commission number two Frans Timmermans yesterday, as he presented the Commission’s plans to combat terrorism. So what’s he going to do about it? That’s right, hold a consultation.…

The Register – Security

http://ift.tt/1bD8K98

Tuesday, April 28, 2015

DDoSsers use reflection amplification to crank up the volume to 100Gbps+

Ne’er-do-wells: ‘Hey.’ Dumb servers: ‘WHAT?’ Targets: ‘AAARGH’

DDoS attacks have grown in volume yet again with 25 attacks larger than 100Gbps globally in Q1 2015, according to the latest stats from DDoS mitigation firm Arbor Networks.…

The Register – Security

http://ift.tt/1zbjBlw

SendGrid infosec chief eats humble pie, admits email service hacked

‘Account takeover was an isolated incident’, insists firm

Marketing email distribution service SendGrid is asking customers to switch passwords after admitting it got hacked.…

The Register – Security

http://ift.tt/1DwPf8l

Monday, April 27, 2015

Comments considered harmful: WordPress web hijack bug revealed

Patch NOW after researcher drops zero-day on popular blog software

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts.…

The Register – Security

http://ift.tt/1ELcjYj

MASSIVE FAIL: Indian gov DOXXES net neutrality campaigners

Someone else then comes along and DoSes them

The Telecom Regulatory Authority of India has dumped more than a million Indian netizens’ traceable personal details online, after it decided to publish, in full, the emails it received as part of its consultation paper about net neutrality.…

The Register – Security

http://ift.tt/1IfjCXL

Bioazih RAT: How clean-file metadata can help keep you safe

As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts.

Using the authoritative metadata manifest of Microsoft-released files found in our clean-file metadata feed can help reduce the antimalware resources spent on flagging bad files, because files already known to be good can be excluded up front. It can also help our partners and customers quickly categorize fake Microsoft files – files that malware creators can use to hide their malicious code.

One threat that we have seen using Microsoft file names is Win32/Bioazih, a family of remote access tools (RATs).

Bioazih is a backdoor mutation that can be used for targeted attacks. It was named after a string in its code:

Figure 1: Bioazih string found in malware code

We have seen Bioazih used in targeted attacks in conjunction with other RAT families in an attempt to prevent detection.

The Bioazih threat

Bioazih is not a new threat. We first detected it in 2010 and continue to see variants in the wild, albeit in small numbers. However, its code is frequently updated to avoid detection by antivirus products, which increases the risk of infection during targeted attacks.

Bioazih is usually installed by a malware dropper or document exploit – typically attached to spear-phishing emails. Once a user opens the attachment, a decoy file is displayed while the malware runs in the background. Figures 2 and 3 show Japanese and Russian decoy files that can be dropped at the same time as the Bioazih malware:

Figure 2: A Japanese language XLS bait file. The title roughly translates to: “Hiroshima Domain Shelter Table”

Figure 3: A Russian language DOC bait file. The title roughly translates to: “TELEPHONE DIRECTORY Primary trade union organization GROUPS OJSC, Magnitogorsk Iron and Steel Works, Mining and Metallurgical Union RUSSIA”

A second-stage executable dropper is then run, installing any of the following EXE or DLL components (depending on the variant), which contain the payload:

  • %ProgramFiles%\Startup\csrss.exe
  • <system folder>\dmdskngr.dll
  • <system folder>\dmserver.dll
  • <system folder>\dssemh.dll
  • %SystemRoot%\tasks\conime.exe
  • %SystemRoot%\tasks\ctfmon.exe
  • <system folder>\tdmserver.dll

As seen above, several of the file names used by this malware are deceptively similar to Microsoft files. The malware does this in an attempt to avoid discovery and to make detection and removal more difficult. This is a common malware technique and one we hope to address in our Microsoft Clean-File Metadata Initiative.
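The check below is an added example, not code from the MMPC post or from the clean-file metadata feed: it shows how an authoritative name-plus-hash manifest turns the lookalike problem above into a mechanical triage, using the Bioazih drop paths from the list as constructed input. The manifest entries, directory placeholders and hashes are all assumed stand-ins.

```python
"""Flagging Microsoft-lookalike file names against a clean-file manifest.

Constructed example: the manifest, hashes and observed-file list below are
stand-ins, not data from the Microsoft clean-file metadata feed.
"""
import ntpath

# Constructed stand-in for an authoritative clean-file manifest.  Each entry
# maps a released Microsoft binary name to the directories it ships in and the
# SHA-256 of the released file.  The hashes are placeholders, not real values.
CLEAN_MANIFEST = {
    "csrss.exe":  {"dirs": (r"c:\windows\system32",), "sha256": "aa" * 32},
    "conime.exe": {"dirs": (r"c:\windows\system32",), "sha256": "bb" * 32},
    "ctfmon.exe": {"dirs": (r"c:\windows\system32", r"c:\windows\syswow64"),
                   "sha256": "cc" * 32},
}

# Constructed expansions for the path placeholders used in the write-up.
PLACEHOLDERS = {
    "%programfiles%": r"c:\program files",
    "%systemroot%": r"c:\windows",
    "<system folder>": r"c:\windows\system32",
}


def normalize(path: str) -> str:
    """Lower-case a Windows path, expand the placeholders and normalise separators."""
    p = path.lower()
    for var, value in PLACEHOLDERS.items():
        p = p.replace(var, value)
    return ntpath.normpath(p)


def classify(path: str, sha256: str) -> str:
    """Return one of 'clean', 'masquerade', 'tampered' or 'unknown'.

    A manifest hit on the hash is authoritative: the content is the released
    file wherever it sits.  A name hit without a hash hit is the interesting
    case: wrong directory means a lookalike (csrss.exe under a Startup
    folder), right directory means the release was replaced or modified.
    """
    full = normalize(path)
    name = ntpath.basename(full)
    entry = CLEAN_MANIFEST.get(name)
    if entry is None:
        return "unknown"          # not a Microsoft name; other checks apply
    if sha256.lower() == entry["sha256"]:
        return "clean"
    allowed = {normalize(d) for d in entry["dirs"]}
    if ntpath.dirname(full) not in allowed:
        return "masquerade"
    return "tampered"


def suspicious(observed):
    """Keep only the (path, verdict) pairs an analyst should look at."""
    hits = []
    for path, digest in observed:
        verdict = classify(path, digest)
        if verdict in ("masquerade", "tampered"):
            hits.append((path, verdict))
    return hits


# Constructed inventory: the Bioazih drop locations from the write-up plus a
# genuine release and an unrelated file.  Digests are made up.
OBSERVED = [
    (r"%ProgramFiles%\Startup\csrss.exe", "11" * 32),
    (r"%SystemRoot%\tasks\conime.exe", "22" * 32),
    (r"%SystemRoot%\tasks\ctfmon.exe", "33" * 32),
    (r"%SystemRoot%\System32\csrss.exe", "AA" * 32),   # matches the manifest hash
    (r"C:\Users\alice\notes.txt", "44" * 32),
]

if __name__ == "__main__":
    for path, verdict in suspicious(OBSERVED):
        print(f"{verdict:10s} {path}")
```

A name match on its own is only a hint; the hash comparison against the manifest is what separates a genuine csrss.exe from a copy dropped under a Startup folder.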

The DLL is injected into a legitimate process as a persistence mechanism. On initial execution the RAT phones home to its command and control (C&C) server to send information from the affected PC. Figure 4 is a screenshot of the HTTP request format for newer variants:

Figure 4: TCP stream of a Bioazih phone home request

Once running, the malware can execute the following commands:

  • Run a remote command shell
  • Terminate a process
  • Uninstall itself
  • Manipulate files and folders
  • Download and run files
  • Upload files to a malicious hacker

The evolution of Bioazih

Bioazih has been used in a number of targeted attacks where it sends a campaign password or tag to its C&C server to identify its victims. In Figure 4, we can see the campaign tag under the pass parameter. Below is a table of Bioazih campaigns that we have seen and their respective tags.

Figure 5: Bioazih timeline and campaign tags

In recent years, Bioazih’s persistence is due, in part, to a number of code updates. This includes added or removed functionality, as well as updated C&C communication parameters, format, encryption, and installation routines.

In 2011, samples b1e51e43f3064abb800ff7b0a815d452, b6721b5e84de365cd9f1434b99888d26 and 5afa2b1045e9735e97703298c2bf2bde contained an export named Test that simply pointed to a RETN instruction. The sample b6721b5e84de365cd9f1434b99888d26 did not have a C&C server in its code and instead used its campaign tag mfc3 as the parameter for the C&C connection, which made that RAT instance useless to the attacker. This suggests these variants may be test builds of updated Bioazih code.

We have observed that Bioazih’s code, which is written in C++, has similarities to the HeartBeat APT and Bisonal (detected as Trojan:Win32/Korlia). Both malware families are also written in C++. It has been previously reported by Coseinc that Bisonal uses code that is freely available through a Chinese underground site.

One of the later variants (51f7f3d6f78b9dea06f520b7648bfdc2) includes a path in its code pointing to the C++ source file HttpSever.cpp, as shown below.

Figure 6: CPP code reference in malware code

Searching online for the string HttpSever returned source code with the same misspelling, available on a Chinese source code sharing site. Because the source code for this malware is freely available, it is easier for people to create mutations of it, which in turn makes it harder for antivirus vendors to track and detect.

Command and control

It appears that the perpetrators of Bioazih relied heavily on URL redirection and dynamic DNS services to hide their C&C servers. The IP addresses that the C&Cs point to were hosted in the USA, Ghana, and Egypt. Some of the Bioazih C&Cs display the message below, which suggests that they may be using a virtual private server (VPS) to host their C&Cs, which helps to hide the attacker’s real location.

Figure 7: Page displayed by some of the Bioazih C&Cs

We mapped the C&C infrastructure of some of the Bioazih campaigns and saw multiple overlaps between Bisonal (Trojan:Win32/Korlia) and Bioazih C&Cs:

Figure 8: Bioazih and Bisonal C&C overlaps

We also saw that at least one Bioazih C&C overlapped with a known Sluegot/TABMSGSQL (detected as Trojan:Win32/Sluegot) IP address.

Figure 9: Bioazih and TABMSGSQL C&C overlap

The overlaps in its C&C infrastructure suggest that Bioazih is very likely part of a larger campaign.

Detecting and removing Bioazih

A combination of factors can hinder the analysis and detection of threats such as Bioazih. For example, the availability of source code in underground forums helps malicious hackers create countless mutations of malicious code in an attempt to evade detection and discovery.

The Microsoft Clean-File Metadata Initiative can help our partners and customers better detect and remove these threats by addressing their use of common Microsoft file names. By providing metadata straight from the source, we add a layer of protection that increases confidence in our whitelisting technologies, allowing us to release more signatures while minimizing the risk of false positives.

To help stay protected against Bioazih and other threats, use up-to-date real-time security products such as Windows Defender for Windows 8.1. We also recommend enabling the Microsoft Active Protection Service (MAPS) to take full advantage of Microsoft's cloud protection service.

Roland Dela Paz


Microsoft Malware Protection Center

http://ift.tt/1IegP0S

Sunday, April 26, 2015

Bioazih RAT: How clean-file metadata can help keep you safe

As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts.

Using the authoritative metadata manifest of Microsoft-released files that are found in our clean-file metadata feed can help reduce antimalware resources spent flagging known bad files by eliminating already known good files. It can also help our partners and customers quickly categorize fake Microsoft files – files that can be used by malware creators to hide their malicious code.

One threat that we have seen using Microsoft file names is Win32/Bioazih, a family of remote access tools (RAT).

Bioazih is a backdoor mutation that can be used for targeted attacks. It was named after a string in its code:

Bioazih string

 
Figure 1: Bioazih string found in malware code

We have seen Bioazih used in targeted attacks in conjunction with other RAT families in an attempt to prevent detection.

The Bioazih threat

Bioazih is not a new threat. We first detected it in 2010 and continue to see variants in the wild, albeit in small numbers. However, its code is frequently updated to avoid being detected by antivirus products and increases the risk of infection during targeted attacks.

Bioazih is usually installed by a malware dropper or document exploit – typically attached in spear-phishing emails. Once a user opens the attachment, a decoy file is displayed while the malware is run in the background. Figure 2 and 3 show Japanese and Russian decoy files that can be dropped at the same time as Bioazih malware:

Japanese bait file

Figure 2: A Japanese language XLS bait file. The title roughly translates to: “Hiroshima Domain Shelter Table”

Russian bait file

Figure 3: A Russian language DOC bait file. The title roughly translates to: “TELEPHONE DIRECTORY Primary trade union organization GROUPS OJSC, Magnitogorsk Iron and Steel Works, Mining and Metallurgical Union RUSSIA”

A second stage executable dropper is then run, installing any of the following EXE or DLL components (depending on the variant) which contains the payload:

  • %ProgramFiles%\Startup\csrss.exe
  • <system folder>\dmdskngr.dll
  • <system folder>\dmserver.dll
  • <system folder>\dssemh.dll
  • %SystemRoot%\tasks\conime.exe
  • %SystemRoot%\tasks\ctfmon.exe
  • <system folder>\tdmserver.dll

As seen above, several of the files names used by this malware are deceptively similar to Microsoft files. The malware does this in an attempt to avoid discovery and to make detection and removal more difficult. This is a common malware technique and one we hope to address in our Microsoft Clean-File Metadata Initiative.

The DLL is injected into a legitimate process as a persistence mechanism. On initial execution the RAT phones home to its command and control (C&C) server to send information from the affected PC. Figure 4 is a screenshot of the HTTP request format for newer variants:

TCP stream

Figure 4: TCP stream of a Bioazih phone home request

Once running, the malware can execute the following commands:

  • Run a remote command shell
  • Terminate a process
  • Uninstall itself
  • Manipulate files and folders
  • Download and run files
  • Upload files to a malicious hacker

The evolution of Bioazih

Bioazih has been used in a number of targeted attacks where it sends a campaign password or tag to its C&C server to identify its victims. In Figure 4, we can see the campaign tag under the pass parameter. Below is a table of Bioazih campaigns that we have seen and their respective tags.

Bioazih timeline

Figure 5: Bioazih timeline and campaign tags

In recent years, Bioazih’s persistence is due, in part, to a number of code updates. This includes added or removed functionality, as well as updated C&C communication parameters, format, encryption, and installation routines.

In 2011, samples b1e51e43f3064abb800ff7b0a815d452, b6721b5e84de365cd9f1434b99888d26 and 5afa2b1045e9735e97703298c2bf2bde contained an export named Test that simply pointed to a RETN code. The sample b6721b5e84de365cd9f1434b99888d26 did not have a C&C server in its code and instead used its campaign tag mfc3 as the parameter for C&C connection, resulting in that RAT instance being useless to the attacker. This suggests these variants may be test builds of updated Bioazih code.

We have observed that Bioazih’s code, which is written in C++, has similarities to the HeartBeat APT and Bisonal (detected as Trojan:Win32/Korlia). Both malware families are also written in C++. It has been previously reported by Coseinc that Bisonal uses code that is freely available through a Chinese underground site.

One of the later variants (51f7f3d6f78b9dea06f520b7648bfdc2) include a path in its code pointing to the C++ source code HttpSever.cpp as shown below.

CPP code

 
Figure 6 CPP code reference in malware code

Searching online for the string HttpSever returned source code that had a similar spelling and is available on a Chinese source code sharing site. Since the source code is freely available for this malware, it makes it easier for people to mutate and that makes it more difficult for antivirus vendors to track and detect.

Command and control

It appears that, perpetrators of Bioazih relied heavily on URL redirection and dynamic DNS services to hide their C&C servers. The IP addresses that the C&Cs point to were hosted in the USA, Ghana, and Egypt. Some of the Bioazih C&Cs display the message below, which suggests that they may be using a virtual private server (VPS) to host their C&Cs which helps to hide the attacker’s real location.

Bioazih IP page

 
Figure 7: Page displayed by some of Bioazih C&Cs

We mapped the C&C infrastructure of some of the Bioazih campaigns and saw multiple overlaps between Bisonal (Trojan:Win32/Korlia) and Bioazih C&Cs:

Bioazih and Bisonal

 
Figure 8 Bioazih and Bisonal C&C overlaps

We also saw that at least one Bioazih C&C overlapped with a known Sluegot/TABMSGSQL (detected as Trojan:Win32/Sluegot) IP address.

 Bioazih and Bisonal

Figure 9: Bioazih and TABMSGSQL C&C overlap

Overlaps in its C&C infrastructure suggests that it is very likely that Bioazih is part of a larger campaign.

Detecting and removing Bioazih

A combination of factors can hinder the analysis and detection of threats such as Bioazih. For example, the availability of source codes in underground forums helps malicious hackers create countless mutations of malicious code in an attempt to evade detection and discovery.

The Microsoft Clean-File Metadata Initiative can help our partners and customers better detect and remove these threats by addressing its use of common Microsoft file names. By providing metadata straight from the source, we add a layer of protection that increases confidence in our whitelisting technologies therefore allowing us to release more signatures while minimizing the risk of false positives.

To help stay protected against Bioazih and other threats, use up-to-date real-time security products such as Windows Defender for Windows 8.1. We also recommend enabling the Microsoft Active Protection Service (MAPS) to take full advantage of Microsoft's cloud protection service.

Roland Dela Paz


Microsoft Malware Protection Center
Secure Hunter Anti -Malware

The post Bioazih RAT: How clean-file metadata can help keep you safe appeared first on Secure Hunter Anti-Malware.



http://ift.tt/1GwIpnP
Secure Hunter

Bioazih RAT: How clean-file metadata can help keep you safe

As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts.

Using the authoritative metadata manifest of Microsoft-released files that are found in our clean-file metadata feed can help reduce antimalware resources spent flagging known bad files by eliminating already known good files. It can also help our partners and customers quickly categorize fake Microsoft files – files that can be used by malware creators to hide their malicious code.

One threat that we have seen using Microsoft file names is Win32/Bioazih, a family of remote access tools (RAT).

Bioazih is a backdoor mutation that can be used for targeted attacks. It was named after a string in its code:

Bioazih string

 
Figure 1: Bioazih string found in malware code

We have seen Bioazih used in targeted attacks in conjunction with other RAT families in an attempt to prevent detection.

The Bioazih threat

Bioazih is not a new threat. We first detected it in 2010 and continue to see variants in the wild, albeit in small numbers. However, its code is frequently updated to avoid being detected by antivirus products and increases the risk of infection during targeted attacks.

Bioazih is usually installed by a malware dropper or document exploit – typically attached in spear-phishing emails. Once a user opens the attachment, a decoy file is displayed while the malware is run in the background. Figure 2 and 3 show Japanese and Russian decoy files that can be dropped at the same time as Bioazih malware:

Japanese bait file

Figure 2: A Japanese language XLS bait file. The title roughly translates to: “Hiroshima Domain Shelter Table”

Russian bait file

Figure 3: A Russian language DOC bait file. The title roughly translates to: “TELEPHONE DIRECTORY Primary trade union organization GROUPS OJSC, Magnitogorsk Iron and Steel Works, Mining and Metallurgical Union RUSSIA”

A second stage executable dropper is then run, installing any of the following EXE or DLL components (depending on the variant) which contains the payload:

  • %ProgramFiles%\Startup\csrss.exe
  • <system folder>\dmdskngr.dll
  • <system folder>\dmserver.dll
  • <system folder>\dssemh.dll
  • %SystemRoot%\tasks\conime.exe
  • %SystemRoot%\tasks\ctfmon.exe
  • <system folder>\tdmserver.dll

As seen above, several of the files names used by this malware are deceptively similar to Microsoft files. The malware does this in an attempt to avoid discovery and to make detection and removal more difficult. This is a common malware technique and one we hope to address in our Microsoft Clean-File Metadata Initiative.

The DLL is injected into a legitimate process as a persistence mechanism. On initial execution the RAT phones home to its command and control (C&C) server to send information from the affected PC. Figure 4 is a screenshot of the HTTP request format for newer variants:

TCP stream

Figure 4: TCP stream of a Bioazih phone home request

Once running, the malware can execute the following commands:

  • Run a remote command shell
  • Terminate a process
  • Uninstall itself
  • Manipulate files and folders
  • Download and run files
  • Upload files to a malicious hacker

The evolution of Bioazih

Bioazih has been used in a number of targeted attacks where it sends a campaign password or tag to its C&C server to identify its victims. In Figure 4, we can see the campaign tag under the pass parameter. Below is a table of Bioazih campaigns that we have seen and their respective tags.

Bioazih timeline

Figure 5: Bioazih timeline and campaign tags

In recent years, Bioazih’s persistence is due, in part, to a number of code updates. This includes added or removed functionality, as well as updated C&C communication parameters, format, encryption, and installation routines.

In 2011, samples b1e51e43f3064abb800ff7b0a815d452, b6721b5e84de365cd9f1434b99888d26 and 5afa2b1045e9735e97703298c2bf2bde contained an export named Test that simply pointed to a RETN code. The sample b6721b5e84de365cd9f1434b99888d26 did not have a C&C server in its code and instead used its campaign tag mfc3 as the parameter for C&C connection, resulting in that RAT instance being useless to the attacker. This suggests these variants may be test builds of updated Bioazih code.

We have observed that Bioazih’s code, which is written in C++, has similarities to the HeartBeat APT and Bisonal (detected as Trojan:Win32/Korlia). Both malware families are also written in C++. It has been previously reported by Coseinc that Bisonal uses code that is freely available through a Chinese underground site.

One of the later variants (51f7f3d6f78b9dea06f520b7648bfdc2) include a path in its code pointing to the C++ source code HttpSever.cpp as shown below.

CPP code

 
Figure 6 CPP code reference in malware code

Searching online for the string HttpSever returned source code that had a similar spelling and is available on a Chinese source code sharing site. Since the source code is freely available for this malware, it makes it easier for people to mutate and that makes it more difficult for antivirus vendors to track and detect.

Command and control

It appears that, perpetrators of Bioazih relied heavily on URL redirection and dynamic DNS services to hide their C&C servers. The IP addresses that the C&Cs point to were hosted in the USA, Ghana, and Egypt. Some of the Bioazih C&Cs display the message below, which suggests that they may be using a virtual private server (VPS) to host their C&Cs which helps to hide the attacker’s real location.

Bioazih IP page

 
Figure 7: Page displayed by some of Bioazih C&Cs

We mapped the C&C infrastructure of some of the Bioazih campaigns and saw multiple overlaps between Bisonal (Trojan:Win32/Korlia) and Bioazih C&Cs:

Bioazih and Bisonal

 
Figure 8 Bioazih and Bisonal C&C overlaps

We also saw that at least one Bioazih C&C overlapped with a known Sluegot/TABMSGSQL (detected as Trojan:Win32/Sluegot) IP address.

 Bioazih and Bisonal

Figure 9: Bioazih and TABMSGSQL C&C overlap

Overlaps in its C&C infrastructure suggests that it is very likely that Bioazih is part of a larger campaign.

Detecting and removing Bioazih

A combination of factors can hinder the analysis and detection of threats such as Bioazih. For example, the availability of source codes in underground forums helps malicious hackers create countless mutations of malicious code in an attempt to evade detection and discovery.

The Microsoft Clean-File Metadata Initiative can help our partners and customers better detect and remove these threats by addressing its use of common Microsoft file names. By providing metadata straight from the source, we add a layer of protection that increases confidence in our whitelisting technologies therefore allowing us to release more signatures while minimizing the risk of false positives.

To help stay protected against Bioazih and other threats, use up-to-date real-time security products such as Windows Defender for Windows 8.1. We also recommend enabling the Microsoft Active Protection Service (MAPS) to take full advantage of Microsoft's cloud protection service.

Roland Dela Paz


Microsoft Malware Protection Center
Secure Hunter Anti -Malware

The post Bioazih RAT: How clean-file metadata can help keep you safe appeared first on Secure Hunter Anti-Malware.



http://ift.tt/1Fp08it
Secure Hunter

Bioazih RAT: How clean-file metadata can help keep you safe

As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts.

Using the authoritative metadata manifest of Microsoft-released files that are found in our clean-file metadata feed can help reduce antimalware resources spent flagging known bad files by eliminating already known good files. It can also help our partners and customers quickly categorize fake Microsoft files – files that can be used by malware creators to hide their malicious code.

One threat that we have seen using Microsoft file names is Win32/Bioazih, a family of remote access tools (RAT).

Bioazih is a backdoor mutation that can be used for targeted attacks. It was named after a string in its code:

Bioazih string

 
Figure 1: Bioazih string found in malware code

We have seen Bioazih used in targeted attacks in conjunction with other RAT families in an attempt to prevent detection.

The Bioazih threat

Bioazih is not a new threat. We first detected it in 2010 and continue to see variants in the wild, albeit in small numbers. However, its code is frequently updated to avoid being detected by antivirus products and increases the risk of infection during targeted attacks.

Bioazih is usually installed by a malware dropper or document exploit – typically attached in spear-phishing emails. Once a user opens the attachment, a decoy file is displayed while the malware is run in the background. Figure 2 and 3 show Japanese and Russian decoy files that can be dropped at the same time as Bioazih malware:

Japanese bait file

Figure 2: A Japanese language XLS bait file. The title roughly translates to: “Hiroshima Domain Shelter Table”

Russian bait file

Figure 3: A Russian language DOC bait file. The title roughly translates to: “TELEPHONE DIRECTORY Primary trade union organization GROUPS OJSC, Magnitogorsk Iron and Steel Works, Mining and Metallurgical Union RUSSIA”

A second stage executable dropper is then run, installing any of the following EXE or DLL components (depending on the variant) which contains the payload:

  • %ProgramFiles%\Startup\csrss.exe
  • <system folder>\dmdskngr.dll
  • <system folder>\dmserver.dll
  • <system folder>\dssemh.dll
  • %SystemRoot%\tasks\conime.exe
  • %SystemRoot%\tasks\ctfmon.exe
  • <system folder>\tdmserver.dll

As seen above, several of the files names used by this malware are deceptively similar to Microsoft files. The malware does this in an attempt to avoid discovery and to make detection and removal more difficult. This is a common malware technique and one we hope to address in our Microsoft Clean-File Metadata Initiative.

The DLL is injected into a legitimate process as a persistence mechanism. On initial execution the RAT phones home to its command and control (C&C) server to send information from the affected PC. Figure 4 is a screenshot of the HTTP request format for newer variants:

TCP stream

Figure 4: TCP stream of a Bioazih phone home request

Once running, the malware can execute the following commands:

  • Run a remote command shell
  • Terminate a process
  • Uninstall itself
  • Manipulate files and folders
  • Download and run files
  • Upload files to a malicious hacker

The evolution of Bioazih

Bioazih has been used in a number of targeted attacks where it sends a campaign password or tag to its C&C server to identify its victims. In Figure 4, we can see the campaign tag under the pass parameter. Below is a table of Bioazih campaigns that we have seen and their respective tags.

Bioazih timeline

Figure 5: Bioazih timeline and campaign tags

In recent years, Bioazih’s persistence is due, in part, to a number of code updates. This includes added or removed functionality, as well as updated C&C communication parameters, format, encryption, and installation routines.

In 2011, samples b1e51e43f3064abb800ff7b0a815d452, b6721b5e84de365cd9f1434b99888d26 and 5afa2b1045e9735e97703298c2bf2bde contained an export named Test that simply pointed to a RETN code. The sample b6721b5e84de365cd9f1434b99888d26 did not have a C&C server in its code and instead used its campaign tag mfc3 as the parameter for C&C connection, resulting in that RAT instance being useless to the attacker. This suggests these variants may be test builds of updated Bioazih code.

We have observed that Bioazih’s code, which is written in C++, has similarities to the HeartBeat APT and Bisonal (detected as Trojan:Win32/Korlia). Both malware families are also written in C++. It has been previously reported by Coseinc that Bisonal uses code that is freely available through a Chinese underground site.

One of the later variants (51f7f3d6f78b9dea06f520b7648bfdc2) includes a path in its code pointing to the C++ source file HttpSever.cpp, as shown below.

Figure 6: CPP code reference in malware code

Searching online for the string HttpSever turned up source code with the same misspelling on a Chinese source code sharing site. Because the source code is freely available, anyone can produce mutated builds, which in turn makes the family harder for antivirus vendors to track and detect.

Command and control

It appears that the perpetrators of Bioazih relied heavily on URL redirection and dynamic DNS services to hide their C&C servers. The IP addresses the C&C names pointed to were hosted in the USA, Ghana and Egypt. Some of the Bioazih C&Cs display the page below, which suggests the operators rent virtual private servers (VPS) to host them, helping to hide their real location.

Figure 7: Page displayed by some of Bioazih C&Cs

We mapped the C&C infrastructure of some of the Bioazih campaigns and saw multiple overlaps between Bisonal (Trojan:Win32/Korlia) and Bioazih C&Cs:

Figure 8: Bioazih and Bisonal C&C overlaps

We also saw that at least one Bioazih C&C overlapped with a known Sluegot/TABMSGSQL (detected as Trojan:Win32/Sluegot) IP address.

Figure 9: Bioazih and TABMSGSQL C&C overlap

These overlaps in C&C infrastructure make it very likely that Bioazih is part of a larger campaign.
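The infrastructure pivot behind Figures 8 and 9, as an added example that is not part of the original post: index every C&C hostname and every address it resolved to by the families that used it, then report the indicators shared by more than one family. All indicators below are constructed (RFC 2606 reserved domain names and RFC 5737 documentation addresses); the point the data is built to show is that two families using different dynamic-DNS names can still land on the same hosting IP, which is the overlap a domain-only comparison would miss.

```python
"""Pivot on shared C&C infrastructure between malware families.

Added example, not from the post. Every indicator here is constructed: the
hostnames are RFC 2606 reserved names and the addresses come from the
RFC 5737 documentation ranges. The resolution table stands in for passive
DNS data an analyst would collect for dynamic-DNS C&C names.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

# Constructed: family -> C&C hostnames extracted from samples.
FAMILY_C2: dict[str, set[str]] = {
    "Bioazih": {"upd.dyn-a.example.net", "news.example.org"},
    "Bisonal": {"mail.dyn-b.example.net", "news.example.org"},
    "Sluegot": {"ftp.dyn-c.example.net"},
}

# Constructed: hostname -> addresses it resolved to (a stand-in for passive DNS).
RESOLUTIONS: dict[str, set[str]] = {
    "upd.dyn-a.example.net": {"192.0.2.10"},
    "news.example.org": {"198.51.100.7"},
    "mail.dyn-b.example.net": {"203.0.113.5"},
    "ftp.dyn-c.example.net": {"192.0.2.10"},   # same host as Bioazih's dyn-a name
}


def shared_indicators(family_c2: dict[str, set[str]],
                      resolutions: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {indicator: sorted families} for every hostname or IP used by 2+ families."""
    owners: dict[str, set[str]] = defaultdict(set)
    for family, hosts in family_c2.items():
        for host in hosts:
            owners[host].add(family)
            # Follow the name to its hosting address so renamed dynamic-DNS C&Cs still collide.
            for ip in resolutions.get(host, ()):
                owners[ip].add(family)
    return {ind: sorted(fams) for ind, fams in owners.items() if len(fams) > 1}


def family_links(family_c2: dict[str, set[str]],
                 resolutions: dict[str, set[str]]) -> dict[tuple[str, str], set[str]]:
    """Collapse shared indicators into family pairs and the evidence linking them."""
    links: dict[tuple[str, str], set[str]] = defaultdict(set)
    for indicator, families in shared_indicators(family_c2, resolutions).items():
        for pair in combinations(families, 2):
            links[pair].add(indicator)
    return dict(links)


if __name__ == "__main__":
    for pair, evidence in sorted(family_links(FAMILY_C2, RESOLUTIONS).items()):
        print(f"{pair[0]} <-> {pair[1]}: {sorted(evidence)}")
```

In the constructed data Bioazih and Sluegot share no hostname at all; the link only appears once the names are resolved, which is why resolution history belongs in the pivot rather than just the domain lists pulled from samples.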

Detecting and removing Bioazih

A combination of factors can hinder the analysis and detection of threats such as Bioazih. For example, the availability of source code in underground forums lets malicious hackers create countless mutations of malicious code in an attempt to evade detection and discovery.

The Microsoft Clean-File Metadata Initiative can help our partners and customers better detect and remove these threats by addressing the malware's use of common Microsoft file names. By providing metadata straight from the source, we add a layer of protection that increases confidence in our whitelisting technologies, allowing us to release more signatures while minimizing the risk of false positives.

To help stay protected against Bioazih and other threats, use up-to-date real-time security products such as Windows Defender for Windows 8.1. We also recommend enabling the Microsoft Active Protection Service (MAPS) to take full advantage of Microsoft's cloud protection service.

Roland Dela Paz


Microsoft Malware Protection Center

The post Bioazih RAT: How clean-file metadata can help keep you safe appeared first on Secure Hunter Anti-Malware.



http://ift.tt/1OsEmQA