Gameover Zeus re-emerges without peer-to-peer capability

Dell SecureWorks CTU™ researchers have observed the distribution of a modified version of the Gameover Zeus malware. The global Gameover Zeus infrastructure was disrupted in late May 2014 by law enforcement and private industry partners during Operation Tovar. The infrastructure, including its peer-to-peer (P2P) network, remains under the control of those organizations and is not available to the threat actors who originally operated it. The new version observed in distribution on July 10, 2014 has jettisoned the P2P component in favor of a centralized command and control (C2) infrastructure that is based on a domain generation algorithm (DGA).

Operation Tovar: Dell SecureWorks Contributes to Efforts Targeting Gameover Zeus and CryptoLocker

Dell SecureWorks partnered with international law enforcement and industry to take proactive action against the infrastructure of the Gameover Zeus botnet and the CryptoLocker ransomware, as well as the operators responsible for these threats. This action has been named Operation Tovar. Law enforcement organizations including the Federal Bureau of Investigation (FBI), the UK’s National Crime Agency, and Europol’s European Cybercrime Center (EC3) seized infrastructure assets relating to these threats, while technical measures were enacted to neutralize the command and control (C2) infrastructure.

APT Campaign Leverages the Cueisfry Trojan and Microsoft Word Vulnerability CVE-2014-1761

Dell SecureWorks Counter Threat Unit™ (CTU) researchers discovered the Cueisfry first-stage downloader trojan while analyzing a spearphishing message sent to an email account belonging to an intelligence-related group in Japan. The message was part of an Advanced Persistent Threat (APT) campaign targeting government officials and economic institutions in Southeast Asia.

Changes in Observed/Assumed Tactics, Techniques, and Procedures (TTPs)

Dell SecureWorks Counter Threat Unit™ (CTU) researchers interact directly with clients during targeted threat incident response engagements. These engagements provide access to a wide range of data for both analysis and research. CTU researchers can deploy host-based endpoint analysis agents and network monitoring systems, and can collect infrastructure logs for analysis. This access, coupled with alerts from Dell SecureWorks iSensors, allows CTU researchers to achieve a much deeper, targeted level of analysis. As a result, CTU researchers have observed a wide range of tactics, techniques, and procedures (TTPs) used by threat actors to deploy a popular remote access trojan (RAT). Some of these tactics, including the following examples, run counter to assumptions about common techniques.

HelloBridge Trojan Uses Heartbleed News to Lure Victims

The Dell SecureWorks Counter Threat Unit™ (CTU) research team analyzed a malware sample on April 9, 2014 that takes advantage of recent news reports focusing on the “Heartbleed” vulnerability. The filename used by the attacker, shown in Figure 1, literally translates to “Heartbleed vulnerability testing tool.exe,” but CTU researchers are referring to it as the HelloBridge backdoor trojan. On April 9, the VirusTotal analysis service showed low detection for this malware, with only 3 of 51 antivirus (AV) vendors detecting it as malicious. As of April 17, 27 of 51 AV vendors detected it as malicious.

Using Unicode to hide malware within the file system

Dell SecureWorks Counter Threat Unit™ (CTU) analysts previously observed the use of Unicode characters within the Windows Registry to obscure the presence of malware on a system. Similar techniques can be used within the file system. CTU analysts examined a system infected with the Win32/Vercuser.B worm, which was obscured, in part, through the use of a Unicode character.

Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit

Shortly after reports that the developer of the Blackhole exploit kit was arrested, one of the groups leveraging the Cutwail spam botnet changed tactics, switching which exploit kit they use to distribute malware. Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns (see Figure 1) in combination with malicious embedded links that led to the Blackhole exploit kit. Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a shift by one of the groups using the Cutwail botnet from Blackhole to another exploit kit known in the security community as Magnitude (formerly known as Popads).

How to Hide Malware in Unicode

Unicode character sets are used throughout Windows systems, largely to make it easier to present the same information (warning messages, alerts, notices, etc.) in different languages. Windows applications, including the Windows Explorer shell, understand Unicode character sets and control characters, and know how to present them to the user. This functionality can also be subverted for malicious purposes in order to hide the presence of malware, often in plain sight.

Dell SecureWorks’ Brand Surveillance Team Warns Organizations of Hacktivists and Disgruntled Employees Mounting Multi-Prong Cyber Attacks, not Just DoS Attacks

Hacktivists, disgruntled employees, and other cyber threat actors intent on sabotaging an organization are expanding their tactics beyond Distributed Denial of Service (DDoS) attacks, warns Dell SecureWorks’ Enterprise Brand and Executive Threat Surveillance team. This team constantly monitors social media sites, forums, and other public information sources, looking for conversations and other indicators that a customer’s brand or its executives might be the target of a cyber attack. Using their highly honed investigative skills, the team has worked numerous cases in which they obtained solid intelligence of an attack being planned by the threat actors. Dell SecureWorks has then worked with the organizations to quickly shut down the attack before it could happen or implemented countermeasures to block the attack, effectively protecting the organization’s infrastructure, assets, and brand.
