CyberWire Daily - Lebal malware phishes for victims. [Research Saturday]
Episode Date: March 3, 2018
Researchers at Comodo Security Solutions have been tracking a recently discovered strain of malware named Lebal. The malware uses several clever techniques to attempt to hide itself, and once installed targets credentials and cryptocurrency wallets. Fatih Orhan is VP of Threat Labs at Comodo, and he takes us through their research.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We discovered it with our sensors, which we monitor 24-7 around the globe. We have visibility in almost all countries, and we are monitoring suspicious activities in all different security areas.

That's Fatih Orhan. He's a vice president of Threat Labs at Comodo Security Solutions. Today, we're discussing his team's research on a recently discovered malware strain called Lebal.

This case, this specific case, has caught our attention
because we have seen some phishing emails,
an increasing number of phishing emails,
especially for some industries or some type of users,
like universities and private companies.
So it all started with a phishing email.
The email was well crafted.
It was different from the others.
Although our systems raised alerts and detected this, we found it valuable to investigate and to further analyze the case.
The email was pretending to be coming from FedEx.
And it included a legit link, a URL that redirects to Google Drive. So from a user standpoint, there is nothing that you might be suspicious of or get alerted by, because all seemed to be legit.

Yeah, FedEx is a legitimate company and certainly Google Drive is legit as well.
Right. And even when you click the link, you get this secure logo, you know, the HTTPS under drive.google.com. So since it's a legit website, the secure logo also creates a sense of trust, a sense of security for the user,
but it was an executable that the user had to download to his computer and run.
Eventually, when the application is run,
that's the malicious part that comes into the picture,
and it was trying to collect all the data on the computer,
all sensitive data.
Criminals know how to get the credentials,
the credit cards, the Bitcoin wallets, all kinds of sensitive information. This malware
was collecting all and sending to unknown servers, criminal servers mostly.
Yeah. Let's walk through it step by step here. So they would get the phishing email and they would click the link in the phishing email.
And that would open a site on their browser.
And what that site presented them with this file to download, what file was that?
Yeah, the file itself has a PDF icon, but actually it's not a PDF file. So this is also a trick that hackers are using currently,
because usually if you connect with your regular email attachment,
you would only see the PDF file and you wouldn't suspect
that it might be an executable, a malicious executable.
The second step of the attack is the download of the malware application,
which is an executable, but disguised as a PDF file.
And even if you bring up the sort of the get info on that file,
it goes on to try to present itself as an Adobe PDF file.
Right, exactly. So Adobe PDF file, all the details, all the information is being shown so that
the users are lured to think that it's a PDF file. So usually PDF is not seen as a malicious source, although it might still be with some scripts, but it's more secure than any
executable. You know, the users are tricked and the executable is behind this PDF Acrobat image.
So once they download this executable, do they manually have to execute it? Does it automatically,
does it auto execute or do they have to click on it to start it running?
For this case, there is no auto execute because actually Google is serving this application.
This Google Drive is the main source. So we usually see this kind of cloud-based
storage service being used for malicious application, malicious content distribution.
But since they don't have control over Google or any other cloud storage, they cannot initiate,
trigger the execution of that downloaded application. So the user has to run this
application in this case.

Which is interesting because the name of the file
isn't really something that I suppose would attract people to run it,
but I guess enough people run it that it is a problem.
Right.
And yeah, usually one person executing this malicious file in a network
is enough so that it can copy itself to other computers
or other locations as well.
I see.
Yeah.
So once the file is downloaded and they've executed, what happens next?
Take us through how it reaches out and the things that it does.
First, there is an investigation phase.
Usually, the malware tries to stay hidden, the system being unaware of it.
They try to check some specific folders and specific files to extract credentials or wallets, cryptocurrency wallets, or any other
information. So they know specific applications like FTP clients or browser applications or Bitcoin wallets.
They know the locations that these can be stored.
So the first step is to investigate all this data, collect all this data.
And then it connects with a command and control server?
Right.
In today's world, it's very easy for a criminal to hack into a server,
put a small application, what we call a command and control server application,
and connect the infected computers to this server and send all credentials directly. And usually,
we observe that these servers are live less than 24 hours,
like 8 hours, 10 hours, 12 hours, until they are detected.
And then they just jump to another server.
But the malware collects the files, the credentials,
and all sensitive information, and they send to servers.
And so who does it seem like they were targeting with this?
Was there anyone specific or was this more of a shotgun approach?
We know that the cryptocurrency wallets are also searched by the malware.
So as you know, Bitcoin is very popular, it's hot now.
So Bitcoin users were among the targets, but as an industry, we know that universities were one of the organizations targeted.
And we had also some government organizations.
But since there are also private companies, it seems like it was a generic attack towards any kind of organization.
And do you have any sense for what the scale is of the attack
or how many people they tried to hit?
By looking at only our data, it should be close to 50,000 people that are being targeted. But when we make an estimation about the global target, it should be a minimum of double this, so a hundred thousand people should be affected, should be receiving at least this email, this phishing email, and depending on their security solutions they could either receive it in their inbox or they could eliminate this threat.

And you said that these campaigns jump around from server to server.
Is this one that you're seeing still being active or did it sort of come and go?
This analysis was performed in the first two weeks of January.
In the last two weeks we also saw the same malware being delivered. We had a slightly different phishing, so
it is a continuous campaign, and usually the servers are changing very fast,
because we know that criminals are getting organized and they don't use any
server for a long time, and the security companies also identify this and detect it.
So it's chasing the tail of the criminals.
So it's like a game.
It's like a-
A cat and mouse.
Cat and mouse, yes.
It's like a cat and mouse game.
Right.
We know that criminals are getting organized
and usually infrastructure owners are different than the
malware producers, the malware creators, which are different than the actual phishing attack,
the criminals who perform the phishing attacks. So these are different groups, but they are
working in collaboration. And when saying this, we can also express that they are organized.
They are even maybe more organized than some other legit companies or legit security solutions because they can provide this as a service.
They provide malicious servers or infected computers as a service. They can provide malware or phishing
as a service. They can provide delivery as a service. So we know that usually these types of
campaigns are being performed by people who actually don't have control on the malicious
server or who don't know how to write a malware,
but they just get and buy the service from these organized criminal groups.
And what are your recommendations in terms of people protecting themselves against this?
In today's world, we can get malware from many different areas. I mean, you can download a file,
you can get an email. When we are talking about
phishing, users should be aware that phishing is the first entry point for malware into your
computer. So they should be aware of who is sending this. They should check the links. They should
check the sender. Even if these can be modified or they can give some sense of trust, they should be
double checking everything, and they should just visit the pages that they know. The alternative
to this, of course, is to use good security products. If they cannot perform this manually,
if they don't have the necessary information about protection,
they should have anti-phishing, anti-spam or malware protection solutions.
Yeah, I mean, it strikes me that this was so well crafted. There really wasn't anything in
this phishing email that looks out of the ordinary or would raise any red flags.
For this one, yes, you're right. It's very hard to detect.
The only suspicious part would be the executable file, which is downloaded from a web browser.
Any executable is potentially suspicious. Usually, even with FedEx or other legal entities,
if you get an email, it's wise to just log in to the account that you know without using the link inside the email and check from your account, from
your own visit to the page. So that might be a protection for end users.
They can validate if this is a legit URL or not.
Our thanks to Fatih Orhan from Comodo for joining us. You can read the complete report
on the Lebal malware on the Comodo website. It's in the blog section.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.