Incidents

New Twitter worm redirects to Fake AV

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being denylisted in our products.

Here are some of the technical details:

  1. Redirection Chains

    Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

    This html page will then redirects users to a static domain with a Ukrainian top level domain:

    As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

    This IP address will then do its final redirection job, which leads to the Fake AV website:

  2. The Rogue AV site

    Once you are on this website, you will get warning that your machine is running suspicious applications and you are encouraged to scan it:

    After approval, the scanning begins:

    The user is invited to remove all the threats from their computer, and will download a fake Anti Virus application called “Security Shield”:

    The graphical user interface gets translated to the language of the OS the Rogue AV is running on. During my test, a French version of Windows XP was used, hence the French translation of the interface.

  3. Rogue AV web site uses RSA for code obfuscation

    Obfuscation techniques are very common for malicious web sites. Here is a quick look into the one used by the Rogue AV web site.

    While looking at the obfuscation, I found out that it is comprised of two steps:

    • Base64 Decode (trivial)
    • RSA with a very small Modulus

    Here is chunk of code from the obfuscated page:

    Both the Class and the Method used are using random names. The “camunqjr” method is taking a BASE64 decoded parameter.

    If we investigate the class, we end up right inside the RSA algorithm:

    Anyone familiar with cryptography will recognize the RSA algorithm here. We have a function taking 3 parameters: C, D and N which is using the “powmod” operator.

    They are using RSA to decrypt the JavaScript locally

    • ‘c’ is known as the cyphertext
    • ‘d’ is known as the secret exponent or decryption exponent
    • ‘n’ is known as the modulus

    In order to get ‘m’ (Message) , the decryption goes like this: m = cd mod n

    RSA is used as an obfuscation technique more frequently than any other, since the private key is available in the JavaScript page. The modulus “N” seems to be 26 bits in length most of the time, which is ridiculously small.

    Here is a screenshot of the parameters taken from the JavaScript:

    Bear in mind that clicking on random links may lead to severe infection of your machine.

New Twitter worm redirects to Fake AV

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox