Incidents

New Twitter worm redirects to Fake AV

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being denylisted in our products.

Here are some of the technical details:

  1. Redirection Chains

    Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

    This html page will then redirects users to a static domain with a Ukrainian top level domain:

    As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

    This IP address will then do its final redirection job, which leads to the Fake AV website:

  2. The Rogue AV site

    Once you are on this website, you will get warning that your machine is running suspicious applications and you are encouraged to scan it:

    After approval, the scanning begins:

    The user is invited to remove all the threats from their computer, and will download a fake Anti Virus application called “Security Shield”:

    The graphical user interface gets translated to the language of the OS the Rogue AV is running on. During my test, a French version of Windows XP was used, hence the French translation of the interface.

  3. Rogue AV web site uses RSA for code obfuscation

    Obfuscation techniques are very common for malicious web sites. Here is a quick look into the one used by the Rogue AV web site.

    While looking at the obfuscation, I found out that it is comprised of two steps:

    • Base64 Decode (trivial)
    • RSA with a very small Modulus

    Here is chunk of code from the obfuscated page:

    Both the Class and the Method used are using random names. The “camunqjr” method is taking a BASE64 decoded parameter.

    If we investigate the class, we end up right inside the RSA algorithm:

    Anyone familiar with cryptography will recognize the RSA algorithm here. We have a function taking 3 parameters: C, D and N which is using the “powmod” operator.

    They are using RSA to decrypt the JavaScript locally

    • ‘c’ is known as the cyphertext
    • ‘d’ is known as the secret exponent or decryption exponent
    • ‘n’ is known as the modulus

    In order to get ‘m’ (Message) , the decryption goes like this: m = cd mod n

    RSA is used as an obfuscation technique more frequently than any other, since the private key is available in the JavaScript page. The modulus “N” seems to be 26 bits in length most of the time, which is ridiculously small.

    Here is a screenshot of the parameters taken from the JavaScript:

    Bear in mind that clicking on random links may lead to severe infection of your machine.

New Twitter worm redirects to Fake AV

Your email address will not be published.

 

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox