Deep Dive on the DragonOK Rambo Backdoor

 

Summary:

MiKey – A Linux keylogger

 

Linux malware is slowly becoming more popular.  Within the past couple of years there were several major incidents that cited the use of Windows backdoors being ported to Linux.  Through our research on the Windows KLRD keylogger from the

KLRD Keylogger

 

Symantec released a report in the beginning of October that talks about Odinaff, which is a new piece of malware used in campaigns targeting financial institutions.  In the report, Symantec posts several of the auxiliary tools used in the campaign and many of the associated droppers.  Morphick Intelligence Analysts wanted to take a closer look at some of these binaries and post some analysis so that network defenders can better understand how these tools work.

How deep of analysis can a SOC analyst actually provide?

 

How accurate of a story can an analyst present without having everything in front of them? (In this case, everything being a completely reverse engineered piece of malware along with supporting network traffic.)

ScanPOS, new POS malware being distributed by Kronos

 

Just in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered. 

Morphick responded to a Kronos phishing campaign that involved a document with a malicious macro that downloaded the Kronos banking malware.  When running, the Kronos payload will download several other pieces of malware, but the one that caught our eye is a new credit card dumper with very low detection.  Morphick is tracking this malware under the name ScanPOS due to the build string present in the malware.

Hundter’s Keylogger

 

Tying malware back to its earlier versions gives us the ability to look at more rudimentary versions of the code. The versions where the malware writer was just trying to see if all their tricks worked before doing their best to hide them. We came across a small keylogger that was missed by over 90% of anti-virus engines (5/56 on virustotal).  What caught our eye most was that this sample still had a lot of debugging output and hardcoded values in it, which led us to believe that it’s an early version of what might turn out to be a fully fledged keylogger.  

Incident Response is a Team Sport

 

Responding to and recovering from a cyber security incident is often one of the most challenging events an organization will face.  The challenge is often exacerbated by immense pressure to eliminate the threat, possible production downtime, and generally a large degree of unknown factors.

Morphick is often engaged during incidents where our purpose is simply to guide the process rather than independently complete the process. While counterintuitive, our primary task during professional services can be akin to air traffic control. 

Monster in your Pocket. Simple ways to secure your mobile devices.

 

The mobile device sector has become a target rich environment, and attackers favor the path of least resistance. As corporate networks lock down, threat actors will adapt and look for creative ways to find a successful vector. The numbers show that this is already the case:

Malware aimed at Android smartphones alone has grown 76% over the last year (Source, source)

A Closer Look at Hancitor

 

Hancitor is a popular dropper used in phishing campaigns.  It’s often associated with dropping Vawtrak and Pony.

True Positive False Positive

 

False positives are an everyday occurrence for analysts. To an analyst, a false positive, while sometimes time consuming, offers an opportunity to have a rule tuned or removed in order to save valuable analysis time. However, what happens when a signature hits correctly as it should, though the customer is not at risk? It’s a “true positive false positive”.  At Morphick, we call these Benign True Positives.