Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Targeted e-mail attacks asking to verify wire transfer details

Published: 2009-06-04
Last Updated: 2009-06-04 23:07:51 UTC
by Raul Siles (Version: 2)
1 comment(s)

There is a new e-mail wave doing the rounds (we have reports from June 3 & 4). It is a very targeted e-mail attack against different organizations, that contains an attached malware specimen in the form of a RTF file, called "details.rtf". The mail asks the victim to verify a wire transfer, being the malicious attachment the alleged wire statement.

In some of the cases, the victims are indeed financial personel within the target organization in charge of daily wire transfers. Time to spread an internal awareness campaign in your financial departments!

The current AV detection rate is low (according to VirusTotal) for the samples we have received:

  • 7/39 - SHA1  : 0f7288043f556542744fd2c87511ff002b5d5379
  • 4/39 - SHA1  : e248fd659415f15d1238063efd1f122f91ac071c

The spare phishing e-mail looks like this:

--
From: Kenneth Duford [mailto:ken.duford@<VARIOUS-DOMAINS>]
Sent: Wednesday, June 0X, 2009 XX:XX PM
To: <VICTIM E-MAIL>
Subject: Re:Please verify wire details
<VICTIM NAME>

The wire transfer has been released.

BENEFICIARY : <VICTIM NAME>
ABA ROUTING# : XXXX1197
ACCOUNT# : XXX-XXX-XXX394
AMMOUNT : $17,653.15

<TARGETED VICTIM COMPANY NAME>

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Kenneth Duford

--- On Sun, 02/06/09, <VICTIM NAME> <VICTIM E-MAIL> wrote:

From: <VICTIM NAME> <VICTIM E-MAIL>
Subject: wire transfer
To: ken.duford@<VARIOUS-DOMAINS>
Date: Mon, 1 June 2009, 10:47 AM


We still haven't received the wire transfer.
Thank you
<VICTIM NAME>

--

Some of the domains we have seen in the "From" field are pinnaclerestaurantcorp.com and teoinc.com.

An early analysis thanks to fellow handlers Pedro and Daniel confirms the details above. Additionally, the exe (or .scr) component is trying to connec to "abfforms.com", with this specific URL: "/bluehost/index.php?open=myid". Currently the site is suspended.

Thanks to the ISC readers (that want to remain anonymous) for the initial details and samples.

--
Raul Siles
www.raulsiles.com

1 comment(s)

Malware targetting banks ATM's

Published: 2009-06-04
Last Updated: 2009-06-04 11:13:34 UTC
by Raul Siles (Version: 2)
3 comment(s)

Interesting recent article (June 2009), thanks Martin, about evolving malware specimens targeting and compromissing bank ATM (Automated Teller Machines) devices in Eastern Europe. It complements a previous similar article (March 2009, original post) . Additional  technical details are available here (PDF file).

The most interesting sections are its advanced ATM specific capabilities (hey, the ATM has a printer, so let's use it), the backdoor management interface (with different privilege levels), the option to force the machine to dispense all its cash, and that it works against ATM's from multiple vendors (although all ATM's were Windows XP based).

The main point is, really, how did the ATM's get infected in the first place? Physical access is mentioned (insider threat?), but I wonder: Would we see this kind of malware silently spreading through the banks private financial networks?

Do you trust your bank ATM's?

--
Raul Siles
www.raulsiles.com

Keywords: ATM malware
3 comment(s)

New version (v 1.4.3.1) of BASE available

Published: 2009-06-04
Last Updated: 2009-06-04 00:17:10 UTC
by Raul Siles (Version: 1)
2 comment(s)

A new version of BASE (v.1.4.3.1) has been released, fixing a number of XSS flaws as well as a potential SQL injection flaw that have existed through numerous releases of BASE. BASE is a web-based interface to perform analysis of network intrusion data gathered by Snort.  You can download the latest version here.

As these vulnerabilities were publicly announced previously on the Internet, without prior notification to Kevin Johnson (main BASE author) or the BASE project team, I want to emphasize how important responsible full disclosure is. Specially for open-source projects, where the authors devote their time to make the project freely available for everybody, it is fair to let them know first and give them a reasonable time to fix the vulnerability. In this case, only a few days (in particular 6 days) after the announcement a new version was ready. Not bad in my opinion.

Additionally, these flaws can be exploited being authenticated or not, depending on your BASE set up.  Still today, lot of people do not require authentication to use BASE, which is a mistake. If it is your case, please, act as soon as possible!

Finally, as we have seen in the past a few times, do not expose your BASE web interface to the whole Internet. Keep it private within a protected management network.

--
Raul Siles
www.raulsiles.com

Keywords: BASE
2 comment(s)
Diary Archives