Tuesday, August 30, 2016

Amazon Gift Card from Kelihos!

Arsh Arora and Max Gannon, malware researchers in our lab at the University of Alabama at Birmingham (UAB), continue their ongoing analysis of the Kelihos botnet.  We call this a "longitudinal malware study."  Today Arsh returns with some interesting observations about the Kelihos botnet as it sends out Amazon Gift Card spam.

Arsh, take it from here.

Amazon Gift Card from Kelihos botnet! Anyone up for a Nymaim banking trojan or CryptoLocker?

Here it is, the Kelihos botnet back with a bang. Today Kelihos is in a festive mood and giving away a free “Amazon Gift Card”, especially for US customers.  Not all American spam recipients received the malware, however: only those whose email address ends in the country code ".us" did.  As you can see in the sample list below, this means that many school employees will have received this spam, since K-12 schools very commonly use .us domain names.

This is the first time it has geo-targeted US customers; on previous occasions it targeted Canadian, German and UK, and Dutch customers. The delivery mechanism is the same: the botnet sends emails containing links to a malicious Microsoft Word document, which in turn downloads a Nullsoft (NSIS) installer and eventually infects you with Nymaim/CryptoLocker.

We can now say with confidence that the operators of the Kelihos botnet are following a deliberate strategy in choosing the targets of their spam campaigns. Essentially, they are trying to win back the industry's attention and reclaim the title of longest-surviving spamming botnet. The botnet's size has recently increased tremendously, and it has been a hot topic in the security industry.

Geo Targeted emails to US based victims
The body of the message contains a link to a malicious Word document:

Subject: Amazon Gift Team just wants to make a present for you

Hi our beloved client!
Our company glad to notify, that our improbable promotion special offer to say thanks to limited number of our buyers.
In this greetings list you can find costless Amazon Gift Card for $65 balance!!! It can be redeemed in our online webstore for any further purchase on Amazon. You can activate promo eGift using this link: hxxp://amazon[.]com[.]yougifted[.]pw/Amazon%20Gift%20Code[dot]doc
Hurry up! This offer have limited time, and limited number of promo vouchers available, that can be activated during promo, so do not forget to obtain your one! 
Huge thanks from Amazon for being a part of our team, we really apreciate that!
You can discover useful information using our FAQ on amazon.com/contact-us or via the phone +180012343212
Amazon Promo Team


The most common email subjects we observed being used in the spam campaign are:
Subject: Amazon Gift Team just wants to make a present for you
Subject: Awesome news! You recieved a gift from Amazon!
Subject: Don't wait, get free voucher! Amazon Promo chosen you!
Subject: Gift from Amazon was just recieved, redeem yours now

The URLs sent in the emails are listed below with the IP address each one resolved to and, where we looked it up, the location from the IP address's WHOIS record:

hxxp://amazon.com.yougifted[.]pw/Amazon%20Gift%20Code[dot]doc - 104[.]168[.]181[.]99 (Oklahoma)
hxxp://amazon.com.youwelcomes[.]pw/Amazon%20Gift%20Code[dot]doc - 104[.]168[.]181[.]99
hxxp://amazon.com.cheappromo[.]pw/Amazon%20Gift%20Code[dot]doc - 149[.]202[.]194[.]178 (Nord-Pas-de-Calais)
hxxp://amazon.com.getforless[.]pw/Amazon%20Gift%20Code[dot]doc - 149[.]202[.]194[.]178
hxxp://amazon.com.giftcardservice[.]pw/Amazon%20Gift%20Code[dot]doc - 198[.]105[.]215[.]36 (Utah)

An interesting observation is that four of the five domains share the same WHOIS registrant information:

Registrant Name: Frank Gilmer
Registrant Organization: Private Person
Registrant Street: 22 Bakinskih komissarov 2k1, 51
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 119571
Registrant Country: RU
Registrant Phone: +7.9681673922
Registrant Email: frankgilmer416@gmail.com

Moving on, the delivery mechanism remains consistent with what we saw on previous occasions.

Document opened in Protected view with a URL link

After downloading the Word document and viewing its content, we see the message above. Interestingly, it contains a URL meant to excite the victim. To receive this “amazing” offer, the user first has to press the “Enable Editing” button.

Enable Content AKA Encrypt Me!

After clicking the 'Enable Editing' button, another prompt asks the user to 'Enable Content' (that is, enable macros), which is really the "ENCRYPT ME" button. The gift card is still unavailable and supposedly can only be retrieved by clicking the URL shown in the document.

Congratulating the user!

This is the first time we have seen this behavior, where the user is also asked to click a URL.  While the user is busy looking for his or her gift code, the ransomware is doing its work in the background. By the time the user realizes a scam is underway, the machine is already encrypted. The threat actors have social-engineered user behavior perfectly in order to maximize the damage to the user.

The URL shown in the document doesn't actually exist at Amazon:

Too late to say Sorry!

When the link is clicked, we get Amazon's 404 page -- an image of a cute dog and the message “Sorry, we couldn’t find that page”. Meanwhile, guess what is happening in the background? By the time you close the browser, your files are encrypted. Unfortunately, we were not able to get our own system encrypted, because the installer checked registry keys for the presence of a virtual environment.

Having failed in my mission, I checked VirusTotal for extra information.

MD5 of the Word document: 2843a3b7805ffc7fd058b9fd744ec836 (VirusTotal result)

As expected, the Word document is only a downloader, but the file it downloads is indeed malicious.

MD5 of the NSIS installer, named 'Sys_Driver': 766169d508d0eee096e07619c2a1416a (VirusTotal results)

VirusTotal results: 10/57, CryptoLocker

When we reviewed the malicious file on VirusTotal, we found contradictory results. On one side, the AV vendors classified it as CryptoLocker; on the other, a user in the comments section identified it as Nymaim.  We believe this is due to targeting, where the same URL may drop different malware depending on the visitor.  Hence, I decided to avoid the discussion of who is right and leave it to the reader's discretion to pick a side.

#Nymaim in the comments section
While CryptoLocker is unlikely - it hasn't been seen in some time - we don't want to contradict the AV vendors until we can execute the malware ourselves.   

For now, my colleague Max Gannon, Malware Analyst at UAB, notes that these samples are extraordinarily VM-aware.  The installer performs the usual registry check for references to virtualization software, but it also checks the display adapters and color settings, which are harder to disguise and less frequently modified by malware analysts.  It checks the local machine language as well as the keyboard layout, which again is not frequently changed.  It checks the clipboard contents and whether the clipboard is linked to a virtual machine.  Lastly, it checks the system for a pre-defined set of programs that it considers indicative of a normal system.  This is a significant increase in the number of checks compared to similar malware families, and it may require additional focus and analysis time.
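To make those five categories concrete, here is a small analyst-side checklist, added for this post, that scores a host profile the way such a dropper would. It is not the dropper's code or UAB's tooling: the hypervisor marker strings, the 32-bit colour-depth threshold and the list of "normal" programs are assumptions about what these checks typically look for (the sample's own lists are not in the post), and the two host profiles are constructed. Run it on a sandbox image to see which of the five checks would give the box away.

```python
"""Sandbox realism checklist for the five categories of VM checks described
above. Added example: analyst-side code, not the dropper's or UAB's. The
marker strings, colour-depth threshold and 'normal programs' list are
assumptions; the sample's own lists are not in the post."""
import sys
from dataclasses import dataclass
from typing import Dict, List

# Substrings that betray common hypervisors (assumed list).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "hyper-v",
              "parallels", "virtual hd", "bochs")
# HKLM keys whose hardware and BIOS strings usually name the hypervisor.
REGISTRY_PATHS = (r"SYSTEM\CurrentControlSet\Services\Disk\Enum",
                  r"HARDWARE\DESCRIPTION\System",
                  r"HARDWARE\DESCRIPTION\System\BIOS")
# Everyday software whose absence makes a host look freshly built (assumed).
NORMAL_PROGRAMS = ("google chrome", "mozilla firefox", "skype",
                   "adobe acrobat reader", "microsoft office", "7-zip")
MIN_NORMAL_PROGRAMS = 3


@dataclass
class HostProfile:
    registry_strings: List[str]    # "key\name=value" strings read from HKLM
    display_adapter: str           # DriverDesc of the display adapter
    color_depth_bits: int          # bits per pixel of the primary display
    os_language: str               # e.g. "en-US"
    keyboard_layouts: List[str]    # installed input languages
    clipboard_text: str            # current clipboard contents
    installed_programs: List[str]  # DisplayName values under ...\Uninstall


def _has_marker(text: str) -> bool:
    t = text.lower()
    return any(m in t for m in VM_MARKERS)


def evaluate(p: HostProfile) -> Dict[str, bool]:
    """Return {check: True} for every check the host FAILS (looks like a VM)."""
    everyday = sum(1 for prog in p.installed_programs
                   if any(n in prog.lower() for n in NORMAL_PROGRAMS))
    return {
        # 1. the classic check: hypervisor names in hardware/BIOS registry values
        "registry": any(_has_marker(s) for s in p.registry_strings),
        # 2. display adapter name and colour depth; 32 bpp is the desktop default,
        #    headless sandboxes often run 16 or 24 (threshold is an assumption)
        "display": _has_marker(p.display_adapter) or p.color_depth_bits < 32,
        # 3. language vs keyboard: a real user's layouts include the OS language
        "language_keyboard": p.os_language not in p.keyboard_layouts,
        # 4. clipboard: empty (nobody has used the box) or shared-clipboard residue
        "clipboard": not p.clipboard_text.strip() or _has_marker(p.clipboard_text),
        # 5. too few everyday programs installed
        "programs": everyday < MIN_NORMAL_PROGRAMS,
    }


def looks_like_vm(p: HostProfile) -> bool:
    """One failed check is enough; that is how a cautious dropper behaves."""
    return any(evaluate(p).values())


def windows_registry_strings(paths=REGISTRY_PATHS) -> List[str]:
    """Read string values under the HKLM keys above into HostProfile form.
    Windows only; returns [] elsewhere so the module also imports on Linux."""
    if sys.platform != "win32":
        return []
    import winreg
    out: List[str] = []
    for path in paths:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    values = data if isinstance(data, list) else [data]
                    out.extend(f"{path}\\{name}={v}" for v in values if isinstance(v, str))
        except OSError:
            continue
    return out


# Constructed profiles: a stock VirtualBox sandbox and a plausible victim PC.
STOCK_SANDBOX = HostProfile(
    registry_strings=[r"SYSTEM\CurrentControlSet\Services\Disk\Enum\0=IDE\DiskVBOX_HARDDISK"],
    display_adapter="VirtualBox Graphics Adapter", color_depth_bits=24,
    os_language="en-US", keyboard_layouts=["en-US"], clipboard_text="",
    installed_programs=["Python 3.8", "Wireshark"])
VICTIM_PC = HostProfile(
    registry_strings=[r"HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer=Dell Inc."],
    display_adapter="Intel(R) HD Graphics 530", color_depth_bits=32,
    os_language="en-US", keyboard_layouts=["en-US"], clipboard_text="Meeting moved to 3pm",
    installed_programs=["Google Chrome", "Skype", "Microsoft Office Professional Plus 2013",
                        "7-Zip 16.02", "Adobe Acrobat Reader DC"])

if __name__ == "__main__":
    for name, prof in (("stock sandbox", STOCK_SANDBOX), ("victim pc", VICTIM_PC)):
        failed = [k for k, v in evaluate(prof).items() if v]
        print(f"{name}: looks_like_vm={looks_like_vm(prof)} failed={failed}")
```

The stock sandbox fails four of the five checks (registry, display, clipboard, programs); only the language/keyboard check passes, because the image happens to match its own locale. Making a box pass the last three is mostly a matter of using it like a person would: install ordinary software, copy something to the clipboard, and run the display at 32 bpp.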

Hopefully this will open the eyes of Amazon and of the individuals who have the authority to take action, and eventually lead to measures that hurt the threat actors. Beware, American friends.

Stay tuned for the latest updates on the Kelihos botnet.

Thursday, August 25, 2016

Roman Seleznev (AKA Track2 / Bulba / Zagreb / smaus) Found Guilty on 38 of 40 Charges

Roman Seleznev has been found guilty on 38 of 40 charges against him by a Seattle-based jury.  Seleznev's case created an international stir when he was arrested while vacationing in the Maldives and arraigned in July 2014 in the US Territory of Guam (as we wrote about at the time; see: "Roman Seleznev (AKA Bulba, AKA Track2, AKA NCUX) appears in US Court in Guam").

According to the DOJ Press release: "Evidence presented at trial demonstrated that the malware would steal the credit card data from the point-of-sale systems and send it to other servers that Seleznev controlled in Russia, the Ukraine or in McLean, Virginia.  Seleznev then bundled the credit card information into groups called “bases” and sold the information on various “carding” websites to buyers who would then use the credit card numbers for fraudulent purchases, according to the trial evidence.  Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses."

Sentencing will be held Dec 2, 2016.

Some of the charges on which he was found guilty include five counts of Bank Fraud, eight counts of Intentional Damage to a Protected Computer, eight counts of Obtaining Information from a Protected Computer, one count of "Possession of Fifteen or More Unauthorized Access Devices" (yes, 1.7 million is more than 15!), two counts of Trafficking in Unauthorized Access Devices, and five counts of Aggravated Identity Theft.

The Seattle Case

While Seleznev was indicted in a RICO racketeering case regarding his role in the Carder.su website, the trial that concluded this week was about his personal hacking and carding campaign, beginning with his attacks against restaurants in Seattle, Washington.

According to the PACER records, on Day 1 of the trial (August 15, 2016) the jurors were empanelled and received instructions, and the government made its opening statement.  On Day 2 the defense made its opening statement, and witnesses were presented including Special Agent in Charge David Iacovetti, Andrei Medvedev, and Detective David Dunn, who also testified on Day 3.  On Day 4, Special Agents John Szydlik, David Mills, and Michael Fischlin testified.  On Day 5, witnesses included Richard Noel, Jason Winship, and Special Agents Keith Wojcieszek and Michael Fischlin. On Day 6 (August 22, 2016), C.J. Saretto, Bob Kerr, Christopher Forsyth, Diane Cole, Joe Angelastri, and Megan Wood testified. On Day 7, witnesses Steven Bussing, Christopher Doyle, and Sidney Fanarof testified.  The defense called a single witness, Eric Blank.

Day 8 of the trial was primarily closing arguments and jury instructions.  The jury returned their verdict on Day 9: Guilty on counts 1-10, 12-19, 21-40.  Not guilty on counts 11 and 20.

The Trial Exhibit List is amazing!  Forensic evidence extracts from many of the restaurants involved, including Schlotzsky's, Broadway Grill, Mad Pizza (5 locations), Casa Mia, Grand Central Baking, Village Pizza, and Red Pepper Pizza.   Screen shots of the "Bulba.cc" and "Track2.name" webpages, including the order screen, and evidence of undercover purchases made in April 2011.  They seized the hard drives from a server hosted at Hop One's data center in Indonesia, and showed the log files for that server, as well as domain registration information for ncux.asia, ncux.tv, bulba.cc, track2.name, 2pac.cc, POSDumps.com, track2.tv, track2vip.tv, and track2.cc.  Many emails showing that accounts controlled by Seleznev were used to transact business related to all of the above were also introduced.  Posts made using the nCuX userid at Carder Planet, Carding World, Dark Market, and Carder.su were shown.  Transaction records, with IP addresses, for Liberty Reserve accounts controlled by Seleznev were also provided.  Seleznev's laptop, iPhone, and iPad and reports of data from those devices were also provided, including a userid and password file (1Back14May.txt) and search histories and chat logs recovered from those devices.  The whole trial exhibits list is 23 pages long!

This screen shot from Bulba.cc was provided by Brian Krebs, in his story "Feds Charge Carding King in Retail Hacks" from July 2014.

The malware C&C location from which the Point of Sale malware was installed was shmak.fvds.ru (located at ).  According to the InfoSec Institute story "Malware based attacks against POS systems", the malware used was BlackPOS, likely purchased from the hacker "Ree[4]", who is believed to be Rinat Shabayev, working on code developed by Sergey Taraspov.  In interviews with Russian media, Shabayev indicated that he modified and distributed the POS malware Картоха (Kaptoxa) used in the Target breach.

While Seleznev is part of the Carders.su case in Las Vegas, the point of the separate trial was to address his use of Point of Sale malware to directly steal credit card data and sell it on websites that he created and controlled.  Just on the bulba.cc and Track2.name websites, between November 15, 2010 and February 22, 2011, Seleznev posted 200,000 credit card numbers and sold 140,000 of them, earning more than $2 million from direct sales.

The rest of the dollar losses came from the forensic accounting that had to follow: given this list of cards, can one demonstrate loss due to fraudulent use of those cards?  For example, from page 10 of the indictment, just the cards stolen at the Broadway Grill -- over 32,000 cards stolen between December 1, 2009 and October 22, 2010 -- caused actual losses of $79,317.00 at the Boeing Employees Credit Union in Seattle alone, and losses of $1,175,217.37 to other banks.

Seattle Detective David Dunn, who we've written about in this blog before (see the Christopher Schroebel case), was the star witness in this case.  It was his forensics work at the Broadway Grill that started the case. By tracking the malware at the Broadway Grill, Dunn was able to look for other Seattle properties that were also communicating with the Command & Control server.  These turned out to include Grand Central Baking Company, four Mad Pizza restaurants, Village Pizza in Anacortes, Washington, and Casa Mia Italian restaurant.   Once Dunn realized the scope of the case, he referred other log file entries to other jurisdictions, working in his capacity as a member of the US Secret Service's Electronic Crimes Task Force.   This led to the discovery of active malware in a Schlotzsky's Deli in Idaho, a jewelry store in Maine, Latitude Bar and Grill in NYC, Grand Canyon Theatre in Arizona, the Phoenix Zoo, Mary's Pizza Shack in Sonoma, California, and multiple locations in Evanston and Chicago, Illinois.

To make their case, the detectives, Special Agents, and prosecutors then had to compile all of those stolen cards and work with the financial institutions where the cards came from in order to figure out how many dollars in fraud were generated.  That's the process by which they demonstrated 3,700 financial institutions had lost more than $169 million in fraudulent charges based on the cards that Seleznev had stolen alone!

Operation Open Market

In addition to running his own exclusive carding sites as shown in the Seattle case, Seleznev was also a major player in a larger carding market known as Carders.su.   (SU is the country code for Soviet Union).  Operation Open Market is the Las Vegas case where many criminals have already been sentenced for their role in the carders.su website.  That case focused on Cameron Harrison, aka Kilobit, and 55 co-defendants, including Seleznev.  The investigation began back in March 2007 when an alert manager of a Whole Foods recognized Justin Todd Moss as someone who had used fake ID to steal from his store.  Moss turned out to be "Celtic", a seller of online ids.  Secret Service agent Mike Adams assumed Moss's online persona, and began selling counterfeit identifications to several of the people who have now found themselves in prison because of this investigation.  WIRED magazine's Kevin Poulsen has a great write-up on that aspect of the case.  (See: "The Secret Service Agent Who Collared Cybercrooks By Selling Them Fake IDs"). 

In total, at least 33 of the 56 indicted criminals have already been sentenced, although several, including at least two of the leaders, are still at large with rewards pending for their arrest.  Want to make some money?

Konstantin Lopatin, aka Graf, DOB 09/11/1982, Russian.  $1 Million reward:

Roman Olegovich Zolotarev, aka Admin, aka DJ Goren, DOB: 10/20/1985. $2 Million reward

The case was broken down into several trials. Case No: 2:12-CR-004 was specifically focused on the Carder.su activities:

Harrison, aka Kilobit, was a 28-year-old hacker from Augusta, Georgia, who was sentenced to 115 months in prison for his part in causing $50 million in online identity theft losses.  When he was arrested he was found to be in possession of 260 compromised credit and debit card numbers.  Seleznev possessed 1.7 million cards.

Alexander Kostyukov, aka Temp, aka KLBS, 29, of Miami - sentenced to 9 years on December 9, 2015

Jermaine Smith, aka SirCharlie57, aka Fairbusinessman, 34, of New Jersey - sentenced to 150 months on April 9, 2015

Makyl Haggerty, aka Wave, aka G5, 24, of Oakland, California - sentenced to 100 months on August 22, 2014

Michael Lofton, aka Killit aka Lofeazy, 36, of Las Vegas - sentenced to 24 months May 28, 2014 and 63 months on May 22, 2014 - he committed additional crimes while awaiting sentencing on the first case!

David Ray Camez, aka Bad Man, aka doctorsex, 22 years old - sentenced to 20 years in prison on May 15, 2014.

Case No. 2:12-CR-083 also concerned Stolen Identity Refund Fraud against the IRS, but all of these defendants were also members of carder.su:

Jason Maclaskey, aka Shinnerbock, aka That Guy, of Spring, Texas - sentenced to 10 years + 3 years supervised release on July 27, 2015.   Sentenced at the same time as Jason were Omar and Heather:

Omar Butt, aka Fear, of Brooklyn, New York - sentenced to 40 months on July 27, 2015.

Heather Dale, 25, of Grant, Alabama - sentenced to 24 months.

Billy Steffey, aka Oink Oink, aka FredFlintstone, aka Yomamma,

Case No. 2:12-CR-084 included Thomas Lamb, Jonathan Vergnetti, Roger Grodesky, and John Holsheimer.

As more links to sentencing documents are found, we'll update this page.  In the meantime, to see which charges were brought against which vendors, please see "Operation Open Market: The Vendors"

Tuesday, August 16, 2016

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:

French Desjardins phishing email (left) and its Google Translate rendering (right)
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins ("Renewal of your Desjardins account")
Subject:  Solutions en ligne Desjardins ("Desjardins online solutions")
Subject:  Veuillez regulariser votre compte Acces ("Please regularize your Acces account")
Subject:  Desjardins Reactivation ("Desjardins Reactivation")
Subject:  Reactivation de votre compte AccesD ("Reactivation of your AccesD account")

Each of these URLs is currently resolving to the IP address


Here is a pictorial walk-through of the phishing website:

We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:

After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:

And lastly, the phishers try to get any and all additional information they can!

Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!

Beware, Canadian friends!   And let us hope that our shared victimization increases our mutual law enforcement agencies' desire to stop this botnet!

Friday, August 12, 2016

Kelihos botnet sending Panda Zeus to German and UK Banking Customers

On August 11th and 12th the Kelihos botnet was observed sending malware again.  Unlike the ransomware we have seen it send recently (see Kelihos spamming American Airlines Ransomware and Kelihos spamming Dutch Wildfire Ransomware), this time it is sending links to a Word document that drops a variant of Zeus.

One interesting observation about the spam is that it is "geo-targeting" based on the ccTLD of the email recipient.  Max Gannon, a UAB malware researcher in our lab, has modified his copy of Wireshark with a couple of handy extra columns, "imf.to", "imf.from" and "imf.subject", taken from Wireshark's Internet Message Format dissector.

Now we can do a filter in Wireshark like this:

Filter:  imf.to contains .co.uk

which reveals only the subject lines that were sent to people in the UK!
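The same pivot can be done outside Wireshark once the messages are on disk. The example below, added for this post (it is not Max's Wireshark configuration or anything from Kelihos), parses raw messages with Python's email library, decodes the subjects, and groups them by the recipient's registry-level TLD; it also reproduces the `imf.to contains` filter literally. Note that it takes the last label only, so a `.co.uk` address is counted under `uk` and a `k12.*.us` school address under `us`, which is the grouping the geo-targeting described in this and the earlier posts is based on. The five messages are constructed to resemble the runs described here; they are not captured spam.

```python
"""Pivot spam subjects on the recipient's ccTLD, the same analysis the
imf.to / imf.subject Wireshark columns above make possible. Added example
for this post, not Max Gannon's Wireshark setup or Kelihos code. The
messages below are constructed, not captured spam."""
from collections import defaultdict
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses
from typing import Dict, Iterable, List

# Constructed samples (addresses and bodies are invented).
SAMPLE_MESSAGES = [
    "From: promo@example.net\nTo: teacher@k12.example.us\n"
    "Subject: Amazon Gift Team just wants to make a present for you\n\nbody\n",
    "From: promo@example.net\nTo: alice@example.co.uk\n"
    "Subject: HSBC Personal Banking\n\nbody\n",
    "From: promo@example.net\nTo: bob@example.co.uk, carol@example.org.uk\n"
    "Subject: Barclays Personal Banking\n\nbody\n",
    "From: promo@example.net\nTo: dieter@example.de\n"
    "Subject: =?UTF-8?Q?Bitte_beachten_Sie_in_ihre_Postbank_konto?=\n\nbody\n",
    "From: promo@example.net\nTo: someone@example.com\n"
    "Subject: Achieve pure fun\n\nbody\n",
]


def decoded_subject(msg) -> str:
    """Return the Subject with any RFC 2047 encoded-words decoded."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def recipient_domains(msg) -> List[str]:
    """Lower-cased domain part of every To/Cc address."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr]


def cctld(domain: str) -> str:
    """The registry-level TLD is the last label: example.co.uk -> 'uk',
    school.k12.ca.us -> 'us'. Second-level registries such as co.uk are
    deliberately not treated as the TLD."""
    return domain.rsplit(".", 1)[-1]


def subjects_by_tld(raw_messages: Iterable[str]) -> Dict[str, List[str]]:
    """Map each recipient TLD to the sorted, de-duplicated subjects it received."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        subj = decoded_subject(msg)
        for dom in recipient_domains(msg):
            groups[cctld(dom)].add(subj)
    return {tld: sorted(s) for tld, s in groups.items()}


def filter_to_contains(raw_messages: Iterable[str], needle: str) -> List[str]:
    """Equivalent of the Wireshark display filter `imf.to contains "<needle>"`:
    subjects of messages whose raw To header contains the substring."""
    hits = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if needle in "".join(msg.get_all("To", [])):
            hits.add(decoded_subject(msg))
    return sorted(hits)


if __name__ == "__main__":
    for tld, subjects in sorted(subjects_by_tld(SAMPLE_MESSAGES).items()):
        print(f".{tld}: {subjects}")
    print("imf.to contains .co.uk ->", filter_to_contains(SAMPLE_MESSAGES, ".co.uk"))
```

Grouping by the last label rather than by `.co.uk` matters in practice: the UK run above also went to `.org.uk` and `.ac.uk` style addresses, which a `contains .co.uk` filter would silently drop.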

The subjects in this run for .co.uk people were:

Subject: Barclays Personal Banking
Subject: Detected suspicious transaction on your account
Subject: HSBC Personal Banking
Subject: Incomplete transaction
Subject: Locked transaction

(There was also one "The truth about male power" but that's just a counterfeit pharmaceutical website, which is the main thing Kelihos spams when it is not on a special mission!)

Here's an example of the Barclays spam:

And an example of the HSBC spam:

The .de recipients also got a special German invitation to be infected (rough translations in parentheses; the German is as broken as it looks):

Subject: Bitte beachten Sie in ihre Postbank konto ("Please take note in your Postbank account")
Subject: Geehrter Kunde ("Dear Customer")
Subject: Info von ihre Bank ("Info from your bank")
Subject: Inkasso von Anton Weber ("Debt collection from Anton Weber")
Subject: Mahnung abhleichen ("Reconcile reminder")
Subject: Postbank AG
Subject: Postbank info abteilung ("Postbank info department")
Subject: Rechnung bei Postbank AG ("Invoice at Postbank AG")
Subject: Rechtsanwalt T. Hoffman ("Attorney T. Hoffman")
Subject: Von Ihre Bank ("From your bank")
Subject: Von Postbank ("From Postbank")
Subject: Weitere Mahnung erfolgt in Ihre bank ("Further reminder follows in your bank")
Subject: Wir erwarten die Zahlung ("We await payment")

(And they also got a few pill-spam subjects, "Win your female partner's addiction", etc.)

Here's one of the Postbank samples:

The malicious Word document linked in each of these emails was served from several sites, including:

 www dot 1800cloud dot com / infos / report dot doc
 guestlistalamode.com / bank / report dot doc

VirusTotal hint leads to . . . ZEUS!

A very curious thing when we looked at the file on VirusTotal is that there is an "EXIF comments" section containing a goodly blob of characters that looked ASCII-range to me ... so ...

when decoded by an awesome tool former UAB MS/CFSM student Vicki Carleton built for me 8-) ...

becomes a URL!

and THAT ... is Zeus! (with an 8 of 55 detection rate at VirusTotal as of this writing...)
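An "ASCII-range" blob of this kind is usually one of a handful of text-safe encodings, and it costs nothing to try them all and keep whichever decoding contains a URL. The example below does exactly that; it is added for this post and is not Vicki Carleton's tool. The post does not say which encoding the sample used, so the three schemes tried (space-separated decimal byte values, hex, strict base64) are assumptions, and the blobs it runs on are constructed from a URL on the reserved .invalid TLD, not the real comment.

```python
"""Try the obvious text-safe encodings on an "ASCII-range" blob, such as
the EXIF comment above, and keep any decoding that contains a URL. Added
example for this post, not Vicki Carleton's tool: the encodings tried are
assumptions about what such a blob might be, and the blobs are constructed."""
import base64
import binascii
import re
from typing import Callable, Dict

URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./%\-]*)?", re.IGNORECASE)

_EXAMPLE_URL = b"http://drop.example.invalid/panda.exe"
# Constructed blobs, one per scheme, built from the URL above.
CONSTRUCTED_DECIMAL_BLOB = " ".join(str(b) for b in _EXAMPLE_URL)
CONSTRUCTED_HEX_BLOB = _EXAMPLE_URL.hex()
CONSTRUCTED_B64_BLOB = base64.b64encode(_EXAMPLE_URL).decode("ascii")


def from_decimal_codes(blob: str) -> bytes:
    """'104 116 116 112 ...' -> b'http...'; any separator between numbers works."""
    nums = [int(n) for n in re.findall(r"\d{1,3}", blob)]
    if not nums or any(n > 255 for n in nums):
        raise ValueError("not a sequence of byte values")
    return bytes(nums)


def from_hex(blob: str) -> bytes:
    """'68747470...' -> b'http...'; tolerates spaces, colons and commas."""
    return binascii.unhexlify(re.sub(r"[\s:,]", "", blob))


def from_base64(blob: str) -> bytes:
    """Strict base64 so that random text is rejected rather than mangled."""
    return base64.b64decode(re.sub(r"\s", "", blob), validate=True)


DECODERS: Dict[str, Callable[[str], bytes]] = {
    "decimal": from_decimal_codes,
    "hex": from_hex,
    "base64": from_base64,
}


def candidate_urls(blob: str) -> Dict[str, str]:
    """Run every decoder over the blob; return {scheme: url} for each decoding
    that yields something URL-shaped. Decoders that reject the input are skipped."""
    found = {}
    for name, decode in DECODERS.items():
        try:
            data = decode(blob)
        except (ValueError, binascii.Error):  # binascii.Error is a ValueError subclass
            continue
        match = URL_RE.search(data)
        if match:
            found[name] = match.group(0).decode("ascii", "replace")
    return found


if __name__ == "__main__":
    for blob in (CONSTRUCTED_DECIMAL_BLOB, CONSTRUCTED_HEX_BLOB, CONSTRUCTED_B64_BLOB):
        print(candidate_urls(blob))
```

Only one scheme survives for each blob because the others either reject the input outright (decimal values above 255, non-hex characters, bad base64 length) or decode it into bytes that contain nothing URL-shaped. Anything this recovers is an indicator to defang and check against passive DNS, not something to browse to.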

The Zeus file, when executed, creates a .bat file which deletes itself after running . . . and then my analysis stops, because it is 5:00 PM and I'm hungry . . .

The rest, as we say in Academia, is left as an exercise for the reader . . .

We'll let others dig into the actual Zeus malware that is dropped next, but for now, we have it on good authority that this is the "Panda Zeus" malware, discovered by Fox-IT back in April and blogged about more recently by Arbor Networks and IBM Security Intelligence.

The other Kelihos spam?

100% of the ".com", ".net" and ".pl" addresses got pill spam:
Subject: Achieve pure fun
Subject: Ancient secret of immeasurable nights of happiness
Subject: Are you ready to amaze your woman this night?
Subject: Big dignity will please your lady
(ok, i'll stop ...)

The only other geo-targeted spam was in Italian and aimed only at ".it" email addresses. It appeared to be a romance scam invitation.   (lyudmilafedoji@gmail.com wants me, and a few million other people, to "scrivere" ("write") to her "su un personal mail" ("on a personal email").)

Lyudmilafedoji had her own set of subject lines (rough translations in parentheses; the Italian is machine-grade):
Al di mare grande, si sei ora? ("By the big sea, are you now?")
Avete tuo piani per stasera? ("Do you have plans for tonight?")
Buon Pomeriggio, come stai? ("Good afternoon, how are you?")
Buona sera, siamo a conoscenza. ("Good evening, we are acquainted.")
Ciao, come ti nome? ("Hi, what's your name?")
Ciao, scrivimi me. ("Hi, write to me.")
Ciaooo, io ti conosco! ("Hiii, I know you!")
Forse tu sei tu persona che sara felice ("Maybe you are the person who will be happy")
Hi, come stai? ("Hi, how are you?")
Io voglio il vero amore! ("I want true love!")
Io voglio incontrarmi con tuo. ("I want to meet with you.")
and many more . . .
(So for my Italian readers, beware!  She's interested in EVERYONE!)