WannaCry Ransomware: UPDATE

Update Published: Thursday, May 18, 2017

In Short

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because the prime numbers may be overwritten in memory after a while. More details are available from the author.

Update Published: Tuesday, May 16, 2017 5:04PM IST

How it all started

During the first week of February 2017, a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.

The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol that could allow a remote, unauthenticated attacker to crash systems with denial of service attack, which would then open them to more possible attacks.

According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but Microsoft has not yet confirmed this.

“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”

Current Day Scenario

WannaCry Ransomware: 22-year-old ‘accidentally’ stops attacks, warns against more to come. WannaCry ransomware has affected more than 200,000 victims in 150 countries, which also includes India.

Very recently, a 22-year-old came in as a blessing in disguise when he accidentally put a halt to a vast number of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29 (Rs 700 approximately). WannaCry ransomware essentially locks a user out of their computer and demands a ransom paid in BitCoin to return control. The young analyst, whose identity is still concealed, tweets by the name of MalwareTech on Twitter, and works for a security firm called Kryptos Logic. He admitted that he had not realized that buying the domain name would have this fortunate effect.

I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

— MalwareTech (@MalwareTechBlog) May 13, 2017

How he basically disabled the ransomware attack

The domain name he purchased is believed to have been written into the software by the hackers to act as a kill switch. Each time the program tried to infect a computer, it would first try to contact that web page; if the request failed, WannaCry would carry on with the attack, but if it succeeded it would stop.

In an interview with the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code. He saw that the domain wasn’t registered and thought of purchasing it. After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second.” He said that this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident.” However, he warned that despite this accidental save, people need to remain cautious, because the hackers could simply alter the program to carry on making attacks again. “If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

The WannaCry ransomware spreads by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March, but computers and networks that did not update their systems remained at risk. Russia and Britain were among the countries worst hit by the attack. The programme takes control of a user’s system and brings up a message telling users they can recover their files only if they send $300 (now believed to have increased to $600) in bitcoins to a specific address.

So far, the criminals behind WannaCry have received nearly 100 payments from victims, totalling 15 Bitcoins (about USD $26,090).

Reported incidents from India
  • Till now, the global cyber-attack has affected more than 200,000 victims in 150 countries, which also includes India
  • Four computers of two village panchayats in Kerala were hit, at the Thariyode panchayat office in the hilly district of Wayanad
  • A section of computers of Andhra Pradesh’s police departments were affected too
  • Computers in 18 police units in Chittoor, Krishna, Guntur, Visakhapatnam and Srikakulam districts were affected

What should you do to be safe?
  • Keeping a backup is the safest and most effective way to deal with the threat
  • India’s Computer Emergency Response Team (CERT-In) has advised users to back up all their essential files offline, on a hard disk or pen drive
  • Individual users as well as organisations have been asked to apply the patches to their Windows system(s) described in Microsoft Bulletin MS17-010, which is marked critical
  • Don’t open e-mails or links in e-mails, even from people in your contact list. E-mail has proven to be an effective carrier in the case of the ‘WannaCry’ ransomware
  • Avoid downloading from websites that are not trustworthy, and avoid attachments from unsolicited e-mails
  • Update the antivirus on all your systems and download Microsoft’s latest software patches. For unsupported Windows versions such as XP, Vista etc., the necessary patch can be downloaded from this link: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  • While browsing, steer clear of unsafe websites and employ essential filters in your browser
  • Use the security tools on the IT ministry website for higher safety

What can be done if you are a victim of the ransomware cyber attack?
  • Though there is no way out, there are a few loopholes one could use to either minimise the damage or stop it from spreading. According to CERT-In, the user should immediately disconnect the affected system to stop the infection from spreading.
  • Since the encryption does not happen instantly, the user should immediately try to back up the essential files as soon as possible. This will help minimise the damage.
  • According to CERT-In, victims of the ransomware are advised not to pay the ransom, as there is no guarantee that the files will be returned. Instead, report any such case to CERT-In at Incident@cert.org.in and to other law enforcement agencies.

WannaCry Ransomware Analysis

What has happened?

On May 12, 2017 a new variant of the Ransom.CryptXXX family of ransomware (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organizations, particularly in Europe.

What is the WannaCry ransomware?

WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made within seven days, the encrypted files will be deleted.

Figure 1 Ransom demand screen displayed by WannaCry Trojan

It also drops a file named !Please Read Me!.txt which contains the ransom note.

Figure 2 Ransom demand note from WannaCry Trojan

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

  • .123; .3dm; .3ds; .3g2; .3gp; .602; .7z; .ARC; .PAQ; .accdb; .aes; .ai; .asc; .asf; .asm; .asp; .avi; .backup; .bak; .bat; .bmp; .brd; .bz2; .cgm; .class; .cmd; .cpp; .crt; .cs; .csr; .csv; .db; .dbf; .dch; .der; .dif; .dip; .djvu; .doc; .docb; .docm; .docx; .dot; .dotm; .dotx; .dwg; .edb; .eml; .fla; .flv; .frm; .gif; .gpg; .gz; .hwp; .ibd; .iso; .jar; .java; .jpeg; .jpg; .js; .jsp; .key; .lay; .lay6; .ldf; .m3u; .m4u; .max; .mdb; .mdf; .mid; .mkv; .mml; .mov; .mp3; .mp4; .mpeg; .mpg; .msg; .myd; .myi; .nef; .odb; .odg; .odp; .ods; .odt; .onetoc2; .ost; .otg; .otp; .ots; .ott; .p12; .pas; .pdf; .pem; .pfx; .php; .pl; .png; .pot; .potm; .potx; .ppam; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps1; .psd; .pst; .rar; .raw; .rb; .rtf; .sch; .sh; .sldm; .sldx; .slk; .sln; .snt; .sql; .sqlite3; .sqlitedb; .stc; .std; .sti; .stw; .suo; .svg; .swf; .sxc; .sxd; .sxi; .sxm; .sxw; .tar; .tbk; .tgz; .tif; .tiff; .txt; .uop; .uot; .vb; .vbs; .vcd; .vdi; .vmdk; .vmx; .vob; .vsd; .vsdx; .wav; .wb2; .wk1; .wks; .wma; .wmv; .xlc; .xlm; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xlw; .zip

Figure 3 How Ransomware Works

It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows (MS17-010).

Who is impacted?

A number of organizations globally have been affected, the majority of which are in Europe and China.

Is this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Am I protected against this threat?

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are protected against WannaCry using a combination of technologies.

Antivirus

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

  • 20170512.009

SONAR protection

Network based protection

Symantec also has the following IPS protection in place which has proven highly effective in proactively blocking attempts to exploit the MS17-010 vulnerability:

The following IPS signature also blocks activity related to Ransom.Wannacry:

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.

Can I recover the encrypted files?

Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Additional indicators and technical information about Ransom.Wannacry

When the Trojan is executed, it drops the following files:

  • [PATH_TO_TROJAN]\!WannaDecryptor!.exe
  • [PATH_TO_TROJAN]\c.wry
  • [PATH_TO_TROJAN]\f.wry
  • [PATH_TO_TROJAN]\m.wry
  • [PATH_TO_TROJAN]\r.wry
  • [PATH_TO_TROJAN]\t.wry
  • [PATH_TO_TROJAN]\u.wry
  • [PATH_TO_TROJAN]\TaskHost
  • [PATH_TO_TROJAN]\00000000.eky
  • [PATH_TO_TROJAN]\00000000.pky
  • [PATH_TO_TROJAN]\00000000.res
  • %Temp%\0.WCRYT
  • %Temp%\1.WCRYT
  • %Temp%\2.WCRYT
  • %Temp%\3.WCRYT
  • %Temp%\4.WCRYT
  • %Temp%\5.WCRYT
  • %Temp%\hibsys.WCRYT

Note: [PATH_TO_TROJAN] is the path where the Trojan was originally executed.

The Trojan then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update Task Scheduler" = ""[PATH_TO_TROJAN]\[TROJAN_EXE_NAME]" /r"
  • HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_TROJAN]"

The Trojan also sets the following registry entry:

  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop\!WannaCryptor!.bmp"

The Trojan creates the following mutexes:

  • Global\WINDOWS_TASKOSHT_MUTEX0
  • Global\WINDOWS_TASKCST_MUTEX

The Trojan then terminates the following processes using taskkill /f /im:

  • sqlwriter.exe
  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*

It then searches for and encrypts files with the following extensions:

  • .123; .3dm; .3ds; .3g2; .3gp; .602; .7z; .ARC; .PAQ; .accdb; .aes; .ai; .asc; .asf; .asm; .asp; .avi; .backup; .bak; .bat; .bmp; .brd; .bz2; .cgm; .class; .cmd; .cpp; .crt; .cs; .csr; .csv; .db; .dbf; .dch; .der; .dif; .dip; .djvu; .doc; .docb; .docm; .docx; .dot; .dotm; .dotx; .dwg; .edb; .eml; .fla; .flv; .frm; .gif; .gpg; .gz; .hwp; .ibd; .iso; .jar; .java; .jpeg; .jpg; .js; .jsp; .key; .lay; .lay6; .ldf; .m3u; .m4u; .max; .mdb; .mdf; .mid; .mkv; .mml; .mov; .mp3; .mp4; .mpeg; .mpg; .msg; .myd; .myi; .nef; .odb; .odg; .odp; .ods; .odt; .onetoc2; .ost; .otg; .otp; .ots; .ott; .p12; .pas; .pdf; .pem; .pfx; .php; .pl; .png; .pot; .potm; .potx; .ppam; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps1; .psd; .pst; .rar; .raw; .rb; .rtf; .sch; .sh; .sldm; .sldx; .slk; .sln; .snt; .sql; .sqlite3; .sqlitedb; .stc; .std; .sti; .stw; .suo; .svg; .swf; .sxc; .sxd; .sxi; .sxm; .sxw; .tar; .tbk; .tgz; .tif; .tiff; .txt; .uop; .uot; .vb; .vbs; .vcd; .vdi; .vmdk; .vmx; .vob; .vsd; .vsdx; .wav; .wb2; .wk1; .wks; .wma; .wmv; .xlc; .xlm; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xlw; .zip

Encrypted files will have .WCRY appended to the end of the file names.

The Trojan then deletes the shadow copies of the encrypted files.

The Trojan drops the following files in every folder where files are encrypted:

  • !WannaDecryptor!.exe.lnk
  • !Please Read Me!.txt

The contents of !Please Read Me!.txt are a text version of the ransom note with details of how to pay the ransom.

The Trojan downloads Tor and uses it to connect to a server using the Tor network.

It then displays a ransom note explaining to the user what has happened and how to pay the ransom.
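As an added example (not code from the page or from Symantec), the following Python triage helper uses the indicators just described (the .WCRY suffix, the ransom note and the decryptor shortcut dropped per folder) to map how far an infection got on a copied volume; the sample tree it builds is constructed for the demo, not taken from a real infection.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the page: encrypted files gain a .WCRY suffix and each
# affected folder receives the ransom note and the decryptor shortcut.
ENCRYPTED_SUFFIX = ".WCRY"
RANSOM_NOTES = {"!Please Read Me!.txt", "@Please_Read_Me@.txt"}
DECRYPTOR_LINKS = {"!WannaDecryptor!.exe.lnk", "@WanaDecryptor@.exe.lnk"}


def triage_tree(root):
    """Walk a mounted (read-only) copy of a suspect volume and summarise what
    was encrypted: total .WCRY files, a breakdown by original extension, which
    folders received the note or shortcut, and folders that got a note but no
    encrypted files (a sign the malware was interrupted there)."""
    by_extension = Counter()
    folders_with_note = set()
    folders_with_link = set()
    encrypted_folders = set()
    encrypted = 0
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name in RANSOM_NOTES:
                folders_with_note.add(rel)
            elif name in DECRYPTOR_LINKS:
                folders_with_link.add(rel)
            elif name.upper().endswith(ENCRYPTED_SUFFIX):
                encrypted += 1
                encrypted_folders.add(rel)
                # Strip ".WCRY" to recover the original name, then its extension.
                original = name[:-len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_extension[ext] += 1
    return {
        "encrypted_files": encrypted,
        "by_extension": dict(by_extension),
        "folders_with_note": sorted(folders_with_note),
        "folders_with_link": sorted(folders_with_link),
        "notes_without_encryption": sorted(folders_with_note - encrypted_folders),
    }


def _touch(folder, name):
    """Create a one-byte placeholder file (constructed sample data)."""
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(b"x")


def demo():
    """Build a constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        pics = os.path.join(root, "Pictures")
        videos = os.path.join(root, "Videos")
        music = os.path.join(root, "Music")
        for folder in (docs, pics, videos, music):
            os.makedirs(folder)
        for name in ("report.docx.WCRY", "budget.xlsx.WCRY",
                     "!Please Read Me!.txt", "!WannaDecryptor!.exe.lnk"):
            _touch(docs, name)
        for name in ("holiday.jpg.WCRY", "!Please Read Me!.txt"):
            _touch(pics, name)
        _touch(videos, "!Please Read Me!.txt")  # note dropped, nothing encrypted
        _touch(music, "song.mp3")  # untouched folder, nothing reported
        return triage_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```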

Indicators of compromise

Hashes


IP Addresses


Domains

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (sinkholed)
  • Rphjmrpwmfv6v2e[dot]onion
  • Gx7ekbenv2riucmf[dot]onion
  • 57g7spgrzlojinas[dot]onion
  • xxlvbrloxvriy2c5[dot]onion
  • 76jdd2ir2embyv47[dot]onion
  • cwwnhwhlz52maqm7[dot]onion

Filenames

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • .bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • .pky
  • .eky
  • .res
  • C:\WINDOWS\system32\taskdl.exe

Bitcoin Wallets

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other SNORT rules from Emerging Threats:

(http://docs.emergingthreats.net/bin/view/Main/2024218)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
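To make the pairing between the request rule (sid 2024220) and the response rule (sid 2024218) concrete, the following added Python sketch, which is not from the page or from Emerging Threats, evaluates just the content/depth/distance/flowbits semantics those two rules use over a constructed SMB Echo exchange; the packet builder and the three sample flows are this example's own assumptions, not captured traffic.

```python
# Byte patterns copied from the rules: NetBIOS length 0x31, "\xffSMB",
# SMB_COM_ECHO (0x2b), NT status 0, flags 0x18 (request) / 0x98 (response),
# flags2 bytes 07 c0, and the 12-byte echo data "JlJmIhClBsr\0".
ECHO_REQ_HDR = bytes.fromhex("00000031ff534d422b000000001807c0")
ECHO_RSP_HDR = bytes.fromhex("00000031ff534d422b000000009807c0")
ECHO_DATA = bytes.fromhex("4a6c4a6d4968436c42737200")  # b"JlJmIhClBsr\x00"

# Each rule as an ordered content list plus its flowbits action, mirroring
# sid:2024220 (request, sets the bit, no alert) and sid:2024218 (response,
# alerts only if the bit is already set on the same flow).
RULES = [
    {
        "sid": 2024220,
        "msg": "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)",
        "direction": "to_server",
        "contents": [(ECHO_REQ_HDR, {"depth": 16}), (ECHO_DATA, {"distance": 0})],
        "flowbits": ("set", "ETPRO.ETERNALBLUE"),
        "noalert": True,
    },
    {
        "sid": 2024218,
        "msg": "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response",
        "direction": "from_server",
        "contents": [(ECHO_RSP_HDR, {"depth": 16}), (ECHO_DATA, {"distance": 0})],
        "flowbits": ("isset", "ETPRO.ETERNALBLUE"),
        "noalert": False,
    },
]


def match_contents(payload, contents):
    """Evaluate ordered content matches the way these rules use them:
    depth:N confines the search to the first N payload bytes, and
    distance:0 requires the next match to start where the previous one ended."""
    cursor = 0
    for pattern, mods in contents:
        start = cursor if "distance" in mods else 0
        end = mods["depth"] if "depth" in mods else len(payload)
        idx = payload.find(pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def inspect_flow(packets):
    """Run RULES over one TCP flow, given as (direction, payload) pairs in
    order, keeping flowbits state per flow. Returns the sids that alerted."""
    bits = set()
    alerts = []
    for direction, payload in packets:
        for rule in RULES:
            if rule["direction"] != direction:
                continue
            if not match_contents(payload, rule["contents"]):
                continue
            action, name = rule["flowbits"]
            if action == "isset" and name not in bits:
                continue  # response seen without the matching request: no alert
            if action == "set":
                bits.add(name)
            if not rule["noalert"]:
                alerts.append(rule["sid"])
    return alerts


def build_echo(flags, data=ECHO_DATA):
    """Construct a sample SMB1 Echo message: 4-byte NetBIOS session header,
    32-byte SMB header, then WordCount/EchoCount/ByteCount and the data.
    Constructed test input, not a capture."""
    header = (
        b"\xffSMB" + b"\x2b" + b"\x00" * 4 + bytes([flags]) + bytes.fromhex("07c0")
        + b"\x00" * 20  # PIDHigh, signature, reserved, TID, PID, UID, MID
    )
    body = b"\x01" + (1).to_bytes(2, "little") + len(data).to_bytes(2, "little") + data
    msg = header + body
    return len(msg).to_bytes(4, "big") + msg  # 49 bytes -> 00 00 00 31 for ECHO_DATA


# Constructed flows: the ETERNALBLUE-style echo pair, the same response with
# no prior request, and an ordinary echo that shares only the command byte.
SUSPECT_FLOW = [("to_server", build_echo(0x18)), ("from_server", build_echo(0x98))]
ORPHAN_RESPONSE = [("from_server", build_echo(0x98))]
BENIGN_FLOW = [("to_server", build_echo(0x18, b"hello")),
               ("from_server", build_echo(0x98, b"hello"))]

if __name__ == "__main__":
    for name, flow in (("suspect", SUSPECT_FLOW), ("orphan", ORPHAN_RESPONSE),
                       ("benign", BENIGN_FLOW)):
        print(name, inspect_flow(flow))
```

Only the suspect flow alerts: the orphan response matches its content bytes but fails the isset check, and the benign echo has a different NetBIOS length and data, so neither content chain matches.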

Yara:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}

McAfee urges all its customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.

NSA Targeting SWIFT Messaging Network

The Shadow Brokers, a hacking group who claimed to have access to tools used by the NSA, had earlier released the password for an encrypted cache of Unix exploits, including a remote root zero-day exploit for the Solaris OS and the TOAST framework that the group had put up for auction last summer.

Then, on 14 April 2017, the Shadow Brokers released more hacking tools and exploits.

These tools are named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar, and others.

The latest dump comprises three folders: Windows, Swift, and OddJob.

The SWIFT folder contains PowerPoint presentations, evidence, credentials and internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

SWIFT Architecture

SWIFT (Society for Worldwide Interbank Telecommunication) is a global financial messaging system that thousands of banks and organizations across the world use to transfer billions of dollars every day.

“A SWIFT Service Bureau is the kind of the equivalent of the Cloud for Banks when it comes to their SWIFT transactions and messages; the banks’ transactions are hosted and managed by the SWIFT Service Bureau via an Oracle Database and the SWIFT Softwares,” security researcher Matt Suiche explains in a blog post.

The folder includes SQL scripts that query the Oracle database for information such as the list of database users and the SWIFT message queries.


Besides this, the folder also contains Excel files indicating that the NSA’s elite cyber attack unit, the Equation Group, had hacked and gained access to many banks around the world, the majority of which are located in the Middle East, in countries such as the UAE, Kuwait, Qatar, Palestine, and Yemen.

“SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH.” Matt tweeted.

Malware targeting Banking apps on Google Play

On 22 February 2017 it was reported that a banking malware, Good Weather, had infected 5,000 users in just two days after the malicious app bypassed Google’s security mechanisms and appeared in the store on February 4, 2017.

How does this malware work?

  • An unsuspecting user installs the app from the Google Play store on his Android mobile
  • The infected device then displays a fake system screen requesting device administrator rights on behalf of a fictitious “System update”. By enabling these rights, the victim allows the malware to change the screen-unlock password and lock the screen
  • The trojan displays a fake login screen once the user runs one of the targeted banking apps and sends the entered data to the attacker. Thanks to the permission to intercept the victim’s text messages, the malware is also able to bypass SMS-based two-factor authentication

Malicious app description as found on Google Play
Green – legitimate Good Weather icon, Red – malicious version
Fake “System update” demanding device administrator rights

Is this the only malicious app on Google play that we need to worry about?

No, this is just one of several such apps on Google Play. A security researcher recently posted about another such banking malware, Funny Videos 2017, which was updated on Google Play as recently as April 8, 2017 and had 1k to 5k installs (which is a lot for banking malware).

Funny Videos 2017 app in Google Play (no longer available)
additional Google Play app info

Precautionary measures from Google:

Google has decided to take the app out of the Play Store. As it turns out, the malware is mostly phishing for credit card details and internet banking credentials. Screenshots of some of the phishing overlays can be seen in the image below.

List of apps pulled down from Google Play store

Targeted apps

A long list of over 420 banks worldwide are affected by such banking malware. The list of targeted app package names, as of April 2017, is:

it.secservizi.mobile.atime
it.secservizi.mobile.atime.bpaa
it.secservizi.mobile.atime.bpvi
it.ubi.digitalcode
it.ubiss.mpay
it.volksbank.android
mbanking.NBG
mobi.societegenerale.mobile.lappli
mobi.societegenerale.mobile.lapplipro
mobile.alphabank.myAlphaWallet_android
mobile.santander.de
net.atos.alrajhi.mobilekw
net.bnpparibas.mescomptes
net.inverline.bancosabadell.officelocator.android
nl.asnbank.asnbankieren
nl.rabomobiel
nl.regiobank.regiobankieren
nl.snsbank.snsbankieren
nl.snsbank.snshelp
nz.co.amp.myportfolio.android
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.asb.mobilebusiness
nz.co.bnz.droidbanking
nz.co.bnz.droidbusinessbanking
nz.co.cooperativebank
nz.co.kiwibank.mobile
nz.co.westpac
org.banelco
org.banelco.ibay
org.banelco.qlms
org.banelco.rbts
org.banelco.sdmr
org.banking.bom.businessconnect
org.banking.bsa.businessconnect
org.banking.stg.businessconnect
org.banksa.bank
org.bom.bank
org.microemu.android.model.common.VTUserApplicationLIN
org.microemu.android.model.common.VTUserApplicationLIN
org.stgeorge.bank
org.westpac.bank
org.westpac.col
pl.aliorbank.kantorwalutowy
pl.bzwbk.bzwbk24
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.com.suntech.mobileconnect
pl.eurobank
pl.ing.ingmobile
pl.ipko.mobile
pl.mbank
pl.millennium.corpApp
pl.pkobp.iko
posteitaliane.posteapp.appbpol
pt.BancoPopular.android.app
pt.bancobest.android.mobilebanking
pt.bancobpi.mobile.autorizacoesempresas
pt.bancobpi.mobile.fiabilizacao
pt.bes.bestablet
pt.cgd.caixadirecta
pt.cgd.caixadirectaempresas
pt.novobanco.nbapp
pt.santandertotta.mobileparticulares
pt.sibs.android.mbway
riyad.bankingapp.android
rm.beleggen
tr.com.sekerbilisim.mbank
tsb.mobilebanking
uk.co.bankofscotland.businessbank
uk.co.metrobankonline.personal.mobile
uk.co.northernbank.android.tribank
uk.co.santander.businessUK.bb
uk.co.santander.santanderUK
uk.co.tsb.mobilebank
wit.android.bcpBankingApp.activoBank
wit.android.bcpBankingApp.millennium
wit.android.bcpBankingApp.millenniumPL
www.ingdirect.nativeframe
Çom.android.vendin?

How to clean the infected devices?

To clean your device, you can turn to a renowned mobile security solution, such as ESET Mobile Security, or you can remove the malware manually.

How to be safe going forward?

  • Although not flawless, Google Play does employ advanced security mechanisms to keep malware out. As this may not be the case with alternative app stores or other unknown sources, opt for the official Google Play store whenever possible.
  • When downloading from the Play store, make sure to review the app's permissions before installing or updating.
  • Think about uninstalling apps that run without privileged permissions.
  • Even if all else fails, a mobile security solution will protect the device from active threats.