Pre-Login presentation with Robert Lipovsky

ESET MALWARE RESEARCH

Robert Lipovsky, Senior Malware Researcher

[email protected]

Malware?

„Downloaders“

„Bootkits“

„Rootkits“

„Injectors“

„Worms“

„Scareware“

„Trojans“

„Grayware“

„Viruses“

„Banking trojans“

„Spyware“

Cyber-espionage

Attacks against high-value targets

Operation Buhtrap

Searches for these URLs:

Searches for these processes:

Operation Potao Express

Загальна таблиця захопл та полонених за ЗСУ станом на 05.03.2015.exe (“Overall table of captured and imprisoned Ukrainian Armed Forces personnel as of 05.03.2015”)

Звільнені військовослужбовці з 06.09.2014 по 05.03.2015 .exe (“Servicemen released between 06.09.2014 and 05.03.2015”; note the space padded in before the .exe extension)

на 05.03.2015 зв_льнен_ з полону для НГШ.exe (“Released from captivity as of 05.03.2015, for the Chief of the General Staff”)

Список захопл у ході АТО за ЗСУ станом на 05.03.2015.exe (“List of Ukrainian Armed Forces personnel captured during the ATO as of 05.03.2015”; ATO is the anti-terrorist operation in eastern Ukraine)

Attacks against UA government & military

…\Local\Temp\HHDC05.tmp.exe
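The lure names above share a pattern: a document-like, date-stamped Cyrillic title sitting in front of an executable extension, sometimes with whitespace padding before the extension, plus a dropped payload with a double extension in a Temp directory. The triage heuristic below is an added example written for this page, not ESET's code or anything from the Potao Express samples; the thresholds (three spaces, the list of decoy extensions, the Temp check) are my own assumptions, and the non-slide sample paths in the `__main__` block are constructed.

```python
"""Triage heuristic for document-lookalike executables such as the
Operation Potao Express lures listed above.

Added example, not ESET's code.  It reports which lure traits a path shows:
an executable extension behind a sentence-like, Cyrillic, date-stamped
name, whitespace padded in front of the extension, a second "document" or
".tmp" extension, or a location under a Temp directory.  Thresholds and the
extension lists are assumptions, not something the slides state.
"""
import re
from pathlib import PureWindowsPath
from typing import List

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Extensions that, placed in front of ".exe", make a double-extension lure.
DECOY_EXTS = {".tmp", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}
DATE_RE = re.compile(r"\b\d{2}\.\d{2}\.\d{4}\b")       # dd.mm.yyyy as in the lures
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")            # any Cyrillic letter


def lure_reasons(path: str) -> List[str]:
    """Return the reasons a Windows path looks like a document-named
    executable.  An empty list means none of the heuristics fired."""
    p = PureWindowsPath(path)
    reasons: List[str] = []
    if p.suffix.lower() not in EXEC_EXTS:
        return reasons                       # only executables are of interest
    stem = p.stem
    if DATE_RE.search(stem):
        reasons.append("date in filename")
    if CYRILLIC_RE.search(stem):
        reasons.append("cyrillic filename")
    if stem.count(" ") >= 3:
        reasons.append("sentence-like name")
    if stem != stem.rstrip():
        reasons.append("whitespace padding before extension")
    if len(p.suffixes) >= 2 and p.suffixes[-2].lower() in DECOY_EXTS:
        reasons.append("double extension")
    if any(part.lower() == "temp" for part in p.parts[:-1]):
        reasons.append("runs from Temp")
    return reasons


if __name__ == "__main__":
    samples = [
        # lure name from the slides, under a constructed Downloads path
        r"C:\Users\user\Downloads\Список захопл у ході АТО за ЗСУ станом на 05.03.2015.exe",
        # drop path from the slides, with the elided prefix filled by a constructed one
        r"C:\Users\user\AppData\Local\Temp\HHDC05.tmp.exe",
        # constructed benign control
        r"C:\Program Files\7-Zip\7z.exe",
    ]
    for s in samples:
        print(lure_reasons(s) or "clean", "<-", s)
```

The function returns reasons rather than a verdict so that a hunting query can weight them; a single hit such as "date in filename" is weak on its own, while "cyrillic filename" together with "sentence-like name" on an .exe under Downloads is exactly the Potao lure shape.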

During our research…

…\Downloads\TrueCrypt\TrueCrypt.exe

…\TrueCrypt Setup 7.1.exe

http://www.truecryptrussia.ru/

TrueCrypt Russia

Another “APT” family… BlackEnergy

• 2007 – 1st BlackEnergy variants

• 2014 – switch from crimeware to cyberespionage

• Discovery of PowerPoint 0-day (CVE-2014-4114)

• Presentation @ Virus Bulletin 2014

• 2015 – 2016 – more targeted attacks

  • power industry, airport, media, …

Cyber-crime

Attacks against individuals and businesses

The Visa botnet

MSIL/Agent.PYO

Win32/Spy.Odlanor

Spyware targeting players of online poker clients

Modus Operandi:

1. Infect

2. Join table

3. Peek at opponent’s hand

Infection Vectors

• Installers

  • sometimes bundled with Win32/InstallCore PUA

  • DAEMON_Tools_Lite.exe, uTorrent.exe, …

• Poker support software – Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, …

Technical Details

Conditions for taking screenshots:

• “PokerStarsTableFrameClass”, “Hold’em”, “Omaha”, “Stud”, “Razz”, “Draw”, “Irish”

• “FullTiltPoker”

Title of PokerStars / FullTiltPoker window – contains Table ID & Game Type

C&C POST data:

%data_size%|||%machine_guid%|||%window_title%|||%zipped_data%
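The two details worth turning into tooling are the screenshot trigger and the beacon layout. The block below is an added example for this page, not ESET's code and not the spyware's: `should_capture` reproduces the window-class/game-type condition with the strings from the slide, and `parse_c2_post` parses the `%data_size%|||%machine_guid%|||%window_title%|||%zipped_data%` body (for example from a captured POST) into its fields. Things the slide does not say and that this code assumes: the game-type strings are matched against the window title and "FullTiltPoker" against class or title; `data_size` counts the bytes of `zipped_data`; and `zipped_data` is zlib-compressed. The sample beacon is constructed.

```python
"""Helpers built from the Win32/Spy.Odlanor details on the slides above.

Added example; this is not ESET's code and not the spyware's code.

  * should_capture(): the screenshot trigger, keyed on the window class
    "PokerStarsTableFrameClass" plus a game-type string in the title, or
    any "FullTiltPoker" window.
  * parse_c2_post(): a parser for the C&C POST body layout
    %data_size%|||%machine_guid%|||%window_title%|||%zipped_data%

Assumptions not stated on the slides: game-type strings are matched against
the window title, "FullTiltPoker" against class or title, data_size counts
the bytes of zipped_data, and zipped_data is zlib-compressed.
"""
import zlib
from typing import Dict, Union

POKERSTARS_CLASS = "PokerStarsTableFrameClass"
# The slide prints the apostrophe as a curly quote; accept both spellings.
POKERSTARS_GAMES = ("Hold'em", "Hold\u2019em", "Omaha", "Stud", "Razz", "Draw", "Irish")
FULLTILT_MARKER = "FullTiltPoker"
SEP = b"|||"


def should_capture(window_class: str, window_title: str) -> bool:
    """Mirror the spyware's screenshot condition for one foreground window."""
    if window_class == POKERSTARS_CLASS and any(g in window_title for g in POKERSTARS_GAMES):
        return True
    return FULLTILT_MARKER in window_class or FULLTILT_MARKER in window_title


def build_beacon(machine_guid: str, window_title: str, screenshot: bytes) -> bytes:
    """Lay out a beacon body in the documented field order (used to make the
    constructed sample below; zlib compression is an assumption)."""
    zipped = zlib.compress(screenshot)
    return SEP.join([str(len(zipped)).encode("ascii"),
                     machine_guid.encode("utf-8"),
                     window_title.encode("utf-8"),
                     zipped])


def parse_c2_post(body: bytes) -> Dict[str, Union[int, str, bytes]]:
    """Split a beacon body into its four fields and sanity-check it.

    The compressed payload may itself contain b"|||", so the body is split
    at most three times and the fourth field keeps everything after the
    third separator.  A data_size that disagrees with the payload length is
    rejected rather than silently trusted."""
    parts = body.split(SEP, 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 '|||'-separated fields, got {len(parts)}")
    size_raw, guid_raw, title_raw, zipped = parts
    if not size_raw.isdigit():
        raise ValueError(f"data_size is not numeric: {size_raw!r}")
    declared = int(size_raw)
    if declared != len(zipped):
        raise ValueError(f"data_size {declared} != payload length {len(zipped)}")
    return {
        "data_size": declared,
        "machine_guid": guid_raw.decode("utf-8", "replace"),
        "window_title": title_raw.decode("utf-8", "replace"),
        "screenshot": zlib.decompress(zipped),
    }


if __name__ == "__main__":
    # Constructed sample: a PokerStars table window title and a fake screenshot.
    title = "Halley IV - $0.01/$0.02 USD - No Limit Hold'em"
    print("capture:", should_capture(POKERSTARS_CLASS, title))
    beacon = build_beacon("a1b2c3d4-0000-1111-2222-333344445555", title, b"PNG\x89 constructed bytes")
    fields = parse_c2_post(beacon)
    print({k: (v if k != "screenshot" else len(v)) for k, v in fields.items()})
```

On the detection side, the `|||`-delimited body with a numeric first field and an opaque compressed tail is a usable network signature on its own, and `machine_guid` is a stable victim identifier across beacons, which is useful when tying several captures to one host.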

Screenshots / Passwords

Facebook scams

Ransomware

Petya – From FileCoders to DiskCoders

Ransomware on Android

Lockscreens still alive…