Sunday, August 28, 2016

I Have A Dream!!!

August 28, 1963, Martin Luther King calls to end the racism in USA and also leading to civil rights and economical rights in the country. Nearly two hundred fifty thousand civil right supporters witnessed the speech and inspired millions to stand on that dream.

Everyone must have a dream, but it is worth enough to inspire millions. Dr. Martin Luther King did and inspire the millions.

Thursday, August 25, 2016

Submarine secret Leak

Highly classified information on what makes six submarines being built in Mumbai so crucial for India's security have been leaked - more than 22,000 pages that serve as the operating manual of the Scorpene submarine have been made available with excerpts released online by an Australian newspaper.

The Scorpenes, being built for 3.5 billion dollars at the Mazgaon docks at Mumbai, are considered some of the most advanced of their class in the world. They are so silent underwater that they are extremely difficult, if not impossible to detect. But now their sonar capabilities, the noise they generate and details of the combat system they are armed with are totally exposed.

  •  Secret combat capability of 6 Scorpene submarines leaked
  •  Submarines being built at Mazgaon docks near Mumbai
  •  French manufacturer DCNS landed the $3.5 billion deal​
Post by

Saturday, August 20, 2016

Malware Abusing SWIFT BANKING

SWIFT is aware of a malware that aims to reduce financial institutions' abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT's network or core messaging services
Threat Actor
The shared subroutines are displayed as evidence to relate the SWIFT intrusion activity to the Lazarus group. It is believed to be Lazarus group from North Korea, as threat actor. Because, many of this samples contain the similar subroutines. Their findings supported a claim that these were the only two pieces of software with this shared code.
The Anomali Labs team has conducted deeper research into a very large malware data repository. This process utilized the yara signature below to search for the shared subroutines. At first, we believed it would produce a lot of false positives. Instead, this search not only failed to result in any false positives, but also turned up five other pieces of malware which share this code. We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code.
Malware FamilyMd5 hash Notes
SWIFT BanSwift5d0ffbc8389f27b0649696f0ef5b3cfeevchk.bat dropper
SWIFT Fake Foxit Reader0b9bf941e2539eaa34756a9e2c0d5343A Fake Foxit Reader submitted to Virustotal from Vietnam in December 2015 (similar sample detailed at
SMBWorm558b020ce2c80710605ed30678b6fd0cKnown North Korean Malware
Memory dump with SMBWorm96f4e767aa6bb1a1a5ab22e0662eec86 
Unknown "hkcmd" toolb0ec717aeece8d5d865a4f7481e941c5
1st Submitted from Canada, likely from an AV organization. 2016/04/22.
PE Build Date of December 2010.
imkrmig.exe5a85ea837323554a0578f78f4e7febd8An unknown backdoor posing as a Korean sample of Microsoft Office 2007.
Table 1. Malware families and samples known to include the Lazarus Wipe File routine.
rule AnomaliLABS_Lazarus_wipe_file_routine {
     author = "aaron shelmire"
     date = "2015 May 26"
     desc = "Yara sig to detect File Wiping routine of the Lazarus group"
     $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
     /* imports for overwrite function */
     $imp_getTick = "GetTickCount"
     $imp_srand = "srand"
     $imp_CreateFile = "CreateFileA"
     $imp_SetFilePointer = "SetFilePointer"
     $imp_WriteFile = "WriteFile"
     $imp_FlushFileBuffers = "FlushFileBuffers"
     $imp_GetFileSizeEx = "GetFileSizeEx"
     $imp_CloseHandle = "CloseHandle"
     /* imports for rename function */
     $imp_strrchr = "strrchr"
     $imp_rand = "rand"
     $Move_File = "MoveFileA"
     $Move_FileEx = "MoveFileEx"
     $imp_RemoveDir = "RemoveDirectoryA"
     $imp_DeleteFile = "DeleteFileA"
     $imp_GetLastError = "GetLastError"
     $rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))
Other previously known Lazarus Group samples:
Mode of entry - How intrusions usually occur
Even though in this case we do not have all the information about the attack, every intrusion usually follows the steps below:
Gaining access to the internal network
This is the first challenge every external intrusion must overcome. Gaining access to the internal network will allow the attackers to move laterally (gain access to other systems with the same privileges as the one they have accessed) and, eventually, vertically (gaining more privileges in a network).
In order to gain access to the internal network, the attackers use mostly two methods:
-Phishing campaign
A successful phishing campaign targeting the company and deploying a backdoor will allow the attackers to connect to at least one of the computers in the company, from which they can start to move laterally and vertically.
-RCE vulnerability or misconfiguration in the external network
Due to a misconfiguration, or a vulnerability that allows Remote Command Execution (RCE), the attacker will be able to execute commands on the remote host.
This is probably the case for the Bangladesh Bank. The bank was using outdated switches without firewalls to connect to the SWIFT infrastructure.
Taking control of the internal network
Once the attackers have gained access to the internal network, there's usually the need to escalate privileges, all the way up to the user with the most privileges (for example Domain Administrator in Windows networks). This way, they can move freely around the network, entering any system and eventually accessing all the data in the network. This is usually carried-out exploiting vulnerabilities from applications or from the operating system. It's also possible to use social engineering to achieve this goal. In some cases, this second step is not necessary, because the authors may have already accessed the necessary systems to perform the attack.
Files used for the investigation:
MD5: 0b9bf941e2539eaa34756a9e2c0d5343
MD5: 909e1b840909522fe6ba3d4dfd197d93
Entry point:
In the case of the Vietnamese bank, the file used for the attack is a fake version of the popular PDF reader Foxit. The malware installs itself in the original Foxit installation directory and renames the original file to FoxltReader.exe.
Once the user starts using the fake reader, the malware executes and writes to a log file in the temp directory C:\\Windows\temp\\WRTU\ldksetup.tmp. Analyzing this file, we see the log data is XOR encoded using the value 0x47.
Was this malware part of a targeted attack?
 Yes, absolutely. As in the malware used against the Bangladeshi bank, we found the SWIFT code for the target in multiple places in the malware.
image2swift target.png
Yara rules:
rule banswift :banswift {
description = "Yara rule to detect samples that share wiping function with banswift"
threat_level = 10
$snippet1 = {8844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7}
88 44 24 0D mov [esp+102Ch+var_101F], al
B9 FF 03 00 00 movecx, 3FFh
33 C0 xoreax, eax
8D 7C 24 2D lea edi, [esp+102Ch+var_FFF]
C6 44 24 2C 5F mov [esp+102Ch+var_1000], 5Fh
33 DB xorebx, ebx
F3 AB rep stosd
66 AB stosw
53 push ebx ; _DWORD
68 80 00 00 00 push 80h ; _DWORD
6A 03 push 3 ; _DWORD
53 push ebx ; _DWORD
AA stosb
8B 84 24 40 10 00 00 moveax, [esp+103Ch+arg_0]
53 push ebx ; _DWORD
68 00 00 00 40 push 40000000h ; _DWORD
50 push eax ; _DWORD
C6 44 24 2A FF mov [esp+1048h+var_101E], 0FFh
88 5C 24 2B mov [esp+1048h+var_101D], bl
C6 44 24 2C 7E mov [esp+1048h+var_101C], 7Eh
C6 44 24 2D E7 mov [esp+1048h+var_101B], 0E7h
$snippet2 = {25 FF 00 00 00 B9 00 04 00 00 8A D0 8D 7C 24 30 8A F2 8B C2 C1 E0 10 66 8B C2 F3 AB}
25 FF 00 00 00 and eax, 0FFh
B9 00 04 00 00 movecx, 400h
8A D0 mov dl, al
8D 7C 24 30 lea edi, [esp+30h]
8A F2 mov dh, dl
8B C2 moveax, edx
C1 E0 10 shleax, 10h
66 8B C2 mov ax, dx
F3 AB rep stosd
all of ($snippet*)
In the code, we found that the malware uses the original driver fpdsdk.dll from the Foxit SDK to execute the transformation of the files.

IOC details for this bbswift malware:
Malicious IP:
Network IOC Detection Example for this malware:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Possible BBSwift/Banswift/Bankswi/Alreay/TSPY_ALSOF status report HTTP Outbound"; content:"GET"; http_method; content:"|2F|al|3F 2D 2D 2D|"; http_uri; fast_pattern; pcre:"/^GET\x20.*\x2F\x2D{3}[CNO]$/U"; classtype:trojan-activity; reference:url,; sid:9000000; rev:1;)
In both attacks we can see that the attackers have done their reconnaissance properly and may have used an insider to get the details they needed to prepare their attacks. In the Bangladeshi case, for example, the malware samples are tuned to the environment and how the banking system operates, including the supported software, databases, and printer. In the Vietnamese case, the malware is also tuned to fit the environment. The attackers knew that the bank used Foxit and replaced it with a fake version. The attackers have a very good understanding of the SWIFT messaging system and how to manipulate the system to prevent the detection of their fraudulent attempts of transferring the money. The malware in each attack was compiled just before the attack happened.
Although both attacks were discovered at some point during the attempts to transfer large amounts of money, the actors may well have executed a few test runs to check their operations before the real attacks.

Post made by


Setting up breakpoints in VirtualAlloc and VirtualProtect during malware analysis:

 Malware analysts add breakpoints in functions like `VirtualProtect` and `VirtualAlloc` for several key reasons: Understanding Malware Behav...