Taurus was originally built as a fork by the developer behind Predator the thief. It boasts many of the same capabilities as Predator the thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as cryptocurrency wallets.
Starting in late August, we began noticing large malvertising campaigns, including, in particular, one campaign that we dubbed Malsmoke that distributes Smoke Loader. During the past few days we observed a new infection pushing the Taurus stealer.
Like the other malvertising campaigns we covered, this latest one is also targeting visitors to adult sites. Victims are mostly from the US, but also Australia and the UK.
Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.
Because of code similarities, many sandboxes and security products will detect Taurus as Predator the thief.
The execution flow is indeed pretty much identical with scraping the system for data to steal, exfiltrating it and then loading additional malware payloads. In this instance we observed SystemBC and QBot.
Stealer – loader combo continues to be popular
Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.
Even though the threat actors behind Predator the thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.
Malwarebytes users are protected against this threat via our anti-exploit layer which stops the Fallout exploit kit.
We would like to thank Fumik0_ for background information about Predator the thief and Taurus.
To better understand modern malware detection methods, it’s a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time.
Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or “needs a closer look.”
Running programs in such a secluded environment is referred to as sandboxing and the environment the samples are allowed to run in are called sandboxes.
Definition of sandboxing
Let’s start with a definition so we know what we are talking about. There are many definitions around but I’m partial to this one:
“Sandboxing is a software management strategy that isolates applications from critical system resources and other programs. Sandboxing helps reduce the impact any individual program or app will have on your system.”
I’m not partial to this definition because it is more correct than other definitions, but because it says exactly what we want from a sandbox in malware research: No impact on critical system resources. We want the malware to show us what it does, but we don’t want it to disturb our monitoring or infect other important systems. Preferably, we want it to create a full report and be able to reset the sandbox quickly so it’s ready for the next sample.
Malware detection and sandboxing
Coming from that definition, we can say that a cybersecurity sandbox is a physical or virtual environment used to open files or run programs without the chance of any sample interfering with our monitoring or permanently affecting the device they are running on. Sandboxing is used to test code or applications that could be malicious before serving it up to critical devices.
As sandbox technology development further progressed and as the demand for a quick method to test software arose, we saw the introduction of online sandboxes. These are websites where you can submit a sample and receive a report about the actions of the sample as observed by the online sandbox.
It still takes an experienced eye to determine from these reports whether the submitted sample was malicious or not, but for many system administrators in a small organization, it’s a quick check that lets them decide whether they want to allow something to run inside their security perimeter.
Some of these online sandboxes have even taken this procedure one step further and allow user input during the monitoring process.
This is an ideal setup for those types of situations where the intended victim needs to unzip a password-protected attachment and enable content in a Word document. Or those pesky adware installers that require you to scroll through their End User License Agreement (EULA) and click on “Agree” and “Install.” As you can imagine. these will not do much on a fully automated sandbox, but for a malware analyst, these samples would fall into the category that requires human attention anyway.
In the ongoing “arms race” between malware writers and security professionals, malware writers started to add routines to their programs that check if they are running in a virtual environment. When the programs detect that they are running in a sandbox or on a virtual machine (VM), they throw an error or just stop running silently. Some even perform some harmless task to throw us off their track. Either way, these sandbox-evading malware samples don’t execute their malicious code when they detect that they are running inside a controlled environment. Their main concern is that researchers would be able to monitor the behavior and come up with counter strategies, like blocking the URLs that the sample tries to contact.
Some of the methods that malware uses to determine whether it is running in a sandbox are:
Delaying execution to make use of the time-out that is built into most sandboxes.
Hardware fingerprinting. Sandboxes and Virtual Machines can be recognized as they are typically different from physical machines. A much lower usage of resources, for example, is one such indicator.
Measuring user interaction. Some malware requires the user to be active for it to run, even if it’s only a moving mouse-pointer.
Network detection. Some samples will not run on non-networked systems.
Checking other running programs. Some samples look for processes that are known to be used for monitoring and refuse to run when they are active. Also the absence of other software may be considered an indicator of running on a sandbox.
Sandboxes and virtual machines
In the previous paragraph we referenced both virtual machines and sandboxes. However, while sandboxes and virtual machines share enough characteristics to get them confused for one another, they are in fact two different technologies.
What really sets them apart is that the Virtual Machine is always acting as if it were a complete system. A sandbox can be made much more limited. For instance, a sandbox can be made to run only in the browser and none of the other applications on the system would notice it was even there. On the other hand, a Virtual Machine that is entirely separated from the rest of the world, including its host, would be considered a sandbox.
To make the circle complete, so to speak, we have seen malware delivered in the form of a VM. This type of attack was observed in two separate families, Maze and Ragnar Locker. The Maze threat actors bundled a VirtualBox installer and the weaponized VM virtual drive inside a msi file (Windows installer package). The attackers then used a batch script called starter.bat to launch the attack from within the VM.
Keeping in mind that containerization and virtual machines are becoming more common as a replacement for physical machines, we wonder whether cybercriminals can afford to cancel their attack when they find out they are running on a sandbox or virtual machine.
On the other hand, the malware detection methods developed around sandboxes are getting more sophisticated every day.
So, could this be the field where the arms race is in favor of the good guys? Only the future will be able tell us.
This training link is also available on Security Awareness Training.
Use the URL: training[.]knowbe[.]4[.]com/login if you like to access the training outside of the network. Please use your email on the initial KnowBe4 login screen. Once the browser directs you to authentication page, please enter your username, password, and click the “Sign in” button to access the training.
Your training record will be available within 30 days after the campaign is concluded.
Thank you for helping to keep our organization safe from cybercrime.
Information Security Officer
“Poor English” is usually a hallmark of a scam email, according to majority of cybersecurity experts, and phishing emails are notoriously known for it. The above training-themed email may have fooled several recipients who are quite forgiving to some English errors—after all, typos do happen.
However, we should remember to also look at the URLs closely, both on the email and where it really leads to when you hover a mouse pointer over each one of them. Granted this is a straightforward, unsophisticated scam, which makes discerning it easier. It also gives us the notion that whoever the campaign is trying to bag, they’re only after those who aren’t careful enough to look closely or critical enough to perceive that something is amiss.
To the seemingly untrained eye, the URLs on the email may seem genuine, but they’re not. If you’re familiar with a URL’s structure, you’ll realize quickly that they’re not even close to being genuine. Take, for example, training[.]knowb[.]e4[.]com. The main domain here is e4[.]com. As for training[.]knowbe[.]4[.]com, the main domain is 4[.]com. Basic familiarity to URLs can save you from falling for scams like this.
Once users click any of the links, they are directed to a destination that doesn’t bear the KnowBe4 brand but to what appears to be a Microsoft Outlook sign in page, asking for credentials.
Again, take note of the URL in the address bar.
According to Cofense, similar phishing pages like this are hosted on at least 30 sites since April of this year. They also found traces of other current or previous phishing campaigns that were themed around sexual harassment training, another learning course many organizations require their employees to take.
Going back: Once the Outlook username and password combination were provided and the user clicks “sign in”, they are directed to another Outlook page, this time asking for details that are more personal, such as date of birth and physical address.
As the phishing kit had already been taken down at the time of writing, testing couldn’t show what happens next after clicking “Verify Now”. But based on the sexual harassment training phishing campaign, which used the same kit, redirecting to a legitimate sexual harassment training page, it’s logical to conclude that users would also be directed to a security awareness training website, which may or may not necessarily be KnowBe4.
This isn’t the first time the KnowBe4 brand—or other cybersecurity brands for that matter—have been abused to defraud people. The company was first used in phishing campaigns in September 2018 and in January 2019.
In February of this year, a NortonLifeLock phishing scam, wherein threat actors forced a remote access Trojan (RAT) installation onto victim systems by making a malformed Word document appear to be password-protected by NortonLifeLock, was found in the wild.
In April 2019, sophisticated Office 365 credential stealers didn’t only craft fake Microsoft alert types around certain Microsoft products, they also mimicked the return path of Barracuda Networks, a well-known email security provider, and include it in the phishing email’s Received header, making the email appear that it passed through Barracuda servers. This would make it seem like it could be trusted, and thus, safe to open, when—upon closer inspection—it’s not.
Every organization has a brand to protect. And the first step to do this is to realize early on that their brand could be misused or abused by those who want to make illicit gains. That said, no brand is truly safe. Heck, even Malwarebytes has doppelgängers.
Businesses must be actively looking for those banking on their names online. Customers, on the other hand, must know and accept that online criminals can get to them through the services they use by pretending to be these companies. It’s no longer enough to readily trust emails based on the logos they purport to bear. It’s time to start carefully reading emails you care about and scrutinizing them, from the supposed sender to the email links and/or attachments.
Never attempt to click anything on dubious emails or visit the destinations by copying and pasting them on a browser unless you’re in a virtual machine. And if you don’t have time to do the investigative work yourself, ask. Give your service provider a call or report a potential phishing attempt. This way, you’re not only helping yourself but also alerting your provider and helping those who would have fallen for a scam if not for your efforts.
Even though some organizations and companies may not realize it, their domain name is an important asset. Their web presence can even make or break companies. Therefor, “domain name abuse” is something that can ruin your reputation.
There are several ways in which perpetrators can abuse your good name to make a profit for themselves, while ruining your good name in the process.
Domain name hijacking
Domain name abuse
The first two are closely related and are usually the result of an attack or breach of some kind.
Domain name hijacking can be the result of someone getting hold of your credentials and changing the server that gets to display the information when the domain is queried. Generally speaking, this is done by changing the DNS records for the domain and if the attackers are planning to prolong the use of your domain, they will move the domain registration to a different registrar. This is done to make it harder for the original owner to get control back over the domain. To pull this off they will need to get hold of your login credentials with the original registrar, either by phishing or by a data breach at the registrar. Many registrars will also ask for an Auth-Code when a domain holder wants to transfer a domain name from one registrar to another. So, it is wise to store this separate from your login credentials. Worst case scenario: the registrar cannot solve the issue for you. Even the ICANN will not be able to remediate the illegal domain transfer if your requests to the original and new registrar do not manage to get your control back.
Webserver takeovers are more of a physical attack on your own servers, whether they are on premise, hosted, or in the cloud. This is what we often see when websites are defaced or other attacks with a shorter lifespan. The results are easier to remedy as it usually only takes a backup of the old website to restore it to its old glory. Sometimes all you need to do is remove a few files that were added by the attacker. But the important part here is to find out how the attacker got access to the webserver(s) and how you can prevent it in the future.
A whole different, but related topic, we have discussed before is the use of expired domains for malvertising. While the technique is totally different, the end goal—malvertising— is of common interest.
Domain name abuse
But the main topic for this post will be domain name abuse, a much harder to grasp subject as it does not involve access to something that belongs to you. At best (or worst rather) the infringement is on your intellectual property.
Domain name registration under another Top Level Domain (TLD)
Replacing country code TLD’s (ccTLD’s)
Using ccTLD’s to replace .com or other general TLD’s
Depending on the objective of the domain name abuse some strategies will make more sense then others. If the motive is email fraud then making the website look exactly like the one the perpetrator wants to mimic is more important than having a convincingly deceiving domain name. Especially since spoofing is another option that is often used in email fraud.
Typosquatting is the method of using domain names that are only a little bit different from the real one. They are usually only one typo away, hence the name. These names are often used on highly popular domain names to increase the chance of success. To use an example: goggle[.]com. (See? At first glance, it kind of works.)
Changing the TLD means the holder of the new domain changed the TLD expecting the reader will not notice or be aware of the switch they made. Yet another example: whitehouse[.]com.
Replacing country code TLD is basically the same method but this is a technique often used for banking fraud sites where a national bank is impersonated by giving it a more international TLD. For example: localbank.us becomes localbank.com.
The other way around happens as well. The international TLD gets replaced with a country code TLD Which also makes sense since many internationals use this method to direct traffic for local dealerships to the localized website. For example: Chevrolet also owns Chevrolet.de besides their own Chevrolet.com.
What is the purpose of the abuse?
Before we look at how we can respond to domain name abuse, it is important to establish what the purpose of the abuser is. The motives can range from downright malicious and illegal to trying to grab some extra traffic using your brand, which is not immediately illegal, per se. There are some grey areas between the two where legal actions may or may not have the desired result.
What is definitely not allowed is when the abuser tries to pretend to be a representative for your company or to act in your name without your consent. On the other hand, it is not illegal to hope that someone makes a typo. But like we said there is a big grey area between these two. Let’s look at an example.
In most countries it is not illegal to act as an intermediary between the public and an organization. Let’s take for example the intermediaries that ask for money to do the necessary paperwork for a US Green Card. Probably every country has at least one that offers to assist you to apply for one. For a fee of course. There is nothing illegal about most of them. The terrain gets shady, though, when the intermediary uses a domain name that could make the visitor think they are dealing with the U.S. Citizenship and Immigration Services (USCIS) directly. For example, by using the domain uscis[.]us. It gets downright illegal when the owner of the domain puts official logos of another company on his website. At that point they are impersonating the USCIS and can expect a takedown. For commercial companies such behavior can also be treated as an infringement on intellectual property.
What are your options when you notice, or worse, get notified about domain name abuse? There are a few options to deal with websites that throw a negative shadow over your own:
Ignore. In some cases, there are few other options, so your best strategy may be to not waste any time on the matter and hope it goes away.
Contact the owner. If you look up the domain name there will be a contact email or abuse email of the registrar provided. This method may help in cases of an honest mistake, but your efforts are likely to be futile when there is malicious intent.
Contact the registrar. You will need some luck and provide decent evidence to get a registrar to take down a website of one of their customers. Some registrars are known for their slow and reluctance to help victims of domain name abuse.
In those cases you will have to resort to a so-called “Notice and takedown” procedure. Many countries have an independent authority that you can contact with complaints about their ccTLD’s. But these authorities will not be able to help you with international TLDs.
Take them to court. Easier said then done when you don’t know who you’re dealing with. And even if you do, court rulings can take a long time and are costly. But sometimes threatening with legal proceedings is enough since they are costly for the other party as well.
Make sure nobody finds the offensive sites. When the owners rely on search engines to find their site you can counter them there. Often, new sites rely on paid advertisements with search engines to bring in the necessary traffic. Your options are to file a complaint with the search engine or to simply outbid the opponent by paying more for advertisements pointing to your own site.
Required level of protection
There are very different levels of necessity for specialized services and systems that watch and report possible domain name abuse on your domain. Banks and other financials will probably have a whole department involved in takedowns, where your run of the mill pop and mom shop will be satisfied if they can keep their own site updated. Some companies will have an in-house department to keep an eye on possible domain name abuse which will be backed by a legal department that gets called in when necessary. Others will hire a specialized company to do this for them, while the vast majority has taken no precautions at all and will respond whenever a problem should arise.
And as long as your company is considered to be in the appropriate category there is not much reason to make any changes. Having a specialized department when there is absolutely no track record of domain name abuse and none is to be expected is a waste of time and money.