Security Blog

Written by
Andrew Brandt

A few months ago, while searching for malware that uses unusual or unexpected methods of data exfiltration, I stumbled upon a relatively new group of Trojans designed to steal banking credentials for banks based in Central and South America.

The malware ends up in a wide variety of "family" definitions when scanned by various AV products, but it uses the internal name NovoKL (probably Portuguese for "new keylogger") in strings dumped from the various samples we've been running in the lab since March. It shares some characteristics with other keyloggers that end up branded under the catch-all "Bancos," or the slightly more specific "Broban.AQ," antivirus definitions used by a number of companies (except Symantec, which calls it Infostealer.Escelar).

Unlike most other phishing Trojans, this malware uses SQL commands sent over a connection to a database server as its command-and-control, payload delivery, and data exfiltration mechanism. It also appears to be extensible: we've observed samples in the lab retrieve multiple, varied payloads, some of which add additional functionality to the core malware.

All of these payloads are delivered through the same database connection protocol, known as Tabular Data Stream, or TDS, the wire protocol used by Microsoft SQL Server. The default TCP port number for TDS services is 1433. Connections from the various malware samples to a small number of machines hosted in a Brazilian IP address range have all used this standard port for C&C. While I'm familiar with a wide range of both common and weird, bespoke methods for C&C traffic, I hadn't previously seen malware interacting directly with a database server using the formal language of a SQL query.
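A C&C channel that is plain SQL over TDS to a handful of external hosts is visible at the flow level: workstations normally have no business opening TCP/1433 sessions to addresses outside the corporate network. The following is an added example, not code from the original post or from the malware described. It scans constructed Zeek-style connection records for TCP/1433 sessions whose destination lies outside RFC 1918 space, with an optional allowlist for sanctioned external database servers, and groups the hits by destination so that a small set of external "database servers" contacted by many internal hosts stands out. The log layout, hosts, and byte counts are assumptions made for the example.

```python
"""Flag outbound TDS (MS SQL Server, TCP/1433) sessions to non-RFC 1918 hosts
in a Zeek-style conn log. Added example; all log lines below are constructed."""
import ipaddress
from collections import defaultdict

TDS_PORT = 1433  # default listener port for Tabular Data Stream (MS SQL Server)

# RFC 1918 ranges are checked explicitly rather than via ipaddress.is_global,
# because the documentation ranges (203.0.113.0/24, 198.51.100.0/24) used as
# stand-in "external" addresses below are also treated as non-global there.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (assumption): tab-separated, Zeek conn.log-like columns.
# 10.0.1.10 plays the role of a legitimate internal SQL server; the 203.0.113.x
# hosts play the role of external C&C database servers.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1434.1\t10.0.5.23\t49201\t10.0.1.10\t1433\ttcp\t2048\t65536
1434.2\t10.0.5.23\t49202\t203.0.113.45\t1433\ttcp\t412\t18320
1434.3\t10.0.7.99\t49877\t198.51.100.7\t443\ttcp\t900\t12000
1434.4\t10.0.7.99\t49880\t203.0.113.45\t1433\ttcp\t380\t1200
1434.5\t10.0.9.4\t50110\t203.0.113.46\t1433\ttcp\t650\t2200
"""


def is_internal(ip_str):
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the header row's column names."""
    lines = [line for line in text.splitlines() if line.strip()]
    fields = lines[0].split("\t")
    for line in lines[1:]:
        yield dict(zip(fields, line.split("\t")))


def find_external_tds(text, allowed_servers=frozenset()):
    """Return TCP/1433 sessions whose responder is outside RFC 1918 space and
    not on the allowlist of sanctioned external SQL servers."""
    hits = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or int(rec["id.resp_p"]) != TDS_PORT:
            continue
        dst = rec["id.resp_h"]
        if is_internal(dst) or dst in allowed_servers:
            continue
        hits.append({
            "ts": rec["ts"],
            "src": rec["id.orig_h"],
            "dst": dst,
            "orig_bytes": int(rec["orig_bytes"]),   # bytes the client sent (queries, stolen data)
            "resp_bytes": int(rec["resp_bytes"]),   # bytes the server sent (commands, payloads)
        })
    return hits


def external_tds_by_server(text, allowed_servers=frozenset()):
    """Group flagged sessions by external server: {dst: sorted internal sources}.
    One external 'database' contacted by several workstations is the pattern
    a shared C&C server produces."""
    by_dst = defaultdict(set)
    for hit in find_external_tds(text, allowed_servers):
        by_dst[hit["dst"]].add(hit["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    for hit in find_external_tds(SAMPLE_CONN_LOG):
        print(f"{hit['ts']}  {hit['src']} -> {hit['dst']}:{TDS_PORT}  "
              f"sent={hit['orig_bytes']} recv={hit['resp_bytes']}")
    for dst, srcs in external_tds_by_server(SAMPLE_CONN_LOG).items():
        print(f"external SQL server {dst} contacted by {len(srcs)} host(s): {srcs}")
```

This is a flow-level signal only: a cloud-hosted SQL Server used by a line-of-business application will trip it too, which is what the allowlist is for, and confirmation still requires looking at the session contents (a TDS pre-login followed by SQL batches from a host that runs no database client is the tell). Response byte counts are worth keeping in the alert, since payload delivery over this channel shows up as large server-to-client transfers.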


Written by
Waylon Grange

A team of researchers from a number of universities, including my own alma mater, recently released a paper outlining yet another cryptographic attack. This time the attack is against the Diffie-Hellman key exchange used in many modern protocols, including TLS, SSH, and many VPN servers.

Written by
Chris Larsen

This was going to be another "block this whole Top-level Domain" post in our recent series, as ".ninja" had begun showing up on my personal radar, and I'd also seen it on our list of TLDs with high percent

Written by
Andrew Brandt

We're so often flooded with news about novel attacks involving bespoke zero-day vulnerabilities or highly targeted campaigns operated by nation-states that it can be hard to remember that not every cybercriminal is some kind of super genius. In fact, a significant percentage fall into the Wile E. Coyote category of threat actor: determined, but forever throwing roadblocks in his own way.

This past Friday, I received yet another example of what has to be one of the most elaborately complex, Rube Goldberg-esque malware installation processes ever conceived. It's so ridiculously elaborate that I had to diagram it.

But to say that this method -- involving a macro-enabled Microsoft Word document -- is overly complex, fraught with multiple opportunities for failure, and frankly pretty weird does not mean that the attack isn't effective.

To the contrary: The attack mechanism, when nudged along by a compliant victim (or a motivated security analyst), functions remarkably well, despite its questionable pedigree. I've been following this infection mechanism for several months. While bits and pieces have changed over time, the overall flow of the process has remained relatively static, which indicates to me that at least some victims are playing along right until the end. And the eventual payload, Trojan-Dyre, is not something to treat lightly. But the attack itself is so pointlessly complicated that it makes me question the sanity of its creator.

Written by
Snorre Fagerland

Article has been updated. See additional information towards the end.


Written by
Kiel Wadner
"An anomaly is any variation from the baseline— and what we are primarily searching for is anomalies. Anomalies are things that either do not happen but should, or that do happen but shouldn't. During any situation, we expect certain things to happen and not to happen."