Sunday, November 20, 2016

Nemucod downloader spreading via Facebook


Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook's file extension filter:

'Photo_9166.svg'




















What is an .svg file? From Wikipedia:

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
This means, more specifically, that you can embed any content you want (such as JavaScript). Moreover, any modern browser will therefore be able to open this file.


Contents of our 'photo' are as follows:

Copy of file on Pastebin here












It's a heavily obfuscated script, which, after opening, redirects you to the following website:


Fake Youtube - "You must install the codec extension to watch this video."















A website purporting to be Youtube, including a video from Facebook - of course, you'll need to install an additional extension to view it :)

The extension has no icon and thus seems invisible and has the following permissions:





















Currently, I'm not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook (harvesting your credentials in the process), but likely it downloads other malware to your machine.

One of my security colleagues had in fact noticed similar behavior and got ransomware (Locky) as payload:



The extensions' description can be one of the following, and seem semi-random. Note that other variations are possible:

One ecavu futolaz corabination timefu episu voloda 
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

The Facebook security team as well as Google Chrome's store security team have been notified.

UPDATE 22/11/2016

  • The rogue Chrome extensions are removed from the store. 
  • Facebook is now filtering for SVG files as well:


Test.svg, containing just a window.alert() method







Removal


Remove the malicious extension from your browser immediately:








Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.



Conclusion

As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave.

Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.

For those interested, all related files have been uploaded to VirusTotal, and their hashes and domains can be found, as always, on AlienVault's OTX:

Monday, November 14, 2016

Cybercrime Report Template



In this blog post I'll be contributing a template or form, made as simple as possible, to enable you to report cybercrime in a more efficient way. Scroll down if you're not interested in the background story.

The purpose or need of this form arose several years ago, when I wrote a blog post about the 'blame game'. In short, I wrote about how we are all guilty of pointing fingers when a cyberincident occurs.

In reality, the only person or entity to blame, is the one that infected you or your organisation. Since publishing that specific post, cooperation has definitely improved - whether that is due to my post or not, I'll leave aside - an example is the No More Ransom project.

The blog post concluded stating that post-infection information is scarce: there is prevention, incident handling, malware cleaning all around - but available information on what to do afterwards was rather poor.

In short: report it to your CERT or local police department!

You can fill in the template below and download and/or print it as a PDF, which you can submit or include to an organisation of your choosing.




The template is also available on the following link:
Cybercrime Report Template

Disclaimer: no information will be sent to me or Jotform at any point.

Additionally to the template included in this blog post, or in link above, it is also seperately available as a PDF.

Organisations that wish to use this template, are free to do so. I have added the source on Github, which you'll be able to find here.



Resources

Please refer to the following websites if you would also like to report this seperately:
Report Cybercrime Online (EU)
IC3 Complaint Referral Form (US)

In case you do not want to report this to a specific law enforcement agency seperately, just fill in the form above. If you are willing, it is possible to share any information through Criminal Intelligence teams - this can be completely anonymous, similar to this form.

Be sure to contact your CERT or local police department to ask if they have such a team or anonymous reporting possiblity (see also links above).

You can find a list of CERTs here:
CERTs by Country - Interactive Map
List of National CSIRTs

APCERT team members