Official Blog of Trustwave's SpiderLabs - SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.
Two weeks ago we gave a talk at the Ruxcon 10 conference in Melbourne, Australia titled “Bitcoin Transaction Malleability Theory In Practice”. Despite having the same title as our Blackhat USA 2014 talk, we came to Melbourne with some new insights that we’d also like to share with you here on the SpiderLabs blog.
In October 2014, as part of my talk at the Black Hat Europe 2014 event, I presented a new web attack vector that enables attackers to gain complete control over a victim’s machine by virtually downloading a file from trusted domains. I decided to call this technique Reflected File Download (RFD), as malware can be "downloaded" from highly trusted domains such as Google.com and Bing.com without ever being uploaded.
Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sights on a U.S.-based reporter.
This scenario, however, would differ from the first. The reporter, Sophie, was our only target. Co-workers, company or family were off limits. Sophie wrote about the experience from her perspective here. Below, we’ll tell the story from the perspective of Trustwave SpiderLabs, playing the role of “theoretical” attacker.
The latest update to the TrustKeeper scan engine that powers our Trustwave Vulnerability Management product (including both internal and external vulnerability scanning) is now available. The update adds a check for a Drupal SQL injection vulnerability (CVE-2014-3704).
Following last week’s announcement of a zero-day vulnerability for PowerPoint (CVE-2014-4114), we suspected it would not be too long before we saw this attack being used via email attachments. So when this email with a PowerPoint attachment appeared in our spam traps, it kinda stuck out, as we don’t typically see a lot of PowerPoint attachments.
A quick look at the unpack tree from our Secure Email Gateway showed the presence of a couple of OLEObject bin files. Hmm, definitely worth a look.
Predictably, cybercriminals have taken advantage of the Ebola virus’s heavy news coverage over the past several months. We’ve spotted a couple of malicious spam samples that reference the Ebola virus in the last week. The image below shows an example of one such e-mail purporting to be from the World Health Organization. The attached file poses as a document about Ebola virus safety tips.
Figure 1: An Ebola-themed malicious spam campaign claiming to be from the World Health Organization
Upon closer inspection, the RAR compressed file attachment is not a document file but an executable file of a DarkComet Remote Access Trojan (RAT). This Trojan makes use of its heavily obfuscated AutoIt-based script to run undetected by antivirus software.
The latest update to the TrustKeeper scan engine that powers our Trustwave Vulnerability Management product (including both internal and external vulnerability scanning) is now available. A highlight of the update is an additional check for the recently disclosed POODLE vulnerability in version 3 of the SSL protocol (CVE-2014-3566). This week’s release also includes new tests for an additional 27 vulnerabilities.