<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/0000_Sec_Logo_with_tm.png" alt="0000_Sec_Logo_with_tm.png" width="320" style="width: 320px; display: block; margin-left: auto; margin-right: auto;"></p> <p>Xbot, HawkEye, and AZORult have made recent appearances on the CyberCrime<span style="font-size: 12.1612px; background-color: transparent;">tracker and are now tracked by both the tracker and ThreatSTOP. The goal of the three families is stealing sensitive information from victims.</span></p> <!--more--><h2>Xbot</h2> <p><strong>Xbot</strong> is a Trojan family given its name by <a href="https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/">Palo Alto Networks</a> who also believe the malware is a successor to <strong>Alurin</strong> a previous Android Trojan. The primary difference being the programing languages and libraries used by the malware. With <strong>Xbot</strong> focusing on JavaScript and the Rhino framework from Mozilla, while <strong>Alurin</strong> used .NET and Lua. It appears, however, that the author is the same, having just changed up their toolchain.</p> <p><strong>Xbot</strong> has already appeared in 22 malware apps all targeting Android devices. The distribution seems to be targeting Eastern Europe, Russia, and Australia. With Eastern Europe and Russia confirmed by <a href="https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/">Avast</a>. This targeting is due -- at least in the European and Russian cases -- to the use of non-Google based app markets, instead favoring local app markets which may not have the same level of scrutiny that Google provides.</p> <p>Under active development, it's expected that this Trojan will continue to be an active force for some time. Its primary method of gathering data is to mimic Google Play store payment screens and record the data provided by the user, it can also spoof several banking applications. Additionally, it has the ability to encrypt the device and demand a ransom and will copy all SMS messages, and contact information.</p> <p>The malware's development is extensible, currently targeting banks in Russia and Australia, it can be expanded to target other countries and Android apps. Its main attack method is to hijack the phone's activity and injects itself over applications that are in use. This doesn't attack the application itself but instead poses an interfering layer over an active application. Another attack vector displays an alert which asks the user to input credit card information.</p> <p>In some instances, a command from the C2C system will cause <strong>XBot</strong> to encrypt the phone and demand a ransom. In order for this to occur the malware asks the user to grant it administrator privileges, if granted these permissions and the switch is thrown, then the device encrypts itself.</p> <p>In any case, the end goal of <strong>Xbot</strong> is the same: capture SMS (text message) data, contact information, and banking information and send it to the C2C.</p> <p>Xbot family was added to the following ThreatSTOP targets:</p> <ul> <li>TS Curated – Mobile Threats (Standard and expert)</li> <li>TS Curated – Banking Threats (Standard and expert)</li> <li>CyberCrime Tracker (Expert only)</li> <li>Xbot (Expert only)</li> </ul> <h2>HawkEye</h2> <p>Shifting from Android we're going to look at the <strong><a href="https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/">HawkEye</a></strong> family of malware. <strong>HawkEye</strong> targets Word, but it does something a little different from the usual Word attack.</p> <p>It's worth noting that <strong>HawkEye</strong> itself isn't an actual piece of malware, but rather a category of malware defined by Sophos's security researcher, Gabor Szappanos (Spazi).</p> <p>More traditional Word based attacks have relied on attaching macros (kind of a mini-program) to a Word doc. Then begging the user to turn on macros to get it to run. <strong>HawkEye</strong> doesn't require macros. Instead, it relies on two factors:</p> <ul> <li>The user hasn't patched their version of Word for some time.</li> <li>The user blindly trusts any document sent to them from the Internet.</li> </ul> <p>While a significant number of users patch regularly and aren't in danger of this attack, a small number are.</p> <p><strong>HawkEye</strong> works by using a malformed Word Doc. On opening, the document Word will crash, but still, has programmatic control over the OS. It uses this control to download and install another piece of malware (making this a <a href="http://dochub.threatstop.com/display/TS/D#D-_dropper">dropper</a>), this new malware then carries out whatever nefarious deeds the attacker wants.</p> <p>One of the biggest concerns with this type of attack is that it lowers the bar for attack difficulty. A malicious user, not even a savvy one, can buy malformed Word docs, and embed malware into them. Then a spear phishing campaign could see a decent return for the amount of time invested.</p> <p>The defense against this type of attack is to counteract the two points above. Patch regularly, and don't open unexpected attachments to emails.</p> <p>HawkEye family was added to the following ThreatSTOP targets:</p> <p>TS Curated – Botnets (Standard and expert)</p> <p>CyberCrime (Expert only)</p> <p>HawkEye (Expert only)</p> <p><strong>&nbsp;</strong></p> <h2>AZORult</h2> <p><strong>AZORult</strong> is actually the weakest of this bunch, it's not much of a family. It's a Trojan horse that steals information from a compromised system.</p> <p>After installation and running by another piece of malware (most commonly <strong>Seamless</strong>), <strong>AZORult</strong> begins looking for sensitive data. In particular, it looks for and submits the following to its C2C, as provided by <a href="https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/">malwarebreakdown.com</a>:</p> <ul> <li>Saved passwords from several program types (Browsers, Email, FTP, IM)</li> <li>Cookies from browsers and forms (form history, autofill):</li> <li>Collects wallet.dat files from popular bitcoin clients (Bitcoin, Litecoin, etc.)</li> <li>Skype message history</li> <li>Grabs files from chat history then reads the files with special utilities</li> <li>Desktop files grabber</li> <li>Collects files with specified extensions from Desktop. Filtered by file size. Recursively searches files in folders.</li> <li>List of installed programs</li> <li>List of running processes</li> <li>Username, computer name, OS, RAM</li> </ul> <p><strong>AZORult</strong> needs other malware, like <strong>HawkEye</strong>, <strong>Xbot</strong> or <strong>Seamless</strong>, to get into the computer. From there it can grab its data and submits it to its C2C system. It's also a known and quick to remediate Trojan, with a removal tool already crafted by <a href="https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2016-072914-2700-99">Symantec</a>.</p> <p>AZORult family was added to the following ThreatSTOP targets:</p> <p>TS Curated – Botnets (Standard and Expert)</p> <p>CyberCrime (Expert only)</p> <p>AZORult (Exprt only)</p> <p>&nbsp;</p> <p>To enable ThreatSTOP’s protection against these malware families in your firewall turn on the targets described above in the ThreatSTOP portal.</p> <p>If you don’t have a ThreatSTOP account, . If you do have a ThreatSTOP account, instructions to add targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our team.</p></span>