Year: 2018
Malicious PHP Script Infects 2,400 Websites in the Past Week
A botnet dubbed Brain Food is giving webmasters indigestion with related attacks that push bogus diet pills and IQ-boosting pills via web pages hosted on legitimate sites. So far, spammers have been successful, thanks to an effective Hypertext Preprocessor (PHP) script (also called Brain Food) that has adroitly avoided detection on websites hosting the pitches.
Over the past four months, researchers at Proofpoint said they have tracked 5,000 Brain Food compromised websites. In a post outlining its research Friday, Proofpoint said 2,400 of those compromised sites have been active over the past seven days pushing dubious pills under the false premise that the product claims had originally been made on the television shows Shark Tank and Entertainment Today.
“While this botnet is small compared to other spam sending infrastructure, the size of this botnet is sufficient to provide the operators with easily reconfigured redirects,” wrote Kevin Epstein, VP of Threat Operations at Proofpoint, in an email interview with Threatpost.
Domain registrar and hosting firm GoDaddy has been disproportionately impacted by the Brain Food script, accounting for 40 percent of the 5,000 compromised sites. That’s followed by hosting firms DreamHost, UnitedLayer and CyrusOne.
“An individual website may contain multiple copies of the PHP script. We have observed this script installed on websites using different content management systems including WordPress and Joomla,” researchers wrote.
Spam attacks hit inboxes in the form of stripped down email messages typically with no subject and basic greeting (see below).
The body of the message contained a URL shortener link using Google’s goo.gl and bit.ly. Spammers had been blocked by Google’s URL shortener service when Google stopped allowing anonymous users to create goo.gl links. “By the end of April, the spammer appears to have found a means of circumventing the Google restrictions,” wrote researchers.
Recipients who click on the link are redirected to the compromised website that hosts the diet or intelligence-boosting pill pitch.
Brain Food: Malicious PHP Script
The script itself employs several layers of defense to evade detection by researchers and search engine crawlers. “The code is polymorphic and obfuscated with multiple layers of base64 encoding,” they said. “A version recently uploaded to a malware repository was not flagged by any antivirus engine.”
When a site infected with the malicious Brain Food PHP code is crawled, the script redirects to the correct page. It then stalls for five seconds and “redirects to the root of the compromised domain, delays and returns nothing, or redirects to the UNICEF website,” researchers said.
“The attackers want victims to get redirected. But it wants search engines, analysts and sandboxes to get redirected to an innocuous site – whether it be the root of the compromised domain or the UNICEF website. The built-in delays are enough for many automated analysis systems to time out without detecting a potentially malicious redirect,” Epstein said.
Criminals maintain control over the landing pages and keep stats on the campaigns from C2 servers prostodomen1[.]com and thptlienson[.]com.
Even more worrisome is a backdoor in the Brain Food code that allows “remote execution of shell code on web servers which are configured to allow the PHP ‘system’ command,” researchers wrote.
Epstein told Threatpost that the backdoor feature is not currently being utilized. “Many web hosts do not allow access to the PHP system command. Exact potential impact depends on backend configurations and security settings,” he said.
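The two traits the researchers single out, layered base64 obfuscation and a decoded payload that reaches for PHP’s system command, are exactly what a webmaster can hunt for in a WordPress or Joomla install. The scanner below is an added example written for this digest; it is not Proofpoint’s detection logic and does not reflect the real Brain Food code. The 40-character literal threshold, the nesting-depth rule and the list of dangerous calls are assumptions, and the test input it builds is a constructed benign echo statement wrapped in three base64 layers.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, Tuple

# Heuristics (assumptions, not Proofpoint's rules): a base64 literal of 40+
# characters handed to base64_decode(), plus dangerous calls either wrapping
# the decode or appearing inside the decoded payload.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]")
EVAL_WRAPPER = re.compile(r"\b(eval|assert)\s*\(\s*base64_decode", re.I)
DANGEROUS = re.compile(
    r"\b(eval|assert|create_function|system|passthru|shell_exec|exec)\s*\(", re.I)


def peel_base64(blob: str, max_layers: int = 10) -> Tuple[int, str]:
    """Decode repeatedly while the result is still valid base64 text.
    Returns (layers_decoded, innermost_text)."""
    current = re.sub(r"\s+", "", blob)
    layers = 0
    while layers < max_layers:
        try:
            current = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break  # no longer base64: we have reached the real payload
        layers += 1
    return layers, current


def scan_php_source(source: str) -> dict:
    """Score one PHP file by obfuscation depth and dangerous calls."""
    findings = []
    for match in B64_CALL.finditer(source):
        layers, inner = peel_base64(match.group(1))
        calls = sorted({c.lower() for c in DANGEROUS.findall(inner)})
        findings.append({"layers": layers, "inner_calls": calls})
    max_layers = max((f["layers"] for f in findings), default=0)
    wrapped = bool(EVAL_WRAPPER.search(source))
    suspicious = wrapped or max_layers >= 2 or any(f["inner_calls"] for f in findings)
    return {"findings": findings, "max_layers": max_layers,
            "eval_wrapped": wrapped, "suspicious": suspicious}


def scan_tree(root: str) -> Dict[str, dict]:
    """Walk a web root and report every .php file that trips the heuristics."""
    report = {}
    for path in Path(root).rglob("*.php"):
        result = scan_php_source(path.read_text(errors="replace"))
        if result["suspicious"]:
            report[str(path)] = result
    return report


def build_constructed_sample(layers: int = 3) -> str:
    """Constructed benign input: an echo wrapped in N base64 layers and eval()."""
    blob = "echo 'constructed benign sample';"
    for _ in range(layers):
        blob = base64.b64encode(blob.encode()).decode()
    return f"<?php eval(base64_decode('{blob}')); ?>"


if __name__ == "__main__":
    print(scan_php_source(build_constructed_sample()))
```

Run `scan_tree("/var/www/html")` (path is a placeholder) against a site backup rather than the live document root, and treat hits as leads for manual review: legitimate plugins occasionally ship a single base64 layer, which is why the depth rule only fires at two or more, while anything that decodes to system or shell_exec deserves attention regardless of depth. Polymorphic code will defeat any fixed string signature, so the scanner keys on structure rather than bytes.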
TeenSafe Tracking App Exposes Thousands of Private Records
Thousands of accounts for TeenSafe, which is a mobile app that parents can use to monitor what their kids are doing online, have been exposed in the latest Amazon Web Services cloud misconfiguration.
According to a report from ZDNet, which verified the data breach, there were at least two servers left open to the internet without a password, with information easily available in plaintext.
The leaky servers were discovered by security researcher Robert Wiggins, who told ZDNet that the information trove contained parental email addresses, Apple ID information including emails and passwords, the name of the teen’s device and the phone’s unique identifier. Fortunately, no location information, nor photos or message content was made public, but the info that was on offer is certainly enough to mount a phishing expedition or log into an account and hijack it.
“This breach is a perfect example of all information security and security development best practices being violated or not implemented whatsoever,” Rishi Bhargava, co-founder at Demisto, told Threatpost. “Clear-text passwords are evil and there is no reason to store any password in [a] database without encryption. There are so many open source libraries to do basic encryption that encrypting passwords is not additional work at all.”
Analysis of the bucket found that there were about 10,200 of the aforementioned records found in the main server, some of them duplicates; the other contained only test data by all appearances. TeenSafe has since removed the public access for both, and the company said that it’s in the process of notifying those affected. It didn’t say whether the information had been accessed by bad actors.
The app is a privacy and security researcher’s nightmare in many ways. On the former front, it allows parents to spy on their children in very invasive ways. These include being able to read all text messages, including those that were deleted, along with messages sent by third-party services, such as WhatsApp. It also records call logs, both outgoing and incoming; allows location-tracking and location history review; and gives parents a window into browsing history and bookmarks. The service also allows parents to block access to certain apps and shut down the device entirely. All of this can be done without the teen’s consent.
Meanwhile, the service actually requires the disabling of two-factor authentication in order to use it. And no hashes or other precautionary measures were found among the data, even though the company claims on its homepage that it encrypts its data: “industry-leading SSL and vormetric data encryption to secure your child’s data,” it says, adding, “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.”
“It is absolutely shocking that a company that promotes security and protecting your most valuable assets, your children, has completely left sensitive data unsecured and available to cybercriminals who will abuse it,” Joseph Carson, chief security scientist at Thycotic, told Threatpost via email. “The ironic thing is that they require two-factor authentication to be turned off (yes turned OFF), and that they store passwords in clear text. It’s surprising that companies still do such irresponsible actions against cybersecurity best practices.”
He added that with only four days until the EU’s GDPR privacy regulation is enforced, TeenSafe appears to have been lucky with the timing of this incident.
“I’m sure it might not be the last we hear about how this impacts EU citizens’ data, which should make May 26th an interesting day related to this particular data breach,” he said.
The misconfiguration of cloud storage buckets resulting in data exposure of sensitive information has been an ongoing problem for companies and organizations of all sizes, even at the US Department of Defense. Billions of records have been inadvertently exposed to the public internet in the past few quarters.
“This is yet another example of organizations, in this case one developing monitoring applications, deploying in the cloud without understanding the security implications,” said Mukul Kumar, CISO and vice president of cyber practice at Cavirin, via email. “Under the shared responsibility model, TeenSafe has the responsibility to protect the data, but their IT team obviously didn’t uphold their part of the shared-responsibility bargain. The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise. When spinning up an EC2 instance and S3 storage buckets is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge. Parents deploying these types of applications also need to better understand the nuances of these applications, but we know that won’t happen.”
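The “process checks” Kumar asks for can be scripted on the customer side of the shared-responsibility line. The audit below is an added example for this digest, not TeenSafe’s configuration and not an AWS tool: it inspects the three places an S3 bucket becomes public (the bucket policy, the ACL and the account or bucket Public Access Block settings). The policy, ACL and Public Access Block dictionaries mirror the shapes the S3 API returns; the sample documents, bucket names and the account ID in them are constructed placeholders, and wiring the functions to a real client (for instance boto3’s get_bucket_policy, get_bucket_acl and get_public_access_block) is left to the reader.

```python
import json
from typing import List, Optional

# Group URIs that make an ACL grant public; these are the real AWS values.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Keys of PublicAccessBlockConfiguration; all four should be true.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> list:
    """Policy JSON allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal) -> bool:
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json: str) -> List[str]:
    """Flag Allow statements open to everyone. A Condition downgrades the
    finding to REVIEW: it may narrow the grant to a VPC endpoint or source IP,
    or it may not, so a human has to read it."""
    policy = json.loads(policy_json)
    issues = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not principal_is_everyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        level = "REVIEW" if stmt.get("Condition") else "PUBLIC"
        issues.append(f"{level}: statement {idx} allows {actions} to everyone")
    return issues


def audit_bucket_acl(acl: dict) -> List[str]:
    """ACL shape mirrors the GetBucketAcl response."""
    issues = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            issues.append(f"PUBLIC: ACL grants {grant.get('Permission')} to {group}")
    return issues


def audit_public_access_block(config: Optional[dict]) -> List[str]:
    """A missing configuration means nothing is blocked."""
    config = config or {}
    return [f"WEAK: {key} not enabled" for key in PAB_KEYS if not config.get(key)]


def audit_bucket(policy_json: Optional[str], acl: dict, pab: Optional[dict]) -> List[str]:
    issues = audit_bucket_policy(policy_json) if policy_json else []
    issues += audit_bucket_acl(acl)
    issues += audit_public_access_block(pab)
    return issues


# Constructed sample inputs (placeholders, not any real account's configuration).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-records",
                                "arn:aws:s3:::example-records/*"]}],
})
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-backend"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-records/*"}],
})
OPEN_ACL = {"Owner": {"ID": "owner-id-placeholder"},
            "Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "owner-id-placeholder"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}
FULL_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for line in audit_bucket(OPEN_POLICY, OPEN_ACL, None):
        print(line)
```

The ordering matters in practice: when all four Public Access Block settings are on, a public ACL or wildcard policy is ignored by S3, so the WEAK findings are the ones to fix first, and the PUBLIC findings tell you what would have been exposed had the block not been there. Running this across every bucket on a schedule is how an exposure like the one described above is caught before a researcher finds it.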
Roaming Mantis Swarms Globally, Spawning iOS Phishing, Cryptomining
The Roaming Mantis mobile banking trojan is roaming further afield than it ever has before. Recent analysis shows that the malware has rapidly evolved just in the past month. It’s now targeting Europe and the Middle East in addition to Asian countries. According to researchers, it’s following the cyber-zeitgeist by expanding its capabilities to include cryptomining (and iOS phishing).
Roaming Mantis is a mostly-mobile malware which this year has been spreading via DNS hijacking. Potential victims are typically redirected to a malicious webpage that distributes a trojanized application that pretends to be either Facebook or Chrome. Once installed manually by users, a trojan banker will execute.
Its sights have become much wider, however.
“Roaming Mantis has evolved quickly,” said Kaspersky Lab researcher Suguru Ishimaru, in an analysis posted on Friday. “The actors behind it have been quite active in improving their tools. The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”
Global Infections
On the multilingual front, Roaming Mantis (a.k.a. MoqHao or XLoader) was seen this month to have significantly tweaked its landing pages and malicious APK files to support 27 languages – a serious expansion from the four languages it used in campaigns just a month ago.
In campaigns observed in April, its activity was located mostly in Bangladesh, Japan and South Korea, according to Ishimaru. Kaspersky Lab has now confirmed that several more languages have been hardcoded in the HTML source of the landing page.
These include: Arabic, Armenian, Bulgarian, Bengali, both traditional and simplified Chinese, Czech, English, Georgian, German, Hebrew, Hindi, Indonesian, Italian, Japanese, Korean, Malay, Polish, Portuguese, Russian, Serbo-Croatian, Spanish, Tagalog, Thai, Turkish, Ukrainian and Vietnamese.
The expansion is succeeding in terms of garnering more victims: “We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator,” Ishimaru said. “It’s clear from [our data] that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India [bear] the brunt.”
New Targets and Tactics
In addition to broadening its target range, an analysis of the Roaming Mantis code reveals the criminals behind the malware have added a phishing option that targets iOS device users and a cryptomining option targeting PCs. This is a departure from the group’s primary focus on the Android platform, researchers said.
“When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple[dot]com/’,” Ishimaru explained. “A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172[.]247[.]116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple[dot]com’ in the address bar of the browser.”
The phishing site steals user IDs, passwords, card numbers, card expiration dates and CVVs. Here is where researchers said the HTML source of the phishing site supported 25 languages. Notably, the languages Bengali and Georgian are missing from the phishing site.
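Ishimaru’s observation gives defenders a cheap test: a name that does not exist in the public DNS should never resolve, so a router whose DNS answers for it has been tampered with. The check below is an added example for this digest, not Kaspersky Lab code. It compares answers from the resolver the router hands out against a trusted resolver for a list of canary names; the resolvers are injectable so the constructed tables can run offline. The rogue table uses the domain and IP quoted in the analysis above, while the other answers in it are constructed placeholders.

```python
import socket
from typing import Callable, Dict, List, Optional

# A resolver returns an IPv4 address string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through whatever DNS the router (via DHCP) handed this host."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dict_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a static table; used for the constructed samples."""
    return lambda name: table.get(name)


def check_dns_hijack(local: Resolver, trusted: Resolver, canaries: List[str]) -> List[str]:
    """Two signals: a name that is NXDOMAIN upstream but resolves locally is a
    hijack; a name that resolves to different addresses is only a lead, since
    CDNs legitimately answer differently per resolver."""
    findings = []
    for name in canaries:
        local_ip, trusted_ip = local(name), trusted(name)
        if trusted_ip is None and local_ip is not None:
            findings.append(
                f"HIJACK: {name} does not exist upstream but local DNS answers {local_ip}")
        elif local_ip is not None and trusted_ip is not None and local_ip != trusted_ip:
            findings.append(
                f"REVIEW: {name} -> {local_ip} locally vs {trusted_ip} upstream (CDN or hijack)")
    return findings


# Constructed answer tables. The first entry of the rogue table is the domain
# and address quoted in the Kaspersky Lab analysis; everything else is made up.
ROGUE_ROUTER_DNS = dict_resolver({
    "security.apple.com": "172.247.116.155",
    "www.example.com": "192.0.2.10",
})
TRUSTED_DNS = dict_resolver({
    "www.example.com": "192.0.2.10",
})
CANARIES = ["security.apple.com", "www.example.com"]

if __name__ == "__main__":
    for line in check_dns_hijack(ROGUE_ROUTER_DNS, TRUSTED_DNS, CANARIES):
        print(line)
```

To use it on a real network, pass `system_resolver` as the local side and a resolver that bypasses the router (for example a DNS-over-HTTPS client or dnspython pointed at a known public resolver) as the trusted side. The canary list should contain a few names that are known not to exist alongside well-known hosts; the nonexistent ones carry the clean signal, because a rogue resolver has to answer for its phishing domain.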
Meanwhile, the perpetrators have added a new feature: web mining via the CoinHive script executed in the browser. “When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the cryptomining activity in the browser,” Ishimaru said.
Better Evasion Techniques
“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in [the Kaspersky Lab post] include a new method of retrieving the C2 by using the email POP protocol, server-side dynamic auto-generation of changing APK file names, and the inclusion of an additional command to potentially assist in identifying research environments,” researchers wrote.
The dynamic auto-generation helps avoid blacklisting, they said.
“Aside from the filename, we also observed that all the downloaded malicious APK files are unique due to package generation in real time as of May 16, 2018,” explained Ishimaru. “It seems the actor added automatic generation of APK per download to avoid blacklisting by file hashes. This is a new feature.”
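Generating a fresh APK per download defeats a blocklist keyed on whole-file hashes, but it only helps the actor if the parts that change are parts the defender hashes. The code below is an added example for this digest, not a Kaspersky Lab tool and not an analysis of the real samples: it builds constructed stand-in APKs (plain zip archives with a fake manifest, a fake classes.dex and a filler resource that changes per build) and shows that a fingerprint over the code-bearing entries alone survives the repackaging that a file hash does not.

```python
import hashlib
import io
import os
import zipfile
from typing import Set

# Constructed manifest; a real one is binary XML, which does not matter here.
CONSTRUCTED_MANIFEST = b"<manifest package='com.example.constructed'/>"


def build_constructed_apk(dex: bytes, filler: bytes) -> bytes:
    """Stand-in for a per-download APK: identical code, changing filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", CONSTRUCTED_MANIFEST)
        zf.writestr("classes.dex", dex)
        zf.writestr("res/raw/noise.bin", filler)  # regenerated on every build
    return buf.getvalue()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_code_entry(name: str) -> bool:
    """The entries that carry behaviour: the manifest and every classesN.dex."""
    return name == "AndroidManifest.xml" or (name.startswith("classes") and name.endswith(".dex"))


def code_fingerprint(apk: bytes) -> str:
    """Hash only the code-bearing entries, in canonical order, so filler
    resources, file names and zip timestamps do not change the value."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in sorted(zf.namelist()):
            if is_code_entry(name):
                digest.update(name.encode() + b"\0")
                digest.update(hashlib.sha256(zf.read(name)).digest())
    return digest.hexdigest()


def matches_blocklist(apk: bytes, hash_blocklist: Set[str], fp_blocklist: Set[str]) -> str:
    """Report which list caught the sample: 'hash', 'fingerprint' or 'none'."""
    if file_sha256(apk) in hash_blocklist:
        return "hash"
    if code_fingerprint(apk) in fp_blocklist:
        return "fingerprint"
    return "none"


def demo() -> dict:
    """Two builds of the same code with different filler, plus an unrelated one."""
    dex = b"dex\n035\0constructed-dex-bytes"
    first = build_constructed_apk(dex, os.urandom(64))
    second = build_constructed_apk(dex, os.urandom(64))
    other = build_constructed_apk(b"dex\n035\0unrelated-constructed-dex", os.urandom(64))
    hashes = {file_sha256(first)}          # what a hash-only blocklist would hold
    fingerprints = {code_fingerprint(first)}
    return {
        "same_file_hash": file_sha256(first) == file_sha256(second),
        "same_fingerprint": code_fingerprint(first) == code_fingerprint(second),
        "second_caught_by": matches_blocklist(second, hashes, fingerprints),
        "other_caught_by": matches_blocklist(other, hashes, fingerprints),
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint is only as durable as whatever the actor leaves constant; if a later campaign re-obfuscates the DEX on each download too, the invariant moves elsewhere (the hardcoded mailbox credentials and the ‘abcd’ anchor string described above are the sort of thing that then becomes the signature), and behavioural detection on the device takes over from file matching entirely.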
Meanwhile, older Roaming Mantis samples connected to the C2 by accessing a “legitimate website, extracting a Chinese string from a specific part of the HTML code, and decoding it,” said the researcher. In the most recent sample, instead of pulling the C2 from an HTML page, Roaming Mantis uses an email protocol to retrieve it.
“The malware connects to an email inbox using hardcoded outlook.com credentials via POP3,” Ishimaru said. “It then obtains the email subject (in Chinese) and extracts the real C2 address using the string ‘abcd’ as an anchor.”
Also, the previous malicious APK from April “had 18 backdoor commands to confirm victims’ environments and to control devices.” The malware has now added a feature that calls the OS ping command with the IP address of the C2 server.
“By running this, the attackers validate the availability of the server, packet travel time or detect network filtering in the target network,” he said. “This feature can also be used to detect semi-isolated research environments.”
In August 2017, McAfee first identified and reported the existence of Roaming Mantis. At that time, the distribution method was SMS and South Korea was its only target. “[By] April 2018, it had already implemented DNS hijacking and expanded its targets to the wider Asian region,” Ishimaru said.
This latest expansion indicates that the actors behind the malware have no intention of slowing down their attack rate.