Hi Ronald, as you know, it's not the first time; they also did a similar thing to Psiphon (Iranian version).

https://malwr.com/analysis/Y2ZiNTVjYjdiODk5NGM5NGIzZmVkYzY4YTQ1MDI4ZGE/#signature_infostealer_browser

Personally, I will start teaching people tomorrow how they can recognize fake/malware versions of Psiphon and the real/original one. Thanks for it; it's very useful.

Nariman

On Thu, Mar 13, 2014 at 6:30 PM, Ronald Deibert <[email protected]> wrote:

> Dear Libtech,
>
> In the past 24 hours Citizen Lab researchers have been tracking a maliciously re-packaged version of Psiphon 3, the popular circumvention tool. The file drops a working copy of Psiphon 3 as well as an njRAT implant. This is likely part of a targeted attack against the Syrian opposition by a known actor, not all users of Psiphon.
>
> This brief note describes the implant’s appearance and behavior, then explains how to obtain and verify genuine copies of Psiphon 3. The Psiphon team is monitoring the attack, and gives these instructions on how to check your copy of Psiphon 3 <https://psiphon.ca/en/faq.html#authentic-windows>.
>
> Click here to read the full note <https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/> by Research Fellow John Scott-Railton.
>
> And I am copying and pasting the report below:
>
> Maliciously Repackaged Psiphon Found
>
> *March 13, 2014*
>
> Tagged: Malware <https://citizenlab.org/tag/malware/>, Psiphon 3 <https://citizenlab.org/tag/psiphon-3/>, Surveillance <https://citizenlab.org/tag/surveillance/>, Syria <https://citizenlab.org/tag/syria/>
> Categories: Reports and Briefings <https://citizenlab.org/category/research-news/reports-briefings/>
>
> *Author: John Scott-Railton*
>
> Summary
>
> The Citizen Lab developed the original design of Psiphon, a censorship circumvention software, which was spun out of the lab into a private Canadian corporation (Psiphon Inc.) in 2008. In the past 24 hours, we have identified a *malicious repackaging of the Psiphon 3* circumvention tool.
> The malware contains both a functioning copy of Psiphon, and the njRAT trojan. When executed, the implant communicates with a Syrian Command and Control server. *This is likely part of a targeted attack against the Syrian opposition by a known actor, not all users of Psiphon*.
>
> Interestingly, this is not the first time we identified a malicious repackaging of circumvention programs in the context of the Syrian conflict. For example, in June 2013 we published a report describing how attackers had maliciously modified the proxy software Freegate <https://citizenlab.org/2013/06/a-call-to-harm/>.
>
> This brief note describes the implant’s appearance and behavior, then explains how to obtain and verify genuine copies of Psiphon 3. The Psiphon team is monitoring the attack, and Karl Kathuria (Psiphon’s VP) encourages all new users of Psiphon to check the validity of their client. If in doubt, visit psiphon.ca <https://psiphon.ca/en/index.html> to download a new copy.
>
> Details and Appearance of the Malware
>
> The file name and icon are intended to appear identical to a genuine Psiphon 3 executable file. The malware is believed to be part of an active campaign.
>
> [image: Malicious (left) and genuine (right) Psiphon 3 icons]
>
> *File Properties*
> Filename: psiphon.exe
> MD5: 28bf01f67db4a5e8e6174b066775eae0
>
> The malware was first observed on the night of 11 March 2014 (Pacific Time): VirusTotal has the binary <https://www.virustotal.com/en/file/1182ffd81b4ee9bed90ca490ca5bb258e19cce68175d1a69f054030db1075df6/analysis/> with detection of 3/50 at time of writing.
>
> Examination of the properties of a malicious and genuine Psiphon 3 provides the first clue that the file may not be what it seems. The malicious packaging is unsigned, whereas Psiphon 3 is always signed.
>
> [image: Malicious file (left) and genuine Psiphon 3 (right). Note the original “Windows.exe” file name and the absence of a digital signature in the fake.] <https://citizenlab.org/wp-content/uploads/2014/03/comparison_properties.png>
>
> The file appears to have been written in Visual Studio, and the PE is .NET dependent. Examination of strings in the binary indicates limited operational security (or deliberate misinformation) on the part of the attackers. For example:
>
> c:\users\allosh hacker\documents\visual studio 2012\Projects\allosh\allosh\obj\Debug\Windows.pdb
>
> Infection & Persistence
>
> Once executed, the user sees the Psiphon 3 GUI. The malware has, in fact, dropped and executed a *working copy of Psiphon 3* alongside the implant.
>
> [image: Psiphon 3 GUI shown to the victim while the implant is dropped.] <https://citizenlab.org/wp-content/uploads/2014/03/Psi_splash.png>
>
> A malicious file is dropped by psiphon.exe into the user’s AppData\Local folder:
> C:\Users\[USER]\AppData\Local\Tempserver.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> Psiphon 3 is dropped and run from the same directory:
> C:\Users\[USER]\AppData\Local\Temppsiphon3.exe
> MD5: 81287134d7aa541beae4b000d4ab3f19
>
> The Psiphon 3 binary is functional, and is digitally signed by Psiphon. The attacker appears to have used a very recent copy of Psiphon 3.
>
> Meanwhile, Tempserver.exe makes the infection permanent by adding a copy of itself to the Windows Startup folder named “chrome.exe”:
> C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> Tempserver.exe also copies itself as explorer.exe, and executes the newly created PE implant:
> C:\Users\[User]\AppData\Roaming\Explorer.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> This file is, in fact, the trojan njRAT.
>
> [image: Properties of explorer.exe (njRAT).] <https://citizenlab.org/wp-content/uploads/2014/03/explorer_properties.png>
>
> Some Other Behavior
>
> The implant, explorer.exe, begins collecting keystrokes, and writing the output to a file in the directory it was created in:
> C:\Users\[USER]\AppData\Roaming\Explorer.exe.tmp
>
> Here we see the keylogger capturing credentials as the victim enters credentials into Gmail.com via Internet Explorer and writing them to Explorer.exe.tmp:
> 14/03/12 iexplore Gmail – Windows Internet Explorer
> dummy.login[TAP]
> dummy.password
>
> Interestingly, the keylogger records “TAB” as “TAP,” a behavior that may help in identification.
>
> Among other activities, the implant modifies the Windows Firewall to allow itself access to the network by issuing the following command line to netsh.exe:
> netsh firewall add allowedprogram “C:\Users\[User]\AppData\Roaming\Explorer.exe” “Explorer.exe” ENABLE
>
> Command & Control
>
> The implant initiates a TCP connection with 31.9.48.141 from port 49189 to the C2 on port 1960. Whois records for this IP address indicate that it is in Syria.
> inetnum: 31.9.0.0 – 31.9.127.255
> netname: SY-ISP-TARASSUL
> descr: Tarassul inetnet Service Provider
> country: SY
>
> Analysis
>
> Psiphon 3 is a widely used and trusted circumvention product. It is unsurprising that it, along with other security and communications tools used by Syrian opposition groups, should be maliciously re-purposed. We do not believe this indicates a broader attack against Psiphon 3 users throughout the globe. Instead we suspect this was developed for yet another targeted attack against the opposition. Similarly, njRAT has been widely used by attackers in Syria, and is frequently packaged with dummy or functional programs. The continued targeting of security and communications is insidious: it reflects a well-informed approach to targeting the Syrian opposition with social engineering.
>
> Attacks similar to this are complemented by others using intriguing political or religious content, and other forms of social engineering. Such attacks have been extensively analyzed by my Citizen Lab colleague Morgan Marquis-Boire and reported by Eva Galperin of the EFF, as well as many <http://blog.trendmicro.com/trendlabs-security-intelligence/fake-skype-encryption-software-cloaks-darkcomet-trojan/> other <http://blog.malwarebytes.org/intelligence/2012/06/blackshades-in-syria/> researchers <https://docs.google.com/file/d/0B2lkfUkdFSQjWVlKbTVMQ3dNY3M/edit>. The most recent joint Citizen Lab and EFF report (December 2013) can be found here <https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns>.
>
> Actions to Take
>
> The developers of Psiphon were notified of the malware and suggest concerned users take the following steps (content adapted from their website).
>
> 1. Check your copy of Psiphon for Windows by following these simple steps outlined by Psiphon <https://psiphon.ca/en/faq.html#authentic-windows> on their website:
> 2. Right click on the Psiphon icon and select “Properties”
> 3. You should see a “Digital Signatures” tab. Click it. *If you do not see this tab, you may be looking at malware.*
> 4. Examine the Digital Signatures tab. Does it look like the image below? (Click for larger image) [image: faq-authentic-windows] <https://citizenlab.org/wp-content/uploads/2014/03/faq-authentic-windows.png>
> 5. Psiphon’s website states: “The SHA1 thumbprint for the Psiphon Inc. certificate public key is displayed in the Certificate dialog Details tab.
> For the certificate valid for the period June 16, 2011 to June 21, 2012 the SHA1 thumbprint is: 8f:b7:ef:bd:20:a9:20:3a:38:37:08:a2:1e:0a:1d:2e:ad:7b:ee:6d
> For the certificate valid for the period May 21, 2011 to July 30, 2014 the SHA1 thumbprint is: 84:c5:13:5b:13:d1:53:96:7e:88:c9:13:86:0e:83:ee:ef:48:8e:91
> Psiphon for Windows auto-updates itself, and this process automatically verifies that each update is authentic.”
> 6. Note: while the malware does drop a working copy of Psiphon 3 (with a digital signature), it will be in a different directory than the one you executed Psiphon from (C:\Users\[USER]\AppData\Local\Temppsiphon3.exe)
> 7. The developers of Psiphon encourage anyone interested in Psiphon 3 to take these steps to ensure their copy of Psiphon is genuine. If in doubt, send a blank email to [email protected] to receive a new copy. Any questions for Psiphon’s developer team can be sent to [email protected].
>
> In addition, while the malicious packaging results in a working copy of Psiphon and has a visually indistinguishable icon, the malware also leaves a number of files, any of which should be considered strong evidence of an infection. Here are several to watch out for:
> C:\Users\[Your Username]\AppData\Local\Tempserver.exe
> C:\Users\[Your Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
> C:\Users\[Your Username]\AppData\Roaming\Explorer.exe
> C:\Users\[Your Username]\AppData\Roaming\Explorer.exe.tmp
>
> If these files are found, machines should be disconnected from the internet and reformatted. Additionally, users should take immediate steps to secure their accounts, as well as contacting others whose sensitive information may have been incidentally exposed.
>
> *In addition to these recommendations, we also suggest that, when possible, users make use of 2 factor authentication.*
>
> - To learn more about how to enable 2-Factor Authentication, see the links below for guides on how to do this on Facebook, Gmail and Twitter.
>
> 2 Factor Tutorial for Facebook <https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/techblog.avira.com/2013/01/15/how-to-enable-two-factor-authentication-for-facebook/en/>
> Enable 2 Factor for Gmail <http://www.google.com/landing/2step/>
> Enable 2 Factor for Twitter <https://blog.twitter.com/2013/getting-started-with-login-verification>
>
> We note, however, that it is difficult for users in Syria to implement 2 factor authentication. The Google Play store is blocked for Syrian users by Google because of current Sanctions and Export Control regulations. This makes it difficult to obtain the 2-factor authentication app. Use of SMS messages as an alternative may present an unacceptable risk of exposure to surveillance. This remains an unresolved problem.
>
> Acknowledgments
>
> Psiphon Team and Karl Kathuria, Nart Villeneuve <http://www.fireeye.com/blog/author/narottama-villeneuve> (FireEye) for first conclusively identifying this as njRAT, Morgan Marquis-Boire (Citizen Lab), Seth Hardy (Citizen Lab) and Irene Poetranto (Citizen Lab).
>
> Ronald Deibert
> Director, the Citizen Lab
> and the Canada Centre for Global Security Studies
> Munk School of Global Affairs
> University of Toronto
> (416) 946-8916
> PGP: http://deibert.citizenlab.org/pubkey.txt
> http://deibert.citizenlab.org/
> twitter.com/citizenlab
> [email protected]
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
--
PGP: 084F 95C0 BD1B B15A 129C 90DB A539 6393 6999 CBB6
www.NARIMAN.Tel
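The two checks the quoted note asks users and responders to make, as an added, offline example (not code from the note, from Citizen Lab or from Psiphon): first, whether a PE even carries an embedded Authenticode certificate table, which is what decides whether Windows shows the "Digital Signatures" tab the note tells users to look for; second, a scan of a user profile for the dropped files the note lists, matching by the published MD5s and then by file name and location. Assumptions: the stub PE headers are constructed for testing and are not the real samples; the name/location rules generalise the paths in the note (so any `server.exe` under `AppData\Local` is flagged, and the dropper's `Temp` directory is assumed to be a folder named `Temp`); and the script only reports that a certificate table exists, it does not validate the signature or compare the signer thumbprint.

```python
"""Offline triage for the repackaged-Psiphon indicators in the Citizen Lab note.

Added example, not code from the note, Citizen Lab or Psiphon.
  pe_has_authenticode(): is the PE's Security data directory (entry 4) populated?
      Windows shows the "Digital Signatures" tab only when it is, so an empty entry
      is the note's "no tab" red flag. A populated entry still has to be validated
      and its signer thumbprint compared with Psiphon's published values.
  scan_profile(): walk a user profile and flag the dropped files the note lists.
"""
import hashlib
import os
import shutil
import struct
import tempfile

KNOWN_MD5 = {  # hashes published in the note
    "28bf01f67db4a5e8e6174b066775eae0": "malicious psiphon.exe dropper",
    "e1f2b15ec9f9a282065c931ec32a44b0": "njRAT implant (server.exe / chrome.exe / Explorer.exe)",
}


def pe_has_authenticode(data: bytes) -> bool:
    """True if the PE image points at an embedded certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= 4:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)  # entry 4 = Security
    return offset != 0 and size != 0


def build_stub_pe(security_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections, no code), used only for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                    # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if security_size:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_profile(profile_dir: str):
    """Return sorted (relative path, reason) pairs for files matching an indicator."""
    roaming, startup = os.path.join("appdata", "roaming"), os.path.join("programs", "startup")
    local = os.path.join("appdata", "local")
    findings = []
    for dirpath, _, files in os.walk(profile_dir):
        rel_dir = os.path.relpath(dirpath, profile_dir).lower()
        for name in files:
            path = os.path.join(dirpath, name)
            rel, lname = os.path.relpath(path, profile_dir), name.lower()
            with open(path, "rb") as f:
                digest = hashlib.md5(f.read()).hexdigest()
            if digest in KNOWN_MD5:
                findings.append((rel, "known MD5: " + KNOWN_MD5[digest]))
            # Name/location rules generalised from the paths in the note (an assumption).
            elif rel_dir.endswith(roaming) and lname in ("explorer.exe", "explorer.exe.tmp"):
                findings.append((rel, "njRAT implant or keystroke log name in AppData\\Roaming"))
            elif rel_dir.endswith(startup) and lname == "chrome.exe":
                findings.append((rel, "persistence copy in the Startup folder"))
            elif lname == "server.exe" and local in rel_dir:
                findings.append((rel, "dropped server.exe under AppData\\Local"))
    return sorted(findings)


def demo():
    """Build a constructed profile tree mirroring the note's layout, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="psiphon-triage-")
    layout = {  # contents are stubs, not the real samples
        ("AppData", "Roaming", "Explorer.exe"): build_stub_pe(0),
        ("AppData", "Roaming", "Explorer.exe.tmp"): b"14/03/12 iexplore Gmail\r\ndummy.login[TAP]\r\n",
        ("AppData", "Roaming", "Microsoft", "Windows", "Start Menu",
         "Programs", "Startup", "chrome.exe"): build_stub_pe(0),
        ("AppData", "Local", "Temp", "server.exe"): build_stub_pe(0),   # assumes Temp\server.exe
        ("Desktop", "psiphon3.exe"): build_stub_pe(0x1800),             # stub with a certificate table
        ("Documents", "notes.txt"): b"benign",
    }
    for parts, content in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    try:
        findings = scan_profile(root)
        with open(os.path.join(root, "Desktop", "psiphon3.exe"), "rb") as f:
            signed = pe_has_authenticode(f.read())
    finally:
        shutil.rmtree(root)
    return findings, signed
```

Running `demo()` returns four findings (the two `Explorer.exe*` files in Roaming, `chrome.exe` in Startup and `server.exe` under Local) and `True` for the stub that carries a certificate table; pass a real profile path to `scan_profile()` for a live check. On a Windows machine the thumbprint comparison the note describes is still done in the certificate dialog, or with PowerShell's `Get-AuthenticodeSignature`, whose `SignerCertificate.Thumbprint` can be compared with the values Psiphon publishes; a certificate table that merely exists proves nothing about who signed it.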
