[liberationtech] Maliciously Repackaged Psiphon Found
Nariman Gharib
nariman.gh at gmail.com
Thu Mar 13 14:46:21 PDT 2014
Hi Ronald,
As you knew, it's not the first time, and they also did a similar thing to
Psiphon (Iranian version).
https://malwr.com/analysis/Y2ZiNTVjYjdiODk5NGM5NGIzZmVkYzY4YTQ1MDI4ZGE/#signature_infostealer_browser
Personally, I will start teaching people from tomorrow how they can
recognize the fake/malware version of Psiphon and the real/original one.
Thanks for it; it's very useful.
Nariman
On Thu, Mar 13, 2014 at 6:30 PM, Ronald Deibert <r.deibert at utoronto.ca> wrote:
> Dear Libtech,
>
> In the past 24 hours Citizen Lab researchers have been tracking a
> maliciously re-packaged version of Psiphon 3, the popular circumvention
> tool. The file drops a working copy of Psiphon 3 as well as an njRAT
> implant. This is likely part of a targeted attack against the Syrian
> opposition by a known actor, not all users of Psiphon.
>
> This brief note describes the implant’s appearance and behavior, then
> explains how to obtain and verify genuine copies of Psiphon 3. The Psiphon
> team is monitoring the attack, and give these instructions on how to
> check your copy of Psiphon 3 <https://psiphon.ca/en/faq.html#authentic-windows>.
>
> Click here to read the full note <https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/> by
> Research Fellow John Scott-Railton.
>
> And I am copying and pasting the report below:
>
> Maliciously Repackaged Psiphon Found
>
> *March 13, 2014*
>
> Tagged: Malware <https://citizenlab.org/tag/malware/>, Psiphon 3 <https://citizenlab.org/tag/psiphon-3/>,
> Surveillance <https://citizenlab.org/tag/surveillance/>, Syria <https://citizenlab.org/tag/syria/>
> Categories: Reports and Briefings <https://citizenlab.org/category/research-news/reports-briefings/>
>
> *Author: John Scott-Railton*
> Summary
>
> The Citizen Lab developed the original design of Psiphon, a censorship
> circumvention software, which was spun out of the lab into a private
> Canadian corporation (Psiphon Inc.) in 2008. In the past 24 hours, we have
> identified a *malicious repackaging of the Psiphon 3* circumvention tool.
> The malware contains both a functioning copy of Psiphon, and the njRAT
> trojan. When executed, the implant communicates with a Syrian Command and
> Control server. *This is likely part of a targeted attack against the
> Syrian opposition by a known actor, not all users of Psiphon*.
>
> Interestingly, this is not the first time we identified a malicious
> repackaging of circumvention programs in the context of the Syrian
> conflict. For example, in June 2013 we published a report describing how
> attackers had maliciously modified the proxy software Freegate
> <https://citizenlab.org/2013/06/a-call-to-harm/>.
>
> This brief note describes the implant’s appearance and behavior, then
> explains how to obtain and verify genuine copies of Psiphon 3. The Psiphon
> team is monitoring the attack, and Karl Kathuria (Psiphon’s VP) encourages
> all new users of Psiphon to check the validity of their client. If in
> doubt, visit psiphon.ca <https://psiphon.ca/en/index.html> to download a
> new copy.
> Details and Appearance of the Malware
>
> The file name and icon are intended to appear identical to a genuine
> Psiphon 3 executable file. The malware is believed to be part of an active
> campaign.
> [image: Malicious (left) and genuine (right) Psiphon 3 icons]
>
> Malicious (left) and genuine (right) Psiphon 3 icons
>
> *File Properties*
> Filename: psiphon.exe
> MD5: 28bf01f67db4a5e8e6174b066775eae0
>
> The malware was first observed on the night of 11 March 2014 (Pacific
> Time): Virus Total has the binary
> <https://www.virustotal.com/en/file/1182ffd81b4ee9bed90ca490ca5bb258e19cce68175d1a69f054030db1075df6/analysis/>
> with detection of 3/50 at time of writing.
>
> Examination of the properties of a malicious and genuine Psiphon 3
> provides the first clue that the file may not be what it seems. The
> malicious packaging is unsigned, whereas Psiphon 3 is always signed.
> [image: Malicious package (left) and legitimate Psiphon 3 (right). Note
> the original "Windows.exe" file name and the absence of a digital signature
> in the malicious file.]<https://citizenlab.org/wp-content/uploads/2014/03/comparison_properties.png>
>
> *Malicious file (left)* and *genuine Psiphon 3 (right)*. Note the
> original “Windows.exe” file name and the absence of a digital signature in
> the fake.
>
> The file appears to have been written in Visual Studio, and the PE is .NET
> dependent. Examination of strings in the binary indicate limited
> operational security (or deliberate misinformation) on the part of the
> attackers.
>
> For example:
> c:\users\allosh hacker\documents\visual studio
> 2012\Projects\allosh\allosh\obj\Debug\Windows.pdb
> Infection & Persistence
>
> Once executed, the user sees the Psiphon 3 GUI. The malware has, in fact,
> dropped and executed a *working copy of Psiphon 3* alongside the implant.
> [image: Psi_splash]<https://citizenlab.org/wp-content/uploads/2014/03/Psi_splash.png>
>
> Psiphon 3 GUI shown to the victim while the implant is dropped.
>
> A malicious file is dropped by psiphon.exe into the User’s AppData\Local
> folder:
> C:\Users\[USER]\AppData\Local\Tempserver.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> Psiphon 3 is dropped and run from the same directory:
> C:\Users\[USER]\AppData\Local\Temppsiphon3.exe
> MD5: 81287134d7aa541beae4b000d4ab3f19
> The Psiphon 3 binary is functional, and is digitally signed by Psiphon.
> The attacker appears to have used a very recent copy of Psiphon 3.
>
> Meanwhile, Tempserver.exe makes the infection permanent by adding a copy
> of itself to the Windows Startup folder named “chrome.exe.”
> C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start
> Menu\Programs\Startup\chrome.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> Tempserver.exe also copies itself as explorer.exe, and executes the newly
> created PE implant.
> C:\Users\[User]\AppData\Roaming\Explorer.exe
> MD5: e1f2b15ec9f9a282065c931ec32a44b0
>
> This file is, in fact, the trojan njRAT.
> [image: Properties of explorer.exe (njRAT).]<https://citizenlab.org/wp-content/uploads/2014/03/explorer_properties.png>
>
> Properties of explorer.exe (njRAT).
> Some Other Behavior
>
> The implant, explorer.exe, begins collecting keystrokes, and writing the
> output to a file in the directory it was created in.
> C:\Users\[USER]\AppData\Roaming\Explorer.exe.tmp
>
> Here we see the keylogger capturing credentials as the victim enters
> credentials into Gmail.com via Internet Explorer and writing them to
> Explorer.exe.tmp.
> 14/03/12 iexplore Gmail – Windows Internet Explorer
> dummy.login[TAP]
> dummy.password
>
> Interestingly, the keylogger records “TAB” as “TAP,” a behavior that may
> help in identification.
>
> Among other activities, the implant modifies the Windows Firewall to allow
> itself access to the network by issuing the following command line to
> netsh.exe
> netsh firewall add allowedprogram
> “C:\Users\[User]\AppData\Roaming\Explorer.exe” “Explorer.exe” ENABLE
> Command & Control
>
> The implant initiates a TCP connection with 31.9.48.141 from port 49189 to
> the C2 on port 1960. Whois records for this IP address indicate that it is
> in Syria.
> inetnum: 31.9.0.0 – 31.9.127.255
> netname: SY-ISP-TARASSUL
> descr: Tarassul inetnet Service Provider
> country: SY
> Analysis
>
> Psiphon 3 is a widely used and trusted circumvention product. It is
> unsurprising that it, along with other security and communications tools
> used by Syrian opposition groups, should be maliciously re-purposed. We do
> not believe this indicates a broader attack against Psiphon 3 users
> throughout the globe. Instead we suspect this was developed for yet
> another targeted attack against the opposition. Similarly, njRAT has been
> widely used by attackers in Syria, and is frequently packaged with dummy or
> functional programs. The continued targeting of security and
> communications is insidious: it reflects a well-informed approach to
> targeting the Syrian opposition with social engineering.
>
> Attacks similar to this are complemented by others using intriguing
> political or religious content, and other forms of social engineering.
> Such attacks have been extensively analyzed by my Citizen Lab colleague
> Morgan Marquis-Boire and reported by Eva Galperin of the EFF, as well as
> many<http://blog.trendmicro.com/trendlabs-security-intelligence/fake-skype-encryption-software-cloaks-darkcomet-trojan/>
> other<http://blog.malwarebytes.org/intelligence/2012/06/blackshades-in-syria/>
> researchers<https://docs.google.com/file/d/0B2lkfUkdFSQjWVlKbTVMQ3dNY3M/edit>.
> The most recent joint Citizen Lab and EFF report (December 2013) can be
> found here
> <https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns>.
> Actions to Take
>
> The developers of Psiphon were notified of the malware and suggest
> concerned users take the following steps (content adapted from their
> website).
>
> 1. Check your copy of Psiphon for Windows by following these simple
> steps outlined by Psiphon <https://psiphon.ca/en/faq.html#authentic-windows> on
> their website:
> 2. Right click on the Psiphon icon and select “Properties”
> 3. You should see a “Digital Signatures” tab. Click it. *If you do
> not see this tab, you may be looking at malware.*
> 4. Examine the Digital Signatures Tab. Does it look like the image
> below? (Click for larger image)[image: faq-authentic-windows]<https://citizenlab.org/wp-content/uploads/2014/03/faq-authentic-windows.png>
> 5. Psiphon’s website states: “The SHA1 thumbprint for the Psiphon Inc.
> certificate public key is displayed in the Certificate dialog Details tab.
> For the certificate valid for the period June 16, 2011 to June 21, 2012 the
> SHA1 thumbprint is:
> 8f:b7:ef:bd:20:a9:20:3a:38:37:08:a2:1e:0a:1d:2e:ad:7b:ee:6d
> The certificate valid for the period May 21, 2011 to July 30, 2014 the
> SHA1 thumbprint is:
> 84:c5:13:5b:13:d1:53:96:7e:88:c9:13:86:0e:83:ee:ef:48:8e:91
> Psiphon for Windows auto-updates itself, and this process automatically
> verifies that each update is authentic.”
> 6. Note: while the malware does drop a working copy of Psiphon 3 (with
> a digital signature), it will be in a different directory than the one you
> executed Psiphon from (C:\Users\[USER]\AppData\Local\Temppsiphon3.exe)
> 7. The developers of Psiphon encourage anyone interested in Psiphon 3
> to take these steps to ensure their copy of Psiphon is genuine. If in
> doubt, send a blank email to get at psiphon3.com to receive a new copy.
> Any questions for Psiphon’s developer team can be sent to
> info at psiphon.ca.
>
> In addition, while the malicious packaging results in a working copy of
> Psiphon and has a visually indistinguishable icon, the malware also leaves
> a number of files, any of which should be considered strong evidence of an
> infection. Here are several to watch out for:
> C:\Users\[Your Username]\AppData\Local\Tempserver.exe
> C:\Users\[Your Username]\AppData\Roaming\Microsoft\Windows\Start
> Menu\Programs\Startup\chrome.exe
> C:\Users\[Your Username]\AppData\Roaming\Explorer.exe
> C:\Users\[Your Username]\AppData\Roaming\Explorer.exe.tmp
>
> If these files are found, machines should be disconnected from the
> internet and reformatted. Additionally, users should take immediate steps
> to secure their accounts, as well as contacting others whose sensitive
> information may have been incidentally exposed.
>
> *In addition to these recommendations, we also suggest that, when
> possible, users make use of 2 factor authentication.*
>
> - To learn more about how to enable 2-Factor Authentication, see the
> links below for guides on how to do this on Facebook, Gmail and Twitter.
>
> 2 Factor Tutorial for Facebook<https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/techblog.avira.com/2013/01/15/how-to-enable-two-factor-authentication-for-facebook/en/>
> Enable 2 Factor for Gmail <http://www.google.com/landing/2step/>
> Enable 2 Factor for Twitter<https://blog.twitter.com/2013/getting-started-with-login-verification>
>
> We note, however, that it is difficult for users in Syria to implement 2
> factor authentication. The Google Play store is blocked for Syrian users
> by Google because of current Sanctions and Export Control regulations. This
> makes it difficult to obtain the 2-factor authentication app. Use of SMS
> messages as an alternative may present an unacceptable risk of exposure to
> surveillance. This remains an unresolved problem.
> Acknowledgments
>
> Psiphon Team and Karl Kathuria, Nart Villeneuve<http://www.fireeye.com/blog/author/narottama-villeneuve> (FireEye)
> for first conclusively identifying this as njRAT, Morgan Marquis-Boire
> (Citizen Lab), Seth Hardy (Citizen Lab) and Irene Poetranto (Citizen Lab).
>
> Ronald Deibert
> Director, the Citizen Lab
> and the Canada Centre for Global Security Studies
> Munk School of Global Affairs
> University of Toronto
> (416) 946-8916
> PGP: http://deibert.citizenlab.org/pubkey.txt
> http://deibert.citizenlab.org/
> twitter.com/citizenlab
> r.deibert at utoronto.ca
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
--
PGP: 084F 95C0 BD1B B15A 129C 90DB A539 6393 6999 CBB6
www.NARIMAN.Tel
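The following is an added defender-side triage script illustrating the checks the quoted report recommends; it is not code from the Citizen Lab report, from Psiphon, or from either message above. It does four things: verifies that a Psiphon 3 executable carries a valid Authenticode signature whose signer thumbprint matches one of the two Psiphon Inc. thumbprints quoted in the report, looks for the dropped-file indicators under every user profile and compares their MD5s with the two hashes listed, checks the keylog file for the "[TAP]" marker, and lists any firewall rule that references the Roaming\Explorer.exe implant. Assumptions: Windows PowerShell 4.0 or later (for Get-FileHash), run as an administrator so that all profiles under C:\Users are readable; `$PsiphonPath` is a placeholder for wherever the suspect download was saved; the indicator paths are copied exactly as they appear in the report text above; and the firewall check assumes the legacy `netsh firewall` entry is listed by the `advfirewall` context, which is the case on Vista and later.

```powershell
# Added triage example (not part of the Citizen Lab report or Psiphon's guidance).
# Assumes PowerShell 4+, elevated session, and that $PsiphonPath points at the file
# the user downloaded (placeholder default).
param([string]$PsiphonPath = "$env:USERPROFILE\Downloads\psiphon3.exe")

# SHA1 thumbprints of the Psiphon Inc. certificates quoted from psiphon.ca in the
# report. PowerShell exposes thumbprints as upper-case hex without colons.
$KnownPsiphonThumbprints = @(
    '8f:b7:ef:bd:20:a9:20:3a:38:37:08:a2:1e:0a:1d:2e:ad:7b:ee:6d',
    '84:c5:13:5b:13:d1:53:96:7e:88:c9:13:86:0e:83:ee:ef:48:8e:91'
) | ForEach-Object { ($_ -replace ':', '').ToUpperInvariant() }

# MD5 hashes from the report: the repackaged dropper and the njRAT implant.
$KnownBadMd5 = @('28bf01f67db4a5e8e6174b066775eae0', 'e1f2b15ec9f9a282065c931ec32a44b0')

# Dropped-file indicators relative to each user profile, as printed in the report.
$IocRelativePaths = @(
    'AppData\Local\Tempserver.exe',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe',
    'AppData\Roaming\Explorer.exe',
    'AppData\Roaming\Explorer.exe.tmp'
)

function Test-PsiphonSignature {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Not found: $Path"; return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # The malicious package is unsigned, so any status other than 'Valid' is the
    # scripted equivalent of the missing "Digital Signatures" tab (step 3).
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : Authenticode status '$($sig.Status)' - treat as suspect"
        return $false
    }
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($KnownPsiphonThumbprints -contains $thumb) {
        Write-Host "$Path : signed with Psiphon Inc. certificate $thumb"
        return $true
    }
    # A valid signature alone is not enough; the signer must be Psiphon Inc. (step 5).
    Write-Warning "$Path : signed by '$($sig.SignerCertificate.Subject)' ($thumb), not Psiphon Inc."
    return $false
}

function Find-NjRatArtifacts {
    $hits = @()
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
        foreach ($rel in $IocRelativePaths) {
            $full = Join-Path $userDir.FullName $rel
            if (-not (Test-Path -Path $full)) { continue }
            $md5 = (Get-FileHash -Path $full -Algorithm MD5).Hash.ToLowerInvariant()
            $hits += [pscustomobject]@{
                Path      = $full
                MD5       = $md5
                KnownBad  = ($KnownBadMd5 -contains $md5)
                # Explorer.exe.tmp is the keylog; the implant records TAB as "[TAP]".
                TapMarker = ($full -like '*Explorer.exe.tmp') -and
                            [bool](Select-String -Path $full -Pattern '\[TAP\]' -Quiet)
            }
        }
    }
    return $hits
}

function Find-ImplantFirewallRule {
    # The implant allows itself through the firewall via "netsh firewall add
    # allowedprogram"; list every rule and keep lines naming the implant path.
    $rules = & netsh.exe advfirewall firewall show rule name=all
    return $rules | Select-String -Pattern 'AppData\\Roaming\\Explorer\.exe'
}

$signatureOk = Test-PsiphonSignature -Path $PsiphonPath
$artifacts   = @(Find-NjRatArtifacts)
$fwRules     = @(Find-ImplantFirewallRule)

if ($artifacts.Count -gt 0 -or $fwRules.Count -gt 0) {
    Write-Warning 'Indicators of the repackaged Psiphon / njRAT infection found:'
    $artifacts | Format-Table -AutoSize
    $fwRules | ForEach-Object { Write-Warning "Firewall rule: $_" }
} elseif ($signatureOk) {
    Write-Host 'No indicators found and the Psiphon binary is signed by Psiphon Inc.'
}
```

Run it as `.\Check-Psiphon.ps1 -PsiphonPath C:\path\to\psiphon3.exe` from an elevated prompt. The signature check deliberately distinguishes "unsigned" from "signed by someone else": the report's own point is that the fake has no signature at all, but a future repackaging could carry some other valid signature, which is why the thumbprint comparison matters. Any artifact hit, whether or not its MD5 matches (the implant could be rebuilt), is grounds for the report's advice to disconnect and reformat.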