Research Saturday 3.3.18
Ep 25 | 3.3.18

Lebal malware phishes for victims.


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Fatih Orhan: [00:01:02] We discovered it with our sensors, which we monitor 24/7 around the globe. We have visibility in almost all countries, and we are monitoring suspicious activities in all different security areas.

Dave Bittner: [00:01:23] That's Fatih Orhan. He's vice president of Threat Labs at Comodo Security Solutions. Today we're discussing his team's research on a recently discovered malware strain called Lebal.

Fatih Orhan: [00:01:32] This case, the specific case, was brought to our attention because we had seen some phishing emails, an increasing number of phishing emails, especially for some industries or some types of users, like universities and private companies. It all started with a phishing email. The email was well-crafted; it was different from the others, although our systems raised alerts and detected this. We found it valuable to investigate and to further analyze the case. The email was pretending to be coming from FedEx, and it was including a legit link, a URL that redirects to Google Drive. So from a user standpoint, there is nothing that you might be suspicious of or that might alert you, because all seems to be legit.

Dave Bittner: [00:02:28] Yeah, FedEx is a legitimate company, and certainly Google Drive is legit as well.

Fatih Orhan: [00:02:34] Right. And even when you click the link, you get this secure logo, you know, the HTTPS, and so it says it's a legit website. The secure logo also creates a sense of trust, a sense of security for the user. But it was an executable that users had to download to their computer and run. Eventually, when the application is run, that's where the malicious part comes into the picture, and it was trying to collect all the data in the computer, all sensitive data. Criminals know how to get their credentials, the credit cards, the bitcoin wallets, all kinds of sensitive information. This malware was collecting all of it and sending it to unknown servers, criminals' servers mostly.

Dave Bittner: [00:03:28] Yeah, well, let's walk through it step by step here. So they would get the phishing email, and they would click the link in the phishing email, and that would take them, that would open a site in their browser, and would that site present them with this file to download? What file was that?

Fatih Orhan: [00:03:46] Yeah, the file itself has a PDF icon, but actually it's not a PDF file. So this is also a trick that hackers are using currently, because usually, if you connect it with your regular email attachment, you would only see the PDF file and you wouldn't suspect that it might be an executable, a malicious executable. The second step of the attack is the download of the malware application, which is an executable, but disguised as a PDF file.

Dave Bittner: [00:04:22] And even if you bring up the sort of "get info" on that file, it goes on to try to present itself as an Adobe PDF file.

Fatih Orhan: [00:04:30] Right. Exactly. So Adobe PDF file, all the details, all the information is there so that the users are led to think that it is a PDF file. So usually PDF is not seen as a malicious source, although it might still be, with some scripts, but it's more secure than any executable. You know, the users are tricked, and the executable is behind this PDF Acrobat image.

Dave Bittner: [00:05:05] So once they download this executable, do they manually have to execute it? Does it automatically auto-execute, or do they have to click on it to start it running?

Fatih Orhan: [00:05:14] For this case, there is no auto-execute, because actually Google is serving this application. This Google Drive is the main source. So we usually see these kinds of cloud-based storage services being used for malicious application, malicious content distribution. But since they don't have control over Google or any other cloud storage, they cannot initiate or trigger the execution of that downloaded application. So the user has to run these applications in this case.

Dave Bittner: [00:05:51] Which is interesting, because the name of the file, is it really something that, I suppose, would attract people to run it? But I guess enough people run it that it's a problem.

Fatih Orhan: [00:06:02] Right. And yeah, usually one person executing this malicious file in the network is enough so that it can copy itself to other computers or other locations as well.

Dave Bittner: [00:06:16] I see. So once the file is downloaded and they've executed it, what happens next? Take us through how it reaches out and the things that it does.

Fatih Orhan: [00:06:24] First there is an investigation phase. Usually the malware tries to stay hidden. Being unaware of the system, it tries to check some folders, specific folders and specific files, to extract credentials or wallets, cryptocurrency wallets, or any other information. So they know specific applications, like FTP clients or browser applications or Bitcoin wallets. They know the locations where these can be stored. So the first step is to investigate all this data, collect all this data.

Dave Bittner: [00:07:06] And then it connects with a command and control server?

Fatih Orhan: [00:07:10] Right. In today's world, it's very easy for a criminal to hack into a server, put a small application, as we call it a command and control server application, and connect the infected computers to these servers and send all credentials directly. And usually we experience that these servers are live less than 24 hours, like eight hours, 10 hours, 12 hours, until they are detected. And then they just jump to another server. But the malware collects the files, the credentials, and all sensitive information and sends them to the servers.

Dave Bittner: [00:07:51] And so who does it seem like they were targeting with this? Was there anyone specific, or was this more of a shotgun approach?

Fatih Orhan: [00:07:58] We know that cryptocurrency wallets are also searched for by the malware. So as you know, Bitcoin is very popular. It's hot now, so as targets, Bitcoin users were in the target. But as industry, we know that universities were one of the organizations on the target. And we had also some government organizations, and there are also private companies, so it seems like it was a generic attack towards any kind of organization.

Dave Bittner: [00:08:35] And do you have any sense of the scale of the attack? How many people did they try to hit?

Fatih Orhan: [00:08:41] By looking only at our data, it should be close to 50,000 people that are being targeted, but when we make an estimation about the global target, it should be a minimum of double that. So a hundred thousand people should be affected, should be receiving at least this e-mail, this phishing e-mail. And depending on their security solutions, they could either receive it in their inbox or they could eliminate these threats.

Dave Bittner: [00:09:12] And you said that these campaigns jump around from server to server. Is this one that you're seeing still being active, or did it sort of come and go?

Fatih Orhan: [00:09:21] This analysis was performed in the first two weeks of January. In the last two weeks, we also saw the same malware being delivered. We had a slightly different phishing, so it's a continuous campaign. And usually the servers are changing very fast, because we know that criminals are getting organized and they don't use any server for a long time, and the security companies also identify these and detect them. So it's chasing the tail of the criminals. So it's like a game.

Dave Bittner: [00:10:01] Cat and mouse.

Fatih Orhan: [00:10:04] Cat and mouse. Yes, it's like a cat and mouse game.

Dave Bittner: [00:10:07] Right. 

Fatih Orhan: [00:10:08] We know that criminals are getting organized, and usually the infrastructure owners are different from the malware producers, the malware creators, which are different from the actual phishing attack, the criminals who perform the phishing attacks. So these are different groups, but they are working in collaboration. And seeing this, we can also say that they are organized; they are even maybe more organized than some other legit companies or legit security solutions, because they can provide these as a service. They provide malicious servers or infected computers as a service. They can provide malware or phishing as a service; they can provide delivery as a service. So we know that usually these types of campaigns are performed by people who actually don't have control over the malicious server or who don't know how to write the malware; they just get and buy the service from these organized criminal groups.

Dave Bittner: [00:11:21] And what are your recommendations in terms of people protecting themselves against this?

Fatih Orhan: [00:11:25] In today's world, we can get malware from many different areas. I mean, you can download a file, you can get an email. When we are talking about phishing, users should be aware that phishing is the first entry point for malware into your computer. So they should be aware of who is sending this. They should check the links. They should check the sender, even if they can be modified or they can give some sense of trust. They should be double-checking everything, and they should just visit the pages that they know. The alternative to this, of course, is to use good security products. If they cannot perform this manually, if they don't have the necessary information about protection, they should have anti-phishing, anti-spam or malware protection solutions.

Dave Bittner: [00:12:21] Yeah, I mean, it strikes me that this was so well-crafted. There really wasn't anything in this phishing email that looked out of the ordinary or would raise any red flags.

Fatih Orhan: [00:12:31] For this one, yes, you're right. It's very hard to detect. The only suspicious part would be the executable file which is downloaded from the web browser. Any executable is potentially suspicious, usually even from FedEx or other legal entities. If you get an email, it's wise to just look at the account that you know, without using the link inside the email, and check from your account, from your own visit to the page. That might be protection for end users. They can validate if this is a legit email or not.

Dave Bittner: [00:13:19] Our thanks to Fatih Orhan from Comodo for joining us. You can read the complete report on the Lebal malware on the Comodo website. It's in the blog section. Thanks to the Hewlett Foundation Cyber Initiative for sponsoring our show. You can learn more about them at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The Coordinating Producer is Jennifer Eiben. Editor is John Petrik. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.