H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm  and njRAT/LV  through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.
Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact, the Research Team of Eleven, leading German e-mail security provider, now sees instances of criminals inventing “breaking news” that appears to relate to high-profile current events.
The Eleven Research Team continually analyzes malicious campaigns that exploit breaking news using the CNN name and other prominent news outlets to lure email recipients to malicious sites. The average time between an actual news event and its exploitation hovered around 22 hours during the last three months.
On Friday, September 6, malware distributors invented fake news designed to take advantage of public interest in the possibility of a U.S. airstrike against Syria. The emails used the subject line, “The United States Began Bombing,” and were crafted to appear as a legitimate CNN news alert. It is an example of the cybercriminal community harnessing the interest and anxiousness about current events to increase the success of their malicious campaigns.
via 22 Hours: Average Time It Takes Malware Distributors To Exploit News.
FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.
FireEye did a part II as well:
Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893)
In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the Advanced Persistent Threat (APT) Campaign Operation DeputyDog. The campaign leveraged a zero-day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and ‘Fix it’ blog post.
I am happy to announce that Xiaobo Chen, a well-known security researcher, has recently joined FireEye Labs. We worked together on the analysis of this zero-day vulnerability. In this blog, we will provide a deep dive on the exploitation part of the campaign.
Despite the targeted nature of these attacks, the exploit identifies numerous language packs (en, zh, fr, de, ja, pt, ko, ru) and software versions, which is uses to specify the correct ROP chain. Commented-out code suggests that the exploit initially targeted IE8 XP users, and IE8 and IE9 Windows 7 users who also had MS Office 2007 installed. In our tests, we observed that the exploit ran successfully on systems running both MS Office 2007 and 2010.
Recently, we have observed a new backdoor family which we’ve called BLYPT. This family is called BLYPT because of its use of binary large objects (blob) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.
Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected.
At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.
This article from the Houston Chronicle highlights the need for layered security including proper VLAN design to segregate & contain malware as part of security:
Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.
The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.
The way the article reads it seems like these platforms have large flat LANs, where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with non-routable IP addressing – Internet and the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down. Selectively open ports for maintenance and restrict when done. Monitor the heck out of the thing.
InfoSec professionals, how would you handle this type of situation?