Posts

Method: FakeSpy – Android Trojan targeting Japanese and Korean Speaking Users

On June 19th, TrendMicro released technical analysis on FakeSpy malware targeting Korean and Japanese mobile users. FakeSpy has been observed sending mobile text messages with a malicious link message that prompts a malicious Android application package. This application masquerades itself as an app for local consumer financial service companies to Korean users. For Japanese users, it pretends to be an application for transportation, logistics, courier and e-commerce companies. This application is known to monitor for text messages and send these messages back to a C&C server. It has also been observed adding contacts to the devices, resetting the device, setting it to mute, updating configurations and stealing device information.

FakeSpy has also been known to check for banking related applications and replace it with counterfeit versions. These applications will then phish for user’s credentials by informing the users that their application needs to be updated and asks them to input their key. FakeSpy hides and updates their C2 server by making use of social media. The application will access the Twitter Page that the handler maintains and parse its content to retrieve the C2 IP address.

The Proficio Threat Intelligence Recommendations:

  • Considering that FakeSpy is distributed via phishing messages, users can avoid being a victim by practicing good security habits including checking for grammatical errors and avoiding unsolicited messages that contain URL links.

Technical Analysis of Malware – Click Here

METHOD – RANCOR Malware: Southeast Asia

A new malware campaign was observed this month, which appears to be politically driven and targets organizations operating in southeast Asia. The malware was dubbed “RANCOR” by Palo Alto researchers and falls under the Trojan malware classification. Additionally, the malware appears to make use of code from two malware families: DDKONG and PLAINTEE.

The malware has been observed in at least three cases, in which high profile individuals were targeted in spear phishing emails. The email contained malicious attachments in the form of .hta, .xlxs, and .dll file types. When opened, these attachments open decoy PDFs or web pages that claim to be related to political parties from the given country. However, these attachments would also execute scripts in the background in order to complete their installation on the host system.

While this behavior might seem easy to detect at first glance, the closer look reveals the malware writers took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed when certain conditions were met. Additionally, in the case of web pages opening, the websites of legitimate government
organizations and Facebook were compromised in order to bypass security.

Though current findings show only Cambodia and Singapore have been targeted thus far in the RANCOR campaign, a number of other countries located in Asia Pacific could be targeted as well and it is recommended to update security controls to detect the IOCs associated with this attack. One tell tale sign of some RANCOR variants is the rare use of a custom UDP protocol. This protocol may be detected by some heuristic IDPS devices searching for file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows and corresponding to the SHA256 hash below.

IDPS devices can be updated to trigger on the following additional signatures that have been observed:

  • Domain: www.facebook-apps.com
  • IPv4: 89.46.222.97
  • SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
  • SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d

The Proficio Threat Intelligence Recommendations:

  • Ensure security devices are updated to latest stable firmware.
  • Monitor for IOCs related to file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows.
  • Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.

Source of Analysis – Click Here

Method – MirageFox Malware

On June 18th, malware researcher, Jay Rosenberg released some interesting findings on a binary that was analyzed by the company Intezer. The code was retrieved through VirusTotal hunting. VirusTotal is a tool used by the global cybersecurity community that allows users to upload suspicious executables to an engine to check if antivirus vendors detect anything bad about the file. The Intezer analysis revealed that the binary shared code with a remote access tool (RAT) was very similar to the code that had been mentioned in the 2017 campaign documented by NCC Group where the hacker group APT 15 had hacked entities within the UK Government.

This indicates that the group APT 15 had built a variation of their RoyalAPT malware mentioned by the NCC Group. This malware could’ve then potentially been used to perform a separate attack perhaps on an additional entity. During the article, the author states “Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” This infers that the author believes the MirageFox and US Navy Contractor hack are tied together. As a result, we have seen additional sources claiming that APT 15 was likely behind the US Navy hack of Operation Sea Dragon. We’d like to point out that the findings of the malware author do not prove this and this is only based on speculation at this time.

Some very interesting findings in the report are the command and control used within the binary. The IP address of the call home was 192.168.0.107. This is an internal IP address used within internal networks. This indicates that the command and control server was on the inside of the network, possibly on a VPN. This is a very abnormal configuration from the attacker and will throw off several types of perimeter security controls without special configuration.

The Proficio Threat Intelligence Recommendations:

  • Block hashes of IOCs on the corporate endpoint solution if possible. The researcher stated the binaries at the time of research had a low antivirus detection rate.
  • Note the internal command and control server and think about this type of attack when configuring perimeter IDPS technologies that look for outbound traffic as a means of command and control.
  • Potentially treat your internal VPN network ranges as an external network when configuring your IDPS controls. The organization will have to validate this will not result in false positive IDPS triggers.

Source of analysis – Click Here

Method: Hidden Cobra TYPEFRAME Malware Activity

On June 14th, US-CERT released a Malware Analysis Report (AR18-165A) that details a set of malware, code-named TYPEFRAME, with the earliest observed sample dating back to 2015. This malware appears to have been leveraged by North Korea’s threat actor HIDDEN COBRA (aka Lazarus). The Trojan has the capability to download and install malware, proxies and remote access tools (RATs), connect to command and control servers and modify the victim’s host based firewall to allow incoming connections.

The multiple executables and malicious document referenced within the report shows that the Trojan TYPEFRAME seems to be quite modular in nature, with different installers appearing to install different malicious modules. In summary, the multiple executables detailed in the report can be summarized as the following:

  • F5A4235EF02F34D547F71AA5434D9BB4 / BFB41BC0C3856AA0A81A5256B7B8DA51 – The installer that sets the RAT as a service on the victim’s machine
  • 10B28DA8EEFAC62CE282154F273B3E34 – This file is an installer designed to set a proxy module as a service on the victim’s machine.
  • 00B0CFB59B088B247C97C8FED383C115 – This file also serves as a proxy module designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. This module listens on port 8443.
  • BF474B8ACD55380B1169BB949D60E9E4 – This file is a RAT designed to install a proxy module as a service on the victim’s system.
  • 6AB301FC3296E1CEB140BF5D294894C5 – This malicious Word document contains a VBA macro to decode a PE binary and execute it.
  • EF9DB20AB0EEBF0B7C55AF4EC0B7BCED – This file is designed to connect to its remote C2 servers on port 443 and wait for instructions.
  • 1C53E7269FE9D84C6DF0A25BA59B822C – This file is a proxy module installed as a service and is designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. Notably, this malware makes use of a fake TLS communication mechanism.

Given the nature of the tactics used by this particular threat actor and the details available in the advisory, the threat is prevented by most common security countermeasures such as an up-to-date corporate antivirus. The risk for most organizations is likely minimal.

The Proficio Threat Intelligence Recommendations

  • Add the seven IP IOCs (indicators of compromise) flagged by US-CERT in the MAR (malware analysis report) to a firewall blocklist / SIEM monitoring watchlist.
  • Make sure to maintain antivirus products are up-to-date as this malware appears to have good detection rates amongst antivirus vendors with the samples analyzed.
  • Disable File and Printer sharing services if not required for business needs.
  • Restrict users’ ability to install and run unwanted software applications.
  • Exercise caution when opening email attachments.
  • Enable personal, host-based firewalls on individual workstations to deny unsolicited connection requests.

Source of Analysis – Click Here

TARGET: Nuance Communications – Lost Revenue and PHI

Nuance Communications, a healthcare software company which specializes in speech and imaging, has had a run of bad luck with external and internal incidents in 2017.

Last year NotPetya malware cost the company $92 million in revenue, mainly from the disruption of transcription services and systems used by healthcare customers. Nuance quickly attempted to restore client functionality which took over a month for complete remediation and restoration. This attack constituted a security incident under the HIPPA Security Rule but not a breach of PHI under the BNR (Breach Notification Rules).

In December 2017, only months following the NotPetya incident, there was an unrelated data breach from a former Nuance employee involving the PHI of 45,000 individuals. The records included healthcare provider’s patient assessments, diagnoses, dates of service and care plans. The attacker  stole these records through an unauthorized access of a transcription platform.

Nuance stated that it continues to enhance its security protection to prevent further cyberattacks as these incidents have resulted in negative press and has lost potential revenue.

Proficio Threat Intelligence Recommendations:

  • Proper network segmentation to mitigate the spread of malware outbreaks
  • Implement and enforce access controls to prevent unauthorized access
  • Backup critical systems and store them off-network

 

General Info – Click Here

Attacker: Xenotime and Trisis ICS Attacks

Dragos, an information security consulting firm that specializes in industrial control system (ICS) security consulting, reported that the threat actor known as “Xenotime” has expanded its presence in compromising ICS systems beyond the Middle East. In late 2017, FireEye and Dragos reported a threat actor had released TRISIS malware that had targeted a Middle East oil company. The attack resulted in a complete shutdown of the oil and gas facility. Forensics revealed that malware had targeted the safety instrumentation system (SIS) component of a Schneider Electric’s Triconex system that was present within the facility.

Safety instrumentation systems are responsible for taking action on critical situations within industrial control systems. They could be responsible for opening and closing valves or other types of safety systems. Failure of an SIS may result in loss of life or the disruption in the functionality of a facility. This threat actor is suspected to be state sponsored and was attempting to engineer an attack that could be used to cause physical damage in the event of a political conflict. The new revelation from Dragos indicates that the same party that was targeting the Middle East company has now expanded its presence to multiple regions around the world by targeting multiple types of ICS environments. This is very alarming issue since this threat actor is actively attempting intrusions with the intent to cause physical damage to ICS systems that may result in a loss of life or major disruption of critical industrial facilities.

Proficio Threat Intelligence Recommendations:

  • Validate an ICS monitoring solution is in place.
  • Develop special focused monitoring use cases around assets within ICS networks.
  • Monitor for vulnerability advisories from your ICS vendors.

General Info – Click Here

Method: VPNFilter Malware responsible for botnet army of 500,000 devices

Researchers from Cisco Talos with the help of numerous threat intelligence partners, have identified at least 500,000 devices worldwide that have been infected with VPNFilter malware. Large segments of the malware’s code were repurposed from the notorious BlackEnergy malware, which was responsible for massive DDoS attacks targeting Ukrainian infrastructure resulting in widespread power outages.

The majority of known infected hosts are from small office or home network devices which usually act as the perimeter network device with little to no defense in depth.  Many of these devices have publicly known exploits or default credentials that make compromising a device of this type trivial when best practices are not followed.

Known Affected Network Devices:

  • Linksys
  • MikroTik
  • NETGEAR
  • TP-Link
  • QNAP NAS

The capabilities of the VPNFilter are numerous, and  include unrestricted data collection from an affected device including banking credential theft, as well as the ability to execute a kill command to render the device unusable.  Another area of concern is the VPNFilter’s ability to monitor Modbus SCADA protocols, which are commonly used by industrial devices/applications like the BlackEnergy malware, which rendered many of Ukraine’s power substations inoperable.

Proficio Threat Intelligence Recommendations:

  • Users of SOHO routers and/or NAS devices ensure default credentials are changed and reset devices to factory defaults and reboot them in order to remove the non-persistent stage 2 and stage 3 malware.

 

General Info – Click Here

METHOD: HIDDEN COBRA Joanap and Brambul Malware Activity

US-CERT has released a technical advisory regarding a RAT (remote access tool) and an SMB (server message block) worm dubbed respectively Joanap and Brambul. Both claimed to be leveraged by the North Korea’s threat actor HIDDEN COBRA (aka Lazarous) since 2009. HIDDEN COBRA is an alias used to describe global hacking performed by a group tied with supporting the North Korean Government.

Based on the report findings, HIDDEN COBRA is responsible for using these two types of malware to target victims globally across multiple sectors. The worm appears to leverage relatively old and unsophisticated attack methods for spreading. Once infected, a system will attempt to brute force remote shares hosted over the SMB protocol using a set of about 150 common passwords such as “123456” and “cookie123” and “dbpassword.”

Analysis of the IoCs (indicators of compromise) provided in the article revealed that infrastructure primarily located in Latin American, the Middle East, and the Asia Pacific have been compromised with the malware. Command and control for the malware is somewhat unique, in that it gathers details and then attempts to send out emails to two known email addresses (misswang8107@gmail[.]com and redhat@gmail[.]com) with the compromised details of the host.

Luckily, most antivirus vendors have good detection rates for this type of malware since its older and well-known, and it attempts to spread using relatively simple passwords.  The risk for most corporate environments regarding this threat is relatively low.

Proficio Threat Intelligence Recommendations:

  • Deny SMB from the internet at perimeter firewalls
  • Enforce a password policy that does not allow weak passwords as a means to authenticate to SMB shares inside the LAN

General Info – Click Here

Method: RIG Exploit Kit – Grobios Malware

The use of exploit kits has generally been declining over the past two years, however FireEye has recently observed in March active development of the RIG EK capable of delivering a trojan named Grobios, a type of malware.  

Victims are first redirected to a compromised domain with an embedded malicious iframe which then redirects to the RIG EK landing page which loads a malicious Flash file. When the Flash file is executed, it drops the Grobios trojan onto the host and subsequently uses various techniques to evade detection and gain persistence.

The techniques used for evasion/persistence include masquerading as legitimate software and detecting VM & malware analysis tools. After detection evasion and persistence is achieved, network communication is established to hardcoded IPs point towards their respective C&C servers awaiting further instruction.  

Proficio Threat Intelligence Recommendations:

  • Ensure network nodes are fully patched to minimize attack surface

 

General Info – Click Here

METHOD: StalinLocker Malware

MalwareHunterTeam has discovered a new screenlocker malware that threatens to wipe the content of all the drives on a victim’s computer. The malware has been dubbed StalinLocker, because it displays a picture representation of the totalitarian dictator, Joseph Stalin on infected devices.

While the USSR anthem is playing in the background, the malware displays a countdown in the lower left corner and then prompts the user to enter the correct code in the next 10 minutes or the computer will be wiped cleaned, losing all user data.

According to MalwareHunterTeam, the correct code is the current date of the execution of the malware minus the date 1922.12.30. December 30, 1922 happens to be the day that the Treaty of Creation of the USSR was signed, establishing post-revolutionary Russia as it stands today. In order to enter the code correctly it needs to be converted into days before input. If the code is entered correctly, the wiper will exit and delete the autorun functionality of Stalin.exe.

Proficio Threat Intelligence Recommendations:

  • There is an unlock code that should be entered within ten minutes of infection or else the contents of drives on the host might be erased. Search for the current unlock code from the information security community. Many in the information security community say the unlock code is the day the malware was executed minus the number of days since 1922.12.30.
    Most antivirus vendors have good detection rates against this malware. Validate your antivirus software is up to date.

General Info – Click Here