Posts

Method – MirageFox Malware

On June 18th, malware researcher, Jay Rosenberg released some interesting findings on a binary that was analyzed by the company Intezer. The code was retrieved through VirusTotal hunting. VirusTotal is a tool used by the global cybersecurity community that allows users to upload suspicious executables to an engine to check if antivirus vendors detect anything bad about the file. The Intezer analysis revealed that the binary shared code with a remote access tool (RAT) was very similar to the code that had been mentioned in the 2017 campaign documented by NCC Group where the hacker group APT 15 had hacked entities within the UK Government.

This indicates that the group APT 15 had built a variation of their RoyalAPT malware mentioned by the NCC Group. This malware could’ve then potentially been used to perform a separate attack perhaps on an additional entity. During the article, the author states “Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” This infers that the author believes the MirageFox and US Navy Contractor hack are tied together. As a result, we have seen additional sources claiming that APT 15 was likely behind the US Navy hack of Operation Sea Dragon. We’d like to point out that the findings of the malware author do not prove this and this is only based on speculation at this time.

Some very interesting findings in the report are the command and control used within the binary. The IP address of the call home was 192.168.0.107. This is an internal IP address used within internal networks. This indicates that the command and control server was on the inside of the network, possibly on a VPN. This is a very abnormal configuration from the attacker and will throw off several types of perimeter security controls without special configuration.

The Proficio Threat Intelligence Recommendations:

  • Block hashes of IOCs on the corporate endpoint solution if possible. The researcher stated the binaries at the time of research had a low antivirus detection rate.
  • Note the internal command and control server and think about this type of attack when configuring perimeter IDPS technologies that look for outbound traffic as a means of command and control.
  • Potentially treat your internal VPN network ranges as an external network when configuring your IDPS controls. The organization will have to validate this will not result in false positive IDPS triggers.

Source of analysis – Click Here

Method: Hidden Cobra TYPEFRAME Malware Activity

On June 14th, US-CERT released a Malware Analysis Report (AR18-165A) that details a set of malware, code-named TYPEFRAME, with the earliest observed sample dating back to 2015. This malware appears to have been leveraged by North Korea’s threat actor HIDDEN COBRA (aka Lazarus). The Trojan has the capability to download and install malware, proxies and remote access tools (RATs), connect to command and control servers and modify the victim’s host based firewall to allow incoming connections.

The multiple executables and malicious document referenced within the report shows that the Trojan TYPEFRAME seems to be quite modular in nature, with different installers appearing to install different malicious modules. In summary, the multiple executables detailed in the report can be summarized as the following:

  • F5A4235EF02F34D547F71AA5434D9BB4 / BFB41BC0C3856AA0A81A5256B7B8DA51 – The installer that sets the RAT as a service on the victim’s machine
  • 10B28DA8EEFAC62CE282154F273B3E34 – This file is an installer designed to set a proxy module as a service on the victim’s machine.
  • 00B0CFB59B088B247C97C8FED383C115 – This file also serves as a proxy module designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. This module listens on port 8443.
  • BF474B8ACD55380B1169BB949D60E9E4 – This file is a RAT designed to install a proxy module as a service on the victim’s system.
  • 6AB301FC3296E1CEB140BF5D294894C5 – This malicious Word document contains a VBA macro to decode a PE binary and execute it.
  • EF9DB20AB0EEBF0B7C55AF4EC0B7BCED – This file is designed to connect to its remote C2 servers on port 443 and wait for instructions.
  • 1C53E7269FE9D84C6DF0A25BA59B822C – This file is a proxy module installed as a service and is designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. Notably, this malware makes use of a fake TLS communication mechanism.

Given the nature of the tactics used by this particular threat actor and the details available in the advisory, the threat is prevented by most common security countermeasures such as an up-to-date corporate antivirus. The risk for most organizations is likely minimal.

The Proficio Threat Intelligence Recommendations

  • Add the seven IP IOCs (indicators of compromise) flagged by US-CERT in the MAR (malware analysis report) to a firewall blocklist / SIEM monitoring watchlist.
  • Make sure to maintain antivirus products are up-to-date as this malware appears to have good detection rates amongst antivirus vendors with the samples analyzed.
  • Disable File and Printer sharing services if not required for business needs.
  • Restrict users’ ability to install and run unwanted software applications.
  • Exercise caution when opening email attachments.
  • Enable personal, host-based firewalls on individual workstations to deny unsolicited connection requests.

Source of Analysis – Click Here

Method: VPNFilter Malware responsible for botnet army of 500,000 devices

Researchers from Cisco Talos with the help of numerous threat intelligence partners, have identified at least 500,000 devices worldwide that have been infected with VPNFilter malware. Large segments of the malware’s code were repurposed from the notorious BlackEnergy malware, which was responsible for massive DDoS attacks targeting Ukrainian infrastructure resulting in widespread power outages.

The majority of known infected hosts are from small office or home network devices which usually act as the perimeter network device with little to no defense in depth.  Many of these devices have publicly known exploits or default credentials that make compromising a device of this type trivial when best practices are not followed.

Known Affected Network Devices:

  • Linksys
  • MikroTik
  • NETGEAR
  • TP-Link
  • QNAP NAS

The capabilities of the VPNFilter are numerous, and  include unrestricted data collection from an affected device including banking credential theft, as well as the ability to execute a kill command to render the device unusable.  Another area of concern is the VPNFilter’s ability to monitor Modbus SCADA protocols, which are commonly used by industrial devices/applications like the BlackEnergy malware, which rendered many of Ukraine’s power substations inoperable.

Proficio Threat Intelligence Recommendations:

  • Users of SOHO routers and/or NAS devices ensure default credentials are changed and reset devices to factory defaults and reboot them in order to remove the non-persistent stage 2 and stage 3 malware.

 

General Info – Click Here

METHOD: HIDDEN COBRA Joanap and Brambul Malware Activity

US-CERT has released a technical advisory regarding a RAT (remote access tool) and an SMB (server message block) worm dubbed respectively Joanap and Brambul. Both claimed to be leveraged by the North Korea’s threat actor HIDDEN COBRA (aka Lazarous) since 2009. HIDDEN COBRA is an alias used to describe global hacking performed by a group tied with supporting the North Korean Government.

Based on the report findings, HIDDEN COBRA is responsible for using these two types of malware to target victims globally across multiple sectors. The worm appears to leverage relatively old and unsophisticated attack methods for spreading. Once infected, a system will attempt to brute force remote shares hosted over the SMB protocol using a set of about 150 common passwords such as “123456” and “cookie123” and “dbpassword.”

Analysis of the IoCs (indicators of compromise) provided in the article revealed that infrastructure primarily located in Latin American, the Middle East, and the Asia Pacific have been compromised with the malware. Command and control for the malware is somewhat unique, in that it gathers details and then attempts to send out emails to two known email addresses (misswang8107@gmail[.]com and redhat@gmail[.]com) with the compromised details of the host.

Luckily, most antivirus vendors have good detection rates for this type of malware since its older and well-known, and it attempts to spread using relatively simple passwords.  The risk for most corporate environments regarding this threat is relatively low.

Proficio Threat Intelligence Recommendations:

  • Deny SMB from the internet at perimeter firewalls
  • Enforce a password policy that does not allow weak passwords as a means to authenticate to SMB shares inside the LAN

General Info – Click Here

Method: RIG Exploit Kit – Grobios Malware

The use of exploit kits has generally been declining over the past two years, however FireEye has recently observed in March active development of the RIG EK capable of delivering a trojan named Grobios, a type of malware.  

Victims are first redirected to a compromised domain with an embedded malicious iframe which then redirects to the RIG EK landing page which loads a malicious Flash file. When the Flash file is executed, it drops the Grobios trojan onto the host and subsequently uses various techniques to evade detection and gain persistence.

The techniques used for evasion/persistence include masquerading as legitimate software and detecting VM & malware analysis tools. After detection evasion and persistence is achieved, network communication is established to hardcoded IPs point towards their respective C&C servers awaiting further instruction.  

Proficio Threat Intelligence Recommendations:

  • Ensure network nodes are fully patched to minimize attack surface

 

General Info – Click Here

METHOD: StalinLocker Malware

MalwareHunterTeam has discovered a new screenlocker malware that threatens to wipe the content of all the drives on a victim’s computer. The malware has been dubbed StalinLocker, because it displays a picture representation of the totalitarian dictator, Joseph Stalin on infected devices.

While the USSR anthem is playing in the background, the malware displays a countdown in the lower left corner and then prompts the user to enter the correct code in the next 10 minutes or the computer will be wiped cleaned, losing all user data.

According to MalwareHunterTeam, the correct code is the current date of the execution of the malware minus the date 1922.12.30. December 30, 1922 happens to be the day that the Treaty of Creation of the USSR was signed, establishing post-revolutionary Russia as it stands today. In order to enter the code correctly it needs to be converted into days before input. If the code is entered correctly, the wiper will exit and delete the autorun functionality of Stalin.exe.

Proficio Threat Intelligence Recommendations:

  • There is an unlock code that should be entered within ten minutes of infection or else the contents of drives on the host might be erased. Search for the current unlock code from the information security community. Many in the information security community say the unlock code is the day the malware was executed minus the number of days since 1922.12.30.
    Most antivirus vendors have good detection rates against this malware. Validate your antivirus software is up to date.

General Info – Click Here

Method: TreasureHunter Point-of-Sale Malware source code leak may spawn new variants

The TreasureHunter Point-of-sale (PoS) malware has appeared to have made a return to the spotlight.  A top-tier Russian-speaking forum reportedly leaked the malware’s source code, GUI and admin panel in March 2018.  

A 2016 investigation by FireEye was able to provide a detailed analysis of the malware, which was first deployed in late 2014. Not overly complex, the malware was reported to gain access to poorly secured PoS systems via the use of stolen credentials. In brief, once the malware was installed, persistence was created through a registry ‘run’ key. This key would then run the malware at startup and would scan the device memory, going after primary account numbers, separators and service codes, among others. The harvested data was then sent to a CnC server through HTTP POST requests.

According to Flashpoint, the malware originally had a limited reach and was linked to the underground dump seller “BearsInc”. The reasons for the source code to be released in the open remain unknown, one of the possible consequences would be the spawning of PoS threats against hospitality and retail businesses. Flashpoint warns that based on previous code leaks such as the Zeus banking Trojan or the Alina malware, the leak could result in increased activity by cybercriminals exploiting the information to build their own new variant of the malicious software. As a matter of fact, underground conversations appear to be ongoing on how to improve and weaponize the leaked TreasureHunter source code. On the other hand, the code leak will provide security professionals with invaluable insight into the malware’s operations.

Proficio Threat Intelligence Recommendations:

  • Consider utilizing data loss prevention [DLP] solutions, designed to protect highly sensitive information
  • Consider employing end-to-end encryption starting from the point-of-swipe, which allows to encrypt the customers’ data throughout the whole payment process
  • Consider testing the devices and their implementation procedures, especially if put in place by third parties
  • Consider monitoring for unusual activity on the actual PoS machines

General Info – Click Here

Method: MassMiner Worm Malware

Cryptocurrency mining malware has been on the rise in 2018.  The malware has an especially nasty variant which leverages multiple exploits and hacking tools to spread. The MassMiner worm is a type of mining malware that has been observed propagating from local networks to high value targets, like Microsoft’s SQL servers, with greater mining potential.

Infected hosts attempt to spread the worm by first utilizing the MassScan tool to enumerate potential victims and subsequently running a variety of exploits which include the infamous CVE-2017-0143 EternalBlue exploit, CVE-2017-5638 Apache Struts exploit and CVE-2017-10271 WebServer exploit. MassMiner will also brute force Microsoft SQL servers by using SQLck and then once compromised will run scripts to install MassMiner.  Powershell is used in the same manner to download MassMiner to compromised Weblogic servers and a VisualBasic script is utilized to deploy the worm to compromised Apache Struts servers.

MassMiner then goes through the process of disabling numerous security features including anti-virus, to ensure persistence and evade detection.

MassMiner tactics include:

  • Copying itself to taskhost.exe and the Startup folder
  • Unauthorizing changes to the ACL to grant full access to certain files in the system
  • Disabling Windows Firewall
  • Downloading a config file to point compromised host to C&C server for further instructions

Proficio Threat Intelligence Recommendations:

  • Harden high value assets such as servers by ensuring vulnerabilities are patched by implementing the latest stable updates

 

General Info – Click Here

Method: Roaming Mantis Malware

Kaspersky Labs has detailed Android malware mainly targeting Chinese and Korean users. The malware is designed to steal two-factor authentication codes for Google accounts sent via SMS/MMS.

Kaspersky Labs has detailed a lot of the interesting technical elements of the malware. For example, command and control for samples analyzed were found to lookup strings of web pages hosted on legitimate sites such as sohu.com and baidu.com. Kaspersky also believes the initial infection vector for the Android devices were compromised routers in Asia. The routers were redirecting Android devices towards malicious sites via DNS hijacking. The malware does have a component that appears to target English speaking users, but the HTML code within the malware is written in broken English. Most researchers after additional analysis have attributed this malware to cybercriminals focusing on Chinese and Korean targets.

Proficio Threat Intelligence Recommendations:

  • Do not allow users that have Android devices to bring “rooted” devices into corporate networks (rooted devices were targeted in this campaign)
  • Routers in this attack allowed attackers to perform DNS hijacking in this campaign. Monitoring corporate routers for attacks and compromise should be performed by security operations
  • SOCs (security operation centers) often detect BYOD infected cellular devices in guest networks or corporate wireless networks. Corporate IT should decide on an action (or no action) to be taken when these detections occur

General Information – Click Here

Method: PyRoMine Malware

In early April, Fortinet’s FortiGuard Labs discovered a cryptocurrency mining malware that leverages EternalRomance, a remote code execution attack, that was coined, PyRoMine. The EternalRomance exploit was initially discovered in the giant “treasure trove” that was the NSA data leak last year thanks to the ShadowBrokers.

The malware can be found in the form of a standalone executable file that, when executed, will run as a background process, silently stealing CPU resources unbeknownst to its victims. The end goal of this malware is to mine Monero for profits.

PyRoMine sets up a hidden default account on the user’s machine with system administrator privileges, using the password “P@ssw0rdf0rme,” as well as, enabling Remote Desktop Protocol which could be used in the future for re-infection and/or further attacks.

EternalRomance exploit targets SMBv1 Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft patched this vulnerability very quickly after the tools were made public. However, individuals and enterprises alike have been quite slow when it comes to patching the known vulnerabilities and could still be affected by this malware.

Proficio Threat Intelligence Recommendations:

  • Update Windows hosts to use SMBv2
  • Do not allow Remote Desktop Protocol Open from the internet

General Information –  Click Here