Posts

METHOD – The Ramnit Trojan Family Evolution Within the “Black” Botnet Campaign

Researchers at Check Point warned a much larger attack could follow the so-called “Black” botnet campaign. This campaign was uncovered between May-July 2018 and used the Ramnit Trojan to create a network of malicious proxy servers operating as a high-centralized botnet or as independent botnets. To date, over 100,000 computers have been infected, researchers said.

Ramnit was first seen in 2011 as one of the most prominent banking malware with extensive information exfiltration capabilities, which targeted industries and banks in North America and the UK throughout 2015 and 2016. Additional Ramnit’s features also include modules such as FTPServer and WebInjects embedded in the malware package and the capability of backdooring infected machines. According to Check Point, Ramnit recently proved to be in fact merely a first-stage compromise, likely distributed via spam campaigns and employed as a loader for a second infection – the Ngioweb malware.

Originally seen in the second half of 2017, Ngioweb is reported as a multifunctional proxy server using two layers of encryption and supporting back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports. After analyzing the malware functionality, Check Point researchers identified two stages of C2 infrastructure used. Meanwhile STAGE -0 C2 server informs the malware is ready to go over an unencrypted HTTP connection, STAGE -1 C2 server later controls the malware via an encrypted channel. In addition, Ngioweb has a dual operational mode, working as both a regular back-connect proxy and a relay proxy. The first allows to access remote service on behalf of an infected host or internal resources in the local network of an infected host, whereas the latter – most powerful – allows the attackers to build chains of proxies, making their services barely traceable. Concerns are that between the two pieces of malicious code, the operators behind the campaign are attempting to build an extended, multi-purpose proxy botnet possibly used to launch further attacks.

Proficio Threat Intelligence Recommendations:

  • Consider educating users on the best practice for email security, especially if the source looks suspicious. In addition, network administrators should also consider implementing an effective anti-spam strategy within their organization.
  • Assess adding the IOCs provided in the Check Point analysis to preventative endpoint security controls.
  • Ensure endpoint security controls are maintained and up-to-date for a higher detection rates.

General Information – Click Here

Attacker: Corporate iPhones Attacked in MDM Campaign

This month security organizations and researchers discovered an attack that utilizes Apple’s popular and open source Mobile Device Management (MDM) system for iPhones. The MDM suite allows enterprises to conveniently deploy and manage employees’ iPhones remotely. The attackers in this campaign appear to have used social engineering to persuade unsuspecting users to enroll in MDM on their iPhones. From there, the attackers used MDM to remotely deploy Trojan spyware applications. Furthermore, they remained undetected for the past three years, while launching multiple successful attacks against targeted corporate employees in India.

The attackers, who are also believed to be operating within India, were able to coax their victims to install unverified certificates for MDM. The unverified certificates used deceptive naming conventions such as hxxp://ios-certificate-update[.]com and allowed for unchecked administrative privileges once installed. Following the initial compromise, it was later possible for the attacker to deploy the Trojan spyware applications on to the mobile devices of the affected users. While the applications appeared to be legitimate software, such as Telegram or WhatsApp, they were in fact modified versions of the legit software, which granted the attackers access to the target’s photos; contacts; real-time location; SMS messages; and application chat logs.

Proficio Threat Intelligence Recommendations:

  • Assess the authenticity of MDM certificates currently in use by your mobile fleet. Apple has already revoked several certifications that were linked to this malicious MDM campaign, but there are likely other malicious certificates that have yet to be canceled.
  • As MDM becomes more popular with large organizations, users should be made aware that installing additional certificates on to their mobile devices may allow unauthorized and/or malicious remote management activity.
  • Update IDS/IPS devices to blacklist certificates and/or traffic made towards the following malicious servers that have been identified thus far: Ios-certificate-update[.]com; www[.]wpitcher[.]com; techwach[.]com; and voguextra[.]com.
  • Update IDS/IPS devices to take appropriate actions when observing the following malicious application hashes: 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa.


General Information – Click Here

Method: FakeSpy – Android Trojan targeting Japanese and Korean Speaking Users

On June 19th, TrendMicro released technical analysis on FakeSpy malware targeting Korean and Japanese mobile users. FakeSpy has been observed sending mobile text messages with a malicious link message that prompts a malicious Android application package. This application masquerades itself as an app for local consumer financial service companies to Korean users. For Japanese users, it pretends to be an application for transportation, logistics, courier and e-commerce companies. This application is known to monitor for text messages and send these messages back to a C&C server. It has also been observed adding contacts to the devices, resetting the device, setting it to mute, updating configurations and stealing device information.

FakeSpy has also been known to check for banking related applications and replace it with counterfeit versions. These applications will then phish for user’s credentials by informing the users that their application needs to be updated and asks them to input their key. FakeSpy hides and updates their C2 server by making use of social media. The application will access the Twitter Page that the handler maintains and parse its content to retrieve the C2 IP address.

The Proficio Threat Intelligence Recommendations:

  • Considering that FakeSpy is distributed via phishing messages, users can avoid being a victim by practicing good security habits including checking for grammatical errors and avoiding unsolicited messages that contain URL links.

Technical Analysis of Malware – Click Here

METHOD – RANCOR Malware: Southeast Asia

A new malware campaign was observed this month, which appears to be politically driven and targets organizations operating in southeast Asia. The malware was dubbed “RANCOR” by Palo Alto researchers and falls under the Trojan malware classification. Additionally, the malware appears to make use of code from two malware families: DDKONG and PLAINTEE.

The malware has been observed in at least three cases, in which high profile individuals were targeted in spear phishing emails. The email contained malicious attachments in the form of .hta, .xlxs, and .dll file types. When opened, these attachments open decoy PDFs or web pages that claim to be related to political parties from the given country. However, these attachments would also execute scripts in the background in order to complete their installation on the host system.

While this behavior might seem easy to detect at first glance, the closer look reveals the malware writers took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed when certain conditions were met. Additionally, in the case of web pages opening, the websites of legitimate government
organizations and Facebook were compromised in order to bypass security.

Though current findings show only Cambodia and Singapore have been targeted thus far in the RANCOR campaign, a number of other countries located in Asia Pacific could be targeted as well and it is recommended to update security controls to detect the IOCs associated with this attack. One tell tale sign of some RANCOR variants is the rare use of a custom UDP protocol. This protocol may be detected by some heuristic IDPS devices searching for file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows and corresponding to the SHA256 hash below.

IDPS devices can be updated to trigger on the following additional signatures that have been observed:

  • Domain: www.facebook-apps.com
  • IPv4: 89.46.222.97
  • SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
  • SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d

The Proficio Threat Intelligence Recommendations:

  • Ensure security devices are updated to latest stable firmware.
  • Monitor for IOCs related to file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows.
  • Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.

Source of Analysis – Click Here

Method: RIG Exploit Kit – Grobios Malware

The use of exploit kits has generally been declining over the past two years, however FireEye has recently observed in March active development of the RIG EK capable of delivering a trojan named Grobios, a type of malware.  

Victims are first redirected to a compromised domain with an embedded malicious iframe which then redirects to the RIG EK landing page which loads a malicious Flash file. When the Flash file is executed, it drops the Grobios trojan onto the host and subsequently uses various techniques to evade detection and gain persistence.

The techniques used for evasion/persistence include masquerading as legitimate software and detecting VM & malware analysis tools. After detection evasion and persistence is achieved, network communication is established to hardcoded IPs point towards their respective C&C servers awaiting further instruction.  

Proficio Threat Intelligence Recommendations:

  • Ensure network nodes are fully patched to minimize attack surface

 

General Info – Click Here