Channel: Talos Blog

Threat Round-up for July 14 - July 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 14 and July 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:
  • Doc.Downloader.Agent-6333860-0
    Document Macro obfuscation
    These document downloaders are Excel worksheets which use obfuscated macros to trigger Shell functions and leverage cmd to call PowerShell. The execution chain is typically Excel -> CMD -> PowerShell download and execute.
     
  • Doc.Dropper.Agent-6333859-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.Obfuscation-6332451-0
    Office Macro
    Malware authors leverage Office documents to compromise a target system. To bypass anti-virus products they employ obfuscation techniques. This cluster uses arrays to access data indirectly and reassemble it into the data that is then evaluated.
     
  • Js.Dropper.sPowerShell-6333821-0
    Dropper
    sPowerShell is a JavaScript dropper for both ransomware & information stealers that are written as PowerShell scripts. The script itself is encoded with Base64; the original JS script is responsible for decoding it. Once decoded, the PowerShell ransomware gets to work on encrypting files based on an inclusion list for file extensions. It will not change the file extension for affected files, & it's up to the user to discover these modified files or the ransom note that is left for them. There is no automatic prompt for the dropped ransom note.
     
  • Win.Trojan.Agent-1388716
    Trojan
    This polymorphic sample is a dropper that will create copies of itself on the hard drive under different random names to ensure persistence. It can carry different malicious payloads, so it can be used as a delivery mechanism for different types of threats.
     
  • Win.Trojan.AutoIT-6333854-0
    Trojan
    This is AutoIT malware packed in a self-extracting RAR archive. The malware uses process hollowing to hide itself from a debugger, communicates with a remote web server, steals passwords from Firefox's password store and adds an autorun registry key to achieve persistence.
     
  • Win.Trojan.DelphiSpamDown-6333856-0
    Downloader
    This sample is a Delphi downloader spreading in the wild and related to a massive spam campaign. The binary is written in Delphi, contains anti-debug and anti-VM tricks, and tries to contact a remote server to download additional resources.
     
  • Win.Virus.Virlock-6332874-0
    Virus
    VirLock and its variants are polymorphic ransomware that not only encrypt the files on the system, but also infect them by inserting a modified version of their own code at the beginning of each file. Each file is replaced with an executable disguised as the original file, with the same icon and its "exe" extension hidden. Once executed, it infects the system and shows the contents of the original file. Additionally, it locks the screen and asks the user to pay a ransom. It will try to connect to google.com to check whether it gets redirected to a localized Google page such as google.co.uk or google.au. It will also try to spread to network shares or cloud storage platforms, in an attempt to increase the damage and potentially infect other users who may inadvertently open shared infected files.
     

Threats

Doc.Downloader.Agent-6333860-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 52[.]14[.]80[.]76
  • 52[.]173[.]193[.]166
Domain Names
  • farmona[.]co
Files and/or directories created
  • %TEMP%\CVR668.tmp.cvr
  • %AppData%.exe
File Hashes
  • 01c4f96c8117df219cf9f50723454ace242edcf2d22b09e8e72c5d0c92aad540
  • 01ed6302a7ea8d4c54d439b7016b99b6dca275f85d22611811bac8c135309d41
  • 0634216b34baf0fdc293002632932312293fc4854701b143c6f4735e8cd98b45
  • 070e56e7170fc63c1c42c3b0b37df5a25f5c7e2e0a5fd454e8e8e63de2b71bdf
  • 07aa3365d733098e11e91ece1628130217414488d3fce0e2e261bfb29ab6fed9
  • 0be6e5bb277cbe815beced059aa5fb5160954dc8fd3fef918746caf276cc82a3
  • 0fc8af1a3deb4d2895b9bb202278299369a16950239288577472bc06fbf07e4b
  • 13fd575d1474ae579f55615733f75fa50231447b8653e6eb58678103ee82e99e
  • 1b01632e1a44445124165ed61592527fe649a32ed889ee75fdb73d07bf396812
  • 2248f89b848781c0405cc0cead60172ec75e035aca12e8c147818192fde2266d
  • 204ecc72a94c1d1ef60a08ccb132a5123d2e8dcfc16ef1cacebb20887049ec2d

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Doc.Dropper.Agent-6333859-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • atlon-mebel[.]ru
  • ayurvoyage[.]com
  • enzyma[.]es
  • inormann[.]it
  • kms2017[.]com
  • pta-babel[.]net
  • studio80[.]biz
  • sxmht[.]com
  • test[.]atlon-mebel[.]ru
  • tidytrend[.]com
  • westsussexcentre[.]org[.]uk
  • wizbam[.]com
Files and/or directories created
  • %TEMP%\proshuto8.exe
  • %TEMP%\~DFFD1107AB284DD884.TMP
  • %TEMP%\serenade8.TEMP
File Hashes
  • 026b944764ec5f0f342b2f532e18093627930a1c9810d235a4893ecbbbe4eaee
  • 04f5160bf3126ad52a819a86cf4807dc83c89a4e5a2643b49b3fe60bf01c8419
  • 09a43a41f182b0677d28b7e9cc685d1217f5c1fca63af4418f0a9ef776f6dd0a
  • 0a0bf44d664575b194063536138d0b5ea9d3583e956e675462b55decf4ad73a9
  • 0ea9107334209b304b650ff86854862d4eed68e616aec015618853b1d6a3c001
  • 1c32493b72d3c3da9b7d4b9022edfdec445a7feaa261e621799c1e45241b5b2f
  • 1dd941235ba3aae55c0f876131d6381ef47c4c37f6be0116b61a5ff0ddf4da6a
  • 201a567836576380edc8d7a1b7f2e70c4127faa7ea541da4d7e0457401b2b492
  • 2debe28ebdeea8789a136170782018789d7ba6e8d07b8289231c8b6aa509a839
  • 351376c7a04ab7bf3f4a22b124165c4817d7fefe35dd2d0834cd3fcf3c580043
  • 36ac209d2115d4b64b3b2b41b8731235168ac71d744740dbbc73f6c13cc85bab
  • 3ceb74963648d8adf4b47303d74d344628257dc36cf87a4330099fc264fe6ae5
  • 46bdd38ab49faaed1aa40c17d17e2a45ba87236dee0802c6e9e1385bfc1fe261
  • 4aca7a72441a2100f4d40348e813ce0bcdb87e7d311e4e2e3b1dc53eecd9f149
  • 4b62feae568e3aaf8510897ab6c674283a7d133d4e72b4aaa4864a465bd88807
  • 4d4906439c50c3c8e80b40e0f1135f3c6df31b1fa596f668d4f8c48ead902dc3
  • 5e7442c9c6b95f9a7af5ce9a08b1d61852e1da901ddf96e1604374be36d823c1
  • 6274606653a2bb4470d3acdd72f11af37827253f5a728d539da9be0a6fb12db3
  • 631e4b651c157a1179bd28fc71cc072a933ec7a9be962fa4e758963c4f450673
  • 6994c078ad88915221a6679dcab25f942a6799c998bfffd36004f500faf1d2aa
  • 69fee7f159df45b2f3fe177b0e4f8377b2f281d907c15ce69b3f5fd43592d297
  • 6a7fcf70672bec03c73443dc26ad8cd5dbed6227de7073d7d37d2c920d3ca5b7
  • 77deb4917f19577c06643e0268b96b12050d6814c07e961f84bd143189ba23b8
  • 7b28472b8552e2f9f63126a66ef1bec226acf49919e821c8204e0142864af7c2
  • 7c31ebd234e9ea4e8e5176cca74f95cf6d0f8ebdad6f5bae0aa07229cff3557a
  • 8046e1b4a24d714812f4fcfa7f7debfa2057a83c8631b7e2112d37653c83aa04
  • 8902a87a99470edc2210af7f660ae3f1d032a4e764ae5415f00b3de4e873715b
  • 9217691c969ca90bba7e68648c5d52c1fec4183f2837adb407b55e6957cc62c8
  • 95dfa7cb08275d55c2daa3dab39cd3502ed8e9221501ccd43096c4dcb69574df
  • 9a7972ec543717861bf0030e35069c5d672ed0447a1f7690f8e3992329b4e08f
  • a5067cd834500ad631443d66f52a8454adedcc316bdd9a9f340587efe3d71862
  • a912eebe77cd06413744e8bca95c7bc4d7200a82097178cbfd478778d89afc16
  • af598ffbba3c59ce109d2ddd9ef58425bd3a8a70bbbea48b14460dcef21704d7
  • b1828e83a4d01b45adb238165e17520f5853a2a8d1ac083d2f6130be8813e5fb
  • ba9ae0515d7d720634114de6f669bcb9c9bc8bebb9b30df98585b8c2751cb419
  • d34e29aeae628324e27067f1b0ed9895b335a99eed2bad836b2cb08cc311276e
  • d3a1dc1018514102ce83b054374a0422328ba812f78a9fee7d17b224a7b7fb9b
  • e3a122deee0913710df8e2d8137f089123e455195a6d71dac072343fc8e48c2e
  • ec67964a20940b42a58a3149327e519c97505ae0227566d31a72e94a31add0b4
  • ed8779e9e0231c4882152bae2be367a9cac0d2b270a5fba8d9dd56ccd6ddcb34
  • ee5b16b15dd712ff7e0ada9e6b93da04fcfe9043e53a605d0ace1fe365f0bd54
  • f0892554e22c923645f20e9de0920199a791f744dee18f9c8df7f0b0ffa954e0
  • f921d1fd16fe5735f1abab55e836fd6817e9d6e340d0d056af25b7214559cf7b
  • ff29411724d4cac3a6553ab621180f8a2c05cf01573c97873061b9df9ba57246

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Doc.Macro.Obfuscation-6332451-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]36
  • 52[.]173[.]193[.]166
Domain Names
  • N/A
Files and/or directories created
  • %TEMP%\CVR65CC.tmp.cvr
File Hashes
  • 41b9c93fed52bffe68d03abbcbe42086a9baf743d56f9262abd5b4c7fcbff951
  • 4c5f92378c3fe002163abb763ab30de3b167512255af8f90c0ab7ca85e15fe7f
  • 8c0559c86e7879ecf25442bc0a8105193d44e9641ac939077d43f6c4dcfc4e9c
  • 727d8957c910dd733b4960f22535e61375e417cc521b820ae8a917597af86295
  • a84e3659977948b8f14cb2bfacef19d997463e779fed8750fa2d44b4342584b4
  • a4e076bdea2bdc1028d232079b0bcf42a9b4997fb43e78fbda745f6bb047612c
  • 404de9c0ea3f8061c69e0dac80c6706e9ad263059ed845f1d69fc77b367a51aa
  • 7ac2d7693119e8e07ee9ab0979a219f99763deb2b4134e8a6c18cec7aba1a76a
  • 29015d08a221749ca7cd1b9526ae4c434457199ac3226236f9e57fdb01b21213
  • 1259e834561574787f5e8c6f0fd7e3af62ce566317275ad6e0484b2d2d02904e
  • 341b86bd427dfca140ef6b3f47c7f269fe3ada974692237cc038f5910326d806
  • 5d91e7426fb87e5f2c9a5aa575d8bc0e98b7e1a09947dcb4e4943c5c047933d9
  • f11534d903c19da7f9b951419fb31fc8027c27f7ed7e3fdb89a923004a838ca1
  • 513a70f9692100bab9aee761125a446c7a7fb2ddd8395810f64c73cedd664f8e
  • f2fee82c08af4579275a7bfd7859bd9031c43a4c871ab6bb1d3fe1d699c020ca
  • a0b29989213e1c2e08bcb136d77164251fcff105c640a9ba75f9ed87c6a0407b
  • f04ce92cb9f190f8c06d444ac5431f637b6ea8ba864201a549903e3115968403
  • 3743bc035609dc41608e2580bd9ee1555bbd8e9311dcf879e12821ce40727db5
  • ab004137cd4eeff2528c749bc80fa8c05be279fbadf54fd48eb433a63ba9ebaf
  • 2611831b22f6b0df892e363d429a666b5a4bb9303a97b30c527fb4f43379a462
  • 0dd337e3bef51dd39867317b47870076c8bda3efede772fc571b48d59ff79bcf
  • ec0aba7dec0510afc007260370f08f166f6aeadbf0e38206aef3b2df96c6fddb
  • 58bcd393831d35adf5343ddeaedc3de4f9b4c11565cbcb21e220ef20d34061d6
  • 7531238a3e7a788700bef153d999c6527975c108176e435a0ca200e15fa08d5a
  • 5702fa93b08399d8f8d7d1ef1eb2902e7f37a9bbaaf5d9aa6b85a2844224662e

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Js.Dropper.sPowerShell-6333821-0

Indicators of Compromise

Registry Keys
  • HKLM\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
Mutexes
  • Sessions\1\BaseNamedObjects\_SHuassist.mtx
  • Sessions\1\BaseNamedObjects\DBWinMutex
IP Addresses
  • N/A
Domain Names
  • joelosteel[.]gdn
  • ipcaservices[.]xyz
Files and/or directories created
  • %USERPROFILE%\Desktop\_README-Encrypted-Files.html
  • %USERPROFILE%\Documents\_README-Encrypted-Files.html
File Hashes
  • 7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c
  • cce0da7814b5966ffacfecacec0e87aec83989889b56e4dc37eed7873b51617f

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Win.Trojan.Agent-1388716

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and/or directories created
  • %SystemDrive%\e86nw5.exe
  • %SystemDrive%\4kh4ht.exe
  • %SystemDrive%\ucrr38u.exe
  • %SystemDrive%\fllx91x.exe
  • %SystemDrive%\9f2c5u7.exe
  • %SystemDrive%\022240c.exe
File Hashes
  • 6ffc7684a7ce4e263d0018310e03f4c81df776cd2ad1fdb26e0cb46ee5a9d899
  • 588d681952c3d07a6f2dd740e6253a6160a37ec3d80d376f742b2f1c9e9fa3a5
  • 0c27abc4b32cd84d8ed11907d8b47e0caa41af884efbe599e287978ad56cc6d4
  • 56fc60eff1ce21bc0662abce0ce74834e530b4baf297f055bdfdc5bb77c22ec6

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid

Win.Trojan.AutoIT-6333854-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • cn67975[.]tmweb[.]ru
Files and/or directories created
  • %TEMP%\fjs\[a-z]{3}.(ppt|xl|icm|pdf|txt|bat|docx|mp4|bmp|ico|jog|dat)
  • %TEMP%\667796.bat
  • %TEMP%\fjs\svu-mkc
File Hashes
  • 927bd28d825adc6569d1e307bd3709f73350b3ca2b0f98bbbdd2370526ae19b6
  • bb51a0200e84137fb1c07e39fbd7f0ded1eda78d3c95cfa1e16887f0762ab665
  • 2cd44a3204106c4fa3e11c310f21a3d0a89795ae90cad00117c779386ea619fd
  • 83a482b1771474915838db7251d00cf12ae5171c04966621bba82c5829e57b4a
  • a831d5503c549917d333d45c72532f0407ed306ca5c95478dad11cb34342ca60
  • f8305d63f8d4ebc4b4c4bea7c3dd75b3d3c3f53aa2f28cc789a2573d55b83613
  • ea047fca20938acaeaf82d7753a86bdf9c6ed1bcb6573634d8f515d15b6ddd13
  • 62f72450c470bd01096766ac25e8b6ca4edb79683c2ee5b2cc89ec2234983c44
  • 38dfdc80844d6f6b0d1a73843f1a4704d7bb12cf2ca61d98a54d1cdb5722ac66
  • f81a37d816c639fd977d7781f7fe54cc51e2e34aa3bb8bc877c74ae140025003

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella

Win.Trojan.DelphiSpamDown-6333856-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • HKU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKU\Software\WinRAR
Mutexes
  • DBWinMutex
IP Addresses
  • 92[.]53[.]96[.]122
Domain Names
  • cg51478[.]tmweb[.]ru
Files and/or directories created
  • \samr
  • %System32%\wdi\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{debd4f12-5573-4e21-a11a-2adccd61a055}\snapshot.etl
  • %System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{bc3d8877-b46d-4746-b041-b538af5e2cf0}\snapshot.etl
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\713906.bat
  • \TEMP\scan sample.exe
File Hashes
  • d603a19fb425aa77308ee7d3527f03e0a455667aed2030b4fc2c46388a230dad
  • f23220f487d021aed897deee04e7aaada2521d096406517cd3adcacf4754beac
  • 72464898f83126f1a89d76cf76b2867b58655b3b316c2000dd185f2c31a4d786

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella

Win.Virus.Virlock-6332874-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: ObjectName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: DisplayName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: Start
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: rgwIEcIs.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: ImagePath
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: IMMwgswc.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: HideFileExt
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: Hidden
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG
    • Value: WOW64
  • HKU\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VosIYoaG
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • \BaseNamedObjects\OeoQEIQU
  • \BaseNamedObjects\JMcsAgIg
  • \BaseNamedObjects\eKQoMYQM
  • \BaseNamedObjects\rgQAYgUk
  • \BaseNamedObjects\juAkwAUg
  • \BaseNamedObjects\WUUMAwEY
  • \BaseNamedObjects\LIAAoosI
IP Addresses
  • N/A
Domain Names
  • N/A
Files and/or directories created
  • %SystemDrive%\Documents and Settings\Administrator\mYAMwMEo\aYEsEocI.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eAsoAsoc.bat
  • %SystemDrive%\Documents and Settings\All Users\xEQswAgE\hEEskAMI.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\file.vbs
  • %SystemDrive%\Documents and Settings\All Users\keAQYows\Ngwockko.exe
  • %SystemDrive%\Documents and Settings\All Users\eCQoYwsY\cOIkcIIs.exe
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f1d2_appcompat.txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HAIgcwYY.bat
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JikQIUos.bat
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1aba_appcompat.txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BywQYkYY.bat
  • %System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{a69f0170-8245-4aed-a99e-3b0aad202ce2}\snapshot.etl
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vgMUkcEw.bat
  • %SystemDrive%\Documents and Settings\Administrator\HQcwsEQk\iUEAMAQY.exe
  • %SystemDrive%\Documents and Settings\All Users\wkkIwsUo\FcIoIUwU.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\oiwwooMU.bat
  • %SystemDrive%\Documents and Settings\All Users\UUkwYskE\tIAMksoQ.exe
  • %SystemDrive%\Documents and Settings\All Users\TiggsEgM\iigYwggc.exe
  • %SystemDrive%\Documents and Settings\Administrator\josYsEwI\IEkIQAgg.exe
  • \TEMP\f903440f2b8e05fde78b17ad34bdae047604a33af999aaee8954dc1f689d3298.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B291D.dmp
  • %SystemDrive%\Documents and Settings\All Users\OUkAAEIY\qaMAkEQc.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NuYsMUAc.bat
  • %SystemDrive%\Documents and Settings\All Users\ymYgUYAo\PqUEkQUs.exe
  • %SystemDrive%\Documents and Settings\Administrator\SKsYAMwU\OugokkEo.exe
File Hashes
  • 81bec8df30db0bd694ecf01d3950fbe91823854ab017c0cb176d32c9ada3f202
  • d49a98d35bcb6ff16206c6d1e1495d4ddf9f1911f785bccda24c2b1e0bfe3d03
  • 6cff1fdde90a5708301b2d3c48729ebf3be7bb4a8f0e6992406affe034ad0a0f
  • 94549c01f4ca88d7169141b7a8aaa0a79a28e2770811ef84febd639af70c7a74
  • 824eed3471a9f86836ac4bced8a5ce7f57df95048a995dc0219feab771404f28
  • db2415f2259b7ec9aaa6ab004a659753ad51dafccbc8696f0a5e906750304efc
  • faaa74146e151d525e94e536ee2605a76c8a0d1699024979181712a03b249f25
  • 7cd99c34887ea6213f18347720d7b1d257969f821bc78f6ad128f55ff137096c
  • 61012a5ae49bcfc6c31110b0117c9ed3d3f810cb8053857ef3017b403aeb4ad0
  • 6161ca5b2cd218ae1c277e6fcc509f571cc409ae4b2aba007d0e1ef28057fd7d
  • cacc1b16c233ad74c95b051edb5542a2824441314aba3f12e0397b857222c0a9

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Screenshot

Vulnerability Spotlight: FreeRDP Multiple Vulnerabilities

Vulnerabilities discovered by Tyler Bohan of Talos

Overview


Talos has discovered multiple vulnerabilities in the FreeRDP product. FreeRDP is a free implementation of the Remote Desktop Protocol (RDP) originally developed by Microsoft. RDP allows users to connect remotely to systems so they can be operated from afar. The open source nature of the FreeRDP library means that it is integrated into many commercial remote desktop protocol applications.

We identified a number of vulnerabilities falling into 2 classes:
  • 2 Code Executions;
  • 4 Denials Of Service.
The first category allows code execution on the client side through a specially crafted response from an RDP server. The second category can cause the termination of the FreeRDP client. The vulnerabilities result from weaknesses in the handling of network packets sent from the RDP server: the size of the data to be parsed is supplied by the server and is not checked on the client side. An attacker can compromise the server or use a man-in-the-middle attack to trigger these vulnerabilities.

Details

Code Execution

TALOS-2017-0336 (CVE-2017-2834) - FreeRDP Rdp Client License Recv Code Execution Vulnerability


The vulnerability is located in the license server handling. The license message sent by the server contains a length field which FreeRDP does not correctly verify. For internal purposes the library decreases this value by 4; if the server sends a value below 3, the result is negative and packet contents are written outside of the allocated buffer in memory. This vulnerability can allow the execution of arbitrary code on the FreeRDP client side.

More details can be found in the vulnerability report: TALOS-2017-0336

TALOS-2017-0337 (CVE-2017-2835) - FreeRDP RDP Client Recv RDP Code Execution Vulnerability


The vulnerability is located in the RDP receive function of FreeRDP. As with the previous vulnerability, the RDP message sent by the server contains a length field that the FreeRDP client code does not verify. This length can become negative, allowing the attacker to execute code on the client side.

More details can be found in the vulnerability report: TALOS-2017-0337

Denial Of Service

TALOS-2017-0338 (CVE-2017-2836) - FreeRDP RDP Client Read Server Proprietary Certificate Denial of Service Vulnerability


The vulnerability is located in the parsing of proprietary certificates, where the FreeRDP library parses the public key. If the size of the key specified in the server message packet is less than 8, the FreeRDP library crashes.

More details can be found in the vulnerability report: TALOS-2017-0338

TALOS-2017-0339 (CVE-2017-2837) - FreeRDP RDP Client GCC Read Server Security Data Denial of Service Vulnerability


This vulnerability is located in the function that handles security data. The function reads a length value from the server packet; a malicious actor can send a specially crafted packet with a modified length value, causing the client to crash and creating a denial of service condition.

More details can be found in the vulnerability report: TALOS-2017-0339

TALOS-2017-0340 (CVE-2017-2838) - FreeRDP RDP Client License Read Product Info Denial of Service Vulnerability


The vulnerability is located in the license read product info handling. A maliciously crafted packet may cause the application to crash. The vulnerable code reads an unsigned integer from the server message, which is then incremented by four as part of a length check. However, the value of the unsigned integer is never validated, so the addition of four can overflow and crash the client.

More details can be found in the vulnerability report: TALOS-2017-0340

TALOS-2017-0341 (CVE-2017-2839) - FreeRDP RDP Client License Read Challenge Packet Denial of Service Vulnerability


The vulnerability is located in the license read challenge packet handling. A maliciously crafted packet may cause the application to crash. The vulnerability is the same as in TALOS-2017-0340, described above.

More details can be found in the vulnerability report: TALOS-2017-0341
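The two arithmetic mistakes described above (a server-supplied length decremented by a header size with no lower bound, as in TALOS-2017-0336/0337, and a length check written as an addition that can wrap, as in TALOS-2017-0340/0341) are easiest to see side by side with the checks that prevent them. The following is an added illustration written for this page, not FreeRDP's code: the header size, buffer size, packet layout and every function name are assumptions, and the sample packets are constructed.

```c
/* Added illustration, not FreeRDP's code. HEADER_SIZE, BODY_MAX, the packet
 * layout (little-endian length, then body) and all names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_SIZE 4u    /* assumed: bytes the parser strips from the length */
#define BODY_MAX    64u   /* assumed: capacity of the receive buffer */

enum parse_result { PARSE_OK = 0, PARSE_BAD_LENGTH = 1, PARSE_TOO_LARGE = 2 };

/* Mistake 1: length - 4 with no lower bound. For length < 4 the unsigned
 * subtraction wraps to a value near 4 billion, which a later copy would treat
 * as the body size. This function only computes, it never copies. */
uint32_t body_len_unchecked(uint32_t length) {
    return length - HEADER_SIZE;
}

/* Hardened reader: bound the length below (>= header) and above (fits both
 * the packet and the buffer) before any arithmetic or copy. */
enum parse_result read_body_checked(const uint8_t *pkt, size_t pkt_len,
                                    uint8_t *out, size_t out_cap,
                                    uint32_t *body_len) {
    if (pkt_len < HEADER_SIZE) return PARSE_BAD_LENGTH;
    uint32_t length = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                      ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (length < HEADER_SIZE) return PARSE_BAD_LENGTH;   /* the missing lower bound */
    uint32_t body = length - HEADER_SIZE;                /* cannot wrap now */
    if (body > out_cap || body > pkt_len - HEADER_SIZE) return PARSE_TOO_LARGE;
    memcpy(out, pkt + HEADER_SIZE, body);
    *body_len = body;
    return PARSE_OK;
}

/* Mistake 2: "len + 4 <= remaining" as the length check. For len close to
 * UINT32_MAX the addition wraps to a small number and the check passes. */
int length_check_unsafe(uint32_t len, uint32_t remaining) {
    return len + 4u <= remaining;
}

/* Overflow-safe form: move the constant to the other side as a subtraction,
 * which cannot wrap because remaining >= 4 is established first. */
int length_check_safe(uint32_t len, uint32_t remaining) {
    if (remaining < 4u) return 0;
    return len <= remaining - 4u;
}

/* Constructed sample packets: a valid one, one with length below the header
 * size, and one whose length exceeds both the packet and the buffer. */
static const uint8_t SAMPLE_GOOD[]  = { 9, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_SHORT[] = { 2, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_HUGE[]  = { 200, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };

/* Runs the hardened reader over one packet; returns the result code and
 * reports the accepted body length (0 when the packet is rejected). */
int parse_sample(const uint8_t *pkt, size_t pkt_len, uint32_t *body_len) {
    uint8_t out[BODY_MAX];
    *body_len = 0;
    return (int)read_body_checked(pkt, pkt_len, out, sizeof out, body_len);
}

int demo_good(void)  { uint32_t n; return parse_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n) == PARSE_OK && n == 5; }
int demo_short(void) { uint32_t n; return parse_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &n); }
int demo_huge(void)  { uint32_t n; return parse_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &n); }

int main(void) {
    printf("2 - 4 as uint32: %u\n", (unsigned)body_len_unchecked(2));
    printf("unsafe check passes for UINT32_MAX: %d, safe check: %d\n",
           length_check_unsafe(UINT32_MAX, 10), length_check_safe(UINT32_MAX, 10));
    printf("good=%d short=%d huge=%d\n", demo_good(), demo_short(), demo_huge());
    return 0;
}
```

The defensive rule both halves share: validate a remote length against its lower and upper bounds before it is used in any arithmetic, and write the upper-bound check as a subtraction from the known remaining size rather than an addition to the untrusted value.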

Tested Versions:
FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42941,42973,42998,42974-42975

Vulnerability Spotlight: EZB Systems UltraISO ISO Parsing Code Execution Vulnerability

Discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the EZB Systems UltraISO ISO disk image creator software. TALOS-2017-0342 (CVE-2017-2840) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the UltraISO software.

Overview


The vulnerability is present in the EZB Systems UltraISO software, an ISO CD/DVD image file creating/editing/converting tool and a bootable CD/DVD maker. UltraISO can directly edit the CD/DVD image file and extract files and folders from it, as well as directly make ISO files from a CD/DVD-ROM or hard drive.

The ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by standard software CD-ROM installation disks. Today, most installation disks for popular software and operating systems are distributed in the ISO file format.

Technical details


A buffer overflow vulnerability exists within EZB Systems UltraISO. After an "NM" entry is located in the .ISO file, UltraISO executes the _strncpy function with a maxlen argument calculated directly from the ISO header byte field NM_hdr.len (the length of the alternate name).

UltraISO assumes this field is always larger than 5 bytes. However, if an attacker forces it to be less than that value, the maxlen parameter for the _strncpy function becomes extremely large (NM_hdr.len - 5, with an unsigned result).

Later, the memset function (inside the _strncpy function) is executed with this extremely large size parameter, which leads to memory corruption and potential remote code execution.

More details of the vulnerability can be found in the report TALOS-2017-0342.

Discussion


The ISO 9660 file format is one of the older formats, and its original specification contains several limitations on file name length, directory depth and maximum file size. These limitations are inherited from older operating systems. Specifically, file names in an ISO 9660 file system are limited to a maximum of 8 characters, with a maximum of 3 characters reserved for the file extension.

Over time, various extensions have been developed to overcome the limitations of the original file format specification. One of them, the so-called Rock Ridge extension, allows alternative names for the original file. The alternative name can be longer than the default 8 characters.

A vulnerability in the UltraISO software exists when parsing the alternative name (NM) System Use Entry. The structure of the alternative name contains a single-byte length field which can be manipulated by the attacker to cause a buffer overflow that may allow execution of code in the context of the UltraISO user.
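The length-byte problem in the NM entry is concrete enough to show as a small parser. The following is an added example written for this page, not UltraISO's code: the entry layout (the "NM" signature, a one-byte length covering the whole entry, a version byte, a flags byte, then the name bytes) is the Rock Ridge one, while the function and constant names and the two sample entries are this example's own constructions. It shows the unchecked NM_hdr.len - 5 computation beside a parser that validates the length byte before the subtraction and before any copy.

```c
/* Added illustration, not UltraISO's code. Function and constant names and
 * the sample entries are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NM_HEADER_LEN 5u   /* 'N' 'M' + length byte + version byte + flags byte */

enum nm_status { NM_OK = 0, NM_NOT_NM = 1, NM_BAD_LENGTH = 2, NM_TRUNCATED = 3 };

/* The unchecked computation described for TALOS-2017-0342: name length as
 * len - 5 with no lower bound. For len < 5 the unsigned result wraps to a huge
 * value, which is what would then reach the string copy. Computes only. */
size_t nm_name_len_unchecked(uint8_t len) {
    return (size_t)(len - NM_HEADER_LEN);
}

/* Hardened parse of one NM entry at `sue`, with `avail` bytes readable.
 * The length byte is checked against the header size before the subtraction
 * and against the bytes actually present before the copy. */
enum nm_status nm_parse(const uint8_t *sue, size_t avail,
                        char *name, size_t name_cap, uint8_t *flags) {
    if (avail < NM_HEADER_LEN) return NM_TRUNCATED;
    if (sue[0] != 'N' || sue[1] != 'M') return NM_NOT_NM;
    uint8_t len = sue[2];
    if (len < NM_HEADER_LEN) return NM_BAD_LENGTH;   /* the check the post describes as missing */
    if (len > avail) return NM_TRUNCATED;            /* entry claims more than is present */
    size_t name_len = len - NM_HEADER_LEN;           /* cannot wrap after the check */
    if (name_len + 1 > name_cap) return NM_BAD_LENGTH;
    memcpy(name, sue + NM_HEADER_LEN, name_len);
    name[name_len] = '\0';
    *flags = sue[4];
    return NM_OK;
}

/* Constructed entries: a well-formed one naming "README.md" (entry length
 * 5 + 9 = 14) and one whose length byte is 3, below the header size. */
static const uint8_t NM_GOOD[]  = { 'N', 'M', 14, 1, 0,
                                    'R', 'E', 'A', 'D', 'M', 'E', '.', 'm', 'd' };
static const uint8_t NM_SHORT[] = { 'N', 'M', 3, 1, 0 };

/* Returns 1 when the well-formed entry parses to the expected name and flags. */
int demo_good_entry(void) {
    char name[256]; uint8_t flags = 0xff;
    return nm_parse(NM_GOOD, sizeof NM_GOOD, name, sizeof name, &flags) == NM_OK
        && strcmp(name, "README.md") == 0 && flags == 0;
}

/* Returns the status for the undersized length byte (expected NM_BAD_LENGTH). */
int demo_short_entry(void) {
    char name[256]; uint8_t flags = 0;
    return (int)nm_parse(NM_SHORT, sizeof NM_SHORT, name, sizeof name, &flags);
}

/* Returns the status when only 10 of the entry's 14 bytes are readable
 * (expected NM_TRUNCATED). */
int demo_truncated_entry(void) {
    char name[256]; uint8_t flags = 0;
    return (int)nm_parse(NM_GOOD, 10, name, sizeof name, &flags);
}

int main(void) {
    printf("len 3 - 5 unchecked: %zu\n", nm_name_len_unchecked(3));
    printf("good=%d short=%d truncated=%d\n",
           demo_good_entry(), demo_short_entry(), demo_truncated_entry());
    return 0;
}
```

Both rejections happen before any byte of the name is touched, which is the property a parser of attacker-controlled disk images needs: the length field is validated as data, not trusted as a size.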

Although third-party disk image utilities can be useful in many cases, it is worth checking whether the default operating system functionality satisfies the user's needs. Specifically, Windows 8 and later have the built-in capability to mount ISO images, which may remove the need for third-party disk imaging utilities.

Users who still require third-party disk imaging software should ensure that security updates for the product are applied as soon as they are released, to remediate potential attack vectors.

Affected versions


UltraISO versions prior to 9.7.0.3476 are affected; version 9.7.0.3476 includes a fix for the vulnerability.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43000 - 43001

Taking the FIRST look at Crypt0l0cker

This post is authored by Matthew Molyett.

Executive Summary

In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries -- plural -- because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical functions in each, but identifying all of those functions repeatedly is tedious and draws time away from improving the analysis. Enter FIRST, the Function Identification and Recovery Signature Tool released by Talos in December 2016.

FIRST allowed me to port my analysis from the unpacking DLL to the payload file instantly. Once I was satisfied with my analysis across both files, I was handed a suspected previous version of the sample. FIRST was able to identify similar code across the versions and partially port the analysis back to the older file. When the next version of Crypt0l0cker comes out, I will be able to get a jump on my analysis by using FIRST to port that work forward to the similar code. You can use it to port my work to your sample as well. I will demonstrate doing just that with a Crypt0l0cker sample which appeared on VirusTotal in April 2017, more than a month after the Talos blog about it. There has been no targeted analysis of this file to provide background for this post.

Locating the Sample

Procuring a malware sample of a known family without analyzing it can feel like a heavy challenge to overcome. Thankfully, Talos can leverage Threat Grid sandbox reports of suspected malware samples that we receive, and such reports can be scanned for family IOCs. Per our previous analysis of Crypt0l0cker, the infection status of that version is stored in a file named ewiwobiz. By searching Cisco Threat Grid telemetry for files which created ewiwobiz, I identified a file which was probably a Crypt0l0cker executable.


With a report to investigate, I needed to procure the actual sample. My sandbox report shows that the suspected Crypt0l0cker file is nearly 400 kb and likely a Nullsoft Installer file, which is a common packager. Static file information gives me the file hash which arms me with the ability to continue my investigation on VirusTotal.

While the sample is clearly malicious, my VirusTotal inspection does not suggest that the sample belongs to any known family. No detections refer to Crypt0l0cker, TorrentLocker, a listed alias in the original Talos blog, nor Teerac.

With a file sample in hand, and no static indication that I have located Crypt0l0cker, I move onto FIRST to discover how similar it is to known files.

Exploring the Sample



As the FIRST client code is an IDA Pro plugin, my first step was opening the file in my local IDA copy and allowing auto-analysis. Upon completion, the start function was displayed in front of me in the graph view. I opened the graph view context menu and requested FIRST lookups for all of the discovered functions.

After a minute, the FIRST display shows that 13 of the functions have been previously identified and uploaded.

Expanding the matched functions displays the metadata associated with each function, including a proposed name and function prototype. Notice that the functions detected in this installer have been named to draw attention to the fact that they are known to be in NullSoft Installers. I had previously marked up a different NullSoft Installer and uploaded its significant functions so that I would not have to do so again. In general, a malware analyst is wasting any time spent inspecting such a file; identifying when a packer is in use and moving along to the true payload is a much better use of time.

Check the Select Highest Ranked checkbox and click Apply. The function names get applied across the database and we can see clearly that the sandbox analysis was correct. This file is a packer and we need to extract the original.

Unpacking the Sample

I admit that at this point I cheated to perform the unpack. From previous extraction of Crypt0l0cker files protected with NullSoft, I already knew that the install script consists of consuming multiple encrypted blobs, decrypting the payload internally, and running it via process hollowing. As such, running it under a debugger and breaking on WriteProcessMemory should present the payload buffer to me.

There was a complication, though, because the install script loaded and unloaded System.dll many times. The ModLoad notification caused the debugger to consume the majority of the process cycles, effectively causing a denial of service against the debugger. I allowed this system to run for over an hour without getting beyond this delay.

By disabling the ModLoad notification via `sxi ld`, I could get my debugger to let System.dll load without triggering the significant extra processing. Crypt0l0cker was then able to spike to 99% of the CPU, rather than the debugger holding on to 80% of it.

I dumped out the PE image file and prepared to continue with FIRST.
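
The dump step above glosses over one detail a practitioner hits immediately: a payload captured from the WriteProcessMemory buffer (or saved with WinDbg's `.writemem`) is laid out as the loader would map it, with each section at its VirtualAddress, while IDA expects file layout. The following Python is an added example, not Talos code and not part of FIRST. It rewrites the section table so that PointerToRawData and SizeOfRawData equal VirtualAddress and VirtualSize, and refuses dumps whose headers or sections point outside the buffer. The sample image it operates on is constructed inline; invoking it as `python unmap.py dump.bin` (file names are assumptions) writes `dump.bin.unmapped`. It assumes the dump starts at the MZ header; if the hollowing code wrote the image one section at a time, assemble the pieces at their VirtualAddress first.

```python
"""Rebuild a file-layout PE from an image dumped out of memory (added example)."""
import struct
import sys


def _section_table(image):
    """Return (offset, count) of the section table, validating the headers on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    count = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    if table + count * 40 > len(image):
        raise ValueError("section table runs past end of dump")
    return table, count


def sections(image):
    """List (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    table, count = _section_table(image)
    out = []
    for i in range(count):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        out.append((name, va, vsize, rptr, rsize))
    return out


def unmap_pe(image):
    """Rewrite the section table of a memory-layout dump so raw offset/size equal VA/VirtualSize."""
    table, count = _section_table(image)
    out = bytearray(image)
    for i in range(count):
        hdr = table + i * 40
        vsize, va = struct.unpack_from("<II", image, hdr + 8)
        if va + vsize > len(image):
            raise ValueError(f"section {i} ({va:#x}+{vsize:#x}) extends beyond the dump")
        # SizeOfRawData, PointerToRawData := VirtualSize, VirtualAddress
        struct.pack_into("<II", out, hdr + 16, vsize, va)
    return bytes(out)


def build_sample_memory_image():
    """Constructed PE32 image in memory layout (two sections); demo input only."""
    e_lfanew, opt_size = 0x40, 0xE0
    secs = [  # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
        (b".text", 0x1000, 0x200, 0x400, 0x200),
        (b".data", 0x2000, 0x100, 0x600, 0x200),
    ]
    img = bytearray(0x2100)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", img, opt + 56, len(img))  # SizeOfImage
    table = opt + opt_size
    for i, (name, va, vsize, rptr, rsize) in enumerate(secs):
        hdr = table + i * 40
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, vsize, va, rsize, rptr)
        img[va:va + vsize] = bytes([0x90 + i]) * vsize  # distinct filler per section
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            mem = fh.read()
    else:
        mem = build_sample_memory_image()
    fixed = unmap_pe(mem)
    for name, va, vsize, rptr, rsize in sections(fixed):
        print(f"{name:<8} VA={va:#07x} VSize={vsize:#06x} Raw={rptr:#07x} RawSize={rsize:#06x}")
    if len(sys.argv) > 1:
        with open(sys.argv[1] + ".unmapped", "wb") as fh:
            fh.write(fixed)
```

The rewritten file is still not a faithful original (the import table may be resolved and relocations applied), but it is enough for IDA to load every section at the right address, which is all FIRST needs to match functions.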

Exploring the Real File

Again, the first step in using FIRST was opening the extracted file in IDA Pro. This file was built as a Windows GUI application on top of the Visual Studio C runtime, so the runtime was identified during auto-analysis and I was left with a graph view of the _WinMain@16 function. Using the FIRST command from the context menu, I checked for metadata for just that one function. It came back as Crytp0l0cker_WinMain@16, which makes it very likely that this is, in fact, Crypt0l0cker.

With confidence that FIRST would be useful, since it had a result for _WinMain@16, I queried the full file. At 436 functions this is not a quick lookup, so go get a fresh cup of coffee and let FIRST work. Since this file uses a known runtime, the runtime functions are also known to FIRST; you can filter them out with the Show only "sub_" functions checkbox.

After FIRST completes, 78 new function markups are applied out of 295 known functions in total. With 78 Crytp0l0cker_* functions identified, you can start your own analysis standing on the shoulders of days of prior professional malware analysis.

Conclusion

FIRST provides the ability to carry your work from one file over to a similar file, whether that other file is a previous or future version or even a later stage in the same execution chain. When opening a new file, FIRST can provide hints as to whether the file is interesting or just needs to be unpacked. When you finally extract a new, embedded binary, FIRST can migrate your notes from the current file to the shared code in the new file. Use FIRST to save your notes, share your discoveries, and speed up your next analysis.

IOC

File Hash

d845e4f2292ba78a993dbbf6f1317894ce1a795c096d7959f3d718e583f1cea3

Vulnerability Spotlight: Kakadu SDK Vulnerabilities

Vulnerabilities discovered by Aleksandar Nikolic and Tyler Bohan of Cisco Talos.

Today, Talos is disclosing multiple vulnerabilities that have been identified in the Kakadu JPEG 2000 SDK. The vulnerabilities could be exploited if a user opens a specially crafted JPEG 2000 file. Talos has coordinated with Kakadu to ensure relevant details regarding the vulnerabilities have been shared. In addition, Talos has developed Snort rules that can detect attempts to exploit these flaws.



Vulnerability Details


Code execution vulnerabilities exist in Kakadu SDK 7.9; they are detailed in the Talos vulnerability reports TALOS-2017-0308 and TALOS-2017-0309. In both cases, a specially crafted JPEG 2000 file parsed by the SDK can trigger an out-of-bounds write, creating an exploitable condition. The most likely form of attack is a social engineering scenario in which a user receives an email containing a malicious JPEG 2000 file that exploits one of these vulnerabilities.

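The advisory says only that a crafted file leads to an out-of-bounds write, so the following Python is an added example and not Kakadu code or a description of TALOS-2017-0308/0309. It shows the checks a practitioner expects of any parser for this container: a JP2 file is a sequence of boxes (LBox, a 4-byte big-endian length; TBox, a 4-byte type; an 8-byte XLBox when LBox is 1; LBox 0 meaning "to end of file"), and every one of those lengths is attacker-controlled. The walker validates each length against the enclosing region before using it as an offset, including for boxes nested inside the jp2h superbox. The sample file and the crafted variant are constructed inline; nothing here decodes an actual codestream.

```python
"""Defensive walk of the JP2 box structure around a JPEG 2000 codestream (added example)."""
import struct


class MalformedJP2(ValueError):
    """Raised for any box whose length disagrees with the data it sits in."""


def walk_boxes(data, start=0, end=None):
    """Yield (type, payload_offset, payload_length) for each box in data[start:end].

    Every size comes from the file, so it is checked against the enclosing
    region before it is used as an offset or a copy length.
    """
    end = len(data) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise MalformedJP2(f"truncated box header at {pos:#x}")
        lbox, tbox = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if lbox == 1:  # XLBox: 64-bit length follows TBox
            if end - pos < 16:
                raise MalformedJP2(f"truncated XLBox at {pos:#x}")
            lbox = struct.unpack_from(">Q", data, pos + 8)[0]
            hdr = 16
        elif lbox == 0:  # box extends to the end of the enclosing region
            lbox = end - pos
        if lbox < hdr:
            raise MalformedJP2(f"box {tbox!r} at {pos:#x} shorter than its header ({lbox})")
        if lbox > end - pos:  # length points past the buffer: the out-of-bounds setup
            raise MalformedJP2(f"box {tbox!r} at {pos:#x} claims {lbox} bytes, {end - pos} remain")
        yield tbox, pos + hdr, lbox - hdr
        pos += lbox


def parse_jp2(data):
    """Validate the signature box and return top-level box sizes plus ihdr fields."""
    boxes = list(walk_boxes(data))
    if (not boxes or boxes[0][0] != b"jP  " or boxes[0][2] != 4
            or data[boxes[0][1]:boxes[0][1] + 4] != b"\r\n\x87\n"):
        raise MalformedJP2("missing JP2 signature box")
    info = {"boxes": [(t.decode("latin-1"), n) for t, _, n in boxes]}
    for tbox, off, n in boxes:
        if tbox == b"jp2h":  # superbox: walk its children within its own bounds only
            for sub, soff, sn in walk_boxes(data, off, off + n):
                if sub == b"ihdr":
                    if sn < 14:
                        raise MalformedJP2(f"ihdr payload too short ({sn})")
                    height, width, nc, bpc = struct.unpack_from(">IIHB", data, soff)
                    if not height or not width or not nc:
                        raise MalformedJP2("zero image dimension or component count")
                    info["ihdr"] = {"height": height, "width": width,
                                    "components": nc, "bit_depth": (bpc & 0x7F) + 1}
    return info


def box(tbox, payload, extended=False):
    """Encode one box; helper for the constructed demo data."""
    if extended:
        return struct.pack(">I4sQ", 1, tbox, 16 + len(payload)) + payload
    return struct.pack(">I4s", 8 + len(payload), tbox) + payload


def build_sample_jp2():
    """Constructed minimal JP2 wrapper: 128x64, 3 components, 8 bpc, empty codestream."""
    ihdr = box(b"ihdr", struct.pack(">IIHBBBB", 64, 128, 3, 7, 7, 0, 0))
    colr = box(b"colr", b"\x01\x00\x00" + struct.pack(">I", 16))  # enumerated sRGB
    return (box(b"jP  ", b"\r\n\x87\n")
            + box(b"ftyp", b"jp2 " + struct.pack(">I", 0) + b"jp2 ")
            + box(b"jp2h", ihdr + colr)
            + box(b"jp2c", b"\xff\x4f\xff\xd9", extended=True))  # SOC, EOC markers only


def build_crafted_jp2():
    """Same file with the jp2h LBox bumped past the end of the data (constructed)."""
    data = bytearray(build_sample_jp2())
    jp2h_at = 12 + 20  # after the 12-byte signature box and 20-byte ftyp box
    struct.pack_into(">I", data, jp2h_at, 0x7FFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    print(parse_jp2(build_sample_jp2()))
    try:
        parse_jp2(build_crafted_jp2())
    except MalformedJP2 as err:
        print("rejected:", err)
```

The two rejections that matter are the ones a naive reader skips: a length larger than what remains in the enclosing region, and a length smaller than the header that was just consumed (which would otherwise make the cursor stand still or move backwards).
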
Coverage


Talos has developed the following Snort rules to detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 42179-42180, 42191-42194

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html

Threat Round-up for July 28 - August 4

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 28 and August 4. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Dropper.Agent-6334774-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.Obfuscation-6334622-0
    Office Macro
    Short, heavily obfuscated VB Macros make use of calling functions indirectly to prevent automatic detection.
     
  • Vbs.Downloader.Trickbot-6333852-0
    Downloader
    Trickbot is a banking trojan. The prevalence of this malware has recently spiked, and it is being distributed through several malicious spam campaigns. Many of these campaigns rely on downloaders, such as VBS scripts, for distribution. This particular downloader relies on heavy obfuscation, string splitting, and what appears to be widespread use of the name of a legitimate database tool in an effort to evade detection.
     
  • Win.Downloader.Psys-6334750-0
    Downloader
    This malware presents itself as an Adobe update to the user while downloading files using an embedded Tor client. Infected clients are often compromised with bitcoin miners and other malware.
     
  • Win.Downloader.Upatre-6333840-1
    Downloader
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables such as banking malware.
     
  • Win.Packer.VbPack-0-6334882-0
    Visual Basic Packed Executable
    VbPack executables obfuscate control flow by using call statements whose pushed return address points at string data. A series of these calls collects string artifacts such as library names and export names, which are used to resolve the Win32 API in preparation for executing the malicious payload.
     
  • Win.Trojan.DownloadGuide-6335034-0
    Downloader
    This malware is a trojan downloader written in C++ that presents itself as an application installer. The family uses techniques to hinder dynamic analysis and sets up a proxy. Additional components are downloaded and executed.
     
  • Win.Trojan.Madangel-1
    Trojan
    Win.Trojan.Madangel-1 is a trojan that will replicate itself through network shares and eventually connect to a C2 server to retrieve other executables to install into the system.
     
  • Win.Trojan.Nitol-6335025-0
    Trojan
    This malware family performs DDoS attacks. It copies itself into the \Windows directory and installs a registry key for persistence. Further, it deletes the original executable to hide itself.
     

Threats

Doc.Dropper.Agent-6334774-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 95[.]110[.]231[.]145
  • 186[.]103[.]161[.]204
Domain Names
  • kalorsystem[.]com
Files and or directories created
  • %SystemDrive%\~$7661883.doc
  • \TEMP\Attach_ID547.doc
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\743234.cvr
  • %AppData%\Microsoft\Office\Recent\Local Disk (C).LNK
  • %AppData%\Microsoft\Office\Recent\Attach_ID547.LNK
  • \TEMP\~WRL0053.tmp
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %AppData%\jottingstributarysthesauri.exe
  • %System32%\Tasks\services update
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{71906E9D-AD49-4D65-BCF8-C606DEC3CF07}.tmp
  • \TEMP\~$tach_ID547.doc
  • %AppData%\Microsoft\Office\Recent\267661883.doc.LNK
  • %AppData%\Microsoft\Office\Recent\sanctumscutlassesinstrumented.LNK
  • %AppData%\winapp\insshmfrsqhatsaqxrsgdratqh.exe
  • %TEMP%\CVRB190.tmp.cvr
File Hashes
  • 619948e1aa1ce2a8dd9c4e97884ed929f5bb3bdf9626d3cb97b2d99cf56d51da
  • 11b39f6d68386a652afdca623783ec7141961db0a6d321a279b1603fc462cd0d
  • 687bc84ce1f1b6dc0a99fc01b0fec5fa00d58b4ab1083bea7867b1bfc7d84ec3
  • e4c29ce79af3e1d5a6b4d41a6239bbb369cca0ca4742fbb28fdb58cf3a1d6c67
  • 6604d8dcd1ed5a53c5d03c2509f2d5d9a421e3a12b6087dfadb83e69805439ca
  • 4abfd7fd9443a61c98be138d55c84c317c9959893e2c8a297ee9d13ef18d387d
  • 09a9bf51b2f18df57c796993b037b91b7a1f2400716132339d35cd6f8497da1a
  • f3387add07c0c321189823bfe08296fa6eaa983693421dfd40d9208b8e68543b
  • 324b4a83ee73bb3b3d5a9b4099fc7c3ffc6c0497eec01b62513c6f91731763da
  • 551008d7fe2e292728188a14231d37d741becaa4c64290af671c3dc440ab8743
  • bc661ec240c941eb0ae04b11cedcfbfed2b81e5487346823c10cbf0e88df59e1
  • 5cbc42190c97da6f9737bca56c30e24f2679467a04030c732b320ce278114ea4
  • 08887558f6388dcac9afb8b0c311558d4e8a34974dc01168f74e5f711ac59535
  • 17504f7f93bb6be7230ff1588623556ee62299082aa3f2dc539d5a48f714593a
  • e191cbadbe4a2c24427bba011a3abf56ccaea8ba8e991b4b60c07d406412c11d
  • aa100e2c541e4a1c4fa3a75c077a9b5b94fc99b0d19bd2e194d9baba5bd9f346
  • 75c74b872ecb14b99579321930b72f3749b416a1e1242f906c6d9e8515b7e4d3
  • af29409564b009d3d71621483b7d62adafe77eb1ada41abd0239ae07c30c2abc
  • a385c7d8d006d80f6bfdb583aba085c0c4a18afddd05ab07ade49522dc584dbd
  • 83ff2ddc3b76f9c1cba2e7a806f84a50dca2913d55a33e619f650a6b6a6b272c
  • 7dee06e698a8baa78df73f058f9be2b269a5344d2dc449bcdbe87e44000b8310
  • 4255b90bb30c02b4fe1a42ccc55742f641d75810038aa8fdae6057a9a41afb1e
  • 519363cc5308578e3565d9d73e1ace3145156d3e14c17ec1ef7a189bf6bf9381
  • 89983f03a9a2b9b5e9aeb7c8f637fec5ecbeec1378b676de5c326f74e31918a4
  • 06b0105e71ca2e1f9bd63cd417dcf6437a325eea393b57f4c622eb413f922265
  • 47833122bc78d99040f29bb2f5c01b5c0b9f4b5b81b09b6a6951e7fa67509f8a
  • 427d8860cbb12f680692c1a54da26e189b4498b2314984932112400d138eaae3
  • ff6ff8c4af0499c0ff4379378cbb9d3eddbd48b197fe07277371c20e2dae70d8
  • 1bf710707642000bcf37c0774c12b004127235b710dd7116f08d86bfb04a28c8
  • c3e10665750030082cf2e37c8e882b8572a8be65d6ee51bfc253853a70d1db90

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)






Doc.Macro.Obfuscation-6334622-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 178[.]175[.]138[.]162
  • 176[.]123[.]0[.]55
Domain Names
  • halohh[.]tk
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\driv.exe
File Hashes
  • 4cd9c04390f2b7171e50e1c0b1afde499160aac0da9aed28ee5677863a389c5e
  • 0bb9ba9d3ba8fe8f8fd4c464f27674e07a3d231642a21571e03e0f08bac6909e
  • 617ac6d026a110629694b28c977bf5e8d445eb25ccd83f14b925ca032f779cec
  • 98233482a8e37abaaf5cf6a36fdee60c3a9a0a4d075a6e8807798fe5e443106a
  • 268571fc240204b17d9989379d184efb984458ce5b6a593ed3178e8a4b62cc17
  • 8814e9aad599c98bb01ea9690c1afbb8d891bf1e6f50f0bc1d23fd8887e7411b
  • 4cd9c04390f2b7171e50e1c0b1afde499160aac0da9aed28ee5677863a389c5e
  • 753113c77192320f1844f132143f106e5dc73b271e44c2a3b214205eea8e42df
  • 17224da53b266c1a7e487d95b57ad47c21dec82ca42056a785dd816555d46967
  • db4703a6cea9b700cc17b527e7d0a4e228bdd41659bece18c65f0877724c87a4

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)






Vbs.Downloader.Trickbot-6333852-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
  • Local\WininetConnectionMutex
  • Local\_!MSFTHISTORY!_
IP Addresses
  • 37[.]220[.]90[.]208
Domain Names
  • annmcclean[.]co[.]uk
Files and or directories created
  • %TEMP%\cNyXqxuTxfU.exeA
  • %TEMP%\cNyXqxuTxfU.exe
File Hashes
  • 42747cdefebee5af8ae2899825fa6d0bbd1d52a853ec1262f1395310a42d4726
  • 43be972338fd27a180a5b6540b212513377491f3a16cc750b67c8150e8e0d3f1
  • 9033a377113f80beedde5575de1fe832bb0e49b9bc6e33851b26e8c8a47fd6d8
  • cd0e8181c7276b138793366c3fbb3a58275225fed8c434185db56dfcda421f7b
  • e10be1a5388458c128fc832afca671d3fdaa30195737b0935fd8ef80314afc68

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)






Win.Downloader.Psys-6334750-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • thephotoblog[.]xyz
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\[0-9]{9}.exe
  • %SystemDrive%\psys2\psys.rar
  • %SystemDrive%\psys2\<extracted rar archive files>
File Hashes
  • 1beb16a8467a8957d1a752c396e1a50fceab554498ce9ea65396c37d07e8a28d
  • 498a9cf24d40c098ec793e13e96f7a5001984b3f6436271fdde5ff88c23b88f5
  • 6d7ed964e02fc1a370777d3f2baf1a279ff6bd85f5240d49735f62f909978542
  • 9e21521a7264a76e4ba6b6f3f2f518fb8f95b4b3cfa2a45028fa43be46916095
  • e1d407c2b954c9c705431fe9c7d7a9f8995441015414a20381bdc502534c50eb
  • f4313a33210b75ba928e5bf91df91f2d1fe7b75d2971b2c9e11c0f4d76dedb35
  • fb536d40d118322f31746a577c400488e1020ea8073cf36cfe37712f91e27cb3

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella, Screenshot)






Win.Downloader.Upatre-6333840-1


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • technopoleci[.]com
  • pearlstours[.]com
Files and or directories created
  • %Temp%\lisca.exe
File Hashes
  • 0f6325d3fd6177cee19770b12d97efa8da46cb23a7173e227efc2291e59034d3
  • 19a4c65bc812eb74df5b41c058f345c5a4fbc838de59e4127e4cf784770a63df
  • 23da35463015938e649624b1e606507fc1c36998a3cdb730f02309055609bd2f
  • 249698d153aec8b19f511529aae5efc852cacbbc4f45020e4b9a3bdea933a6fa
  • 570323e1150fe8e0802b03eb7848452c89ea1247512365bdb8621ecac4d15507
  • 5f2c8ac317bf4d58610c803c01c95d358cb25600f632644e01d5c31a74fd2554
  • 5f3a9efa98d7acfb0793292b2475eba2d547632c63f3b4ca5d1958731d264506
  • 6c44efb2baabb7b66849e69567c8b3394919efdb2491a1392ff237090c380f1f
  • 75309ff6942162fa19e4c7d430456a699cbee26106afeffc71f02325c9ab37c4
  • 8978bcef1799a5ea3324ce88b9a848e85987958b8ea7dcc0ba511120e6602aa0
  • 9d4effa16fa83e12179a674966af8a49bb592fa58de53ee2866f5ceda8206733
  • a67638a9940841bc5222a160b0d28930c5244be769e6091122cfc7aaefa71335
  • ad54d0d8d9b80aff216cc9097849efc52b2990a6b8f9d6a24f9a22709be35267
  • c707645487cd7d7c8001fa40cfa2475c23705f65048c3831eefb5580e39b3845
  • c75bc2341ed612c8e5154cb88e7110544e3ff59fed30af28e441c0d31d088da8
  • c9975f106e8e0e7ceee70bd285159226e7687076a0e3b84c525a953657f6b1ff
  • eb0601efd61b34a2fac8468b613913983c2b1968b77aec8848c2dddf4443e952
  • ec439a41172d7683ee803e336e4b175b8baebc8d4ceed40c6b63b5649d7855ff
  • f6ae56489c1063a48079b1cf5c1252a8f1f3af70918c58fed90ce453bd6cec9e
  • fc0f51ffddad995a4588fbc28d10d0037cc36708e4875a057629bd5a2d975a43

Coverage

Screenshots of Detection (AMP, ThreatGrid)





Win.Packer.VbPack-0-6334882-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • \BaseNamedObjects\4EAB18A7EBDA2A0128649942
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %AppData%\7EBDA2\2A0128.hdb
  • %AppData%\win32.exe
  • \samr
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\win32.vbe
File Hashes
  • 2095d70fb739a0fe1af7a0c17d28934fff79fdabe5412c90d01aa103ba409452
  • 29a438f87f3cba8d92f0892d551d9a1392fa4f00790aa006cdf098f377c3e419
  • 2f6ba28b1e011f466c697853af8033986a2d2d629ad4e7c833f8e34762d357a9
  • 342a928efa083ab47f29d83c3886799fc9c344e1d4122f628299c0acf85b12d8
  • 507af0c158e03bd967d856d6310c842acd8aa3118612840fa395c201185ace9d
  • 5a20fefb3bdb7b6357f7e00bf66bb7fca4d3a6be566856370793088e94118a1d
  • 69aca79fc824166616de124a89c7a78cd25c097a6df951ba9943ea6867afbb6d
  • 714264ce71ef28fa86a37abcdb8eaa726ce80e52a87e4b1fb20c1522e72088f9
  • 799b05b59250e3316a1f1b583e1a5e82f66f0f3756dc8616b7f572e723a208cf
  • 7cb3eca68f707bfeb7fda5cf549b9c1cebe9ed4cb06dd3a17cd5c1d07364462e
  • 80d0e916ee763752670f8425bbb3df60db22d96566f3e8bc273fb9cf1ca57dee
  • 8a0de6f0099dd38a0a34d7eb3319d6eb89b4ef3bc9835ea9dcb33dcb1dd0a47e
  • b5b5a289ff062eec0d5db7a081fe69e85c16500194dc45be18e038aa6f7cd109
  • d2cb512fa85e3d77072a10e9a107d44e79e2017b7c182db29008b5edabc53e00
  • dfa7f428e0cee8bf254d8a33b685082e90723cd318bce9df59450dfa7a3fb6d0

Coverage

Screenshots of Detection (AMP, ThreatGrid)







Win.Trojan.DownloadGuide-6335034-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017080320170804
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing
Mutexes
  • DlgCpp
  • MSIMGSIZECacheMutex
  • _!SHMSFTHISTORY!_
  • Local\WininetConnectionMutex
  • Local\_!MSFTHISTORY!_
  • \BaseNamedObjects\DlgCpp
  • RasPbFile
  • Local\ZonesCacheCounterMutex
  • Local\WininetStartupMutex
  • Local\IESQMMUTEX_0_274
IP Addresses
  • 104[.]40[.]188[.]185
  • 72[.]21[.]81[.]200
  • 104[.]40[.]156[.]71
Domain Names
  • cs9[.]wpc[.]v0cdn[.]net
  • dlg-messages[.]buzzrin[.]de
  • dlg-configs[.]buzzrin[.]de
  • dlg-configs-weu[.]cloudapp[.]net
  • az687722[.]vo[.]msecnd[.]net
  • dlg-messages-weu[.]cloudapp[.]net
Files and or directories created
  • %TEMP%\DLG\ui\offers\3cc9566f4a803e726fe2ff36e63a6bc3\uifile.zip
  • \Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017080320170804\index.dat
  • %TEMP%\DLG\ui\offers\2f682d34f7ca97e9988360367f18412e\uifile.zip
  • %TEMP%\DLGCBB2.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\3cc9566f4a803e726fe2ff36e63a6bc3\uifile.zip (copy)
  • %TEMP%\DLG\ui\offers\4eee8661eff0ab9af2f73a9c050f7d06\uifile.zip
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\2f682d34f7ca97e9988360367f18412e\uifile.zip (copy)
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\2f682d34f7ca97e9988360367f18412e\uifile.zip.part
  • %TEMP%\DLG\ui\common\progress\progress.zip
  • \TEMP\8b55500ba6953f1a232fb2fffa7c55a29a4fbec6a353f3ad6da670fc911aac33.exe
  • %System32%\wdi\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{bc3d8877-b46d-4746-b041-b538af5e2cf0}\snapshot.etl
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\common\progress\progress.zip (copy)
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLGD.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\18b3f294321c1361e5232935c8e4ab35\uifile.zip (copy)
  • %System32%\wdi\LogFiles\WdiContextLog.etl.001
  • %TEMP%\DLG\ui\offers\18b3f294321c1361e5232935c8e4ab35\uifile.zip
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\b027951991b0ce592b2d579b8888057c\uifile.zip (copy)
  • %TEMP%\DLG\ui\common\base\base.zip
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\b027951991b0ce592b2d579b8888057c\uifile.zip.part
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\common\progress\progress.zip.part
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\18b3f294321c1361e5232935c8e4ab35\uifile.zip.part
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\common\base\base.zip.part
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\common\base\base.zip (copy)
  • %System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{a69f0170-8245-4aed-a99e-3b0aad202ce2}\snapshot.etl
File Hashes
  • 8b55500ba6953f1a232fb2fffa7c55a29a4fbec6a353f3ad6da670fc911aac33
  • 756901560838b9d1ec9fe20300c772d336629d1d3e8a798626bc2009d433620d
  • 17d58fb6ca87a08d515681c3f11ebc72667aae66fd59cc5f400cf893189b5ce1
  • 3cc8c8b086f33d5ed62a5d9088d53693f31237473cbcf5268919c7cea016193e
  • b5b6de4fd07c9929f1a066dd3d27fc3f0ccc72a6f0f3f9336b60f9445150e336
  • 37da3a745745ad81a3b20bcbbc43a0bca6e88991a7812f833751b8be642e3bc0

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)






Win.Trojan.Madangel-1


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER\PARAMETERS
    • Value: AutoShareWks
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER\PARAMETERS
    • Value: AutoShareServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: Serverx
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider
  • <HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Mutexes
  • Angry Angel v3.0
  • shqq
  • \BaseNamedObjects\Angry Angel v3.0
IP Addresses
  • N/A
Domain Names
  • sys[.]zief[.]pl
Files and or directories created
  • %WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf
  • %WinDir%\SysWOW64\Serverx.exe
  • %System32%\drivers\etc\hosts
File Hashes
  • 4080076d8016be14b7493a4fd365b03073ae90cba70590b25039ef76b2d36aea
  • 7ad3924efe8802153b9dadc5bc055b329ec8c2850b91dc5f5a1bba42533a8758
  • 3ad3d18277238e0a6e0a84a6e901395ad647466a0e68275a7426203216b05025
  • fbf9d40bc0abe116c19404298d324fcb5a2ddd19d2d97dc31418446be3637a22
  • a010da80c2d35d420958b858fc1e5e700fab866799aa786e1feab4fba5ee6dbb

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)





Win.Trojan.Nitol-6335025-0


Indicators of Compromise


Registry Keys
  • <HKLM>\System\ControlSet001\Services\Sertiey\ImagePath
Mutexes
  • N/A
IP Addresses
  • 103[.]235[.]46[.]39
  • 119[.]29[.]112[.]122
Domain Names
  • www[.]a[.]shifen[.]com
  • www[.]baidu[.]com
  • ubcRCeHZx[.]nnnn[.]eu[.]org
Files and or directories created
  • %WinDir%\Debug\eiahost.exe
File Hashes
  • 917b400da5befe32d00e0503a05cb2f1d635ace6029e30e2ba034da93d4927af
  • 2136e6be115617349992b506aced588dced1f5496e97443dfcc31344873f624d
  • 2b21ea686281211c8ba3a548128c310b7b239697ca8cd590c26353f5fd14cccf
  • 830c3bf61e613137ce7fc5eb3a4205519bb021ef9ea179382559c398caf24dc2
  • a82a94d3d964f48d344459f39be5f7b76c09c91f8374517a0315d3e7d069b73c
  • e018f2cb152ab5c9bedef63a760b223eb91e965703a691877550ca390e46ea84
  • b359d8aa7b59c52aa7e6ce32f1a8bfbf8ff95e2a50c3b44f434fda77cfbcf82d
  • c06616aff5c46d7788c48b873b11a6aa9518ab8f1c075e164ef6c968207f845f
  • 3a60cd3ab3cd6e71d0836f24231da876a6996a9d556d4e290d0af70b53b0b659
  • ed90bd5202eb621c7e44b25e83b1222efbd98094efbfc84d10ed4e12a89cc284

Coverage

Screenshots of Detection (AMP, ThreatGrid)


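The indicator lists above are defanged with `[.]` so they cannot be clicked or resolved by accident; before they are useful you have to refang them and match them against your own telemetry. The following Python is an added example, not Talos tooling. It takes the IP and domain indicators from the Doc.Dropper.Agent-6334774-0 and Vbs.Downloader.Trickbot-6333852-0 entries above (plus one constructed hxxp:// URL, since round-ups sometimes list URLs) and runs them over constructed DNS and proxy log lines. Domain matching is on label boundaries, so a subdomain of a listed domain hits while a lookalike such as notkalorsystem.com does not; a plain substring search would get that wrong in both directions.

```python
"""Refang round-up IOCs and scan log lines for them (added example)."""
import ipaddress
import re

DEFANGED_IOCS = """
95[.]110[.]231[.]145
186[.]103[.]161[.]204
kalorsystem[.]com
37[.]220[.]90[.]208
annmcclean[.]co[.]uk
hxxp://annmcclean[.]co[.]uk/
"""

# Constructed DNS and proxy records; the first three touch indicators above.
LOG_LINES = [
    "2017-08-01T10:02:11Z dns client=10.1.2.3 query=kalorsystem.com type=A answer=95.110.231.145",
    "2017-08-01T10:02:12Z proxy client=10.1.2.3 dst=95.110.231.145:80 url=http://kalorsystem.com/jottings.exe",
    "2017-08-01T10:05:40Z dns client=10.1.2.9 query=www.annmcclean.co.uk type=A answer=37.220.90.208",
    "2017-08-01T10:07:00Z dns client=10.1.2.9 query=example.com type=A answer=93.184.216.34",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value):
    """Undo the usual defanging conventions: [.] / (dot) -> ., hxxp -> http, [:] and [/]."""
    v = value.strip()
    for token in ("[.]", "(.)", "(dot)", "[dot]"):
        v = v.replace(token, ".")
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.replace("[:]", ":").replace("[/]", "/")


def load_iocs(text):
    """Split refanged indicators into an IP set and a domain set (URLs contribute their host)."""
    ips, domains = set(), set()
    for line in text.splitlines():
        v = refang(line)
        if not v:
            continue
        if "://" in v:
            v = v.split("://", 1)[1].split("/", 1)[0]
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            domains.add(v.lower().rstrip("."))
    return ips, domains


def domain_matches(name, domains):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, ips, domains):
    """Return (line_index, indicator) for every line that touches a known IOC."""
    hits = []
    for i, line in enumerate(lines):
        found = {ip for ip in IP_RE.findall(line) if ip in ips}
        for host in HOST_RE.findall(line):
            match = domain_matches(host, domains)
            if match:
                found.add(match)
        for ioc in sorted(found):
            hits.append((i, ioc))
    return hits


if __name__ == "__main__":
    known_ips, known_domains = load_iocs(DEFANGED_IOCS)
    for idx, ioc in scan(LOG_LINES, known_ips, known_domains):
        print(f"line {idx}: {ioc} -> {LOG_LINES[idx]}")
```

Feeding real logs is a matter of replacing LOG_LINES with an iterator over the file; the IP and host regexes are deliberately loose so they work on unstructured proxy and DNS text, and the IOC sets, not the regexes, decide what counts as a hit.
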
On Conveying Doubt

This post was authored by Matt Olney.

Typically, Talos has the luxury of time when conducting research. We can carefully draft a report that clearly lays out the evidence and leads the reader to a clear understanding of our well supported findings. A great deal of time is spent ensuring that the correct words and logical paths are used so that we are both absolutely clear and absolutely correct. Frequently, the goal is to inform and educate readers about specific threats or techniques.

There are times, however, when we are documenting our research in something very close to real-time. The recent WannaCry and Nyetya events are excellent examples of this. Our goal changes here, as does our process. Here we are racing the clock to get accurate, impactful, and actionable information to help customers react even while new information is coming in.

In these situations, and in certain other kinds of investigations, it is necessary for us to talk about something when we aren't 100% certain we are correct. I'll provide two examples from our Nyetya blog posts:

Example 1:

"Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated."

This is our response to customers who were asking "If I pay, will I get my data back?" There were a number of indications that made us think this was unlikely, but we couldn't necessarily prove that there was no way it could occur at the time we published. We weren't certain, but it was important to share our analysis quickly because customers needed information in order to make time-sensitive decisions, so we did so with a clear statement that there was room for error.

Example 2:

“This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.”

Here we are speaking about an actor's thought process. Obviously we aren't in a position to authoritatively speak about what is going through an actor's head. But we can look at a broad set of circumstances, analyze them in the light of our past observations and experiences, and then try to understand what underlying meaning they might have. Based on what we saw, we thought it important to express that the actor may have additional capability it had not shown, so again, we spoke in plain language that gave the reader information they could evaluate.

Speaking with doubt doesn't mean guessing. At Talos it means applying experience and knowledge to a set of information that is incomplete and trying to extract actionable intelligence from that information. When we document our findings externally, we are under an obligation to be crystal clear if we are engaging in some form of speculation in order to develop a thoughtful assessment based on strong indicators. This doesn't make the information less valuable, but it does allow the reader to correctly weigh the information when prioritizing their own response. As we move ahead, when Talos communicates doubt, we will do so using the following as guidance:

Phrase                                              Estimated % Confidence
Low Confidence / Possible / Unlikely                < 35%
Moderate Confidence / Probable / Likely             35% - 69%
High Confidence / Highly Probable / Highly Likely   > 70%

Our primary mission is to place into our readers' hands the information they need to defend their systems and their networks. We can't always wait until we are 100% certain of findings, particularly while we are in the midst of an incident. By utilizing this language, we can share findings earlier and give customers the ability to evaluate our information and apply it to their defenses if necessary.

Vulnerability Spotlight: Adobe Reader DC Parser Confusion

Parser vulnerabilities in common software packages such as Adobe Acrobat Reader pose a significant security risk to large portions of the internet. The fact that these software packages typically have a large footprint often gives attackers a broad attack surface they can potentially leverage for malicious purposes. Thus, identifying vulnerabilities and responsibly disclosing them is critical to eliminating attack vectors that may otherwise be exploited.

Today, Talos is disclosing a vulnerability that has been identified in Adobe Acrobat Reader DC. The vulnerability, if exploited, could lead to arbitrary code execution on affected devices. As part of the coordinated effort to responsibly disclose the vulnerability, Adobe has released a software update that addresses the vulnerability. Additionally, Talos has developed Snort rules that detect attempts to exploit the flaw.

Vulnerability Details

This vulnerability was identified by Aleksandar Nikolic of Talos.

TALOS-2017-0361 / CVE-2017-11263 is an arbitrary code execution vulnerability in Adobe Acrobat Reader DC that manifests as a parser confusion vulnerability in the AcroForm parsing functionality. A specifically crafted PDF document designed to trigger this vulnerability could cause the parser to enter an unintended state. As a result, an attacker could abuse an unchecked pointer in memory to access or overwrite arbitrary memory inside the process. This could ultimately lead to arbitrary code execution. 

The vulnerability could be leveraged in the context of a social engineering attack, where an attacker sends the intended victim an email containing a malicious PDF. 

Coverage

Talos has developed the following Snort rules to detect attempts to exploit the vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 
  • 43167-43168
For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html

Microsoft Patch Tuesday - August 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.


Vulnerabilities Rated Critical

The following vulnerabilities are rated "critical" by Microsoft:
The following briefly describes these vulnerabilities.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability


Multiple vulnerabilities have been identified in the Microsoft Browser JavaScript engine that could allow remote code execution to occur in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation of these vulnerabilities is achievable if a user visits a specifically crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8634
  • CVE-2017-8635
  • CVE-2017-8636
  • CVE-2017-8638
  • CVE-2017-8639
  • CVE-2017-8640
  • CVE-2017-8641
  • CVE-2017-8645
  • CVE-2017-8646
  • CVE-2017-8647
  • CVE-2017-8655
  • CVE-2017-8656
  • CVE-2017-8657
  • CVE-2017-8670
  • CVE-2017-8671
  • CVE-2017-8672
  • CVE-2017-8674

CVE-2017-8653, CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerabilities


Two vulnerabilities have been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specifically crafted webpage that exploits one of the flaws.

CVE-2017-8661 - Microsoft Edge Memory Corruption Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-0250 - Microsoft JET Database Engine Remote Code Execution Vulnerability


A buffer overflow vulnerability in the Microsoft JET Database Engine has been identified that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability can be triggered by opening or previewing a specifically crafted database file on a vulnerable system. Scenarios where this could occur could be an email-based attack where an attacker sends the targeted user a malicious database file to be opened.

CVE-2017-8591 - Windows IME Remote Code Execution Vulnerability


An arbitrary code execution vulnerability in the Windows Input Method Editor (IME) has been identified that could allow an attacker to execute code in the context of the current user. The vulnerability manifests due to improper handling of parameters in a method of a DCOM class. Note that the DCOM server is a component of Microsoft Windows that is installed regardless of the language or IMEs in use. An attacker who exploits this vulnerability can instantiate the DCOM class and compromise the system, even if IME is disabled.

CVE-2017-0293 - Windows PDF Remote Code Execution Vulnerability


A vulnerability in Windows PDF has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who open a specifically crafted PDF file or who visit a web page containing a specifically crafted PDF could exploit this vulnerability.

CVE-2017-8620 - Windows Search Remote Code Execution Vulnerability


A vulnerability in Windows Search has been identified that could allow an attacker to remotely execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Upon successful exploitation, an attacker with physical access to the affected host could elevate privileges to that of an administrator. This vulnerability could also be exploited in an enterprise environment via an SMB connection to the affected host.

CVE-2017-8622 - Windows Subsystem for Linux Elevation of Privilege Vulnerability


A vulnerability in the Windows Subsystem for Linux has been identified that could be used to escalate a user's privileges to that of an administrator. This vulnerability manifests due to how the Windows Subsystem for Linux handles NT pipes. Successful exploitation could allow a local, authenticated attacker to execute code as an administrator.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8644, CVE-2017-8652, CVE-2017-8662 - Microsoft Edge Information Disclosure Vulnerability


Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities could give an attacker the information necessary to further exploit additional vulnerabilities on the system.

CVE-2017-8503 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests as an AppContainer sandbox escape within the browser. Successful exploitation could result in a user obtaining elevated privileges. Note that this vulnerability does not allow arbitrary code execution. However, if used in conjunction with one or more other vulnerabilities, an attacker could execute arbitrary code in the context of an administrator.

CVE-2017-8642 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests due to improper validation of JavaScript in certain circumstances. Successful exploitation could elevate privileges in affected versions of Microsoft Edge. Note that this vulnerability does not permit arbitrary code execution. However, if used in conjunction with another vulnerability, an attacker could execute arbitrary code at medium integrity level, i.e. that of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability


A vulnerability in Internet Explorer has been identified that could be exploited to bypass a security feature. This vulnerability manifests due to Internet Explorer improperly validating User Mode Code Integrity (UMCI) policies. Successful exploitation of this vulnerability could allow an attacker to execute unsigned malicious code as if it were signed. Exploiting this vulnerability is possible if a user visits a specifically crafted website designed to exploit the flaw.

CVE-2017-8691 - Express Compressed Fonts Remote Code Execution Vulnerability


A vulnerability in the Windows Font library has been identified that could permit an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests due to the library improperly handling specially crafted embedded fonts. Exploitation of this vulnerability is possible if a user visits a specifically crafted web page or if a user opens a specifically crafted file that is designed to exploit this vulnerability.

CVE-2017-8654 - Microsoft Office SharePoint XSS Vulnerability


A vulnerability in Microsoft SharePoint has been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. This vulnerability manifests due to SharePoint Server improperly sanitizing specific web requests from a user. Successful exploitation of this vulnerability could allow an attacker to execute script in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.

CVE-2017-8516 - Microsoft SQL Server Analysis Services Information Disclosure Vulnerability


A vulnerability in Microsoft SQL Server Analysis Services has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to SQL Server Analysis Services improperly enforcing permissions. An attacker with valid credentials that permit access to the affected SQL Server could exploit this vulnerability to gain additional database and file information that should otherwise not be permitted.

CVE-2017-8659 - Scripting Engine Information Disclosure Vulnerability


A vulnerability in the Chakra JavaScript Engine has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8637 - Scripting Engine Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass a security feature. This vulnerability manifests due to the way memory is accessed in "code compiled by the Edge Just-In-Time (JIT) compiler that allows Arbitrary Code Guard (ACG) to be bypassed". Note that exploiting this vulnerability does not by itself result in arbitrary code execution. However, if used in combination with another vulnerability, an attacker could execute arbitrary code on the targeted system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8668 - Volume Manager Extension Driver Information Disclosure Vulnerability


A vulnerability in the Volume Manager Extension Driver has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Volume Manager Extension Driver improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8593 - Win32k Elevation of Privilege Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8666 - Win32k Information Disclosure Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Win32k component improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8624 - Windows CLFS Elevation of Privilege Vulnerability


A vulnerability in the Windows Common Log File System (CLFS) driver has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8633 - Windows Error Reporting Elevation of Privilege Vulnerability


A vulnerability in the Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.

CVE-2017-8623 - Windows Hyper-V Denial of Service Vulnerability


A vulnerability in the Microsoft Hyper-V Network Switch has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to improper validation of input "from a privileged user on a guest operating system." Successful exploitation of this vulnerability could cause the host server to crash. Exploiting this flaw requires that a privileged user on the guest operating system runs a specifically crafted executable that exploits this vulnerability, thus causing the host system to crash.

CVE-2017-8664 - Windows Hyper-V Remote Code Execution Vulnerability


A vulnerability in Windows Hyper-V has been identified that could allow arbitrary code execution on the hypervisor system to occur. This vulnerability manifests due to improperly validating "input from an authenticated user on a guest operating system." Exploitation of the vulnerability could be achieved if an attacker runs a specifically crafted application within a guest operating system that causes Hyper-V to execute arbitrary code.

CVE-2017-0174 - Windows NetBIOS Denial of Service Vulnerability


A vulnerability in Microsoft Windows has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to Windows improperly handling NetBIOS packets. Successful exploitation of this vulnerability could cause the host to become unresponsive. An attacker who sends a series of specifically crafted TCP packets to the targeted system could create a permanent denial of service condition.

CVE-2017-8673 - Windows Remote Desktop Protocol Denial of Service Vulnerability


A vulnerability in Remote Desktop Protocol (RDP) has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to the target system improperly handling RDP requests once an attacker has connected to it. Successful exploitation of this vulnerability could cause the RDP service to become unresponsive.

CVE-2017-8627 - Windows Subsystem for Linux Denial of Service Vulnerability


A vulnerability in the Windows Subsystem for Linux has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to the Subsystem improperly handling objects in memory. Successful exploitation of this vulnerability could cause the local system to become unresponsive.

Vulnerabilities Rated Moderate

The following vulnerabilities are rated "moderate" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8650 - Microsoft Edge Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass a security feature. This vulnerability manifests due to improper enforcement of same-origin policies. Successful exploitation could allow an attacker to "access information from origins outside the current one." Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8651 - Internet Explorer Memory Corruption Vulnerability


A vulnerability in Internet Explorer has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort Rules:

  • 43847-43848
  • 43851-43852

WinDBG and JavaScript Analysis

This blog was authored by Paul Rascagneres.

Introduction


JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of using WinDBG to describe the analysis of JavaScript using the 64 bit version of wscript.exe. It is strongly recommended to read our previous article first.


Object Loading on Windows Systems


JavaScript often needs to load external objects in order to obtain access to additional features not included by default in the Windows interpreter. This can be achieved by using the ActiveXObject() API (to load ActiveX objects) or the WScript.CreateObject() API (to load COM objects). The mechanism behind these two APIs is the same: an external library is loaded to provide access to new objects. Here are two examples:
new ActiveXObject("Shell.Application");
WScript.CreateObject("Wscript.Shell");
The first step is to understand which library is behind these two objects. This information is stored in the registry. First we need to get the CLSID associated with the object name from the following registry key: HKEY_CLASSES_ROOT\OBJECT_NAME\CLSID.

Here is an example for the Shell.Application object name:
This shows that the CLSID is {13709620-C279-11CE-A49E-444553540000}. With this information we are able to get the DLL path of the object from HKEY_CLASSES_ROOT\CLSID\{THE_CLSID} (its InProcServer32 subkey):
In this case, the library in which the Shell.Application object is located is shell32.dll. With this information, we are able to start WinDBG in order to analyse object loading and execution.

WinDBG Analysis


The analysis of JavaScript execution is performed by debugging the wscript.exe binary. This can be executed with the following command:
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" C:\Windows\System32\wscript.exe c:\Users\User\to_be_analysed.js
The technique is often the same:
  • Breakpoint when the object library is loaded;
  • Identification and breakpoint on the wanted function;
  • Get arguments of the function

Case Study #1: ActiveX Object


Consider the following code:
var oShell = new ActiveXObject("Shell.Application");
var commandtoRun = "calc.exe";
oShell.ShellExecute(commandtoRun,"","","","1");
The first task is to find where the "Shell.Application" library object is located in the registry:
c:\Users\user> script.py Shell.Application
Object Name: Shell.Application
CLSID: {13709620-C279-11CE-A49E-444553540000}
Description: Shell Automation Service
dll: %SystemRoot%\system32\shell32.dll
This tells us that we should analyse shell32.dll. Let's execute this script and introduce a breakpoint when the library is loaded:
0:000> sxe ld shell32 ; g
ModLoad: 00007fff`c6af0000 00007fff`c7f27000 C:\WINDOWS\System32\SHELL32.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
The next step is to identify the ShellExecute function:
0:000> x shell32!ShellExecute
Unfortunately, the function does not have the same name in JavaScript and in the library. However, we can search for it using a regular expression:
0:000> x shell32!ShellExecute*
00007fff`c6b13dd0 SHELL32!ShellExecuteExW (void)
00007fff`c6b13e44 SHELL32!ShellExecuteNormal (void)
00007fff`c6cb1630 SHELL32!ShellExecuteExA (<no parameter info>)
00007fff`c6fa8d58 SHELL32!ShellExecuteRegApp (<no parameter info>)
00007fff`c6bef560 SHELL32!ShellExecuteW (<no parameter info>)
00007fff`c6cb15a0 SHELL32!ShellExecuteA (<no parameter info>)
00007fff`c6fa9058 SHELL32!ShellExecuteRunApp (<no parameter info>)
In our case, we can add a breakpoint for ShellExecuteNormal:
0:000> bp shell32!ShellExecuteNormal
0:000> g
Breakpoint 0 hit
SHELL32!ShellExecuteNormal:
00007fff`c6b13e44 48895c2408 mov qword ptr [rsp+8],rbx ss:00000029`cb56c7a0=00000029cb56cc90
We can now retrieve the argument directly via the RCX register:
0:000> r $t1=poi(rcx+0x18);du $t1
000001ee`350d055c "calc.exe"
At first glance, it's not obvious why there is an offset of 0x18. This is because the argument passed to ShellExecuteNormal() is a pointer to a SHELLEXECUTEINFO structure, and the Microsoft documentation of that structure shows that the member holding the file name sits at offset 0x18 in the 64-bit layout.

Case Study #2: WScript Shell Object


Let's consider a second example:
var shell = WScript.CreateObject("Wscript.Shell");
var command = "calc.exe";
shell.Run(command, true, false);
As previously, the first task consists of finding the library where Wscript.Shell is located:
c:\Users\user> script.py Wscript.Shell
Object Name: Wscript.Shell
CLSID: {72C24DD5-D70A-438B-8A42-98424B88AFB8}
Description: Windows Script Host Shell Object
dll: C:\Windows\System32\wshom.ocx
Let's try to identify the function name:
0:000> sxe ld wshom
0:000> g
ModLoad: 00007fff`b5630000 00007fff`b5657000 C:\Windows\System32\wshom.ocx
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
0:000> x wshom!*Run*
00007fff`b5640930 wshom!CUnknown::InnerUnknown::`vftable' = <no type information>
00007fff`b563d530 wshom!CUnknown::InnerUnknown::QueryInterface (<no parameter info>)
00007fff`b5648084 wshom!_IMPORT_DESCRIPTOR_ScrRun = <no type information>
00007fff`b563d570 wshom!CUnknown::InnerUnknown::Release (<no parameter info>)
00007fff`b5643d30 wshom!ScrRun_NULL_THUNK_DATA = <no type information>
00007fff`b563bbb0 wshom!CWshShell::Run (<no parameter info>)
00007fff`b5631000 wshom!CUnknown::InnerUnknown::AddRef (<no parameter info>)
00007fff`b5644518 wshom!LIBID_IWshRuntimeLibrary = <no type information>)
The function is wshom!CWshShell::Run; we can set a breakpoint on it and check the argument:
0:000> bp wshom!CWshShell::Run
0:000> g
Breakpoint 0 hit
wshom!CWshShell::Run:
00007fff`b563bbb0 48895c2408 mov qword ptr [rsp+8],rbx ss:00000020`7ccfd520=0000013f3d650420
0:000> du rdx
0000013f`3d65055c "calc.exe"
In contrast to the previous case study, the argument is a string rather than a structure, so no offset is required to retrieve it.

Case Study #3: WScript XMLHTTP Object


Here is the source code for this case study:
var httpStream = WScript.CreateObject("MSXML2.XMLHTTP");
httpStream.open("GET", 'http://blog.talosintelligence.com');
httpStream.send();
The library associated with the MSXML2.XMLHTTP object:
c:\Users\user> script.py MSXML2.XMLHTTP
Object Name: MSXML2.XMLHTTP
CLSID: {F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Description: XML HTTP
dll: %SystemRoot%\System32\msxml3.dll
We can use the same technique as before:
0:000> sxe ld msxml3
0:000> g
ModLoad: 00007fff`8dc40000 00007fff`8de68000 C:\WINDOWS\System32\msxml3.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
This time, we use a regular expression to breakpoint on all the APIs that contain the word "Open":
0:000> bm msxml3!*Open*
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::open"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!FakeHTMLDoc::open"
2: 00007fff`8dd4c5fc @!"msxml3!HTTPStream::OpenRequest"
3: 00007fff`8dcaa407 @!"msxml3!_imp_load_CertOpenStore"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::get_opener"
4: 00007fff`8dc48eb4 @!"msxml3!ContentModel::openGroup"
5: 00007fff`8dd4cb00 @!"msxml3!HTTPStream::deferedOpen"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLDocument2::open"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::put_opener"
6: 00007fff`8dd4a050 @!"msxml3!URLMONRequest::open"
7: 00007fff`8dc8f4d0 @!"msxml3!FileStream::deferedOpen"
8: 00007fff`8dd34e80 @!"msxml3!XMLHttp::open"
9: 00007fff`8dc597e0 @!"msxml3!URLMONStream::deferedOpen"
10: 00007fff`8dc70ddc @!"msxml3!NamespaceMgr::popEntry"
11: 00007fff`8dcaa3bf @!"msxml3!_imp_load_WinHttpOpen"
12: 00007fff`8dcaa3e3 @!"msxml3!_imp_load_WinHttpOpenRequest"
13: 00007fff`8dd47340 @!"msxml3!HTTPRequest::open"
14: 00007fff`8dd47660 @!"msxml3!HTTPRequest::openWithCredentials"
15: 00007fff`8dc8f37c @!"msxml3!FileStream::open"
16: 00007fff`8dd4c128 @!"msxml3!URLStream::OpenPreloadResource"
17: 00007fff`8dd4b410 @!"msxml3!URLRequest::open"
0:000> g
Breakpoint 8 hit
msxml3!XMLHttp::open:
00007fff`8dd34e80 488bc4 mov rax,rsp
We see that the API used is in fact XMLHttp::open(); from this we can obtain the arguments:
0:000> du rdx
00000173`311a0568 "GET"
0:000> du r8
00000173`311a0578 "http://blog.talosintelligence.co"
00000173`311a05b8 "m"
These arguments are two strings rather than a structure and can be retrieved without offset.

Case Study #4: Eval() Function


The eval() function is frequently used by malware authors to obfuscate code execution. This function is native to JavaScript and does not require an external library. Here is an example of eval() in use:
var test = "var oShell = new ActiveXObject(\"Shell.Application\");var commandtoRun = \"notepad.exe\"; oShell.ShellExecute(commandtoRun,\"\",\"\",\"\",\"1\");"
eval(test)

var encoded = "dmFyIG9TaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpO3ZhciBjb21tYW5kdG9SdW4gPSAiY2FsYy5leGUiOyBvU2hlbGwuU2hlbGxFeGVjdXRlKGNvbW1hbmR0b1J1biwiIiwiIiwiIiwiMSIpOwo="
eval(Base64.decode(encoded))
This script executes two different kinds of eval() calls. The first contains a string to execute directly (calc.exe execution); the second contains a command used to generate the code to execute (notepad.exe execution, encoded with Base64).

The eval() function itself is located in the jscript.dll library (bp jscript!JsEval). The function uses the jscript!COleScript::Compile API to generate the JavaScript code executed via eval():
0:000> sxe ld jscript;g
ModLoad: 00007fff`9e650000 00007fff`9e70c000 C:\Windows\System32\jscript.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
0:000> bp jscript!JsEval
0:000> g
Breakpoint 0 hit
jscript!JsEval:
00007fff`9e681960 488bc4 mov rax,rsp
0:000> u rip L50
jscript!JsEval:
00007fff`9e681960 488bc4 mov rax,rsp
00007fff`9e681963 48895810 mov qword ptr [rax+10h],rbx
00007fff`9e681967 48897018 mov qword ptr [rax+18h],rsi
00007fff`9e68196b 48897820 mov qword ptr [rax+20h],rdi
[...redacted…]
00007fff`9e681a81 488364242000 and qword ptr [rsp+20h],0
00007fff`9e681a87 e80c3cfdff call jscript!COleScript::Compile
00007fff`9e681a8c 89455f mov dword ptr [rbp+5Fh],eax
00007fff`9e681a8f 8bf8 mov edi,eax
00007fff`9e681a91 85c0 test eax,eax
00007fff`9e681a93 7923 jns jscript!JsEval+0x158 (00007fff`9e681ab8)
We can breakpoint at jscript!COleScript::Compile to obtain both the unencoded string example calling calc.exe, and the decoded version of the base64 encoded call to notepad.exe:
0:000> bp jscript!COleScript::Compile "r $t1 = poi(rdx+0x10);r $t2 = poi($t1+0x8);du $t2;g";g
jscript!COleScript::Compile:
00007fff`9e715698 4053 push rbx
0:000> g
0000019b`d23f6408 "var oShell = new ActiveXObject(""
0000019b`d23f6448 "Shell.Application");var commandt"
0000019b`d23f6488 "oRun = "calc.exe"; oShell.ShellE"
0000019b`d23f64c8 "xecute(commandtoRun,"","","","1""
0000019b`d23f6508 ");."
80070002 The system cannot find the file specified.
0000019b`d473a1b0 "var oShell = new ActiveXObject(""
0000019b`d473a1f0 "Shell.Application");var commandt"
0000019b`d473a230 "oRun = "notepad.exe"; oShell.She"
0000019b`d473a270 "llExecute(commandtoRun,"","","","
0000019b`d473a2b0 ""1");"
ntdll!NtTerminateProcess+0x14:
00007fff`c8e65924 c3 ret
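As an added example (not part of the original post), the Python script below ties the static steps of Case Studies #1 to #4 together before any WinDBG session: it pulls the ProgIDs a .js sample loads via ActiveXObject()/WScript.CreateObject(), decodes Base64 literals that hide a further JavaScript layer (the eval(Base64.decode(...)) pattern above), rescans that layer, and emits the sxe ld commands to set in WinDBG. PROGID_MODULES is a constructed offline stand-in for the registry lookup the appendix script performs, and the sample input is the Case Study #4 script plus one extra constructed hidden layer.

```python
"""Static pre-triage for a Windows Script Host .js sample (added example).

Combines the two static steps that precede the WinDBG work described above:
  1. find the COM objects the script loads (ActiveXObject / WScript.CreateObject)
     and map each ProgID to the module to watch with 'sxe ld';
  2. decode Base64 string literals that hide another JavaScript layer
     (the eval(Base64.decode(...)) pattern of Case Study #4) and rescan them.
PROGID_MODULES is a constructed offline stand-in for the registry lookup
(HKCR\\<ProgID>\\CLSID -> HKCR\\CLSID\\{...}\\InProcServer32) that the appendix
script performs; on Windows you would populate it from winreg instead.
"""
import base64
import binascii
import re

# Constructed table; module names as reported by the page's script.py output.
PROGID_MODULES = {
    "shell.application": "shell32",
    "wscript.shell": "wshom",
    "msxml2.xmlhttp": "msxml3",
}

# ProgID passed to ActiveXObject()/CreateObject(); the optional backslashes let
# the pattern also match calls that sit inside a string literal fed to eval().
OBJECT_RE = re.compile(
    r"""(?:new\s+ActiveXObject|WScript\.CreateObject)\s*\(\s*\\?(['"])([\w.]+)\\?\1""",
    re.IGNORECASE,
)
# Quoted run of Base64 alphabet (16+ chars) with optional '=' padding.
B64_RE = re.compile(r"""(['"])([A-Za-z0-9+/]{16,}={0,2})\1""")
JS_MARKER_RE = re.compile(r"\b(?:var|eval|function)\b")


def extract_progids(js):
    """Return the ProgIDs loaded by the script text, first-seen order, deduplicated."""
    found = []
    for _, name in OBJECT_RE.findall(js):
        if name.lower() not in (f.lower() for f in found):
            found.append(name)
    return found


def decode_hidden_layers(js):
    """Decode every Base64 literal that turns out to be JavaScript source."""
    layers = []
    for _, blob in B64_RE.findall(js):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64 (e.g. a long identifier) or not text
        if OBJECT_RE.search(text) or JS_MARKER_RE.search(text):
            layers.append(text)
    return layers


def triage(js, modules=PROGID_MODULES):
    """Scan the visible script plus each decoded layer; map ProgIDs to modules
    and to the WinDBG command that breaks when the module is loaded."""
    progids = extract_progids(js)
    layers = decode_hidden_layers(js)
    for layer in layers:
        for name in extract_progids(layer):
            if name.lower() not in (p.lower() for p in progids):
                progids.append(name)
    report = []
    for name in progids:
        module = modules.get(name.lower())  # None: resolve by hand in the registry
        report.append({
            "progid": name,
            "module": module,
            "windbg": "sxe ld " + module if module else None,
        })
    return {"progids": progids, "layers": layers, "report": report}


# Constructed sample: the Case Study #4 script (its Base64 blob decodes to the
# calc.exe variant) plus one extra constructed layer hiding a Wscript.Shell call.
HIDDEN_LAYER = 'var sh = WScript.CreateObject("Wscript.Shell"); sh.Run("calc.exe", true, false);'
SAMPLE_JS = r'''
var test = "var oShell = new ActiveXObject(\"Shell.Application\");var commandtoRun = \"notepad.exe\"; oShell.ShellExecute(commandtoRun,\"\",\"\",\"\",\"1\");"
eval(test)
var encoded = "dmFyIG9TaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpO3ZhciBjb21tYW5kdG9SdW4gPSAiY2FsYy5leGUiOyBvU2hlbGwuU2hlbGxFeGVjdXRlKGNvbW1hbmR0b1J1biwiIiwiIiwiIiwiMSIpOwo="
eval(Base64.decode(encoded))
var httpStream = WScript.CreateObject("MSXML2.XMLHTTP");
''' + 'var more = "%s";\neval(Base64.decode(more));\n' % (
    base64.b64encode(HIDDEN_LAYER.encode("utf-8")).decode("ascii"))

if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    for i, layer in enumerate(result["layers"], 1):
        print("decoded layer %d: %s" % (i, layer.strip()))
    for entry in result["report"]:
        print("%-20s -> %s" % (entry["progid"], entry["windbg"] or "unknown module"))
```

Objects that only appear after decoding (here Wscript.Shell) are exactly the ones a first glance at the script misses, so the module list is the set of sxe ld breakpoints to set before letting the sample run.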

Conclusion


WinDBG is an extremely powerful tool that can not only help in the analysis of .NET files, but also help understand the execution of JavaScript by wscript.exe. In many cases, WinDBG may be overkill for understanding the functionality of single JavaScript files. However, using WinDBG can provide a different overview of functionality and facilitate the analysis of complex JavaScript.

Appendix


Python script to get the library from an object name

# Resolves a COM object name (ProgID) to its CLSID, description and hosting
# library via HKCR\<ProgID>\CLSID and HKCR\CLSID\{...}\InProcServer32.
# Python 2 ships the registry module as _winreg, Python 3 as winreg.
try:
    from winreg import ConnectRegistry, OpenKey, QueryValue, QueryValueEx, HKEY_CLASSES_ROOT
except ImportError:
    from _winreg import ConnectRegistry, OpenKey, QueryValue, QueryValueEx, HKEY_CLASSES_ROOT
import sys

if len(sys.argv) < 2:
    sys.exit(1)
objectName = sys.argv[1]

try:
    hReg = ConnectRegistry(None, HKEY_CLASSES_ROOT)
    hCLSIDKey = OpenKey(hReg, objectName + "\\CLSID")
    CLSID = QueryValue(hCLSIDKey, "")  # default value holds the {CLSID}
    if CLSID:
        hKey = OpenKey(hReg, "CLSID\\" + CLSID)
        description = QueryValue(hKey, "")
        hKey = OpenKey(hReg, "CLSID\\" + CLSID + "\\InProcServer32")
        dll = QueryValueEx(hKey, "")[0]  # default value holds the DLL path
        print("Object Name: " + objectName)
        print("CLSID: " + CLSID)
        print("Description: " + description)
        print("dll: " + dll)
    else:
        print("No CLSID")
except OSError:
    # Key missing: unknown object name, or an out-of-process server without InProcServer32
    print("Error")
    sys.exit(2)

When combining exploits for added effect goes wrong


Introduction


Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.

In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.

Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.

Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.

Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise.


Standard CVE-2017-0199 exploitation


A typical attack exploiting CVE-2017-0199 consists of an email campaign distributing a malicious RTF document. The vulnerability exists in code that handles Ole2Link embedded objects. Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.


Standard CVE-2017-0199 flow

If the remote Ole2Link points to an HTML Application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of an exploitation attempt of CVE-2017-0199 is this Word prompt to the user:

Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt

Modified CVE-2017-0199 flow


In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. Referring to the attachment as a purchase order coming from an unknown "partner" is a very common social engineering trick of spammed malware.

Email message launching the modified attack

The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the MIME content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword, which was enough to motivate us to dig a little deeper in order to find out what the attackers were trying to achieve.

The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault.

Word crashes without the prompt

The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded in an MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The payload starts with a ROP chain followed by the shellcode proper, which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions on the memory block containing the rest of the shellcode, the first stage of the shellcode is executed.

First stage shellcode for CVE-2012-0158

This stage is responsible for the application crash. The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199.

The shellcode starts by resolving several API addresses, which allow the code to traverse all open files by brute-forcing the handle numbers of open files, starting from zero and increasing the handle number by four for each subsequent handle. If the handle exists, the shellcode checks the file size using the GetFileSize API, which takes the file handle as its parameter. If the file size is within the expected range, the shellcode maps the file in memory to perform a file type check.

Checking the file size and finding file type

The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. Since the CVE-2017-0199 exploiting file is open before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode.

First stage shellcode looking for the next shellcode stage marker

The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error by reading memory content past the allocated memory blocks.

Had the attackers been just a little more technically savvy, they would have realized this problem and could easily have fixed it to make these two exploits work together successfully, without the prompt to load the remote content being displayed to the end user.

One possible fix involves changing a single byte to make the file size limits a bit stricter, so as to exclude the original CVE-2017-0199 file size. The other way, just slightly more complex, is to correctly handle the case where the next stage marker is not found within the RTF, on the assumption that the targeted Word process already has other RTF documents open which satisfy the file size condition.

Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness.

Second stage shellcode


The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final "download and execute" shellcode stage which eventually launches the executable payload.

Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process

The last shellcode stage, injected into svchost.exe, uses the URLDownloadToFile API to download an executable file from the command and control server into the temporary files folder under the filename name.exe, and calls the ShellExecute function to launch the final payload.

Download and execute stage

The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well-known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products, and it is already well documented. Further analysis of this particular piece of malware is outside the scope of this blog post. Despite its age, the Ramnit family is still commonly encountered by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample was infected by the Ramnit file infection component along the way.

DNS activity for multplelabs.com

The domain hosting the malware and the command and control server was registered in October 2016 and is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns, as there has been no additional activity to show an increase in communication from infected systems to the command and control server.

The DNS activity confirms our findings which document the reasons for the attack failure.

Conclusion


CVE-2017-0199 is one of the most commonly exploited vulnerabilities in malicious documents distributed by spam campaigns. Previous work indicates that its popularity with attackers overtook that of CVE-2012-0158.

In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload.

Attempted combined attack stages

One has to wonder why the attackers used the combination of a newer and an older exploit at all. The combination would not execute if the targeted system was patched against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158, it would have been much easier for the attackers to use a single exploit targeting that vulnerability.

One assumption we can make is that the attackers used the combination to avoid Word displaying the prompt, which may raise suspicions for the targeted end user. Another possibility is that they attempted this combination in order to avoid behavioral detection systems which may trigger on the combination of an Ole2Link in a Word document and a download of an HTA file.

This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.

Coverage


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella prevents DNS resolution of the domains associated with malicious activity.

Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.

IOCs


Documents

5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199
6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158

Executables

351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474
f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe
d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13

URLs

hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158
hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper
hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2

Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms

This post was authored by Dave Liebenberg


In the past few months, Talos has observed an uptick in the number of Chinese websites offering online DDoS services. Many of these websites have a nearly identical layout and design, offering a simple interface in which the user selects a target’s host, port, attack method, and duration of attack. In addition, the majority of these sites have been registered within the past six months. However, the websites operate under different group names and have different registrants. In addition, Talos has observed administrators of these websites launching attacks on one another. Talos sought to research the actors responsible for creating these platforms and analyze why they have become more prevalent lately.


In this blog post, we will begin by looking at the DDoS industry in China and charting the shift toward online DDoS platforms. Then we will examine the types of DDoS platforms created recently, noting their similarities and differences. Finally, we will look into the source code likely responsible for the recent increase in these nearly identical DDoS websites.


DDoS-as-a-Service in China


DDoS tools and services remain some of the most popular offerings in the Chinese underground market. A look at one of the most popular Chinese marketplaces, DuTe (独特), reveals a variety of DDoS-related tools, including actual attack tools as well as associated tools such as brute forcers for different vectors including SSH and RDP. 

In addition, Chinese social media applications such as WeChat and QQ have hundreds of group chats devoted to DDoS groups, tools, malware, and the exchange of targets. The people interacting in these channels include members of hacking groups, customers, as well as agents and advertisers who can act as intermediaries. 

Previously, the predominant offering in these group chats were tools that users could purchase, download, and then operate from their own machine. A good example of this type of tool was the TianFa Pressure Testing System.

TianFa DDoS tool


These kinds of tools manage and provide information about a user’s botnet, and then allow the user to customize an attack event, selecting a target and choosing an attack method. Users can purchase the tool, download a copy, and use it with their own servers and botnets. Occasionally, hacker groups also bundle servers or a certain amount of bots with purchases, or include brute-forcing tools to help users grow their own botnet, but the end-user would be in charge of maintaining and deploying the tool.

The Rise of Online DDoS Platforms



Recently, Talos has noticed a gradual paradigm shift underway in the group chats. Advertisements for online DDoS platforms have begun to appear more frequently.

Advertiser promotes “ShaShen” Online DDoS Website


After inspecting several of these websites, Talos noticed that many had identical login and registration pages, down to the same background image:






In addition, Talos observed that many of these websites have a nearly identical website design and layout, displaying the number of active users and servers online as well as the total number of attacks that have been carried out (although these numbers vary between groups). The sites also contain announcements from group administrators on recent updates to the tool, its capabilities, or restrictions on its use. In the sidebar, users can register an account, purchase an activation code to begin launching an attack, and then attack a target, either through the graphical interface set up on the website or through identical command line calls which look like this:

http://website_name/api.php?username=&password=&host=&port=&time=&method=


Nearly identical website layout for ShaShen DDoS group and Wang Zhe sec DDoS group.
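An added example (not part of the Talos post or the platform's code) of detection logic a defender could run over web proxy logs: it flags requests with the api.php parameter set shown above and, separately, contacts with domains containing "ddos", the same pattern Talos searched for in Umbrella Investigate. The log format and every log line are constructed; the two booter domains are the ones named earlier in the post.

```python
"""Added example, not part of the Talos post: flag booter API calls and
"ddos"-named domains in constructed proxy log lines."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Full parameter set of the platform's attack API; all must be present to flag,
# so an ordinary site that merely has an api.php with a login is not matched.
BOOTER_API_PARAMS = frozenset({"username", "password", "host", "port", "time", "method"})
DDOS_IN_DOMAIN = re.compile(r"ddos", re.IGNORECASE)

# Constructed log format: "<timestamp> <client_ip> <http_method> <url> <status>".
# Target hosts use documentation address space.
SAMPLE_PROXY_LOG = """\
2017-07-01T10:00:01Z 10.1.2.3 GET http://www.shashenddos.club/api.php?username=u1&password=p1&host=203.0.113.7&port=80&time=600&method=NTP 200
2017-07-01T10:00:05Z 10.1.2.3 GET http://www.shashenddos.club/login.php 200
2017-07-01T10:00:09Z 10.1.2.9 GET http://www.dk.ps88.org/api.php?username=a&password=b&host=198.51.100.4&port=443&time=120&method=L7 200
2017-07-01T10:00:12Z 10.1.2.4 GET http://files.example.net/api.php?username=x&password=y 200
2017-07-01T10:00:15Z 10.1.2.4 GET http://cdn.example.net/static/app.js 200
"""


def is_booter_api_call(url: str) -> bool:
    """True when the request has the platform's attack API shape: a path ending
    in api.php carrying every parameter in BOOTER_API_PARAMS (values may be empty,
    exactly as in the call template the post shows)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/api.php"):
        return False
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return BOOTER_API_PARAMS <= params


def classify_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return a finding dict or None."""
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed line, skip rather than crash the sweep
    ts, client, _method, url, _status = fields
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if is_booter_api_call(url):
        q = parse_qs(parts.query, keep_blank_values=True)
        reasons.append(
            f"booter API call: target {q['host'][0]}:{q['port'][0]} "
            f"method {q['method'][0]} for {q['time'][0]}s"
        )
    if DDOS_IN_DOMAIN.search(host):
        reasons.append("contacted domain containing 'ddos'")
    if not reasons:
        return None
    return {"time": ts, "client": client, "domain": host, "reasons": reasons}


def detect(log_text: str) -> list:
    """Run classify_line over every line and keep the findings."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_PROXY_LOG):
        print(finding["time"], finding["client"], finding["domain"], "|", "; ".join(finding["reasons"]))
```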



Besides the uncanny similarities in design and function, the majority of the websites had the word “ddos” in their domain names, such as “shashenddos.club” or “87ddos.cc.” Since these sites were all recently registered, besides relying on intelligence from Chinese social media, Talos was able to identify several new websites by using Cisco Umbrella’s Investigate tool to conduct a regex search for recently registered domains containing the word “ddos”. Using these combined search methods, Talos was able to identify 32 nearly identical Chinese online DDoS websites (presumably there are more out there, since not all of these websites had “ddos” in their domain name).

Because of the similarities in the pages, and the fact that some individuals registered multiple sites for the same group, we initially suspected that one actor was potentially responsible for all the sites and was merely operating under different aliases. In order to test our theory we registered an account with each site and also used Cisco Umbrella’s investigate tool to examine each site’s registration info.

We soon revised our one-actor theory. After registering accounts at various sites we noticed that many employed different third-party Chinese payment websites where users could purchase activation codes (typical prices range from around 20RMB for a day-use code to around 400RMB for a month-use pass). In addition, the announcements on the pages displayed different tool capabilities (some advertised attack power of 30-80gbps, while others went as high as 300gbps), as well as different contact information, including various QQ accounts for customer service as well as group chat numbers for customers and administrators to interact. There were also vast differences in the numbers of attacks and users, with one page (www[.]dk[.]ps88[.]org) listing 168,423 attacks made by 44,238 users and another (www[.]pc4[.]tw) listing 24 attacks made by 13 users.

In addition, the websites’ registration information revealed key differences. Most of the websites had different registrant names and emails, as well as different registrars listed. However, there were some similarities as well: almost all had used Chinese registrars, the majority were registered in the past 3 months, and nearly all were registered in the past year. In addition, over half were hosted on Cloudflare IPs.

Our final confirmation that different actors were behind these websites came when Talos was monitoring a QQ group chat channel affiliated with one of these online DDoS platforms called Wang Zhe sec. We observed a group member requesting an attack on a rival online DDoS group, 87 DDoS, with which we had also already registered an account.

A member of Wang Zhe sec chat group requests attack on rival online DDoS website


Talos joined a number of group chats associated with online DDoS platforms and observed multiple actors discussing launching DDoS attacks on rival groups. Indeed, a look at some of the traffic of these online DDoS websites indicates that they had possibly experienced DDoS attacks.

Traffic for the website of 87 DDoS reveals dramatic spike around July 1, 2017


A Glimpse Behind the Curtain



We had strong indications that multiple groups were building nearly identical online DDoS platforms, but still had no idea why they were using the same layout or why they had all begun to appear so recently. We began to gain insight into the story behind these questions after an actor in a group chat run by a Chinese hacker group posted a screenshot of the admin page for his online DDoS platform:

An actor posts a screenshot of their admin panel for their online DDoS platform


The screenshot showed a setup page where the actor could choose a name for the site, write a description, and provide links to the terms of service and URLs. Several items of interest jumped out at us, providing further avenues for research. First, we noticed the word “Gemini” in the top right corner. Second, we noticed the unique URL “/yolo/admin/settings”. Finally, we noticed a button at the bottom of the screen where an administrator could select “Cloudflare mode”, which reminded us how many of the websites had been hosted on Cloudflare IPs.

Finding and Analyzing the Source Code



We now had a hunch that the rise of these nearly identical websites was due to some sort of shared source code, which was likely being offered on Chinese underground hacking forums and marketplaces. We went to several of the forums and searched for the “/yolo/admin/settings” URL present in the screenshot. We discovered that several forums had posts offering the sale of source code for an online DDoS platform, all identifying it as a foreign DDoS platform that had been translated into Chinese.

Many of the postings were made in early 2017 or late 2016, corresponding to the timeline of the rise in the DDoS platforms. And the pictures in the advertisements looked identical to websites we had been seeing:

Example of an advertisement for the DDoS platform source code. Description reads: “This is a foreign DDoS platform source code, it has already been Sinicized, everybody is welcome to test if they want to start a DDoS platform.” Note the design and the settings panel which looks similar to the screenshot an actor posted in a QQ channel, and includes the “Gemini” in the top right corner.


Talos was able to obtain a copy of the source code and went about analyzing it. It was clear that the source code corresponded to the DDoS websites we observed. The PHP files contained icons that matched those found on the websites. In addition, the background that the majority of these sites employ was also found in the images folder:



The source code revealed that the platform relied on a Bootstrap front-end design and AJAX to load content. In the CSS files we found an author named Pixelcave. Researching Pixelcave, we discovered that they offer Bootstrap-based website designs that look similar to the online Chinese DDoS websites we had examined. We also noticed that Pixelcave’s logo was present in the top right hand corner of many of the DDoS websites we had found and was also included as an icon in the source code.

Logo for Pixelcave, which was present on all the DDoS websites we identified.


According to the source code, the platform has functions which pull information from MySQL databases and assess a user’s standing (i.e. the number of attacks, duration of attacks, and number of concurrent attacks a user is allowed based on the payments they have made). It then allows a user to input a host, select an attack method (e.g. NTP, L7) and a duration. Provided that the method is supported by the actors and the target is not blacklisted, it calls servers to begin carrying out the attack.

Interestingly, the source code provides a blacklist for sites that cannot be attacked, and includes “.gov” and “.edu” sites among them, although these can obviously be modified. In addition, it comes with a preloaded Terms of Service (in Mandarin) which absolves the administrators of the site from any responsibility for “illegal” acts and asserts that its services are only meant for testing purposes.

The code also allows administrators to monitor payments made, outstanding tickets, as well as an overview of the total amount of logins and attacks being contracted, and details about the attacks such as the host, duration of the attack, and which server is conducting the attack. The administrator can also set up an activation code system.

It is clear that the source code was originally written in English, but was modified so that the final platform would display Chinese language graphics (as advertised). The source code also provides options for administrators to set up payment systems through PayPal and Bitcoin. It is likely that Chinese actors would modify this by switching to a Chinese payment system, such as third-party payment sites or Chinese services like Alipay. In fact, the icon for PayPal in one image folder is altered to resemble the Alipay icon.

It is unclear as of the time of this writing where the original source code came from. However, there are several English language websites that offer online DDoS services, such as the tool DataBooter. These websites have some similarities to the Chinese DDoS platforms. For instance, they have a Bootstrap-based design, are hosted on Cloudflare, and have similar graphics conveying the number of attacks, users, and servers online.

Layout for databooter[.]com. The layout is somewhat similar to the Chinese online DDoS websites.


Talos has observed actors selling source code for these types of English-language DDoS platforms on hacker forums in the past few years. It is possible that Chinese actors obtained this source code, or code based on it, and modified it to localize it more to Chinese consumers, though we have not found direct evidence of this.

Conclusion



The recent uptick in Chinese online DDoS platforms seems to be connected to source code for sale on Chinese hacker forums. This source code appears to be a localized version of code originally written for English language online booters.

Online DDoS platforms remain popular because of their easy-to-use interfaces and the fact that they already provide all necessary infrastructure to the user, so there is no need to build a botnet or purchase additional services. Instead, the user purchases an activation code through a trusted payment site and then simply enters their target. This gives even the most novice actors the capability to launch powerful attacks, depending on the strength of the DDoS group’s backend infrastructure.

Talos will continue to monitor Chinese hacker forums and group chats for newly-created online Chinese DDoS platforms as well as greater trends emerging in the Chinese DDoS industry.

IOCs:


Online DDoS Websites


IPs


Threat Round-up for Aug 11 - Aug 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 11 and August 18. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Downloader.Agent-6335676-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The execution chain typically is Word -> Shell function -> CMD -> PowerShell download and execute.
     
  • Doc.Dropper.Agent-6335671-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.JunkCode-6335442-0
    Office Macro
    Malicious Office Macros are obfuscated to prevent easy analysis. At times this results in no-operation-like instructions. These no-operation (junk) instructions create artifacts that can be detected.
     
  • Win.Trojan.Expiro-6335658-0
    Trojan
    This sample is a Trojan. It complicates automated analysis and manual debugging by using anti-debug techniques. The sample needs a proper installation of the sandbox in order to run.
     
  • Win.Trojan.Ovidiy-6333880-0
    Trojan
    Ovidiy, or Ovidiy Stealer, is a Windows trojan that is still under active development. It serves as a credential stealer. Although modular in nature, it mostly targets credentials from web browser sessions. It does include some C2 functionality & will beacon out with select host information. The trojan itself is written in a .NET language & discovered samples are commonly protected with several packers specifically tailored to .NET binaries.
     
  • Win.Trojan.Tinba-6333828-1
    Trojan
    Tinba is a tiny banking trojan primarily focused on stealing sensitive information from its victims via JavaScript injected into web browsers. The source code for Tinba was leaked in 2014, making it very easy for malware developers to adopt and modify its functionality.
     

Threats

Doc.Downloader.Agent-6335676-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 78[.]47[.]139[.]102
  • 193[.]227[.]248[.]241
  • 104[.]160[.]185[.]215
Domain Names
  • campusassas[.]com
  • campuslinne[.]com
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\qdvjnh.bat
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\plzea.exe
File Hashes
  • 7ffabe10f4147ce48fc9ae40cdc7778d08ac7881b779743720e2c4313592445b
  • c2a3dcd915905c09026044e8da533455a2742196e4294cfffc000c048c1ea9cc
  • f756ea3c00d7a3dc3ff1c0224add01e8189375a64fbcd5c97f551d64c80cbdba

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot






Doc.Dropper.Agent-6335671-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • iesimpianti[.]it
  • janssen-st[.]de
Files and or directories created
  • %TEMP%\7E94\3F4A.bat
  • %AppData%\Microsoft\Office\Recent\270700481.doc.LNK
  • %AppData%\Microsoft\Office\Recent\fatt.348.LNK
  • \Users\Administrator\Documents\20170810\PowerShell_transcript.PC.PbSYjzuP.20170810091133.txt
  • %SystemDrive%\~$0700481.doc
  • %AppData%\Microsoft\CHxRthlp\api-pntw.exe
  • \TEMP\~$tt.348.doc
  • %TEMP%\33513.exe
  • %TEMP%\7E94\3F4A.tmp
  • \TEMP\fatt.348.doc
File Hashes

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot






Doc.Macro.JunkCode-6335442-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
Mutexes
  • Local\_!MSFTHISTORY!_
IP Addresses
  • 52[.]173[.]193[.]166
  • 185[.]206[.]144[.]152
  • 190[.]107[.]177[.]115
Domain Names
  • plantatulapiz[.]cl
  • kalawatu[.]site
Files and or directories created
  • %TEMP%\CVRDF32.tmp.cvr
File Hashes

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella







Win.Trojan.Expiro-6335658-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • \TEMP\60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0.exe
File Hashes
  • 60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0
  • 5fd134b6abe1473fd5a7f96c711a4270fbc364bc6e3b10b5b344e0a1bfb0e4d8
  • 5f5e9e5952765887211883b42e508b4b14c62a1685092978f98c6619229796b5
  • 5fe205ea4f5f975703e242e8079dc471a5363538535d76584e7138ed3fb67546
  • 5ffa0097ebcba0e1921c6607a644e2649532ae07b1c7d6533a3cbef52ee51620

Coverage


Screenshots of Detection

AMP


ThreatGrid







Win.Trojan.Ovidiy-6333880-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASMANCS
    • Value: ConsoleTracingMask
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: EnableConsoleTracing
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: FileTracingMask
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKLM>\System\CurrentControlSet\Services\EventLog\System\Schannel
  • <HKLM>\Software\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Microsoft\SystemCertificates\trust
  • <HKLM>\Software\Microsoft\Tracing\6838bce2f6c831414df831040fc14287_RASMANCS
Mutexes
  • N/A
IP Addresses
  • 104[.]27[.]132[.]79
  • 104[.]27[.]133[.]79
Domain Names
  • ovidiystealer[.]ru
Files and or directories created
  • N/A
File Hashes
  • c16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3
  • 062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432
  • 22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05
  • 80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410
  • 8f6939ac776dac54c2433b33386169b4d45cfea9b8eb59fef3b922d994313b71

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella







Win.Trojan.Tinba-6333828-1


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • \BaseNamedObjects\5E60878D
IP Addresses
  • N/A
Domain Names
  • recdataoneveter[.]cc
Files and or directories created
  • %AppData%\5E60878D\bin.exe
File Hashes
  • 0ce6189ecd16fbf2f885a8516836c7bb9d0685f6ff2c4a3df80e236ef5d0d803
  • 33fd66f4cee5bdd9f30eb2e5bd7a65367e10f55495c1122430685a8ff0d90fcc
  • 51769c916a89522975cb1babb4c9c7b18f3530286c66f3d735751cbdac02a160
  • 56f91537753491cd32a250428b146d7685362c762c7e8f39703b4cf6cd92c020
  • 6fd80f8da071c3dc482314cbc994b22f105bce22acdad9e9bd86bae5abed53d9
  • 7607a0e1be2a8f50959ef42b78edd156aa76741fdc8ee2be9d375610c0b130b2
  • 7bbd6d3d6bf6e991e023395e3cb31c18b2a106eef036ad175736a17fb1099b39
  • 856ed534a7c32ab7799756c33f7ee104718c89add001428a41dc57e8449167c8
  • 968ff771eab9d14d1847f489f425e44532522c7b9fe7407b09d7cc594da0eb84
  • e2776a037dcad9e2c752ac4f07dfae0412312ba9b1b748a48922ed572f83eb9c

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Vulnerability Spotlight: Lexmark Perceptive Document Filters Code Execution Bugs


Overview

Talos is disclosing a pair of code execution vulnerabilities in Lexmark Perceptive Document Filters. Perceptive Document Filters are a series of libraries that are used to parse massive amounts of different types of file formats for multiple purposes. Talos has previously discussed in detail these filters and how they operate. The software update to resolve these vulnerabilities can be found here.


TALOS-2017-0322

Discovered by Marcin Noga of Cisco Talos

TALOS-2017-0322 / CVE-2017-2821 is a code execution vulnerability in the PDF parsing functionality of the Lexmark Perceptive Document Filters. This particular vulnerability is a use-after-free issue related to the 'GfxFont' variable and can be triggered via a specially crafted PDF document, resulting in code execution. Full details of the vulnerability are available here.

TALOS-2017-0323

Discovered by Marcin Noga & Lillyth Wyatt of Cisco Talos

TALOS-2017-0323 / CVE-2017-2822 is a code execution vulnerability in the image rendering functionality of Lexmark Perceptive Document Filters. This particular vulnerability can be triggered via a specially crafted PDF document causing a function call to a corrupted DCTStream, eventually resulting in user controlled data being written to the stack. Full details of the vulnerability are available here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 42313-42314, 42399-42400



Beers with Talos EP11 - This is How the World Ends, Not with a Whimper but with Cyber Mercenaries

Beers with Talos (BWT) Podcast Episode 11 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Show Notes: 

Better late than never? On top of being distributed all around the planet this week, we had some technical issues with our recording platform that created a nice audio jigsaw puzzle to solve. Matt’s audio remained a challenge; it is rough this week. Bear with us, the audio quality will be back to what you have come to expect next episode. If you would like to speak to the manager, please hold.

The last several years have seen a continuing surge in booters, DDOS, and combined exploit campaigns for-hire coming out of Asia and other regions. What does this tell us about the continued “professionalization” of the cyber criminal enterprise? What happens now that the playing field is leveled and launching these attacks requires nothing more than a few hundred USD in cryptocurrency?

We also discuss “hacking back” - some say it should be legal. Most people who know what they are talking about seem to think otherwise. Despite several strained analogies involving arms dealers, various calibers of ammo, and other nonsense, the crew makes a point about what it actually solves (hint: not much, especially considering the low chances of 100% certainty for most observers)

Episode Timetable:

00:47 - Roundtable
16:13 - Booters, DDOS, and Combo Exploits, oh my!
30:45 - Hacking back - the ACDC Act (copyright 2017 Talos) and other terrible ideas
58:15 - Parting shots - How to win Powerball with this one weird timezone trick!

==========
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com


Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.

TALOS-2017-0273 code execution vulnerability (CVE-2017-2779)


The VI file format describes various systems implemented in LabVIEW. Although there is no published specification for the file format, inspecting the files shows that they contain a section named ‘RSRC’, presumably containing resource information. Modulating the values within this section of a VI file can cause a controlled looping condition resulting in an arbitrary null write. This vulnerability can be used by an attacker to create a specially crafted VI file that when opened results in the execution of code supplied by the attacker.

Full details of the vulnerability are available here.

National Instruments does not consider that this issue constitutes a vulnerability in their product, since any .exe-like file format can be modified to replace legitimate content with malicious content, and has declined to release a patch. Talos disagrees. There are similarities between this vulnerability and the .NET PE loader vulnerability CVE-2007-0041, which was patched in MS07-040. Additionally, many users may be unaware that VI files are analogous to .exe files and should be accorded the same security requirements.

Known vulnerable versions:
LabVIEW 2016 version 16.0

Discussion


We have previously disclosed a vulnerability in the same software. As with the previous disclosure, organisations should be aware that proprietary file formats without a published specification are nevertheless amenable to inspection to identify vulnerabilities. The consequences of a successful compromise of a system that interacts with the physical world, such as data acquisition and control systems, may be critical to safety. Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41368-41369

Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities


Overview



Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit is used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting these vulnerabilities allows an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted TIFF or JPEG image and entices the victim to open it, the attacker's code will be executed with the privileges of the local user.

Details


TALOS-2017-0377 -- CVE-2017-2870

Vulnerability discovered by Marcin Noga of Cisco Talos and also independently discovered by Tobias Mueller from GDK Security.

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of the Gdk-Pixbuf 2.36.6 toolkit. A specially crafted TIFF file can cause a heap overflow resulting in remote code execution. The vulnerability exists in the TIFF parser and only occurs if the library is compiled with the high optimization flag `-O3` (tested with clang). The toolkit contains a few `if` statements inside the `tiff_image_parse` function whose intention is to check for integer overflows. Unfortunately, the compiler removes these checks during optimization: because signed integer overflow is undefined behavior in C, the compiler is entitled to assume it never happens, and a check that only fires after an overflow has already occurred is treated as dead code. The resulting lack of effective integer overflow checks leads to a heap overflow and can allow an attacker to execute arbitrary code.

TALOS-2017-0366 -- CVE-2017-2862

Vulnerability discovered by Marcin Noga of Cisco Talos.

An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted JPEG file can cause a heap overflow resulting in remote code execution. The vulnerability exists in the JPEG parser and is based on an incorrect size calculation for the output buffer in the `gdk_pixbuf__jpeg_image_load_increment` function, which later causes the heap overflow during content conversion inside the libjpeg `null_convert` function.
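Both Gdk-Pixbuf bugs above come down to how the size of a pixel buffer is computed before it is allocated: in the TIFF case an overflow check that runs after the multiplication is optimized away, and in the JPEG case the output size is simply computed wrong. The following is an added example written for this post, not code from Gdk-Pixbuf; the function names `buffer_size_after_the_fact` and `buffer_size_checked` are hypothetical. It places the fragile pattern (signed arithmetic, check after multiply) beside a hardened form that tests for overflow before multiplying in unsigned `size_t` arithmetic, which is never undefined and so cannot be removed by the optimizer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fragile pattern (illustration only, hypothetical name): the overflow test is
   written *after* a signed multiplication. Signed overflow is undefined
   behaviour in C, so an optimizing compiler may assume it never happens and
   fold `pixels / height != width` to false, deleting the check. The value this
   function returns for overflowing inputs is therefore compiler- and
   flag-dependent; it must not be relied on. */
int buffer_size_after_the_fact(int width, int height, int bpp, int *out)
{
    int pixels = width * height;                          /* may overflow: UB */
    if (height != 0 && pixels / height != width) return 0; /* may be optimized away */
    int bytes = pixels * bpp;                             /* may overflow: UB */
    if (bpp != 0 && bytes / bpp != pixels) return 0;      /* may be optimized away */
    *out = bytes;
    return 1;
}

/* Hardened form (hypothetical name): decide whether the product fits *before*
   computing it, using unsigned size_t arithmetic. Division cannot overflow and
   unsigned wrap-around is well defined, so nothing here is UB and the compiler
   has no licence to drop the tests. Returns 1 and stores width*height*bpp in
   *out on success, 0 if the allocation size would overflow or any factor is 0. */
int buffer_size_checked(size_t width, size_t height, size_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0) return 0; /* empty image: not a valid allocation */
    if (width > SIZE_MAX / height) return 0;             /* width*height would overflow */
    size_t pixels = width * height;
    if (pixels > SIZE_MAX / bpp) return 0;               /* pixels*bpp would overflow */
    *out = pixels * bpp;
    return 1;
}

#if defined(__GNUC__) || defined(__clang__)
/* Equivalent check using the compiler builtin, where available. */
int buffer_size_builtin(size_t width, size_t height, size_t bpp, size_t *out)
{
    size_t pixels;
    if (width == 0 || height == 0 || bpp == 0) return 0;
    if (__builtin_mul_overflow(width, height, &pixels)) return 0;
    if (__builtin_mul_overflow(pixels, bpp, out)) return 0;
    return 1;
}
#endif

int main(void)
{
    size_t n;
    printf("640x480x4 fits: %d (%zu bytes)\n", buffer_size_checked(640, 480, 4, &n), n);
    printf("huge image fits: %d\n", buffer_size_checked(SIZE_MAX / 2, 4, 1, &n));
    return 0;
}
```

The TIFF and JPEG dimensions that drive these multiplications come straight from attacker-controlled file headers, which is why the size arithmetic, not just the later copy, is the place to put the check.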

Coverage


The following Snort Rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 39607, 39615, 43214-43215

Back to Basics: Worm Defense in the Ransomware Age

This post was authored by Edmund Brumaghin

"Those who cannot remember the past are condemned to repeat it." - George Santayana

The Prequel


In March 2017, Microsoft released a security update for various versions of Windows, which addressed a remote code execution vulnerability affecting a protocol called SMBv1 (MS17-010). As this vulnerability could allow a remote attacker to completely compromise an affected system, the vulnerability was rated "Critical" with organizations being advised to implement the security update. Additionally, Microsoft released workaround guidance for removing this vulnerability in environments that were unable to apply the security update directly. At the same time, Cisco released coverage to ensure that customers remained protected.

The following month, April 2017, a group publishing under the moniker "TheShadowBrokers" publicly released several exploits on the internet. These exploits targeted various vulnerabilities including those that were addressed by MS17-010 a month earlier. As is always the case, whenever new exploit code is released into the wild, it becomes a focus of research for both the information security industry as well as cybercriminals. While the good guys take information and use it for the greater good by improving security, cybercriminals also take the code and attempt to find ways to leverage it to achieve their objectives, whether that be financial gain, to create disruption, etc.

Ransomware Worms


Computer worms are not a new concept. Worms are different from other malware in that they self-propagate within and between systems; for example, Conficker is a computer worm that used a Windows vulnerability to propagate (MS08-067) and dates back to 2008. In fact, Conficker is still floating around the internet spreading from vulnerable system to vulnerable system almost 10 years later. What the past has taught us is that whenever exploit code is released in the wild for vulnerabilities that are "wormable", worms will be created and distributed. While this doesn't happen often, when it does, the impact worms can have around the world is significant. In 2017, we have seen this twice so far. What is new, however, is the use of computer worms to spread ransomware and other destructive malware. Enter WannaCry and Nyetya.

WannaCry


Moving forward in time, in May 2017, we saw the introduction of WannaCry into the threat landscape. WannaCry was created as a ransomware worm, meaning that it leveraged vulnerabilities in Windows to spread itself and infect additional systems without requiring explicit user interaction. WannaCry leveraged the vulnerability addressed two months prior (MS17-010) to perform this propagation. Once a system was infected, ransomware would be installed and the system would be used to propagate the attack to other systems. This quickly led to a snowball effect, with more and more systems becoming infected and actively attempting to spread the malware. The damage created by WannaCry was global, with many organizations around the world either directly affected due to infections, or indirectly due to issues caused elsewhere by the malware.

Nyetya


Fast forwarding to June 2017, a second, more sophisticated attack leveraged the same vulnerabilities, for which security updates had been released months prior. This particular attack can be labeled as more sophisticated for a number of reasons. First, it leveraged what's known as a "supply-chain attack" as the initial vector for compromising organizations. In supply-chain attacks, the attackers take advantage of a trusted relationship between an organization and a vendor or supplier. In this case, the attackers behind Nyetya compromised a software update server used extensively by businesses and organizations in Ukraine. They leveraged the compromised server to deploy backdoored versions of the software under the guise of software updates. Once backdoored, the attackers could distribute their malware directly into the targeted environments. In this particular case, the malware caused significant system impact and leveraged multiple methods for propagating throughout the network in compromised organizations. In a similar fashion to WannaCry, this resulted in many organizations facing significant operational disruption, however in this case, the damage was mainly focused within Ukraine.

WannaCry vs. Nyetya


There are significant differences between these two pieces of malware. As previously mentioned, Nyetya can be considered significantly more sophisticated for a number of different reasons, which are detailed in the following sections. One example of the difference in sophistication between these two worms lies in the code itself. WannaCry featured multiple bugs (including a broken scanning function) which might be indicative of differences in the skill level of the attackers who created WannaCry versus those who created Nyetya. The major differences between these two worms can be characterized by how malware was delivered, the methods of propagation used by the malware, as well as the mission objective of the attackers who distributed them.

Delivery


The delivery mechanism used by the two malware families was significantly different. WannaCry was simple: find or build a vulnerable SMBv1 server and infect it, causing it to scan the internet and propagate. Nyetya was significantly more advanced. The attackers behind the Nyetya worm were able to successfully compromise a server used to distribute software updates for a piece of software used extensively within a specific geographic region. As mentioned in our blog post here, it is possible that the attackers chose to expose, or make known, that they had this level of access to systems within the targeted geographic region because they have additional comparable capabilities that may be used in the future.

Propagation


Nyetya's propagation mechanisms featured capabilities similar to WannaCry's but included several additional methods, among them credential compromise. Rather than simply relying on the SMBv1 vulnerability, Nyetya also featured the ability to leverage PSExec and WMI. Additionally, while WannaCry was programmed to spread across both internal and external networks and contained code-level issues in its scanning functionality that led to performance deficiencies, Nyetya only propagated internally within compromised environments. It is possible that this was done to limit the impact of the malware to only the specific region or organizations being targeted.

Mission Objective


The suspected mission objectives for both of these cases were also different. With WannaCry, it seems reasonable to conclude that the malware was simply a poorly executed attempt to generate revenue through the mass deployment of ransomware. The inclusion of what is referred to as a "killswitch", a single domain designated to control the malware spread, made it easy for security researchers to stop the spread of this malware and indicates how unsophisticated the programmer(s) really were. The attacker's later movement of the bitcoins from the WannaCry bitcoin wallets also seems to further support that hypothesis. With Nyetya, the mission objective appears to have been causing operational disruption within a targeted environment. Nyetya wiping portions of the hard drive of infected systems and providing no mechanism for reversing that process also seems to support this hypothesis.

What Could Have Been Done Differently?


Getting back to the basics of information security would have been an effective means of either preventing or seriously limiting the impact of both of these threats.

Patching


WannaCry was easily avoidable for most organizations. Simply installing the security update associated with MS17-010 would have prevented a successful WannaCry infection. There have been several arguments made about whether or not this was possible on older systems still being actively used in some organizations. WannaCry's implementation of the exploit code targeting the MS17-010 vulnerability did not even run properly on most of these systems. Microsoft eventually released updates for MS17-010 for these older operating systems as well.

As has been emphasized by the security community for many years, effective patch management is a vital security control that organizations simply must implement within their environments. We have seen many attacks become successful simply because an organization failed to patch their environments. Reliable exploits for 0-day vulnerabilities are often very expensive for attackers, while patched public exploits are very cheap. Attackers simply will not typically utilize a 0-day vulnerability if they can find a cheaper means to achieve their mission objective. As an organization, in most cases if a system within your environment is compromised due to a 0-day vulnerability being exploited, that is a good indicator that you are doing everything else effectively because it means that the attacker likely could not find another cheaper avenue to breach your defenses.

Least Functionality


Only implement system functionality that is required for systems to perform their intended role or function. Microsoft recommends disabling SMBv1 if it is not required. Likewise, limiting access to systems and services is another vital security control. Even if SMBv1 is in use on a system, it is rare for it to be required to be exposed to hostile network environments like the internet. Leveraging host-based firewalls, like the one built into the Windows operating system, even on internal network segments is another way to control access to these services.

Least Privilege


Limit the use of administrative tools like WMI and PSExec to only those systems from which system administrators are performing system management functions. Monitoring for the use of these tools across an organization's network, while not necessarily a preventative security control, can be used to quickly identify compromised systems and enable organizations to initiate appropriate incident response processes.

System and Network Monitoring


Computer worms typically propagate very quickly, making them extremely loud in most environments. In both of these cases, the worm would initiate a scanning function to identify new hosts to propagate to. Monitoring the environment for service sweeps, or attempts to connect to many systems by a single system on a network within a short period of time could allow for early identification of compromised systems so that the issue can be addressed before it causes a larger organizational impact.
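The "service sweep" signal described above is simple to express as a rule: one source address contacting many distinct destinations on the same port within a short window. The block below is an added example, not Talos code or tooling; it runs that rule over a small constructed set of flow-style records (hypothetical `10.0.1.x` addresses, an epoch timestamp, source, destination and port per line) with a 60-second window and a threshold of five distinct SMB targets, and reports any source that crosses it. Malformed lines and connections to other ports are ignored, and a workstation that merely talks to its file server a few times is not flagged.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 64
#define MAX_HOSTS  32
#define ADDR_LEN   16

/* One connection attempt: epoch seconds, source host, destination host, destination port. */
typedef struct {
    long ts;
    char src[ADDR_LEN];
    char dst[ADDR_LEN];
    int  port;
} conn_t;

/* Constructed sample log (hypothetical addresses, not from the post): a user
   workstation (10.0.1.7) talking to its file server, a host (10.0.1.5) fanning
   out to six neighbours on 445 within ten seconds, one RDP connection, and one
   line that does not parse at all. */
static const char *const SAMPLE_LOG[] = {
    "1496000000 10.0.1.7 10.0.1.20 445",
    "1496000005 10.0.1.5 10.0.1.21 445",
    "1496000006 10.0.1.5 10.0.1.22 445",
    "1496000007 10.0.1.5 10.0.1.23 445",
    "1496000008 10.0.1.5 10.0.1.24 445",
    "1496000009 10.0.1.5 10.0.1.25 445",
    "1496000010 10.0.1.5 10.0.1.26 445",
    "1496000030 10.0.1.7 10.0.1.20 445",
    "1496000040 10.0.1.7 10.0.1.30 445",
    "1496000045 10.0.1.9 10.0.1.21 3389",
    "this line is not a flow record",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Parse "<epoch> <src> <dst> <port>"; returns 1 on success, 0 for malformed input. */
static int parse_conn(const char *line, conn_t *c)
{
    return sscanf(line, "%ld %15s %15s %d", &c->ts, c->src, c->dst, &c->port) == 4;
}

static int in_list(char list[][ADDR_LEN], int n, const char *addr)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], addr) == 0) return 1;
    return 0;
}

/* Number of distinct destinations that `src` reached on `port` within the
   window [t_end - window, t_end]. */
static int distinct_targets(const conn_t *ev, int n, const char *src, int port,
                            long t_end, long window)
{
    char seen[MAX_HOSTS][ADDR_LEN];
    int nseen = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0 || ev[i].port != port) continue;
        if (ev[i].ts > t_end || ev[i].ts < t_end - window) continue;
        if (!in_list(seen, nseen, ev[i].dst) && nseen < MAX_HOSTS)
            strcpy(seen[nseen++], ev[i].dst);
    }
    return nseen;
}

/* Flag every source that contacts at least `threshold` distinct hosts on `port`
   within any `window`-second span. Flagged sources are written to `flagged`;
   the return value is how many were flagged. */
int detect_sweeps(const char *const *lines, int nlines, int port, long window,
                  int threshold, char flagged[][ADDR_LEN], int max_flagged)
{
    conn_t ev[MAX_EVENTS];
    int n = 0, nflag = 0;
    for (int i = 0; i < nlines && n < MAX_EVENTS; i++)
        if (parse_conn(lines[i], &ev[n])) n++;          /* skip unparseable lines */
    /* Use every event's timestamp as the end of a candidate window, so a burst
       is counted once all of its connections are in view. */
    for (int i = 0; i < n; i++) {
        if (ev[i].port != port || in_list(flagged, nflag, ev[i].src)) continue;
        if (distinct_targets(ev, n, ev[i].src, port, ev[i].ts, window) >= threshold
            && nflag < max_flagged)
            strcpy(flagged[nflag++], ev[i].src);
    }
    return nflag;
}

/* Run the detector over the sample: port 445, 60-second window, five targets. */
int run_sample(char flagged[][ADDR_LEN], int max_flagged)
{
    return detect_sweeps(SAMPLE_LOG, (int)SAMPLE_LOG_LEN, 445, 60, 5, flagged, max_flagged);
}

int main(void)
{
    char flagged[MAX_HOSTS][ADDR_LEN];
    int n = run_sample(flagged, MAX_HOSTS);
    for (int i = 0; i < n; i++)
        printf("possible SMB sweep from %s\n", flagged[i]);
    return 0;
}
```

The threshold and window are the tuning knobs: a file server or a vulnerability scanner legitimately contacts many hosts, so in practice such sources are allow-listed and the alert is enriched with the host's role before it is treated as a compromised system.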

Network Segmentation


Even in environments where it was simply not possible to install the security update associated with MS17-010, network segmentation is a good way to either prevent a successful attack or limit the possible impact of a successful attack to the rest of the organization's environment. Creating "choke-points" in communications pathways is a great way to not only limit the impact of a successful compromise, but also provides an ideal location to deploy network-based security controls that can be used to prevent a successful attack from occurring in the first place. As was previously described, the principle of least functionality would dictate that at each of these choke-points, access controls would be deployed to limit communications to only what is actually required for systems to serve their role within the business. Flat networks, while easy to manage and maintain, afford little in the way of mitigating the impact of an attack like WannaCry or Nyetya.

Processes and Policies


It is essential that organizations have established policies and processes in place to ensure that they are prepared to respond appropriately and effectively when the unexpected happens. Disaster Recovery and Business Continuity Plans enable organizations to recover from unplanned system outages or disasters. In order for these processes to remain effective over time, organizations must not only have the plans in place, but they must be tested and validated over time to ensure that they continue to meet the needs of the organization. Can your organization recover from a system outage quickly enough to meet its business needs? Is your backup strategy working (i.e. can you recover using your backups alone)? These needs change over time, and testing these processes will help ensure they remain effective before an outage or disaster occurs. Incident Response is another example of a process that should be in place and tested periodically through the use of hunting exercises, tabletop exercises, and walkthroughs. This is the only way to truly ensure that the incident response team has the knowledge and tools necessary to effectively respond when security events occur within an environment.

Conclusion


WannaCry and Nyetya are two examples of events that resulted in many organizations around the world being significantly impacted by malware. These events underscore the need to get back to the basics from an information security perspective to ensure that organizations are adequately protected and ready to respond to disruptive events that may occur within their environments. Computer worms are nothing new; they have been around for decades. Having a sound, layered, defense-in-depth strategy in place will ensure that organizations can prevent widespread system outages, and detect and respond when system compromise occurs within their environments to minimize the impact these events may have.

The National Institute of Standards and Technology (NIST) has released Special Publication 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations" which provides comprehensive guidance regarding recommended best practices and the selection of security controls that can be implemented to establish a sound defensive architecture within networked environments. This guidance is available here.

Threat Round Up for Aug 25 - Sep 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 25 and September 1. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Downloader.TrickBot-6336123-0
    Downloader
    Campaigns continue to distribute new TrickBot samples through malspam & document based downloaders. This recent variant of downloader mimics account correspondence from a large financial institution, but the macro used for fetching a TrickBot sample has been stripped down to a simple deobfuscation & shell invocation.
     
  • Doc.Dropper.Agent-6336106-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.Obfuscation-6336014-0
    Office Macro
    This cluster of Office Macro documents uses the same obfuscation technique to prevent quick analysis. Manual analysis of the obfuscation technique shows many variables and instructions that are never used or evaluated, amounting to junk code.
     
  • Doc.Trojan.Agent-6336128-0
    Office Macro based downloader
    This set of downloaders uses string obfuscation in VBA to build a download command for the shell and execute it with the VBA Shell function. It was recently observed delivering TrickBot among other payloads.
     
  • Vbs.Trojan.VBSTrojan-6336102-0
    Trojan
    This Visual Basic script downloader fetches a binary from the internet and installs it on the system.
     
  • Win.Malware.Dinwod-6336124-0
    Dropper
    Dinwod is a polymorphic dropper. It copies modified versions of itself to the root directory then deletes the original file. The copies drop the payload DLL in the Windows directory, then force legitimate processes to run the payload via DLL injection.
     
  • Win.Trojan.AlmanCloud-6336008
    Trojan
    This is a Trojan. It contains many anti-debugging and anti-VM tricks to hinder dynamic analysis and detect instrumented environments. The binary can also try to register itself as a Windows service, and it modifies the hosts file. Moreover, it has functionality to infect USB drives plugged into the victim's computer and may also work as a keylogger. Finally, it has code to contact remote servers and upload the collected information.
     
  • Win.Trojan.Cuegoe-6336130-0
    Trojan
    This is a trojan downloader. The payload varies and is unpacked inside a lengthy linear decryption routine.
     

Threats

Doc.Downloader.TrickBot-6336123-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Outlook_Perf_Library_Lock_PID_90c
IP Addresses
  • 210[.]16[.]102[.]251
  • 216[.]239[.]32[.]21
  • 93[.]114[.]64[.]118
  • 5[.]152[.]210[.]179
  • 146[.]255[.]36[.]1
Domain Names
  • evaluator-expert[.]ro
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\bicprcv.exe
  • %AppData%\winapp\Modules\systeminfo64
  • \srvsvc
  • %TEMP%\cdqfm.bat
  • %AppData%\winapp\group_tag
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\cdqfm.bat
  • %TEMP%\bicprcv.exe
  • %AppData%\winapp\Modules\injectDll64_configs\dpost
  • %AppData%\winapp\Modules\injectDll64_configs\dinj
  • %AppData%\winapp\aganpat.exe
  • %AppData%\winapp\Modules\injectDll64
  • %AppData%\winapp\client_id
  • %AppData%\winapp\ahboqbu.exe
  • %AppData%\winapp\Modules\injectDll64_configs\sinj
File Hashes
  • 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3
  • 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot






Doc.Dropper.Agent-6336106-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]27
  • 185[.]165[.]29[.]129
Domain Names
  • oceanclubsreloaded[.]us
  • oceanfreightclubs[.]ir
Files and or directories created
  • \TEMP\New Purchase Order.xls
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\OT[1].exe
  • %AppData%\Microsoft\Office\Recent\New Purchase Order.LNK
  • %AppData%\Microsoft\Office\Recent\272622119.xls.LNK
  • %TEMP%\wbfg.exe
File Hashes
  • 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0e
  • 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fb
  • 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923
  • a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5f
  • d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121
  • aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella





Doc.Macro.Obfuscation-6336014-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES
    • Value: 3488D8938CAA8400F802C2439F4B8FCDCE406396
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\3488D8938CAA8400F802C2439F4B8FCDCE406396
Mutexes
  • socket.1
  • socket.0
  • tty_list::mutex.0
  • socket.2
  • Global\刐ƶ
IP Addresses
  • 82[.]195[.]75[.]101
  • 91[.]219[.]237[.]229
  • 109[.]163[.]234[.]8
  • 38[.]229[.]72[.]16
  • 23[.]21[.]138[.]252
  • 31[.]185[.]104[.]20
  • 78[.]47[.]38[.]226
  • 104[.]20[.]73[.]28
  • 184[.]73[.]220[.]206
  • 46[.]28[.]110[.]244
  • 81[.]7[.]16[.]182
  • 198[.]199[.]64[.]217
  • 174[.]129[.]241[.]106
  • 50[.]19[.]238[.]1
  • 154[.]35[.]132[.]70
  • 62[.]210[.]92[.]11
  • 72[.]21[.]81[.]200
  • 151[.]80[.]42[.]103
  • 5[.]39[.]92[.]199
  • 86[.]59[.]21[.]38
  • 192[.]30[.]255[.]120
  • 192[.]30[.]255[.]121
  • 185[.]100[.]86[.]128
  • 144[.]76[.]163[.]93
  • 178[.]62[.]22[.]36
  • 104[.]20[.]74[.]28
  • 51[.]254[.]101[.]242
  • 46[.]252[.]26[.]2
  • 89[.]45[.]235[.]21
  • 192[.]168[.]1[.]1
  • 178[.]62[.]86[.]96
  • 178[.]62[.]197[.]82
  • 52[.]173[.]193[.]166
  • 192[.]168[.]1[.]255
  • 120[.]29[.]217[.]46
  • 138[.]201[.]14[.]197
  • 86[.]59[.]119[.]88
  • 192[.]30[.]255[.]113
  • 192[.]30[.]255[.]112
  • 85[.]25[.]116[.]81
  • 107[.]22[.]255[.]198
  • 23[.]23[.]170[.]235
  • 192[.]168[.]1[.]127
Domain Names
  • fv-st-konrad[.]de
  • www[.]fv-st-konrad[.]de
  • api[.]ipify[.]org
  • api[.]nuget[.]org
  • chocolatey[.]org
  • dist[.]torproject[.]org
Files and or directories created
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\cert8.db
  • %TEMP%\ts\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\SECURITY
  • %AppData%\MS\s\EXAMPLES
  • %AppData%\MS\s\socat.exe
  • %TEMP%\ts\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %AppData%\MS\Tor\tor.exe
  • %AppData%\tor\cached-microdescs.new
  • %AppData%\tor\lock
  • %TEMP%\ts\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\_rels\.rels
  • %AppData%\MS\Tor\libgcc_s_sjlj-1.dll
  • \TEMP\~$L Information.doc
  • %TEMP%\ts\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\Tasks\MRT
  • %System32%\Tasks\SC
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.xml
  • %AppData%\MS\Tor\libevent_core-2-0-5.dll
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.dll
  • %AppData%\MS\s\cygreadline7.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.xml
  • %AppData%\MS\Data\Tor\geoip6
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.dll
  • %WinDir%\AppCompat\Programs\RecentFileCache.bcf
  • %AppData%\MS\Tor\zlib1.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.SLCVvGfn.20170822125043.txt
  • %AppData%\tor\cached-microdesc-consensus
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\Tor\libevent-2-0-5.dll
  • %AppData%\MS\Tor\tor-gencert.exe
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16FC3937-61E8-4A38-8962-5CC96E748100}.tmp
  • %AppData%\MS\s\cygssl-1.0.0.dll
  • %TEMP%\ts\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_mshta.exe_b620274e31657385a0786969c6cab647bc5a5eb0_48824423\Report.wer
  • %TEMP%\ts\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\cygwrap-0.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygncursesw-10.dll
  • %AppData%\MS\s\VERSION
  • %AppData%\MS\Data\Tor\geoip
  • %AppData%\MS\s\README
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.xml
  • %TEMP%\ts\[Content_Types].xml
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.tnwsG1BN.20170822125100.txt
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygcrypto-1.0.0.dll
  • %AppData%\MS\Tor\libssp-0.dll
  • %TEMP%\ts\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \TEMP\DHL Information.doc
  • %TEMP%\ts\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libevent_extra-2-0-5.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\tor\cached-certs
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.PBM+k85t.20170822125056.txt
  • %TEMP%\ts\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
  • %AppData%\MS\s\BUGREPORTS
  • %TEMP%\ts\package\services\metadata\core-properties\b413d53c92364baa9958fdda02cd8e9a.psmdcp
  • %TEMP%\ts\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libeay32.dll
  • %TEMP%\ts\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\ssleay32.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\api_ipify_org[1].txt
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.xml
  • %AppData%\MS\s\FAQ
  • %TEMP%\ts\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.MiXmZ0jf.20170822125034.txt
  • %System32%\Tasks\SUT
  • %AppData%\tor\state
  • %TEMP%\ts\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\7238.exe
  • %TEMP%\CVRD4FC.tmp.cvr
  • %AppData%\MS\s\CHANGES
  • %TEMP%\ts\TaskScheduler.nuspec
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\MS\s\README.md
  • %AppData%\Microsoft\Office\Recent\DHL Information.LNK
File Hashes
  • bce01bde972b5d97e6bc163cd632fa7c2a1e9f1913abe69f8eb25d22a06063c8
  • 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd
  • 07b63a132b60b293532787b50c7765c6af9cebcc0449592ad31dec1198fc8b5a
  • 12c9ae29a83bf6ecf5766d9f51a2927d586bed20c3d37e4e150ffecadf8cd010
  • 2d1cbae9da80482fffdbbcc4f761e5b12ffbfeb2446026862d381ac80fa0f335
  • 4c5c70e7c517e35f93fd65aa493a9bbad63561ad7dc8b5235e23ca843c9c274e
  • 5d683f41aa10da94c4737aa8901fc92b93d4f5484f4728bcbd802b9336275d59
  • 8b3c33104719d76829977a595901992bb7183ded8f5d1ef379281c7c158ef803
  • 900df27eff06c022c5fc9f6ebdb6f5f1a1e9d65c2de1d5f6300c899937bb95e7
  • 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870
  • d3bc718d0cb24a9ffb25ae75d413f29fdb173e9174fd07d06ee8bb49ebec2330
  • e433044ade8b09c97cd4b2008bccb9f12d45e32f84a94efbc800754c58ed3eb2
  • efe8092be61ec8c11d6152fbf569517299f3a17322a14d5e1c13350ceaeac223
  • ff428dd61e1f50b36e6fc6707054840c0912455bea073edc5806467ca8cb7046
  • 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6b
  • 3724ecf98a0a71f54c227e00417bf0ea603ca480ac6db2a2708cc275f6227104
  • 44cd48611f0044d98082ba3dd816b61fe80ee91812fc05ee1f3f37690f51bacc
  • 488f6347913c580600ca24527ab8a0f3d2129c597a6398cc857eec4f1b0348c1
  • 4b9f88762b2eb226b86c5bb4ce04b4ffcd07d0e332bbc92ed6dd2d7d451c8269
  • 57c8d5b413e5ddc4bbf416ef8ac9b902eb1058e18b79e76ef5340c835c9cfa73
  • 6fe1e272df58349481d71357488f08fda7bf4709cd72be00ce5e42c244783649
  • 6fef1c02e5d06c9cd2b29fee73e796791b7b84a1875ff19296140d49823621ae
  • 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7
  • 8b0d3d287580a5095e92aaf357bb39e1ab754dd3eaa4ca9c2f7ee4727f5649dd
  • 8e03b31baaa847ffef1df04336d7629bd8c8ca169406768479114b91b96c9092

Coverage


Screenshots of Detection

AMP


ThreatGrid







Doc.Trojan.Agent-6336128-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 216[.]138[.]226[.]110
  • 64[.]182[.]208[.]181
  • 5[.]152[.]210[.]176
Domain Names
  • keybeautysystemswest[.]com
  • icanhazip[.]com
Files and or directories created
  • %AppData%\winapp\Nkahvx.exe
  • %AppData%\winapp\client_id
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Olaiwy.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\lubuj.bat
  • %AppData%\winapp\group_tag
  • %WinDir%\Tasks\services update.job
File Hashes
  • 9557c5337e1ebcc8dfe36e284be35c32ce22d2a4fbac56602d326598594899a8
  • b20fac264fb5724f17caafc34df08fc57879c0b30d360352a8e2b1ae3f9c2022
  • e77b85c8d93c7d1093eeea80621ad45ab3f091d537837a425b4e8829a2041aa4
  • fef300c8fad4477c75fd83aaa5a0033ee79c46e948148b4a7ed372943c306f5d

Coverage


Screenshots of Detection

AMP


Umbrella


Umbrella


Screenshot






Vbs.Trojan.VBSTrojan-6336102-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Mutexes
  • N/A
IP Addresses
  • 138[.]128[.]191[.]146
Domain Names
  • www[.]flemingz[.]com
  • flemingz[.]com
Files and or directories created
  • %TEMP%\ReAIquyDcG.exe
  • %TEMP%\ReAIquyDcG.exeA
File Hashes
  • 940723f511b9ecaf14478330baa01d4384f168de4b9c25a42e2865fde11067e4
  • 5bf717cf8794bc159f95b59fb73e46d8e46fcca03d5dca9b47d0b398fb9db17a
  • a9832474a614d15382a50954c3adf5ab7774698dcf57417c80f2abc640399639

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella






Win.Malware.Dinwod-6336124-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\jr8g6w6.exe
  • %SystemDrive%\3t9bd.exe
  • %SystemDrive%\dvdvv.exe
  • %SystemDrive%\69w460.exe
  • C:\Windows\friendl.dll
File Hashes
  • 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331a
  • 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b
  • 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17f
  • 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11
  • 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2e
  • 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad
  • 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6d
  • 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26
  • 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869
  • 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027

Coverage


Screenshots of Detection

AMP


ThreatGrid







Win.Trojan.AlmanCloud-6336008


Indicators of Compromise


Registry Keys
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider
  • <HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
Mutexes
  • \BaseNamedObjects\Global\RAS_MO_01
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\RAS_MO_02
IP Addresses
  • 148[.]81[.]111[.]121
Domain Names
  • klcwba[.]com
  • ajiyoh[.]com
  • dpwrjl[.]com
  • uatcte[.]com
  • imtxxh[.]com
  • lobsyb[.]com
  • xcckyn[.]com
  • uvebwz[.]com
  • iazfmh[.]com
  • zisbon[.]com
  • wyspqd[.]com
  • oeuuvh[.]com
  • udvjli[.]com
  • abvjlx[.]com
  • aoogeq[.]com
  • ilo[.]brenz[.]pl
  • lxoalw[.]com
  • wvnyqa[.]com
  • gnapgq[.]com
  • cxniir[.]com
  • gzoiji[.]com
  • rrbuas[.]com
  • tdsuye[.]com
  • kfgsia[.]com
  • vdbqhy[.]com
  • ygmyqt[.]com
  • upeuoz[.]com
  • eqyaud[.]com
  • wouaoc[.]com
  • omkbel[.]com
  • ioiufb[.]com
  • eyakmj[.]com
  • ukjqcx[.]com
  • twngee[.]com
  • bkegyi[.]com
  • dgyolj[.]com
  • ycztdl[.]com
  • dtptuw[.]com
  • aqqvuo[.]com
  • ioafts[.]com
  • caqiny[.]com
  • zqkqzt[.]com
  • dezims[.]com
  • ukngdn[.]com
  • ousvfo[.]com
  • bdgxqr[.]com
  • axqeuo[.]com
  • bidnxy[.]com
  • heuaot[.]com
  • gqugaq[.]com
  • aikuul[.]com
  • eiijba[.]com
  • qsjite[.]com
  • btaeqx[.]com
  • teioez[.]com
  • obwijg[.]com
Files and or directories created
  • %System32%\wbem\Logs\wbemess.log
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{684B4A19-F6D3-453D-B879-0BEB15FECE08}.FSD
  • %System32%\drivers\etc\hosts
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
  • \ntsvcs
  • %WinDir%\Prefetch\273142363.EXE-3748BAA7.pf
  • \lsass
File Hashes
  • a0fc82de8afd8ac9d2a9df4c5f94ea0d44abdad70af70624f168c3c34036d35b
  • 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830
  • 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38
  • 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4
  • f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella







Win.Trojan.Cuegoe-6336130-0


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Office\12.0\Word
  • HKU\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\D.tmp
  • %SystemDrive%\~$runme.docx
  • %SystemDrive%\runme.exe
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • %SystemDrive%\runme.docx (copy)
File Hashes
  • 73c4f4e0dbe8bb08fa68c7aa73e44651a322d5a04e462e546d6cf0c9e4897235
  • 6d20ac8668c1876117cfb7686d1dd71a82a88bc69595a9d698591a5ea41878b6
  • c8810c54be65f65747458e905afaaf534202d2c6bd5dc681309a1872042946b3
  • f3b527e625e6f198b5d44150bd4b5408935e57b7f7b395deba33f1662e2a2737
  • c95ad921fa61c90a84ce29748ee334827fab456bb5807ad2f3e5c688bc539903
  • 5f312c0ec89ad31cb819663059c97505cc72032f429cff33c61995ca651d52c0
  • afc27b6c6deace69313e1e164257ca0b5e5ce003c34c79ca1dc43dd67129f081
  • 55a8224f9b571776935e0340c9093b35b90b9138ef87e8484429b27c9ea61681
  • 9edbd6e5cf7cfa8f6c5ca9a80a487e420996cae0982fbcbfe72206c0b85845db
  • e0d385356bc5dc0a7619553d391259b8acd0f226dafb719b505bec4cba58fb46

Coverage


Screenshots of Detection

AMP


ThreatGrid


Graftor - But I Never Asked for This…

This post is authored by Holger Unterbrink and Matthew Molyett

Overview

Free software, often downloaded from large freeware distribution sites, is a boon for the internet, providing users with functionality they would otherwise not be able to use. Often users, happy that they are getting something for free, fail to pay attention to the hints in the licence agreement that they are receiving additional software services bundled with the freeware they desire.
Graftor, aka the LoadMoney adware dropper, is a potentially unwanted program often installed as part of freeware software installers. We wanted to investigate the effects this software has on a user’s system. According to the analysis performed in our sandbox, Graftor and the associated affiliate files it downloads perform the following functions:

  • Hijacks the user's browser and injects advertising banners
  • Installs other potentially unwanted applications from partners like mail.ru
  • It does not ask the user; it just silently installs these programs
  • Random web page text is turned into links
  • Adds Desktop and Browser Quick Launch links
  • User’s homepage is changed
  • User’s search provider is changed
  • Partner adware is executed and it social engineers the user to install further software
  • Checks for installed AV software
  • Checks for sandbox environments
  • Anti-Analysis protection
  • Unnecessary API calls to overflow sandbox environments
  • Creates/Modifies system certificates

Functionality


One of the first actions of the software is to install additional software on the user’s desktop, and change browser settings to point to third party websites (Fig.1):
Fig. 1
Looking at the Cisco Umbrella DNS data for the CnC domain used in this campaign, we can see that the campaign only lasted for a couple of days (Fig. 2a), but affected a significant number of people. Fig. 2b and 2c show domains of two of the affiliate applications which Graftor installed during our sandbox run. It is very likely that this includes users who didn’t intend to install these additional applications.

Regularfood[.]gdn (Command and Control Server Domain)
Fig. 2a
Affiliates (programs installed by Graftor):
Fig. 2b
Fig. 2c

Technical Details

A few minutes after executing the original Graftor dropper (2263387661.exe), the software downloaded and installed a series of additional executables. This results in the process tree looking like this (Fig. 3):
Fig. 3
We analysed the Graftor dropper/downloader (2263387661.exe). It comes with multiple stages of obfuscation. The first unpacking stage of the executable uses a heavily obfuscated but fairly simple unpacking algorithm which we will describe in the following section.

This algorithm is obfuscated within the WinMain function and distributed over several sub-functions. Fig. 4 shows the complexity of the WinMain function in IDA: many of these building blocks are combined with further sub-functions, jumping back and forth, which makes analysis particularly challenging.
Fig. 4

First, a new buffer is allocated (see Fig. 5 at 00401395):
Fig. 5
Then the bytes from 00416B6A (see Fig. 9 below) are decoded by different sub-functions within the WinMain function; for example, see loc_4013EC in Fig. 6.
The code avoids calling functions by address values and instead calls them via values stored in registers or variables. For example, the call ebx instruction in Fig. 5 at 00401395 results in a VirtualAlloc call. This makes static analysis of the code harder: without deeper analysis it is difficult to identify the destination of the call at 00401395 shown in Fig. 5.
Fig. 6
Finally, the decoded bytes are handed over to a function (Fig. 7, write_unpkd_bytes2buf), which writes these bytes into a buffer. This is the buffer which was allocated in Fig. 5 at 00401395. The decoding loop then repeats until all bytes are decoded:
Fig. 7
Fig. 8 shows the write_unpkd_bytes2buf function itself:
Fig. 8
The end result is that despite all of the complexity and obfuscation, the unpacking algorithm is remarkably simple and translates to the following pseudo-code (see Fig. 9 comments):
Fig. 9
This first stage of unpacking extracts the code into memory. After successfully unpacking this code it is executed via call ecx (see Fig. 10) - the second stage of the unpacker:
Fig. 10
This second stage code is position independent. It is loaded into a random address space picked by the operating system: the VirtualAlloc function in Fig. 5, which we mentioned above, is called with LPVOID lpAddress set to NULL, which means that the system determines where to allocate the memory region. This second stage is even more obfuscated by spaghetti code than the first stage. Its main task is to rebuild the Import Address Table (IAT) and resolve the addresses of certain library functions (Fig. 11), plus modify the original PE file.
Fig. 11
It stores the function addresses in different local variables. These are passed as arguments to several setup functions, for example one that changes the memory region 0x400000 - 0x59C000 to read/write/execute (see Fig. 12). In other words, it changes the whole .text, .rdata, .data, and .rsrc sections of the original PE file to read/write/execute, which enables the dropper to modify and execute the code stored in these regions. As we have already seen, in order to frustrate static analysis, most calls are obfuscated by calling through either registers or variables (Fig. 12).
Fig. 12
The next step, at 002A14F6, is to allocate a buffer located at 01DC0000:
Fig. 13
This buffer is filled with the bytes copied from 0042d049 in the original packed PE file:
Fig. 14
Fig. 15
This data is an encoded PE file. After copying the bytes to memory, it decodes them and writes them back to the buffer (Fig. 16a) at 01DC0000 (Fig. 16b).
Fig. 16a

Fig. 16b
This stage is protected with an anti-debugging technique. The executable uses two GetTickCount calls (Fig. 17a and 17b) to measure the time elapsed between them. If it takes too long, the executable will crash.
Fig. 17a
Fig. 17b
After resolving more library function addresses and fixing the IAT of the PE file in memory, it sleeps for 258 milliseconds and jumps back to 004897D3, which we will call the third stage from now on.
Fig. 18

The second unpacking stage, the one we have just discussed, also decodes the URL which is later used to contact the command and control server. First it allocates a buffer (e.g. at 002B0000, Fig. 19a), then reads the encrypted URL from the original sample at 004020c0, decodes it and stores it in that allocated buffer, i.e. at 002B0000 again (Fig. 19b).

Fig. 19a
Fig. 19b
The third stage (see above) is a C++ executable compiled with Visual Studio. Global object initializers allow custom classes to run during the C runtime initialization, before the apparent WinMain entry point. Organizing code in this way allows the malware to prepare the system survey in a way that is hidden from analysts who commence their analysis from WinMain. Later, when the associated code is used, the execution is masked by memory redirection and virtual function calls.
Below you can see the callback function addresses stored in the .rdata segment of the PE file (Fig. 20) and their initialization function InitCallbacks (Fig. 21 and Fig. 23).
Fig. 20
Fig. 21
During the pre-WinMain C Run Time library (CRT) initialization, the callback function list is created and populated with associations between named strings (e.g. “OS”), which are later observed in the CnC traffic, and several system information collection callback functions. For example, a "systemFS" string in the CnC traffic leads to a call to the Graftor_CollectSystemVolumeInformation function, and "OS" triggers the call of Graftor_CollectWindowsInformation.
Fig. 22 shows an example of such function calls, together with pseudo-code that would compile to assembly similar to what we discussed.
Fig. 22

The created list is linked to a global address location, which is later linked back again to local variables.
Fig. 23

Such redirection is subtle in source code, but the resulting execution means that chains of memory accesses are seen instead of just nice clean references to the object.
Fig. 24

Later on, a string is passed along to look up the callback and call it indirectly (Fig. 25).
Fig. 25


By using std::basic_string<wchar_t> instead of plain wchar_t arrays, every string interaction adds two function calls and a level of indirection. Instead of the analyst seeing a wide string being pushed to one function, they see a series of three. Before significant markup is performed (or when viewed in a debugger) this is just a mess of function calls and memory manipulation. Complicating the matter, the std library is statically linked rather than dynamically linked, so the analyst doesn’t get DLL calls as hints.
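The registration-before-WinMain pattern described above, written out as an added C++ example (this is not Graftor's code and not taken from Fig. 22; the table type, the InvokeByName and RegisteredCount helpers and the collector bodies are assumptions; the names "OS", "systemFS", InitCallbacks, Graftor_CollectWindowsInformation and Graftor_CollectSystemVolumeInformation come from the post, while the values the collectors return are constructed placeholders, not a real system survey):

```cpp
// Added example: a global object initializer populates a name -> callback
// table during CRT initialization, before main/WinMain runs, and a later
// lookup by string invokes the collector indirectly. Collector bodies return
// constructed placeholder strings; nothing here surveys the host.
#include <cstddef>
#include <map>
#include <string>

// Collector signature (assumption): no arguments, returns a wide string that
// would end up in the CnC report.
using Collector = std::wstring (*)();

// Global registry keyed by the strings later seen in CnC traffic. A
// function-local static avoids the static-initialization-order problem when
// the registering constructor below runs before other globals exist.
std::map<std::wstring, Collector>& Registry() {
    static std::map<std::wstring, Collector> table;
    return table;
}

// Placeholder collectors (constructed values, not a real survey).
std::wstring Graftor_CollectWindowsInformation()      { return L"Windows 7 SP1 (placeholder)"; }
std::wstring Graftor_CollectSystemVolumeInformation() { return L"NTFS (placeholder)"; }

// The constructor runs during CRT initialization, before main/WinMain, so an
// analyst starting at WinMain never sees the registrations happen.
struct InitCallbacks {
    InitCallbacks() {
        Registry()[L"OS"]       = &Graftor_CollectWindowsInformation;
        Registry()[L"systemFS"] = &Graftor_CollectSystemVolumeInformation;
    }
};
static InitCallbacks g_initCallbacks;   // global object initializer

// Indirect invocation by name: in the disassembly this is a chain of memory
// accesses through the map followed by a call through a register, not a direct
// reference to the collector. Unknown names yield an empty string.
std::wstring InvokeByName(const std::wstring& name) {
    auto it = Registry().find(name);
    if (it == Registry().end()) return L"";
    return it->second();
}

std::size_t RegisteredCount() { return Registry().size(); }

int main() {
    // By the time main runs, the table is already populated.
    return InvokeByName(L"OS").empty() ? 1 : 0;
}
```

Setting a breakpoint on WinMain/main and stepping forward will never show the two insertions; the practical way to find them is to walk the CRT initializer table (the .rdata function pointer list in Fig. 20) or to break on the map insert itself.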
Further on, this third stage is protected by another anti-debugging technique: the sample registers a VectoredExceptionHandler for first-chance exceptions (C0000005), as you can see in Fig. 26 and 27:

Fig. 26
Fig. 27

Then it marks the code section as PAGE_NOACCESS.
Fig. 28a
Fig. 28b

This means an exception is triggered for every single instruction in this section. The exception handler function (see Fig. 27 above) replaces the PAGE_NOACCESS protection of the memory location which caused the exception with PAGE_EXECUTE_READWRITE, so that location can be executed. The exception handler then returns to the initial instruction, which can now be executed, but the next instruction is still protected by PAGE_NOACCESS and will cause the next exception. With a debugger attached, this interrupts the debugging session for every instruction. Even if the exceptions are passed straight back to the executable, it massively slows down the execution speed.
At 004BB3FA the software starts preparing the internet request to the CnC server and encrypts the collected information to perform a GET request (Fig. 29a-c):

Fig. 29a
Fig. 29b
Fig. 29c
Talos has decrypted the GET request that is sent to the CnC server. The decoded content consists of a JSON file, which you can download here.

The executable is capable of sending the following information to the C2 server:

MAC, SID, HD serial number, username, GUID, hostname, HD size, HD devicename, Filesystem, OS version, browser version, DotNET version, Video Driver, Language Settings, Memory, system bios version, domainname, computername, several processor related parameters, number of processors, other installed adware and unwanted programs, running processes, keyboard settings, Antispyware, Firewall, Antivirus and more.

The server responds to this with an encrypted configuration file which is processed here:
Fig. 30
The same decryption algorithm which is used for the GET request is also used to decrypt the CnC server's response. It generates a fairly simple stream seeded by the first byte of the packet and XORs it with the data. Underneath the encryption is a simple gzip stream.
The full decrypted file can be downloaded here. It contains the adware and other unwanted programs the Graftor downloader is supposed to install for its partners/customers. You can see an example in Fig. 31.

Fig. 31
The first URL from the ‘l’ key is used to download the partner executable and install it. The ‘a’ key is used as its command line parameters. We have yet to identify the exact meaning of all the keys; they are passed as parameters to a quite large JSON library, which is also statically compiled into the binary. Besides the JSON library we also found a statically compiled SQLite library; we haven’t fully investigated how it is used by the executable. However, at this point we have enough information to detect and stop this adware downloader.
The information presented so far clearly shows the sophistication of this piece of software. With the data presented in the two decoded files, you have a good idea of the capabilities of the software and the impact it has on infected systems.
Graftor and the applications it downloads also heavily check for AV products and use various techniques to detect whether they are running in a sandbox environment. These are very similar to techniques commonly observed in malware.
Fig. 32a

Fig. 32b

Fig. 32c

Fig. 32d

Fig. 32e

The software makes many excessive API calls, such as the following (Fig. 33), which has the effect of polluting sandbox analysis.
Fig. 33


Conclusion

Graftor continues to be one of the most notorious potentially-unwanted-software downloaders we see in the wild. Users may be unaware that it is being bundled and executed as part of the freeware installation, since these installation files silently execute Graftor alongside the freeware.
Once Graftor is running, it exfiltrates a huge amount of user- and machine-identifiable information and installs additional potentially unwanted applications from its partners. The downloader requests administrative rights on the local machine; with this access, it can do anything it wants on the user's machine.
Solutions such as AMP for endpoints and AMP on network devices give administrators visibility of when software such as Graftor, and the further packages it downloads, are installed on devices. Similarly, network based detection can identify and block the CnC activity (Snort SID 44214). Thought should be given to blocking access to freeware websites to prevent the download of the Graftor installer. However, much freeware does not come bundled with Graftor and may be of great use to some users.
At the end of the day, keep in mind that if the software is free, you might be the product. Anyone using freeware should closely review the EULA before installing it. We know it is painful, but trying to remove this kind of software is likely more painful.

Coverage


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.


IOC

Alternate Data Streams(ADS):
C:\Users\dex\AppData\Local\Temp\2263387661.exe:Zone.Identifier
C:\Users\dex\AppData\Local\Temp\QBPO5ppcuhJG.exe:tmp
C:\Users\dex\AppData\Local\Temp\2263387661.exe:tmp
C:\Users\dex\AppData\Local\Temp\AyWdp7tHPIeU.exe:tmp
C:\Windows\System32\regsvr32.exe:Zone.Identifier

Hashes:
2263387661.exe (Graftor Dropper)
9b9ce661a764d84a4636812e1dfcb03b (MD5)
Fd3ccf65eab21a77d2e440bd23c59d52e96a03a4 (SHA1)
41474cd23ff0a861625ec1304f882891826829ed26ed1662aae2e7ebbe3605f2 (SHA256)

Dumped 2nd stage:
40bde09fc059f205f67b181c34de666b (MD5)
99c7627708c4ab1fca3222738c573e7376ab4070 (SHA1)
Eefdbe891e35390b84181eabe0ace6e202f5b2a050e800fb8e82327d5e57336d (SHA256)

Dumped 3rd stage:
1e9f40e70ed3ab0ca9a52c216f807eff (MD5)
7c4cd0ff0e004a62c9ab7f8bd991094226eca842 (SHA1)
5eb2333956bebb81da365a26e56fea874797fa003107f95cda21273045d98385 (SHA256)

URLs:
Command and Control Server GET Request:
hxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YQ...

Set-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15

Command and Control Server POST Request:
hxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YSZkZWxheT0zODk...

Set-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15

Domains from sandbox run:
arolina[.]torchpound[.]gdn
binupdate[.]mail[.]ru
crl[.]microsoft[.]com
dreple[.]com
gambling577[.]xyz
jvusdtufhlreari[.]twiceprint[.]gdn
kskmasdqsjuzom[.]regularfood[.]gdn
mentalaware[.]gdn
mrds[.]mail[.]ru
nottotrack[.]com
plugpackdownload[.]net
s2[.]symcb[.]com
sputnikmailru[.]cdnmail[.]ru
ss[.]symcd[.]com
xml[.]binupdate[.]mail[.]ru

Snort Rules:
SID 44214

