Data stealing Trojan was found using Windows PowerShell Remoting (May 28, 2015)

/in /by

Whether is it a ransomware trying to hold your files for a fee or a botnet trying to take down your servers, much of today’s malware use several different techniques to evade detection by security products and to stay hidden during execution. The Dell SonicWALL Threats Research team has discovered a data stealing Trojan using Windows PowerShell and Windows Remote Management in an attempt to fly under the radar. The Trojan leverages these technologies to establish a persistent connection to the victim’s computer and allow it to run PowerShell commands directly on the remote machine. This enables cyber attackers to query the machine’s file system, the registry, running processes, stop system services or scheduled jobs, and more without being flagged as suspicious by the victim’s security product.

Infection Cycle:

The Trojan uses the following icon:

Figure 1: Trojan purports to be Wise Cleaner application

Upon execution The Trojan spawns svchost.exe and injects its own code:

Figure 2: Trojan creating a new process – svchost.exe

Svchost.exe then downloads the Windows Management Framework Core package.

Figure 3: HTTP GET request for KB968930 on microsoft.com

Figure 4: Showing svchost.exe as the parent process which executed the downloaded file

The downloaded file is then unpacked in a temporary directory which will then be deleted after files are moved over to appropriate system directories:

  • c:7dd9ff4d2e44e82ca3dd98ddcf8e

Several other legitimate processes are then executed to carry out the full installation of Windows Remote Management and PowerShell. The following are just some of the commands executed to perform the installation and configuration:

  • c:7dd9ff4d2e44e82ca3dd98ddcf8eupdateupdate.exe /quiet /norestart
  • C:WINDOWSsystem32cmd.exe [C:WINDOWSsystem32cmd.exe /c copy /y C:WINDOWSassemblyGAC_MSILSystem.Management.Automation1.0.0.0__31bf3856ad364e35System.Management.Automation.dll C:WINDOWSsystem32WindowsPowerShellv1.0]
  • C:WINDOWSsystem32cmd.exe [C:WINDOWSsystem32cmd.exe /c copy /y C:WINDOWSassemblyGAC_MSILMicrosoft.PowerShell.ConsoleHost1.0.0.0__31bf3856ad364e35Microsoft.PowerShell.ConsoleHost.dll C:WINDOWSsystem32WindowsPowerShellv1.0]
  • C:WINDOWSsystem32cmd.exe [“C:WINDOWSsystem32cmd.exe” /c move /y “C:Documents and SettingsAll UsersStart MenuProgramsWindows PowerShell 1.0Windows PowerShell.lnk” “C:WINDOWS$NtUninstallKB968930$Windows PowerShell.lnk”]
  • C:WINDOWSsystem32wsmanhttpconfig.exe install
  • C:WINDOWSsystem32wsmanhttpconfig.exe downlevelsetup
  • C:WINDOWSsystem32wbemmofcomp.exe C:WINDOWSsystem32winrmprov.mof
  • C:WINDOWS$968930Uinstall_KB968930$PSCustomSetupUtil.exe” /install
  • C:WINDOWSMicrosoft.NETFrameworkv2.0.50727ngen.exe install /queue:1 /silent /nologo /NoDependencies “System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil”]

In order to ensure uninterrupted communication over certain ports it adds the following values into the registry (Note that by default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively):

  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[5985:tcp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[80:tcp]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[http://+:47001/wsman/]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[http://+:5985/wsman/]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[https://+:5986/wsman/]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[5985:tcp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[80:tcp]
  • HKLMsystemcurrentcontrolsetservicessens[start]4 (disables system event notification service)

It creates a copy of itself with a random folder and filename in the following directory:

  • %APPDATA%gixojgixoj.exe

In order to start after reboot the Trojan adds the following key to the registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun [null] “%APPDATA%gixojgixoj.exe”

It then sends TCP connection requests from random source addresses.

Figure 5: SYN flood attack

At one instance, it rendered the machine useless and caused it to crash.

Figure 6: Trojan causing the machine to bluescreen

It periodically sends encrypted data to remote servers:

Figure 7: Encrypted data sent to different remote servers

While we did not observe any powershell commands executed remotely during our analysis, this malware still poses a big threat. Depending on the initial data sent out to its remote servers, these cyber criminals may intend to use this on more lucrative targets like governments and businesses to retrieve useful critical information and gain control over their systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Kovter.POW_2 (Trojan)

Another TLS Vulnerability – Logjam Found Last Week (May 28, 2015)

/in /by

Another major vulnerability Logjam in TLS was released last week. Logjam actually involve two related but separated vulnerabilities, one is man-in-the-middle security suite downgrade, which is similar to FREAK vulnerability in TLS released in March 2015; the other is exploiting EXPORT cryptography or small DH parameters encrypted traffic by force. An attacker can exploit the vulnerabilities and eavesdrop all of the encrypted traffic without target’s knowledge.

To accomplish an attack by exploiting the first vulnerability, a man-in-the-middle attacker needs to intercepts the target’s traffic to the server with the following steps:

  1. The client hello info with accepted cipher suites should be replaced with only DHE_EXPORT ones. A sample of DHE_EXPORT client hello is showed below:

  2. The server accepted and pick a DHE_EXPORT cipher suite and send it back to client.
  3. The attacker should be able to decrypt the weak DHE_EXPORT encryption, then recover the keys with further attacks without target’s knowledge.

To decide if the server is vulnerable, OpenSSL suggests using the following commands to verify the length of the key and the support of Export cipher suites:

  • $ openssl s_client -connect [yourwebsite].com:443 -cipher “EDH”
  • $ openssl s_client -connect www.example.com:443 -cipher “ECDHE”
  • $ openssl s_client -connect www.example:com:443 -cipher “EXP”

A typical reply for DH configuration test is listed below. It comes with 1024 bit server public key and DHE RSA encryption:

Dell SonicWALL threat team has created the following IPS signatures to protect their customers:

  • IPS:6366 “Client Hello with EXPORT Cipher Suites 1”
  • IPS:6412 “Client Hello with EXPORT Cipher Suites 2”
  • IPS:6428 “Server Hello with EXPORT Cipher Suite”

Security Wins Big at Interop in Las Vegas

/0 Comments/in /by

Las Vegas welcomed thousands of technology professionals last week for the annual Interop IT show to discover the most current and cutting-edge technology innovations and strategies to drive their organizations’ success. SonicWall Security participated in force, launching the new SonicWall TZ firewall line and demonstrating our innovative enterprise computing, networking and security product portfolios.

A highlight of the event for the SonicWall team was participating in the coveted Interop Best of Show awards. We were honored to have the SonicWall Secure Remote Access (SRA) series receive the prestigious “Best of Interop 2015 Security Winner” award.

Part of the SonicWall Secure Mobile Access solution, the (SRA) series appliances provide mobile and remote workers using smart phones, tablets or laptops “” whether managed or unmanaged “” with policy-enforced SSL VPN access to mission-critical applications, data and resources without compromising security. iOS, Android, Kindle Fire, Windows, and Mac OS X smartphones, tablets and laptops can securely access allowed network resources and data, including shared folders, client-server applications, intranet sites, email, and remote and virtual desktop services, all from a single gateway. Interested in learning more about how SonicWall Secure Mobile Access can held enable mobile productivity without compromising security for your business? Read our Ebook.

Secure Email Data for HIPAA Compliance: Protect Your Business

/0 Comments/in /by

Protecting sensitive or confidential data is not just good business. For some, it’s legally required and subject to audit. For example, HIPAA regulations require organizations to take reasonable steps to ensure the confidentiality of all communications that contain patient or customer information. Health service providers and their business associates and contractors who touch or handle Protected Health Information (PHI) are subject to these rules.

Organizations such as physician’s offices, hospitals, health plans, self-insured employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities could all be considered covered entities and/or business associates or their subcontractors. In addition, mandatory reporting is required for HIPAA violations, even when the data is lost by a third party.

This increases the need for subcontractors to implement the same level of security typically found in larger organizations. The penalties for failure to conform to HIPAA regulations go far beyond the hundreds of thousands of dollars in fines. They include public humiliation, loss of reputation, brand damage, class-action lawsuits, and yes, even prison. But there are practical ways to avoid these penalties.

Here are some methods to secure your moving data:

1. Do an assessment.

If you do nothing else, at least do an assessment of where your PHI resides, how you get it and where you send it. Knowing where the data is that you need to protect, and how it travels, is the first step.

2. Add layers of security in case people make mistakes.

One of the most common causes of any kind of security breach is human error. Whether conscious, accidental, or simply due to laziness, human error can result in Personally Identifiable Information (PII) or Protected Health Information (PHI) being sent over the Internet as unencrypted text unless content filters are put in place to detect these messages and encode or reroute them safely. You need to:

  • Install smart filters that analyze both the email and its attachments
  • Correlate fields in both documents and attempt to match them to known patient databases
  • Encrypt messages before they’re sent over the Internet

3. Make sure the boundaries between systems are secure.

Communication security breaches commonly occur when data is transferred between two or more systems. It can happen whenever data is transferred between:

  • People within your organization’s firewall
  • People inside and outside your organization’s firewall
  • Your employees and your business associates (and their subcontractors)
  • Your employees and your customers/ patients
  • Two different systems

Whenever information passes between systems and people, the data needs to be secured at all times, even when in transit. You must also ensure the data that is sent to people outside your firewall is always sent in encrypted format, so that no one but its intended recipients can read it.

4. Make sure your internal communications are secure.

Employees who work from home present HIPAA boundary issues. It is critical that they securely transfer data from work to their home computers. Even though your business information will remain within your company it must still pass across the Internet securely. To prevent a mistake that compromises protected information, provide email encryption to any employee with access to PHI.

5. Make sure your business associate and subcontractor communications are secure.

Another boundary issue arises when employees interact with external business associates and subcontractors. It’s likely that they must regularly transfer sensitive information with these external contacts. And they may use different email systems than those in your office. Often, client or patient PII and/or PHI needs to be sent via email. Be sure to secure these emails with encryption that works with many different systems and devices, including mobile devices i.e., smartphones and tablets. Healthcare related institutions must use solutions that make it possible to communicate with anyone, anytime, anywhere, no matter what email system or device the other party uses. Likewise, you must demand the ability to securely transfer large files with all these same people.

6. Make sure your communications with telecommuters are secure.

Employees who telecommute comprise another set of boundary issues.

More medical professionals are working from home and often need to transfer large, important and time-sensitive files such as x-rays or mammograms as attachments through your email system. Because the files can be so large, they have the potential to bring your email system to a standstill.

Not only do you need to exchange these files securely, you need to send them in a way that does not overload or crash your email system. So you either must find the time, the budget, and the resources to set up file transfer sites for these large files or you can use encrypted email with a secure large file attachment capability. Either way, you must make absolutely sure that they comply with encryption guidelines.

7. Make sure when your patients communicate with you, everything they do is secure.

Your patients must often submit forms, ask questions of specific people and departments, or submit follow -up information about an ongoing illness or other matter. These communications often contain PHI. Until recently, these needs were served by paper-based processes, but now can be handled through secure electronic forms on your website. But how do you ensure that this data reaches the right department or employee to process it? And can this data be integrated into existing knowledge worker software to track its status? If the request contains sensitive information, is it received from the patient in a secure manner, or did the method of collecting data cause a privacy violation? And if any follow up is needed with the patient, can this be sent securely? With a messaging system in place that provides secure inbound and outbound service, uses email encryption and secure electronic forms, and provides workflow integration, you can streamline your operations and cost-effectively serve patients.

8. Make it easy to transfer even very large files securely.

FTP, or file transfer protocol, is the standard way to transfer files across the Internet. However, it transmits user login credentials and the contents of files in an unencrypted manner. So this is not the secure method needed for transferring. You need a secure messaging system that automatically routes large files, alerts the recipient that they are available, and that tells you when they’ve been opened and by whom.

9. Make sure you can demonstrate that your system is secure.

After an email message is sent, how do you know what happened to it? Did its intended recipient open it? Were its attachments opened? Is there proof that the message was received and was read? Should a question arise about who viewed a message or its attachments, can you prove who read them to an auditor? It’s increasingly obvious that a secure messaging system must be trackable and auditable. To make this possible, messages and their attachments, their metadata and the fingerprinting data must be both viewable and traceable. The fingerprint data must record permanently the IP addresses of the recipient’s computers, and the system’s time must be synchronized with an atomic clock so that message times are never a point of dispute. Such a system would allow your administrators and, if necessary, auditors to easily review and sort through volumes of message information, and quickly retrieve a particular message, as well as all the tracking and fingerprint information associated with it.

If you’re interested in learning more about requirements for protecting sensitive data, including how to ensure the secure exchange of email containing sensitive customer data and simplify compliance in the process.

Read this white paper for details about achieving regulatory and industry compliance when moving:

  • PII
  • PHI
  • Proprietary data
  • Any other types of sensitive information

You’ll get a side-by-side look at specific HIPAA/HITECH and PCI-DSS compliance regulations, and how the  SonicWall Email Encryption service helps you meet each of them.

DOWNLOAD WHITE PAPER

POS Attacks Persist: Top 5 Defense Strategies to Protect Retail Networks

/0 Comments/in /by

No one needs reminding that 2014 was one of the most profitable years for cyber-criminals. The timeline graphic below takes us back to memory lane of what happened to large retailers such as Target, Home Depots and others. Despite efforts to comply with the Payment Card Industry – Data Security Standards (PCI-DSS) and other security measures for protecting electronic transactions and consumer data, U.S.-based retailers were hit hard by data breaches last year. Stores continued to be soft targets not just because they were easy victims per se, but more profoundly, due to the availability of good and effective hacking tools and techniques used by the cyber-criminals to successfully attack and compromise payment card infrastructures.

Although the sound of alarming retail breach headlines has been relatively quiet so far in 2015, the bad news is that POS attacks resumed where they left off in 2014. The SonicWall Security Threat Research team has been busy developing countermeasures to defeat newer forms of POS malware that have been found actively spreading in the wild. This is a noticeable development that carried over from the previous year. Cyber-criminals are obviously investing more in the malware economy and research as well as development efforts to create smarter methods of attacks that do greater harm. This is indicative of the Threat Research team’s 2015 Annual Threat Report prediction that more sophisticated POS malware variants are expected and additional attacks will target payment infrastructures throughout 2015, especially smaller regional chains that are more susceptible to attacks.

Debit/credit card payment

SonicWall Security researchers have already developed counter-measures to block several POS bot families including:

  1. Punkey: this Trojan was discovered in April 2015 and has versions for both 32-bit and 64-bit Windows-based POS terminals. Punkey is particularly dangerous not only because it can record payment card data while it’s being processed but it’s also capable of installing a keylogger to capture what employees type on systems including the card verification value (CVV) during a transaction.
  2. NewPosThings.C: this Trojan was also uncovered in April of 2015. NewPosThings.C adds system files and keys to the Windows registry to ensure its permanency upon reboot. It also searches the registry for VNC passwords, scans system memory to gather credit card track data, checks if data is available for transfer to its command and control (C&C) server periodically and sends credit card information in Base64 format to avoid detection.
  3. PoSeidon and POS.UCC: these Trojans were detected in March and February of 2015 respectively. Both exhibit similar behaviors as described in the NewPosThings.C. Trojan.

If you are in retail and still nervous about whether or not you have the proper security measures in place to protect your retail network, SonicWall Security recommends the following five key defense strategies to secure your payment card infrastructure.

  1. Traditional POS applications run on terminals connected to a central computer. Often, the operating system (OS) of this central computer is not kept updated, which can make the POS system as a whole highly vulnerable. It’s important to keep the OS patched and all software updated continually.
  2. Restrict activity on terminals to only POS-related activities (no web browsing) such as permitting data from POS system to advance to another trusted server on a different secured network for payment processing while preventing it from going elsewhere. To do this, keep the POS system isolated from the rest of the network. Separate groups and zones and make sure POS systems can only communicate with valid IP addresses. Communication between these systems should also be controlled and sanctioned only by the firewall via Access Control List (ACLs) to keep attackers who have gained network access from penetrating further and preventing them from siphoning data off to their own servers.
  3. Install a capable next-generation firewall with integrated intrusion prevention system (IPS) and SSL decryption between network segments and in the B2B portal to inspect all network traffic including encrypted connections to protect the network from internal and external attacks.
  4. Adopt a security policy that trusts nothing (networks, resources, etc.) and no one (vendors, franchisees, internal personnel, etc.), and then add explicit exceptions.
  5. Make security training a significant part of employee onboarding and ongoing communications. SonicWall’s recent Global Technology Adoption Index (GTAI) showed that employee security training is lacking in all industries, including retail. An astounding 56% of companies admit that not all of their employees are aware of security rules.

Download this exclusive white paper for additional guidelines on how you can protect your retail network.

DOWNLOAD WHITE PAPER

Tackle Your Compliance Demands with SonicWall’s New Hosted Email Encryption

/0 Comments/in /by

Email security is critical to protect your email from threats including spam, phishing attacks and malware. What’s more, government regulations now hold businesses and organizations accountable for protecting confidential data, ensuring it is not leaked and ensuring the secure exchange of email containing sensitive customer data or confidential information.

Contech Engineering Frees up IT Resources with SonicWall Hosted Email Security

Contech Engineered Solutions needed a better way to control spam and viruses, which IT spent too much time managing. The company deployed a hosted SonicWall email security solution and now saves 10 hours per month due to reduced support call volume, freeing up IT to handle more proactive tasks.

“Maintaining SonicWall Hosted Email Security has been a dream. It basically runs itself and allows our employees lots of flexibility to determine their own level of spam filtering,”said Matt Alvord, Senior Systems Engineer, Contech Engineered Solutions.

Contech now has the ability to respond faster to customers, because the SonicWall solution blocks spam and viruses in the cloud, so only legitimate email can be delivered to the company’s email infrastructure. As a result, network bandwidth is preserved. And, Contech receives strong, unified support from a single vendor because it has multiple SonicWall products, including the email security solution, network monitoring tools and laptops.

Mobile-Ready Secure Email Exchange

If your email security needs are evolving to include protection of confidential information to meet email compliance demands, consider SonicWall for a powerful solution that provides advanced compliance scanning and management as well as email encryption for mobile-ready secure email exchange.

The SonicWall Hosted Email Security service offers superior cloud-based protection from inbound and outbound email threats at an affordable, predictable and flexible monthly or annual subscription price. Available now, the service adds:

  • Compliance scanning and management to prevent confidential data leaks and regulatory violations.
  • An optional, integrated email encryption service that ensures secure exchange of confidential information.

Reduce Phishing Attacks with DMARC Advanced Email Authentication

In addition to new features to protect from compliance violations, the Hosted Email Security service also adds advanced email authentication technology and reporting. Now available, the service supports SPF, DKIM and DMARC technologies that help identify spoofed mail, reduce spam and phishing attacks, DMARC also enables reporting on sources and senders of email. This empowers you to identify and shut down unauthorized senders falsifying your email address to protect your brand. And for faster, more efficient administration, the service now includes a customizable, drag and drop dashboard and reports.

Learn More about SonicWall Hosted Email Security and Encryption Services

The new Hosted Email Security features and optional Email Encryption service are now available to our subscribers.

For more information about SonicWall Hosted Email Security and our new Email Encryption service, please visit our website or contact a SonicWall representative at 1.888.557.6642, or email sales@sonicwall.com.

Spam campaign roundup: The Memorial Day Edition (May 22, 2015)

/in /by

Memorial Day is a federal holiday in the United States for remembering the people who died while serving in the country’s armed forces. This holiday is observed every year on the last Monday of May, which is the 25th this year.This day typically marks the start of summer vacation season. So, this weekend also happens to be one of the biggest sale weekends of the year. Cyber criminals are taking advantage of innocent customers by sending unsolicited advertisements for products which may lead to malware.

Over the last week, the Dell SonicWALL threats research team has been tracking down all Memorial Day related spam emails.

As the Memorial Day weekend approaches, we are receiving an increasing amount of this holiday related spam emails. These emails have a common theme of trying to lure consumers to click on the links and provide their personal information in exchange for access to deep discounts and offers. Most of these emails are poorly crafted with evident errors in grammar and spelling. The following are some of the most common email subjects:

  • Start Summer with a Flat Tummy, Drop 23# by Memorial Day -5735730
  • Be Bikini-ready, Drop 13# by Memorial Day, Free-Sample Today -21045784
  • Memorial Day Clearance Invitation: All remaining 2015 (Make) Must Go
  • 25 Hour Jet Card Memorial Day Sale!!!
  • Memorial Day-Survey: Confirm your $100**

Some emails are purporting to come from popular department stores or restaurant chains promising gift cards or coupons, that when clicked would take you to a URL different from the real merchant’s website. The consumer will then be asked to enter their personal information and to participate in a number of “offers” often costing money in fees or subscriptions without the guarantee of ever receiving the products and services or the free gift card at the end of the process.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWall Email Security and NGFW Threat Prevention solutions monitor and provide constant protection against such malicious spam and phishing threats.

TeslaCrypt ransomware joins the fee-for-file-recovery trend (May 22nd, 2015)

/in /by

The Dell Sonicwall Threats Research team has received reports of a new file encrypting ransomware called TeslaCrypt. Like other file encrypting ransomware such as Cryptolocker and Cryptowall this trojan holds files ransom for a fee. Communication to the C&C/key server is encrypted and takes place over the tor network. Bitcoin is used as the currency of choice in making payments for file recovery and aids in making it difficult for authorities to trace operators. Ransomware of this nature has proven to be a very effective and lucrative business model. It is a trend that we expect to continue throughout 2015.

Infection cycle:

Upon infection the Trojan displays the following text on the desktop background:

It also displays the following dialog in the foreground:

The Trojan makes the following DNS queries:

      7tno4hib47vlep5o.42kjb11.net
      7tno4hib47vlep5o.42kdb12.net
      7tno4hib47vlep5o.tor2web.fi
      7tno4hib47vlep5o.tor2web.bluemagie.de

The Trojan adds the following files to the filesystem:

  • %APPDATA%key.dat
  • %APPDATA%log.html
  • %APPDATA%nvpdpcv.exe [Detected as GAV: TeslaCrypt.A_6 (Trojan)]
  • %USERPROFILE%DesktopCryptoLocker.lnk (link to nvpdpcv.exe)
  • %USERPROFILE%DesktopHELP_TO_SAVE_YOUR_FILES.bmp
  • %USERPROFILE%DesktopHELP_TO_SAVE_YOUR_FILES.txt

The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun svv_e “%APPDATA%nvpdpcv.exe”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce *svv_e “%APPDATA%nvpdpcv.exe”

It issues the following command to clean up after infection:

      "%WINDIR%system32cmd.exe" /c del {run location}nvpdpcv.exe >> NUL

It also issues the following command to delete any volume shadow copies on the system:

      "%WINDIR%system32vssadmin.exe" delete shadows /all /Quiet

The Trojan appears to be inspired by Cryptolocker. CryptoLocker.lnk uses the following icon:

key.dat contains the following data which includes the bitcoin address to send funds to:

Files on the system and any attached shares are encrypted with the RSA-2048 algorithm as stated in the displayed splash screen. log.html contains a list of all the files that were encrypted:

The Trojan contacts ipinfo.io in order to obtain the public IP of the infected machine:

The Trojan was observed sending encrypted information over the tor network to a remote C&C/key server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: TeslaCrypt.A (Trojan)
  • GAV: TeslaCrypt.A_2 (Trojan)
  • GAV: TeslaCrypt.A_3 (Trojan)
  • GAV: TeslaCrypt.A_4 (Trojan)
  • GAV: TeslaCrypt.A_5 (Trojan)
  • GAV: TeslaCrypt.A_6 (Trojan)

ProFTPD Unauthenticated Remote File Copying (May 22, 2015)

/in /by

ProFTPD includes a number of modules to allow a FTP server to be extended. The mod_copy module contained in the mod_copy.c file for ProFTPD 1.3.x implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server without having to transfer the data to the client and back.

However, an access control weakness exists in mod_copy module. The vulnerability is due to a lack of access control and allows a remote, unauthenticated user to manipulate files on the target system. A remote attacker could exploit this vulnerability by sending crafted FTP commands to the affected service. Successful exploitation would result in arbitrary code execution on the target system.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

10923 ProFTPD Unauthenticated Remote File Copying

Runnerx.CHM , a Microsoft Help file Malware Targets JPMorgan Chase Customers.

/in /by

The Dell Sonicwall Threats Research team observed reports of a Malware family named GAV: Runnerx.CHM (Trojan) Targets global financial services firm specially JPMorgan Chase Customers in the wild. This time attackers used an attached Microsoft Compiled HTML .chm file attached to spam messages. A Microsoft Help file is a binary file, which encompasses a set of HTML files.

The spam arrives via spam email posting as coming from JPMorgan Chase with subject of Chase Bank

Here is an example:

Infection Cycle:

The Malware uses the following icons:

Md5s:

  • 14b166abd7279baa483cfc6e33fc5a3e – Email Attachment (Message.CHM)

  • e821100cd69a0902d6ac5b1e56874692 – Executable Dropper (test.exe)

  • 72841b43391206f983b0fa2ea0be331a – Executable Dropper (p2804us77.exe)

The Malware adds the following files to the system:

  • Message.CHM

    • %TEMP% natmasla2.exe Detected as GAV: Runnerxd1.CHM ( Trojan )

The Malware uses Microsoft Help file scripts to malicious files on the target system such as following:

Once the computer is compromised, the target user sees a fake message from JPMorgan Corporation.

But in the background the Malware runs the following commands on the system:

The file natmasla2.exe is dropped after malware launches on the target system, the malware uses Powershell.exe (Windows PowerShell management framework) for downloading the droppers from C&C server and then starts to inject Svchost.exe to collecting information from target system.

When Powershell.exe was successfully launched on the target system its drops the natmasla2.exe into Temp Folder.

After a while malware tries to generate a dummy URL to download Flash-player from Adobe website.

Then it will download second dropper detected as GAV: Runnerxd2.CHM it is variant of Dyre banking Trojan.

  • 72841b43391206f983b0fa2ea0be331a – Executable Dropper (p2804us77.exe)

Dyre has been designed to target certain banks such as Bank of America and Citi Bank before. Dyre injects malicious code into web browsers, ready to steal information when victims visit their banking site. We recently released observed reports of aDyre.E ,Dyre.F and Dyre.L.

Command and Control (C&C) Traffic

Runnerx.CHM performs C&C communication over HTTP protocol. The malware tries to download droppers from C&C server, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Runnerx.CHM (Trojan)

  • GAV: Runnerxd1.CHM (Trojan)

  • GAV: Runnerxd2.CHM (Trojan)