Sudden spike in Slempo samples observed for Android (June 7, 2018)

A source-code leak of a popular malware family is both a good and a bad thing. On the positive side, security researchers learn more about the malware and can build better protections against it. On the negative side, malicious actors do the same and modify the code to create new strains. This pattern is common in the Android malware space, where the origin of a family can often be traced to code leaked from a popular malware, either recently or long ago.

SonicWall Capture Labs Threat Research Team observed a sudden surge in a malware family that goes by several names: Slempo, Acecard, GM Bot and SlemBunk. The family can be traced back to GM Bot, whose source code was leaked in December 2015. That source has since been hosted for research purposes and is easily found by researchers and malware writers alike.

The spike

Over the past few days we observed a rise in samples belonging to the Slempo campaign. Even though the numbers are not very high, it is worth noting that new samples circulated for a few days, after which the numbers fell again:

The graph shows a classic wave pattern, where samples spread in high numbers for a small period of time and then die out slowly.

Revisiting Slempo

The earliest Slempo sample can be traced back to late 2014, and over the years the samples have not changed much in terms of functionality. The main objectives of this threat remain the same:

  • Steal sensitive device related data from the infected device
  • Target certain apps and steal their credentials
  • Accept and execute commands from the attacker via SMS messages
  • Steal the victim's credit card number

Samples belonging to the Slempo campaign are essentially tasked with stealing login credentials from the infected device. The target apps are hardcoded in the APK:

Upon infecting the device, the app requests device administrator privileges. Device admin rights let the app enforce device policies and, more importantly for the attacker, make it hard to remove: Android will not uninstall an active device administrator until the user first deactivates it in Settings, so a victim who suspects something malicious cannot simply uninstall the app:

Sensitive information pertaining to the device is sent to the attacker, including the names of most used apps:

When the victim opens a targeted app, they see a fake login page; once the details are entered, the credentials are sent to the attacker. Below is an instance where we opened Facebook on an infected device: a fake overlay was drawn on top of the Facebook app, requesting the credentials:

If the victim does not suspect anything and enters the credentials, they are sent to the attacker:
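A quick way to spot this combination of behaviours before running a sample is to triage the decoded AndroidManifest.xml: a device admin receiver, the overlay permission, SMS permissions and a lure label together are a strong tell. The script below is an added example and is not code from this post or from the Slempo samples; the manifest it parses is constructed to look like one (the package name "com.adobe.flashplayer.update" and the receiver names are assumptions).

```python
"""Triage a decoded AndroidManifest.xml (apktool output) for the permission
and component combination used by Slempo-style overlay bankers.

Added example, not code from the SonicWall post. The manifest below is
constructed to mimic the behaviour the post describes (device admin,
overlays, SMS command channel, lure name) and is not a real Slempo
manifest; the package name is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualified attribute name for android:<attr> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions grouped by the capability they give an overlay banker.
INDICATORS = {
    # Draw a fake login page on top of the targeted app.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # Accept commands from the attacker over SMS and read incoming messages.
    "sms_command_channel": {"android.permission.RECEIVE_SMS",
                            "android.permission.READ_SMS",
                            "android.permission.SEND_SMS"},
    # Know which app is in the foreground so the overlay can be timed.
    "foreground_app_tracking": {"android.permission.GET_TASKS",
                                "android.permission.PACKAGE_USAGE_STATS"},
    # Collect device identifiers to send to the attacker.
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

# Application labels the post lists as the family's usual lures.
LURE_LABELS = {"mx codec pack", "adobe flash player", "flash player"}


def triage_manifest(xml_text):
    """Return package name, the indicators found, and a simple score."""
    root = ET.fromstring(xml_text)
    findings = {}

    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    for capability, names in INDICATORS.items():
        hit = sorted(perms & names)
        if hit:
            findings[capability] = hit

    # Device admin: a receiver guarded by BIND_DEVICE_ADMIN that handles
    # DEVICE_ADMIN_ENABLED. Android will not uninstall an active admin until
    # the user deactivates it, which is the anti-removal trick described above.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        if rcv.get(_a("permission")) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {a.get(_a("name")) for a in rcv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receivers.append(rcv.get(_a("name")))
    if admin_receivers:
        findings["device_admin"] = admin_receivers

    app = root.find("application")
    label = (app.get(_a("label")) or "") if app is not None else ""
    if label.strip().lower() in LURE_LABELS:
        findings["lure_label"] = [label]

    return {"package": root.get("package", ""),
            "findings": findings,
            "score": len(findings)}


# Constructed sample: what an apktool-decoded Slempo-like manifest looks like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adobe.flashplayer.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Adobe Flash Player">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "score", r["score"], r["findings"])
```

None of these indicators is malicious on its own (SMS apps need SMS permissions, some launchers use overlays), which is why the script reports the combination and a count rather than a verdict; a high score on an app calling itself "Flash Player" is what should trigger a closer look.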

A look back in time

We compared the new Slempo samples with a few samples from 2014 and 2015. Here are a few observations:

  • The developer names are the same – 123 and Android
  • The code structure is the same:

  • Majority of Slempo samples spread using the same set of package names:
    • MX Codec Pack
    • Adobe Flash Player
    • Flash Player
  • Most of the hardcoded target apps still remain the same:
    • Westpack
    • Commbank
    • Facebook
    • Twitter
    • StGeorge
  • We saw a component that shows an overlay for credit card information in the majority of the new samples spreading over the past few days. This component did not appear as frequently in older samples. A likely reason is that a large number of current malware families target victims' credit card numbers, and the Slempo authors want a piece of that pie as well. Once the victim opens the Google Play Store app, the credit card overlay shows up, and the victim cannot use the Play Store without entering this information:

The reason behind the sudden spike of Slempo samples is not clear at the moment. It is possible that new additions to the feature set of Slempo might be on the way.

SonicWALL Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Slempo.SPY (Trojan)

eWeek Goes 1-on-1 with SonicWall CEO Bill Conner

Bill Conner has a plan for SonicWall. And he’s already ahead of it.

In a recent interview with eWeek, the SonicWall CEO provided high-level perspective on not only where SonicWall is and how it got here, but also where it’s going in the future. It was a candid, one-on-one conversation that really lets the industry get to know SonicWall as a company.

“Everything comes through some kind of a network … where we think the market is going is really going to be about automated, real-time breach detection and prevention,” said Conner.

In May 2018, SonicWall announced its financial separation from Quest, backed by oversubscribed investment interest and unprecedented growth over the last six quarters. This comes less than two years after Francisco Partners' purchase of SonicWall from Dell.

“We still have Dell as a partner, and as an OEM, and still do a great deal of business with them,” Conner told eWeek. “We also have business that has nothing to do with Dell.”

Conner walked eWeek through the last 10 months of fast-moving growth for SonicWall, which included 12 new products that featured updates to trusted firewalls, introduced new virtual firewall offerings and unveiled the SonicWall Capture Cloud Platform.

Conner stressed that all of the development in defending endpoints, email and other areas of exposure does not mean that SonicWall is diverging from its true nature, which is primarily that of a network security company. SonicWall is simply expanding the breadth of its cybersecurity portfolio to deliver more cost-effective, real-time protection to customers and partners.

“One of the big questions when I came in was, ‘Is the brand going to be alive?’” said Conner. “Then there were questions about our roadmap and ability to deliver … Now our vision, that I started talking about six quarters ago, is starting to be real.”

This fiscal year SonicWall also added over 24,000 SecureFirst partner organizations, a 60 percent year-over-year increase, while closing $530 million in partner deal registrations. Since the start of 2018, SonicWall has collected 27 cybersecurity industry accolades, most recently being named the Editor’s Choice Security Company of the Year by Cyber Defense Magazine.

Report: Low Confidence in Stopping Business Email Compromise (BEC), CEO Fraud

Email is the primary tool for business communications and it’s used across the globe by organizations of all sizes. So, it’s no surprise that email is also today’s No. 1 threat vector for cyberattacks.

The cyber threat landscape has evolved to a great extent. Today, email attacks are highly targeted and cybercriminals engage in extensive social engineering activities to learn information about their targets in order to craft personalized emails.

Such targeted and sophisticated phishing attacks have a higher success rate than mass campaigns, because users implicitly trust a familiar name or an email that contains personal information. These emails may carry malicious attachments, weaponized URLs that deliver malicious payloads, links to phishing websites with fake login pages that steal credentials, or no malware at all, simply asking for confidential information or a wire transfer.

With the changing threat landscape, coupled with the lack of human and financial resources to keep pace, organizations find themselves as susceptible targets for email-based attacks, such as spear-phishing and CEO fraud/business email compromise (BEC).

To that end, SonicWall recently worked with Osterman Research to survey organizations and understand:

  • What are the top concerns for IT security decision-makers?
  • Why are cyberattacks succeeding?
  • How do you evaluate your current security posture?

Some of the key survey findings include:

  • Cyber threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social-engineering attacks. The perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations.
  • Most decision-makers have little confidence that their security infrastructure can adequately address infections on mobile devices or CEO fraud/BEC, or prevent users' personal devices from introducing malware into the corporate network.
  • To address the worsening threat landscape, security spending at mid-sized and large organizations will increase by an average of seven percent in 2018 compared to 2017.

The white paper also discusses the level of confidence that security professionals have in defending against these advanced threats. For example, 58 percent of those surveyed believe that their current solutions to eliminate malware before it reaches end users are either “very good” or “excellent,” and 55 percent believe that their ability to protect users from ransomware is this effective.

Unfortunately, things get worse from there: fewer than half of respondents rate their ability to block phishing attempts before they reach end users, to eliminate account takeover attempts before they reach senior executives, and to protect sensitive data as either “very good” or “excellent.”

Finally, some best practices that decision-makers must consider to protect against these advanced threats are:

  • Deploy a multi-layer approach for email security
  • View security holistically from cloud services to endpoint, with end-to-end monitoring
  • Train all users, including senior executives
  • Use adequate threat intelligence
  • Establish detailed and thorough policies

Get the In-Depth Osterman Report

Download the exclusive Osterman white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud,” compliments of SonicWall. The paper explores issues that security professionals face, how to evaluate your current security posture and best practices to consider implementing for sound email security.

Ramnit keeps coming back

SonicWall has been observing a new variant of Ramnit lately. Ramnit, a persistent worm first seen around 2010, is known for spreading aggressively: it self-replicates, injects into other processes, and infects executables, DLLs and HTML files. Historically, Ramnit used compromised websites to host malicious VBScript that infected users visiting those pages. Its botnet infrastructure drew a lot of attention and was the target of a major, coordinated takedown effort.


Infection Cycle:

The payload file is delivered to users through social engineering or phishing email campaigns. When launched, it executes the embedded VBScript and drops a malicious executable named “svchost.exe”, which replicates and injects itself into system files and processes. It then opens a backdoor and connects to a C&C server to steal information from the compromised computer.


Although the file carries an .html extension, its header and overall layout have been crafted to look like a PDF in order to evade detection. A static PDF analyzer parses the PDF structure and never sees the VBScript appended after it, and dynamic analysis in a PDF reader does not help either, since PDF does not support VBScript; the file only does anything when it is opened as HTML.

As shown below, the malicious VBScript is appended after the PDF content.

When the file is opened in Internet Explorer, newer versions show an ActiveX warning. Once ActiveX is allowed, the VBScript in the HTML page executes: it creates svchost.exe, drops it into the user's %Temp% directory and runs it from that path.

svchost.exe creates further executables, “Desktoplayer.exe” and “DesktoplayerSrv.exe”.

It then searches the system for HTML files and infects them by appending the same malicious VBScript.

The svchost.exe instance running from %Temp% modifies system registry entries, spawns a “chrome.exe” process and injects itself into it.

Malicious svchost.exe running under the spawned “chrome.exe” process:

Once the system is compromised, it connects to the C2 server fget-career.com, which has previously been involved in Ramnit campaigns.

The activity of the Ramnit sample is shown below:
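The practical lesson is to classify a file by its bytes rather than by its extension or by whichever parser the extension suggests. The script below is an added example, not code from this post or from Ramnit: it checks for a PDF header, looks for a VBScript block after the last %%EOF (where a PDF parser stops reading), and applies the same check to plain HTML files that have had the script appended. All inputs are constructed, and the dropper snippet is a sketch of the pattern described above rather than the real script.

```python
"""Tell what a file really is, not what its extension says.

Added example, not code from the SonicWall post. The post describes a
Ramnit dropper that starts with a PDF header and carries its VBScript after
the PDF content, and infected HTML files that get the same script appended.
Every input below is constructed for the example; the script body is a
harmless sketch of the dropper pattern, not Ramnit's code.
"""
import re

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# <script language="VBScript"> in any case; only Internet Explorer runs this.
VBS_SCRIPT_RE = re.compile(rb"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)

# Dropper behaviour the post calls out: instantiate a COM shell/filesystem
# object, reach the user's temp folder, execute what was written there.
DROPPER_HINTS = (
    re.compile(rb"CreateObject\s*\(\s*[\"']W?Script(ing)?\.", re.I),
    re.compile(rb"%TEMP%|GetSpecialFolder\s*\(\s*2\s*\)", re.I),
    re.compile(rb"\.Run\b|ShellExecute", re.I),
)


def classify(data, name=""):
    """Classify raw bytes; `name` is only used to report extension mismatches."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_pdf = data.startswith(PDF_MAGIC)
    script = VBS_SCRIPT_RE.search(data)
    hints = sum(1 for rx in DROPPER_HINTS if rx.search(data))

    result = {
        "pdf_header": is_pdf,
        "vbscript": script is not None,
        "dropper_hints": hints,
        "extension_mismatch": is_pdf and ext not in ("pdf", ""),
        "script_after_eof": False,
        "verdict": "clean",
    }
    if is_pdf and script:
        # A PDF parser stops at the last %%EOF; anything after it is invisible
        # to it, which is exactly where the dropper hides its payload.
        eof = data.rfind(PDF_EOF)
        result["script_after_eof"] = eof != -1 and script.start() > eof
        result["verdict"] = "pdf-vbscript-polyglot"
    elif script and hints >= 2:
        # Plain HTML (e.g. a file Ramnit infected) carrying the dropper pattern.
        result["verdict"] = "html-vbscript-dropper"
    elif script:
        result["verdict"] = "html-vbscript"
    return result


# --- constructed inputs -----------------------------------------------------
MINIMAL_PDF = (b"%PDF-1.4\n"
               b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
               b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
               b"trailer<</Root 1 0 R>>\n%%EOF\n")

CLEAN_HTML = b"<html><body><h1>Quarterly report</h1></body></html>\n"

# Sketch of the appended dropper: not Ramnit's script, just its shape.
APPENDED_VBS = (b"<script language=\"VBScript\">\n"
                b"Set sh = CreateObject(\"WScript.Shell\")\n"
                b"tmp = sh.ExpandEnvironmentStrings(\"%TEMP%\")\n"
                b"' decoded PE written to tmp & \"\\svchost.exe\" here\n"
                b"sh.Run tmp & \"\\svchost.exe\"\n"
                b"</script>\n")

if __name__ == "__main__":
    for name, blob in (("invoice.html", MINIMAL_PDF + APPENDED_VBS),
                       ("index.html", CLEAN_HTML + APPENDED_VBS),
                       ("report.pdf", MINIMAL_PDF),
                       ("index.html", CLEAN_HTML)):
        print(name, classify(blob, name)["verdict"])
```

The same function can be pointed at a directory of .htm/.html files on a suspected host to find the files Ramnit has already infected, since they carry the identical appended block.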

SonicWALL Threat Lab provides protection against this threat via the following signature:

  • Ramnit.VBS.Dropper

Ransomware possibly being used to teach "Ethical" hacking

Ransomware has been so rampant that we receive multiple variants daily. The SonicWall Capture Labs Threat Research Team recently received a sample of the Jigsaw ransomware which, at first glance, is no different from any other ransomware. We have been tracking and analyzing this family since we first spotted it in 2016. This newer sample, however, appears to have added the ability to communicate with a remote command and control server. We also noticed that this build may have been used as a school project, which is odd considering that ransomware continues to be a lucrative, if unethical, business. Are schools teaching students to write their own ransomware nowadays?

Infection Cycle:

This ransomware arrives in the system pretending to be a PDF file using the following icon:

Upon execution, it copies itself to the following locations as firefox.exe and drpbx.exe:

  • %Appdata%/Frfx/firefox.exe
  • %Appdata%/Drpbx/drpbx.exe

It then sends information such as the username and computer name to a remote server:

It then proceeds to encrypt files in the victim’s machine and appends a “.fun” file extension to all encrypted files.

It also creates a file named EncrypteFileList.txt in the root directory, containing the list of all files that have been encrypted.

It then displays an image of Jigsaw, the character from the Saw horror films, along with a warning and instructions on how to pay the ransom.

It also adds a Run key in the registry so that it persists across reboots:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run  firefox.exe %Appdata%\Frfx\firefox.exe
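A Run key pointing at a browser-named executable under %Appdata% is worth flagging on any host during triage, whatever family it turns out to be. The script below is an added example, not code from this post: it parses the text that reg query prints for the Run key and flags entries that run from a user-writable location or that borrow a well-known program's name outside its normal install directory. The sample output is constructed, and the user name "victim" is an assumption.

```python
"""Flag Run-key entries that look like Jigsaw's persistence: an executable
in a user-writable profile directory, named after a well-known program.

Added example, not code from the SonicWall post. It parses the text that
`reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run` prints;
the sample output below is constructed, and the user name is an assumption.
"""
import re

# "    Name    REG_SZ    Data" as printed by reg.exe (columns separated by
# runs of spaces; the value data may itself contain single spaces).
ENTRY_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*?)\s*$")

# Locations a legitimate autorun has no business living in.
WRITABLE_ROOTS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                  "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Names Jigsaw borrows, and where the real binary would normally live.
MIMICKED = {
    "firefox.exe": ("\\mozilla firefox\\",),
    "drpbx.exe": ("\\dropbox\\",),
    "chrome.exe": ("\\google\\chrome\\",),
    "svchost.exe": ("\\windows\\system32\\", "\\windows\\syswow64\\"),
}


def _exe_path(data):
    """Pull the executable path out of a Run value (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.search(r"^(.*?\.exe)", data, re.I)
    return m.group(1) if m else data


def find_suspicious_autoruns(reg_output):
    """Return [{name, path, reasons}] for entries worth a second look."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # key header, blank line, or anything that is not a value
        name, _type, data = m.groups()
        path = _exe_path(data)
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(root in low for root in WRITABLE_ROOTS):
            reasons.append("runs from user-writable location")
        if exe in MIMICKED and not any(d in low for d in MIMICKED[exe]):
            reasons.append("name mimics %s outside its install dir" % exe)
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


# Constructed `reg query` output: one legitimate entry and the Jigsaw entry
# from the post, written the way reg.exe prints it.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    firefox.exe    REG_SZ    C:\Users\victim\AppData\Roaming\Frfx\firefox.exe
"""

if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG_OUTPUT):
        print(f["name"], "->", f["path"], ";", "; ".join(f["reasons"]))
```

Feed it the output of reg query for both the HKLM and HKCU Run and RunOnce keys; the Jigsaw entry trips both checks, while the real Firefox autorun under Program Files trips neither.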

Upon further analysis, we also noted compiler debugging information in its strings, which suggests that this ransomware may have been built as a project for the 6th semester of an “Ethical Hacking” course.

We are split on the “ethics” of this program's use. Does promoting its use support this kind of behavior, and ultimately make it even more of a threat for everyone?

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Jigsaw.RSM_16 (Trojan)

Cybersecurity News & Trends – 06-01-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Cybersecurity 500 List, 2018 Edition (Cybersecurity Ventures)

  • SonicWall is announced as #36 on Cybersecurity Ventures Cybersecurity 500: 2018 Edition List which includes the world’s hottest and most innovative cybersecurity companies to watch in 2018.

British Businesses Facing Cyber Ransom Demands of up to £200,000 (The Daily Telegraph)

  • Cyber criminals are arming themselves with “malware cocktails”, expertly blended using old variants of malicious computer code. The new viruses are more potent than their predecessors because they have adapted to companies’ cyber defenses, like a digital version of antibiotic-resistant superbugs.

Securing Your Journey to Success With Innovation and Security: SonicWall (Silicon Review)

  • Recently announced as one of the 10 Best Security Companies in 2018, SonicWall is featured in an editorial highlighting the company’s history and success with CEO Bill Conner at the forefront.

10 Best Security Companies in 2018 (Silicon Review)

  • SonicWall is announced as one of the 10 Best Security Companies in 2018.

Cyber Security News

Cybercriminals on Average Have Seven-Day Window of Opportunity to Attack (SC Magazine)

  • Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable, according to a report from Tenable.

Deadly Attacks Feared as Hackers Target Industrial Sites (The Hill)

  • The hacking threat to critical infrastructure in the United States and beyond is growing larger, with nation states and other malicious actors looking to gain a foothold in sensitive technologies to conduct espionage and potentially stage disruptive or destructive attacks.

U.S. Judge Dismisses Kaspersky Suits to Overturn Government Ban (Reuters)

  • A U.S. federal judge on Wednesday dismissed two lawsuits by Moscow-based Kaspersky Lab that sought to overturn bans on the use of the security software maker’s products in U.S. government networks.

BackSwap Banking Malware Bypasses Browser Protections With Clever Technique (SC Magazine)

  • A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique.

Over 5K Gas Station Tank Gauges Sit Exposed on the Public Net (Dark Reading)

  • It’s been three years since researchers first discovered automated tank gauges (ATGs) at some 5,000 US gas stations exposed on the public Internet without password protection, and a recent scan found 5,635 locations were vulnerable to the same issue.

Upcoming Webinars & Events

June 4, 1 a.m. PDT, Webinar: Technical Deep Dive – Securing Office 365 with SonicWall Email Security