LATEST REMCOS (Remote Control & Surveillance Software) V2.5.0 IS BEING USED BY MALWARE AUTHORS

SonicWall RTDMI ™ engine has recently detected a malware file which uses REMCOS (Remote Control & Surveillance Software) as its payload. The malware is delivered to the victim’s computer as an email attachment. The archive file contains the executable file shown below:

Neither the archive file nor the Portable Executable (PE) file inside it is available in popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates that the sample is unique and has limited distribution:


PE Static Information:


Malware Execution:

The malware creates a copy of itself as %AppData%\Roaming\hpsupportk\hpsupportw.exe and uses install.vbs to delete the original and execute hpsupportw.exe from the %APPDATA% directory.


The malware decrypts and executes highly obfuscated code in multiple layers, which makes analysis difficult for reverse engineers.

First Layer Execution:

The malware code contains thousands of instructions, of which only a few do real work. The malware does not carry a decryption key for its encrypted data; instead it derives the key at runtime with the following logic.

The malware takes the initial DWORD of the encrypted data as MarkerValue and a stack address as KeyValue. It repeatedly XORs MarkerValue with KeyValue, decrementing KeyValue by 1 on each iteration, until the result equals 0x41414141. The KeyValue at that point is the actual key used to decrypt the second-layer code:



The malware then decrypts the second-layer code with the derived key, as shown below:
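As an added example (not code from the SonicWall write-up or from the sample), the Python below reproduces the key search described above on a constructed blob, and also shows the closed form an analyst can use instead of walking the stack address: because XOR is invertible, the only KeyValue that satisfies the check is MarkerValue XOR 0x41414141. The blob contents, the planted key 0x0019FF70 and the start address 0x0019FF80 are assumptions made for the demo; the sample's real values are not on the page.

```python
"""Recover the first-layer decryption key from the encrypted blob's marker.

Added example, not code from the SonicWall write-up. It models the key
search the write-up describes: MarkerValue is the first DWORD of the
encrypted data, KeyValue starts at a stack address and is decremented
until MarkerValue XOR KeyValue == 0x41414141. The blob and start address
below are constructed; the sample's real values are not on the page.
"""
import struct

MARKER_TARGET = 0x41414141      # constant the loop searches for (from the write-up)
MASK32 = 0xFFFFFFFF


def recover_key_by_search(encrypted: bytes, start_key: int,
                          max_iterations: int = 1 << 20) -> int:
    """Walk KeyValue downwards from start_key exactly as the first layer does.

    Raises RuntimeError if the marker is never matched within the budget,
    which happens when start_key lies below the real key.
    """
    if len(encrypted) < 4:
        raise ValueError("need at least one DWORD of encrypted data")
    marker = struct.unpack_from("<I", encrypted, 0)[0]
    key = start_key & MASK32
    for _ in range(max_iterations):
        if (marker ^ key) == MARKER_TARGET:
            return key
        key = (key - 1) & MASK32
    raise RuntimeError("no key within the iteration budget; wrong blob or start address")


def recover_key_directly(encrypted: bytes) -> int:
    """Closed form of the same search: key = marker XOR 0x41414141.

    XOR is invertible, so the decrementing loop can only stop at this one
    32-bit value; an analyst does not need the stack address to get the key.
    """
    if len(encrypted) < 4:
        raise ValueError("need at least one DWORD of encrypted data")
    marker = struct.unpack_from("<I", encrypted, 0)[0]
    return marker ^ MARKER_TARGET


# Constructed sample (assumption for the demo): the planted key looks like a
# 32-bit stack address, and the search starts 16 addresses above it.
DEMO_KEY = 0x0019FF70
DEMO_BLOB = struct.pack("<I", DEMO_KEY ^ MARKER_TARGET) + b"\x90" * 12
DEMO_STACK_START = 0x0019FF80

if __name__ == "__main__":
    print("key by search :", hex(recover_key_by_search(DEMO_BLOB, DEMO_STACK_START)))
    print("key directly  :", hex(recover_key_directly(DEMO_BLOB)))
```

The closed form is what matters for triage: the key is fully determined by the blob's first DWORD, and the stack address only decides how many iterations the search takes, so a decryptor script needs nothing but the blob. The routine that applies this key to the second layer is not described in the write-up and is not reproduced here.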


Second Layer Execution:

The malware reads the PEB_LDR_DATA structure from the Process Environment Block (PEB) to iterate over the loaded modules and looks for MSVBVM60.DLL:



The malware walks the export directory of MSVBVM60.DLL and looks for the DllFunctionCall Application Programming Interface (API) by matching the initial bytes of the function. It then retrieves the addresses of all the Windows APIs it requires through the DllFunctionCall API.


Anti-Debugging:

GetTickCount:

 

ThreadHideFromDebugger:

The malware calls the ZwSetInformationThread API with the ThreadInformationClass argument set to ThreadHideFromDebugger. If the process is running inside a debugger, this detaches the debugger and the process terminates immediately:

 

Hardware Breakpoints:

The malware calls the ZwGetContextThread API with the ContextFlags argument set to CONTEXT_DEBUG_REGISTERS. The API returns the values of the debug registers, which are used for hardware breakpoints. The malware examines the retrieved values and, if it finds any hardware breakpoint set, terminates execution:

 

Software Breakpoints:

The malware checks for software breakpoints and undefined instructions at the beginning of Windows APIs before calling them:

 

Sandbox Evasion:

The malware uses the GetCursorPos API to monitor mouse movement:

 

The malware loops, checking for hardware breakpoints, software breakpoints and the cursor position, until the cursor position changes. It encrypts the second-layer code while it is not in use and decrypts it again when the code needs to execute.

Finding start of decrypted code:

 

Encrypting second layer code:

 

Decrypting second layer code:

Persistence:

The malware creates a Run key in the registry to maintain persistence on the system, as shown below:

 

Bringing REMCOS in action:

The malware stores the REMCOS executable’s encrypted bytes in chunks of 97 bytes, with zero padding after each chunk, and keeps the count of padding bytes in a data structure. It first gathers all the encrypted bytes so that they are contiguous in memory, as shown below:

The malware decrypts the REMCOS executable’s bytes using a 34-byte key. It does not write MZ into the e_magic field in memory, so that a reverse engineer watching the decryption does not immediately recognise a PE file:

 

After completing the decryption and correcting the e_magic field to MZ, the malware loads and starts executing the REMCOS executable.

 

About REMCOS

REMCOS was designed as a Remote Control and Surveillance tool for legitimate purposes, but it has been used by malware authors for a few years. A free edition with limited capabilities can be downloaded from the official website, as shown below:

 

REMCOS in Action

REMCOS keeps its configuration in a resource named settings. The very first byte gives the RC4 key size, followed by the RC4 key, which is in turn followed by the encrypted configuration data:

 

REMCOS reads the key from the resource and decrypts the configuration data with the RC4 algorithm. The configuration contains the Command and Control (C&C) server’s IP address, port number, password, the REMCOS executable’s name, the keylogging filename, etc.:

 

REMCOS gathers the victim’s system information, which includes the REMCOS executable’s name, computer name, Windows version, RAM information, REMCOS version (2.5.0 Pro), keylogging file path, CPU information, etc. REMCOS uses “|cmd|” as the delimiter, as shown below:

 

Network:

REMCOS encrypts the collected system information with the RC4 algorithm, using the key “pass” retrieved from the configuration data, and sends it to the C&C server:
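The settings-resource layout, the RC4 configuration decryption and the “|cmd|”-delimited beacon described in the last few paragraphs are the pieces an analyst needs to write a configuration extractor and a decoder for captured traffic. The Python below is an added example (not code from the SonicWall write-up or from REMCOS) that implements exactly those pieces: a plain RC4 routine, a parser that splits the resource into key and decrypted configuration, and a beacon decoder keyed with the configured password. The key, configuration text and beacon fields are constructed for the demo; the configuration's internal layout is not documented in the write-up, so it is returned as raw bytes.

```python
"""Parse a REMCOS-style 'settings' resource and decode a C&C beacon.

Added example, not code from the SonicWall write-up or from REMCOS itself.
Layout modelled from the write-up: byte 0 = RC4 key length, then the RC4
key, then the RC4-encrypted configuration. The system-information beacon
is RC4-encrypted with the configured password and uses "|cmd|" as the
field delimiter. All sample values below are constructed for the demo.
"""
from typing import List, Tuple

FIELD_DELIMITER = b"|cmd|"   # delimiter REMCOS uses in the system information (from the write-up)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings_resource(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a settings resource into (rc4_key, decrypted_configuration).

    The configuration's internal layout is not documented in the write-up,
    so the decrypted bytes are returned as-is for the analyst to inspect.
    """
    if len(blob) < 2:
        raise ValueError("resource too short to hold a key length and key")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("key length byte does not fit the resource")
    key = blob[1:1 + key_len]
    return key, rc4(key, blob[1 + key_len:])


def decode_beacon(ciphertext: bytes, password: bytes) -> List[str]:
    """Decrypt a captured system-information beacon and split it on '|cmd|'."""
    plain = rc4(password, ciphertext)
    return [field.decode("latin-1") for field in plain.split(FIELD_DELIMITER)]


# --- constructed sample data (assumptions for the demo, not from the sample) --
DEMO_KEY = b"demo-rc4-key"
DEMO_CONFIG = b"constructed config: c2=203.0.113.10 password=pass exe=hpsupportw.exe"
DEMO_RESOURCE = bytes([len(DEMO_KEY)]) + DEMO_KEY + rc4(DEMO_KEY, DEMO_CONFIG)
DEMO_BEACON_FIELDS = [b"hpsupportw.exe", b"WIN-DEMO", b"Windows 10", b"2.5.0 Pro"]
DEMO_BEACON = rc4(b"pass", FIELD_DELIMITER.join(DEMO_BEACON_FIELDS))

if __name__ == "__main__":
    key, config = parse_settings_resource(DEMO_RESOURCE)
    print("rc4 key      :", key)
    print("configuration:", config)
    print("beacon fields:", decode_beacon(DEMO_BEACON, b"pass"))
```

Because RC4 is symmetric, one rc4() serves both the settings resource and a captured beacon; the demo builds both with it and then parses them back. On a real sample the resource bytes come from the settings resource of the unpacked REMCOS executable and the beacon password from the decrypted configuration.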

 

Key Logging:

REMCOS records keystrokes and saves them to %AppData%\Roaming\hpsupportl\logs.dat:

 

Additional capabilities of REMCOS

  • Screen Capture
  • Remote CommandLine
  • Remote Registry Editor
  • Download, Upload and Execute files
  • Logins cleaner

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Nemty 1.6 ransomware released. Uses 8192-bit encryption.

The SonicWall Capture Labs Threat Research Team observed reports of a new version of Nemty ransomware being delivered via the RIG exploit kit. Previous versions of Nemty have used a variety of methods to infect users, including phishing techniques using a fake PayPal website. Released in August 2019, Nemty has undergone various changes, including using 8192-bit encryption keys to encrypt files. The proposed cost of decryption is 0.17968 BTC (around $1500 USD at the time of writing).

 

Infection Cycle:

 

The trojan uses the following icon:

 

Upon infection, files on the system are encrypted and “_NEMTY_8MD1JU0_” is appended to each filename.

 

The following ransom note is displayed on the desktop:

 

The trojan adds the following file to the system:

  • %USERPROFILE%\AdobeUpdate.exe (copy of original) [Detected as GAV: Nemty.FN_2 (Trojan)]

 

The trojan adds the following data to the registry to keep track of crypto key information:

  • HKEY_CURRENT_USER\Software\NEMTY
  • HKEY_CURRENT_USER\Software\NEMTY fid “_NEMTY_8MD1JU0_”
  • HKEY_CURRENT_USER\Software\NEMTY pbkey “BgIAAACkAABSU0ExAAgAA….”
  • HKEY_CURRENT_USER\Software\NEMTY cfg “ydtMmiDIWOLCeoUK…..”

 

It adds a scheduled task so that it starts up after reboot via the following command:

 

The trojan is packed with TitanCrypt in an attempt to thwart debugging:

 

The trojan obtains the system’s public IP address and geolocation:

 

The ransom note contains instructions to go to https://nemty.hk/pay in order to decrypt files.

The link leads to a page with the following dialog:

 

After uploading the ransom note that contains the “NEMTY DECRYPTION KEY”, you are able to upload a sample file to decrypt:

 

The following page allows you to download the decrypted file and also to chat with the operators via the chat box. At the time of our analysis no one responded to our questions.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Nemty.RSM (Trojan)
  • GAV: Nemty.RSM_2 (Trojan)
  • GAV: Nemty.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 10-11-19

This week, SonicWall partners with Etisalat Digital and appears at GITEX Technology Week 2019. Meanwhile, several governmental level warnings about cyberthreats are issued, and the Magecart group chalks up another successful month.


SonicWall Spotlight

SonicWall, Etisalat Digital Partnership Delivers Network Security in Bundle Offer to SMBs – SonicWall Press Release

  • Etisalat Digital is now offering SonicWall technology in its ‘Business Quick Start’ SMB bundle that provides businesses with telco-grade network security devices and a zero-touch feature, making installation less than one hour. SonicWall and Etisalat celebrated this news with a ceremony at GITEX Tech Week.

SonicWall at GITEX Tech Week 2019 – Tahawultech.com

  • GITEX Technology Week, the biggest tech show in the Middle East, North Africa and South Asia, took place this week at the Dubai World Trade Centre. SonicWall showcased its networking and security solutions including our powerful Capture ATP with RTDMI technology. At the show, SonicWall’s Michael Berg was kept busy with interviews at outlets like Tahawultech and ChatterBoxPRE.

5 Steps to Deploy Fast, Secure WiFi in K-12 Schools – MSSPAlert

  • Schools and school districts connecting to the internet via Wi-Fi is par for the course in 2010; SonicWall’s Srudi Dineshan lists five ways K-12 schools can protect themselves from cyber threats.

Cybersecurity News

In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks – CNN

  • With ransomware increasingly recognized as much more than a niche concern, CNN has created an accessible article with video and text intended to introduce the malware method and execution to a wider audience.

White-Hat Hacks Muhstik Ransomware Gang and Releases Decryption Keys – ZDNet

  • A frustrated hacker, annoyed after being caught by a successful ransomware attack, analyzed the ransomware software and successfully infiltrated the online database connected to the database. As a result, he has now released a free decryption method for anyone else caught by the same ransomware.

Copycat Coders Create ‘Vulnerable’ Apps – BBC News

  • A new study has found that developers who take shortcuts by copying and pasting code are leaving applications with security holes. Code chunks with no purpose have been found to be riddled with obsolete commands that could be taken advantage of by a hacker who recognized the programming.

EU Warns of 5G Cybersecurity Risks, Stops Short of Singling out China – Reuters

  • The European Union had issued a warning about the risk of increased cyberattacks by state-backed entities, especially with the advent of next-gen 5G mobile and Internet of Things objects.

NIST is Hunting for Tech to Secure the Energy Sector’s Network – NextGov

  • With the thoughts of a nationwide cyberattack on the power grid growing in people’s minds, the National Institute of Standards and Technology is seeking input from tech and cyber experts on how to secure the countless internet-connected devices that could be used as a way in to the network.

And Finally:

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops – SecurityWeek

  • Everyone’s least favorite online card skimming group Magecart has continued its hacking spree with another successful campaign on online retailers. In the past month the group has been found to be active on over 3 thousand online stores, including the Sesame Street Live online store.

In Case You Missed It

2019 North America Roadshow Series: SonicWall Showcases Complete Cybersecurity Portfolio, Capture Cloud Platform

As a company 100% committed to the channel, SonicWall has a proud, long-held tradition of putting our partners and customers first. Our 2019 North America Roadshow Series is one of our favorite opportunities to get some direct time with our committed partners and provide exciting and useful information to our customers.

This year, we are continuing our roadshow with remaining events taking place Oct. 1 through Dec. 5 in select cities across North America. We’re taking a unique, targeted approach to this year’s roadshow structure, by having separate dedicated sessions for our SecureFirst Partners, and additional demonstrations, meetings and activities opened up to both our partners and customers.

For SonicWall partners

The roadshow will give SecureFirst partners an exclusive opportunity to learn about the future direction of the company, spend valuable time with SonicWall product experts, and learn new ways to build their business. Partners will also get the opportunity to hear valuable feedback from each other and exchange ideas with their local SonicWall team.

In our partner-only sessions we will cover a variety of topics, including:

  • Introduction to the complete SonicWall portfolio and the Capture Cloud Platform
  • Overview of the newest elements added to the SecureFirst Partner Program
  • SonicWall Overdrive, the Partner Marketing Engine
  • Promotions and incentives
  • Unique insights into SonicWall’s product roadmap

This is an exciting opportunity for our SecureFirst partners to gain insight into our 2019/20 focus areas and go-to-market strategy.

For SonicWall customers

During our roadshow, SonicWall customers will experience an immersive day of practical content, including training and updates, on a variety of valuable areas:

Customers will also get the opportunity to hear valuable feedback from each other and exchange ideas with their local SonicWall team.

We are also delighted to provide meals, entertainment activities and opportunity for business networking during our events, ensuring the day is not only useful, but fun as well. The activities vary for each location. Please check out the registration page for each individual event for more details.

Register now

If you are interested in attending an upcoming roadshow event in North America, please reference the table below and register for a city near you.

| Date | Location | Partners Only | Partners & Customers |
| --- | --- | --- | --- |
| October 1 | Los Angeles, CA | Registration Full | Registration Full |
| October 3 | San Diego, CA | Registration Full | Registration Full |
| October 3 | Hartford, CT | Registration Full | Registration Full |
| October 8 | Montreal, QC | Registration Full | Registration Full |
| October 8 | Detroit, MI | Registration Full | Registration Full |
| October 9 | Charlotte, NC | - | Registration Full |
| October 10 | Nashville, TN | - | Registration Full |
| October 10 | Raleigh, NC | - | Registration Full |
| October 10 | Pittsburgh, PA | - | Registration Full |
| October 16 | San Jose, CA | - | Registration Full |
| October 16 | Toronto, ON | Registration Full | Registration Full |
| October 17 | Sacramento, CA | - | Registration Full |
| October 17 | Phoenix, AZ | Registration Full | - |
| October 23 | Denver, CO | - | Registration Full |
| October 24 | Kansas City, KS | Registration Full | Registration Full |
| October 24 | Orlando, FL | Registration Full | Registration Full |
| October 28 | Baltimore, MD | - | Registration Full |
| October 30 | Ashburn, VA | - | Registration Full |
| November 8 | Seattle, WA | - | Registration Full |
| November 12 | New York, NY | Registration Full | Registration Full |
| November 14 | King Of Prussia, PA | - | Registration Full |
| December 5 | Milwaukee, WI | - | Registration Full |

Please note availability is strictly limited and this event is targeted to the SonicWall SecureFirst partner community.

More partner news

Keep up with partner news from SonicWall by following us on social media and by following our dedicated partner-focused Twitter account: @SNWLSecChannel

Microsoft Security Bulletin Coverage for October 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of October 2019. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-0608 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1060 MS XML Remote Code Execution Vulnerability
IPS 14437: MS XML Remote Code Execution Vulnerability (OCT 19)

CVE-2019-1070 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.

CVE-2019-1166 Windows NTLM Tampering Vulnerability
There are no known exploits in the wild.

CVE-2019-1230 Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1238 VBScript Remote Code Execution Vulnerability
IPS 14438: VBScript Engine Remote Code Execution Vulnerability (OCT19) 1

CVE-2019-1239 VBScript Remote Code Execution Vulnerability
IPS 14439: VBScript Engine Remote Code Execution Vulnerability (OCT19) 2

CVE-2019-1307 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14440: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 2

CVE-2019-1308 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14441: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 3

CVE-2019-1311 Windows Imaging API Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1313 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1314 Windows 10 Mobile Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1315 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1316 Microsoft Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1317 Microsoft Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1318 Microsoft Windows Transport Layer Security Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1319 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1320 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1321 Microsoft Windows CloudStore Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1322 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1323 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1325 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1326 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1327 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1328 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1329 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1330 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1331 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1333 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5737: Malformed-File exe.MP.108

CVE-2019-1334 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1335 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14435: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 1

CVE-2019-1336 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1337 Windows Update Client Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1338 Windows NTLM Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1339 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1340 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1341 Windows Power Service Elevation of Privilege Vulnerability
ASPY 5734: Malformed-File exe.MP.106

CVE-2019-1342 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1343 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1344 Windows Code Integrity Module Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1345 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1346 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1347 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1356 Microsoft Edge based on Edge HTML Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1357 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1358 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1359 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1361 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1362 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1363 Windows GDI Information Disclosure Vulnerability
ASPY 5734: Malformed-File exe.MP.107

CVE-2019-1364 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1365 Microsoft IIS Server Elevation of Privilege Vulnerability
ASPY 5736: Malformed-File ttf.MP.28

CVE-2019-1366 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14442: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 4

CVE-2019-1368 Windows Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1369 Open Enclave SDK Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1371 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1372 Azure App Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1375 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.

CVE-2019-1376 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1378 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.

What is Your Disaster Recovery Plan? 5 Core Practices to Ensure Business Continuity

While most of today’s focus is stopping cyberattacks, threats come in many shapes and forms. Being prepared for the unexpected — or the seemingly impossible — should drive your organization to draft, refine and implement a sound disaster recovery and business continuity plan.

On the surface, the idea is simple: prepare for disaster (e.g., hurricanes, earthquakes, fire, snow storms, flooding, etc.) before it happens. Most small- and medium-sized businesses (SMB) don’t devote enough time thinking about disaster recovery (and some enterprises, too), but a “we’ll deal with it when it happens” attitude can mean the end to any company — successful or not.

This level of preparedness is not quick or easy, which can unfortunately lead to irresponsible procrastination. To kickstart your disaster recovery plan — or ensure your current approach is optimized — explore five best practices to help prepare SMBs for worst-case scenarios.

Have a practiced plan in place

It seems obvious enough, but the first component of ensuring business continuity in the face of disaster is to actually have a plan — and then train for it. After any major disaster, people will be under extreme stress and not thinking clearly.

Therefore, it is critical to have a thought-out plan in place that outlines procedures and instructions to follow after a catastrophe. In the business world, this is more commonly referred to as a business continuity plan (BCP).

A BCP coordinates the efforts of all teams (e.g., communications, security, IT, HR, finance, engineering, supply chain, etc.) and helps identify leaders, manage assets and maintain customer expectations. Training and simulations are required to successfully implement a plan; without them, it’s just a piece of paper.

Ensure data is accessible

Network access may not be available after a disaster. The best efforts will have gone to waste if the disaster recovery plan is on a network drive or internal computer that no one can reach.

The same goes for email access. If a company maintains an on-prem secure email server and connectivity is down, communication will be handicapped. A popular solution is to have email and data repositories in the cloud.

Another scenario could be that connectivity is down only to the main site, but a secondary site is available which people don’t know how to reach. For example, a SonicWall Secure Mobile Access (SMA) appliance will make remote access transparent as it will automatically set up a VPN to the closest online site and reroute access as needed.

Build communications options

The ability to communicate effectively with your team, company leaders, customers, vendors and partners has a direct correlation to how quickly a company recovers from a disaster.

Email is the main form of communication in all companies, but this may not be available. As a backup, use social media to coordinate efforts. Applications like Teams, Slack and WhatsApp are good options for coordinating with internal groups. Twitter and the company website also can be used for public communications.

Maintain cyberattack awareness

While cybersecurity awareness should be practiced at all times, it’s critical to be even more vigilant during times of disaster.

Cybercriminals are opportunistic and will launch targeted attacks (e.g., phishing campaigns, ransomware attacks) at areas, regions, companies or organizations looking to either take advantage of those trying to help or hoping the chaos has caused targets’ guards to drop.

Sadly, many non-profit organizations, including the Red Cross, FEMA, FCC and more, are forced to issue repeated scam warnings during disasters. Should one of these attacks compromise an employee or partner, it may be a pathway into your network. If the proper network security firewalls and secure email controls are not already in place, it only takes one click to breach a network or infect a machine.

Some basic best practices will protect users during times of disaster and ensure that contingency networks and access are protected, including two-factor authentication (2FA) or multifactor authentication (MFA), and next-generation antivirus (NGAV) or endpoint protection, such as SonicWall Capture Client.

Together, these will help validate a user’s identity even if his/her credentials are compromised and prevent malicious files from being executed and installed on company machines in the case of infection.

Prepare now

A proper disaster recovery and business continuity plan should not be put off. A catastrophic event or natural disaster could cause far more damage to your business, customers, employees and brand than a proactive, responsible investment in sound cybersecurity, redundant networks and failover controls.

Preparing for disaster not only helps safeguard you during times of crisis, but the same controls will likely protect your networks and data during everyday cyberattacks (e.g., ransomware, email attacks, encrypted threats, insider threats and other malicious threats) against your organization.

OBFUSCATED JAVASCRIPT BEING USED BY WSHRAT V2.0

SonicWall RTDMI engine has been detecting obfuscated JavaScript malware files for the last two weeks. After analysis, we found that these files belong to the WSHRAT malware family. The archive file carries the WSHRAT JavaScript file shown below:

Background:

WSHRAT was first spotted in the wild in 2013 and has since periodically upgraded its Remote Access Trojan (RAT) capabilities. The current version is 2.0; this version information is present in the RAT itself. The programming language sets this malware apart from other RATs, because it has been written entirely in JavaScript. The malware has also been written in VBScript.

 

RAT Capabilities:

  • Installing, uninstalling and upgrading itself
  • Key logging and stealing passwords
  • Downloading, uploading and executing files
  • Remote desktop access
  • Executing various commands and sending data to the Command and Control (C&C) server.
  • Reversing proxy
  • Browser’s log stealing
  • Process enumeration and termination
  • USB drive infection

 

Persistence:

WSHRAT copies itself into the Startup folder and creates a Run entry in the registry. It uses the “%temp%\wshsdk\” directory to install its components.

 

Network:

WSHRAT collects system information and sends it to its Command and Control (C&C) server, using “|” as the separator between fields.

 

C&C Communication:

WSHRAT supports a large number of commands, which are listed below.

 

| Command | Action |
| --- | --- |
| disconnect | Terminates itself. |
| reboot | Reboots the system. |
| shutdown | Turns the system off. |
| execute | Executes the command using the “eval” function. |
| install-sdk | If the %temp%\wshrat\python.exe file is present, the malware sends the status “SDK+Already+Installed”; otherwise it downloads wshsk.zip from “hxxp://2813.noip.me:2813/moz-sdk”, extracts the downloaded file into %temp%\wshrat and sends the “SDK+Installed” message to the C&C server. |
| get-pass | Retrieves and sends the specified browser’s passwords to the C&C server. |
| get-pass-offline | Retrieves and sends all installed browsers’ passwords to the C&C server. |
| Update | Downloads and executes the latest JavaScript file from the C&C server. |
| Uninstall | Deletes all registry entries, Startup entries and file system traces related to WSHRAT and terminates execution of the malware. |
| up-n-exec | Downloads and executes the specified executable file from the C&C server. |
| bring-log | Sends the specified log file to the C&C server. |
| down-n-exec | Downloads and executes the specified executable file from the specified URL. |
| filemanager | Downloads an executable file from the specified URL and saves it as “fm-plugin.exe”. The malware executes the downloaded file with the parameters “m-plugin.exe 2813.noip.me 2813 \{Gathered Information}”. |
| rdp | Drops rd-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file, and executes it with the parameters “rd-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”. |
| rev-proxy | Drops rprox.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file, and executes it with the parameters “rprox.exe 2813.noip.me 2813 {filearg}”. |
| exit-proxy | Terminates the rprox.exe process. |
| keylogger | Drops kl-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file, and executes it with the parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ false (is_offline_flag)”. |
| offline-keylogger | Drops kl-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file, and executes it with the parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”. |
| browse-logs | Enumerates the “wshlogs” directory and sends the collected information to the C&C server. |
| cmd-shell | Executes the specified command in a command shell and sends the output to the C&C server. |
| get-processes | Enumerates running processes using a WMI query (select * from win32_process) and sends process names, process ids and executable paths to the C&C server. |
| disable-uac | Modifies the values of the EnableLUA, ConsentPromptBehaviorAdmin and DisableAntiSpyware registry keys. The malware acknowledges the change to the C&C server by sending the “UAC+Disabled+(Reboot+Required)” message. |
| check-eligible | If the specified file is present on the system, the malware sends the “Is+Eligible” message to the C&C server; otherwise it sends “Not+Eligible”. |
| force-eligible | If the specified file is present on the system, the malware executes it with the specified parameters and sends the “SUCCESS” message to the C&C server; otherwise it sends the “Component+Missing” message. |
| elevate | If the malware is not already elevated, it restarts itself with elevated privileges and sends the “Client+Elevated” message to the C&C server. |
| if-elevate | If the malware is elevated, it sends the “Client+Elevated” message to the C&C server; otherwise it sends the “Client+Not+Elevated” message. |
| kill-process | Terminates the process with the specified process id. |
| sleep | Sleeps for the specified time. |

 

Evidence of the detection by RTDMI engine can be seen below in the Capture ATP report for this file:

 

Additional Remark:

Please note that the RTDMI engine analyzed and gave us a verdict for these samples as ‘Malicious’ on September 13, 2019 as visible in the report:

Whereas these samples (both the zipped and unzipped versions) were first seen on Virustotal 3 days later – on September 16, 2019 – as evident by the ‘First Submission’ date:

Dridex Malware evading detection using delaying techniques

SonicWall Capture Labs Threats Research Team has spotted Dridex malware attacks in the wild. This malware is delivered through phishing emails.

Dridex is an information stealer that collects data such as ComputerName, RunningProcess and System Information and sends it to the C&C server. Dridex is known for using a variety of techniques for encoding and obfuscating data. In this case it uses the technique below to delay the actual execution of the payload.

Infection Cycle

A few instructions after the EntryPoint, it calls a function sub_FB2C78 containing a loop that calls OutputDebugStringW with the string “Installing…\n” and then calls the Sleep API for 10 milliseconds. The loop iterates 199999100 * 4987 times.


Fig 1

During the course of execution this function is called four times, and it also calls the NtDelayExecution API, so as to defeat automated analysis and sandboxes that rely on a specific timeout for observing the malware's activity.


Fig 2

Using the FindFirstFileExW and FindNextFileW APIs, it searches the %system32% directory for *.dll. When it finds the required DLL, it uses the native NTDLL LdrLoadDll API to load it.

For system profiling it calls the APIs below:

  • Process Token Access
  • OpenProcessToken
  • GetTokenInformation
  • AllocateAndInitializeSid
  • EqualSid
  • FreeSid
  • RtlQueryElevationFlags
  • GetSystemInfo

It uses registry-related APIs such as SHRegDuplicateHKey, RegEnumKeyW and RegEnumValueA. It also checks the following values under the key below:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

  • “ConsentPromptBehaviorAdmin”
  • “ConsentPromptBehaviorUser”


Fig 3

These values are used for checking the Administrative privileges.

It enumerates the below registry key to get the list of software installed on the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Fig 4

The malware calls several API functions to collect information such as Windows version information, system and CPU information.

It also collects the names of the running processes and encrypts all the information before sending it to the remote server.


Fig 5

It uses the GetComputerName and GetEnvironmentVariableW APIs to obtain the ComputerName and UserName respectively. These are concatenated, and the CryptAcquireContextW(), CryptCreateHash(), CryptHashData() and CryptGetHashParam() API calls are used to compute the MD5 of the result, which is then used to create the mutex.


Fig 6

Network Activity

The server list is hardcoded in the unpacked executable file:

    • 104.247.221.104:443
    • 198.199.106.229:5900
    • 92.222.216.44:443

Using InternetOpenA and InternetConnectA, it tries to connect to one of the servers in the list on the listed port, with NULL in the Username and Password fields.

It uses the HttpOpenRequestW API with lpszVerb ‘POST’ and lpszObjectName ‘/’ to create the HTTP request handle.

At the time of writing, the sample tried to establish a secure connection with only one of the IPs listed above:


Fig 7

 

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • MalAgent.GR (Trojan)

Indicators of Compromise:

  • d013d1ba2fd45429ed679504f5ce6c9a

LOCKID Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of LOCKID ransomware [LOCKID.RSM] actively spreading in the wild.

The LOCKID ransomware encrypts the victim’s files with a strong encryption algorithm and demands a fee from the victim to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
  • %App.path%\@_READ_TO_RECOVER_FILES_@ (instructions for recovery)

Once the computer is compromised, the ransomware runs the following commands:

 

The ransomware encrypts all the files but does not change their extensions.

Here is an example (Eula.txt Original Content):

Here is an example Encrypted file:

After encrypting all personal documents, the ransomware displays the following text file, which reports that the computer has been encrypted and tells the victim to contact the developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LOCKID.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Steam – Rust Trainer, DGA & Miner Found

Overview:

SonicWall Capture Labs Threat Research Team recently found a unique Domain Generation Algorithm (DGA) inside a file named “Rust Trainer.exe”. The sample is distributed alongside the Steam PC game “Rust”. The file is deceptively named to look like a cheat or hack tool for the online multiplayer game; however, once executed, it only starts the infection. The sample injects into “svchost.exe”, after which it begins generating domains on the fly. The domain generation algorithm in this sample can generate 172 million domains. The sample also has the ability to look for and install coin-mining software, along with an array of other capabilities.

Objective of the game:

The only aim in Rust is to survive.

To do this you will need to overcome struggles such as hunger, thirst and cold. Build a fire. Build a shelter. Kill animals for meat. Protect yourself from other players, and kill them for meat. Create alliances with other players and form a town.

Do whatever it takes to survive.

The developers describe the content like this:

This Game may contain content not appropriate for all ages, or may not be appropriate for viewing at work: Nudity or Sexual Content, Frequent Violence or Gore, General Mature Content

Sample Static Information:

Anti-Debugging Techniques Used:

Process Checking – This sample looks for many different processes used in reverse engineering. If one of them is found, it terminates and deletes that process, and removes all files associated with it.

Anti-Debug Cluster – This cluster of anti-debugging tricks is absurd. However, it works quite well. To bypass it you need the proper plugins and have to edit a few areas of the process execution. Once bypassed, you can enter the DGA starting routine.

Standard XOR, TLS Encryption & Decryption:

TLS functions are used inside the cryptor to decrypt the first quarter of the PE binary. Once decrypted, it checks the associated program directory for a file named “old_filename.exe”. If the file is found, the cryptor proceeds to stage 2 and decrypts the rest of the file. A trick that can be used here is to put a breakpoint on “CreateProcessA” and then follow into a second debugger for the stage 2 decryption. Once you reach stage 2, you can start analysis of the malware.

OEP Byte Structure:
Original:
C1 78 15 37 91 21 A1 B0 94 F0 98 21

1st decryption:
55 89 E5 C6 05 D0 51 41 00 01 68 D0

2nd decryption:
55 89 E5 53 B8 10 33 45 00 50 E8 51

Understanding the DGA:

Domain generation algorithms are seen in various families of malware. They generate large numbers of domain names, of which usually only one or a handful are active at a time. This connect-back feature lets the infected host reach its command and control server and/or the bot master. Here we see “www.” being prepended to the random label produced by the Mersenne Twister pseudo-random number generator described below; after generation, “.com” is appended to the string, completing the domain name:

Domain Character Generation:

The character array's length is 0x3E (62 decimal); the first element (‘>’, ASCII 0x3E) is not indexed and its only use is to hold the length of the array.
>iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf
The output of the Mersenne Twister algorithm is used as an index into this character array.

Pseudo Random Number Generator Information:

Generating good random numbers in software is a complex topic. Software-based random number generators can never produce truly random numbers; they rely on mathematical formulas to give the impression of randomness and are therefore called pseudo-random number generators. The pseudo-random generator in this file is the well-known Mersenne Twister algorithm, which has been around since 1997. The pseudo-random number generator (PRNG) implementation here is MT19937, the standard Mersenne Twister; it was given its name because it has a period of 2^19937 – 1, which is a Mersenne prime number. That is also the size in bits of the Twister engine's internal state.

Range Distribution, is from 0x00 to 0x3E:

Mersenne Twister Initialization:

Mersenne Twister Twist Function:

Seed Generation:

You need to initialize the random number generator above; this is also called seeding the random number generator. Most default seeding approaches use the current system time as the seed. This file uses “GetTickCount”, which is defined as: retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. The counter wraps around to zero after 49.7 days have passed and starts counting again up to 49.7 days.

You need to make sure that you use a good-quality seed for a software-based random number generator. If you initialize the generator with the same seed every time, you will get the same sequence of random numbers every time. This is why the seed is usually the current system time: the malware author wants unique random numbers.

Get Seed:

Domains Generated By Algorithm Above:

Using the (n choose r algorithm) to figure out all combinations of indexes into the character array we get a total of 107,518,933,731 index combinations or possible domain names. However, if we divide that by 625 we get the amount of seed values possible from the use of (mersenne twister algorithm and GetTickCount) which is a total of 172,030,293.97. About 172 million possible seed values. Meaning, the algorithm above can only generate one domain name per seed value. That would be 172 million total domains possible if my math is correct. A quick 50 domains are below:

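The DGA described above (MT19937 output indexing the 62-character array, “www.” and “.com” wrapped around a 10-character label, one domain per GetTickCount seed), rebuilt as an added Python example for pre-computing candidate domains for blocklists and DNS-log hunting; this is not code from the post or from the sample. The reference init_genrand seeding and the “% 62 + 1” reduction of each output into the array are assumptions, since the post does not state them.

```python
# Added example (not code from the post or from the sample): the DGA described
# above, rebuilt the way a defender does to pre-compute candidate domains.
# From the post: MT19937, the 63-byte array whose index 0 holds its length 0x3E,
# 10-character labels wrapped in "www." and ".com", one seed per GetTickCount.
# ASSUMED: reference init_genrand seeding; each output reduced by "% 62 + 1".
CHARSET = ">iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf"
LABEL_LEN = 10  # length of the labels in the generated domains

class MT19937:  # reference Mersenne Twister (init_genrand + genrand_int32)
    def __init__(self, seed: int) -> None:
        self.mt = [0] * 624
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = 624  # forces a twist before the first output

    def _twist(self) -> None:
        for i in range(624):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % 624] & 0x7FFFFFFF)
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0

    def rand(self) -> int:  # tempered 32-bit output
        if self.index >= 624:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

def generate_domain(seed: int) -> str:  # one domain per seed, as the post observes
    rng = MT19937(seed)
    label = "".join(CHARSET[rng.rand() % 62 + 1] for _ in range(LABEL_LEN))
    return f"www.{label}.com"

def is_candidate_domain(name: str) -> bool:  # DNS-log filter: www.<10 CHARSET chars>.com
    parts = name.split(".")
    return (len(parts) == 3 and parts[0] == "www" and parts[2] == "com"
            and len(parts[1]) == LABEL_LEN and all(c in CHARSET[1:] for c in parts[1]))

if __name__ == "__main__":
    for tick in (0x1A2B3C, 0x1A2B3D):  # constructed stand-ins for GetTickCount values
        print(generate_domain(tick))
```

Walking a range of tick values through generate_domain() yields a candidate list to match against DNS logs; is_candidate_domain() is the cheap structural pre-filter for the same logs.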

Coin Mining:

Other Related Strings:


Process Injection:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Rust.DGA