Loki-Bot: Started Using Image Steganography And Multi-Layered Protection


Malware authors tend to wrap the final payload in multiple layers of protection to evade detection by security vendors. Loki-Bot is no different: it now uses multiple process creation, process injection, process hollowing and image steganography as part of its infection chain.

The SonicWall RTDMI™ engine recently detected an executable file inside an archive that ultimately runs Loki-Bot as its final payload. The malware is delivered to the victim's computer as an email attachment; the archive contains the executable file shown below:


At the time of writing this blog, neither the archive nor the Portable Executable (PE) file inside it was available on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:


The malware is a self-extracting executable which, on execution, drops the files %TEMP%\Good.vbs, %TEMP%\Good\Rvf.bmp and %TEMP%\Rvfffw.exe. It then executes Good.vbs, which in turn executes Rvfffw.exe. The file icon of Rvfffw.exe resembles the "Superman Logo: family crest of the House of El", which stands for hope. This gives the impression that the malware author is a fan of Superman:


The malware spawns several copies of itself and uses process injection so that each copy performs a different stage of the execution:


FIRST PROCESS (Process ID: 596):

This process is the stage of the infection chain that decrypts and executes another executable in memory. The malware reads the encrypted bytes and the key used to decrypt the next-level executable file:


Decryption logic:


The malware spawns a copy of itself and injects the decrypted Dynamic Link Library (DLL) into it. It then injects a small piece of code that acts as control transfer code for the injected DLL, and runs that code through the CreateRemoteThread Application Programming Interface (API), passing 2 arguments (the injected DLL base address and its entry point):


The control transfer code calls the entry point of the injected DLL with 3 arguments (the DLL base address, 1 and 0), which matches the DllMain calling convention with DLL_PROCESS_ATTACH (1) as the reason code. Without these arguments the injected DLL does not exhibit the intended behavior and terminates its execution:


SECOND PROCESS (Process ID: 5316):

This process performs image steganography: it extracts hidden data from a BMP (Bitmap) image file. The BMP image the malware uses to hide the data is taken from the Java Digital Image Processing Tutorial available at tutorialspoint.com:


The malware reads the BMP image %TEMP%\Good\Rvf.bmp to extract the hidden data. The first 3 bytes of the executable's name (Rvf) are used as the BMP image file name:


The malware parses the BMP image header to extract the image width, the image height and the size of the image data, and calculates the start of the hidden data from the image width and height. The first 11 bytes of the hidden data are metadata for the rest: the first 3 bytes give the number of bits hidden per byte and the next 8 bytes give the hidden data size. The malware then uses the logic below to extract the hidden data:


The malware writes the extracted data to %TEMP%\Good\Rvf.ocx, which is an encrypted DLL file. It then uses the same logic as the FIRST PROCESS (Process ID: 596) to decrypt the DLL, spawn a copy of itself, inject the DLL and transfer control to it.
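The extraction described above (BMP header parse, hidden-data start, 11-byte metadata, then bit-level extraction) as an added example for analysts who want to pull such a payload out of a carrier image for inspection. This is not SonicWall's code nor the malware's own logic; the post does not state how the metadata bytes are encoded or where the hidden data starts, so the following are assumptions: the hidden data begins at the pixel-data offset from the BMP file header, the metadata is stored at 1 bit per carrier byte, the two metadata integers are little-endian, and bits are taken from the low end of each pixel byte. A carrier image and payload are constructed inline so the example runs offline.

```python
import struct

META_LEN = 11  # 3-byte bits-per-byte count + 8-byte payload length, as described in the post


def build_bmp(width, height, bpp=24):
    """Construct a minimal uncompressed BMP carrier (constructed here, not the sample's Rvf.bmp)."""
    stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4-byte multiples
    pixels = bytearray((x * 7 + y * 13) & 0xFF for y in range(height) for x in range(stride))
    off = 14 + 40                                     # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", off + len(pixels), 0, 0, off)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + pixels)


def parse_bmp(data):
    """Read width, height and pixel-data offset/size from the BMP headers, validating consistency."""
    magic, _fsize, _r1, _r2, off = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _hsize, width, height, _planes, bpp, compression, size_image = struct.unpack_from("<IiiHHII", data, 14)
    if compression != 0:
        raise ValueError("only uncompressed BMP is supported")
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * abs(height)                # negative height means top-down rows
    if size_image not in (0, pixel_bytes):           # some writers leave biSizeImage as 0
        raise ValueError("biSizeImage disagrees with width/height")
    if off + pixel_bytes > len(data):
        raise ValueError("pixel data truncated")
    return off, width, height, pixel_bytes


def _embed_bits(carrier, start, payload, n):
    """Store payload in the n low bits of successive carrier bytes from index start; return next index."""
    mask = (1 << n) - 1
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % n)                    # pad so every carrier byte receives n bits
    idx = start
    for i in range(0, len(bits), n):
        carrier[idx] = (carrier[idx] & ~mask & 0xFF) | int(bits[i:i + n], 2)
        idx += 1
    return idx


def _extract_bits(carrier, start, nbytes, n):
    """Inverse of _embed_bits: rebuild nbytes from the n low bits of carrier bytes; return (data, next index)."""
    mask = (1 << n) - 1
    needed, total, chunks, idx = nbytes * 8, 0, [], start
    while total < needed:
        chunks.append(f"{carrier[idx] & mask:0{n}b}")
        total += n
        idx += 1
    s = "".join(chunks)[:needed]
    return bytes(int(s[i:i + 8], 2) for i in range(0, needed, 8)), idx


def hide(bmp, payload, bits_per_byte):
    """Embed the 11-byte metadata (at 1 bit per byte, an assumption) followed by payload at bits_per_byte."""
    if not 1 <= bits_per_byte <= 8:
        raise ValueError("bits_per_byte must be between 1 and 8")
    off, _w, _h, pixel_bytes = parse_bmp(bmp)
    need = META_LEN * 8 + -(-len(payload) * 8 // bits_per_byte)   # carrier bytes required
    if need > pixel_bytes:
        raise ValueError("payload does not fit in the pixel data")
    carrier = bytearray(bmp)
    meta = bits_per_byte.to_bytes(3, "little") + len(payload).to_bytes(8, "little")
    idx = _embed_bits(carrier, off, meta, 1)
    _embed_bits(carrier, idx, payload, bits_per_byte)
    return bytes(carrier)


def reveal(bmp):
    """Recover (bits_per_byte, payload); rejects metadata that cannot fit the image, so a
    malformed or non-stego carrier raises instead of reading past the pixel data."""
    off, _w, _h, pixel_bytes = parse_bmp(bmp)
    meta, idx = _extract_bits(bmp, off, META_LEN, 1)
    n = int.from_bytes(meta[:3], "little")
    size = int.from_bytes(meta[3:], "little")
    if not 1 <= n <= 8:
        raise ValueError(f"implausible bits-per-byte value {n}")
    if (idx - off) + -(-size * 8 // n) > pixel_bytes:
        raise ValueError("declared hidden size exceeds image capacity")
    payload, _ = _extract_bits(bmp, idx, size, n)
    return n, payload


if __name__ == "__main__":
    carrier = build_bmp(64, 32)
    secret = b"MZ" + bytes(range(256))                # constructed stand-in for an encrypted DLL
    n, out = reveal(hide(carrier, secret, 2))
    print(f"{n} bit(s) per byte, {len(out)} bytes recovered, match={out == secret}")
```

The capacity check in reveal() is the part worth keeping when adapting this to a real sample: a corrupted or unrelated BMP yields garbage metadata, and without the check an extractor walks off the end of the pixel buffer.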

THIRD PROCESS (Process ID: 3412):

This process acts as the final loader for the Loki-Bot executable. The malware loads the resource data of the resource entry "DVCLAL" and reverses it to obtain another resource name, "T__138544594". It then loads and reverses the resource data of "T__138544594". The first 24 bytes serve as a marker from which the malware extracts the encrypted bytes offset, the encrypted bytes count, the first decryption key and the second decryption key. The malware decrypts the final Loki-Bot executable using the logic below:


The malware creates a C:\Windows\System32\TapiUnattend.exe process in suspended mode, writes the Loki-Bot executable into it and then resumes the process (process hollowing):


LOKI-BOT (Process ID: 2836):

Loki-Bot is an information stealer that has been active in the wild since 2015. It carries a list of applications whose stored data it targets if they are installed on the victim's machine. A few of these applications are listed below:

  • Mozilla Firefox
  • Comodo IceDragon
  • Google Chrome
  • Apple Safari
  • Internet Explorer
  • Rockmelt
  • Chromium
  • Titan Browser
  • Torch Browser
  • Yandex Browser
  • Epic Privacy Browser
  • CocCoc Browser
  • K-Meleon
  • Vivaldi Web browser


We tested this by saving some login information in Mozilla Firefox, to let the bot steal that information. The malware reads the profile path from %APPDATA%\Mozilla\Firefox\profiles.ini:


Loki-Bot then reads %APPDATA%\Mozilla\Firefox\Profiles\1hoxsxkh.default\logins.json, which holds login information such as the hostname, the encrypted username and the encrypted password:


Loki-Bot uses the Application Programming Interfaces (APIs) of nss3.dll to decrypt the usernames and passwords from logins.json:


Loki-Bot also steals other information such as the username, computer name, Windows credentials and screen resolution.


NETWORK:

Loki-Bot establishes a connection to its Command and Control (C&C) server. It compresses the stolen application data with the aPLib compression library, appends the compressed data to the other stolen data and sends the complete blob to the C&C server:


Loki-Bot then receives commands from the C&C server:


REGISTRY ENTRIES:

The malware drops a copy of itself with the hidden attribute set as %APPDATA%\971D8A\A22E77.exe and creates the registry entries below:


Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Top Malware Anti-Analysis Coverage

Introduction:

Threat actors and malware authors use various anti-analysis techniques to keep initial access, execution, persistence, privilege escalation, credential access, lateral movement, command and control, and data exfiltration hidden from the reverse engineers who try to peer inside their code. This usually makes post-detection analysis more difficult. The malicious binaries below exhibit evasive behaviors that aim to detect or disrupt analysis in a virtual machine or in your favorite debugger.

The SonicWall Capture Labs Threat Research Team presents here the anti-debugging techniques and main concepts that cover a variety of top malware categories in today's malware. In anti-debugging, malware detects debuggers by searching for known indicators or artifacts of core debugger functionality, such as tracing, breakpoints and hooking.

In the section below, we cover only the anti-debugging techniques used by the top malware families categorized further down, which lets us present an analysis of the real state of evasion techniques in use by malware today. This is by no means a comprehensive catalog of known anti-debugging techniques that rely on the Windows API:

NtQuerySystemInformation:

The NtQuerySystemInformation() function of ntdll.dll can be called with the undocumented SystemKernelDebuggerInformation value as the SystemInformationClass parameter to detect the presence of a debugger. The result is stored in the buffer pointed to by the SystemInformation parameter, which holds 2 bytes representing two flags (the low byte is KdDebuggerEnabled and the high byte is KdDebuggerNotPresent). KdDebuggerNotPresent is FALSE if a debugger is present.

NtQueryInformationProcess:

NtQueryInformationProcess() called with ProcessDebugPort as the ProcessInformationClass parameter sets the ProcessInformation parameter to 0xffffffff (-1) if the process is being debugged.

NtQueryInformationProcess() called with ProcessDebugObjectHandle as the ProcessInformationClass parameter queries for the debug object handle.

NtQueryInformationProcess() called with ProcessDebugFlags as the ProcessInformationClass parameter sets the ProcessInformation parameter to the inverse of the EPROCESS->NoDebugInherit bit.

Windows Debugging Services:

The instruction asm { int 2dh } invokes the interface of the Win32 kernel that provides kernel debugging services to user-level debuggers and remote debuggers such as IMM, Kd and WinDbg.

Hardware Breakpoints:

When an exception occurs, Windows creates a context structure to pass to the exception handler. This structure contains the values of the debug registers, and those values reveal the presence of a debugger that has set hardware breakpoints. Another way is to call GetCurrentThread() and GetThreadContext() and then test the debug registers for values.

CheckRemoteDebuggerPresent:

CheckRemoteDebuggerPresent() is a kernel32.dll function that sets the DebuggerPresent parameter to 0xffffffff (-1) if a debugger is present. Internally it also uses NtQueryInformationProcess() with ProcessDebugPort as the ProcessInformationClass parameter.

Instruction Counting:

An exception handler is registered to deal with the EXCEPTION_SINGLE_STEP (0x80000004) exception. The technique also involves other Win32 APIs such as GetThreadContext(). The handler simply counts how many times it was reached, then changes EIP to point to a new instruction and resumes execution.

Find Window:

The FindWindow() function can be used to find open debuggers through either of its parameters, lpClassName and lpWindowName. Example: lpClassName "OLLYDBG" or lpWindowName "IDA".

Execution Timing:

When a debugger is present, the time elapsed between instructions grows, so the malware measures it. The RDTSC assembly instruction is a very popular anti-debugging technique, but others are also used, such as RDPMC, RDMSR, GetTickCount(), GetLocalTime(), GetSystemTime() and QueryPerformanceCounter().
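A static triage scanner for the indicators listed in this section, added here as an example and not part of SonicWall's tooling: it searches a raw binary for the import names the techniques depend on, for the debugger class and window names quoted above (in ASCII and in the UTF-16LE form that FindWindowW expects), and for the x86 encodings of int 2dh, rdtsc, rdmsr and rdpmc. Two-byte opcode patterns are noisy in non-code data, so the scanner can be limited to caller-supplied code ranges (for example the bounds of a .text section). The sample buffer, the import names it contains and the code stub are constructed for the demonstration and are not taken from any of the samples listed below.

```python
import re

# Import names the techniques above rely on, mapped to the technique they suggest.
API_TO_TECHNIQUE = {
    b"NtQuerySystemInformation": "kernel debugger query (SystemKernelDebuggerInformation)",
    b"NtQueryInformationProcess": "ProcessDebugPort / ProcessDebugObjectHandle / ProcessDebugFlags query",
    b"CheckRemoteDebuggerPresent": "CheckRemoteDebuggerPresent",
    b"GetThreadContext": "debug register inspection (hardware breakpoints / instruction counting)",
    b"FindWindowA": "debugger window search",
    b"FindWindowW": "debugger window search",
    b"GetTickCount": "execution timing",
    b"GetLocalTime": "execution timing",
    b"GetSystemTime": "execution timing",
    b"QueryPerformanceCounter": "execution timing",
}
# Debugger class/window names quoted above; searched as NUL-terminated ASCII and UTF-16LE.
DEBUGGER_WINDOW_NAMES = [b"OLLYDBG", b"IDA"]
# x86 encodings of the instructions named above (2-byte patterns, so restrict them to code ranges).
OPCODE_TO_TECHNIQUE = {
    b"\xcd\x2d": "int 2dh (Windows debugging services)",
    b"\x0f\x31": "rdtsc timing",
    b"\x0f\x32": "rdmsr timing",
    b"\x0f\x33": "rdpmc timing",
}


def _offsets(blob, needle, ranges=None):
    """Offsets of every occurrence of needle in blob, optionally limited to [start, end) ranges."""
    hits = [m.start() for m in re.finditer(re.escape(needle), blob)]
    if ranges is not None:
        hits = [h for h in hits if any(s <= h < e for s, e in ranges)]
    return hits


def scan_anti_debug(blob, code_ranges=None):
    """Return {technique: [(indicator, [offsets]), ...]} for indicators present in blob.

    code_ranges: optional (start, end) byte ranges (e.g. the .text section) in which opcode
    patterns are counted; outside executable code two-byte patterns are mostly noise.
    String indicators are searched through the whole blob."""
    findings = {}

    def add(technique, label, offsets):
        if offsets:
            findings.setdefault(technique, []).append((label, offsets))

    for api, technique in API_TO_TECHNIQUE.items():
        add(technique, api.decode(), _offsets(blob, api))
    for name in DEBUGGER_WINDOW_NAMES:
        wide = name.decode().encode("utf-16-le")
        # Require the terminator so that e.g. "IDA" inside a longer word is not counted.
        add("debugger window search", name.decode() + " (ascii)", _offsets(blob, name + b"\x00"))
        add("debugger window search", name.decode() + " (utf-16le)", _offsets(blob, wide + b"\x00\x00"))
    for opcode, technique in OPCODE_TO_TECHNIQUE.items():
        add(technique, opcode.hex(), _offsets(blob, opcode, code_ranges))
    return findings


def summarize(findings):
    """Sorted (technique, total hit count) pairs, most hits first, then by name."""
    totals = [(t, sum(len(o) for _, o in items)) for t, items in findings.items()]
    return sorted(totals, key=lambda p: (-p[1], p[0]))


def build_sample():
    """Constructed sample buffer (not taken from any file listed below): fake import names,
    a wide-string debugger window name and a short code stub that is never executed."""
    names = [b"kernel32.dll", b"GetTickCount", b"CheckRemoteDebuggerPresent", b"ntdll.dll",
             b"NtQueryInformationProcess", b"user32.dll", b"FindWindowW"]
    strings = b"\x00".join(names) + b"\x00"
    wide = "OLLYDBG".encode("utf-16-le") + b"\x00\x00"
    # rdtsc ; mov esi,eax ; nop ; nop ; rdtsc ; sub eax,esi ; int 2dh ; ret
    code = b"\x0f\x31\x89\xc6\x90\x90\x0f\x31\x29\xf0\xcd\x2d\xc3"
    filler = b"\x00" * 64
    blob = filler + strings + filler + wide + filler + code + filler
    code_start = 3 * len(filler) + len(strings) + len(wide)
    return blob, [(code_start, code_start + len(code))]


if __name__ == "__main__":
    sample, ranges = build_sample()
    for technique, hits in summarize(scan_anti_debug(sample, ranges)):
        print(f"{hits:3d}  {technique}")
```

The output is a triage hint, not a verdict: GetTickCount or QueryPerformanceCounter imports are common in benign software, and an import-name hit only says the API is referenced, not that it is used for evasion. Packed samples will also show none of the string indicators until unpacked.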


Malware Family Coverage:

Botnet – (Pushdo):

  • 19b37c17146d9b365529ffc8cc77627e6745ebc1c729c5238256c73c90da51ce
  • 60c3a69e1605ae687d87b25d4b365764b429cb3b9a737ce54a25b26e8c7925ea
  • bc5b8591c1431205e91684b7342b421e1dee6cc48dcf1f979e7b77902357aff5
  • c5a1fe4b4efb6f82f52650a74d26ebf6e9b8bff44159ac950ad853c90cc5e4b1

Fileless – (Kovter):

  • 63b3ccca49e9725f9d23f687aaf49670d7dc3911a9861ef6d5cbf0563daf0c2e
  • 87a03fb02bd6064e26bf0bd10e5ec9e91680aa84b8f22b7950fb4478b80756aca
  • ce2632cb0d044d1ded7bbb8e6641c42068ce8e25fe0bc236265003510a6eafbd
  • f4c13bf9c10f6182d395842155aefff1383f9e3c9e9f9033f0cb865c79256587

Cryptojack – (Coinminer):

  • a5af55d5e2e8c2d493f86c135832d306f4f568ea6749c2d6ff24ad622455c512
  • ac4767ea7f70cc68c6ee85a87684006db0079d24e2a685c98873bb8b02746890
  • feb251419cc220062e65609efd81c9eb307f61ac5cd36fd9aceec0bc419e008c

Ransomware – (Cerber):

  • 327a9503b5b5d09669d2e516a0b0dbf53266b06c269616b22d9a66e898aaa4f2
  • 563c47b15c78b68bd41db35a2af9fea77bc679cfa446a4fdc0400ef4e99f5a5b
  • 723584a72cb469401489b455f238cfa77f92e16e2861e72b7a39718fd56fb9da
  • 55346262aff4b260ab8a9e44186682c1374dffa953a42e2b01731ac697d59636

RAT – (Ghost):

  • b0144595eea1790d235b8b4e1885929f48102cef899632439f2cfe4b837870a2

Spyware – (Lokibot):

  • 534673bc3b061309221efc082d02927bf32f000d8985767e861d1b11a3b03057
  • 38361585de3fa6b8793bbcb608aa79dbf25be083de61e888e4f71801ee2fab02
  • c72cde7d189526c5bcdd80bc16e8cd7eee1e976465cb7793f4c2e7c684c7df7d
  • facd430e4674fd773c5b3affd6130ca96917cdd59be537bde38b072e275ec2ad

Trojan – (agentTesla):

  • 719865cf1608e2f8e0e4395ffff1ec34a517fddb099dd9ceb39c3398d2cd9797
  • ba617f6635ce2caf19a9d5bb05a667fa7085aa7ee999148a5d2faaa1ac2df6bd
  • e313e7310ccd7f9b7998b02de559097ec1190054ee2949421a6187b1feb26e95
  • fd056b98472911f456cd1a5812b7a347f6f359a8c79ec4cce0bd51850528b932

Virus – (Ramnit):

  • c9ef1e01e8659dc0592551ed6ed0d7f83e9977219e57eafce3a27c5208763836


SonicWall GAV Cloud provides protection as follows:

  • 4db9ac02052fcd3dc4f018b759702fac Agent.FL (Trojan)
  • ac34c3791e18df680a5cf312f6ff1260 ShipUp.AHKI (Trojan)
  • ae4b716db77cd68cb0f1cb7971345ced ShellCode.CU (Trojan)
  • aeab456e79e3674218acbf9b3d342187 ShellCode.CU (Trojan)
  • a563ce41a7fd372b01ec4fb4bb8d3db0 ShipUp.AHKI (Trojan)
  • 3ca0aa45ce02c21470800ececd433f31 ShipUp.AHKI (Trojan)
  • bb27eb314630990d51206522ee3fd2bc Agent.FL (Trojan)
  • 4da5ff526990b5126482dcd151f7789d Agent.FL (Trojan)
  • d395fac36926af0bb84ce86a2899c60a Agent.FL (Trojan)
  • 546a3025af00a70bdf7b89f5ad97b0e4 Agent.FL (Trojan)
  • 93b56ff3345605f1dd08bf0175a72abd ASPM.GEN (Trojan)
  • 4486f26e601d4983fe5b60a088e6053f Agent.FL (Trojan)
  • 16a71ac5bd752d1aa8355f7160633fca BackDoor.AAM (Trojan)
  • 72fedc43471d9aa1bc13b1d6890e25dd Agent.FL (Trojan)
  • a93e789306d284dbe70e5f3db19a80a3 Dropper.GEN (Trojan)
  • 1d1be478050ca2f9be47c5ecf0e8ad84 MalAgent.G (Trojan)
  • c7f34ef7a2b9b2c4a1dfa7ea824bca93 Upx-48 (Trojan)
  • 3e4f4fd7e20b67c422c6d40ea17df2b7 Ramnit
  • bb3b32504829fe1c5324a9547270be16 Kovter.B (Trojan)
  • d6e2ee16ee75bf4a3c8da8e9e3715b3d Upx-48 (Trojan)
  • e5c02b1fe5fb3f1c37f4a416e482870a Agent.FL (Trojan)
  • 71d776ccd4ab54ef45653da12e0c66c8 ShellCode.CU (Trojan)
  • 28138c67f492e56414bff82a39b0781d agentTesla
  • 8332b98416c224335d9d24d98fb35395 PA!MTB (Trojan)

Cyber Security News & Trends – 11-08-19

This week, ransomware in Spain, a doomsday cybersecurity exercise, and why rebooting your computer won’t rid it of malware.


SonicWall Spotlight

Spanish Ryuk Ransomware Attack Hints at New WannaCry – IT Pro (UK)

  • With several institutions and businesses in Spain currently under attack by a strain of the Ryuk ransomware, there is a fear that a problem of the scale of WannaCry is at risk of being unleashed. SonicWall CEO Bill Conner talks to IT Pro on the similarities between the two ransomwares, and how to best protect your business from them.

How Healthy Is Your Web of Connected Devices? – Security Boulevard

  • There are over 25 billion Internet of Things (IoT) connected devices currently in the world, and this number is rising. Security Boulevard uses SonicWall Cyber Threat Intelligence to demonstrate the dangers of, and from, these devices if they are not shielded from cyberthreats.

Cybersecurity News

The Financial Industry Just Finished Its Annual ‘Doomsday’ Cybersecurity Exercise — Here’s What They Imagined Would Happen – CNBC

  • The Securities Industry and Financial Markets Association recently held a worst-case scenario cybersecurity simulation dubbed Quantum Dawn. The fictional event centered around a financial giant being attacked by malicious ransomware.

Ransomware Is Crippling Schools. What Can They Do About It? – EdSurge

  • Tech and education website EdSurge takes a look at the recent rise in ransomware attacks on educational institutions. It explains how ransomware works, why education is being attacked, and how to protect against cyberattacks.

Cybersecurity Risk Is Growing, and We Are Not Ready – Infosecurity Magazine

  • In a new survey of over 4 thousand people in 140 countries, cybersecurity is named as the biggest worry to companies. Between a skills shortage and a general lack of understanding of the threats, many companies are simply unprepared for cyberattacks.

Specially Crafted ZIP Files Used to Bypass Secure Email Gateways – Bleeping Computer

  • A new malware campaign has been discovered by researchers that hides the payload in a complex system of compressed files and archive restructuring. It appears to have been specifically designed to bypass secure email scanners, although at the cost of not always extracting correctly.

Feds Warn Against Hidden Cobra’s Hoplight Malware – SC Magazine

  • US federal agencies released a notification about Hoplight, a new sophisticated data collecting malware being used by North Korean cyberattack group Hidden Cobra.

And Finally

Experts: Don’t Reboot Your Computer After You’ve Been Infected With Ransomware – ZDNet

In a turnaround from the traditional "have you tried turning it off and on again" line, cybersecurity experts are not recommending rebooting your computer if caught by ransomware. The line of thinking is that if something has gone wrong with the ransomware, rebooting a computer might allow it to try again, successfully this time.


In Case You Missed It

PHP-FPM Vulnerability leads to Remote code execution

PHP-FPM (PHP Fast Process Manager) is a FastCGI handler for PHP scripts and applications, especially useful for busier sites. It’s commonly paired with web servers to serve applications which require a PHP framework, such as web forums or login gateways, while the web server returns HTML, JavaScript, and other non-PHP content.

FastCGI is a way to have CGI scripts execute time-consuming code (like opening a database) only once, rather than every time the script is loaded. It mainly helps to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time.

Vulnerability | CVE-2019-11043
This vulnerability can be triggered only with the following Nginx configuration and only when NGINX is paired with PHP-FPM. It allows the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    …

The regexp in the `fastcgi_split_path_info` directive can be broken using the newline character (%0a in URL-encoded form). A broken regexp leads to an empty PATH_INFO. In the code path where php-fpm handles an empty PATH_INFO there is a logic flaw that allows attackers to create fake PHP_VALUE variables. Using this technique, attackers can chain carefully chosen config values to achieve remote code execution.

Exploit:

The attacker's requests look like the ones below:

GET /index.php/PHP_VALUE%0Asession.auto_sart=0;;;;
GET /index.php/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;;
GET /index.php/PHP_VALUE%0Ainclude_path=/tmp;;;;;;
GET /index.php/PHP_VALUE%0Aauto_prepend_file=a;;;;
GET /index.php/PHP_VALUE%0Alog_errors=1;;;;;;;;;;;
GET /index.php/PHP_VALUE%0Aerror_reporting=2;;;;;;
GET /index.php/PHP_VALUE%0Aerror_log=/tmp/a;;;;;;;
GET /index.php/PHP_VALUE%0Aextension_dir=%22%3C%3F
GET /index.php/PHP_VALUE%0Aextension=%22$_GET%5Ba%
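Detection logic for the request shape above, added here as an example (not SonicWall's signature, which is listed under the fix below): it splits each request target the same way the vulnerable `fastcgi_split_path_info` regexp does, flags any PATH_INFO that contains a URL-encoded newline (the condition that empties PATH_INFO), and upgrades the verdict to "exploit" when a PHP_VALUE directive follows the newline. The access-log excerpt is constructed in the default Nginx "combined" format; the client addresses and user agents in it are made up.

```python
import re
from urllib.parse import unquote

# Request line inside a default Nginx "combined" access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Same split the vulnerable fastcgi_split_path_info regexp performs: script name, then PATH_INFO.
SPLIT_RE = re.compile(r"^(?P<script>.+?\.php)(?P<pathinfo>/.*)?$", re.S)


def classify_target(target):
    """Classify a request target.

    'exploit'    - newline inside PATH_INFO followed by a PHP_VALUE directive (the chain above)
    'suspicious' - newline inside PATH_INFO (breaks the regexp, leaves PATH_INFO empty)
    'benign'     - everything else
    Returns (verdict, detail) where detail is the injected directive, if any."""
    path = unquote(target.split("?", 1)[0])            # %0a / %0A become a real newline
    m = SPLIT_RE.match(path)
    if not m or not m.group("pathinfo"):
        return "benign", ""
    pathinfo = m.group("pathinfo")
    if "\n" not in pathinfo and "\r" not in pathinfo:
        return "benign", ""
    if "PHP_VALUE" in pathinfo:
        directive = re.split(r"[\r\n]", pathinfo, maxsplit=1)[1].strip().rstrip(";")
        return "exploit", directive
    return "suspicious", "newline in PATH_INFO"


def scan_access_log(text):
    """Return a list of (line number, client ip, verdict, target, detail) for non-benign requests."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict, detail = classify_target(m.group("target"))
        if verdict != "benign":
            flagged.append((lineno, line.split(" ", 1)[0], verdict, m.group("target"), detail))
    return flagged


# Constructed log excerpt; the attack targets follow the request shapes shown above.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [08/Nov/2019:10:00:02 +0000] "GET /index.php/extra/path?x=1 HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [08/Nov/2019:10:00:03 +0000] "GET /index.php/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;; HTTP/1.1" 502 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [08/Nov/2019:10:00:04 +0000] "GET /index.php/PHP_VALUE%0Aauto_prepend_file=a;;;; HTTP/1.1" 502 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [08/Nov/2019:10:00:05 +0000] "GET /index.php/%0aprobe HTTP/1.1" 502 0 "-" "python-requests/2.22.0"
198.51.100.9 - - [08/Nov/2019:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, ip, verdict, target, detail in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno} {ip} {verdict:10s} {target}  {detail}")
```

Because the exploit chain needs several requests (one PHP_VALUE directive each), a burst of "exploit" verdicts from one client against the same script is the signal to act on; a single "suspicious" hit may be a scanner probing for the regexp-breaking newline. Independently of logging, a configuration that only forwards requests whose script file exists (for example `try_files $fastcgi_script_name =404;` inside the location block) is a widely used interim mitigation alongside the PHP upgrade.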

Fix:

Admins are advised to check whether their servers are vulnerable by running a simple bash command:

    egrep -Rin --color 'fastcgi_split_path' /etc/nginx/

It is recommended to upgrade to the patched release (or later) of your PHP version.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

  • IPS 14523: PHP-FPM NGINX Remote Code Execution

SonicWall WAF has been designed to provide protection against this exploit by default.

Cyber Security News & Trends – 11-01-19

This week, the financial cost in a worst-case scenario cyberattack, a nuclear power plant is targeted, and SonicWall figures are used to look at the Internet of Things.


SonicWall Spotlight

Intelligent Living: The Smart Home and IoT – Silicon (UK)

  • Silicon investigates the future of smart homes and the rise of the Internet of Things (IoT). When looking at the security risks, they defer to SonicWall CEO Bill Conner and SonicWall research.

A Sneaky Online Security Threat: Encrypted Malware in SSL – Security Boulevard

  • Security Boulevard tackles the double-edged sword of encryption, used by both cybersecurity experts and cybercriminals alike. They refer to the 2019 SonicWall Cyber Threat Report for details on the rising number of cyberattacks coming in on encrypted channels.

Cybersecurity News

One Cyber Attack Can Cost Major APAC Ports $110B – ZDNet

  • A new study has laid out a possible “extreme” scenario where a single software virus infecting 15 ports across five Asian markets can result in losses totaling $110 billion. 92% of these costs are currently uninsured.

Indian Nuke Plant's Network Reportedly Hit by Malware Tied to N. Korea – Arstechnica

  • A cyberattack on India's Kudankulam Nuclear Power Plant that took place in September of 2019 has been linked, through the use of the "Dtrack" malware, to a known North Korean government hacking group. Officials at the plant have stated that there was never any risk of losing control of the plant, as the control systems are connected neither to the administrative network nor to any other network.

ICS Attackers Set to Inflict More Damage With Evolving Tactics – ThreatPost

  • New research claims that future attacks on industrial control system (ICS) networks, such as the power grid, may inflict even more damage in the long run as attackers will learn from previous cyberattacks. Analysts expect attacks to evolve from immediate, direct impact to stealthy attacks with multiple infection stages.

Muhstik Ransomware: A Hack-Back Story – Security Boulevard

  • While ransomware is making headlines for the large targets, like government and multinational industries, there are still small-scale ransomware attacks being launched. Security Boulevard reports on one victim who, caught by Muhstik Ransomware, decided to hack back and took down the entire ransomware network, releasing a complete set of decryption keys in the process.

21 Million Stolen Fortune 500 Credentials for Sale on Dark Web – SecurityWeek

  • A new study on leaked data used deep-learning techniques to sift through millions of leaked credentials on the dark web. After removing duplicates, anomalies and default passwords it still found around 21 million different credentials belonging to the Fortune 500 companies, more than 16 million of which were compromised during the last 12 months. All the results were cleartext passwords, either because they were never encrypted or because hackers had already decrypted them.

Ohio Establishes ‘Cyber Reserve’ to Combat Ransomware – NextGov

  • Ohio has become the first state to set up a “Cyber Reserve” force; five volunteer teams of 10 people apiece who are ready to be called into service in a cybersecurity emergency.

Why the EU Is About to Seize the Global Lead on Cybersecurity – Forbes

  • The European Commission has made cybersecurity a “high priority” and proposed that the cybersecurity budget for 2021-27 include €2 billion to fund “safeguarding the EU’s digital economy, society and democracies through polling expertise, boosting EU’s cybersecurity industry, financing state-of-the-art cybersecurity equipment and infrastructure.” Forbes argues that similar US legislation and programs have been left in a segmented and fragmentary state with little national or international cohesion to them.
