This long-spreading Android locker has been spotted using a Coronavirus theme

SonicWall Capture Labs threat research team observed a number of Android locker samples that cover the home screen with a ransom message. We observed a number of malicious apps belonging to this locker campaign that are re-packaged to appear as popular apps such as WhatsApp, Netflix and a recent Coronavirus app named in Uzbek, Koronavirus haqida, which translates to “About Coronavirus”.

We observed samples belonging to this campaign as recent as 2020-06-15 on the popular malware portal VirusTotal.

Infection Cycle

Upon execution, the screen is covered by a warning message; the message varies from app to app. Only some apps from this campaign demand a ransom in exchange for the unlock key. However, the template used by these ransom messages is broadly similar:


Translations of some of the messages shown on screen by a few malicious lockers belonging to this campaign are as below:

  • “Your Android is Blocked! You have visited or used sites in violation of law”
  • “Android is locked !”
  • “Your phone is coded!”

However, a few apps from this campaign make an effort to stand out:


Startup trigger

Even though the locker does not encrypt files the way regular ransomware does, the phone becomes unusable: the buttons do not respond and the screen is covered by the ransom message. At this point a victim may not have many options other than to try to reboot the device.

However, that does not work because of a permission requested by the malicious locker, RECEIVE_BOOT_COMPLETED. As soon as the device boots, the locker's background service, LockService, is triggered; it starts the locker and displays the ransom message over the screen.

Hardcoded unlock key

This locker campaign locks the screen with a ransom message and demands a ransom for an unlock code. However, the unlock code is hardcoded and can be found within the same class file in the samples belonging to this campaign: com.lololo/LockService;->onClick()

The image below shows the hardcoded unlock codes for a few samples:


Easy removal

Because the apps from this campaign do not request dangerous permissions such as BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE, there are no safeguards against their uninstallation from the device. If Developer Tools are enabled on the device, a victim can easily remove this locker by issuing the command below over adb:

  • adb shell pm uninstall com.lololo
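As an added example (not SonicWall's tooling), the following Python check applies the three observations above to a decoded AndroidManifest.xml: RECEIVE_BOOT_COMPLETED plus a BOOT_COMPLETED receiver is why a reboot does not help, a declared service is what that receiver restarts, and the absence of BIND_DEVICE_ADMIN / BIND_ACCESSIBILITY_SERVICE on any component is why the plain pm uninstall works. The sample manifest is constructed: only the package name com.lololo and the LockService class come from the write-up; the receiver name and the contrasting device-admin case are assumed.

```python
"""Manifest triage for the locker traits described above (added example, not
SonicWall's tooling). Input is a decoded AndroidManifest.xml, e.g. from
apktool; parsing the binary manifest inside the APK is out of scope here."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Binding permissions whose presence means a plain `pm uninstall` may be
# blocked or fought by the app (device admin / accessibility abuse).
GUARD_PERMS = {
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed manifest modelled on the write-up: package com.lololo and the
# LockService class are from the post; the receiver name is assumed.
LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.lololo">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Koronavirus haqida">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".LockService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed contrast case (not from this campaign): a device-admin receiver
# is declared, so uninstall must wait until admin rights are revoked.
GUARDED_MANIFEST = LOCKER_MANIFEST.replace(
    '<service android:name=".LockService"/>',
    '<service android:name=".LockService"/>\n'
    '    <receiver android:name=".AdminReceiver"'
    ' android:permission="android.permission.BIND_DEVICE_ADMIN"/>',
)


def triage_manifest(xml_text: str) -> dict:
    """Return the reboot-persistence and removal picture for one manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    boot_receivers = [
        r.get(A_NAME) for r in root.iter("receiver")
        if any(a.get(A_NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    services = [s.get(A_NAME) for s in root.iter("service")]
    # Device-admin receivers and accessibility services are marked by the
    # android:permission attribute on the component, not by uses-permission.
    component_perms = {c.get(A_PERM) for c in root.iter() if c.get(A_PERM)}
    guarded = bool(component_perms & GUARD_PERMS)
    reboot_survival = BOOT_PERM in perms and bool(boot_receivers)
    if reboot_survival and services:
        verdict = "locker-like: restarts a service on boot"
    elif reboot_survival:
        verdict = "boot-persistent, no service"
    else:
        verdict = "no boot persistence"
    return {
        "package": package,
        "reboot_survival": reboot_survival,
        "boot_receivers": boot_receivers,
        "services": services,
        "uninstall_guarded": guarded,
        "removal": (f"adb shell pm uninstall {package}" if not guarded else
                    f"revoke admin/accessibility, then adb shell pm uninstall {package}"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("locker", LOCKER_MANIFEST), ("guarded", GUARDED_MANIFEST)):
        print(label, triage_manifest(manifest))
```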


Popular Targets

The apps from this campaign are re-packaged with different app names and icons that match popular apps. Some of the apps we observed during our analysis include:

  • WhatsApp
  • Netflix
  • Telegram
  • Grand Theft Auto 5 hacks
  • Minecraft hack
  • King root

With the recent Coronavirus pandemic and malware writers capitalizing on the ‘Coronavirus’ theme to propagate their malware, apps belonging to this campaign might soon carry this theme. We have already identified one sample by the name Koronavirus haqida, and we can expect more apps from this campaign to carry this theme.


SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.LockScreen.HM


Indicators of Compromise (IOC):



Beat the Managed Services Blues with SonicWall and ConnectWise

Are you a managed services provider (MSP or MSSP)? Are you tired of having to manually account for product and services usage by your customers, or hearing your operations team complain about manually creating and triaging tickets for security and product issues?

Have no fear: SonicWall is excited to launch the official integration of ConnectWise Manage with SonicWall’s portfolio of products. ConnectWise Manage is an out-of-the-box and easy-to-use integration that helps automate the invoicing and billing of security services for your customers. In addition, the integration automates the creation and processing of service tickets within ConnectWise Manage, including the automatic closure of tickets when alerts are closed in the product consoles.

SonicWall partners will now see a new menu option in MySonicWall for ConnectWise Integrations, under their My Workspace menu. Navigating to this page will allow them to not only set up the integration with their ConnectWise Manage instance, but also map tenants to companies.

With this integration:

  1. SonicWall hardware, software and cloud products are added to the product catalog, where partners can set their standard prices
  2. Active SonicWall software and cloud products are listed as additions to their company agreements of choice for automated product usage accounting and invoicing
  3. SonicWall hardware and virtual appliances are added as configurations, which can in turn be shared with other automation platforms like IT Glue
  4. Auto-creation of tickets is enabled based on alerts from Capture Client

This integration supports synchronization of all billable SonicWall products, including all current firewalls, Secure Mobile Access appliances, Capture Client, Cloud App Security and Global Management System, among others. While tickets are limited to alerts from Capture Client in this release, subsequent versions will bring alerts from firewall, Cloud App Security, Wireless and more.

Take a look at this video to see the integration in action!

With the recent changes to how you experience MySonicWall, the enhancements to Risk Meters, the recently launched MSSP Program, and now the launch of the ConnectWise Manage integration, if you’re a managed services provider, you can rest assured that SonicWall has your back!

Like what you see but want more? It’s in the works — we already have a ConnectWise Automate integration available as a preview. Feel free to reach out via our Communities if you need more information, and stay tuned for more integrations with other Professional Services Automation (PSA) and Remote Monitoring and Management (RMM) platforms!

Watch out for this BlackLivesMatter spam email delivering malware

Black Lives Matter protests have spread across the United States and worldwide. The core of the protests has been activists taking to the streets, but in this very online age, and amid a pandemic, people have found many inventive ways to show their support online, from viral tweets and hashtags to signing online petitions. Unfortunately, cybercriminals have also seized this opportunity to distribute emails disguised as supporting the movement, using a malicious document attachment that the victim is meant to “sign” to show their support.

Infection cycle:

This spam email comes with a malicious attachment that bears the following filename:

  • e-vote_form_xxxx.doc

Upon opening the malicious Word document, the victim is presented with the image below:

Once the user follows the instructions to enable editing and enable content, a fake error is displayed while the legitimate command prompt executable is spawned to continue the malicious actions.


It then performs a DNS query for ppid dot indramayukab dot go dot id and simultaneously sends encrypted data to a remote server.

Sending encrypted data to remote server IP: 113.20.29.29

It also communicates with another server at inspeclabeling dot com.

Connecting to 74.252.14.248, inspeclabeling.com

Both web addresses appear to be legitimate servers that may well have been compromised.

The command prompt continues to run in the background even after the Word document is closed, so the malicious activity continues.

However, no further change was made to the system to ensure persistence, so the infection does not survive a system reboot.

The macro content within the malicious document is password-protected, so we were not able to view it using Word.
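As an added detection example (not SonicWall's signature logic), the Python below correlates the chain described above over constructed Sysmon-style event lines: an Office process spawning a command shell, the shell outliving the document, and that same process contacting the domains and IPs named in this post. It generalises slightly to other Office hosts and scripting shells; the event lines are made up, and the Sysmon field names are the only external assumption.

```python
"""Detection over constructed Sysmon-style events for the chain described
above: Word spawns cmd.exe, the shell outlives the document and talks to the
write-up's indicators. Added example; the event lines are made up, not real
telemetry. Field names follow Sysmon (EventID 1 process create, 3 network
connect, 5 process terminate, 22 DNS query)."""
import ntpath
import re

# Indicators named in the write-up (defanged there, assembled here).
WATCH_DOMAINS = {"ppid.indramayukab.go.id", "inspeclabeling.com"}
WATCH_IPS = {"113.20.29.29", "74.252.14.248"}
# Generalised a little beyond the post: any Office host spawning any
# scripting shell, not only WINWORD.EXE -> cmd.exe.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample telemetry; 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    f"EventID=1 ProcessId=5120 Image={OFFICE} ParentImage=C:\\Windows\\explorer.exe",
    f"EventID=1 ProcessId=6044 Image={CMD} ParentImage={OFFICE}",
    f"EventID=5 ProcessId=5120 Image={OFFICE}",  # document closed, shell lives on
    f"EventID=22 ProcessId=6044 Image={CMD} QueryName=ppid.indramayukab.go.id",
    f"EventID=3 ProcessId=6044 Image={CMD} DestinationIp=113.20.29.29 DestinationPort=443",
    f"EventID=3 ProcessId=6044 Image={CMD} DestinationIp=74.252.14.248 DestinationPort=80",
    f"EventID=1 ProcessId=7001 Image={CMD} ParentImage=C:\\Windows\\explorer.exe",  # user shell
    f"EventID=3 ProcessId=7001 Image={CMD} DestinationIp=192.0.2.10 DestinationPort=443",
]

# key=value pairs; values may contain spaces (paths), so a value runs until
# the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line.strip()))


def detect(lines) -> list:
    """Correlate per ProcessId: Office-spawned shell + IOC contact = high."""
    spawned = {}   # pid -> "parent -> child"
    ioc_hits = {}  # pid -> [reasons]
    for line in lines:
        ev = parse_event(line)
        eid, pid = ev.get("EventID"), ev.get("ProcessId")
        image = ntpath.basename(ev.get("Image", "")).lower()
        if eid == "1":
            parent = ntpath.basename(ev.get("ParentImage", "")).lower()
            if parent in OFFICE_HOSTS and image in SHELLS:
                spawned[pid] = f"{parent} -> {image}"
        elif eid == "22":
            name = ev.get("QueryName", "").lower()
            if name in WATCH_DOMAINS:
                ioc_hits.setdefault(pid, []).append("dns:" + name)
        elif eid == "3":
            ip = ev.get("DestinationIp", "")
            if ip in WATCH_IPS:
                ioc_hits.setdefault(pid, []).append("net:" + ip)
    alerts = []
    for pid in list(spawned) + [p for p in ioc_hits if p not in spawned]:
        reasons = ([spawned[pid]] if pid in spawned else []) + ioc_hits.get(pid, [])
        if pid in spawned and pid in ioc_hits:
            severity = "high"
        elif pid in spawned:
            severity = "medium"
        else:
            severity = "low"  # the contacted hosts look like compromised legitimate sites
        alerts.append({"pid": pid, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```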

As always, we urge our users to only use official and reputable websites as their source of information and news. Always be vigilant and cautious when installing software, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Downloader.DOC.VBA_2 (Trojan)
  • GAV: Trickbot.D_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends

This week, SonicWall launched its new SD-Branch capabilities and multi-gigabit SonicWall Switches, bringing cost-effective simplicity and centralized management to the hyperdistributed era.


SonicWall Spotlight

Sonicwall Advances Network Edge Security, Adds Multi-Gigabit Switch Series, Easy-To-Manage SD-Branch Capabilities — SonicWall Press Release

  • To simplify security deployment, management and visibility for organizations with growing branch footprints, SonicWall is introducing new secure SD-Branch capabilities and a complete line of new multi-gigabit switches to cost-effectively scale and manage remote or branch locations.

SonicWall Adds Multi-Gigabit Switches to SD-Branch Portfolio — DevOps.com

  • Dmitriy Ayrapetov, vice president of platform architecture for SonicWall, talks about the new SonicWall Switches and SD-Branch capabilities, and how they centralize management of remote offices.

Seven Factors To Consider When Evaluating Endpoint Protection Solutions — MSSP Alert

  • Attackers are getting craftier when infiltrating secure environments. SonicWall’s Vishnu Chandra Pandey offers several ways to know whether your endpoint protection solution will be able to keep up.

Boundless Cybersecurity for the New Work Reality — SC Magazine

  • With the widespread adoption of remote work, we’ve moved into a hyperdistributed IT landscape. SonicWall’s Terry Greer-King explains how Boundless Cybersecurity can help businesses survive this new business normal.

Cybersecurity News

Ransomware: Hackers took just three days to find this fake industrial network and fill it with malware — ZDNet

  • Researchers set up a tempting honeypot to monitor how cybercriminals would exploit it. Then it came under attack.

Fake Black Lives Matter voting campaign spreads Trickbot malware — Bleeping Computer

  • A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Rate of Ransomware Attacks in Healthcare Slows in H1 2020 — Dark Reading

  • A lower number of ransomware attacks on healthcare entities suggests many threat groups are indeed avoiding targeting them during the current pandemic. But the lull may be short-lived.

Encryption Utility Firm Accused of Bundling Malware Functions in Product — Threat Post

  • A legally registered Italian company is selling what it claims is a legitimate encryption utility, but the service it provides has been a common denominator in thousands of attacks over the past year.

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk — Dark Reading

  • “CallStranger” flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. — The New York Times

  • Federal prosecutors are investigating a global hacker-for-hire operation that sent phishing emails to environmental groups, along with thousands of individuals and hundreds of institutions around the world.

Valak malware gets new plugin to steal Outlook login credentials — Bleeping Computer

  • A new module discovered by researchers suggests the authors of the Valak information stealer are increasingly focusing on stealing email credentials.

Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election — The New York Times

  • Fear of the coronavirus is speeding up efforts to allow voting from home, but some of them pose security risks and may make it easier for Vladimir Putin or others to hack the vote.

NATO Condemns Cyberattacks Against COVID-19 Responders — Security Week

  • Over the past couple of months, there has been a surge in attacks targeting those who work in response to the pandemic, prompting NATO to publicly condemn the malicious cyber-activities directed against COVID-19 responders.

In Case You Missed It

SonicWall’s New SD-Branch Solution, Multi-gigabit Switch Line Secure Dispersed Businesses, Branch Locations

There’s nothing normal about the “new business normal.” The past few months have represented a complete shift in the way we think of work — and with vastly more employees working remotely than ever before, bringing with them an unprecedented quantity of exposure points and risk, the traditional cybersecurity model is proving woefully inadequate.

As cybercriminals ramp up attacks on anyone they perceive to be vulnerable, it isn’t enough to simply enable working from home. To truly ensure business continuity, you must secure and rearchitect these massively distributed networks with a platform capable of stopping the ever-increasing number of threats — both known and unknown.

To help your organization meet the challenges brought by this new cybersecurity reality, SonicWall is introducing three new solutions: SonicWall SD-Branch, SonicWall Switch and SonicWall Capture Client 3.0.

SonicWall SD-Branch

Many businesses need to secure remote branch offices and retail stores, but it often isn’t possible — or practical — to have dedicated IT staff at each of these locations. SonicWall SD-Branch enables your organization to provide seamless connectivity that keeps pace with escalating bandwidth demands, and allows you to quickly and cost-effectively upgrade the network security at your remote locations.

Secure SD-Branch is a comprehensive solution that combines the power of secure SD-WAN, secure wireless and wired LAN technology with zero-touch deployment. Through the power of Capture Security Center — SonicWall’s cloud-based, single-pane-of-glass management console — the management, reporting and analytics for all locations is centralized and accessible from any web-enabled device.

SonicWall Switches

The shift to remote work has resulted in a sudden rise in the use of high-bandwidth applications — something that can easily overwhelm branch networks. At the same time, monitoring, managing and continually refreshing a growing number of network devices across multiple branches has grown exponentially more difficult, especially since many branch locations don’t have trained IT staff.

SonicWall Switches offer multi-gigabit wired performance that lets you rapidly scale your branch networks through remote installation. Available in seven models — ranging from eight to 48 ports, with gigabit and 10 gigabit ethernet ports — SonicWall Switches deliver network switching that accommodates the growing number of mobile and IoT devices in branch locations and provides the network performance needed to support cloud-delivered applications. SonicWall Switches also fit seamlessly into your existing SonicWall ecosystem, helping you to unify your network security posture. They’re SD-Branch-ready and managed via firewalls — either locally or through SonicWall’s cloud-based Capture Security Center — for unified, single-pane-of-glass management of your entire SonicWall infrastructure.

SonicWall Capture Client 3.0

SonicWall Capture Client 3.0 allows employees to operate remotely without having to worry about advanced threats, all while giving administrators comprehensive visibility and the ability to extend standard protections to remote endpoints. SonicWall Capture Client 3.0 is the latest iteration of our lightweight, unified endpoint protection platform, and includes a number of new and upgraded features.

Capture Client 3.0’s comprehensive, client-based content filtering allows you to easily extend network-based content filtering to off-network users. It provides HTTP and HTTPS traffic inspection capabilities, along with the ability to assign exclusions for trusted applications or blacklist untrusted applications. Capture Client also offers real-time visibility of applications and identifies vulnerabilities.

Starting with Capture Client 3.0, administrators can leverage Azure Active Directory properties for granular policy assignment based on categories such as group membership — regardless of whether the directory is hosted on-prem or in the cloud.

Capture Client 3.0 also brings in support for the SentinelOne Linux agent, enabling you to extend next-generation antimalware capabilities to Linux servers. This feature will allow customers to safeguard Linux-based workloads irrespective of their location — on-prem or in the cloud.

Limited-Time Offer: The Boundless Cybersecurity Bundle

For a limited time, SonicWall is giving you the opportunity to save on these and other solutions by building a custom Boundless Cybersecurity Bundle. Best of all, the more you buy, the more you save. Just buy one qualifying product and then get incremental discounts on up to five additional products for a complete solution. Visit our official promotions page or contact a trusted SonicWall security expert who will help you build and enhance your security posture — the right way.

SonicWall Reinvents Branch Connectivity with Secure SD-Branch and Switches

In the wake of the COVID-19 pandemic, organizations are discovering a new business normal. More than ever before, businesses both big and small are embracing mobility, cloud applications and remote operations. To support this change, your network security must change, too.

To help businesses safeguard their newly boundless workforce, SonicWall is launching Secure SD-Branch and SonicWall Switches. Secure SD-Branch and SonicWall Switches are designed to ensure secure branch connectivity while also keeping up with future business transformations and security challenges.

SonicWall Secure SD-Branch

The SonicWall Secure SD-Branch solution is an integrated platform that secures connectivity and transforms user experience at branch offices by combining Software-Defined Local Area Network (SD-LAN), Software-Defined Wide Area Network (SD-WAN) and security for distributed enterprises. Furthermore, this solution offers unified visibility and threat detection. This platform enables your branch offices — regardless of how many you have — to take advantage of cheaper connectivity with headquarters, enable adoption of BYOD (bring your own device) and SaaS applications, and scale easily as the number of mobile devices increases. Secure SD-Branch can be set up at your branches swiftly with Zero-Touch Deployment and can be controlled through a single pane of glass, simplifying deployment, management and troubleshooting.

A typical SonicWall SD-Branch solution consists of a mid- to high-end firewall, such as NSsp or NSa, deployed at a data center or corporate HQ. A mid- to entry-level firewall, such as NSa/TZ, is then deployed at the various branch locations. All SonicWall next-generation firewalls feature integrated SD-WAN capability at no additional cost. SonicWall Switches work seamlessly with these firewalls to extend wired connectivity to devices such as IoT devices and IP phones. The access points are connected to the switch as well, and provide WiFi connectivity to smartphones and other mobile devices. SonicWall Capture Client delivers endpoint security to these mobile devices, while SonicWall Cloud App Security helps safeguard cloud applications such as Office 365. Plus, the entire network can be managed from a single pane of glass with SonicWall Capture Security Center (CSC).

Introducing SonicWall Switches

An integral part of the SD-Branch solution, the SonicWall Switch delivers high-speed switching while providing unparalleled performance and manageability. Its unified security posture, high port density, Power over Ethernet (PoE) options and multi-gigabit performance capabilities make it ideal for SD-Branch and enterprise deployments. SonicWall Switch helps enable smoother digital transformation and allows you to keep pace with the changing network and security landscape.

The SonicWall Switch is completely firewall-managed: admins can easily manage the switch from a single pane of glass via CSC. This simplified management provides unified management, reporting and analytics across the entire SonicWall ecosystem.

The switches feature 10 gigabit ports and work seamlessly with SonicWall next-generation firewalls and SonicWave Access Points (AP) to create an end-to-end multi-gigabit network. The switches also include gigabit Ethernet ports to power on devices such as APs, VOIP phones and IP cameras.

The switches are available in 7 models with various PoE options, all at affordable price points. They’re packed with features and available in a compact form factor with an energy-efficient design.

The switch provides Zero-Touch Deployment capability, allowing you to quickly roll out devices across globally distributed enterprise branches. Purchasing an end-to-end security solution enables you to easily pass compliance checks and reduces your overall operational costs.

With SonicWall Secure SD-Branch and SonicWall Switches, you can safeguard your growing distributed workforce from advanced threats, all with a lower TCO. To learn more about our solutions, visit www.sonicwall.com

Microsoft Security Bulletin Coverage for June 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-0915 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0916 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0986 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5954:Malformed-File exe.MP.143
CVE-2020-1073 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1120 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1148 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1160 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1162 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1163 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1170 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1177 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1178 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1181 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1183 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1194 Windows Registry Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1196 Windows Print Configuration Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1197 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1199 Windows Feedback Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1201 Windows Now Playing Session Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1202 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1203 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1204 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability
ASPY 5952:Malformed-File exe.MP.142
CVE-2020-1207 Win32k Elevation of Privilege Vulnerability
ASPY 5951:Malformed-File exe.MP.141
CVE-2020-1208 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1209 Windows Network List Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1211 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1212 OLE Automation Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1213 VBScript Remote Code Execution Vulnerability
IPS 15042:VBScript Remote Code Execution Vulnerability (CVE-2020-1213)
CVE-2020-1214 VBScript Remote Code Execution Vulnerability
IPS 15041:VBScript Remote Code Execution Vulnerability (CVE-2020-1214)
CVE-2020-1215 VBScript Remote Code Execution Vulnerability
IPS 15040:VBScript Remote Code Execution Vulnerability (CVE-2020-1215)
CVE-2020-1216 VBScript Remote Code Execution Vulnerability
IPS 15035:VBScript Remote Code Execution Vulnerability (CVE-2020-1216)
CVE-2020-1217 Windows Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1219 Microsoft Browser Memory Corruption Vulnerability
IPS 15036:Microsoft Browser Memory Corruption Vulnerability (CVE-2020-1219)
CVE-2020-1220 Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1222 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1223 Word for Android Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1225 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1226 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1229 Microsoft Outlook Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1230 VBScript Remote Code Execution Vulnerability
IPS 15037:VBScript Remote Code Execution Vulnerability (CVE-2020-1230)
CVE-2020-1231 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1232 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1233 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1234 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1235 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1236 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1237 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1238 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1239 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1241 Windows Kernel Security Feature Bypass Vulnerability
ASPY 5949:Malformed-File exe.MP.140
CVE-2020-1242 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1244 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1246 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1247 Win32k Elevation of Privilege Vulnerability
IPS 2282:Suspicious Executable File Download 9
CVE-2020-1248 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1251 Win32k Elevation of Privilege Vulnerability
ASPY 5947:Malformed-File exe.MP.138
CVE-2020-1253 Win32k Elevation of Privilege Vulnerability
ASPY 5948:Malformed-File exe.MP.139
CVE-2020-1254 Windows Modules Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1255 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1257 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1258 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1259 Windows Host Guardian Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1260 VBScript Remote Code Execution Vulnerability
IPS 15034:VBScript Remote Code Execution Vulnerability (CVE-2020-1260)
CVE-2020-1261 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1262 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1263 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1264 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1265 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1266 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1268 Windows Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1269 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1270 Windows WLAN Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1271 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1272 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1273 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1274 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1275 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1276 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1277 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1278 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1279 Windows Lockscreen Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1280 Windows Bluetooth Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1281 Windows OLE Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1282 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1283 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1284 Windows SMBv3 Client/Server Denial of Service Vulnerability
IPS 15038:Windows SMBv3 Denial of Service (CVE-2020-1284) 1
CVE-2020-1286 Windows Shell Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1287 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1289 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1290 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1291 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1292 OpenSSH for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1293 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1294 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1295 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1296 Windows Diagnostics & feedback Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1297 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1298 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1299 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1300 Windows Remote Code Execution Vulnerability
ASPY 5960 Malformed-File cab.TL.5
CVE-2020-1301 Windows SMB Remote Code Execution Vulnerability
IPS 15039:Windows SMB Remote Code Execution (CVE-2020-1301)
CVE-2020-1302 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1304 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1305 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1306 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1307 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1309 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1310 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1311 Component Object Model Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1312 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1313 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1314 Windows Text Service Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1315 Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1316 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1317 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1318 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1320 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1321 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1322 Microsoft Project Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1323 SharePoint Open Redirect Vulnerability
There are no known exploits in the wild.
CVE-2020-1324 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1327 Azure DevOps Server HTML Injection Vulnerability
There are no known exploits in the wild.
CVE-2020-1329 Microsoft Bing Search Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1331 System Center Operations Manager Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1334 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1340 NuGetGallery Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1343 Visual Studio Code Live Share Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1348 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.

Mustang Panda Group Side Loading DLL

Overview:

The SonicWall Capture Labs Threat Research Team observed new activity from MUSTANG PANDA using a unique infection chain related to the PlugX Trojan. The legitimate, vulnerable binary is part of Adobe’s suite and will load any library named “hex.dll”.

Sample 1st Layer, Static Information:

Looking at the first layer in CFF Explorer to check for corruption: the first layer is a Win32 binary.

Command-Line Static Information:

Extracted Files From Binary:

Side-Loaded DLL: hex.dll

HTTP Network Artifacts:

  • www.destroy2013.com
  • www.fitehook.com

Dynamic Artifacts:

Loaded Modules:

  • See hex.dll in the list.

Process:

  • Command-Line String Used: “C:\ProgramData\AAM Updatesnnk\AAM Updates.exe” 862
  • Autostart string active

Process Security:

Enabling SeDebugPrivilege opens the door to the techniques malware uses against other processes. By default, users can debug only processes that they own; debugging processes owned by other users requires the SeDebugPrivilege privilege. Once this privilege is granted, the farm has been given away: it allows code injection into other processes.

  • SeDebugPrivilege
  • Group NT AUTHORITY

CreateFile Artifacts:

  • Folder Created: AAM updatesnnk
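The process, privilege and file-system artifacts listed above are the observable side of DLL side-loading. As an added example (not part of the original write-up and not SonicWall's own tooling), the Python below scores a constructed process record against them: an executable running from a user-writable directory such as ProgramData, a DLL loaded from that same directory (here the watched name hex.dll), SeDebugPrivilege held by a process that is not a known debugger, and an autostart entry pointing at the image. The record layout, the directory and debugger lists, and the sample values are assumptions modelled on the artifacts above, not real telemetry.

```python
"""Score a process record for the DLL side-loading indicators described above.

Added example; the record layout and the sample values are assumptions
modelled on the reported artifacts, not real telemetry.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Locations where ordinary application binaries should not be executing from.
USER_WRITABLE_ROOTS = (
    PureWindowsPath(r"C:\ProgramData"),
    PureWindowsPath(r"C:\Users"),          # covers AppData, Temp, Downloads ...
    PureWindowsPath(r"C:\Windows\Temp"),
)
# DLL names the vulnerable host binary is known to look for (from the write-up).
WATCHLIST_DLLS = {"hex.dll"}
# Processes that legitimately hold SeDebugPrivilege (assumed allow-list).
DEBUGGER_IMAGES = {"devenv.exe", "windbg.exe", "procexp.exe", "procmon.exe"}


@dataclass
class ProcessRecord:
    image: str                    # full path of the running executable
    command_line: str
    modules: list                 # full paths of loaded DLLs
    privileges: list = field(default_factory=list)
    autostart_entries: list = field(default_factory=list)  # Run-key style command strings


def _is_under(path, roots):
    """True if path lies below any of roots (PureWindowsPath compares case-insensitively)."""
    return any(root in PureWindowsPath(path).parents for root in roots)


def assess_side_loading(proc):
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    findings = []
    image = PureWindowsPath(proc.image)
    image_dir = image.parent
    exe_in_user_writable = _is_under(proc.image, USER_WRITABLE_ROOTS)
    if exe_in_user_writable:
        findings.append(("exe_user_writable", f"executable runs from {image_dir}"))

    for mod in proc.modules:
        m = PureWindowsPath(mod)
        # Apps under Program Files legitimately ship DLLs beside their EXE; a DLL
        # beside an EXE that itself sits in a user-writable directory is the
        # side-loading pattern seen in this campaign.
        if m.parent == image_dir and exe_in_user_writable:
            findings.append(("dll_beside_exe", f"{m.name} loaded from {m.parent}"))
        if m.name.lower() in WATCHLIST_DLLS:
            findings.append(("watchlist_dll", f"{m.name} loaded from {m.parent}"))

    if "SeDebugPrivilege" in proc.privileges and image.name.lower() not in DEBUGGER_IMAGES:
        findings.append(("sedebug", "non-debugger process holds SeDebugPrivilege"))

    for entry in proc.autostart_entries:
        if str(image).lower() in entry.lower():
            findings.append(("autostart", entry))
    return findings


# Constructed sample mirroring the artifacts reported above (not real telemetry).
MUSTANG_PANDA_SAMPLE = ProcessRecord(
    image=r"C:\ProgramData\AAM Updatesnnk\AAM Updates.exe",
    command_line=r'"C:\ProgramData\AAM Updatesnnk\AAM Updates.exe" 862',
    modules=[
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\ProgramData\AAM Updatesnnk\hex.dll",
    ],
    privileges=["SeDebugPrivilege", "SeChangeNotifyPrivilege"],
    autostart_entries=[r'"C:\ProgramData\AAM Updatesnnk\AAM Updates.exe" 862'],
)

# Constructed benign record: a DLL beside an EXE under Program Files is normal.
BENIGN_SAMPLE = ProcessRecord(
    image=r"C:\Program Files\Example\app.exe",
    command_line=r'"C:\Program Files\Example\app.exe"',
    modules=[r"C:\Windows\System32\ntdll.dll", r"C:\Program Files\Example\helper.dll"],
    privileges=["SeChangeNotifyPrivilege"],
)

if __name__ == "__main__":
    for name, rec in (("suspect", MUSTANG_PANDA_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_side_loading(rec))
```

The benign record loads a DLL from its own directory too, but under Program Files, so only the ProgramData case is reported; the four findings for the suspect record line up with the artifacts above (process path, loaded hex.dll, SeDebugPrivilege, autostart).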

Hex DLL Static Information

Side-Loaded DLL Exports:

Shellcode:

The malware author tries to hide the loading of Kernel32.dll; however, it is visible in a debugger. Building the name one character at a time is meant to bypass signature filters, and junk code is interleaved between the characters of the Kernel32.dll string. It’s always interesting to watch how malware authors try to evade signature enforcement within their shellcode.

Decryption of Shellcode:

IDA Pro View of Algorithm:

What’s inside the encrypted buffer after it is decrypted:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Mustang.PAN (Trojan)

Appendix:

Sample Hash: c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c

Indian e-commerce websites are being targeted by malvertising on Facebook

The deadly Covid-19 pandemic has forced lockdowns on people all over the world. India enforced a lockdown on March 23, 2020, which is still in place with relief in a few areas. E-commerce companies in India were restricted from selling non-essential goods for almost 2 months. Now that the e-commerce companies have been fully operational for the last few weeks, malware authors have started malvertising campaigns that abuse the lockdown situation. The SonicWall threat research team has observed scams spreading on Facebook, posing as a Flipkart lockdown sale, an Amazon India sale and a Paytm sale. The scam sale offers premium mobile phones at unbelievable prices and claims the deals end in a few minutes, which draws users in and pushes them to purchase the product immediately.

The scam Ad below, shown on Facebook, claims a Flipkart lockdown sale and a Paytm limited period offer for premium mobiles at very low prices:


Clicking on the Flipkart lockdown sale takes the user to the next page, which asks the user to continue:


After clicking Continue, the user is redirected to a Flipkart look-alike website. The website shows many premium mobiles at very low prices and labels them as Deals of the Day that will end in a few minutes. The website looks like a fully functional Flipkart site, but only the mobile phone links work:


Clicking on any product takes the user to a product details page similar to the genuine Flipkart website, which also includes ratings and reviews, though these cannot be opened for a detailed view. The user is only allowed to click on BUY NOW:


Clicking on BUY NOW takes the user to the address page. However, users need not worry about filling in the delivery address; the scammers are not going to ship the product. All the fields are marked compulsory, but the user can continue without filling in any of them:


Now the user is in the final stage of being looted by this scam. The payment page accepts payment only through UPI:


The user is now all set to lose his hard-earned money within 5 minutes. He just needs to click on Proceed to pay and enter the UPI PIN:


This scam is targeting people located in India aged between 18 and 55 years. Facebook users can report this Ad scam to Facebook:


Some users are abusing these scams in the comments, some are asking for Cash On Delivery (COD), some are educating other users against this scam, but there are also many users who have paid money to these fraud accounts:

Creating this type of malvertising takes the malware author only a few hours and can loot thousands of users in an hour.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • Infector.ML

Fake image file containing Javascript leads to Avaddon ransomware

The SonicWall Capture Labs threat research team has observed reports of spam inviting people to view an “image” in which, the email states, they are present. The “image”, which in our case was named IMG148150.jpg.js, is actually a file containing malicious Javascript downloader code. Once executed, Avaddon ransomware is downloaded and run in the background.


Infection Cycle:


IMG148150.jpg.js contains the following script:


Upon running the script, sava.exe is downloaded from hxxp://217.8.117.63/sava.exe and executed.  It displays the following message on the desktop background:


The following commands are run to remove shadow copies on the system:

wmic.exe SHADOWCOPY /nointeractive
vssadmin.exe Delete Shadows /All /Quiet


The following registry entry is made:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run update "%APPDATA%\Roaming\{malware file}.exe"
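The shadow-copy deletion and the Run-key persistence above are the behaviours a detection engineer would alert on, alongside the .jpg.js double extension of the dropper and the .avdn files it leaves behind. As an added example that is not part of the original post, the Python below runs those rules over constructed JSON-lines endpoint events and returns a verdict when shadow-copy deletion coincides with encryption artifacts. The event schema (ProcessCreate, RegistryValueSet, FileCreate), the user name and the directories are assumptions; the command lines, registry key, ransom-note name and .avdn extension are the artifacts described above.

```python
"""Run detection rules for the Avaddon behaviours described above over
constructed endpoint events (added example; schema and paths are assumptions)."""
import json
import re

# Constructed JSON-lines telemetry (not real logs). Command lines, registry key,
# ransom-note name and .avdn extension are the artifacts described above; the
# user name, directories and event schema are assumed.
SAMPLE_LOG = r"""
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\Downloads\\IMG148150.jpg.js"}
{"event": "ProcessCreate", "image": "C:\\Users\\alice\\AppData\\Roaming\\sava.exe", "cmdline": "sava.exe"}
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"}
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"event": "RegistryValueSet", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "update", "data": "\"%APPDATA%\\Roaming\\sava.exe\""}
{"event": "FileCreate", "path": "C:\\Users\\alice\\Documents\\report.docx.avdn"}
{"event": "FileCreate", "path": "C:\\Users\\alice\\Documents\\431680-readme.html"}
{"event": "FileCreate", "path": "C:\\Users\\alice\\Pictures\\holiday.jpg.avdn"}
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""

# Script file pretending to be an image or document (e.g. IMG148150.jpg.js).
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf)\.(js|jse|vbs|wsf)\b")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of (rule, detail) alerts for the events."""
    alerts = []
    encrypted = 0
    for e in events:
        kind = e["event"]
        if kind == "ProcessCreate":
            exe = e["image"].lower().rsplit("\\", 1)[-1]
            cmd = e["cmdline"].lower()
            if exe == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", e["cmdline"]))
            elif exe == "wmic.exe" and "shadowcopy" in cmd:
                alerts.append(("shadow_copy_deletion", e["cmdline"]))
            elif exe in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
                alerts.append(("double_extension_script", e["cmdline"]))
        elif kind == "RegistryValueSet":
            key, data = e["key"].lower(), e["data"].lower()
            # Run-key value whose target lives under the user's AppData tree.
            if key.endswith("\\currentversion\\run") and "appdata" in data:
                alerts.append(("run_key_persistence_appdata", f'{e["value"]} = {e["data"]}'))
        elif kind == "FileCreate":
            path = e["path"].lower()
            if path.endswith(".avdn"):
                encrypted += 1
            elif path.endswith("-readme.html"):
                alerts.append(("ransom_note_dropped", e["path"]))
    if encrypted:
        alerts.append(("avdn_encrypted_files", str(encrypted)))
    return alerts


def likely_ransomware(alerts):
    """Shadow-copy deletion combined with encryption artifacts or a ransom note."""
    rules = {rule for rule, _ in alerts}
    return "shadow_copy_deletion" in rules and bool(rules & {"avdn_encrypted_files", "ransom_note_dropped"})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for rule, detail in found:
        print(f"{rule:28} {detail}")
    print("likely ransomware:", likely_ransomware(found))
```

The shadow-copy rules fire on either of the two commands shown above, so a partial trace still raises an alert; the verdict function deliberately requires a second signal (encrypted files or the ransom note) because backup tooling and administrators also run vssadmin.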


Files on the system are then encrypted by the malware and given a .avdn extension. 431680-readme.html is copied into all directories containing encrypted files. 431680-readme.html contains the following page:


avaddonbotrxmuyl.onion leads to the following page hosted on the Tor network:


After entering the ID provided in the html page, the following page is presented asking for $500 USD in Bitcoin to be paid to 32rmhhgJaCDEaB2RGv3joCc5K75niYtxZ5:


The site provides a chat interface to communicate with the operators and possibly negotiate. We tried to reach out to the operators using this interface but received no response:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BitsAdmin.N (Trojan)
  • GAV: Avaddon.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.