This spyware poses as a fake Android WhatsApp update app

SonicWall Capture Labs threat researchers observed an interesting Android sample that passes itself off as a WhatsApp Updater app. Anyone with basic security awareness will quickly point out that there is no separate app for updating WhatsApp, as the WhatsApp FAQ clearly states. As expected, this app simply uses WhatsApp as a disguise to hide its spyware capabilities.

Distribution mechanism

This fake updater app (at the time of writing) is hosted at android-update[.]net/whatsapp-update.apk. Installation of apps from unknown sources is blocked by default on Android, so whenever an APK file is downloaded the user is shown a warning that installing it might be dangerous. The website tries to convince the user to ignore that warning and claims that the WhatsApp update is completely safe to install.

The site android-update[.]net has been flagged as malicious on VirusTotal.

Dangerous Permissions

This app requests several permissions that can be risky in the wrong hands:

  • RECEIVE_BOOT_COMPLETED
  • READ_CONTACTS
  • ACCESS_FINE_LOCATION
  • READ_HISTORY_BOOKMARKS
  • WRITE_SETTINGS
  • SYSTEM_ALERT_WINDOW
  • RECORD_AUDIO
  • SEND_SMS
  • BIND_ACCESSIBILITY_SERVICE
  • BIND_DEVICE_ADMIN

Note that the last two are not permissions the app asks the user for. They are declared on the app's own accessibility service and device-admin receiver so that only the system can bind to those components. Their presence in the manifest means the app ships those components, which is what lets it ask for device administrator rights and, if the user enables the accessibility service, observe and act on the UI of other apps.
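The permission list above can be checked mechanically. The following script, added here as an example and not part of the original analysis, walks a decoded AndroidManifest.xml (the binary manifest inside an APK first has to be decoded with a tool such as apktool or androguard) and reports the risky uses-permission entries together with any component guarded by BIND_DEVICE_ADMIN or BIND_ACCESSIBILITY_SERVICE. The embedded manifest is a constructed sample; its package and component names are assumptions, not the real app's.

```python
"""Static triage of a decoded Android manifest for spyware-style permissions.

Added example, not code from the original post. SAMPLE_MANIFEST is a
constructed manifest; the package name and component names are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix ElementTree uses for android: attributes

# Permissions an app requests via <uses-permission> that are hard to justify
# for an "updater" and map directly onto the spyware capabilities seen later.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboots",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history theft",
    "android.permission.WRITE_SETTINGS": "system settings tampering",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / clickjacking",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.SEND_SMS": "SMS sending / OTP abuse",
}

# BIND_* permissions are declared on a component, not requested by the app.
# Finding them tells you the app ships a device-admin receiver or an
# accessibility service.
PRIVILEGED_COMPONENT_PERMS = {
    "android.permission.BIND_DEVICE_ADMIN": "device administrator receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}

# Constructed sample manifest (assumed names, not the real sample's).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="WhatsApp Update">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SpyAccessibilityService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Return the risky permissions and privileged components a manifest declares."""
    root = ET.fromstring(manifest_xml)

    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    risky = {p: RISKY_PERMISSIONS[p] for p in sorted(requested) if p in RISKY_PERMISSIONS}

    components: List[Tuple[str, str, str]] = []
    for tag in ("receiver", "service", "activity"):
        for el in root.iter(tag):
            perm = el.get(A + "permission")
            if perm in PRIVILEGED_COMPONENT_PERMS:
                components.append((tag, el.get(A + "name"), PRIVILEGED_COMPONENT_PERMS[perm]))

    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "privileged_components": components,
        "device_admin": any(c[2] == "device administrator receiver" for c in components),
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for perm, why in report["risky_permissions"].items():
        print("  %s: %s" % (perm, why))
    for kind, name, why in report["privileged_components"]:
        print("  %s %s: %s" % (kind, name, why))
```

The device_admin flag is the one worth alerting on by itself: a messaging app or its "updater" has no legitimate reason to register a device administrator receiver, which is exactly the red flag the next section describes.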

Infection Cycle

After installation and execution, the app promptly requests device administrator privileges. This alone should be a red flag, as WhatsApp itself does not request device administrator privileges.

If the privilege is not granted immediately, the app keeps re-requesting it until it is granted. This tactic is aimed at degrading the user experience until the user gives in and grants the request.

Siphoning personal data

The app communicates with the server superwat.biz and begins exfiltrating sensitive information about the user, the device and the network. A few of these exchanges are listed below.

The communication begins with a POST message to the settings path, which carries the options/switches under which the app (which by now shows clear signs of being spyware) will operate.

Some noteworthy switches:

  • line_call_record
  • whatsapp_call_record
  • stream_recording
  • spy_call

 

There was a POST message to the DeviceInfo path that sent device-related data.

 

There was a POST message to the Put path carrying highly sensitive data that included:

  • Device IMEI
  • Installed apps with their memory usage
  • GPS location data
  • Browser history showing the web pages opened
  • Names and phone numbers of the contacts on the device
  • Wi-Fi access point names with their MAC addresses

A few more interesting network messages:

  • POST /play/WS/RemoteCommands
  • GET /play/ws/update-check/?update=getversion&brand=gvd8
  • GET /play/ws/update-check/?asset=armeabi-v7a
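The requests above are specific enough to alert on. The following detection logic, added here as an example and not taken from the original post, runs over constructed proxy log lines (timestamp, client, method, host, path; the format is an assumption) and flags both traffic to the known domains and the characteristic paths. The page gives only the names settings, DeviceInfo and Put for the first three exchanges, so the /play/ws/ prefix used for them in the sample lines is an assumption. The RemoteCommands and update-check paths are matched on any host, because a C2 domain can be rotated while the URL scheme stays the same, and paths are compared case-insensitively since the sample itself mixes /play/WS/ and /play/ws/.

```python
"""Flag the fake-updater C2 traffic in proxy logs.

Added example, not code from the original post. The log line format and the
/play/ws/ prefix on the settings, DeviceInfo and Put paths are assumptions;
SAMPLE_LOG is constructed.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

C2_DOMAINS = {"superwat.biz", "android-update.net"}


class Rule(NamedTuple):
    name: str
    path_re: "re.Pattern"
    host_required: bool  # True: only fire when the host is a known C2 domain


RULES = [
    # Generic-looking paths: only meaningful on a known bad host.
    Rule("apk_download", re.compile(r"/whatsapp-update\.apk$", re.I), True),
    Rule("settings_fetch", re.compile(r"/settings$", re.I), True),
    Rule("device_info", re.compile(r"/DeviceInfo$", re.I), True),
    Rule("exfil_put", re.compile(r"/Put$", re.I), True),
    # Distinctive paths: fire on any host so a rotated domain is still caught.
    Rule("remote_commands", re.compile(r"^/play/ws/RemoteCommands$", re.I), False),
    Rule("update_check",
         re.compile(r"^/play/ws/update-check/\?(update=getversion|asset=armeabi-v7a)", re.I),
         False),
]

# Assumed log format: "<timestamp> <client-ip> <METHOD> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


class Alert(NamedTuple):
    ts: str
    client: str
    host: str
    path: str
    rule: str


def classify(host: str, path: str) -> Optional[str]:
    """Return the name of the rule a request trips, or None if it is clean."""
    known_host = host.lower() in C2_DOMAINS
    for rule in RULES:
        if rule.path_re.search(path) and (known_host or not rule.host_required):
            return rule.name
    # Anything else to a known C2 domain is still worth an alert.
    return "known_c2_host" if known_host else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Parse proxy log lines and return one Alert per matching request."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        ts, client, _method, host, path = m.groups()
        rule = classify(host, path)
        if rule:
            alerts.append(Alert(ts, client, host, path, rule))
    return alerts


# Constructed sample log: one infected client, one benign request.
SAMPLE_LOG = """\
2020-09-10T10:01:02Z 10.0.0.7 GET android-update.net /whatsapp-update.apk
2020-09-10T10:02:15Z 10.0.0.7 POST superwat.biz /play/ws/settings
2020-09-10T10:02:16Z 10.0.0.7 POST superwat.biz /play/ws/DeviceInfo
2020-09-10T10:02:20Z 10.0.0.7 POST superwat.biz /play/ws/Put
2020-09-10T10:03:00Z 10.0.0.7 POST superwat.biz /play/WS/RemoteCommands
2020-09-10T10:03:05Z 10.0.0.7 GET superwat.biz /play/ws/update-check/?update=getversion&brand=gvd8
2020-09-10T10:04:00Z 10.0.0.9 GET www.whatsapp.com /download/
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("%s %s -> %s%s [%s]" % (alert.ts, alert.client, alert.host, alert.path, alert.rule))
```

The ordering of the alerts for a single client (APK download, then settings, DeviceInfo, Put, RemoteCommands) mirrors the infection cycle described above and is a stronger signal than any one request in isolation.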

 

We created a VirusTotal relations graph representing all the parties contacted by the spyware app.

Domain WHOIS details

We found the following WHOIS artifacts for the servers superwat.biz and android-update.net:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.PN (Trojan)

 

Indicators of Compromise (IOC)

Sample details

Cybersecurity News & Trends

This week, students are going back to school, cybersecurity is going into outer space, and Emotet is going through the roof.


SonicWall Spotlight

Cybersecurity for the post-COVID new normal of work — Managing the Future of Work podcast

  • SonicWall CEO Bill Conner discusses how COVID-19 and the 2020 election are creating unprecedented infrastructure challenges in cybersecurity, and how forces such as the cybersecurity business gap and the need for secure remote access will shape the cybersecurity landscape going forward.

Tackle the Growing Number of IoT Ransomware Threats — TechTarget – IoT Agenda

  • Ransomware attacks have increased 20% worldwide in the first half of the year and 105% in the U.S., according to SonicWall’s latest cyberthreat report.

Cybersecurity News

FBI: Thousands of orgs targeted by RDoS extortion campaign — Bleeping Computer

  • The FBI has warned U.S. companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom.

Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites — ZDNet

  • Researchers say that any attacker with “a little cash to burn” can join the attack trend.

Website Crashes and Cyberattacks Welcome Students Back to School — The New York Times

  • With many districts across the country opting for online learning, a range of technical issues marred the first day of classes.

Phishing adds overlay on official company page to steal logins — Bleeping Computer

  • A phishing campaign deployed recently at various businesses uses the company’s home page to disguise the attack and trick potential victims into providing login credentials.

Money from bank hacks rarely gets laundered through cryptocurrencies — ZDNet

  • Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said.

White House issues cybersecurity space policy — SpaceNews

  • Space Policy Directive 5 is the first comprehensive government policy on cybersecurity for satellites and related systems, and outlines best practices to protect space systems from hacking and other cyber threats.

U.S. Department of Defense discloses critical and high severity bugs — Bleeping Computer

  • The U.S. Department of Defense has disclosed details about four security vulnerabilities on its infrastructure. Two of them have a high severity rating, while the other two received a critical score.

France, Japan, New Zealand warn of sudden spike in Emotet attacks — ZDNet

  • Emotet activity has ramped up to new levels in September 2020, alarming some cybersecurity agencies.

In Case You Missed It

Overcoming Advanced Evasion of Malware Detection

Malware evasion tactics are now fully present in the arsenal of threat actors. It’s essential that any threat detection technology remain hidden from malware to be able to effectively detect advanced attacks. Equally important, the technology must be able to detect malicious objects that don’t have signatures and to identify malicious capabilities — even if the malicious code hasn’t yet executed. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ (RTDMI) technology offers an advanced layered defense to stay ahead of advanced evasive threats.

It’s this technology stack that SonicWall security services, clients and devices plug into for advanced malware detection and protection. From Next-Generation Firewall (NGFW), to Email Security, to Capture Client and more, Capture ATP is exposed to the latest evasive threats from around the globe, all day, every day.

Overview of SonicWall Capture ATP

To protect customers against the increasing dangers of zero-day threats, SonicWall Capture ATP Service detects and can block advanced threats at the gateway until verdict (on select devices and services). This service is the industry’s first advanced threat-detection offering that combines multilayer sandboxing, including full system emulation and virtualization techniques, to analyze suspicious code behavior that can block until verdict.

Because of the increased focus on developing evasion tactics for malware, it’s important to apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

SonicWall’s award-winning multi-engine sandbox platform efficiently discovers what code wants to do — from the application, to the OS, to the software that resides on the hardware. This approach includes the ability to analyze code within the memory of a system using RTDMI.

RTDMI was specifically designed to provide complete visibility into malware behavior that other technologies miss, while remaining hidden from the malware itself. Combined with the rest of the Capture ATP technology stack, it offers a uniquely isolated inspection environment that simulates an entire host, including the CPU, system memory and all input/output devices.

This approach to advanced malware detection allows SonicWall to observe all the malicious actions engineered into a piece of malware, without being visible to the malware. Detecting evasive tactics is essential and complements our ability to detect malicious network, memory, settings, and other malware actions and changes.

Common malware evasion tactics

One of the key characteristics of advanced malware is its level of stealth and its ability to evade detection. Beyond defeating signature-based products and behaviour-based detection tools, advanced malware uses dozens of evasion techniques to avoid detection. The list below gives the basic categories of these tactics, with a description of each and the result it achieves against conventional analysis.

Evasion tactic: Stalling delays
Description: The malware remains idle to defeat timer-based recognition.
Result: Most legacy sandboxes can detect if malware calls the OS sleep function, but they cannot spot the evasion if the malware performs the delay internally without calling the OS.

Evasion tactic: Action-required delays
Description: Malicious activity is delayed pending a specific user action (e.g., a mouse click, or opening or closing a file or app).
Result: A conventional sandbox will not detect malware that is waiting on user action.

Evasion tactic: Intelligent delays
Description: The malware discovers the sandbox and suspends all malicious activity.
Result: The malware waits until it has completed penetration of the host before injecting, modifying or downloading code; decrypting files; moving laterally across the network; or connecting to C2 servers.

Evasion tactic: Fragmentation
Description: The malware is split into fragments that only execute once reassembled on the targeted system.
Result: As legacy sandboxes typically evaluate fragments separately, each fragment appears harmless, evading detection.

Evasion tactic: Return-oriented programming (ROP) evasion
Description: The stack (the memory addresses of code to be executed next) is modified, injecting functionality without altering the actual code.
Result: ROP evasion delegates execution of the malicious code to other programs instead of the malware program itself, hiding it from conventional detection.

Evasion tactic: Rootkits
Description: A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers.
Result: A conventional sandbox does not monitor what the OS does with calls from applications, so the malicious actions performed by a rootkit will generally go undetected.

Espionage, ransomware and other advanced threats are growing ever more sophisticated. The only way to defeat these types of malware is to implement tools that have been designed specifically to detect known evasion techniques, easily adapt to new ones and work with your existing security stack. SonicWall leverages and maximizes your existing investment in security systems, and with SonicWall Capture ATP with RTDMI, you’ll be ready to defeat today’s sophisticated threats. Click here to learn more.

Anubis infostealer wants your cryptocurrency wallet

This week the SonicWall Capture Labs research team analyzed an info-stealing Trojan that is a mash-up of another infostealer and a ransomware. This Trojan is called Anubis, but it borrows most of its code from another Trojan named Loki, which is widely sold on underground markets.

Infection Cycle

This Trojan uses the following icon:

Upon execution, it scans the system and begins stealing data, taking screenshots and so on. It then creates a randomly named folder in the %temp% directory, where it stores log files of the stolen data.

This stolen data is then sent to a remote server.

During static analysis we noted references to “Loki” in its strings, evidence that it borrows code from this other infostealer. This is unsurprising, as Loki is commodity malware commonly sold on underground sites.

This Trojan behaves much like Loki and targets the victim’s system information, browser data, credentials, credit card details and cryptocurrency wallets.

Interestingly, during analysis we also noticed references to ransomware functionality in its strings, although this was not observed at runtime.

Apart from being sold underground, Lokibot is known to be distributed via spam emails, and Anubis is very likely to be distributed the same way.
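Checking for string indicators like the ones noted above is straightforward to script. The following sweep, added here as an example rather than taken from the original analysis, extracts both ASCII and UTF-16LE strings from a byte blob (Windows binaries keep many strings as UTF-16LE, which a plain strings run misses unless told to look for wide characters) and matches them against keyword groups for Loki lineage, ransomware notes, wallet paths and browser credential stores. The blob and the keyword lists are constructed for illustration and are not taken from the Anubis sample.

```python
"""Extract ASCII and UTF-16LE strings from a binary and match indicators.

Added example, not the original post's code. build_sample_blob() returns a
constructed byte string; the indicator keywords are assumptions chosen to
illustrate the categories mentioned in the analysis.
"""
import re
from typing import Dict, List

MIN_LEN = 6  # shortest run worth reporting, as with `strings -n 6`

# Runs of printable ASCII.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: each printable ASCII character is followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

INDICATORS = {
    "loki_lineage": re.compile(r"loki", re.I),
    "ransomware": re.compile(r"(ransom|decrypt your files|\.locked\b)", re.I),
    "wallet_theft": re.compile(r"(wallet\.dat|electrum|exodus|bitcoin)", re.I),
    "browser_creds": re.compile(r"(login data|logins\.json|cookies\.sqlite)", re.I),
}


def extract_strings(blob: bytes) -> List[str]:
    """Return ASCII strings followed by UTF-16LE strings found in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(blob)]
    return found


def match_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Group the strings that trip each indicator by indicator name."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def build_sample_blob() -> bytes:
    """Constructed binary-looking blob mixing junk, ASCII and UTF-16LE text."""
    parts = [
        b"\x00\x01\x02MZ\x90\x00",
        b"Loki/1.0 client init",                       # ASCII
        b"\xff\xfe\x13\x37",
        "C:\\Users\\%s\\AppData\\Roaming\\Electrum\\wallets".encode("utf-16le"),
        b"\x00\x00",
        "Your files have been encrypted. decrypt your files".encode("utf-16le"),
        b"\x90\x90",
        b"\\Login Data",                               # ASCII, Chrome credential store
    ]
    return b"".join(parts)


if __name__ == "__main__":
    strings = extract_strings(build_sample_blob())
    for name, matched in match_indicators(strings).items():
        print(name)
        for s in matched:
            print("  " + s)
```

Run against a real sample, the two regexes cover the common case but not strings the malware stores obfuscated or builds at runtime; those only appear in a memory dump taken after unpacking, which is also where the ransomware strings noted above would be worth re-checking.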

Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Anubis.ST (Trojan)
  • GAV: VHDLocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for September 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2020. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2020-0664 Active Directory Information Disclosure Vulnerability
IPS 15131: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0664)

CVE-2020-0856 Active Directory Information Disclosure Vulnerability
IPS 15132: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0856)

CVE-2020-0941 Win32k Information Disclosure Vulnerability
ASPY 5993: Malformed-File exe.MP.156

CVE-2020-1115 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5994: Malformed-File exe.MP.157

CVE-2020-1152 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5995: Malformed-File exe.MP.158

CVE-2020-1245 Win32k Elevation of Privilege Vulnerability
ASPY 5991: Malformed-File exe.MP.154

CVE-2020-1308 DirectX Elevation of Privilege Vulnerability
ASPY 5992: Malformed-File exe.MP.155

The following vulnerabilities have no known exploits in the wild:
CVE-2020-0648 Windows RSoP Service Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0718 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0761 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0766 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0782 Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0790 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0805 Projected Filesystem Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0836 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0837 ADFS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0838 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0839 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0870 Shell infrastructure component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0875 Microsoft splwow64 Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0878 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0886 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0890 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0904 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0908 Windows Text Service Module Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0914 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0921 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0922 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0928 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0951 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0989 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0997 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0998 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1012 WinINet API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1013 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1030 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1031 Windows DHCP Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1033 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1034 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1038 Windows Routing Utilities Denial of Service
There are no known exploits in the wild.
CVE-2020-1039 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1044 SQL Server Reporting Services Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1052 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1053 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1057 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1074 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1083 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1091 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1097 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1098 Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1119 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1122 Windows Language Pack Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1129 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1130 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1133 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1146 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1159 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1169 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1172 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1180 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1193 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1198 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1200 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1205 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1210 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1218 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1224 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1227 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1228 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1250 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1252 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1256 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1285 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1303 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1319 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1332 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1335 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1338 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1345 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1376 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1440 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1452 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1453 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1460 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1471 Windows CloudExperienceHost Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1482 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1491 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1506 Windows Start-Up Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1507 Microsoft COM for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1508 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1514 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1523 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1532 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1559 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1575 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1576 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1589 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1590 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1592 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1593 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1594 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1595 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1596 TLS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1598 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16851 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16852 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16853 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16854 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16855 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16856 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16857 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16858 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16859 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16860 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16861 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16862 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16864 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16871 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16872 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16873 Xamarin.Forms Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-16874 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16875 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-16878 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16879 Projected Filesystem Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16881 Visual Studio JSON Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16884 Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability
There are no known exploits in the wild.

ECCENTRIC BANDWAGON, DPRK

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for:
ECCENTRIC BANDWAGON, DPRK.

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. North Korea, officially the Democratic People’s Republic of Korea (DPRK), is a country in East Asia occupying the northern part of the Korean Peninsula. North Korean group definitions are known to overlap significantly, and the name Lazarus Group is known to encompass a broad range of activity; some organizations use Lazarus Group to refer to any activity attributed to North Korea.

ECCENTRIC BANDWAGON is one of the newer Remote Access Trojans (RATs) attributed to HIDDEN COBRA.

These remote tools are believed to be used in highly targeted attacks against financial, engineering, government and non-governmental organizations.

All ECCENTRIC BANDWAGON variants consist of a primary DLL file that, when executed, uses three separate files for screenshots, system logs and keystroke logs. Some variants encrypt these files using RC4, while others include basic clean-up functionality that attempts to remove the log files once ECCENTRIC BANDWAGON has finished executing.
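Because RC4 is a symmetric stream cipher, the encrypted log files can be recovered as soon as the key is found in the sample, for instance among its strings or by breaking on the encryption routine in a debugger. The block below, added as an example and not the RAT’s own code, implements RC4, encrypts a constructed keystroke log under an assumed key, and shows how to pick the right key out of a list of candidates by checking whether the decryption comes out as printable text. The key, the log contents and the log format are assumptions made for the example.

```python
"""RC4 round trip over a constructed keystroke log, plus candidate-key testing.

Added example, not the RAT's code. SAMPLE_KEY, SAMPLE_KEYLOG and the log
format are assumptions; on a real case the key comes from the sample itself.
"""
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. The same call both encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed key and assumed "[timestamp] [window] keys" log format (constructed).
SAMPLE_KEY = b"example-key"
SAMPLE_KEYLOG = (
    b"[2020-09-08 09:12:03] [Notepad] hello world\r\n"
    b"[2020-09-08 09:12:41] [Outlook] password123<Enter>\r\n"
)

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when almost every byte is printable ASCII or whitespace.

    A wrong RC4 key yields bytes that are uniformly random, so only about a
    third of them land in the printable range; the right key clears 95%.
    """
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def recover_key(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption reads as text, else None."""
    for key in candidates:
        if key and looks_like_text(rc4(key, ciphertext)):
            return key
    return None


if __name__ == "__main__":
    encrypted = rc4(SAMPLE_KEY, SAMPLE_KEYLOG)
    found = recover_key(encrypted, [b"wrong", b"default", SAMPLE_KEY])
    print("recovered key:", found)
    if found:
        print(rc4(found, encrypted).decode("ascii"))
```

In practice the candidate list is the set of string constants pulled from the DLL (or the arguments observed at the RC4 key-setup routine), and the printable-text heuristic is what lets the search run unattended over every artefact file the RAT left behind.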

Sample, Static Information:

Dynamic Information:

Key-logging Artifacts:

Clipboard Capture:

Directory Removal and Clean-up:

Strings Set 01:

Strings Set 02:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: EccentricBandwagon.N (Trojan)

Appendix:

Sample SHA256 Hash: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Cybersecurity News & Trends

This week, teenage hackers and nation-state attackers made trouble worldwide.


SonicWall Spotlight

SonicWall TZ 600 POE — SC Magazine

  • SC Media takes a close look at the TZ 600 POE and awards it top marks.

Why Small Businesses Must Deal With Emerging Cybersecurity Threats — Entrepreneur

  • Cybercriminals are counting on small businesses to be less protected — and they’re often right.

Surging CMS attacks keep SQL Injections On The Radar During The Next Normal — Help Net Security

  • Cyberattacks have risen during the pandemic, leaving businesses to wonder whether things will settle down when COVID-19 begins to wane, or if the increase in attacks is here to stay.

Cybersecurity News

Teenager arrested in cyberattacks on Miami-Dade schools — The Washington Times

  • A 16-year-old student has been arrested for orchestrating a series of network outages and cyberattacks during the first week of school in Florida’s largest district.

Microsoft Defender can ironically be used to download malware — Bleeping Computer

  • A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old — The New York Times

  • A Massachusetts teenager appears to have played a significant role in the July 15 Twitter attack, investigators and fellow hackers said.

Chinese Hackers Targeted European Officials in Phishing Campaign — Bloomberg

  • Chinese nation-state hackers launched a phishing campaign against European government officials, diplomats, non-profits and other organizations to gather intelligence about global economies reeling from the pandemic.

Minister: New Zealand Enduring Wave of Cyberattacks — Security Week

  • According to the Associated Press, tracking down the perpetrators will be extremely difficult, as the distributed denial of service attacks are being routed through thousands of computers.

Federal agencies deny seeing attacks on voting infrastructure — The Hill

  • The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have denied seeing any reports of attacks on voting infrastructure, following the publication of a report on potential Russian election interference.

The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time — Wired

  • Facing looming election threats and a ransomware epidemic, the bureau says it has revamped its process for warning hacking victims.

The accidental notary: Apple approves notorious malware to run on Macs — Ars Technica

  • Newfangled malware protection gives users a false sense of security, critics say, making it potentially worse than nothing at all.

Attackers abuse Google DNS over HTTPS to download malware — Bleeping Computer

  • More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.

‘UltraRank’ Gang Sells Card Data It Steals — Bank Info Security

  • A cybercriminal gang that has spent five years planting malicious JavaScript code in order to steal payment card data from hundreds of e-commerce websites also takes the unusual step of selling the data on its own.

Hackers Attack Norway’s Parliament — Security Week

  • Norway’s parliament said Tuesday it had been the target of a “vast” cyberattack that allowed hackers to access some lawmakers’ emails.

In Case You Missed It

New SonicWall Solutions: Engineered for the New Normal

Over the past three-and-a-half years since SonicWall separated from Dell, it has been our mission to radically change how SonicWall does business, supports its customers and develops solutions for the workplace of the future. We logged thousands of hours interviewing customers of all sizes, from all over the world. We also conducted hundreds of security reviews within several key business models, such as distributed enterprises, universities, primary educational institutions and retail, as well as federal, state/provincial, and local government agencies.

Our solution roadmap over the past three years was built around a future where a mostly mobile workforce used a variety of internal and cloud-native applications. But even we could not anticipate the speed at which this transition was going to happen. When shelter-in-place orders were mandated across the world and employees began working from home 100% of the time, we knew we had the right solutions in development for our customers. These solutions furthered our commitment to Boundless Cybersecurity: Launched earlier this year, the Boundless Cybersecurity model offers our customers ways to know the unknown and gain unified visibility and control, all while delivering disruptive economics to help reconcile IT sprawl with fixed budgets and headcount. These needs have only increased since the start of the pandemic.

With this in mind, we launched a series of new products in August that was focused on large and distributed enterprises. Let me share some details on what we announced:

  • New Generation Seven SonicOS Operating System — Built from the ground up as a completely new operating system, SonicOS 7 offers a cleaner UI to make management training quicker and easier. Underpinning this improved interface is the new X86 Linux-based architecture, which strengthens security and allows us to develop a platform faster to adjust to changing customer demands. Although SonicWall Next-Generation Firewalls (NGFWs) are the most secure (as judged by numbers of vulnerabilities), this change will strengthen our customers’ confidence in choosing a security partner.
  • The Generation Seven SonicOSX Operating System — Like SonicOS (without the “X”), this platform is built on a new X86 Linux-based architecture — the difference is that SonicOSX was designed for our high-end NGFWs such as the NSsp. This new OS enables the NGFW to support a true multi-instance architecture, allowing customers to provide tenants with dedicated resources to enable supporting unique configurations and software versions. It also features Unified Policy, which combines Layer Three through Seven rules into a single rule base for an easier and more intuitive configuration.
  • New Generation Seven TZ 570 & 670 NGFW — The TZ 570 and 670 are the first firewalls in desktop form factor to offer multi-gigabit (5/10G) interfaces with threat prevention speeds of up to 2.5 Gbps. Built on SonicOS 7, these new TZ Series firewalls are designed for integration with the new SonicWall Switches, while also offering Zero-Touch Deployment, TLS 1.3 and 5G support. With higher VPN capacity, our customers can better serve remote employees who connect to smaller offices.
  • New NSsp 15700 NGFW — Designed for MSSPs and large enterprises, this firewall is powered by SonicOSX 7 and offers improved UI, Unified Policy, multi-instance architecture and more to make life easier for IT admins. With its 82 Gbps threat prevention throughput, it’s designed to be extremely fast compared to similarly priced firewalls on the market. Despite offering high-end features — such as greater throughput and true multi-instance capabilities that eliminate problems associated with traditional multitenancy architecture — the NSsp 15700 doesn’t sacrifice SonicWall’s commitment to helping our customers bridge the budget gap. The NSsp 15700 doesn’t charge for multiple instances or for threat protection software on the second device in an HA pair setting — a configuration which represents 90% of all seen deployments. This makes the NSsp 15700 at least 45% less expensive over a five-year period than the second least-expensive NGFW in its class.
  • SonicWall Network Security Manager (NSM) 2.0 SaaS — As NGFW deployments grew in size and scope, our customers began asking for better firewall management across the largest distributed enterprises. The SonicWall NSM 2.0 SaaS was designed to better control, manage, and monitor tens of thousands of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple cloud interface. As the SonicWall universe of solutions grows, so must the manageability of this ecosystem. NSM 2.0 does just that.
  • Capture Security appliance (CSa) 1000 — Since we launched Capture Advanced Threat Protection (Capture ATP) in 2016 and Real-Time Deep Memory Inspection (RTDMI) in 2019, we have built up our largest customer base for advanced threat protection. Despite its success as a cloud-based malware detection and prevention platform, Capture ATP cannot be used by some customers for regional and internal compliance reasons. We built CSa 1000 using the memory-based RTDMI engine and a new UI to help our compliance-restricted customers and those who have latency concerns to accurately and quickly detect, stop and report on new threats.

Both my team and I strongly believe these latest releases will help you better secure your network and make managing it a lot easier. I encourage you to read and review our website for more information on these solutions. Moving forward through the second half of 2020, we have many exciting new offerings for you, including our first release of a Zero-Trust Network Access (ZTNA) solution that gives SonicWall customers the ability to comply with the Secure Access Service Edge (SASE) architecture. Stay tuned for more groundbreaking solutions from SonicWall.

Kind Regards,

Atul

Jackpot ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Jackpot ransomware [Jackpot.RSM] actively spreading in the wild.

The Jackpot ransomware encrypts the victim’s files with a strong encryption algorithm and demands a payment in exchange for getting them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Coin (the victim’s files, encrypted and renamed with the .Coin extension)
    • %App.path%\payment request.txt (the recovery instructions, i.e. the ransom note)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the .Coin extension to each encrypted file’s filename.

After encrypting all personal documents, the ransomware displays the following ransom note, which reports that the computer’s files have been encrypted and instructs the victim to contact the developer for unlock instructions.
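The two file-system artifacts above, the .Coin extension on encrypted files and the dropped "payment request.txt" note, are the indicators an incident responder would hunt for on a suspect host. The following is an added example, not SonicWall’s code or anything from the sample itself: a small Python triage script that walks a directory tree, collects both indicators and decides whether the tree looks infected. Only the extension and the note filename come from the write-up; the function names, the sample tree it builds for itself and the "note present or at least three renamed files" threshold are assumptions made here for illustration.

```python
"""Filesystem triage for the Jackpot ransomware indicators described above.

Added example, not SonicWall's code.  The two indicators come from the
write-up: encrypted files carry a ".Coin" extension and a ransom note named
"payment request.txt" is dropped.  Everything else (function names, sample
tree, infection threshold, report layout) is constructed for illustration.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".coin"              # page: "[Name].Coin"; matched case-insensitively
RANSOM_NOTE = "payment request.txt"  # page: "payment request.txt" (recovery instructions)


@dataclass
class JackpotReport:
    encrypted: list = field(default_factory=list)   # paths of *.Coin files
    notes: list = field(default_factory=list)       # paths of ransom notes
    dirs_hit: set = field(default_factory=set)      # directories holding an indicator

    @property
    def infected(self) -> bool:
        # Assumed threshold: a lone .Coin file could be an unrelated file type,
        # so require the ransom note or several renamed files before alerting.
        return bool(self.notes) or len(self.encrypted) >= 3


def scan_for_jackpot(root: str) -> JackpotReport:
    """Walk `root` and collect the two file-system indicators."""
    report = JackpotReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report.encrypted.append(path)
                report.dirs_hit.add(dirpath)
            elif lower == RANSOM_NOTE:
                report.notes.append(path)
                report.dirs_hit.add(dirpath)
    return report


def build_sample_tree(base: str) -> None:
    """Constructed sample data: one directory hit by the ransomware, one clean."""
    hit = os.path.join(base, "Documents")
    clean = os.path.join(base, "Pictures")
    os.makedirs(hit)
    os.makedirs(clean)
    for original in ("budget.xlsx", "thesis.docx", "notes.txt"):
        with open(os.path.join(hit, original + ".Coin"), "wb") as fh:
            fh.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(hit, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed ransom note text\n")
    with open(os.path.join(clean, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")  # JPEG magic bytes, untouched file


def demo() -> JackpotReport:
    """Build the constructed tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_jackpot(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r.encrypted)}, ransom notes: {len(r.notes)}, "
          f"directories hit: {len(r.dirs_hit)}, infected: {r.infected}")
```

On a real host you would point `scan_for_jackpot` at the user profile or a mounted forensic image rather than at the constructed tree; the per-directory set is what tells you how far encryption progressed before the process was stopped.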

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: JACKPOT.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.