SonicWall: Encrypted Attacks, IoT Malware Surge as Global Malware Volume Dips

New cyber threat intelligence from SonicWall shows that malware and ransomware attacks have dipped through the third quarter of 2019, but other attack types, including encrypted threats and IoT malware, are spiking in volume.

SonicWall, which blocks an average of 26 million malware attacks globally each day, recorded 7.2 billion malware attacks and 151.9 million ransomware attacks globally through the first three quarters of 2019, marking 15% and 5% year-over-year declines, respectively.

“Historically, the goal for most malware authors was quantity of infections and now we’re seeing attackers focus on fewer higher-value targets where they can spread laterally,” said SonicWall President and CEO Bill Conner in an official announcement. “This shift in tactics has also seen a corresponding rise in the ransom demands, as attackers attempt to make more money from fewer, but higher value, targets like local municipalities and hospitals.”

Encrypted attacks up 58%

Alarmingly, encrypted threats continue to show record volume compared to 2018. Malware attacks over HTTPS (i.e., traffic encrypted with TLS or its predecessor SSL) are up 58% year-over-year. Seasonal data — including attacks over holiday shopping seasons — indicates that this number will likely grow through the final quarter of 2019.

Source: SonicWall Capture Labs

Attacks over non-standard ports still a problem

As outlined in the mid-year update to the 2019 SonicWall Cyber Threat Report, malware authors continue to take advantage of unguarded attack vectors, particularly non-standard ports.

While an average of 14% of malware came across non-standard ports through the first three quarters of 2019, attacks across the vector have grown in both the second (20%) and third quarters (17%). SonicWall’s non-standard port data is based on a sample size of more than 275 million malware attacks recorded worldwide through September 2019.

“What the data shows is that cybercriminals are becoming more nuanced, more targeted and savvier in their attacks,” said Conner. “Businesses need to align to create stricter security rules within their organizations to reduce the threats that our researchers are identifying.”

IoT malware volume up again

The Internet of Things (IoT) grew out of an appetite for speed, convenience and hyper-connectivity. But, as has been outlined before, this often came at the expense of sound cybersecurity practices.

It was only a matter of time before cybercriminals exploited that apathy.

In 2018, SonicWall Capture Labs recorded 32.7 million IoT malware attacks, a 215.7% year-over-year increase. During the first half of 2019, that number jumped another 55%. Now, through three quarters of 2019, IoT malware attacks have eclipsed 25 million, a 33% year-over-year increase.

2019 Cyber Threat Intelligence & Data from SonicWall

For more 2019 third-quarter cyber threat intelligence, please view the official announcement and explore the SonicWall Capture Security Center for interactive data across different attack vectors and geographical regions.

vBulletin Remote command execution vulnerability

vBulletin is a proprietary Internet forum software. It is written in PHP and uses a MySQL database server. Once installed and configured, the forum is accessible via Hypertext Transfer Protocol (HTTP).

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request (CVE-2019-16759).

A remote command execution vulnerability exists in vBulletin. An attacker can exploit it with a specially crafted HTTP POST request. Authentication is not required, so this is a pre-auth remote command injection. The injected commands run with the same privileges as the vBulletin service, which could allow attackers to take over vulnerable web forums.

Examining the PoC code, we see that malicious commands can be passed in the widgetConfig[code] parameter of a POST request whose routestring is ajax/render/widget_php.

The POST request looks like this

Followed by the exploit code.

Some examples of exploits in the wild

After decoding:

another example:

After decoding:

In both examples the attacker tries to execute web shell commands.
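The two request features the advisory names, a routestring of ajax/render/widget_php and a widgetConfig[code] parameter, are enough to build a simple request-level check for the IPS signatures listed below to complement. The following is an added example, not SonicWall's signature logic or vBulletin code; the request-target/body format and the sample requests (with redacted payload bodies) are constructed for the demo, and the `matches_cve_2019_16759` helper name is mine.

```python
from urllib.parse import parse_qs

WIDGET_PHP_ROUTE = "ajax/render/widget_php"
CODE_PARAM = "widgetConfig[code]"


def request_params(target: str, body: str) -> dict:
    """Merge query-string and form-body parameters.

    parse_qs percent-decodes keys, so widgetConfig%5Bcode%5D and
    widgetConfig[code] both normalize to the same dictionary key.
    """
    params = {}
    if "?" in target:
        params.update(parse_qs(target.split("?", 1)[1], keep_blank_values=True))
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    return params


def matches_cve_2019_16759(method: str, target: str, body: str) -> bool:
    """True when a request carries both features described in the advisory:
    the widget_php route (as a routestring parameter or in the path) AND a
    widgetConfig[code] parameter. Method is recorded by scan() but not used
    to decide, so a crafted non-POST variant is not silently ignored."""
    params = request_params(target, body)
    path = target.split("?", 1)[0].strip("/").lower()
    routes = params.get("routestring", [])
    on_widget_php = path.endswith(WIDGET_PHP_ROUTE) or any(
        r.strip("/").lower() == WIDGET_PHP_ROUTE for r in routes
    )
    return on_widget_php and CODE_PARAM in params


# Constructed sample traffic: (method, request-target, body). Payload bodies
# are replaced by the literal string REDACTED; only the parameter names matter.
SAMPLE_REQUESTS = [
    ("POST", "/index.php",
     "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=REDACTED"),
    ("POST", "/index.php?routestring=/ajax/render/widget_php",
     "widgetConfig[code]=REDACTED"),
    # legitimate-looking widget render without the code parameter
    ("POST", "/index.php",
     "routestring=ajax/render/widget_php&widgetConfig%5Btitle%5D=Hello"),
    # code parameter present but a different route
    ("GET", "/index.php?routestring=forum/general&widgetConfig[code]=x", ""),
    # route supplied via the path instead of the parameter
    ("POST", "/ajax/render/widget_php",
     "routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=REDACTED"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return (method, target, flagged) for each request."""
    return [(m, t, matches_cve_2019_16759(m, t, b)) for m, t, b in requests]


if __name__ == "__main__":
    for method, target, hit in scan():
        print(("ALERT " if hit else "ok    ") + method + " " + target)
```

Feed it parsed access-log or proxy-log entries and alert on hits; the check matches on parameter names rather than payload contents, so encoding tricks inside the value do not evade it, while a normal widget render without widgetConfig[code] passes.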

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • IPS 14453 vBulletin widgetConfig Remote Command Execution 1
  • IPS 3185 Web Application Remote Code Execution 14

IoCs:

  • 182.161.18.135
  • 191.37.220.126
  • 14.231.65.23
  • 129.0.76.131

Threat Graph:

Cyber Security News & Trends – 10-18-19

This week, SonicWall wins at the Computing Security Awards, and the cyberattack that almost took down the 2018 Olympics.


SonicWall Spotlight

SonicWall Wins at the Computing Security Awards

SonicWall Investing in Direct Touch and Channel Skills – ComputingWeekly

  • SonicWall’s Terry Greer-King talks to Computer Weekly about the expansion of SonicWall University among SonicWall partners, and how additional staffing in the direct-touch model has increased growth in the EMEA market.

Nanocore Under the Microscope – Security Boulevard

  • Using work previously published by the SonicWall Threat Labs, Security Boulevard takes a deep dive into the inner workings of the Remote Access Trojan known as NanoCore RAT, currently undergoing a change in delivery methods.

Using EDR for Layered Security – Techradar Pro

  • With the requirement for a layered security approach increasingly becoming public knowledge, SonicWall’s Terry Greer-King argues that the rapidly growing market of Endpoint Detection and Response (EDR) is the best solution. He explains what it is, how it works and why cybersecurity systems need to be multi-faceted and layered to compete in the modern threat landscape.

Cybersecurity News

The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History – Wired

  • Reviewing the 2018 Olympics opening ceremony in South Korea, USA Today wrote that “it’s possible no Olympic Games have ever had so many moving pieces all run on time.” Little did they know that behind the scenes an entire team of cybersecurity experts were fire-fighting a major cyberattack that was working to take the entire Olympics network down.

French TV Station Shrugs Off Ransomware Attack to Keep Running – CBR Online

  • One of France’s largest privately-owned media groups, M6, survived a ransomware attack without disruption to radio or TV. The group praised the “quick and efficient intervention of our cybersecurity experts” for its ability to keep operating during the attack.

Major Airport Malware Attack Shines a Light on OT Security – Threat Post

  • A cryptomining infection that spread rapidly through an unnamed European airport has shone a spotlight on poor cybersecurity practices. Despite being part of a known strain of cryptomining software, the malware had been altered enough to raise no red flags with airport personnel and was active for months before being detected.

Cybersecurity & Data Privacy Trends in 2020 – ITProPortal

  • 5G, cybersecurity budgets, data privacy regulations, staffing problems, Internet of Things; ITProPortal looks to the future and argues that all of these disparate but related trends will converge in 2020.

Sodinokibi Ransomware: Where Attackers’ Money Goes – Dark Reading

  • Researchers investigate the ransomware-as-a-service malware Sodinokibi in an attempt to understand how much money is involved and who it goes to. They conclude that the operators are making a “fortune,” as much as $86,000 pure profit from a single affiliate in one 72-hour period.

And Finally:

‘Sextortion Botnet Spreads 30,000 Emails an Hour’ – BBC

  • There is an ongoing large-scale “sextortion” campaign making use of more than 450,000 hijacked computers. Sending emails at 30,000 an hour, they threaten to release compromising photographs of the recipient unless $800 is paid in Bitcoin. By using real data gleaned from data breaches the extortion attempt can seem legitimate, but this is a fear-based campaign with the extortioners working from the “rule of big numbers.”

In Case You Missed It

BURAN Ransomware spreading through Javascript

SonicWall RTDMI ™ engine has recently detected a highly obfuscated JavaScript file which delivers BURAN Ransomware as its payload. The malware is delivered to the victim’s computer as an archive containing a JavaScript file, as shown below:

This malicious script is obfuscated with the JavaScript obfuscator available at https://obfuscator.io. Among other techniques, the script uses the Compact Code, Rotate String Array and String Array Encoding (RC4) options of that obfuscator.


Fig-1: JavaScript file

After inserting line breaks, one can easily identify the string array rotation and the other obfuscation techniques, as shown in the images below.


Fig-2: String Rotation technique used in obfuscation

After string rotation on the array sdisdoihdofoiofidiafgobdoa, the element order changes as shown below:

As shown above, after rotation the element at index 166 becomes the first element and the element at index 167 becomes the second and so on.

Elements of this array are further de-obfuscated by Base64 decoding followed by RC4 decryption. The keys for RC4 decryption are present in the file.


Fig-3: Base 64 decoding

 


Fig-4: RC4 decryption

As shown below, the deobfuscated code downloads and executes the payload:

 

Payload Analysis:

At present, the payload being distributed belongs to the BURAN ransomware family.

Infection Cycle:
Malware creates a copy of itself as %appdata%\Microsoft\windows\lsass.exe and adds a Run entry for persistence as follows:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • “Local Security Authority Subsystem Service” = %appdata%\Microsoft\Windows\lsass.exe -start

Adds the following Registry key:

  • HKEY_CURRENT_USER\Software\Buran V
    • “Knock” = 0x0000029a
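The persistence entry above is a classic masquerade: a Run value named after a Windows service that launches an lsass.exe living under %appdata% rather than System32. The following added example (not part of the original analysis, and not SonicWall code) checks a list of Run entries for exactly that pattern: a well-known system process name whose image path is outside the Windows system directories. The entries, the environment mapping and the `suspicious_run_entries` helper name are constructed for the demo; `read_run_entries` uses the standard-library winreg module and only works on Windows.

```python
import re

# Process names that belong in System32/SysWOW64 and are commonly impersonated.
MASQUERADE_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe",
                    "winlogon.exe", "services.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% tokens from a supplied (constructed) environment."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def image_path(command: str) -> str:
    """Extract the executable path from a Run value: either the quoted
    first token or everything up to the first space (drops '-start' etc.)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries, env):
    """Return (value_name, resolved_exe) for entries whose image is named
    like a core system process but does not live in a trusted directory."""
    findings = []
    for name, command in entries:
        exe = expand_env(image_path(command), env).lower()
        base = exe.rsplit("\\", 1)[-1]
        if base in MASQUERADE_NAMES and not exe.startswith(TRUSTED_DIRS):
            findings.append((name, exe))
    return findings


def read_run_entries():
    """Windows only: enumerate HKCU\\...\\CurrentVersion\\Run via winreg."""
    import winreg
    entries = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample Run entries: the BURAN-style entry plus two benign ones.
SAMPLE_ENTRIES = [
    ("Local Security Authority Subsystem Service",
     r"%appdata%\Microsoft\Windows\lsass.exe -start"),
    ("OneDrive",
     r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Svc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]
SAMPLE_ENV = {"appdata": r"C:\Users\victim\AppData\Roaming"}

if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_ENTRIES, SAMPLE_ENV):
        print("suspicious Run entry:", name, "->", exe)
```

On a live Windows host, pass `read_run_entries()` and `{k.lower(): v for k, v in os.environ.items()}` instead of the constructed sample data; the Buran marker key HKCU\Software\Buran V with its “Knock” value is a second, family-specific indicator worth checking alongside this generic one.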

Post-infection malware shows the following ransom notes to the victim:

For each encrypted file, the personal ID shown in the ransom note is appended to the filename. For example, the file “notes.txt” is renamed to “notes.txt.[2074D3D3-7546-6D74-A84E-9A1F4AEF44E6]” after encryption.

 

Network Connections:

Connects to the following domains:

    • http://geoiptool.com
    • http://iplogger.ru/1EMT77.jpg
      • User-Agent : BURAN

 

Indicators of Compromise:

  • 3b17292dd99059a56a3c06686d217c9ac9b75386501666f0a2141164edbbf2bf  [Archive sha256]
  • ed90f116281e1287fda0e181d768a75614983cd81418f9c6fdb6c1a2fa803489 [Javascript sha256]
  • ef2dfe3cb46bc5c7f9e0a935fbbccc100256cec4063a2e2945731cce540608a6 [Buran Ransomware]

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Additional Remark:

Please note that the RTDMI ™ engine analyzed the samples and returned a verdict of ‘Malicious’ on October 7, 2019 15:58 pm (GMT), as visible in the report:

Whereas the samples were first seen on VirusTotal at later dates/times, as evidenced by the ‘First Submission’ date:

Astaroth latest variant using Alternative Data Stream (ADS), Living Off The Land technique and YouTube for hosting content

SonicWall RTDMI ™ engine has recently detected a LNK file inside an archive which delivers the Astaroth Trojan to the victim’s machine. The archive contains a malicious LNK file, as shown below:

 

The LNK file contains an obfuscated command which uses EXPLORER.EXE to execute malicious JavaScript hosted at a remote Uniform Resource Locator (URL):

 

The absence of the archive file from popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:

 

JavaScript Analysis:

The JavaScript contains 10 different URLs from which to download malicious files. It generates a random number to select a URL from the list; if the selected URL is not active, it generates another random number and selects a URL in the next iteration:

 

The JavaScript creates the directory C:\Users\Public\Libraries\trust and downloads the files below from the selected URL using the bitsadmin tool:

  • landoqeahjkya.jpg
  • landoqeahjkyb.jpg
  • landoqeahjkyc.jpg
  • landoqeahjkydwwn.gif
  • landoqeahjkydx.gif
  • landoqeahjkyg.gif
  • landoqeahjkygx.gif
  • landoqeahjkyi.gif
  • landoqeahjkyxa.~
  • landoqeahjkyxb.~
  • landoqeahjky64a.dll
  • landoqeahjky64b.dll

The JavaScript immediately moves each downloaded file into an Alternative Data Stream of desktop.ini, except for landoqeahjky64a.dll and landoqeahjky64b.dll.

 

“Alternative Data Stream (ADS) is a feature of New Technology File System (NTFS) in Windows to store metadata for a specific file”

 

The Alternative Data Streams of desktop.ini are shown below using the Sysinternals Streams tool:

 

The JavaScript combines the content of landoqeahjky64a.dll and landoqeahjky64b.dll to construct a valid Dynamic Link Library (DLL) and copies it to the files below:

  • landoqeahjky64.dll
  • mozcrt19.dll
  • mozsqlite3.dll
  • sqlite3.dll

The JavaScript writes “145_MULT1T3SL4S_” to the file r1.log. It then uses ExtExport.exe, which is part of Windows Internet Explorer, to load one of the DLLs above. The loaded DLL belongs to the Astaroth malware family:

 

Astaroth Analysis:

Astaroth is an information stealer which has primarily affected Brazilian citizens since 2018. This malware is well known for using Living Off The Land tactics to evade security software.

 

Once landoqeahjky64.dll is loaded by ExtExport.exe, it combines the content of landoqeahjkyxa.~ and landoqeahjkyxb.~ to construct a valid Dynamic Link Library (DLL). The malware uses process hollowing to load the constructed DLL in memory.

 

The malware looks for the default language of the system. If the default language is not Portuguese, the malware terminates immediately:

 

The malware reads and decrypts ADS content from desktop.ini:landoqeahjkygx.gif:

 

The malware uses the decryption logic above for all of its encrypted files. The same decryption logic was also used in the previous version of Astaroth. Astaroth component files can be decrypted using the code below:

 

The malware searches for the following files, in order, on the victim’s system:

  • C:\Program Files\Diebold\Warsaw\unins000.exe
  • C:\Windows\SysWOW64\userinit.exe
  • C:\Windows\System32\userinit.exe

 

The malware finds C:\Windows\System32\userinit.exe and creates a new process to inject ADS content from desktop.ini:landoqeahjkygx.gif:

 

The malware reads and decrypts DLL file from ADS desktop.ini:landoqeahjkyg.gif, then uses process hollowing to load the decrypted DLL in memory:

 

The malware checks whether any of the following antivirus products are installed on the victim’s machine:

  • AVAST Software
  • AVG
  • Symantec
  • McAfee
  • COMODO
  • Bitdefender
  • ESET

The malware collects system information and saves it into the ADS desktop.ini:auid.log as shown below:

Network:

The malware uses YouTube to host the encrypted content as shown below:

 

Other Component:

The malware bundles the following well-known tools:

WebBrowserPassView by NirSoft: It is a password recovery tool that reveals the passwords stored by browsers.

Mail Password Recovery by NirSoft: It is a password-recovery tool that reveals the passwords and other account details for email clients.

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

 

How to Protect Multi-Cloud Environments with a Virtual Firewall

Virtualization technology is powering a momentous revolution in today’s modern data centers and clouds, leading to designs that are commonly a mix of private, public and hybrid cloud computing environments.

International Data Corporation (IDC) research predicts that more than 90% of organizations will have some portion of their applications or infrastructure running in the cloud by the end of 2024.

As multi-cloud migration happens and organizations embrace technologies, such as containers, network virtualization must expand to adequately secure highly dynamic environments ranging from public clouds to private clouds to data centers. Otherwise, organizations face the risks of visibility blind spots and control challenges.

To circumvent this, organizations are implementing cloud security solutions that operate together and are easily managed. The benefits of cloud computing are well-known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the hacker’s goal.

Securing the cloud introduces a range of challenges, including a lack of network traffic visibility, unpredictable security functionality and the struggle to keep pace with the rate of change commonly found in cloud computing environments. To be effective, organizations need a cloud security solution that:

  • Identifies and controls network traffic within the cloud based on identity, not the ports and protocols they may use.
  • Stops malware from gaining access to and moving laterally within the cloud.
  • Determines who should be allowed to use the applications, and grants access based on need and credentials.
  • Streamlines deployment and gets a new instance up and running with a click. You do not want to configure each virtual firewall, since that is time-consuming. Ideally, you have a pre-defined configuration pushed to the device and it is up and running.
  • Cost-effectively replaces expensive WAN connection technologies, such as MPLS, with secure SD-WAN.
  • Simplifies administration and minimizes the security policy delay as virtual machines (VM) are added, removed or moved within the cloud environment.

Securing the cloud with SonicWall NSv virtual firewalls

Recently, SonicWall announced a new firmware, SonicOS 6.5.4, on its virtual firewall platforms to provide feature parity with its hardware firewall platform.

SonicWall Network Security virtual (NSv) firewalls now support secure SD-WAN, Zero-Touch Deployment, DNS security, Restful API and many more features that help solve the aforementioned problems.

SonicWall NSv firewalls help security teams reduce different types of security risks and vulnerabilities, which can cause serious disruption to business-critical services and operations.

With full-featured security tools and services, including reassembly-free deep packet inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private/public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between VMs for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity.

Security threats (such as cross-virtual-machine or side-channel attacks and common network-based intrusions and application and protocol vulnerabilities) are neutralized successfully through SonicWall’s comprehensive suite of security services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and the Capture Advanced Threat Protection (ATP) multi-engine sandbox.

Aggressive Android adware communicates with a number of malicious domains

SonicWall Capture Labs Threats Research Team came across an adware that showed high network communication during its execution. This is typical behavior for adware, but this sample communicated with a number of malicious domains, which piqued our interest.

Infection Cycle

Among the permissions needed by this adware, few high-risk permissions are listed below:
  • Read settings
  • Write settings
  • Write external storage
  • Read sms
  • Send sms
  • Receive sms
  • System alert window
  • Receive boot completed

Soon after starting the adware app we began seeing ads that covered parts of the screen. We saw these advertisements at different times during our analysis. The advertisements were for casual games most of the time (more on this later in the blog).

Network Communications

We saw a spike in network traffic once we started the app. A network capture revealed a multitude of domains that were contacted in quick succession. A number of these domains have been flagged as malicious on VirusTotal, since a few of them have connections with, or are hosting, malicious applications.

Below are a few of the domains that were contacted, with VirusTotal’s findings on each:

45.33.125.188

139.162.141.85

cdn.jsdelivr.net

ps.okyesmobi.com:8802

In one instance we saw that the IMEI of our device was transmitted to one of the contacted domains:

 

Some of the domains that were contacted host a number of malicious APK files; below are VirusTotal graphs for a few of them:

 

 

Spike in Network consumption

During our analysis we measured the network consumption from the infected device. Unsurprisingly, we saw high network consumption from the adware and apps installed by the adware as shown below:

This can be extremely annoying especially for folks with limited data capacity mobile plans.

Installed apps and shortcuts

We observed a few shortcuts on the homescreen for different apps shown by the adware:

Later, we saw a few apps installed on the device without our knowledge:

Gaming for ad profit

During our analysis we saw a lot of game related ads on the screen. We decided to try a few of them out. When playing these games we observed something simple yet clever:
  • The games are of the ‘endless runner’ category, where the player accumulates points the longer they stay alive
  • Whenever the player loses, an advertisement is played

In short, the hosting company profits whenever the player loses. So how do they maximize their profits? By making the games harder!

Compared with typical casual games of this kind, we found the level of difficulty noticeably steep. As a result we ended up losing more frequently, and an ad was displayed each time we lost.

Overall this contributed towards an increase in network consumption and advertisement related profit for the uploaders.

 

Rooting mechanisms

The adware constantly requested superuser permissions once we started it:

One of the files present in the adware’s installed folder is a script file that contains code to root the device:

Closing thoughts

Overall this adware performs a lot of activities after infecting a device. It displays advertisements, installs rogue apps, communicates with malicious domains and increases the overall network consumption of the device. We saw a few instances where sensitive information from the device was leaked, but the fact that it communicates with domains hosting malicious content is worrying.

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.Adware.LO

Indicators Of Compromise (IOCs):

  • f1c7ff832393feac50d2ed3dc80ba3b8

 

LATEST REMCOS (Remote Control & Surveillance Software) V2.5.0 IS BEING USED BY MALWARE AUTHORS

SonicWall RTDMI ™ engine has recently detected a malware file which uses REMCOS (Remote Control & Surveillance Software) as its payload. The malware is delivered to the victim’s computer as an email attachment. The archive contains the executable file, as shown below:

The absence of both the archive file and the Portable Executable (PE) file inside it from popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:

 

 

PE Static Information:



 

Malware Execution:

The malware creates a copy of itself at %AppData%\Roaming\hpsupportk\hpsupportw.exe and uses install.vbs to delete itself and execute hpsupportw.exe from the %APPDATA% directory.


The malware decrypts and executes highly obfuscated code in multiple layers which makes the analysis of the malware difficult for reverse engineers.

First Layer Execution:

The malware code has thousands of instructions, of which only a few are real. The malware does not contain any decryption key for its encrypted data; instead it generates the key using a fascinating piece of logic.

The malware takes the initial DWORD of the encrypted data as MarkerValue and a stack address as KeyValue. It then repeatedly XORs MarkerValue with KeyValue, decrementing KeyValue by 1 in each iteration, until the result equals 0x41414141. At that point KeyValue is the actual key used to decrypt the second-layer code:
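The key search described above can be reproduced, and also short-circuited, in a few lines. The following added example is mine, not code from the sample or from SonicWall: it runs the decrementing XOR loop exactly as described, and shows that because only one 32-bit value satisfies MarkerValue XOR KeyValue == 0x41414141, an analyst can compute the key directly as MarkerValue XOR 0x41414141 without emulating the loop. The marker, the starting “stack” value and the helper names are constructed for the demo.

```python
MARKER_TARGET = 0x41414141   # the sentinel the malware waits for
MASK32 = 0xFFFFFFFF


def derive_key(marker_value: int, start_key: int, max_iter: int = 1 << 20):
    """Emulate the malware's search: XOR the marker with a candidate key and
    decrement the candidate until the result is 0x41414141.

    The malware seeds the candidate with a stack address; the search only
    terminates quickly if that address lies above the real key. max_iter
    bounds the loop so a start below the key returns None instead of
    walking ~2^32 values.
    """
    key = start_key & MASK32
    for _ in range(max_iter):
        if (marker_value ^ key) & MASK32 == MARKER_TARGET:
            return key
        key = (key - 1) & MASK32
    return None


def shortcut_key(marker_value: int) -> int:
    """XOR is its own inverse: the only key the loop can stop at is
    marker ^ 0x41414141, so the loop is unnecessary for an analyst."""
    return (marker_value ^ MARKER_TARGET) & MASK32


def make_marker(key: int) -> int:
    """Constructed: the marker DWORD the packer would have stored for `key`."""
    return (key ^ MARKER_TARGET) & MASK32


# Constructed demo values: a 'stack-like' key and a start address just above it.
DEMO_KEY = 0x0019FF3C
DEMO_MARKER = make_marker(DEMO_KEY)     # 0x4158BE7D
DEMO_START = DEMO_KEY + 12


def demo():
    """Return (looped key, shortcut key) for the constructed marker."""
    return derive_key(DEMO_MARKER, DEMO_START), shortcut_key(DEMO_MARKER)


if __name__ == "__main__":
    looped, direct = demo()
    print("loop  :", hex(looped))
    print("direct:", hex(direct))
```

In a debugger the same observation saves time: read the first DWORD of the encrypted blob, XOR it with 0x41414141, and you have the second-layer key without single-stepping the decrement loop.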



The malware decrypts the second layer code using the previously generated decryption key as shown below:


Second Layer Execution:

The malware reads the PEB_LDR_DATA structure from the Process Environment Block (PEB) to iterate over loaded modules and looks for MSVBVM60.DLL:



The malware iterates over the export directory of MSVBVM60.DLL and looks for the DllFunctionCall Application Programming Interface (API) by matching the initial bytes of the function. It then retrieves the addresses of all required Windows APIs through DllFunctionCall.


Anti-Debugging:

GetTickCount:

 

ThreadHideFromDebugger:

The malware calls ZwSetInformationThread API by setting ThreadInformationClass argument as ThreadHideFromDebugger which detaches the debugger and terminates the process immediately, if running inside a debugger:

 

Hardware Breakpoints:

The malware calls the ZwGetContextThread API with the ContextFlags argument set to CONTEXT_DEBUG_REGISTERS. The API returns the values of the debug registers, which are used for hardware breakpoints. The malware examines the retrieved values and, if it finds any hardware breakpoint, terminates execution:

 

Software Breakpoints:

The malware checks for software breakpoints and undefined instructions at the beginning of Windows APIs before calling them:

 

Sandbox Evasion:

The malware uses GetCursorPos API to monitor the mouse movement:

 

The malware loops, checking for hardware breakpoints, software breakpoints and the cursor position, until the cursor position changes. It re-encrypts the second-layer code when it is not in use and decrypts it again when the code needs to be executed.

Finding start of decrypted code:

 

Encrypting second layer code:

 

Decrypting second layer code:

Persistence:

The malware creates Run key in the registry to maintain persistence on the system as shown below:

 

Bringing REMCOS in action:

The malware contains the REMCOS executable’s encrypted bytes in chunks of 97 bytes, with zero padding after each chunk. The malware keeps count of the padding bytes in a data structure. It then gathers the encrypted bytes so that they are contiguous in memory, as shown below:

The malware decrypts the REMCOS executable’s bytes using a 34-byte key. It does not write the MZ signature into the e_magic field in memory, so that a reverse engineer does not immediately recognize the decrypted data as a PE file:

 

After completing decryption and correcting the e_magic field to MZ, the malware loads and starts executing the REMCOS executable.

 

About REMCOS

REMCOS was designed as a Remote Control and Surveillance tool for legitimate purposes, but it has been used by malware authors for a few years. A free edition with limited capabilities can be downloaded from the official website, as shown below:

 

REMCOS in Action

REMCOS keeps its configuration information in a resource named settings. The very first byte gives the RC4 key size, followed by the RC4 key, which is in turn followed by the encrypted configuration information:

 

REMCOS reads the key from the resource and decrypts the configuration data using the RC4 algorithm. The configuration contains the Command and Control (C&C) server’s IP address, port number, password, the REMCOS executable’s name, the key logging filename, etc.:

 

REMCOS gathers the victim’s system information, which contains the REMCOS executable’s name, computer name, Windows version, RAM information, REMCOS version (2.5.0 Pro), keylogging file path, CPU information, etc. REMCOS uses “|cmd|” as the field delimiter, as shown below:

 

Network:

REMCOS encrypts collected system information using RC4 algorithm with the key “pass” retrieved from configuration data and sends it to the C&C server:
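RC4 appears twice on this page: the BURAN dropper’s obfuscator.io string array (rotate, Base64-decode, then RC4 with a key found in the script) and REMCOS’s settings resource ([key length][key][RC4 ciphertext]) plus its RC4-encrypted, “|cmd|”-delimited beacon. The following added example is mine, not code from either sample or from SonicWall, and serves both passages with one RC4 routine. The strings, keys, rotation amount and configuration contents are constructed; the field layout inside the constructed configuration string (IP:port, password, executable name, log name) is an assumption, whereas the resource layout, the “|cmd|” delimiter and the use of the configured password as the beacon key follow the text above.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 key-scheduling + PRGA; symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ---- BURAN dropper: obfuscator.io string array (rotate -> base64 -> RC4) ----

def rotate_string_array(arr, shift):
    """Undo 'Rotate String Array': the element at index `shift` becomes
    index 0 (the page's sample rotates so that index 166 comes first)."""
    shift %= len(arr)
    return arr[shift:] + arr[:shift]


def decode_string(entry: str, key: str) -> str:
    """One array element: Base64-decode, then RC4 with the per-reference key
    that the obfuscated script carries next to each lookup."""
    return rc4(key.encode(), base64.b64decode(entry)).decode("utf-8")


def deobfuscate_string_array(arr, keys, shift):
    return [decode_string(e, k) for e, k in zip(rotate_string_array(arr, shift), keys)]


def build_obfuscated_array(strings, keys, shift):
    """Constructed input: what the obfuscator would have emitted for `strings`."""
    encoded = [base64.b64encode(rc4(k.encode(), s.encode())).decode()
               for s, k in zip(strings, keys)]
    return rotate_string_array(encoded, -shift)   # +shift later restores the order


# ---- REMCOS 'settings' resource: [key_len][key][RC4(config)] ----

def parse_remcos_settings(resource: bytes) -> str:
    key_len = resource[0]
    key = resource[1:1 + key_len]
    return rc4(key, resource[1 + key_len:]).decode("latin-1")


def build_remcos_settings(config_text: str, key: bytes) -> bytes:
    """Constructed resource blob in the layout the page describes."""
    return bytes([len(key)]) + key + rc4(key, config_text.encode("latin-1"))


def split_fields(text: str):
    """REMCOS separates fields with the literal delimiter |cmd|."""
    return text.split("|cmd|")


def encrypt_beacon(fields, password: str) -> bytes:
    """System-information beacon: |cmd|-joined fields, RC4 under the password
    taken from the decrypted configuration."""
    return rc4(password.encode(), "|cmd|".join(fields).encode("latin-1"))


# ---- constructed demo data ----
DEMO_STRINGS = ["MSXML2.XMLHTTP", "open", "send"]
DEMO_KEYS = ["k1$x", "Ab#9", "zz!Q"]
DEMO_SHIFT = 2
DEMO_CONFIG = "192.0.2.10:2404|cmd|pass|cmd|hpsupportw.exe|cmd|logs.dat"  # layout assumed
DEMO_RESOURCE_KEY = b"K3y!"
DEMO_SYSINFO = ["hpsupportw.exe", "DESKTOP-TEST", "Windows 10", "2.5.0 Pro"]

if __name__ == "__main__":
    arr = build_obfuscated_array(DEMO_STRINGS, DEMO_KEYS, DEMO_SHIFT)
    print("BURAN strings :", deobfuscate_string_array(arr, DEMO_KEYS, DEMO_SHIFT))
    resource = build_remcos_settings(DEMO_CONFIG, DEMO_RESOURCE_KEY)
    fields = split_fields(parse_remcos_settings(resource))
    print("REMCOS config :", fields)
    print("beacon (hex)  :", encrypt_beacon(DEMO_SYSINFO, fields[1]).hex())
```

On a real REMCOS sample, feed `parse_remcos_settings` the raw bytes of the settings resource extracted from the PE; on a BURAN-style script, collect the array literal, the rotation count and the per-reference keys and pass them to `deobfuscate_string_array`. The RC4 routine is verified against the standard “Key”/“Plaintext” test vector.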

 

Key Logging:

REMCOS records keystrokes and saves them into %AppData%\Roaming\hpsupportl\logs.dat:

 

Additional capabilities of REMCOS

  • Screen Capture
  • Remote CommandLine
  • Remote Registry Editor
  • Download, Upload and Execute files
  • Logins cleaner

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Nemty 1.6 ransomware released. Uses 8192-bit encryption.

The SonicWall Capture Labs Threat Research Team observed reports of a new version of Nemty ransomware being delivered via the RIG exploit kit. Previous versions of Nemty have used a variety of methods to infect users, including phishing with a fake PayPal website. Released in August 2019, Nemty has undergone various changes, including the use of 8192-bit encryption keys to encrypt files. The proposed cost of decryption is 0.17968 BTC (around $1500 USD at the time of writing).

 

Infection Cycle:

 

The trojan uses the following icon:

 

Upon infection, files on the system are encrypted and “_NEMTY_8MD1JU0_” is appended to each filename.

 

The following ransom note is displayed on the desktop:

 

The trojan adds the following file to the system:

  • %USERPROFILE%\AdobeUpdate.exe (copy of original) [Detected as GAV: Nemty.FN_2 (Trojan)]

 

The trojan adds the following data to the registry to keep track of crypto key information:

  • HKEY_CURRENT_USER\Software\NEMTY
  • HKEY_CURRENT_USER\Software\NEMTY fid “_NEMTY_8MD1JU0_”
  • HKEY_CURRENT_USER\Software\NEMTY pbkey “BgIAAACkAABSU0ExAAgAA….”
  • HKEY_CURRENT_USER\Software\NEMTY cfg “ydtMmiDIWOLCeoUK…..”

 

It adds a scheduled task so that it starts up after reboot via the following command:

 

The trojan is packed with TitanCrypt in an attempt to thwart debugging:

 

The trojan obtains the system’s public IP address and geolocation:

 

The ransom note contains instructions to go to https://nemty.hk/pay in order to decrypt files.

The link leads to a page with the following dialog:

 

After uploading the ransom note that contains the “NEMTY DECRYPTION KEY”, you are able to upload a sample file to decrypt:

 

The following page allows you to download the decrypted file and also chat with the operators via the chat box. At the time of our analysis no one responded to our questions.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Nemty.RSM (Trojan)
  • GAV: Nemty.RSM_2 (Trojan)
  • GAV: Nemty.RSM_3 (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 10-11-19

This week, SonicWall partners with Etisalat Digital and appears at GITEX Technology Week 2019. Meanwhile, several government-level warnings about cyberthreats are issued, and the Magecart group chalks up another successful month.


SonicWall Spotlight

SonicWall, Etisalat Digital Partnership Delivers Network Security in Bundle Offer to SMBs – SonicWall Press Release

  • Etisalat Digital is now offering SonicWall technology in its ‘Business Quick Start’ SMB bundle, which provides businesses with telco-grade network security devices and a zero-touch feature that brings installation time under one hour. SonicWall and Etisalat celebrated this news with a ceremony at GITEX Tech Week.

SonicWall at GITEX Tech Week 2019 – Tahawultech.com

  • GITEX Technology Week, the biggest tech show in the Middle East, North Africa and South Asia, took place this week at the Dubai World Trade Centre. SonicWall showcased its networking and security solutions including our powerful Capture ATP with RTDMI technology. At the show, SonicWall’s Michael Berg was kept busy with interviews at outlets like Tahawultech and ChatterBoxPRE.

5 Steps to Deploy Fast, Secure WiFi in K-12 Schools – MSSPAlert

  • Schools and school districts connecting to the internet via Wi-Fi is par for the course in 2010; SonicWall’s Srudi Dineshan lists five ways K-12 schools can protect themselves from cyber threats.

Cybersecurity News

In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks – CNN

  • With ransomware increasingly recognized as much more than a niche concern, CNN has created an accessible article with video and text intended to introduce the malware method and execution to a wider audience.

White-Hat Hacks Muhstik Ransomware Gang and Releases Decryption Keys – ZDNet

  • A frustrated hacker, annoyed after being hit by a successful ransomware attack, analyzed the ransomware software and successfully infiltrated the online database connected to it. As a result, he has now released a free decryption method for anyone else caught by the same ransomware.

Copycat Coders Create ‘Vulnerable’ Apps – BBC News

  • A new study has found that developers who take shortcuts by copying and pasting code are leaving applications with security holes. Code chunks with no purpose have been found to be riddled with obsolete commands that could be taken advantage of by a hacker who recognized the programming.

EU Warns of 5G Cybersecurity Risks, Stops Short of Singling out China – Reuters

  • The European Union has issued a warning about the risk of increased cyberattacks by state-backed entities, especially with the advent of next-gen 5G mobile and Internet of Things devices.

NIST is Hunting for Tech to Secure the Energy Sector’s Network – NextGov

  • With the thoughts of a nationwide cyberattack on the power grid growing in people’s minds, the National Institute of Standards and Technology is seeking input from tech and cyber experts on how to secure the countless internet-connected devices that could be used as a way in to the network.

And Finally:

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops – SecurityWeek

  • Everyone’s least favorite online card-skimming group, Magecart, has continued its hacking spree with another successful campaign against online retailers. In the past month the group has been found to be active on over 3,000 online stores, including the Sesame Street Live online store.

In Case You Missed It