Hiddentear ransomware variant encrypts and gives files .poop extension

The SonicWall Capture Labs Threat Research Team has received reports of ransomware that encrypts files and gives them a .poop extension. The malware is built on the open-source HiddenTear code base. The operator charges 0.12277114 BTC (about $1,200 USD at the time of writing) for decryption.

Infection Cycle:

Upon infection, files on the system are encrypted and the desktop background is changed to the following image:

A window pops up with the following message:

The trojan is seen in the process list running as “Ranso”:

The trojan drops the following files onto the system:

  • %SYSTEMDRIVE%\Users\%USERNAME%\Desktop\READ_IT.txt
  • %SYSTEMDRIVE%\%USERNAME%\bg.jpg (desktop background image shown above)
  • %SYSTEMDRIVE%\%USERNAME%\Rand\local.exe (copy of original) [Detected as: GAV: Hiddentear.RSM_22 (Trojan)]

Encrypted files are renamed with “.poop” appended to their original filenames.

READ_IT.txt contains the following text:

The trojan makes the following DNS query:

  • hostfs1mai.temp.swtest.ru

The infection is reported to a remote server, leaking system information in the process:

The ransom note suggests using Telegram to contact @CyberDexter, the operator. We had the following brief conversation via Telegram with @CyberDexter discussing payment:

The operator offers reassurance that they hold the decryption keys for their victims.

The transaction history for the supplied bitcoin address (1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF) suggests that the operator may have had some success:

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Hiddentear.RSM_22 (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 06-21-19

This week, it’s National Selfie Day, Facebook launches its cryptocurrency, and, as predicted by SonicWall, ransomware is all over the news.


SonicWall Spotlight

National Selfie Day

  • June 21 is National Selfie Day and SonicWall staff around the world are taking part! Can you name all the locations?

Innovation Will Sharpen America’s Tech Edge, Federal Officials Say – NextGov

  • SonicWall CEO Bill Conner appeared at a Chertoff Group Security Series Event this week. NextGov quotes his insight as they cover the full discussion between him, Christopher Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, and Dimitri Kusnezov, Deputy Under Secretary for Artificial Intelligence & Technology, Department of Energy.

Latest Attack From TrickBot Malware Family Identified: SonicWall – CRN (India)

  • CRN follows up on the SonicWall Capture Labs Threat Research Team’s identification of a new variant of the TrickBot malware. The modular structure of this malware allows it to add new functionality without modifying the core bot. This story was also covered in Var India, DataQuest, NCN Online, Tech Herald, and CSO Forum.

Cyber Security News

U.S. Lawmaker Calls for Facebook to Pause Cryptocurrency Project – Reuters

  • Amid comments that Facebook is “already too big and too powerful,” House Representative Maxine Waters is calling for Facebook to halt development on the Libra cryptocurrency until Congress and regulators can review the issue.

Hit by Ransomware Attack, Florida City Agrees to Pay Hackers – New York Times

  • The City Council of Riviera Beach unanimously agrees to have its insurance carrier pay 65 Bitcoin, about $592,000, to hackers after the city systems were caught by a ransomware attack three weeks previously.

Is AI Fundamental to the Future of Cybersecurity? – CSO Online

  • While traditional cybersecurity tools require some level of human interaction to keep them running and up to date, CSO Online investigates the development of AI that may be able to improve with little to no human involvement. They also predict that passwords will become obsolete if AI proves to be the more secure option.

U.S. Cities Are Under Attack From Ransomware — and It’s Going to Get Much Worse – Vice News

  • With Atlanta, Baltimore, and many smaller cities getting hurt by ransomware, Vice argues that ransomware attacks appear to be spiking right now due to increased focus on government targeting, and just how easy launching an attack has become.

Inside the FBI’s Fight Against Cybercrime – Dark Reading

  • Dark Reading conducts an interview with a member of one of the small FBI teams dedicated to fighting cybercrime. The agent discusses the difficulties of being heavily outnumbered by criminal actors, but also the surprisingly high level of success they have achieved, including defeating the massive Mirai DDoS-for-hire attacks.

Desjardins, Canada’s Largest Credit Union, Announces Security Breach – ZDNet

  • Canada’s largest credit union announces that 2.9 million members had customer data – including names, date of birth, social insurance number, addresses and more – taken from its database by a now ex-employee. The Credit Union is currently working with law enforcement to investigate the breach.

Maryland Governor Signs Order to Boost Cybersecurity After Baltimore Ransomware Attack – The Hill

  • Responding to Baltimore’s recent ransomware woes, Maryland Governor Larry Hogan signs an executive order establishing the “Maryland Cyber Defense Initiative” and creating a Chief Information Security Officer who will be charged with giving cybersecurity recommendations to the governor.

In Case You Missed It

Old Microsoft Office vulnerability CVE-2017-11882 actively being exploited in the wild

Attacks exploiting a year-and-a-half-old vulnerability in Microsoft Office (CVE-2017-11882) are active in the wild again.

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user.

The vulnerability is caused by the Equation Editor component, which fails to properly handle OLE objects in memory. This allows an attacker to execute arbitrary code from an RTF file with no user interaction beyond opening the document. Microsoft patched this on 11/14/2017. Recently the SonicWall Capture Labs Threat Research Team observed a wave of exploits in the wild attacking this vulnerability.

The malicious RTF file contains an Equation Editor object:

Microsoft has this warning about Equation Editor:

In the current wave of attacks, the malicious Office documents arrive as email attachments. The sender lures the user into opening the file. The file shows some content, but in the background it exploits this vulnerability to download a malicious payload onto the victim’s computer.

The spam emails look like this:

The file, when opened, looks like this:

The RTF file drops a file and contacts the attacker-controlled server.

These attacks are a reminder of the importance of keeping systems updated with the latest security patches.
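The Equation Editor object has to travel inside the RTF as an \objdata hex blob, which gives a mail gateway or a sandbox something concrete to look for. The following triage script is an added example written for this article, not SonicWall's own tooling: it pulls every \objdata group out of an RTF, tolerates the whitespace scattering that lures use to hide the hex, decodes it, and checks for the Equation.3 ProgID or the Equation Editor CLSID. The three RTF documents it carries are constructed for the demonstration (the OLE1 container is hand-built and the equation data is placeholder bytes), not samples from this campaign.

```python
import re

# Equation Editor's COM class {0002CE02-0000-0000-C000-000000000046} as it is
# laid out in a binary OLE stream: Data1..Data3 little-endian, Data4 as-is.
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
EQNEDT_PROGID = b"Equation.3"


def _group_body(text, open_brace):
    """Contents of the RTF group whose '{' is at open_brace, nested groups included."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    return text[open_brace + 1:]


def extract_objdata(rtf):
    """Yield the decoded bytes of every \\objdata group. Lures scatter
    whitespace and line breaks through the hex, so anything that is not a
    hex digit is dropped before decoding."""
    for m in re.finditer(r"\\objdata(?![a-zA-Z])", rtf):
        open_brace = rtf.rfind("{", 0, m.start())
        if open_brace < 0:
            continue
        body = _group_body(rtf, open_brace)
        hexpart = body[m.end() - open_brace - 1:]        # text after the control word
        digits = re.sub(r"[^0-9A-Fa-f]", "", hexpart)
        yield bytes.fromhex(digits[: len(digits) & ~1])  # drop a dangling nibble


def equation_indicators(rtf):
    """Reasons the document looks like an Equation Editor lure; [] if none."""
    hits = []
    if re.search(r"\\objclass\s+Equation\.3\b", rtf, re.IGNORECASE):
        hits.append("objclass Equation.3")
    for blob in extract_objdata(rtf):
        if EQNEDT_PROGID in blob:
            hits.append("Equation.3 progid in objdata")
        if EQNEDT_CLSID in blob:
            hits.append("Equation Editor CLSID in objdata")
    return hits


def _ole1_object(progid, native):
    """Hex of a minimal OLE 1.0 embedded object as \\objdata carries it:
    version, format (2 = embedded), class name, empty topic/item names, then
    the native data. Hand-built for this example, not copied from a sample."""
    name = progid + b"\x00"
    blob = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name
            + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00"
            + len(native).to_bytes(4, "little") + native)
    return blob.hex()


def _scatter(hexstr, every=7):
    """Break a hex run with whitespace and newlines the way obfuscated lures do."""
    return "\n ".join(hexstr[i:i + every] for i in range(0, len(hexstr), every))


# Constructed documents: a plain Equation.3 embed, the same embed with the
# objclass removed and the hex scattered, and a benign document embedding a
# different object type. The equation data is placeholder bytes.
_EQ_HEX = _ole1_object(EQNEDT_PROGID, b"\x00" * 16 + b"A" * 64)
CLEAN_EQUATION_RTF = (r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
                      r"{\*\objdata " + _EQ_HEX + "}}}")
OBFUSCATED_EQUATION_RTF = (r"{\rtf1\ansi{\object\objemb{\*\objdata "
                           + _scatter(_EQ_HEX) + "}}}")
BENIGN_RTF = (r"{\rtf1\ansi Quarterly figures{\object\objemb{\*\objclass Word.Document.8}"
              r"{\*\objdata " + _ole1_object(b"Word.Document.8", b"\x00" * 8) + "}}}")

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_EQUATION_RTF),
                       ("obfuscated", OBFUSCATED_EQUATION_RTF),
                       ("benign", BENIGN_RTF)]:
        print(label, equation_indicators(doc) or "no indicators")
```

A hit means "inspect", not "exploit": legitimate documents written with older Office versions embed Equation.3 objects too, and the overflow itself sits in the equation stream's font-name record, which this check does not parse. Control words whose names contain hex letters inside the \objdata group would corrupt the naive hex filter, so a production scanner needs a real RTF tokenizer. On hosts where the component is still installed, Microsoft's documented mitigation is the COM kill bit for the CLSID above: a REG_DWORD "Compatibility Flags" of 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the Wow6432Node equivalent on 64-bit Windows); the January 2018 Office updates removed Equation Editor altogether.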

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • SPY 5046 Malformed-File rtf.MP.22
  • GAV MalAgent.J_37354
  • GAV CB_3 (Exploit)
  • GAV H_12144 (Trojan)
  • GAV CB_4 (Exploit)
  • GAV CB_5 (Exploit)
  • GAV CB_6 (Exploit)
  • GAV BX_10 (Exploit)
  • GAV BS_4 (Exploit)
  • GAV AS (Exploit)

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Threat Graph:

IoC:

RTF files:

  • 760ff63642a0c236c4d1f88a8a6c94de1d4087010d3373a6122ab48fa505aed3
  • 2af097a6fe6cc30943ef386c8950787492c5a20ae5de2d15b7d8a248b0c44a8c
  • cf00a1c2a61cc6a684e768b71bbca78436a28d37e8f982af409eaea1881f1f1f
  • ab618f0fc42cd3dd63d4901a678cfef419ee06ee374d6425d2ea27668c207b62
  • b865e203294170ed4de563371dee3a5c4e42d3bf19345ae72c5b2b463121edfb
  • 5b5e9b8165cc731fe242796422dabd8721433a07426de4717f248e3c250439a5

Email:

  • 9ccb84d16ff5ea5b1837bfe4951934b3382ce0bc2b9dd2ffd795a75232303831
  • 7ba7a39fc505601966e88c31ecc3521a3f44ab9397ec24f1b2d5c136fe8c60c2

JURASIK Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team has observed reports of a new variant of the JURASIK ransomware family [JSWormC.RMS] actively spreading in the wild.

JURASIK encrypts the victim’s files and holds them until the victim pays a fee to get them back.

Contents of the JURASIK ransomware

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %USERPROFILE%\Desktop\JURASIK-DECRYPT.txt (instructions for recovery)
    • %App.path%\[File Name].JURASIK

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [.JURASIK]  extension onto each encrypted file’s filename.

After encrypting the victim’s documents, the ransomware displays the following text file, which states that the computer has been encrypted and tells the victim to contact its developer for unlock instructions.
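Both ransomware families on this page behave the same way at the file-system level: a new extension appended to the whole original filename, a ransom note dropped on the Desktop and, for the .poop variant, a recognisable process name and DNS query. The detector below is an added example, not part of either write-up and not SonicWall code. It runs the indicators from the HiddenTear and JURASIK sections over Sysmon-style JSON events and adds one family-agnostic check, a burst of renames to the same new extension from one process, which is what you would lean on for the next variant that ships with an extension nobody has a signature for yet. The event format and the log it analyzes are constructed for the example.

```python
import json
import os
from bisect import bisect_right
from collections import defaultdict

# Indicators from the HiddenTear (.poop) and JURASIK write-ups above; names are
# compared case-insensitively.
FAMILIES = {
    "HiddenTear (.poop)": {
        "extension": ".poop",
        "note": "read_it.txt",
        "process": "ranso",                      # image name seen in the process list
        "dns": {"hostfs1mai.temp.swtest.ru"},
        "dropped": {"bg.jpg", "local.exe"},
    },
    "JURASIK": {
        "extension": ".jurasik",
        "note": "jurasik-decrypt.txt",
        "process": None,
        "dns": set(),
        "dropped": set(),
    },
}
BURST_COUNT, BURST_WINDOW = 20, 10.0   # 20+ renames to one new extension in 10 s


def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def original_name(path):
    """Undo the rename both families perform: the new extension is appended to
    the whole original name, so 'report.docx.poop' -> 'report.docx'."""
    stem, ext = os.path.splitext(path)
    known = {f["extension"] for f in FAMILIES.values()}
    return stem if ext.lower() in known else path


def analyze(lines):
    """Run the indicators over Sysmon-style JSON events (one per line) and
    return a list of (label, reason) findings."""
    findings = []
    renames = defaultdict(list)              # (pid, new extension) -> timestamps
    for line in lines:
        ev = json.loads(line)
        kind = ev["type"]
        for fam, ioc in FAMILIES.items():
            if kind == "process" and ioc["process"] \
                    and _base(ev["image"]).removesuffix(".exe") == ioc["process"]:
                findings.append((fam, f"process started: {ev['image']}"))
            elif kind == "dns" and ev["query"].lower() in ioc["dns"]:
                findings.append((fam, f"DNS query: {ev['query']}"))
            elif kind == "file_create" and _base(ev["path"]) == ioc["note"]:
                findings.append((fam, f"ransom note written: {ev['path']}"))
            elif kind == "file_create" and _base(ev["path"]) in ioc["dropped"]:
                findings.append((fam, f"dropped file: {ev['path']}"))
            elif kind == "file_rename" and ev["new"].lower() == ev["old"].lower() + ioc["extension"]:
                findings.append((fam, f"{ev['old']} -> {ev['new']}"))
        if kind == "file_rename":
            renames[(ev["pid"], os.path.splitext(ev["new"])[1].lower())].append(ev["ts"])
    # Family-agnostic heuristic: one process giving many files the same new
    # extension inside a short window.
    for (pid, ext), times in renames.items():
        times.sort()
        for i, t0 in enumerate(times):
            if bisect_right(times, t0 + BURST_WINDOW) - i >= BURST_COUNT:
                findings.append(("heuristic",
                                 f"pid {pid} renamed {BURST_COUNT}+ files to {ext} within {BURST_WINDOW:.0f}s"))
                break
    return findings


def sample_log():
    """Constructed events mirroring the HiddenTear case above; not a real capture."""
    ev = [
        {"ts": 0.0, "type": "process", "pid": 4120, "image": r"C:\Users\bob\Rand\Ranso.exe"},
        {"ts": 0.4, "type": "dns", "pid": 4120, "query": "hostfs1mai.temp.swtest.ru"},
        {"ts": 0.9, "type": "file_create", "pid": 4120, "path": r"C:\Users\bob\Desktop\READ_IT.txt"},
        {"ts": 1.0, "type": "file_create", "pid": 4120, "path": r"C:\Users\bob\bg.jpg"},
        {"ts": 3.0, "type": "file_rename", "pid": 880,           # unrelated user rename
         "old": r"C:\Users\bob\draft.txt", "new": r"C:\Users\bob\final.txt"},
    ]
    for i in range(25):                                           # the encryption sweep
        ev.append({"ts": 2.0 + i * 0.2, "type": "file_rename", "pid": 4120,
                   "old": rf"C:\Users\bob\Documents\doc{i}.docx",
                   "new": rf"C:\Users\bob\Documents\doc{i}.docx.poop"})
    return [json.dumps(e) for e in ev]


if __name__ == "__main__":
    for label, reason in analyze(sample_log()):
        print(f"[{label}] {reason}")
```

original_name() reverses the rename for inventory work after recovery, so a restored backup can be matched against the encrypted names. The burst threshold is a starting point only: set it from a baseline of your own file servers, where installers and backup agents also rename in bulk, and keep it keyed on the process rather than the user.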

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: JSWormC.RMS (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Defending Endpoints from Fast, Ferocious Ransomware Attacks

It’s 2019 and massive ransomware attacks are still making headlines, especially against city governments.

In 2018, the attack on the City of Atlanta shut down over a third of the city’s 424 software programs, with total damages expected to exceed $40 million USD. This year, the City of Baltimore was targeted, with multiple systems and agencies down. At the time of writing, the damage caused by the attack has not been fully repaired and the bill is coming in at $18 million.

As much as people preach about segmenting networks, backing up data and improved network security, ransomware attacks are happening at scale with increasing ferocity.

IT administrators look for solutions and that quest usually involves security for the endpoint. Since a lot has changed in the world of endpoint security, administrators are exploring the options that fall into the endpoint detection and response (EDR) category.

Osterman Research published a research paper outlining the concerns, reasons and requirements that admins on the front lines have for EDR solutions. Use this latest white paper to guide your organization as you deploy your first endpoint protection solution or upgrade legacy antivirus protection.

The SonicWall Capture Client endpoint solution offers many endpoint detection and response (EDR) capabilities that give organizations the ability to mitigate attacks, remediate them and report back to the organization.

Cyber Security News & Trends – 06-14-19

This week, why businesses need layered cybersecurity, the “most dangerous hacking group” are eyeing up the US power grid, and inside the online leak of hours of sought-after Radiohead rehearsals.


SonicWall Spotlight

Technology Enablement Demands Layered Cyber-Security – SC Magazine

  • Writing in SC Magazine, SonicWall CEO Bill Conner explains why organizations need layered cybersecurity to keep up with modern cyberthreats. He warns that businesses cannot take their cyberdefenses for granted when criminals will use every available vector to launch an attack.

SonicWall Identifies TrickBot Malware, That Steals Customer’s Online Banking Information – CRN India

  • The SonicWall Capture Labs Threat Research Team recently released an update detailing a variant of the TrickBot malware family actively spreading across the internet. CRN India investigates the update.

Cyber Security News

This “Most Dangerous” Hacking Group Is Now Probing Power Grids – ZDNet

  • A hacking group described as “the most dangerous threat” to industrial control systems has been detected probing US power grid cybersecurity. Known as Xenotime, the hackers previously launched a successful cyberattack on a petrochemical plant in Saudi Arabia.

House Passes Bill to Establish DHS Cyber “First Responder” Teams – The Hill

  • New legislation has been passed in the US that aims to create “cyber incident response teams” – providing fast assistance to public or private organizations suffering from a breach or cyberattack.

Dark Web Becomes a Haven for Targeted Hits – Dark Reading

  • Almost half of Dark Web vendors sell targeted hacking services aimed at FTSE 100 and Fortune 500 businesses. Dark Reading investigates what is available to would-be cybercriminals and finds that access to corporate networks is sold openly and that malware prices range from $150 to $1,500 depending on how sophisticated the request is.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far) – ZDNet

  • As we reach the halfway point in the year, ZDNet takes a look at what they consider the biggest cybercrime events of the year so far, including multiple medical breaches and a university that had 19 years of data stolen.

Lawmakers Demand Answers on Border Patrol Data Breach – The Hill

  • After hackers broke into a third-party border patrol database, lawmakers have been pushing hard to find out both what happened and how to prevent it from happening again. The breach resulted in the exposure of images of as many as 100,000 people entering and exiting the U.S. over the period of a month and a half.

This data-stealing malware has returned with new attacks and nasty upgraded features – ZDNet

  • The malware known as Scranos has upped its game after its operators had their previous plans interrupted. Having updated their methods, they have also added a trojan and a cryptojacker on top of the previous payload.

For Sale: Have I Been Pwned – Gizmodo

  • The owner behind the popular security website that lets people know if their details have been compromised is selling up. In a blog post he explained that the website has gone as far as it possibly can when only run by one person.

Radiohead Fans vs. Black-Market Sellers: The Battle to Leak the OK Computer Tapes – Pitchfork

  • After initial reports that minidiscs were being held to ransom, Pitchfork investigates the full story behind the leak of over 16 hours of rehearsals and demos, going deep into the world of online fandom.

In Case You Missed It

Microsoft Security Bulletin Coverage for June 2019

CVE-2019-0620 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0709 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0710 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0711 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0713 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0722 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0888 ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0904 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0905 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0906 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0907 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0908 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0909 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0920 Scripting Engine Memory Corruption Vulnerability
IPS 14236:Scripting Engine Memory Corruption Vulnerability (JUN 19) 1
CVE-2019-0941 Microsoft IIS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0943 Windows ALPC Elevation of Privilege Vulnerability
ASPY 5526:Malformed-File exe.MP.75
CVE-2019-0948 Windows Event Viewer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0959 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5527:Malformed-File exe.MP.76
CVE-2019-0960 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0968 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0972 Local Security Authority Subsystem Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0973 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0974 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0977 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0983 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0984 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5528:Malformed-File exe.MP.77
CVE-2019-0985 Microsoft Speech API Remote Code Execution Vulnerability
ASPY 1176:Malformed-File pdf.MP.253
CVE-2019-0986 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 5529:Malformed-File exe.MP.78
CVE-2019-0988 Scripting Engine Memory Corruption Vulnerability
IPS 14237:Scripting Engine Memory Corruption Vulnerability (JUN 19) 2
CVE-2019-0989 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14238:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 1
CVE-2019-0990 Scripting Engine Information Disclosure Vulnerability
IPS 14239:Scripting Engine Information Disclosure Vulnerability (JUN 19) 1
CVE-2019-0991 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14129:Chakra Scripting Engine Memory Corruption Vulnerability GM 1
CVE-2019-0992 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14129:Chakra Scripting Engine Memory Corruption Vulnerability GM 1
CVE-2019-0993 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14129:Chakra Scripting Engine Memory Corruption Vulnerability GM 1
CVE-2019-0996 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0998 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1002 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14249:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 4
CVE-2019-1003 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14250:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 5
CVE-2019-1005 Scripting Engine Memory Corruption Vulnerability
IPS 14252:Scripting Engine Memory Corruption Vulnerability (JUN 19) 4
CVE-2019-1007 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1009 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1010 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1011 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1012 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1013 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1014 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1015 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1016 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1017 Win32k Elevation of Privilege Vulnerability
ASPY 5535:Malformed-File exe.MP.83
CVE-2019-1018 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1021 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1022 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1023 Scripting Engine Information Disclosure Vulnerability
IPS 13068:Scripting Engine Memory Corruption Vulnerability GM 1
CVE-2019-1024 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14251:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 6
CVE-2019-1025 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1026 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1027 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1028 Windows Audio Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1029 Skype for Business and Lync Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1031 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-1032 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-1033 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-1034 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1035 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1036 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-1038 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-1039 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1040 Windows NTLM Tampering Vulnerability
There are no known exploits in the wild.
CVE-2019-1041 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5534:Malformed-File exe.MP.82
CVE-2019-1043 Comctl32 Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1044 Windows Secure Kernel Mode Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1045 Windows Network File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1046 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1047 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1048 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1049 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1050 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1051 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14247:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 3
CVE-2019-1052 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14246:Chakra Scripting Engine Memory Corruption Vulnerability (JUN 19) 2
CVE-2019-1053 Windows Shell Elevation of Privilege Vulnerability
ASPY 5532:Malformed-File exe.MP.81
CVE-2019-1054 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1055 Scripting Engine Memory Corruption Vulnerability
IPS 14245:Scripting Engine Memory Corruption Vulnerability (JUN 19) 3
CVE-2019-1064 Windows Elevation of Privilege Vulnerability
ASPY 5531:Malformed-File exe.MP.80
CVE-2019-1065 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5534:Malformed-File exe.MP.82
CVE-2019-1069 Task Scheduler Elevation of Privilege Vulnerability
ASPY 5530:Malformed-File exe.MP.79
CVE-2019-1080 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-1081 Microsoft Browser Information Disclosure Vulnerability
There are no known exploits in the wild.

TrickBot Banking Variant Actively Spreading

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new variant sample and activity in June for the TrickBot malware family. This family has been well known for many years, mainly focused on stealing victims’ online banking information. This variant’s developers wrapped its core functionality in a “Squirrel Shooting Game” code base to throw off initial analysis. It is often called a banker; however, its modular structure allows it to add new functionality without modifying the core bot. This particular variant uses an RSA encryption scheme to protect certain areas of its core code, along with custom XOR-encrypted strings. TrickBot can also continually update itself by downloading new modules from the C&C server and change its configuration on the fly. A picture of the game-wrapped malware:

Game Wrapper: Squirrel Shootout by Brenton Andrew Saunders.

The game wrapper serves only as a trick to throw off security researchers and anyone else who tries to analyze the code base. The game code never executes.

Sample Static Information:

The sample tries to mask itself as an internal component of the Windows operating system, describing itself as “Microsoft Windows Mobile Broadband USSD API” and naming itself “MbUssdApi.dll”. However, it executes as an .exe and is not injected as a .dll.

Packer & Compression Information:

C&C & Network Activity:


The sample makes connections to multiple IP Addresses:

  • 216.239.32.21
  • 186.159.2.153
  • 72.21.81.240
  • 94.23.172.196

The longer the sample runs, the more IP addresses are generated and connected to. In initial analysis we saw the sample connect to over ten IPs. As each connection is closed, the sample rotates to a new IP address.

Process Creation:

Command Line Execution List:

  • cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  • cmd /c sc stop WinDefend
  • cmd /c sc delete WinDefend
  • AppData\Roaming\chromedata\teut.exe

These commands disable real-time monitoring, stop the “WinDefend” service, and try to delete the service after it is stopped. The sample then executes a new process, “teut.exe”, which is the original executable copied to a new location.
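The command list above is the part of this variant an endpoint agent or SIEM can catch cheaply, as long as the matching survives the trivial variations attackers use (cmd /c wrappers, full paths, case, extra whitespace). The following is an added example, not SonicWall's signature and not code from the sample: it normalizes process-creation command lines, matches the three Defender-tampering commands and the relaunch from AppData\Roaming, and then groups processes under their top-most observed ancestor so the alert fires on the sequence rather than on any one line. The process records are constructed to mirror the list above; the pids, paths and the “sample.exe” name are made up.

```python
import re
from collections import defaultdict

# Each rule is (name, regex over the normalized command line). The first three
# are the Defender tampering steps from the list above; the fourth is the
# relaunch from a fresh directory under AppData\Roaming.
RULES = [
    ("defender_realtime_off",
     r"set-mppreference\b.*-disablerealtimemonitoring[\s:]+(\$true|1)\b"),
    ("defender_service_stop", r"\bsc(\.exe)?\s+stop\s+windefend\b"),
    ("defender_service_delete", r"\bsc(\.exe)?\s+delete\s+windefend\b"),
    ("exec_from_roaming", r"appdata\\roaming\\[^\\\s]+\\[^\\\s]+\.exe\b"),
]

# 'cmd /c', 'cmd.exe /k' and the quoted full-path "C:\Windows\System32\cmd.exe" /c forms
_CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/[ck]\s+')


def normalize(cmdline):
    """Lowercase, collapse whitespace and peel any cmd /c wrappers so the rules
    see the same text for the wrapped and the bare command."""
    s = " ".join(cmdline.split()).lower()
    while True:
        peeled = _CMD_WRAPPER.sub("", s, count=1)
        if peeled == s:
            return s
        s = peeled


def match_rules(cmdline):
    """Names of the rules that fire on one command line."""
    s = normalize(cmdline)
    return [name for name, rx in RULES if re.search(rx, s)]


def find_chains(events):
    """events: process-creation records {pid, ppid, cmdline}. Group each
    process under its top-most observed ancestor and report trees that both
    tamper with Defender and launch an .exe from AppData\\Roaming."""
    parent = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(set)
    for e in events:
        pid = e["pid"]
        for _ in range(64):                    # walk up, bounded against loops
            if parent.get(pid) not in parent:
                break
            pid = parent[pid]
        hits[pid].update(match_rules(e["cmdline"]))
    return [(root, sorted(names)) for root, names in hits.items()
            if "exec_from_roaming" in names
            and any(n.startswith("defender_") for n in names)]


SAMPLE_EVENTS = [   # constructed to mirror the command list above, not a capture
    {"pid": 4480, "ppid": 1204, "cmdline": r'"C:\Users\bob\Downloads\sample.exe"'},
    {"pid": 4512, "ppid": 4480, "cmdline": "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4530, "ppid": 4480, "cmdline": "cmd /c sc stop WinDefend"},
    {"pid": 4544, "ppid": 4480, "cmdline": r'"C:\Windows\System32\cmd.exe" /c sc delete WinDefend'},
    {"pid": 4560, "ppid": 4480, "cmdline": r"C:\Users\bob\AppData\Roaming\chromedata\teut.exe"},
    {"pid": 5100, "ppid": 1204, "cmdline": r'"C:\Program Files\Vendor\updater.exe"'},
    {"pid": 5120, "ppid": 5100, "cmdline": "cmd /c sc query WinDefend"},   # benign lookalike
]

if __name__ == "__main__":
    for root, names in find_chains(SAMPLE_EVENTS):
        print(f"pid {root}: {', '.join(names)}")
```

On a current Windows build with Tamper Protection enabled the first command is blocked and the service cannot be stopped or deleted even from an elevated prompt, but the attempt itself is still the signal worth alerting on. exec_from_roaming on its own fires on legitimate per-user software (chat clients, updaters), which is why the chain requires a defender_* hit in the same process tree before it alerts.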

RSA Key Material:

The key material can be found in the following directory:
AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1641868771-3925178861-3970043647-1000\
The subdirectory under RSA\ is named after the SID of the user account, so it will differ on other hosts.
Debugging System:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: TrickBot.A_4 (Trojan)

Cyber Security News & Trends – 06-07-19

This week, there’s a new cybersecurity power couple as SonicWall and ADT announce a strategic partnership to protect SMBs, U.S. cities face a ransomware pandemic and the ‘invisible web’ is growing rapidly.


SonicWall Spotlight

ADT Selects SonicWall as Exclusive Provider of Managed Cybersecurity Service Offerings for SMBs – SonicWall

  • SonicWall and ADT announce a strategic partnership that provides an exclusive cybersecurity offering to better protect small- and medium-sized businesses (SMB) from the growing volume of cyberattacks.

ADT Teams Up with SonicWall for SMB Security Services – Dark Reading

  • SonicWall CEO Bill Conner explains why SonicWall was the logical choice for a new cybersecurity offering from ADT, a company best known for delivering physical security monitoring. The connection between the two companies dates back to ADT’s acquisition of Secure Designs, Inc (SDI), formerly an MSSP selling SonicWall SMB security products.

Cyber Security News

Hackers Won’t Let Up in Their Attack on U.S. Cities – The Wall Street Journal

  • As Baltimore is still recovering a month after a devastating ransomware attack crippled the city’s infrastructure, the FBI is warning that this is not an isolated incident, calling the growing levels of ransomware attacks a “pandemic in the United States”.

Cyber-Thieves Turn to ‘Invisible Net’ to Set Up Attacks – BBC News

  • Gated chat forums, invitation-only communities and encrypted apps are the new communication channels of choice for cybercriminals to evade law enforcement agencies.

Hackers Steal $9.5 Million from GateHub Cryptocurrency Wallets – ZD Net

  • GateHub has released a preliminary statement confirming a security breach that has resulted in nearly $9.5 million stolen from the users of their cryptocurrency wallet service.

Hacking Diabetes: People Break into Insulin Pumps as an Alternative to Delayed Innovations – USA Today

  • Diabetes patients are jailbreaking their own insulin pumps, using instructions found online, in order to give their pumps the ability to self-adjust and remove the need for constant blood sugar monitoring.

LabCorp Data Breach Exposes Information of 7.7 Million Consumers – USA Today

  • A day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

Hackers Can Now Bypass Two-Factor Authentication With a New Kind of Phishing Scam – Fortune

  • Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

Baltimore Ransomware Attack: NSA Faces Questions – BBC

  • After a ransomware attack currently estimated to cost at least $18M, Baltimore officials are questioning why the vulnerability exploited by EternalBlue was not disclosed when it was discovered by the NSA years ago. The NSA is declining to comment on the issue.

New Zealand Budget Leak: ‘Hackers’ Had Simply Searched Treasury Website – The Guardian

  • After the embargoed New Zealand budget was leaked to the opposition National Party days before it was due to be released, officials were quick to call it a hack. However, it has now been found that the documents were searchable on the New Zealand treasury website.

HawkEye Malware Campaign Upticks on Business Users – SC Magazine

  • HawkEye, a keylogger that has been around for six years, has seen a major increase in a campaign targeting business users worldwide.

Startups: Embrace Cybersecurity Priorities From Day One – Forbes

  • Forbes argues that cybersecurity in startups should not be considered an add-on or a luxury product and provides four cybersecurity priorities that a startup needs to think about from day one.

Emotet Made up 61% of Malicious Payloads in Q1 – Dark Reading

  • A new study has found that 61% of all malware payloads in the first quarter of 2019 contained the Emotet botnet.

Security Expert: Here’s How Driverless Cars Could Be Hacked – Yahoo! Finance

  • As cars modernize and driverless cars become a reality, it is fair to say that they are becoming more and more like a series of interconnected computers. Yahoo! Finance looks at where the security weak point in these computers might be found, how it could be targeted by hackers, and how the car industry is struggling to keep up with security requirements.

Nation-State Security: Private Sector Necessity – SecurityWeek

  • Attackers with the funding and technical support of nation-states are now targeting commercial entities and the obvious split between commercial and political cyberattacks is disappearing. SecurityWeek examine the current threat landscape, including the increasing number of organizations embracing “Zero Trust” security models where all environments are considered untrusted until proven otherwise. They then offer some advice on how to ensure your organization is ready for cyberattacks.

Microsoft Issues Second Warning About Patching BlueKeep as PoC Code Goes Public – ZDNet

  • Microsoft again warned users to ensure their patches are up to date to protect against the Bluekeep vulnerability – described as similar to the EternalBlue exploit – after a proof-of-concept attack appeared online. SonicWall provides protection against this threat.

In Case You Missed It

Android Gustuff still actively spreading under the cover of social media apps

SonicWall Capture Labs Threats Research Team observed a highly obfuscated and packed Android malware which showed hints of anti-VM capabilities. Upon getting the malware to execute and studying its behavior, this sample turned out to be part of the infamous Gustuff malware family.

Initial Observations

The malware requests the following permissions:

  • change network state
  • uses policy force lock
  • write sms
  • disable keyguard
  • access coarse location
  • internet
  • access fine location
  • send sms
  • bind accessibility service
  • c2dm.permission.receive
  • access network state
  • get tasks
  • permission.read external storage
  • write external storage
  • receive boot completed
  • authenticate accounts
  • call phone
  • write settings
  • read phone state
  • read sms
  • vibrate
  • system alert window
  • access wifi state
  • wake lock
  • change wifi state
  • receive sms
  • read contacts
  • get accounts

This malware requests the permission bind accessibility service, which can give an application the ability to perform actions such as button clicks on behalf of the user. This permission has been observed in use by a number of Android malware samples in recent times.
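A way to turn the permission list above into a triage signal, as an added example (not code from the original analysis or from SonicWall): it parses a constructed, trimmed AndroidManifest.xml (not the sample's real manifest), collects the permissions the app requests or binds to, and scores the risky ones and the combinations that together describe overlay and SMS-theft capability. Note that bind accessibility service is not a `<uses-permission>`; an app obtains it by declaring an accessibility `<service>` guarded by that permission, so the parser reads both places. The risk descriptions and weights are this example's own assumptions.

```python
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the real manifest of the Gustuff sample): a
# trimmed AndroidManifest.xml carrying a subset of the permissions listed above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Assumed risk descriptions: why each permission matters from a defender's view.
HIGH_RISK = {
    "BIND_ACCESSIBILITY_SERVICE": "can read the screen and click on the user's behalf",
    "SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "READ_SMS": "can read stored SMS, including one-time codes",
    "RECEIVE_SMS": "can intercept incoming SMS",
    "SEND_SMS": "can send SMS from the device",
    "WRITE_SMS": "can alter the SMS store",
    "CALL_PHONE": "can place calls without confirmation",
    "DISABLE_KEYGUARD": "can dismiss the lock screen",
    "GET_TASKS": "can learn which app is in the foreground",
    "RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
    "READ_CONTACTS": "can harvest contacts",
}

# Assumed combinations that together describe a banking-trojan capability.
COMBOS = [
    ({"BIND_ACCESSIBILITY_SERVICE", "SYSTEM_ALERT_WINDOW"}, "UI hijack: overlay plus accessibility"),
    ({"READ_SMS", "RECEIVE_SMS"}, "OTP theft: read plus intercept SMS"),
    ({"GET_TASKS", "SYSTEM_ALERT_WINDOW"}, "targeted overlay: knows the foreground app"),
    ({"SEND_SMS", "READ_CONTACTS"}, "SMS spreading to contacts"),
]


def manifest_permissions(xml_text):
    """Return the short names of permissions the app requests or binds to."""
    root = ET.fromstring(xml_text)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name.rsplit(".", 1)[-1])
    # Services guarded by a system permission (accessibility, device admin, ...).
    for elem in root.iter("service"):
        perm = elem.get(f"{{{ANDROID_NS}}}permission")
        if perm:
            names.add(perm.rsplit(".", 1)[-1])
    return names


def assess(permissions):
    """Score a permission set: one point per risky permission, two per combination."""
    flagged = {p: HIGH_RISK[p] for p in sorted(permissions) if p in HIGH_RISK}
    combos = [why for needed, why in COMBOS if needed <= permissions]
    return {"flagged": flagged, "combos": combos, "score": len(flagged) + 2 * len(combos)}


def triage_manifest(xml_text):
    """Parse and score a manifest in one step."""
    return assess(manifest_permissions(xml_text))


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print(f"{perm:28s} {why}")
    for why in report["combos"]:
        print("combination:", why)
    print("score:", report["score"])
```

On the constructed manifest the script flags seven permissions and three combinations; a social-media app with a legitimate purpose rarely needs accessibility, overlay and SMS access at the same time, which is the point the triage score makes visible.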

The sample we obtained carries the name Instagram Shared and is installed with the icon similar to that of Instagram:

Once executed it shows the image of a puppy with a button named Close:

After a while the icon disappears from the app drawer but the application still runs in the background via services:

Evasion mechanisms

As mentioned earlier, this malware is highly obfuscated and not a lot of information can be gained by looking at its code. This allows the malware to escape automated scanners that rely on code-based detection mechanisms alone, and it also adds a roadblock for security researchers studying its code:

We extracted the deobfuscated .jar file that is dropped in one of the folders of this application and analyzed the code further:

This sample has multiple levels of checks to ensure that it's not running in a virtual/sandboxed environment; it checks for the presence of specific files related to Qemu, Genymotion, Bluestacks and Bignox:

The application also checks if SafetyNet is active on the device:

Behavior Upon Execution

Once the malware starts execution, we observed it communicating with the server and relaying data about the device, which included the IMEI number, Android version, default SMS app, etc:

An interesting thing we observed was that whenever we did not perform an activity on the device, the malware would calculate and keep track of the idle time and relay it to the C&C server. The image below shows how the time gets reset to 0 once we performed an activity on the device (which includes any sort of user intervention):


Additional network communication data:

  • 88.99.17.62/api/v2/get.php – Posts device related information
  • 88.99.17.62/api/v2/load_sms.php – Posts SMS messages from the infected device
  • 88.99.17.62/api/v2/set_card.php – Posts credit card related data
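The three network indicators above are easy to hunt for in web-proxy logs. The following is an added example (not code from the original analysis or from SonicWall) that runs a small matcher over constructed proxy log lines; the log format (timestamp, client, method, URL, status) is this example's own assumption, and the sample lines are constructed, not captured traffic. A match on both the host and one of the URI paths is rated high; a match on only the path or only the host is rated medium, since the same PHP endpoints could be reused on another server, and the host could serve other content.

```python
import re
from urllib.parse import urlparse

# Indicators from the analysis above; labels paraphrase the page's descriptions.
C2_HOST = "88.99.17.62"
C2_PATHS = {
    "/api/v2/get.php": "device information upload",
    "/api/v2/load_sms.php": "SMS exfiltration",
    "/api/v2/set_card.php": "credit card data upload",
}

# Constructed proxy log lines (assumed format: ts client method url status).
SAMPLE_LOG = """\
2019-06-21T10:00:01Z 10.0.0.5 POST http://88.99.17.62/api/v2/get.php 200
2019-06-21T10:00:02Z 10.0.0.5 GET http://example.com/index.html 200
2019-06-21T10:03:10Z 10.0.0.7 POST http://88.99.17.62/api/v2/load_sms.php 200
2019-06-21T10:04:15Z 10.0.0.9 POST http://203.0.113.4/api/v2/set_card.php 200
2019-06-21T10:05:00Z 10.0.0.5 GET http://88.99.17.62/favicon.ico 404
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

SEVERITY_RANK = {"medium": 1, "high": 2}


def classify(url):
    """Return (severity, reason) for a URL, or None when it matches no indicator."""
    parsed = urlparse(url)
    host_hit = parsed.hostname == C2_HOST
    path_hit = parsed.path in C2_PATHS
    if host_hit and path_hit:
        return ("high", C2_PATHS[parsed.path])
    if path_hit:
        return ("medium", "known C2 path on a different host: " + C2_PATHS[parsed.path])
    if host_hit:
        return ("medium", "contact with known C2 host")
    return None


def scan(log_text):
    """Parse each log line and collect the ones that match an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        verdict = classify(m["url"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


def worst_per_client(hits):
    """Keep only the most severe hit for each client, for a per-host summary."""
    worst = {}
    for hit in hits:
        current = worst.get(hit["client"])
        if current is None or SEVERITY_RANK[hit["severity"]] > SEVERITY_RANK[current["severity"]]:
            worst[hit["client"]] = hit
    return worst


if __name__ == "__main__":
    for client, hit in worst_per_client(scan(SAMPLE_LOG)).items():
        print(f"{client:10s} {hit['severity']:6s} {hit['url']}  ({hit['reason']})")
```

The per-client summary is what an analyst would pivot on: every device that posted to `load_sms.php` or `set_card.php` has already leaked data and should be treated as compromised, while a path-only match on another host is a lead for finding further infrastructure of the same family.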


A Host of Commands and Targets

Within the code we found a number of commands that this malware is capable of executing:

One of the commands, checkApps, checks for the presence of apps from a long list of financial applications that the malware keeps track of. This list includes a mix of banking and crypto-related apps, which is something new, as malware of this kind has traditionally targeted banking apps. The recent rise in the popularity and value of cryptocurrencies may have led to this new inclusion:

The malware also maintains a list of anti-virus apps for Android:

Although this malware did not show a lot of network activity for us, the sheer list of commands and capabilities showcase the potency of this malware family.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • AndroidOS.Gustuff.DCD
  • AndroidOS.Gustuff.DN

Appendix

List of financial apps that are targets for this malware:

  • com.xapo
  • secret.pattern
  • org.westpac.bank
  • btg.org.freewallet.app
  • com.anz.android
  • com.bitcoin.wallet
  • com.coinspace.app
  • com.wirex
  • com.bitpay.wallet
  • com.commbank.netbank
  • com.aegiswallet
  • au.com.ingdirect.android
  • secret.access
  • com.coinbase.android
  • btc.org.freewallet.app
  • com.circle.android
  • de.schildbach.wallet_test
  • com.anz.android.gomoney
  • eth.org.freewallet.app
  • com.kryptokit.jaxx
  • bcn.org.freewallet.app
  • com.bitpay.copay
  • bcc.org.freewallet.app
  • com.hashengineering.bitcoincash.wallet
  • com.btcontract.wallet
  • piuk.blockchain.android
  • org.stgeorge.bank
  • de.schildbach.wallet
  • lt.spectrofinance.spectrocoin.android.wallet
  • co.edgesecure.app
  • com.citibank.mobile.au
  • org.electrum.electrum
  • me.cryptopay.android
  • net.bither
  • au.com.nab.mobile
  • com.coincorner.app.crypt
  • com.arcbit.arcbit
  • com.qcan.mobile.bitcoin.wallet
  • com.plutus.wallet
  • org.banksa.bank
  • org.bom.bank
  • com.kibou.bitcoin
  • distributedlab.wallet
  • com.airbitz
  • au.com.bankwest.mobile
  • com.bitcoin.mwallet

List of anti-virus apps scanned for:

  • com.avast.android.mobilesecurity
  • com.avast.android.batterysaver
  • com.avast.android.passwordmanager
  • com.avast.android.cleaner
  • com.atvcleaner
  • com.digibites.accubattery
  • com.lionmobi.battery
  • ch.smalltech.battery.free
  • com.samsung.android.lool
  • com.sec.pcw
  • com.antivirus
  • org.antivirus
  • com.zrgiu.antivirus
  • com.nqmobile.battery
  • com.dianxinos.dxbs
  • com.noxgroup.app.cleaner
  • com.lionmobi.powerclean
  • com.lm.powersecurity
  • com.cleanmaster.mguard
  • com.dianxinos.optimizer.duplay
  • com.lionmobi.netmaster
  • com.darshancomputing.BatteryIndicator
  • com.antivirus.tablet
  • com.avira.android
  • com.avira.optimizer
  • om.a0soft.gphone.aDataOnOff
  • com.avira.homeapp
  • com.kms.free
  • com.kms.me
  • com.kaspersky.batterysaver
  • com.kaspersky.kes
  • com.kaspersky.iot.scanner
  • com.bitdefender.antivirus
  • com.bitdefender.security
  • com.bitdefender.centralmgmt
  • com.bitdefender.parentaladvisor
  • com.bitdefender.wifibox
  • com.bitdefender.agent
  • com.symantec.mobilesecurity
  • com.symantec.mobile.idsafe
  • com.symantec.familysafety
  • com.nitrodesk.honey.nitroid
  • com.symantec.norton.snap
  • com.sophos.smsec
  • com.sophos.appprotectionmonitor
  • com.sophos.mobilecontrol.client.android
  • com.sophos.smenc
  • com.sophos.sse
  • com.sophos.mobilecontrol.client.android.plugin.lggate
  • com.sophos.mobilecontrol.client.android.plugin.samsung
  • com.sophos.smnfc
  • com.cleanmaster.security
  • com.wsandroid.suite
  • com.psafe.msuite
  • com.qihoo.security
  • com.cmsecurity.lite
  • com.drweb
  • com.drweb.mcc
  • com.eset.ems2.gp
  • com.eset.stagefrightdetector
  • com.eset.avtest
  • com.lookout
  • com.lookout.net
  • com.lookout.stagefrightdetector
  • com.lookout.enterprise
  • com.lookout.heartbleeddetector
  • org.malwarebytes.antimalware
  • com.trendmicro.tmmspersonal
  • com.trendmicro.tmmssuite.mdm
  • com.trendmicro.homenetworkscanner
  • com.trendmicro.virdroid5
  • me.doubledutch.trendmicrogps
  • com.trendmicro.vmi.remotepush
  • com.trendmicro.safesync4biz
  • com.mcafee.security.safefamily
  • com.mcafee.batteryoptimizer
  • com.mcafee.endpointassist
  • com.mcafee.personallocker
  • com.mcafee.mvision
  • com.mcafee.mmi
  • com.mcafee.apps.easmail
  • com.wsandroid.suite
  • com.wsandroid.suite.tmobile
  • com.trustgo.mobile.security
  • com.ijinshan.kbatterydoctor_en
  • com.macropinch.pearl
  • com.gomo.battery
  • com.a0soft.gphone.aDataOnOff