Microsoft IE Zero day CVE-2018-8653

Microsoft released an out-of-band security update today to cover a new zero-day (CVE-2018-8653) in Internet Explorer’s scripting engine.

Microsoft describes this vulnerability as a remote code execution vulnerability in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

SonicWall Capture Labs provides protection against this threat via the following signature:

IPS 13959 : Scripting Engine Memory Corruption Vulnerability (DEC 18) 5

ASPY 5345: Malformed-File html.MP.79

4 Security Predictions for MSSPs in 2019

Each year introduces new cyberattack trends that MSSPs must track, analyze and solve for their customers. Many new attack techniques amount to nothing. Others have devastating impact. But it’s important to remain diligent in monitoring the behaviors of cybercriminal organizations.

What security challenges will you face in 2019? Here are four predictions that could affect how you safeguard your customers in the fast-moving cyber threat landscape.

Cryptojacking will impact your resources.

In case you’re not aware, as of late 2017 cryptomining made up half a percent of the world’s energy consumption. In 2019, the main cryptocurrencies will become too expensive to mine legitimately, and cryptomining facilities will either liquidate assets, wait for another price spike or switch to mining a different altcoin. Legitimate mining of coins is too difficult, hence the spike in cryptojacking.

Cryptominers are a type of malware that is discreetly embedded on machines with a single objective: use your processing power to illegally mine for cryptocurrency. It’s not a breach or compliance issue, so it doesn’t always grab the headlines. But cryptojacking will steal resources — from both you and your customers. This form of malware is also very difficult to detect.

The impact to your customers will likely be slower computers and collateral damage that’s a byproduct of the malware itself. To MSSPs, it can be even more damaging. If you have less compute power, you’ll need more boxes to serve your customers … costing you more and more money until the malware is properly mitigated.

The best methods for stopping malware include an overlapping approach of next-generation firewalls, secure email solutions, real-time sandboxing and advanced endpoint security, which help detect and block modern and never-before-seen malware variants, including emerging cryptojacking attacks.

Ransomware will spike again.

While many cybersecurity vendors are still collecting full-year data for 2018, SonicWall’s year-to-date threat intelligence shows a massive ransomware spike in 2018 after a down 2017. And SonicWall’s early prediction is that 2019 will likely witness the same trend. Despite wild downward swings in cryptocurrency prices, the demands remain the same, but the language has changed to reflect specific dollar amounts: “Send $750 USD worth of bitcoin.”

Through November 2018, SonicWall recorded a 119 percent year-to-date increase in ransomware attacks. In fact, each SonicWall customer faced an average of 56 ransomware attacks — in November alone. That’s a 149 percent increase over the same month last year.

Ransomware is very visible, very damaging and potentially very expensive — either for ransom payout or post-infection remediation. Simply, ransomware has a scare factor and will be noticed by your customers.

Ransomware is also a mess to clean up for MSSPs and costs you even more in support calls and tickets. The worst part? If a customer becomes a ransomware victim, there’s a high likelihood your reputation is tarnished and your relationship damaged.

Encrypted threats will continue their slow rise.

It’s slow and steady, but cyberattacks via encrypted traffic (SSL/TLS) will continue to increase in volume. As long as an attacker applies for a TLS certificate with a name that matches his/her domain registration, the (often free) certificate is theirs. Any malicious payload delivered from that domain/website cannot be inspected by traditional means.

For the most part, SSL/TLS traffic remains an unchecked attack vector for cybercriminals to exploit. Until organizations get serious about responsibly decrypting and inspecting SSL/TLS traffic, cybercriminals will leverage it to circumvent strong network security controls.

As an MSSP, it’s smart to advise customers to leverage next-generation firewalls and other security appliances that offer deep packet inspection of SSL/TLS traffic. This will help further reduce the attack surface area of your customers.

Customers will want you to prove your worth.

Cybersecurity is a booming — and expensive — business. So much so that many of your customers are more educated about malware trends, evolving attack strategies and criminal behavior. And thanks to data breaches published daily in the news, it’s now part of the mainstream dialogue, too.

In short, savvy customers have more awareness than ever and want indicators that demonstrate how you’re protecting their business — and how much it costs to get those results.

Many security vendors and MSSPs are already down this path. If you’re one that hasn’t yet added this to your value-add, it’s time to plan and market solutions and services that deliver customized threat intelligence to your customers. New real-time data and analysis make it easier to prove your worth.


This story originally appeared on MSSP Alert and was republished with permission.

Is 802.11ax Going Away? And What is Wi-Fi 6?

The Wi-Fi Alliance has announced a change in the Wi-Fi naming standards. Yep. That’s right. The terms that you are now used to — like 802.11ax, 802.11ac and 802.11n — are being replaced with a much simpler naming scheme: Wi-Fi 6, Wi-Fi 5 and Wi-Fi 4, respectively.

Anything that predates 802.11n isn’t officially getting a name change. This move from the Wi-Fi Alliance is aimed at making it simpler for manufacturers and consumers to understand and use the technologies. Along with the new names, they get new logos as well. However, from a regulatory and specification standpoint, the standards retain their technical names under IEEE 802.11.

“For nearly two decades, Wi-Fi users have had to sort through technical naming conventions to determine if their devices support the latest Wi-Fi,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance, in the official announcement. “Wi-Fi Alliance is excited to introduce Wi-Fi 6, and present a new naming scheme to help industry and Wi-Fi users easily understand the Wi-Fi generation supported by their device or connection.”

New Wi-Fi Naming Standards

  • Wi-Fi 6 identifies devices that support 802.11ax technology
  • Wi-Fi 5 identifies devices that support 802.11ac technology
  • Wi-Fi 4 identifies devices that support 802.11n technology

Source: Wi-Fi Alliance

According to a new study by the Wi-Fi Alliance, the global economic value of Wi-Fi will reach $1.96 trillion this year and increase to $3.5 trillion by 2023. To keep up with the proliferation of Wi-Fi devices, it is essential to introduce technologies that keep pace with the changing tides. One of the most talked about wireless technologies in recent times is the 802.11ax standard, or Wi-Fi 6.

What is Wi-Fi 6?

Wi-Fi 6 is currently deemed the future of Wi-Fi. Why? Because it introduces significant wireless enhancements over the current Wi-Fi 5 technology.

With the rise in the number of devices and bandwidth-intensive applications, one of the biggest challenges we face on Wi-Fi networks is poor performance. In addition to having high, system-wide throughput, it is also essential to ensure high performance on a per-client basis, specifically for high-density use cases.

This is where Wi-Fi 6 could greatly improve performance, concurrent connections and business productivity. The significant benefits introduced by Wi-Fi 6 include:

  • Orthogonal Frequency Division Multiple Access (OFDMA)
    Wi-Fi 6 introduces OFDMA, which is an enhancement over orthogonal frequency-division multiplexing (OFDM), a technology that is used in Wi-Fi 5 and dates back to the 802.11a era. OFDM allows only one transmission at a time. OFDMA, in comparison, divides a channel into resource units to allow multiple communications simultaneously. With Wi-Fi 6, each resource unit can be as low as 2MHz and as high as 160MHz. This enables multiple data transmissions across multiple devices at the same time, improving overall network efficiency and capacity. Doing so allows frequencies to be divided into smaller subcarriers so that traffic can be coordinated to serve more packets from more devices, increasing the network’s capacity.
  • Upstream and Downstream Multi-User Multiple-In Multiple-Out (MU-MIMO)
    With Wi-Fi 5 Wave 2, MU-MIMO was restricted to only downstream communication, whereas Wi-Fi 6 adds support for MU-MIMO in both upstream and downstream communications. Previously, only the wireless access point (AP) could transmit data to clients simultaneously. Now, clients can transmit data simultaneously back to the AP.
  • 1024 Quadrature Amplitude Modulation (QAM)
    Wi-Fi 5 supports 256 QAM, while Wi-Fi 6 can support 1024 QAM. This denser modulation enables a speed burst of more than 35 percent. This boosts Wi-Fi performance and is most effective for users closer to the access point.
  • Target Wake Time (TWT)
    This mechanism enables AP and client devices to coordinate wake times when devices need to be awake. Doing so improves efficiency, reduces contention and enables power-saving by identifying times when the devices will be awake to send or receive data. This is especially useful in the Internet of Things (IoT) space, leading to significant power-savings for battery-powered devices.
  • Enhancement to 5GHz and 2.4GHz Frequency Bands
    Unlike the Wi-Fi 5 standard that introduced enhancement to only the 5GHz band, Wi-Fi 6 introduces enhancement to both 2.4GHz and 5GHz bands. Data speed of up to 9.6 Gbps is possible with Wi-Fi 6. Enhancements offered by Wi-Fi 6 boost average per-client performance by up to four times in comparison with Wi-Fi 5. In addition, Wi-Fi 6 is backwards-compatible with older technologies like Wi-Fi 5 and Wi-Fi 4.

Solving Challenges with the Wi-Fi 6 Wireless Standard

Wi-Fi 6 is designed for IoT and high-density deployments such as stadiums, universities, shopping malls and transportation hubs, where large numbers of people congregate.

At this point in time, the Wi-Fi 6 standard is still being amended. The finalized draft is expected in late 2019. Until the standard is finalized, it is not advisable to purchase Wi-Fi 6 products.

In addition, there are no real-world clients to benefit from the Wi-Fi 6 enhancements. Let’s face it, even the latest Apple iPhone XS doesn’t support Wi-Fi 5 Wave 2. The time is right to expand your network on Wi-Fi 5, as it is still gaining traction.

SonicWall offers cutting-edge Wi-Fi 5 Wave 2 access points to address the growing needs of Wi-Fi 5 devices. To learn more about how you can securely expand your network, click here.

Executive Brief: Securing the Next Wave of Wireless

Wireless connectivity is ubiquitous in today’s mobile, global economy. Wireless devices range from smartphones and laptops to security cameras and virtual reality headsets. Businesses need to recognize and address their need for high quality, performance and security across wireless networks and endpoints.

Cyber Security News & Trends – 12-14-18

A history of data breaches, SonicWall expands in Dubai and India, and the reappearance of Shamoon. It’s your cybersecurity news roundup for the week.


SonicWall Spotlight

NetSecOPEN Names Founding Members, Board of Directors – Dark Reading

  • SonicWall is amongst the founding members of NetSecOPEN, an organization that aims to create open network security testing standards. Atul Dhablania’s testimonial confirms SonicWall’s dedication.

The 10 Coolest New Cybersecurity Tools of 2018 – CRN

  • SonicWall Capture Cloud Platform is included on CRN’s coolest tool list for its advanced capabilities at analyzing, classifying and blocking malware.

SonicWall Strengthens Regional Presence With New Dubai HQ – Tahawultech (India)

  • SonicWall executive director Michael Berg is interviewed on video talking about the opening of SonicWall’s new office in Dubai.

India, a Key High Growth Market for SonicWall – CRN India

  • Debasish Mukherjee talks SonicWall’s expansion in India, explaining how it’s strong technology that allows SonicWall to stand out from the crowd.

Cyber Security News

The Wired Guide to Data Breaches – Wired

  • Wired traces the history of electronic data breaches, from a 1984 credit agency leak all the way up to the present day, and looks at the future of the cyber arms race.

Is Tech Too Easy to Use? – The New York Times

  • The increase in frictionless tech experiences means end users often don’t think about how their data is being collected and used. This can have devastating effects down the line if a data breach occurs.

Google to Shut Down Google+ Early Due to Bug That Leaked Data of 52.5 Million Users – NPR

  • After inadvertently giving app developers access to information on over 52 million users in November of this year, Google is shutting down Google+ in April rather than August 2019.

Super Micro Finds No Malicious Hardware in Motherboards  – The Wall Street Journal

  • After headline reports earlier this year claimed that the Chinese government had secretly planted spying chips into computers assembled in China, Super Micro Computers Inc. this week told customers that it can find no evidence of hardware tampering.

Poll: Cyber Crime Has Affected One in Four Americans – The Hill

  • Gallup asked the American public if they or a close family member had been affected by cybercrime, and 23 percent said they had.

Fortune 500 Cybersecurity Is Better and Worse Than You’d Think – Axios

  • Rapid7 released their first Industry Cyber-Exposure Report and found huge problems with email security at more than half of Fortune 500 companies. However, it also found that most are doing a good job at reducing entry points.

Over Half of Brazil’s Population Exposed in Security Incident – ZDNet

  • As many as 120 million Brazilian citizens had their ID numbers publicly accessible for weeks in the early months of 2018.

Shamoon Reappears, Poised for a New Wiper Attack – Threat Post

  • Shamoon is data-wiping malware that can completely cripple an infected PC; it previously made world news targeting energy firms. It first emerged in 2012, made a comeback in 2016 and is now being detected again, leading experts to predict that another attack may be imminent.

In Case You Missed It

November Cyber Threat Data: Watch out for Encrypted Attacks

We’ve reviewed hard numbers from SonicWall Capture Labs to provide you with our analysis of November attack patterns, as well as advice on how to combat the trends we’re seeing in the cybersecurity landscape.

November Attack Data

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through November 2018:

  • 9.8 billion malware attacks (29 percent increase from 2017)
  • 3.5 trillion intrusion attempts (41 percent increase)
  • 309 million ransomware attacks (119 percent increase)
  • 2.6 million encrypted threats (65 percent increase)

In November 2018 alone, the average SonicWall customer faced:

  • 1,545 malware attacks (48 percent decrease from November 2017)
  • 798,350 intrusion attempts (14 percent increase)
  • 56 ransomware attacks (149 percent increase)
  • 145 encrypted threats (2 percent decrease)
  • 20 phishing attacks each day (93 percent increase)

Ebb & Flow of Malware Volume

Despite nearly two years of dominating cyberattack data and headlines, SonicWall’s threat data for November shows that the number of malware attacks worldwide is on an interesting seasonal decline, particularly given the traditional volume around holiday shopping.

Earlier this year, SonicWall was reporting an average of around 1 billion malware attacks a month. As of November 2018, malware volume was 650 million, 48 percent less than the November 2017 high of 1.2 billion. Malware volume for the year, however, is still up 29 percent year to date.

Ransomware Continues to be a Global Concern

This does not mean that cybercriminals are slowing down. Any slack has been picked up with huge increases in web app attacks and ransomware this year. SonicWall previously covered the holiday-specific ransomware jumps, but the year has also seen some major regional spikes, with a 112 percent year to date increase in the U.S. and a staggering 1,671 percent increase in the Asia Pacific region.

In real numbers, this brings these regions almost level for the year with 124 million attacks in the U.S. compared to 121 million in Asia Pacific.

Encrypted Threats a Serious Risk

Encryption is growing at a steady rate: nearly 73 percent of all web traffic monitored by SonicWall is encrypted. Unfortunately, there is a corresponding increase in the number of threats that hide in encrypted traffic. SonicWall data shows a 65 percent increase in encrypted threats compared to 2017.

Encryption protocols, such as Transport Layer Security (TLS), Secure Sockets Layer (SSL) and Secure Shell (SSH), are used to hide cyberattacks. Many malware detection and intrusion prevention solutions are not built to inspect encrypted traffic.

Even entry-level SonicWall firewalls combat encrypted threats with Deep Packet Inspection of SSL/TLS-encrypted traffic, and the latest TZ600P and TZ300P range includes PoE integration to cut down on unnecessary wiring.

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

6 Phishing Scams to Look Out for this Holiday Shopping Season

It’s the most wonderful time of year … for cybercriminals. Why? Because it’s the easiest time for them to use phishing attacks to target busy holiday shoppers.

“Cyber Monday sales this year surged to new highs, with a record $7.9 billion spent online that day, an increase of 19.3 percent from a year ago,” according to CNBC, which featured data from Adobe Analytics. “That’s after Black Friday pulled in a record $6.22 billion in e-commerce sales, while sales online Thanksgiving Day totaled $3.7 billion.”

It’s no wonder retailers had another record-breaking year for online sales. Unfortunately, cybercriminals were just as successful. Over the nine-day Thanksgiving holiday shopping window (Nov. 19-27), SonicWall customers faced a 45 percent increase in phishing attacks compared to the average day in 2018. It’s a target-rich environment for cybercriminals to cash in, and the threat doesn’t end after Cyber Monday.

Don’t let phishers steal your holiday spirit. Thankfully, there are proven best practices to improve awareness so employees, consumers and businesses aren’t victimized by malware, ransomware or email threats like phishing attacks.

6 Phishing Attacks, Online Tricks & Holiday Scams to Avoid

Consumers are busy scouring the internet for the best deals whenever they get a few minutes at work, whether in the office or remote. But this presents risk to both employees and businesses. Review these six attacks and scams to be on the lookout for this holiday season.

  • Spoofed Websites: It is estimated that 46,000 new phishing sites are created every day, many of which are propagated through email. According to the Anti-Phishing Working Group (APWG), about 35 percent of phishing attacks were hosted on websites that had HTTPS and SSL certificates, so looking for the lock icon is not enough anymore. Cybercriminals are getting savvier, hijacking the look and feel of popular brands and using spoofed domains with hard-to-catch spelling variations to steal information.
  • Phishing Emails: It’s the holiday season, so employees are in festive moods dreaming about vacation or distracted with online shopping. With the increase in the volume of phishing emails, it is easy to let the guard down and click on well-crafted phishing emails while trying to finish work before the holidays. Businesses should ensure they have a secure email solution implemented to mitigate email-based attacks.
  • Gift Card Scams: Most major retailers offer gift cards that can be purchased electronically. This is truly a gift for cybercriminals to lure victims into clicking on an email offering a free gift card from a major brand or, in the case of a targeted phishing attempt, the gift card may appear to be sent from someone familiar, like a friend or co-worker.
  • Shipping Invoices: This type of phishing email seemingly comes from a popular shipping service, such as FedEx, UPS or the USPS. Cybercriminals use the shopping season opportunistically to send email with phishing links under the guise of tracking a package or downloading a shipping label. Similar shipping phishing emails can appear to come from major retailers like Amazon or Walmart.
  • Illegitimate Apps: Shoppers are taking to mobile apps to shop and the cybercriminals are taking notice. Lookalike apps and rogue apps crowd popular app stores and, once downloaded, prompt for credit card information, social media login credentials or permission to access data on your phone.
  • Letters from Santa: Scammers send bogus emails promising to send your child a letter from Santa for a fee. Beware of clicking on such emails and providing payment information. Many, unfortunately, are scams that prey on unsuspecting parents.

Phishing Awareness for Employees, Businesses

Practicing simple awareness can keep employees and businesses safe from the majority of phishing-based cyberattacks. After all, criminals are counting on users to be too busy to take a few seconds to vet a deal, email or sale. Implement the following tips and best practices to ensure your holiday remains festive.

Tips for employees to enjoy shopping online safely:

  • If the deal is too good to be true, then it probably is … don’t take the bait
  • Stay away from suspicious websites promising coupon codes
  • Hover over and scan URLs before clicking; malicious URLs are usually easy to spot (e.g., unknown domains, long string of numbers, etc.)
  • Don’t provide personal information, such as passwords and credit card numbers, on unknown websites
  • Use only reputable websites for online shopping
  • Avoid using unsecure public Wi-Fi networks; if you must, use a virtual private network (VPN) to stay safe

Tips for organizations, businesses and enterprises to keep their employees safe:

  • Refresh employee awareness and training programs to help them identify phishing emails
  • Ensure endpoint devices are patched and updated
  • Implement layered security with the following critical components:

SonicWall automated, real-time breach detection and prevention solutions help organizations implement a layered security architecture for enterprises, SMBs, governments, retailers, healthcare organizations and more.

Exclusive Video: Why Layered Security Matters

SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks.

New Variant: PcShare Trojan, With [ups2 version 1.0.2] Server, Dec. 2018

Overview:

SonicWall Capture Labs (Threat Research Team) is announcing the following:

  • Trojan variant PcShare, with the server “ups2 V1.0.2”.

The older Forshare Trojan was announced around the time WannaCry and the EternalBlue exploit were being covered by everyone in 2017. No one seemed to notice the Forshare Trojan. However, the information below may change your mind about this new variant. The Trojan has been rebuilt, modified and upgraded. Its capabilities are as follows:

  • Audio & Video Capturing
  • Downloading & Uploading of Files
  • Token Grabbing
  • Checking Process State
  • CPU Frequency Analysis
  • Disk Operations
  • Get Directory List
  • Get File Information
  • Get Directory Information
  • Get Disk Information
  • Renaming Files
  • Executing Files
  • Searching For Files
  • Copying Files
  • Saving Files
  • Searching Directories
  • Get Process List
  • Kill Process
  • Enumerate Processes
  • Enumerate Windows
  • Control Services
  • Reconfigure Services
  • Delete Services
  • Get Service Configs
  • Delete Registry Keys
  • Enumerate Registry Keys
  • Fill Disk Capacity
  • Memory Copying and Comparing
  • Mouse & Keyboard Logging
  • Proxy Support
  • Shell Redirection

Pictures of these capabilities within the code base are at the bottom of this article.

Our network sensor displayed the following IP address information. So, let’s take a deeper look into the sample:

Sample Static Information:

The sample is packed with UPX 2.90 [LZMA] (Delphi Stub) as seen by the following picture:

Unpacking The Sample:

Using CFF Explorer’s “UPX unpack” feature on this sample, the new static information is as follows:

Main Server Information:

Once the sample is unpacked, we can see several pieces of information inside the main function, such as:

  • The version number of the server (ups2 V1.0.2).
  • The parameters of the server: (Control Mode, Debug Log, Create Action, Version and Help).
  • The log file name is also given below.

Multiple server instances are allowed:

Windows Audio Control Service:

Scanning through the main function we can find where the (Windows Audio Control) service gets created:

Looking up CreateServiceA() on MSDN, we can see that the service type is 0x10 (SERVICE_WIN32_OWN_PROCESS), meaning a “service that runs in its own process”.
The start type is SERVICE_AUTO_START (0x2), a service started automatically by the SCM during startup.

Next, the service will setup its control handler procedure:

The service callback handler can accept five controls.

All of the controls default to the server’s error handling and debugging routine; there is only this one default routine.

This tells us the (Windows Audio Control) service is just a front for debugging and error handling.

The Server Updating and Downloading Multiple Files:

The server will check for and execute every line of the following files listed in “HTTP Network Objects” every two hours:

  • xpdown.dat
  • down.html
  • 64.html
  • vers.html
  • kill.txt
  • downs.txt
  • downs.exe
  • b.exe aka msief.exe
  • item.dll aka item.dat

HTTP Network Objects

Wireshark Http Objects:

[Network Object 1]: xpdown.dat:

When we exported the xpdown.dat object from Wireshark, the object was RSA-encrypted with one of the keys below:

This is the object pulled from Wireshark.

The file is also created on disk via the CreateFile API (xpdown.dat code):

After the file was created we were able to look at the contents of the file xpdown:

[Network Object 2]: down.html:

[Network Object 3] 64.html:

[Network Object 4]: vers.html:

[Network Object 5]: kill.txt:

[Network Object 6]: downs.txt:

[Network Object 7]: downs.exe:

downs.exe file static information.

downs.exe file information for CACL, legit clean software:

[Network Object 8]: b.exe aka msief.exe:

b.exe static information.

The “b.exe” binary is a self-extracting archive or installer. We can see one of its resources below:

Unpacking the self-extracting installer with 7-Zip reveals the following directory structure:

c3.bat

cacls changes permissions on files and folders.
(/e is equal to edit ACL instead of replacing it.)
(/d is deny specified user access.)


n.vbs

The n.vbs script will call c3.bat above.

Special Find, (Item.dll aka Item.dat)

Inside (downs.txt, Network Object 6) we’ve found something pretty special.
When we visited the “/item.dll” location to see if we could download “item.dat” it was active.
We were able to pull down the file. Here is what the static information looks like:

Next, we checked its entropy to see whether it was encrypted or packed.

Since it had high entropy, we scanned it for packers and protectors and found:

Knowing the file was packed and protected, we decided to throw it into IDA Pro anyway, mostly to see whether there were any artifacts to be found, and sure enough we found the following:

Finding “zsdfvvgt.dll” was a lucky break, because it led us straight to GitHub:

(Item.dll aka Item.dat) is a part of this project: https://github.com/sinmx/pcshare/

We located the artifact here: https://github.com/sinmx/pcshare/blob/master/%E4%BC%81%E4%B8%9A%E5%AE%9A%E5%81%9A/PcMain/PcMain.def

This gives us access to the entire code base without unpacking the sample.
Sometimes, you get lucky and find what you need in the dark corners of a binary.

Supported Systems:

Capability Overview:

Audio

Delete Service

CPU Frequency

Disk Operations

Memory Operations

Mouse and Keyboard Operations

Proxy Support

CMyClientMain Class Code Base

Summary:

This Trojan is disguised as legitimate software (Windows Audio Control Service).
This Trojan displayed the following actions:

  • A backdoor which gives malicious users remote control over the machine.
  • An up-loader, down-loader and updater to install malware components and scripts over time.
  • The sample is statically linked with OpenSSL 0.9.8x (10 May 2012), making the code base larger than it should be. This will generate false positives for ransomware and miner malware.
  • Modifies, deletes, and copies data disrupting the natural performance of your computer and network.
  • Sample uses RSA (Public and Private) Asymmetric Encryption.
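The behaviours described above (the “Windows Audio Control” service created with type 0x10 and SERVICE_AUTO_START, the cacls /e /d edits in c3.bat, and the HTTP objects the server polls every two hours) translate directly into host and proxy log checks. The following triage script is an added example, not SonicWall’s code; the log lines it parses are constructed in a simplified key=value format made up for this example, not a real Sysmon or EVTX layout.

```python
"""Triage checks for the PcShare / ups2 behaviours described above.

Added example (not SonicWall's code).  It runs three checks over
constructed log lines in a simplified key=value layout:
  1. a service named "Windows Audio Control" installed with type 0x10
     (own process) and start 0x2 (auto) from a path outside System32
  2. cacls invoked with /e /d, as in the dropped c3.bat
  3. HTTP requests for the object names the server polls every two hours
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SERVICE_WIN32_OWN_PROCESS = 0x10   # "service that runs in its own process"
SERVICE_AUTO_START = 0x2           # started by the SCM during startup

# File names listed under "HTTP Network Objects" in the write-up.
POLLED_OBJECTS = {"xpdown.dat", "down.html", "64.html", "vers.html",
                  "kill.txt", "downs.txt", "downs.exe", "b.exe", "item.dll"}

# Constructed sample log (paths, host name and the cacls target are
# placeholders, not values from the real sample).
SAMPLE_LOG = """\
event=service_install name="Windows Audio Control" type=0x10 start=0x2 image="C:\\ProgramData\\ups2\\server.exe"
event=service_install name="Windows Audio" type=0x20 start=0x2 image="C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted"
event=process_create image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd /c c3.bat"
event=process_create image="C:\\Windows\\System32\\cacls.exe" cmdline="cacls C:\\placeholder\\file.dat /e /d users"
event=http_get url="http://example.invalid/xpdown.dat"
event=http_get url="http://example.invalid/downs.txt"
event=http_get url="http://example.invalid/index.html"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values are unquoted."""
    return {k: (q if b == "" else b) for k, q, b in KV_RE.findall(line)}


def check_service(ev):
    """Own-process, auto-start service mimicking a Windows name, but
    whose binary does not live under System32."""
    if ev.get("event") != "service_install":
        return None
    stype, start = int(ev["type"], 16), int(ev["start"], 16)
    if (ev["name"] == "Windows Audio Control"
            and stype & SERVICE_WIN32_OWN_PROCESS
            and start == SERVICE_AUTO_START
            and "\\windows\\system32\\" not in ev["image"].lower()):
        return f"suspicious service '{ev['name']}' auto-started from {ev['image']}"
    return None


def check_cacls(ev):
    """cacls editing an ACL (/e) to add a deny entry (/d), as c3.bat does."""
    if ev.get("event") != "process_create":
        return None
    cl = ev.get("cmdline", "").lower()
    if "cacls" in cl and " /e" in cl and " /d" in cl:
        return f"cacls deny-ACL edit: {ev['cmdline']}"
    return None


def check_http(ev):
    """Request for one of the files the ups2 server re-fetches every two hours."""
    if ev.get("event") != "http_get":
        return None
    name = urlsplit(ev["url"]).path.rsplit("/", 1)[-1].lower()
    if name in POLLED_OBJECTS:
        return f"request for ups2 polled object {name}: {ev['url']}"
    return None


def triage(log_text):
    """Return (alerts, counts): alert messages and how many each check raised."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        for check in (check_service, check_cacls, check_http):
            msg = check(ev)
            if msg:
                alerts.append(msg)
                counts[check.__name__] += 1
    return alerts, counts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[0]:
        print(alert)
```

On the constructed log this raises four alerts: one for the service, one for the cacls deny edit and two for the polled xpdown.dat and downs.txt requests, while the legitimate shared-process “Windows Audio” service and the index.html request pass.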

SonicWall Gateway AntiVirus provides protection against this threat:

  • GAV: Barys.A_733

GandCrab Ransomware has started hiding under JavaScript and PowerShell

SonicWall Capture Labs Research team recently observed a malware campaign delivering GandCrab ransomware hidden under JavaScript and PowerShell. Once installed on the victim’s computer, the ransomware encrypts files and demands a ransom to decrypt them. Instead of dropping a PE file to disk and executing it, this variant of GandCrab uses powershell.exe to load the payload DLL into memory and perform the encryption from there.

Infection Cycle:

The infection begins with a JavaScript file shown in image below.

Fig-1. Initial JavaScript containing encrypted scripts

The above JavaScript contains an encrypted PowerShell script and an encrypted JavaScript. After 10 seconds of delay, it decrypts the encrypted JavaScript and executes it.

Fig-2. Decrypted JavaScript

This JavaScript creates a log file in the %appdata% folder. The log file contains an encoded PowerShell script that is decrypted from the data shown in Fig-1. The encoded PowerShell script is shown in the figure below.

Fig-3. Encoded PowerShell Script

The PowerShell script is decoded by removing every '?' character and is then executed.

The JavaScript launches PowerShell with the following command:

jklqtyurkut.ShellExecute(wcnquc, '-ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText(\'' + bygeyemm + 'bwcuoqir.log' + '\')).Replace(\'?\',\'\'));"', "", "open", 0);

where "wcnquc" holds the path to powershell.exe and "bygeyemm" the path of the folder containing the log file.
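The launch line above is a good detection anchor: a script host spawning PowerShell with an execution-policy bypass, Invoke-Expression, a file read and an inline string strip. The following is an added example written for this page (not SonicWall's signature logic or the malware's code) that scores process-creation events against those indicators. The events are constructed, in a simplified "ParentImage|Image|CommandLine" form; the threshold of three indicators is an assumption and should be tuned against real telemetry.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# Indicators lifted from the dropper's launch line. Note that the backslashes
# in the JScript source are string escapes; the command line PowerShell
# actually receives contains plain '?' and '' literals, which is what we match.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I),
    "invoke_expression":  re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "file_read_into_iex": re.compile(r"\[(?:System\.)?IO\.File\]::ReadAllText\(", re.I),
    "inline_strip":       re.compile(r"\.Replace\(\s*'[^']'\s*,\s*''\s*\)", re.I),
}

# Constructed sample events (not real telemetry). Event 0 mirrors the dropper,
# event 1 is a benign scheduled script, event 2 is a variant with short flags.
SAMPLE_EVENTS = [
    r'''C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\u\AppData\Roaming\bwcuoqir.log')).Replace('?',''));"''',
    r'''C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1''',
    r'''C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -c "iex ([IO.File]::ReadAllText('C:\temp\x.txt'))"''',
]


def parse_event(line):
    """Split the simplified 'ParentImage|Image|CommandLine' record."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def analyse_event(line):
    """Return the names of every indicator the event matches."""
    ev = parse_event(line)
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
    parent_name = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent_name in SCRIPT_HOSTS and ev["image"].lower().endswith("powershell.exe"):
        hits.append("script_host_parent")
    return hits


def is_suspicious(line, threshold=3):
    """Assumed policy: three or more indicators on one event is worth an alert."""
    return len(analyse_event(line)) >= threshold


def triage(events):
    """Indices of the events that cross the threshold."""
    return [i for i, e in enumerate(events) if is_suspicious(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, is_suspicious(e), analyse_event(e))
```

The parent-process check matters because the dropper is a JavaScript file run by wscript.exe; a PowerShell process whose parent is a script host is rare in most environments, so it raises the score even when the attacker changes the flag spelling.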

Fig-4. Decoded PowerShell script

This decoded PowerShell script base64-decodes a second PowerShell script and executes it. The decoded second script is shown below:

Fig-5. 2nd PowerShell Script

This second PowerShell script contains a compressed, base64-encoded PE file. It decompresses the PE file and loads it into the memory of powershell.exe. The loaded PE file is a .NET DLL that in turn contains another base64-encoded PE file. The .NET DLL decodes this new PE file and loads it in memory, as shown in the figure below:

Fig-6. .NET DLL containing a base64-encoded PE file

This decoded PE file is a Borland Delphi DLL that contains the encrypted GandCrab payload. It decrypts the main payload in memory and executes it. The payload now runs inside the memory of powershell.exe and starts encrypting files. No PE file is dropped to disk; the malicious GandCrab payload is loaded and executed entirely within the memory of powershell.exe.
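Because every layer of this chain is reached by a text transform (strip '?', base64-decode, decompress) rather than by running code, the first stages can be unpacked statically. The block below is an added example written for this page, not the malware's own code or SonicWall's tooling: it mirrors the dropper's Replace('?','') step, walks through nested base64 layers, and carves the compressed PE out of the second stage. The log content is a constructed stand-in with a fake MZ/PE header, and the compression algorithm (gzip or deflate) is an assumption, since the write-up only says the PE is compressed.

```python
import base64
import gzip
import re
import zlib

PADDING_CHAR = "?"  # the dropper's log file hides its script by inserting '?' characters
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64 runs only


def strip_padding(text, pad=PADDING_CHAR):
    """Stage 0: mirror IEX(ReadAllText(log).Replace('?','')) without executing anything."""
    return text.replace(pad, "")


def find_base64_blobs(text):
    return [m.group(0) for m in B64_RE.finditer(text)]


def try_decompress(data):
    """Assumption: the PE is gzip- or deflate-compressed (the write-up only says 'compressed')."""
    for inflate in (gzip.decompress, zlib.decompress, lambda d: zlib.decompress(d, -15)):
        try:
            return inflate(data)
        except (OSError, EOFError, zlib.error):
            continue
    return None


def is_pe(data):
    """MZ header plus an e_lfanew that points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def to_text(data):
    for enc in ("utf-8", "utf-16-le"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            pass
    return None


def unpack_chain(log_text, max_depth=5):
    """Walk log -> stage-1 script -> base64 -> stage-2 script -> base64 -> compressed PE.
    Returns every script layer seen and the carved PE (or None)."""
    stages = [strip_padding(log_text)]
    for _ in range(max_depth):
        next_stage = None
        for blob in find_base64_blobs(stages[-1]):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            payload = try_decompress(raw) or raw
            if is_pe(payload):
                return {"stages": stages, "pe": payload}
            text = to_text(raw)
            if text is not None:
                next_stage = text
                break
        if next_stage is None:
            break
        stages.append(next_stage)
    return {"stages": stages, "pe": None}


# --- constructed sample mimicking the layers described above (not the real malware) ---

def build_fake_pe():
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(256)) * 4  # stand-in body


def build_sample_log():
    b64_pe = base64.b64encode(gzip.compress(build_fake_pe())).decode()
    stage2 = ('$bytes = [Convert]::FromBase64String("' + b64_pe + '")\n'
              '# stage 2 would inflate $bytes and load it with [Reflection.Assembly]::Load\n')
    b64_s2 = base64.b64encode(stage2.encode()).decode()
    stage1 = ('$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("' + b64_s2 + '"))\n'
              'IEX $s\n')
    # sprinkle the padding character the way the dropper's log file does
    return "".join(ch + (PADDING_CHAR if i % 3 == 2 else "") for i, ch in enumerate(stage1))


if __name__ == "__main__":
    result = unpack_chain(build_sample_log())
    print("script layers:", len(result["stages"]), "PE carved:", is_pe(result["pe"] or b""))
```

The carved PE is the .NET DLL of the write-up, not the final GandCrab payload: the Delphi DLL it embeds is decrypted with a key only the .NET code knows, so that last layer still needs a debugger or a sandbox rather than a static pass.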

After encryption, it displays the following message by changing the desktop wallpaper.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GandCrab.RSM_10 (Trojan)

Microsoft Security Bulletin Coverage for December 2018

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of December 2018. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2018-8477 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8514 Remote Procedure Call runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8517 .NET Framework Denial Of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8540 .NET Framework Remote Code Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8580 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8583 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13943 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 3
CVE-2018-8587 Microsoft Outlook Remote Code Execution Vulnerability
ASPY 5339 Malformed-File rwz.MP.2
CVE-2018-8595 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8596 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8597 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8598 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8599 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8604 Microsoft Exchange Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5341 Malformed-File exe.MP.46
CVE-2018-8612 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8617 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 3756 EXPLOIT HTTP Client Shellcode 19
CVE-2018-8618 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13944 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 4
CVE-2018-8619 Internet Explorer Remote Code Execution Vulnerability
IPS 13939 Internet Explorer Remote Code Execution Vulnerability (DEC 18)
CVE-2018-8621 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8622 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8624 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13936 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8625 Windows VBScript Engine Remote Code Execution Vulnerability
IPS 13945 VBScript Engine Remote Code Execution Vulnerability (DEC 18) 1
CVE-2018-8626 Windows DNS Server Heap Overflow Vulnerability
There are no known exploits in the wild.
CVE-2018-8627 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8628 Microsoft PowerPoint Remote Code Execution Vulnerability
ASPY 5340 Malformed-File ppt.MP.8
CVE-2018-8629 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13937 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 2
CVE-2018-8631 Internet Explorer Memory Corruption Vulnerability
IPS 13935 Internet Explorer Memory Corruption Vulnerability (DEC 18) 2
CVE-2018-8634 Microsoft Text-To-Speech Remote Code Execution Vulnerability
IPS 13934 Internet Explorer Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8635 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8636 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8637 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8638 DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8639 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8641 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8643 Scripting Engine Memory Corruption Vulnerability
IPS 13946 Windows Scripting Engine Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8649 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8651 Microsoft Dynamics NAV Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2018-8652 Windows Azure Pack Cross Site Scripting Vulnerability
There are no known exploits in the wild.

PDF campaign distributing Ursnif through malicious VBS

The SonicWall RTDMI engine detected a number of PDF files containing a link to a malicious archive file. At the time of detection, this malicious file was absent from popular malware search portals such as VirusTotal and ReversingLabs, which indicates the effectiveness of the RTDMI engine.

Fig-1 VirusTotal results for the PDF file

Analysis

The PDF files are distributed to victims disguised as documents from Australian organizations such as Indigenous Business Australia. To deceive victims, each PDF is made to look as realistic as possible, with misleading text and icons related to the targeted organization. The document displays an icon suggesting that a document file will be downloaded when it is clicked, as shown in the images below. Instead, an archive containing a malicious VBScript is downloaded from "hxxp://kruanchan.com/00198728883.zip".

Fig-2 Snapshots of PDF files.
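The PDFs here carry no exploit; their only active content is a link annotation whose URI action fetches the archive. That makes static triage cheap: pull every /URI action out of the file and flag the ones that point at archives or executables. The block below is an added example written for this page, not SonicWall's RTDMI engine or anything from the campaign. The sample PDF is constructed (it reuses the kruanchan.com URL reported above and adds an example.org link, a Launch action and a link hidden inside a FlateDecode stream); real PDFs may also use filters or object-stream layouts this minimal parser does not handle.

```python
import re
import zlib
from urllib.parse import urlparse

# Objects are matched in the raw file and inside any FlateDecode stream we can inflate.
URI_LITERAL_RE = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<(?P<h>[0-9A-Fa-f\s]+)>")
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|GoToR|SubmitForm)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SUSPICIOUS_EXT = (".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs", ".jar", ".iso")


def unescape_pdf_literal(raw):
    """Resolve the escapes allowed in a PDF literal string: \\n \\r \\t \\b \\f, \\ddd octal, \\( \\) \\\\."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):
            n = raw[i + 1]
            if n in simple:
                out.append(simple[n]); i += 2; continue
            if 0x30 <= n <= 0x37:  # up to three octal digits
                j, val = i + 1, 0
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    val = val * 8 + (raw[j] - 0x30); j += 1
                out.append(val & 0xFF); i = j; continue
            out.append(n); i += 2; continue
        out.append(c); i += 1
    return bytes(out)


def inflate_streams(pdf):
    """Append the inflated content of every zlib stream so objects hidden in object streams are visible."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def extract_uris(pdf):
    data = inflate_streams(pdf)
    uris = [unescape_pdf_literal(m.group("s")).decode("latin-1") for m in URI_LITERAL_RE.finditer(data)]
    uris += [bytes.fromhex(re.sub(rb"\s", b"", m.group("h")).decode()).decode("latin-1")
             for m in URI_HEX_RE.finditer(data)]
    return uris


def extract_actions(pdf):
    """Distinct action types present; anything beyond URI/GoTo deserves a look."""
    return sorted({m.group(1).decode() for m in ACTION_RE.finditer(inflate_streams(pdf))})


def suspicious_uris(uris):
    """URIs whose path ends in an archive or executable extension (hxxp defanging is tolerated)."""
    return [u for u in uris
            if urlparse(u.replace("hxxp", "http", 1)).path.lower().endswith(SUSPICIOUS_EXT)]


def build_sample_pdf():
    """Constructed minimal PDF (not one of the samples above)."""
    hidden = (b"7 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (hxxp://example.invalid/payload.exe) >> >> endobj")
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 640]\n"
        b"   /A << /S /URI /URI (hxxp://kruanchan.com/00198728883.zip) >> >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 500 300 540]\n"
        b"   /A << /S /URI /URI (https://example.org/doc\\(1\\).pdf) >> >> endobj\n"
        b"6 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj\n"
        b"8 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("actions:", extract_actions(sample))
    print("suspicious:", suspicious_uris(extract_uris(sample)))
```

Inflating streams is what makes the difference on real samples: a link annotation tucked into a compressed object stream is invisible to a plain string search but is still rendered and clickable by the viewer.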

At the time of analysis, both the archive and the malicious VBScript were detected by only a handful of AV vendors, as seen below:

Fig-3 VirusTotal results for the downloaded archive file

Fig-4 VirusTotal results for the VBS script file

To hinder analysis, the VBScript is highly obfuscated as shown below:

Fig-5: Obfuscated VBScript code

Fig-6 Code of VBScript after deobfuscation

As seen above, the script first creates an Internet shortcut file named "Google.url" in the %TEMP% directory, with 'www.google.com' as its target link. It then tries to download malicious content from "hxxp://news.pompeox.org/", saves it in the %TEMP% folder as "ie.exe", and finally executes the downloaded file. The downloaded file belongs to the Ursnif malware family.

Indicators of Compromise:

 PDF:

0a2f235f05f376fcf150fda15229b070dec2018cb944b1bd0d9a4e25b5bdcf93

27ea0ef04a082aa7a48f48d4197b9039eeadd4b01eb6c285581acdcc436d5d9c

3a22b101a3af813080be8aaeb73583eef5f4683363330cd6a0342efee1282b7b

3e96c3c6829cd3fc3b79c9407321f832ff30d372a350e5eead67a907c188f814

97992932e1651273168da68bfbbe7ed50a02e5829ccdfde9543faeb83020835d

b3da4bbdc7e6da8111eff84051f0c91da2424905e7ea81facd8f3ceba01e1222

e9fc167781608914489c500ed5445c27db0b3e216a7917c2c9b88269ba864b6c

Archive: ab74a5181b552055621e1abbd0336a1d7f110360db20ab8e51f97a332d4024e3

VBS: 554da6d32b3226bfe058fa545be80dc06895cca33843bf618c7c65a5e14d47b4

Fig-7 Snapshot of SMASH detection Report