Android mining trojan so aggressive it can break your device

As cryptocurrencies become more valuable, cybercriminals are upping their game to make a healthy profit out of their unwilling victims. This week, the SonicWall Capture Labs Threat Research Team received reports of a malicious Android app that turns your mobile device into a cryptocurrency mining slave.

Infection cycle:

The sample we have analyzed installed a fake security application called CM Security. It even uses the same icon as the legitimate version from Cheetah Mobile.

Upon installation it asks for admin privileges.

After being granted admin rights, the malicious app hides its icon from the main menu. It also makes it difficult for a standard user to uninstall the app: the uninstall option is grayed out.

This app inspects the operating system build properties to determine whether it is running in a virtual environment or an emulator. It checks for common emulators such as the Android emulator kernel (Goldfish), Genymotion and Droid4x.

With admin rights, this malware now has access to the phone’s address book and can send SMS messages, among many other capabilities.

This malware uses the wakelock mechanism to force the device to stay awake, and uses the keyguard service to lock and unlock the lock screen (keyguard).

We found the following modules within the app which are related to displaying advertisements on the user’s device.

We also found modules that appear to handle how the compromised device communicates back to a remote server, and possibly how commands are received so that malicious tasks can then be carried out.

Lastly, we found this mining class within the app. The malware uses Coinhive, a JavaScript miner for the Monero blockchain.

It has been reported that the aggressive mining this malware performs puts the device under such strain, running at full load, that it overheats and breaks the device.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Coinminer.JS (Trojan)

Cisco Prime Network Analysis Module Directory Traversal Vulnerability

Cisco Prime Network Analysis Module (NAM) is network management software that gives network administrators multifaceted visibility to help optimize network resources, troubleshoot performance issues and deliver a consistent end-user experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because of an input validation bug when processing certain HTTP parameters, an attacker could send a crafted HTTP request to graph.php to gain access to any file or folder accessible to the web service, and even delete any file the web service has permission to delete.

The file graph.php in Cisco Prime Network Analysis Module is used to display graphic elements such as charts on the web page. It contains a routine that reads local files inside /tmp; the name of the file in the /tmp directory is specified by the sfile parameter. However, graph.php does not adequately filter this parameter. When the request contains “../” sequences, the path can refer to files outside the intended folder, resulting in a directory traversal vulnerability. What makes things worse is that the same HTTP request is used to delete the file. That means an unauthenticated attacker could cause considerable damage on the target server.

  // open file
  if(!file_exists($sfile) || !($f = fopen($sfile, "r")))
  {
      error_log("Stat file not found: $sfile");
      exit;
  }

  // read file
  while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats
  {;}
  fgets($f, 2000);
  $j = 0;
  $bytes = array();
  while(!feof($f))
  {
      $s = fgets($f, 2000);
      $s = substr($s , strrpos($s, "| "));
      $s = substr($s, 1, -2);
      $bytes[$j++] = (int)trim($s);
  }
  fclose($f);

  // only checks if the path starts with /tmp/, if so, delete the file.
  // no filter on the parameter
  if(strncmp($sfile, "/tmp/", 5)==0)
      unlink($sfile);
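The five-byte prefix test from the snippet above beside a canonicalizing check, as an added Python example (not Cisco's code): the path is resolved with realpath() and accepted only if its parent is exactly the expected directory. A temporary directory stands in for /tmp, and the file and request names are constructed.

```python
import os
import tempfile
from typing import Optional


def prefix_check(sfile: str) -> bool:
    """The only test graph.php applies before unlink(): strncmp($sfile, "/tmp/", 5) == 0.
    It inspects five bytes of the raw parameter, so "/tmp/../etc/passwd" passes."""
    return sfile.startswith("/tmp/")


def canonical_child_of(root: str, sfile: str) -> Optional[str]:
    """Return the canonical path of `sfile` if it names a file directly inside `root`,
    otherwise None. realpath() collapses "." and ".." segments and resolves symlinks,
    so the comparison is made on where the path points, not on how it was spelled."""
    if not sfile or "\x00" in sfile:
        return None                                   # empty or NUL-truncated names
    root_real = os.path.realpath(root)
    raw = sfile if os.path.isabs(sfile) else os.path.join(root_real, sfile)
    target = os.path.realpath(raw)
    # The resolved parent must be exactly the root directory. This rejects
    # traversal ("<root>/../etc/passwd" -> "/etc/passwd"), nested subdirectories
    # and prefix look-alikes such as "<root>evil/stats.txt".
    if os.path.dirname(target) != root_real:
        return None
    return target


def delete_stats_file(root: str, sfile: str) -> bool:
    """Hardened counterpart of graph.php's unlink(): only a validated path is removed.
    Returns True when a file was actually deleted."""
    target = canonical_child_of(root, sfile)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Run both checks over constructed inputs. A throwaway temporary directory stands
    in for /tmp so that nothing outside it can be touched."""
    root = tempfile.mkdtemp(prefix="graph-demo-")
    victim = os.path.join(root, "stats.txt")
    with open(victim, "w") as fh:
        fh.write("| Interval |\n| 42 |\n")           # constructed stand-in for a stats file

    traversal = os.path.join(root, "..", "etc", "passwd")
    dotted = os.path.join(root, ".", "sub", "..", "..", "etc", "shadow")
    results = {
        # graph.php's prefix test: a traversal path is accepted just like a real one
        "prefix_accepts_legit": prefix_check("/tmp/stats.txt"),
        "prefix_accepts_traversal": prefix_check("/tmp/../etc/passwd"),
        # canonicalizing check: only the direct child survives
        "canon_accepts_legit": canonical_child_of(root, victim) == os.path.realpath(victim),
        "canon_accepts_relative": canonical_child_of(root, "stats.txt") == os.path.realpath(victim),
        "canon_rejects_traversal": canonical_child_of(root, traversal) is None,
        "canon_rejects_dotted": canonical_child_of(root, dotted) is None,
        "canon_rejects_lookalike": canonical_child_of(root, root + "evil/stats.txt") is None,
        "canon_rejects_nested": canonical_child_of(root, "sub/stats.txt") is None,
        "canon_rejects_nul": canonical_child_of(root, "stats.txt\x00.jpg") is None,
        # deletion: the traversal request is refused before unlink() is reached
        "delete_traversal_refused": not delete_stats_file(root, traversal),
    }
    results["victim_untouched"] = os.path.isfile(victim)
    results["delete_legit_ok"] = delete_stats_file(root, "stats.txt")
    results["victim_removed"] = not os.path.exists(victim)
    os.rmdir(root)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```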

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal

Home Automation Security: Is it too late?

In a casual conversation with my realtor friend, I learned that many upscale tract builders now include home automation to increase margin. We’ve come a long way since the X10 days.

Home automation is still a splintered industry. No end-to-end solutions exist. There are, of course, the commercial integrators targeting custom estates with project cost measured in the percentage of home values.

The value of these integrators is that these specialized vendors have found various sub-systems that work well together. These solutions have often been around for decades. Their security works by virtue of being discrete systems interconnected via serial copper links, some with odd protocols like bit banging. These are easy to hack, but one needs physical access. We have not heard of many breaches for that reason.

Apple, Amazon Change the Game

But with Apple HomeKit and Amazon Echo, the world changed dramatically. From a vendor’s perspective, solutions such as HomeKit significantly decrease the complexity of a product. A HomeKit vendor only focuses on contributing a small part of a solution, which can be as small as a single light bulb. HomeKit brings it all together.

Some devices have built-in Ethernet or Wi-Fi interfaces, but many speak some proprietary wired or wireless protocols and use a small device called a “bridge” or a “hub” to translate to a central controller. I actually like the bridge approach. It brings many legacy players into the consumer arena with very solid solutions.

Echo and HomeKit are not the only controllers in town. There are many, many other products, from old dogs such as HomeSeer to new vendors like Wink, popping up each day. Some are already exiting. Any of these devices can be grouped into on-prem and cloud solutions.

Home automation: On-prem or in the cloud

On-prem controllers can theoretically be deployed air-gapped. They do not need internet access other than for optional remote access and software updates, and perhaps initial licensing. Cloud controllers need internet access to work: if you lose access to the internet, devices stop working.

Complexity doesn’t end there. Since vendors came up with bridges and hubs, it does not cost them much more to add out-of-the-box siloed cloud access, giving consumers an instant plug-and-play experience without the need for a controller. Consumers appreciate the ease of deployment, but need an app for each island.

Geeks like me appreciate the APIs into these bridges, which provide the same benefits as systems that used to cost into the tens of thousands of dollars.

3 Best Practices for Home Automation Security

How do we secure all of this? Because of the diversity of systems around, I cannot give a flat response. Here are some basic tips:

  1. Unique emails and passwords. First, give anything with cloud access a very secure password registered to an email account that is not used for anything else and not generally known.
  2. Secure and segment Wi-Fi access. Secure the home network very thoroughly with a strong Wi-Fi password. Add an isolated guest network for devices outside the family. This goes, of course, with solid perimeter controls, such as gateway antivirus (GAV) and intrusion prevention systems (IPS).
  3. Implement network isolation. This can be challenging. Many systems need client devices — smart phones, bridges and controllers — to all be in the same broadcast domain. For instance, HomeKit uses an Apple TV as a remote access hub to HomeKit devices within the broadcast domain. Firewalls can still be deployed here, but in L2 bridged mode. Luckily, bridges typically use HTTPS, SSH, telnet and HTTP to communicate, in that order. Occasionally, you see some odd sockets. But, mostly, we can control them via SPI rules and apply IPS on common services. L2 segmentation is the key word here, such as Native Bridge support in SonicOS 6.5.

It will be very exciting to observe the consumer home automation industry mature — both from capabilities and security. You will hear more from us in the coming quarters as SonicWall takes a special interest in IoT.

Cxor Infostealer actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the Cxor malware family [Cxor.A] actively spreading in the wild.

The malware gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\svchost.exe [fake svchost.exe]

    • %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [log data]

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable to the %Userprofile% folder and runs the following commands:

A user’s data can be very valuable to an attacker, so more data translates to more profit. The main goal of this malware is to collect as much user data as possible. The malware also performs keylogging and steals clipboard data from the target, saving it in the following registry key:

Command and Control (C&C) Traffic

Cxor.A performs C&C communication over port 1177. The malware sends the victim’s system information to its own C&C server in the following format; here are some examples:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cxor.A (Trojan)

Microsoft Security Bulletin Coverage

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of December 2017. A list of the issues reported, along with SonicWall coverage information, follows:

  • CVE-2017-11885 Windows RRAS Service Remote Code Execution Vulnerability
    IPS:7037 Suspicious SMB Traffic -ts 7

  • CVE-2017-11886 Scripting Engine Memory Corruption Vulnerability
    IPS:11665 Scripting Engine Memory Corruption Vulnerability (MS16-063) 2

  • CVE-2017-11887 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11888 Microsoft Edge Memory Corruption Vulnerability
    SPY:5049 Malformed-File html.MP.71

  • CVE-2017-11889 Scripting Engine Memory Corruption Vulnerability
    IPS:13119 Scripting Engine Memory Corruption Vulnerability (DEC 17) 10

  • CVE-2017-11890 Scripting Engine Memory Corruption Vulnerability
    IPS:13118 Scripting Engine Memory Corruption Vulnerability (DEC 17) 9

  • CVE-2017-11893 Scripting Engine Memory Corruption Vulnerability
    IPS:13117 Scripting Engine Memory Corruption Vulnerability (DEC 17) 8

  • CVE-2017-11894 Scripting Engine Memory Corruption Vulnerability
    IPS:13116 Scripting Engine Memory Corruption Vulnerability (DEC 17) 7

  • CVE-2017-11895 Scripting Engine Memory Corruption Vulnerability
    IPS:13115 Scripting Engine Memory Corruption Vulnerability (DEC 17) 6

  • CVE-2017-11899 Microsoft Windows Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11901 Scripting Engine Memory Corruption Vulnerability
    IPS:13114 Scripting Engine Memory Corruption Vulnerability (DEC 17) 5

  • CVE-2017-11903 Scripting Engine Memory Corruption Vulnerability
    IPS:13113 Scripting Engine Memory Corruption Vulnerability (DEC 17) 4

  • CVE-2017-11905 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11906 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11907 Scripting Engine Memory Corruption Vulnerability
    IPS:13109 Scripting Engine Memory Corruption Vulnerability (DEC 17) 1

  • CVE-2017-11908 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11909 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11910 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11911 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11912 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11913 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11914 Scripting Engine Memory Corruption Vulnerability
    IPS:13110 Scripting Engine Memory Corruption Vulnerability (DEC 17) 2

  • CVE-2017-11916 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11918 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11919 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11927 Microsoft Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11930 Scripting Engine Memory Corruption Vulnerability
    IPS:13111 Scripting Engine Memory Corruption Vulnerability (DEC 17) 3

  • CVE-2017-11932 Microsoft Exchange Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11934 Microsoft PowerPoint Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11935 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11936 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11937 Microsoft Malware Protection Engine Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11939 Microsoft Office Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11940 Microsoft Malware Protection Engine Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Cryptocurrency, Ransomware and the Future of Our Economy

History is full of people who’ve labored over missed opportunities. Like all other non-bitcoin-owning people, I am one of them.

I first heard of cryptocurrency in early 2013 and scoffed at the idea that something with no intrinsic or collectable value would trade for $20. The concept of owning a portion of a cryptographic code — and it having actual value — is still hard for many to swallow.

Now that an available bitcoin (BTC) is valued at over $19,000 (USD), I lament the fact that an investment of $1,000 in 2013 would have netted me half a million dollars today. Furthermore, had I been tuned into the movement in 2010, I would be a billionaire today. You too. Stings a little, doesn’t it?

At no point in history has it been so easy to become extremely wealthy out of thin air. And it is not just people like you and me who think about this, but criminals as well. This is not only causing major shifts in financial markets, but also in malware development.

What is Cryptocurrency?

With all of the noise about cryptocurrency, here is what we know as we near 2018:

  • There are, or have been, over 1,300 other cryptocurrencies on the market. These are called altcoins.
  • Most people have never owned a single “coin” from any blockchain.
  • Most have no basis for value, which means it’s subjective and speculative (e.g., like a baseball card or an artistic sketch). The community dictates the value.
  • Some are tied to a real currency (e.g., 1 Tether coin = $1 USD).
  • Governments struggle with regulation and don’t want to encourage the use of decentralized currencies.
  • They often function like startups. Founders get an early crack at the supply chain and hold an equitable stake in the algorithm. Instead of a stock IPO they release them as part of an Initial Coin Offering (ICO).
  • Most of the popular coins cannot be mined by your computer anymore. Today, it’s only achieved through professional-grade mining operations.
  • No one knows how high or low bitcoins and cryptocurrency will go; either they will die or become the basis for our future economy.
  • The popular coins today are desired by cybercriminals and are the main form of payment within ransomware.
  • Like a TLS digital certificate, cracking the actual encryption is nearly impossible. Bitcoins are, however, fairly easy to steal and even easier to lose or destroy.
  • Malware is used to steal coins and to also turn infected endpoints into mining bots.

Bitcoin Is the Great Ransomware Enabler

Because cryptocurrency is virtually untrackable, holds great value and is easily traded online, it is the preferred way to get paid on the black market. Without the value of bitcoin, you wouldn’t have heard about ransomware.

Ransomware is responsible for causing billions of dollars (USD) in damage across the world. Furthermore, the actual cost of the problem isn’t the cost of bitcoin to return your files (if you ever get them back), but the fallout from an attack.

Ransomware is fun for the media because you can easily quantify the ransoms and take photos of the demand screens, but not so fun for hackers. After all the development, updates and propagation of the malware, only between five and 10 percent of victims pay the demands. But there is another way.

Bitcoin Mining

Instead of having your victims pay you once, what about having your victims unknowingly work for you? Well, that is what a lot of malware is doing today. By leveraging a portion of your compute power to form a bitcoin mining pool, hackers don’t have to kill the goose that lays the golden egg.

The result? The home computer has less power to run normal processing and incurs higher energy costs. When this approach works its way into a corporate network, it could cause major productivity and service issues.

For some hackers, these two attack vectors are small-time thinking. Instead of counting on a distributed attack vector across a global landscape of endpoints with mixed vulnerabilities, what about a single targeted attack?

Hackers don’t attack the algorithm behind the coins; they attack where the coins are stored. Cryptocurrency banks and exchanges are ripe targets for attacks. If you factor in the price of a bitcoin (at the time I started writing it was $8,160 and after editing it is $16,000) — the second Mt. Gox attack emptied bitcoin wallets to the tune of over $11 billion USD. Wow! At the time, the bitcoin haul was nearly 744,000 coins worth $436 million USD and caused the value of bitcoin to fall to a three-month low.

Cryptocurrency: Is it the Future?

Like most dual-sided arguments, those inside a social ecosystem are bullishly optimistic. Those outside remain pessimistic. I’m in between. I see the opportunity to capitalize on the attention, but recognize the many limitations behind cryptocurrencies that cap their viability into the future.

I’ve never owned a bitcoin but have entered into a few key platforms for the short term. As mentioned, the value is purely subjective, much like an arbitrary piece of art, which can be a good investment as long as there is a large pool of people with the financial ability to support and bloat its value.

What is the difference in value between this rare Honus Wagner T206 card ($3.12 million USD) and the common Dusty Baker’s 1987 Topps card ($0.70 USD)? The answer lies in the availability of the item and the demand from the consumer.

Bitcoin, Ethereum and Monero all have value because a community of people feels it does. The more people who enter this pool, the greater the potential value. Some are investors and others are victims buying a ransom. But what truly drives the cost of bitcoin is attention — just like a piece of sports memorabilia. When you mirror Google’s search trend data to the historical price of BTC, you see a direct correlation.

What does this tell me? Once the attention fades, people will lose interest. At that point, the price will come down, similar to a Derek Jeter autographed baseball. Additionally, as ransomware becomes less effective, fewer people will buy bitcoin for the sake of digital freedom. And that freedom is the primary thing cryptocurrency can buy.

In the past year, every time the price of bitcoin dropped, the Chicken Littles of the world wanted to be the first to cry out, “The sky is falling!” I do believe there will come a time when bitcoins will have the value of the 1986 Topps Traded Pete Ladd sitting in the back of your closet (less than $1), but its value won’t crumble in a day.
With the remaining 1,000-odd altcoin cryptocurrencies (that currently hold value) out there with a collective market cap of over $400 billion (at the time of writing), it would take a lot for crypto-investors to create the fire sale needed to topple the market. Instead, I see it like the Ice Age: built in stages and then a slow recession.

The altcoins wouldn’t exist today if bitcoin wasn’t popular and a goldmine for the early investors. The creators of these algorithms are like the leaders of pyramid scams. They created the rules and the ecosystem to make money and only exist if their supporters exist, much like an Amway Double-Dutch Triple-Black Platinum Diamond Founder’s Crown Elite Wizard. These will be the first to die. The beginning of their end is when bitcoin hits a plateau lasting more than two months.

In the Ice Age analogy, bitcoin is much like a large glacier that icicles attach to. As the sun shines, they will melt, leaving only the strongest cryptocurrencies to linger. I see bitcoin and Ethereum lasting for years, but only at a small price point. The coins in active circulation will be mostly in the possession of cyber criminals (if they aren’t already) and will be sold to the victims of cybercrimes to pay ransoms until the practice to buy cryptocurrency is outlawed country by country.

And, with that, the official death of ransomware.

Death in a Cathedral

Thirty years from now when we look back at cryptocurrency, we will reminisce about the second coming of the roaring ‘20s. Without the presence of Babe Ruth and the Charleston, we’ll have great unregulated wealth that comes to a crash.

In my conservative outsider-ish advice, I recommend minor, short-term cryptocurrency investments that you are not afraid to lose. Watch the price of bitcoin. When you see a plateau lasting a month, sell. (However, I’m not a financial advisor and I have no fiduciary duties to you. Please do your own research.)

Remember the old adage: movements are built in caves and die in cathedrals. Bitcoin is in the cathedral phase of its life. And if you understand the politics and history of cathedrals, you would be wary of entry. If not, read The Gothic Enterprise: A Guide to Understanding the Medieval Cathedral. Pay attention to fallout surrounding the bankrupt Bishop Milo de Nanteuil.

The Marriage Between Malware & Cryptocurrency

Another adage I was raised with, “make hay when the sun shines,” is what hackers are doing today. As the flames of bitcoin flare, more moths will be drawn to its light. The illicit creation, extortion and theft of digital coins will drive the price to an all-time high.

Because of the outrageous volume of ransomware infections in 2016, and the infamous attacks in 2017, malware defense is at an all-time high too, but it is not enough. Network and endpoint security needs to be a serious topic of discussion.

At SonicWall, we’ve made great strides to get ahead of the cryptocurrency attacks, long before a hunk of digital code was valued at dollar volumes higher than what your grandfather paid for his first home.

Before the public release of Zcash, we released the SonicWall Capture Advanced Threat Protection service, which is a cloud-based network sandbox that works in line with SonicWall next-gen firewalls to run and test suspicious code in an isolated environment to prevent newly developed ransomware attacks (and other forms of malware too).

To bolster endpoint protection, we created an alliance with SentinelOne to provide an enhanced endpoint security client framework to provide next-generation anti-virus capabilities to our current endpoint offerings.

To learn more on how SonicWall can prevent malicious attacks, please read our solution brief, Five Best Practices for Advanced Threat Protection. If you’d like to discuss this blog, the marriage between malware and cryptocurrency, and to send your potentially future-worthless digital collectibles, reach out to me on Twitter.

3 Disruptive Trends Driving Demand for Automated Cyber Security for SMBs

Organizations typically struggle to provide a holistic security posture. There are many security vendors providing exciting and innovative solutions. But from a customer perspective, they often become various point solutions solving several unique problems. This often becomes cumbersome, expensive and unmanageable. Some of the most recent trends in this area are discussed in this blog; each could add further complexity to an organization’s security posture.

IoT the new mobile?

The Internet of Things (IoT) brings challenges to the industry similar to those that mobile introduced over the last eight years. These endpoints are non-general-purpose computing devices, often with a specific function, but they typically have an operating system, applications and internet access. Unlike mobile, IoT devices do not usually have the same high level of user interaction, so breaches are more likely to go unnoticed. Poor security controls can result in events similar to the recent IoT botnet that caused havoc to major online services, including Twitter, Spotify and GitHub.

The industry should look to the lessons from securing mobile and apply these to IoT. This is most important in the consumer space, but as with mobile we’ll see risks arise in the commercial space as well, including HVAC, alarm systems and even POS devices.

Mobile and Desktop Convergence

More focus needs to be spent on unifying the identity, access and controls for mobile and desktop security. As this often requires custom integration across differing solutions and products, it’s difficult to maintain and troubleshoot when things go wrong.

Some solutions only focus on data protection, endpoint lockdown or only on mobile applications. By themselves, none of these go far enough, and software vendors should aim to provide more open ecosystems. By exposing well documented APIs to customers and integration partners, this would allow for better uniformity across services, with a richer workflow and improved security.

Cloud and SaaS

As we see endpoints split across mobile and desktop, customers are rapidly splitting data across a hybrid IT environment. While we expect hybrid to be the norm for many years to come, organizations need to consider how security and usability can be blended so that security controls don’t become too fragmented, result in a poor experience for users, or become unmanageable for IT.

How SMBs can automate breach detection and prevention

The impact of a security breach on an SMB is significant. When large organizations detect fraudulent activities, they expect to write off a fair percentage of the cost. On the flip side, the impact of a $50,000-$200,000 incident on a small business could be enough for it to cease trading. To the attacker, SMBs are a relatively easy target, as they may not have the expertise or manpower to protect against an advanced and persistent threat.

For 25 years, SonicWall has maintained a rich security portfolio, which is primarily focused on delivering enterprise-grade security for our SMB customers. Our vision is to simplify and automate, to solve complex security challenges — all while meeting the constantly evolving threats. It’s an ongoing arms race after all!

Taking full advantage of our vast database of threat intelligence data, coupled with advanced research from the SonicWall Capture Labs team, we ensure our customers of all sizes can detect and prevent these threats. The breadth and depth of our portfolio also includes offerings that specifically help with mobile, cloud and IoT security.

Stop ransomware and zero-day cyber attacks

One of our biggest strengths is combatting advanced persistent threats, ransomware and zero-day cyber attacks with the award-winning SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox. Capture ATP is now available as a security service across each product in our portfolio, providing a unique protection solution across a multitude of scenarios.

Simplify endpoint protection

For endpoint protection, we are also very excited about our recent partnership agreement with SentinelOne. This brings the highest level of zero-day malware prevention on the endpoint while concurrently simplifying solutions for organizations of all shapes and sizes.

To learn more about how SonicWall helps our customers implement mobile security, download: Empowering Mobile Workforce to Collaborate Securely.

PayDay – Negotiating ransom with a ransomware operator

The SonicWall Capture Labs Threat Research Team has conducted an experimental dialog with a ransomware operator using the PayDay ransomware trojan. PayDay is a recent variant of the BTCWare ransomware trojan and has been in the wild for a few weeks. PayDay follows the current ransomware operator trend of using email to communicate with victims in order to demand payment for file decryption. The demanded payment has increased to an astronomical 0.5 Bitcoin (roughly $8000 USD at today’s prices). In this case, however, the price could be negotiated lower.

Infection cycle:

Upon infection the following page is displayed on the screen:

The Trojan makes the following changes to the filesystem:

  • encrypts files and adds the following extension to the filename: .[payday@rape.lol]-id-1274.wallet
  • adds %APPDATA%\Roaming\payday.hta (as seen above)
  • adds ! FILES ENCRYPTED.txt to any attached drives/network shares after encrypting files

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1payday “%APPDATA%\Roaming\payday.hta”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 2baby “%APPDATA%\Roaming\payday.hta”

! FILES ENCRYPTED.txt contains the following message:

Good afternoon. Your computer underwent PayDay infection. All data are ciphered by a unique key which is only at us. Without unique key - files cannot be recovered.
Each 24 hours are removed 24 files. (we have their copies)
If not to start the program the decoder within 72 hours, all files on the computer are removed completely, without a possibility of recovery.
Read Attentively instructions how to recover all ciphered data.
PayDay
------------------------------------------------------
You will be able to recover files so:
1. to contact us by e-mail: payday@rape.lol
- you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the payment instruction. (payment will be in bitcoin)
- report your ID and we will switch off any removal of files (if do not report your ID identifier, then each 24 hours will be
to be removed on 24 files. If report to ID-we will switch off it)
2. you pay and confirm payment.
3. after payment you receive the program the decoder. Which will recover your data and will switch off function of removal of files.
------------------------------------------------------
You have 48 hours on payment.
If you do not manage to pay in 48 hours, then the price of interpretation increases twice.
To recover files, without loss, and on the minimum rate, you have to pay within 48 hours.
Address for detailed instructions e-mail: payday@rape.lol

We followed the instructions and sent an email with 2 encrypted files attached to payday@rape.lol. In under 10 minutes we received the following response:

The response included an attachment to one of the encrypted files that we sent for decryption. Although the file content had changed, it remained encrypted. Perhaps the operator had used the wrong key. The response also contained an unused (probably freshly generated) bitcoin address for receiving funds: 1PKxaj5JSuZnUE8rLcgLTd7vGDJoNgQQda.

The conversation continued:

“that I would prepare an instrument” ?? Perhaps a job for a seasoned forensic linguistics team. However, what is more interesting is that the operator is prepared to negotiate the price for decryption and accept my 50% discount offer:

The operator begins to show signs of impatience and offers additional help in response to my request to (obviously not) pay him via PayPal:

We make a brash attempt to obtain an IP address associated with the operator by causing him to visit a webserver under our control:

Moments later, access logs reveal a visit from an IP address located in the Czech Republic. After perhaps realizing his mistake, there were subsequent visits from IP addresses located in multiple countries around the world.

This, however, may be the operator’s attempt to obfuscate his tracks after visiting the site directly the first time.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: PayDay.RSM (Trojan)

Apache CouchDB JSON Remote Privilege Escalation

Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture. It has a document-oriented NoSQL database architecture and is implemented in the concurrency-oriented language Erlang; it uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.

A privilege escalation vulnerability exists in CouchDB. The vulnerability is due to a discrepancy between the behaviours of the JavaScript JSON parser, used in design documents, and the Jiffy JSON parser, used within the CouchDB Erlang-based internals. This allows an attacker to bypass user access control.

Vulnerability details

CouchDB has its own web interface for interacting with the REST API. Both interfaces listen on port 5984/TCP by default. The URL for opening the GUI is: http://[host]:5984/_utils

To send an API request, a user sends an HTTP request carrying the parameters in a JSON body. For example:

PUT /_users/org.couchdb.user:new_user HTTP/1.1
Host: localhost:5984
Content-Type: application/json
Content-Length: 80

{
  "type": "user",
  "name": "[username]",
  "roles": [],
  "password": "[password]"
}

When a JSON object has duplicate keys, a last-value-wins parser keeps only the last value. For example, the JSON {"key":"value1","key":"value2"} assigns value2 to key. When CouchDB handles such an API request, the design-document function validate_doc_update() is called to verify the current user’s privilege, and the JavaScript parser it runs under applies this last-value rule. However, CouchDB’s Erlang internals use the get_value() function, which returns only the first value of a given key. The two components therefore see different documents: the validator checks the last value, while the first value is the one that gets stored.

{
  "type": "user",
  "name": "[username]",
  "roles": ["_admin"],
  "roles": [],
  "password": "[password]"
}

Such a request submits a malicious document to the _users or _replicator database and escalates the user’s privilege to server admin of CouchDB.
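The parser discrepancy as an added Python example (not CouchDB's code): the same request body read last-value-wins and first-value-wins, a simplified stand-in for the _users validation rule, and a strict parser that refuses duplicate members so both sides see the same document. The validation rule, the pipeline function and the document values are assumptions for illustration.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed request body modelled on the page's example: "roles" appears twice,
# first granting _admin and then an empty list.
USER_DOC = (
    '{"type": "user", "name": "new_user",'
    ' "roles": ["_admin"], "roles": [], "password": "secret"}'
)


def parse_last_wins(text: str) -> Dict[str, Any]:
    """json.loads keeps the LAST value of a repeated key: the rule the page
    describes for the JavaScript parser that runs design-document code."""
    return json.loads(text)


def parse_first_wins(text: str) -> Dict[str, Any]:
    """Keep the FIRST value of a repeated key, like get_value/2 on an Erlang
    proplist: the behaviour the page attributes to CouchDB's internals."""
    def first(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            out.setdefault(key, value)   # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=first)


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a member name."""


def parse_strict(text: str) -> Dict[str, Any]:
    """Refuse the ambiguity outright: no two components can then disagree on
    what the document says."""
    def check(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            if key in out:
                raise DuplicateKeyError(f"duplicate member {key!r}")
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=check)


def validate_doc_update(doc: Dict[str, Any], submitter_is_admin: bool) -> bool:
    """Simplified stand-in (assumption) for the _users validation rule: only a
    server admin may create a user document that carries any roles."""
    roles = doc.get("roles", [])
    if not isinstance(roles, list):
        return False
    return submitter_is_admin or len(roles) == 0


def process_user_request(body: str, submitter_is_admin: bool, strict: bool = False):
    """Model of the request pipeline the page describes. Returns the roles that end
    up stored, or None when the request is refused.

    Non-strict: validation runs on the last-wins view (roles == []) and passes,
    while the stored document is the first-wins view (roles == ["_admin"]).
    Strict: the duplicate is rejected before either view exists."""
    if strict:
        try:
            doc = parse_strict(body)
        except DuplicateKeyError:
            return None
        validated = stored = doc
    else:
        validated = parse_last_wins(body)
        stored = parse_first_wins(body)
    if not validate_doc_update(validated, submitter_is_admin):
        return None
    return stored["roles"]


if __name__ == "__main__":
    print("validator sees:", parse_last_wins(USER_DOC)["roles"])
    print("internals store:", parse_first_wins(USER_DOC)["roles"])
    print("non-strict result:", process_user_request(USER_DOC, submitter_is_admin=False))
    print("strict result:", process_user_request(USER_DOC, submitter_is_admin=False, strict=True))
```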

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13106: Apache CouchDB JSON Remote Privilege Escalation

SonicWall MAPP

SonicWall is a participant in the Microsoft Active Protections Program (MAPP). Through this program, SonicWall Unified Threat Management provides comprehensive, accurate and timely protection for Microsoft products.

SonicWall has released technical articles for Microsoft advisories, listed below: