Static Analysis of Malicious PDFs

PDF documents are made of objects and streams. Attackers sometimes use PDF documents to embed malicious scripts.
When such a document is opened, the script executes and tries to connect to the attacker’s web server to download malicious executables.

Below is one such example. Let’s analyze this PDF statically:

Observe that this PDF has embedded JavaScript and OpenAction objects, which make it suspicious.

The JavaScript is obfuscated.

Beautifying it makes it easier to read.

Looking at the JavaScript closely, notice the presence of the unescape and eval functions.
These indicate that the attacker is trying to exploit some vulnerability and is probably spraying the memory with shellcode.
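As an added example (not code from the SonicWall post), the following Python triage script automates the checks described above: it counts JavaScript and automatic-action keywords after undoing hex-escaped names, inflates FlateDecode streams so obfuscated script text becomes visible, and flags unescape()/eval(). The sample PDF it builds is constructed for the demonstration and is not a real malicious file; the keyword list and verdict thresholds are this example's own choices.

```python
import re
import zlib

# Indicators from the analysis above: JavaScript plus an automatic action
# makes a PDF suspicious, and unescape()/eval() inside the script point at
# obfuscation and heap spraying. (Keyword list is this example's choice.)
STRUCTURE_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
SCRIPT_MARKERS = (b"unescape(", b"eval(")

# A keyword must not be followed by another name character, so that /JS
# does not also match longer names that merely start with /JS.
_KEYWORD_RE = {
    k: re.compile(re.escape(k) + rb"(?![A-Za-z0-9])") for k in STRUCTURE_KEYWORDS
}
_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (e.g. /#4A#61vaScript -> /JavaScript),
    a common trick for hiding keywords from naive string searches."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every FlateDecode stream. Streams that
    do not inflate are skipped; their text is already visible in the raw file."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def verdict(keywords: dict, markers: dict) -> str:
    """Rate the file from the keyword and marker counts."""
    has_js = keywords["/JavaScript"] + keywords["/JS"] > 0
    auto_action = keywords["/OpenAction"] + keywords["/AA"] + keywords["/Launch"] > 0
    if (has_js and auto_action) or any(markers.values()):
        return "suspicious"
    if has_js or auto_action:
        return "review"
    return "clean"


def scan_pdf(data: bytes) -> dict:
    """Count structural keywords and script obfuscation markers, then rate the file."""
    # Names are normalized on a copy; stream bodies are inflated from the raw
    # bytes so that '#xx' sequences inside compressed data are not altered.
    flat = normalize_names(data)
    keywords = {k.decode(): len(r.findall(flat)) for k, r in _KEYWORD_RE.items()}
    texts = [data, *inflate_streams(data)]
    markers = {m.decode(): sum(t.count(m) for t in texts) for m in SCRIPT_MARKERS}
    return {"keywords": keywords, "markers": markers, "verdict": verdict(keywords, markers)}


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real malicious file: an /OpenAction that runs
    JavaScript held in a FlateDecode stream, with the /JavaScript name
    hex-escaped the way obfuscated samples often do."""
    js = b"var s = unescape('%41%42%43'); eval(s);"
    body = zlib.compress(js)
    header = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /#4A#61vaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
    )
    return header + b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```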

The SonicWall Capture Labs Threat Research team has researched these PDFs and released the following signatures to protect customers.

  • SPY :Malformed-File pdf
  • GAV: Pdfka.AK

The evolution of Android RAT SpyNote continues

Code for the Android Remote Administration Tool (RAT) SpyNote was being distributed in underground forums in mid 2016. Since then, multiple variants have surfaced with slight modifications, but the core functionality of SpyNote, spying on its victims, has been preserved.

Yet again a new variant has been spotted, and according to a few reports some samples belonging to this new variant were available on Google Play and may have been installed by a few users.

An overview of SpyNote

SpyNote is an Android Remote Administration Tool (RAT) that aims to capture sensitive data on the victim’s device and send it to the attacker. It is usually found advertised on underground forums, as shown below. Based on the description on one such forum, SpyNote is currently at version 4 (as per the post below, dated 4/30/2017):

A new variant

We received reports of a new campaign that has been spreading for a while and is heavily based on SpyNote. This variant carries most of the features of SpyNote, some of which are listed below:

  • Read call logs
  • Call a number
  • Extract contact details from the device
  • List files present in different folders on the device
  • Record Audio
  • Delete an app from the device

Spying on the user is not the only objective of this app; it also makes the device vulnerable to further attacks. One of the commands initiates a download from a URL, which can be used to download additional malicious apps, further infect the device, or use the device as a conduit for spreading other malicious campaigns:

  • Initiate a download via URL

A major addition in the new variant is how the attacker communicates with the malware post infection. Commands sent by the attacker follow the pattern A[number], such as A0, A1 and so on. For every such code there is a case that determines what the malware should do:

Output is returned to the attacker in the format B[number], such as B3 or B4, followed by the data:

The code contains as many as 72 hardcoded commands.

Some similarities between earlier versions of SpyNote and the current malware that strongly suggest ties between the two are:

  • The code structure and class names are similar
  • The focus is on extracting sensitive user information
  • All of the different versions contain the string screamHacker

Android malware constantly evolves through modifications and additions, as we have seen with a number of malware families. SpyNote is no different; in line with the current changes, we can expect more modifications from this malware family that improve the potency of this campaign.

The SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SpyNote.SH (Trojan)
  • GAV: AndroidOS.SpyNote.BN (Trojan)

NSS Labs Affirms SonicWall Excellence in Security Value Map

On June 6, 2017, NSS Labs published its annual 2017 Next-Generation Firewall (NGFW) Test Report and Security Value Map™ (SVM). For the first time in five years, NSS Labs did not place SonicWall in the “Recommended” quadrant of the SVM. In response, SonicWall immediately resolved the identified issues, automatically updated our firewalls worldwide, and was then publicly retested by NSS Labs, placing in the upper right quadrant.

The results of this public retest mean that SonicWall has once again excelled in the industry’s most comprehensive, real-world testing of NGFWs. With its updated 2017 findings, NSS Labs verifies that the SonicWall NSA 6600:

  • Blocked 99.76% of real-time, real-world live exploits
  • Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
  • Earned 100 percent in stability and reliability, firewall, application control and identity awareness tests

Rapid response

It is perfectly normal in these types of cyber war games to uncover security gaps. It took NSS Labs five years and seven iterations of its test methodology to introduce a new evasion technique that uncovered a security gap in the SonicWall device. In the initial tests, the SonicWall NSA 6600 running SonicOS version 6.2 failed a number of HTTP evasion test cases. After analyzing the evidence provided by NSS Labs, SonicWall immediately mitigated the identified issues with an automatic worldwide update to the security services on our installed base of next-generation firewalls.

Affirmation from NSS Labs

Only one vendor has been able to maintain the NSS Labs Recommended rating for all five years since the NGFW report was first published. In fact, for four years straight, SonicWall was one of only two vendors to be recommended each year, and in last year’s test we earned a 100% score in the evasions category.

With SonicWall’s updates, NSS Labs retested the NSA 6600 using the same HTTP evasion techniques with a modified exploit. NSS Labs verified that SonicWall was no longer susceptible to the previously cited HTTP evasion techniques. The NSA 6600 now consistently blocks tested HTTP evasion techniques. NSS Labs noted this in both its SVM and its individual SonicWall SVM test report.

As the graph below shows, the SonicWall NSA 6600 is now strongly positioned in the upper right quadrant. The blue dot (Figure 1) shows the new SonicWall positioning and demonstrates that the SonicWall NSA 6600 is one of the highest-rated, best-value NGFWs in the industry, with a score of 97.8% Security Effectiveness and a low TCO of $10 per Protected Mbps. Another critical data point is that in this retest, the SonicWall NSA 6600 scored 100 percent on the HTTP evasion test (Figure 2).

NSS Labs

SonicWall recognizes and values NSS Labs’ long-standing reputation as an unbiased third-party product test and validation organization. We endorse NSS Labs’ test methodology and trust its results. NSS Labs tests have produced extremely useful results that challenge security vendors to be continuously vigilant. The value of this type of service is maximized when the tests uncover security gaps in security devices before real adversaries do.

Flexible, automated, self-healing security

More importantly, the flexibility of our solution allowed us to automatically provide protections for the evasions NSS Labs discovered to all of our worldwide firewalls, with no need for firmware updates. This flexibility is unique in the market, and a core strength of SonicWall’s automated real-time breach detection and prevention solution, consisting of our next-generation firewalls, intrusion prevention, gateway anti-malware, Capture Advanced Threat Protection, email security and secure remote access products.

In fact, our Capture Labs team provided remediation for the newly discovered NSS issues within 24 hours! This means our customers don’t need to wait for days or even months until new, fully tested firmware is available. Remember, in cases like this, any network is vulnerable until the solution patch is applied.

Staying ahead of the pack

It is important to note that in this year’s NSS Labs SVM, eight of the ten vendors were susceptible to the new HTTP evasion test cases. Of the eight, only SonicWall and one other vendor were able to remediate the evasions in an automated fashion. Tellingly, several vendors placed in the “Recommended” quadrant had still not provided any remediation. This is why an automated, self-healing solution is absolutely required in today’s extremely fast-paced and complicated cyber threat landscape.

We encourage you to read the full NSS Labs SonicWall Security Value Map report to learn more.

NewShell ransomware spotted in the wild

The SonicWall Threats Research team observed reports of a new variant of the NewShell ransomware family [GAV: NewShell.RSM] actively spreading in the wild.

NewShell encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The Trojan adds the following keys to the Windows registry startup locations:

Once the computer is compromised, the malware copies its own executable to the C:\tmp folder and runs the following commands:

The malware downloads the following image from its own server and sets it as the desktop wallpaper.

Once the malware has encrypted all personal documents and files, it shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

The malware appends the ‘.enc’ extension to all target files.

Command and Control (C&C) Traffic

NewShell performs C&C communication over the HTTP protocol.

The malware sends HTTP requests to its C&C server in the following format; here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: NewShell.RSM (Trojan)

Microsoft Security Updates Coverage

SonicWall has analyzed and addressed the August 2017 Microsoft Security Updates. A list of the issues reported, along with SonicWall coverage information, is as follows:

  • CVE-2017-0174 Windows NetBIOS Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0250 Microsoft JET Database Engine Remote Code Execution Vulnerability
    Anti-Spyware:1541 Malformed-File mdb.MP.1
  • CVE-2017-0293 Windows PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8503 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8516 Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8591 Windows IME Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8593 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8620 Windows Search Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8622 Windows Subsystem for Linux Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8623 Windows Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8624 Windows CLFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8625 Internet Explorer Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8627 Windows Subsystem for Linux Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8633 Windows Error Reporting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8634 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8635 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8636 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8637 Scripting Engine Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8638 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8639 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8640 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8641 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8642 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8644 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8645 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8646 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8647 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8650 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8651 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8652 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8653 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8654 Microsoft Office SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8655 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8656 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8657 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8659 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8661 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8662 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8664 Windows Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8666 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8668 Volume Manager Extension Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8669 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8670 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8671 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8672 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8673 Windows Remote Desktop Protocol Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8674 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8691 Express Compressed Fonts Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Ebaywall ransomware, a digital revenge against Ebay

This week, the SonicWall Capture Labs Threat Research team received reports of yet another ransomware with a very obvious purpose, target and even a message that it wants to send across the digital landscape. The author appears to be carrying a grudge against Ebay for its seeming lack of regard for security, and this is his way of taking digital revenge. A back story is provided which appears to concern Kijiji.ca, an online classifieds service in Canada that is a subsidiary of Ebay. The ransomware calls itself Ebaywall and demands an exorbitant ransom payment of roughly $8.9M to unlock all files. It also encourages victims to send angry phone calls or messages to Ebay.

Infection Cycle:

Upon execution, it creates the file “ebay_was_here” as an infection marker:

It then proceeds to encrypt the victim’s files and appends “.ebay” to the names of all encrypted files.

It also creates the file “ebay-msg.html” and adds it to every directory where files were encrypted.

This file contains the back story which explains the purpose of this ransomware. Unlike other ransomware programs, it does not demand to be paid within a certain time limit.

To ensure that this HTML file with the message is launched at startup, it also creates a copy of it in the Startup directory.

Ebaywall is asking for a ransom payment in Monero, another cryptocurrency, amounting to XMR 200,000 or roughly $8.95M at the current exchange rate.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Ebaywall.RSM (Trojan)

HPE Intelligent Management Center Integer Underflow Vulnerability

The HPE Intelligent Management Center (IMC) Basic Software Platform is a network management software tool with unified resource and device management, providing a lower total cost of ownership. The platform is designed for small to medium sized businesses with small network environments that need a single display screen to show their network infrastructure. The Wireless Services Manager (WSM) module provides uniformity over a wireless network, even for geographically dispersed networks. The WSM module uses several methods of authentication, one of which is the “Wireless Protocol”.

A stack buffer overflow vulnerability exists in the WSM module of HPE Intelligent Management Center. The vulnerability occurs when WSM parses a specially crafted message without validating its fields correctly. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the target server in the context of SYSTEM or root. This vulnerability has been assigned CVE ID CVE-2017-5804.

The SonicWall Threat Research team has researched this vulnerability and released the following IPS signature:

  • IPS:12915 HPE Intelligent Management Center Buffer Overflow 5

CVE-2017-0199 attacks still active

CVE-2017-0199, described as the Microsoft Office/WordPad Remote Code Execution Vulnerability, allows remote attackers to execute arbitrary code via a crafted document. Attacks exploiting CVE-2017-0199 are still active.
The SonicWall Capture Labs Threat Research team observed a surge of these attacks in July, after the zero day was first discovered in April.

The malicious RTF document contains an objautlink object with an embedded link.

The document references an external link, which it updates when the user opens the document.

The document makes the following HTTP calls to the attacker’s website.

It then downloads a script.

After decoding the script, we see that it downloads and runs malicious executable files.
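As an added example (not code from the SonicWall post), the following Python triage script looks for the indicators described above in an RTF file: the \objautlink control word, the \objupdate control word that forces the linked object to refresh on open, and any HTTP link target inside the hex-encoded \objdata payload (searched both as ASCII and as UTF-16LE, the encoding OLE link monikers use). The sample RTF it builds is constructed for the demonstration and is not an exploit document; the URL in it is a placeholder, not one from the post.

```python
import re

# Control words from the analysis above: \objautlink marks a linked OLE
# object and \objupdate forces it to refresh when the document is opened.
_OBJAUTLINK = re.compile(rb"\\objautlink\b")
_OBJUPDATE = re.compile(rb"\\objupdate\b")
# \objdata holds the object as a run of hex digits (whitespace allowed).
_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,}", re.IGNORECASE)
# The same URL shape encoded as UTF-16LE, how OLE link monikers store targets.
_WIDE_URL = re.compile(
    rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def decode_objdata(rtf: bytes):
    """Yield the binary payload of every \\objdata hex blob in the RTF."""
    for m in _OBJDATA.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:
            digits = digits[:-1]  # tolerate a truncated trailing nibble
        yield bytes.fromhex(digits.decode("ascii"))


def extract_urls(blob: bytes) -> list:
    """Pull ASCII and UTF-16LE URLs out of decoded object data."""
    urls = [u.decode("ascii") for u in _ASCII_URL.findall(blob)]
    urls += [w.decode("utf-16-le") for w in _WIDE_URL.findall(blob)]
    return urls


def triage_rtf(rtf: bytes) -> dict:
    """Flag the objautlink/objupdate combination and list embedded link targets."""
    has_autolink = _OBJAUTLINK.search(rtf) is not None
    has_update = _OBJUPDATE.search(rtf) is not None
    urls = [u for blob in decode_objdata(rtf) for u in extract_urls(blob)]
    if has_autolink and urls:
        level = "suspicious"
    elif has_autolink or has_update:
        level = "review"
    else:
        level = "clean"
    return {"objautlink": has_autolink, "objupdate": has_update,
            "urls": urls, "verdict": level}


def build_sample_rtf() -> bytes:
    """Constructed sample, not a real exploit document: a linked object whose
    \\objdata carries a placeholder URL as UTF-16LE text."""
    url = "http://example.invalid/update.txt"  # placeholder, not from the post
    payload = b"\x01\x05\x00\x00" + url.encode("utf-16-le") + b"\x00\x00"
    hexdata = payload.hex().encode("ascii")
    return b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + hexdata + b"}}}"


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf()))
```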

The SonicWall Capture Labs Threat Research team has researched this vulnerability and released the following signatures to protect customers.

  • SPY 1446 :Malformed-File rtf.MP.17
  • GAV: CVE-2017-0199.A
  • GAV: CVE-2017-0199

Android Ransomware spreading as codec pack installer

The SonicWALL Threats Research team received reports of yet another ransomware for Android which encrypts the files on a device and demands a ransom in exchange for potentially unlocking the content.

Infection Cycle

The malware requests the following permissions during installation:

  • internet
  • get tasks
  • kill background processes
  • access fine location
  • receive sms
  • access coarse location
  • call phone
  • vibrate
  • read sms
  • write sms
  • send sms
  • read contacts
  • read phone state
  • system alert window
  • wake lock
  • disable keyguard
  • receive boot completed
  • write external storage
  • read external storage
  • quickboot poweron

Upon execution it sends a GET request to the domain fsdf2tvwev-ru.1gb.ru. This is general behavior exhibited by malware, where it registers the infected device with, or informs, the attacker. The name of the webpage (reg.php) is another indication of this behavior. Unfortunately, we received a base64-encoded response that states an error:

After a couple of minutes we get a ransom message that covers the entire screen as shown below:

In the background the ransomware encrypts files on the device and adds a “.Lucy” extension at the end.

This ransomware demands that victims pay 600 Canadian Dollars (CAD), which amounted to roughly $481 at the time of writing this blog. The attackers demand payment via Neosurf, whereby one purchases a Neosurf voucher of a certain value using cash. To fulfill the payment the victim needs to enter the voucher number or code.

Additional points

  • The malware contains the following hardcoded urls in its code:
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/add_log.php
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/reg.php
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/set_data.php
  • Since its discovery, statistics on the above URLs indicate that most of the clicks/visits for these links have been coming from Canada, indicating where this ransomware has likely spread the most
  • There is a hardcoded phone number present in the code +190[removed] which belongs to the United States
  • We observed code that looks for a card number, name and date. This code might be for Neocash, which is a credit card offered by Neosurf:
  • There is code in the ransomware that extracts the contact details stored on the device:
  • This ransomware has the ability to execute commands received from the attacker; a few interesting ones are listed below:
    • Execute shell commands
    • Grab SMS messages on the device
    • Compose and send SMS messages
    • Get location of the device

The ransomware gets installed on a device as a codec pack. Based on its name, it is likely spreading via rogue websites that host a video but show an error when the user tries to play the content. The error usually claims that a codec pack is missing on the device and that the video will play once the codec is installed.

We urge our readers to be wary when such an error is encountered; it is always advisable to install apps on the device via the official Google Play store and not directly from websites.

SonicWALL provides protection against this threat via the following signature:

  • GAV: AndroidOS.Ransomware.CAD (Trojan)

The following sample was analyzed for this blog:

  • MD5: 615869b81f1ccdbdbb1fa338744c0a6d
  • Package: com.android

State of Encrypted Traffic – New Cyber Attacks Spreading via Use of Encryption

The earliest schemes of cryptography, such as substituting one symbol or character for another, or changing the order of characters instead of changing the characters themselves, began thousands of years ago. Since then, various encoding and decoding systems have been developed, based on more complex versions of these techniques, for the fundamental purpose of securing messages sent and received in written or electronic form in all sorts of real-world applications. Although the progress we have made in modern cryptography has its advantages, we are seeing that it also creates security risks too dangerous to be ignored. This blog reviews what this means for your organization and helps your security teams stay alert and ready for the new threats and attack vectors that spread through the criminal use of encryption.

The momentum of innovation in information and communication technology has significantly changed the way we function in both the public and private sectors. How we store, share, communicate and transact information over the web, for personal use, for work, or to run businesses, agencies and institutions, requires that we adopt strong information security in everything we do digitally. As a result, the majority of today’s web traffic is encrypted using the latest Transport Layer Security (TLS) encryption protocol, formerly known as Secure Sockets Layer (SSL), to establish a private connection between two endpoints, securing data transmission, web traffic and interactions.

According to the Google Transparency Report, encrypted connections, displayed as HTTPS in the browser address bar, accounted for approximately 87 percent (Figure 1) of web requests sent to Google’s data centers from around the world as of June 17, 2017. Moreover, the report reveals that Windows, Mac, Linux and Chrome users spend more than three-quarters of their time on HTTPS pages (Figure 2). From these facts, we can reasonably generalize that the majority of the web traffic traversing our networks is encrypted today.

Figure 1: Percentage of page requests that used encrypted connections

Figure 2: Percentage of browsing time spent on HTTPS websites

Now imagine, from a security standpoint, the likely scenario if your network security, such as a firewall or intrusion detection/prevention system (IDS/IPS), is not examining encrypted traffic. Obviously, the security system would have zero visibility into any malicious activity. Therefore, attacks carried out inside the encrypted session will go unnoticed and will likely lead to a data breach. This method of attack is among the top security issues facing many organizations right now. A recent survey [1] of over 1000 security professionals from various industries in North America and Europe, conducted by the Ponemon Institute on behalf of A10 Networks, reveals:

  1. Eighty percent of respondents were victims of cyber-attacks, and forty-one percent of those attacks hid in SSL-encrypted traffic to evade detection.
  2. Only one-third of respondents believe their organization can properly decrypt and inspect SSL encrypted traffic, even though an overwhelming 89 percent of them agree it is an essential procedure required for the performance and safety of their business.
  3. Use of SSL encryption to mask malicious activity will parallel the growth of encryption of inbound and outbound web traffic.

So what must you do to address the security risks associated with encrypted threats? Watch the informative webcast, “Defeat Encrypted Threats,” presented by a SonicWall Security Solution Engineer, to learn how you can defeat them. This presentation provides a detailed analysis of the latest trends and tactics in the cyber threat landscape as seen through the eyes of a practicing security professional. Once you have seen what your adversaries are up to today, you will receive a crash course in security policy management and network security architecture design that will help prevent the breach of tomorrow.

[1] 2016 Ponemon Study, Uncovering Hidden Threats within Encrypted Traffic