Apple Quicktime Memory Corruption Vulnerability (Apr 21, 2016)

Apple QuickTime is an extensible multimedia framework capable of handling various formats of digital video, pictures, sound, panoramic images, and interactivity. QuickTime is bundled with OS X; QuickTime for Microsoft Windows is downloadable as a standalone installation. Apple ended support for QuickTime for Windows this year, and the last security update was released in January 2016.

A memory corruption vulnerability was found in QuickTime that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted Photoshop file. The vulnerability is tracked as CVE-2016-1769. A security patch was released for OS X El Capitan v10.11 to v10.11.3. For the Windows versions of QuickTime, however, please remove the application to eliminate the possibility of being attacked.

The Dell SonicWALL research team has investigated this vulnerability and released the following signature to protect customers:

  • SPY: 4493 Malformed-File psd.TL.1

Jigsaw Ransomware spotted in the wild (April 22, 2016)

The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Jigsaw (named after the fictional character), which encrypts the files on the system and deletes them if the payment is not made on time.

Infection cycle:

The Trojan poses as Firefox with the following properties:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%APPDATA%\Roaming\Frfx\firefox.exe”

It displays the following iconic image and message while encrypting the files:

It starts a countdown and threatens to delete the files mentioned every hour.

The Trojan finds the following files on the victim’s machine and encrypts them:

Before encrypting, it records the filenames at the following location:

It encrypts all of the victim’s files listed above and appends the .fun extension.

When trying to close the ransom window, it displays the following message:

It checks for payment by contacting the C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Jigsaw.A (Trojan)

How to Open Your Own Department of Yes

Securing large organizations is a massively complex task. There are so many different domains of security to think about, it can drive a person crazy. Fortunately, as we work closely with our customers and partners, we have the opportunity to see and address many of these challenges. We share what we learn with the security community to show them how to think about identity and access management (IAM) and network security in a unified way to get more out of each solution without incurring more cost. We are on a mission to help CISOs open their very own “Department of Yes.” The goal is to help them see how IAM and network security can be business enablers.

For example, with SonicWall IAM and network security solutions working together, a policy on the next-generation firewall can help enforce an application governance policy defined in the IAM solution. SonicWall next-generation firewalls can be easily integrated with SonicWall One Identity Safeguard for Privileged Passwords to help tighten up security of the most trusted assets in any organization. Cloud Access Manager can consume data from the firewall to require elevated authentication. These are just a few examples of what we can do today and there will be more integration in the future that will help the CISO say yes more often.

On Monday, Curtis Hutcheson, VP and GM of SonicWall Security Solutions, discussed in his blog the importance of becoming the Department of Yes. Curtis discussed our new approach to IT security, Govern and Protect, where our network-aware identity solutions and our identity-aware network solutions work together to enable organizations to take advantage of better security with less complexity and lower costs. By becoming the Department of Yes, the security team can now easily embrace new, innovative initiatives such as moving to the cloud, BYOD, digital transformation, the internet of things and more.

By governing every identity across the organization with our identity governance, privileged management and access management while inspecting every packet with our next-gen firewalls, secure mobile access, and email security, IT organizations no longer need to say no to supporting new strategic business initiatives.

We believe that our customers should be able to deploy strong identity and access management in concert with robust network security solutions where the two reinforce each other. By making the network security solution identity-aware and the identity management solution network-aware, we can now deliver superior protection and governance while lowering costs.

For more information on how you can open your own Department of Yes, be sure to check out this new SonicWall Security web site.

Is Your CISO Organization the Department of Yes? SonicWall Security Delivers

Businesses are ramping technology investments and capabilities faster than ever. Employees, customers and partners are accessing more applications and data every day. These investments drive enormous value to the business, but also create IT complexity and security vulnerabilities.

Our customers and partners constantly ask us to help them rise to these challenges, to help them deliver innovative initiatives and improve collaboration, while protecting their company. Often, the security risks around these new applications, projects and technologies force IT to say “NO” to their business partners.

To change this model, we have invested in SonicWall and SonicWall One Identity solutions to help organizations become more innovative and create competitive advantages by driving initiatives such as:

  • Leading your organization to the cloud
  • Deploying BYOD across your organization
  • Enabling a digital transformation
  • Completing stress-free audits

We feel that it’s time for a radically different point of view, and SonicWall Security’s context-aware, integrated security solutions put us in the unique position to offer organizations the security they need in today’s complex IT environment. SonicWall and SonicWall One Identity enable CISOs to govern every identity and inspect every packet, effectively identifying and isolating rogue activity, while letting the acceptable traffic flow.

These network inspection and identity governance capabilities give organizations the ability to confidently push beyond traditional boundaries while controlling vulnerabilities. We are empowering IT teams to deliver the strategic projects and capabilities that drive your business forward while providing the security you need.

We want to enable the IT security team to become the Department of “Yes.”

SonicWall and One Identity solutions reinforce each other to ensure we’re setting the highest bar for value to our partners and customers.

We’ve created this extensive security portfolio to enable you to:

  • Not only detect but also block advanced threats at the gateway before they get into your network, with extremely low latency
  • Automatically allow or deny, or step up authentication, for every user access attempt based on context derived from the network to identify abnormal activity
  • Provision a new employee, partner or contractor in 15 minutes across your enterprise and then de-provision them 15 minutes after they depart
  • Leverage Privileged Account Management controls like password vaulting and session management for those identities who have the “keys to the kingdom”

As we lead in the market with our innovative solutions, we can help you attain true governance of user and admin access to your network, applications and data, and deeper security without compromising performance. We are committed to doing all of this, effectively raising productivity and security, without increasing your costs.

For more information on how to start becoming the Department of Yes, explore our new informative SonicWall Security web site.

Metasploit enhanced Android malware spotted in the wild (April 15, 2016)

Metasploit is one of the most widely used penetration testing tools for testing and improving the defenses of internet-facing services. It boasts more than 1300 exploits, and new ones are added at regular intervals thanks to the strong community that backs these efforts. Metasploit contains a number of different modules that cater to different requirements. For instance, there are exploits that focus on a particular weakness, whereas payloads consist of code that runs on the remote system.

Android has enjoyed popularity among mobile phone users, but at the same time there have been many security concerns regarding malware and other vulnerabilities. Metasploit developers saw this as a new avenue for research and introduced support for generating Android-specific payloads. Using these payloads an attacker can run myriad commands on a victim’s Android device, provided a modified APK (Android Package) containing Metasploit modules is present on the target.

The Dell SonicWALL Threats Research team recently observed a slew of Android malware containing Metasploit-specific components. This might be an indication of a new wave of Metasploit-based Android malware that will become commonplace in the near future.

Metasploit for Android

Using Metasploit it is possible to gain shell access on a target device, which allows the attacker to perform a number of operations; additionally, if the device is rooted, the attacker can perform system-level changes as well. The following high-level steps are involved in creating a malicious Metasploit-modified APK to compromise a victim’s device:

  • The msfvenom module is used to modify a clean APK and add a reverse TCP component to it
  • Reverse TCP makes the malicious APK initiate a connection back to the attacker, who runs a listener for incoming connections
  • Once the device is infected with this modified APK, it connects back to the attacker with a shell, potentially giving the attacker unrestricted access

In the past few weeks we observed a number of malicious APKs with the Metasploit reverse TCP component present in them. The image below shows the code for three APKs: the first is a clean, unmodified APK, the second is a clean APK that we modified using the msfvenom module, and the last is a malicious APK that we obtained:

The code for the modified APK and the malicious APK is strikingly similar, which indicates that the attacker has been using the same Metasploit module for this modification.

A callback address must be specified for reverse TCP; the following is a subset of the IPs we observed in malicious APKs during our analysis:


Some of the IPs belong to the 192.168 private block; in such cases it is possible that an infected private server forwards the data back to the attacker. Most of the malicious APKs we observed were standalone APKs containing only the Metasploit modules; however, we did see two cases where the Metasploit module was bundled with a separate, fully working APK. In these cases the Metasploit module runs in the background while the original APK keeps running in the foreground, so the victim is oblivious to the fact that the attacker has gained an open shell to the device.

The following figure shows code for the malicious APKs with bundled Metasploit modules:

As we can see, both APKs have similar Metasploit components alongside the other class files that make up the app. The callback addresses specified in these two APKs are listed below; at the moment VirusTotal deems them clean:

  • security-checks.de
  • 92.97.176.17

Using Metasploit as a component of a malicious APK might become more common over time, but for now this campaign still looks to be in its early stages. As mentioned before, this attack has a far greater impact on rooted devices, since it would allow the attacker to perform system-level changes. This further highlights the dangers of rooting an Android device.

Another good precaution is to use security tools like OS Monitor to check for open connections on the device. A vigilant eye can catch connections opened by unknown apps, as shown below:

A few MD5s of samples with the package name com.metasploit.stage:


MD5s of samples with the Metasploit component bundled in a working APK:

  • 3763b28338dff3f703a8192eff0f1c82 – com.thepapership.braingames.espanol
  • f36704560abc8172433820ecabcef76a – com.piriform.ccleaner
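As an added illustration (not SonicWall code or a production scanner), the following Python applies the indicators discussed above to an APK file: the com.metasploit.stage package as it appears in classes.dex, whether the stager stands alone or sits beside an app’s own classes (the bundled case), and whether the hard-coded callback lies in a private range such as 192.168.x.x. The fake APKs are constructed fixtures, the package names in them are taken from this page, and the assumption that the callback is stored as a plain host:port string is mine, not the page’s.

```python
import io
import ipaddress
import re
import zipfile

# The stager package named on this page, as it appears in DEX class descriptors
STAGE_MARKER = b"Lcom/metasploit/stage/"
# Descriptor prefixes that belong to the platform, not to the app being scanned
FRAMEWORK_PREFIXES = ("android/", "androidx/", "java/", "javax/", "dalvik/", "kotlin/")
CLASS_RE = re.compile(rb"L((?:[A-Za-z_][A-Za-z0-9_$]*/)+[A-Za-z_][A-Za-z0-9_$]*);")
# Assumption (not from the page): the reverse-TCP callback is embedded as a plain "host:port" string
CALLBACK_RE = re.compile(rb"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")


def is_private(host):
    """True for RFC 1918 / loopback style addresses; False for anything unparsable."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def scan_dex(dex):
    """Return (has_stager, app_classes, callbacks) for one classes.dex blob."""
    has_stager = STAGE_MARKER in dex
    app_classes = set()
    for m in CLASS_RE.finditer(dex):
        path = m.group(1).decode()
        # keep only classes that are neither platform classes nor the stager itself
        if not path.startswith(FRAMEWORK_PREFIXES) and not path.startswith("com/metasploit/"):
            app_classes.add(path)
    callbacks = ["%s:%s" % (h.decode(), p.decode()) for h, p in CALLBACK_RE.findall(dex)]
    return has_stager, app_classes, callbacks


def scan_apk(apk_bytes):
    """Classify an APK the way the text distinguishes samples: clean, a standalone
    Metasploit stager, or a stager bundled with a working app."""
    has_stager, app_classes, callbacks = False, set(), []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):      # classes.dex, classes2.dex, ...
                s, c, cb = scan_dex(zf.read(name))
                has_stager, app_classes, callbacks = has_stager or s, app_classes | c, callbacks + cb
    if not has_stager:
        verdict = "no metasploit stager"
    elif app_classes:
        verdict = "metasploit stager bundled with app"
    else:
        verdict = "standalone metasploit stager"
    return {
        "verdict": verdict,
        "app_classes": sorted(app_classes),
        "callbacks": callbacks,
        # a 192.168.x.x style callback points at a forwarder inside the victim's own network
        "private_callbacks": [cb for cb in callbacks if is_private(cb.rsplit(":", 1)[0])],
    }


def make_apk(dex_blob):
    """Constructed fixture: a zip with a fake classes.dex; not a real, installable APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_blob)
    return buf.getvalue()


# Constructed samples; the class and package names mirror the cases described in the text
STANDALONE_APK = make_apk(
    b"Lcom/metasploit/stage/Payload;Lcom/metasploit/stage/MainService;"
    b"Landroid/app/Service;Ljava/net/Socket;tcp://192.168.1.2:4444\x00")
BUNDLED_APK = make_apk(
    b"Lcom/piriform/ccleaner/MainActivity;Landroid/app/Activity;"
    b"Lcom/metasploit/stage/Payload;tcp://92.97.176.17:4444\x00")
CLEAN_APK = make_apk(b"Lcom/example/app/MainActivity;Landroid/app/Activity;")

if __name__ == "__main__":
    for label, apk in (("standalone", STANDALONE_APK), ("bundled", BUNDLED_APK), ("clean", CLEAN_APK)):
        print(label, scan_apk(apk))
```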

Dell SonicWALL provides protection against multiple versions of this threat via the following signature:

  • GAV: AndroidOS.Metasploit.PL (Trojan)

Protect Remote Workforce Anywhere, Anytime on Any Device

Every day, we hear terrifying headlines such as this one – 27 million doctors’ mobile devices at high risk of malware. Our recent SonicWall Threat Report confirms the increase in malware targeting Android devices. Fortunately, today we are announcing our latest SonicWall Secure Mobile Access 11.4 OS and the SMA 1000 Series to arm your IT organization with greater security, scalability and the ability to abide by compliance standards. With this launch, we deliver more power and speed to remote workers to securely access corporate data via policy-based access on any mobile device.

Our new SonicWall SMA 11.4 offers numerous state-of-the-art features. The dynamic Global Traffic Optimizer (GTO) will enable thousands of concurrent users to have protected remote access capabilities. Our new Regulatory Compliance standards meet the strictest security requirements of the latest government regulations. The innovative Management API will deliver enhanced workflow, and the SAML 2.0 support will save valuable remote workforce time. Enterprises like the NFL-champion Denver Broncos are using SonicWall Secure Mobile Access (SMA). I hope you will explore what this solution can do for you and your mobile strategy.

“We increased our return on investment by using SonicWall SRA with SuperMassive next-gen firewall because we offload VPN traffic from our main firewall to the SRA.” Russ Trainor, vice president of Technology, Denver Broncos.

Secure Mobile Access (SMA) 1000 11.4 OS brings the following additional functionality enhancements to this series.

  • Global Traffic Optimizer (GTO) – provides a turnkey approach to delivering massive global scalability of concurrent users while continuing to maintain secure access. This allows customers to better address secure access of data as they face an ever-growing workforce, company expansion to different locations both within country and globally, and proliferation of device types used by workers.
  • Regulatory Compliance – ensures security compliance with the most stringent industry and government regulations, like “Federal Information Processing Standards” (FIPS) and Suite B cipher support. This is crucial in highly regulated organizations to maintain compliance (e.g., Government, Financial, Healthcare, etc.).
  • Management API – gives access to SonicWall’s SMA API. This enables enhanced workflow, orchestration and automation, improving customers’ operational processes, increasing productivity and reducing costs.
  • Enhanced SAML 2.0 support – creates a great end-user experience by allowing Single Sign-On (SSO), eliminating individual sign-on to SaaS applications. This saves the time previously spent logging onto multiple applications, one at a time.

These key innovations are critical because mobile users are often using the same device for both business and personal tasks. Consequently, businesses are at a growing risk of multiple security breaches such as:

  • Unauthorized users gaining access to company networks and systems from lost or stolen devices
  • Malware-infected devices acting as a conduit to infect company systems
  • Interception of company data “in-flight” on unsecured public Wi-Fi networks
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access

SonicWall’s Secure Mobile Access (SMA) portfolio solves these problems our customers are facing by providing mobile and remote workers using smart phones, tablets or laptops (whether managed or unmanaged) with policy-enforced SSL VPN access to mission-critical applications, data and resources without compromising security.

In case you missed it, the following especially noteworthy functionality enhancements have already been added across the SMA 1000 line: Centralized Management System (CMS), HTML Clients and Proxies, and Personal Device Authorization.

This entire impressive operating system runs on the SonicWall SMA 1000 Series Models: SRA EX6000, SMA 6200, SMA 8200V (Virtual Appliance), SRA EX7000, SMA 7200, and SRA EX9000.

Our customers are already benefiting from these powerful anytime, anywhere on any device security solutions.

“With SonicWall, we can stay at the forefront of this changing landscape. We have a great business relationship with SonicWall, and its customer service and engineering support was outstanding,” said our customer C.J. Daab, Technology Support Coordinator, Hall County School.

Learn more in the SonicWall Secure Mobile Access data sheet.

Microsoft Security Bulletin Coverage (Apr 12, 2016)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories released on Apr. 12, 2016. The issues reported, along with Dell SonicWALL coverage information, are as follows:

MS16-037 Cumulative Security Update for Internet Explorer

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS:11559 “Microsoft Browser Memory Corruption Vulnerability (MS16-037)”
  • CVE-2016-0159 Internet Explorer Memory Corruption Vulnerability
    IPS:11557 “Internet Explorer Memory Corruption Vulnerability (MS16-037) 1”
  • CVE-2016-0160 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0162 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0164 Internet Explorer Memory Corruption Vulnerability
    IPS: 11558 “Internet Explorer Memory Corruption Vulnerability (MS16-037) 2”
  • CVE-2016-0166 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-038 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS:11559 “Microsoft Browser Memory Corruption Vulnerability (MS16-037)”
  • CVE-2016-0155 Microsoft Edge Memory Corruption Vulnerability
    SPY:4382 “Malformed-File exe.MP.13”
  • CVE-2016-0156 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0157 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11550 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 2”
  • CVE-2016-0158 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11551 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 3”
  • CVE-2016-0161 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11552 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 4”

MS16-039 Security Update for Microsoft Graphics Component

  • CVE-2016-0143 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0145 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0165 Win32k Elevation of Privilege Vulnerability
    SPY:4357 “Malformed-File exe.MP.11”
  • CVE-2016-0167 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-040 Security Update for Microsoft XML Core Services

  • CVE-2016-0147 MSXML Remote Code Execution Vulnerability
    IPS:11548 “MSXML Remote Code Execution Vulnerability (MS16-039) 1”

MS16-041 Security Update for .NET Framework

  • CVE-2016-0148 .NET Framework Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-042 Security Update for Microsoft Office

  • CVE-2016-0122 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0127 Microsoft Office Memory Corruption Vulnerability
    SPY:4336 “Malformed-File rtf.MP.13”
  • CVE-2016-0136 Microsoft Office Memory Corruption Vulnerability
    IPS:11258 “Malformed Excel Document 1”
  • CVE-2016-0139 Microsoft Office Memory Corruption Vulnerability
    SPY:4335 “Malformed-File xls.MP.52”

MS16-044 Security Update for Windows OLE

  • CVE-2016-0153 Windows OLE Remote Code Execution Vulnerability
    SPY:4491 “Malformed-File doc.MP.36”

MS16-045 Security Update for Windows Hyper-V

  • CVE-2016-0088 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0089 Windows OLE Memory Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0090 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-046 Security Update for Secondary Logon

  • CVE-2016-0135 Secondary Logon Elevation of Privilege Vulnerability
    IPS: 11554 “Windows Secondary Logon Elevation of Privilege Vulnerability”

MS16-047 Security Update for SAM and LSAD Remote Protocols

  • CVE-2016-0128 Windows RPC Downgrade Vulnerability
    IPS: 11555 “DCERPC AuthLevel Downgrade (Windows)”

MS16-048 Security Update for CSRSS

  • CVE-2016-0151 Windows CSRSS Security Feature Bypass Vulnerability
    SPY:4358 “Malformed-File exe.MP.12”

MS16-049 Security Update for HTTP.sys

  • CVE-2016-0150 HTTP.sys Denial of Service Vulnerability
    There are no known exploits in the wild.

Badlock: Windows SAM and LSAD Downgrade Vulnerability

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Both Windows and Samba are vulnerable to these attacks. The vulnerability is triggered when these protocols accept authentication levels that do not protect them adequately; it is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database. To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The attacker can access domain passwords as well. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.

There are two different CVE identifiers associated with this vulnerability:

  • Microsoft: CVE-2016-0128
  • SAMBA: CVE-2016-2118

The vulnerability is also known as ‘Badlock’.

Microsoft has two protocols that are vulnerable to this attack:

  • Security Account Manager Remote Protocol (SAMR): This protocol provides management functionality for the user account store and for user/group directories.
  • Local Security Authority (LSAD): This protocol provides management functionality for the user account store and for user/group directories.

These protocols maintain the security account manager database. They are supported by both Windows and Samba, and they support all domain profiles.
In addition to these, the following Samba protocols are susceptible to this vulnerability:

  • Directory Replication Service Remote Protocol (DRSR): RPC protocol for replication and management of data in Active Directory
  • BackupKey Remote Protocol (BKRP): Encrypts and decrypts sensitive data (such as cryptographic keys)

Attack mechanism:

There are six authentication levels (auth levels), as described in the DCE/RPC protocol; ‘1’ is the lowest and ‘6’ the highest:

Example of an attack scenario:

  • 1: The client sends a bind request to the server with the highest security level, ‘6’.
  • 2: The MITM intercepts this request and changes the value from ‘6’ to ‘2’.
  • 3: The server responds with auth level ‘2’ instead.

The attacker lowers the auth level to ‘2’. Level ‘2’, as shown earlier, provides minimal authentication; note that it does not protect the messages transferred between the client and the server. This is an ideal scenario for an attacker: with it, the attacker can achieve read/write access to the SAMR services and potentially obtain passwords and other sensitive information.
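The downgrade in steps 1 to 3 is visible on the wire as a bind_ack whose auth level is lower than the one carried by the matching bind. The following Python is an added example, not SonicWall code and not the signature itself: it parses the DCE/RPC connection-oriented common header and auth trailer and flags such a pair, plus any bind that asks for less than level 6. The PDU builder, the dummy credential bytes and the sample exchange are constructed for the demonstration.

```python
import struct

# DCE/RPC connection-oriented PDU (OSF C706 / MS-RPCE): a 16-byte common header, the PDU
# body, then an optional 8-byte auth trailer followed by auth_length bytes of credentials.
PTYPE_BIND = 11
PTYPE_BIND_ACK = 12
HEADER_LEN = 16
AUTH_TRAILER_LEN = 8
# The six auth levels referred to in the text (RPC_C_AUTHN_LEVEL_*), 1 = lowest, 6 = highest
AUTH_LEVELS = {1: "none", 2: "connect", 3: "call", 4: "pkt", 5: "pkt_integrity", 6: "pkt_privacy"}
AUTHN_LEVEL_NONE = 1
AUTHN_LEVEL_PKT_PRIVACY = 6


def build_pdu(ptype, body, auth_level=None, call_id=1):
    """Constructed test helper: wrap `body` in a little-endian CO PDU, optionally adding an
    auth trailer with the given auth_level (auth_type 10 = NTLMSSP) and dummy credentials."""
    trailer = b""
    auth_length = 0
    if auth_level is not None:
        creds = b"\x00" * 8                       # placeholder token bytes, constructed
        auth_length = len(creds)
        # auth_type, auth_level, auth_pad_length, auth_reserved, auth_context_id
        trailer = struct.pack("<BBBBI", 10, auth_level, 0, 0, 1) + creds
    frag_length = HEADER_LEN + len(body) + len(trailer)
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags (FIRST|LAST), drep (LE), frag_length, auth_length, call_id
    header = struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, frag_length, auth_length, call_id)
    return header + body + trailer


def parse_pdu(pdu):
    """Return (ptype, call_id, auth_level) for one CO PDU; auth_level is None when the PDU
    carries no auth trailer. Raises ValueError on a malformed PDU."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("PDU shorter than the common header")
    rpc_vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    # drep byte 0 selects the byte order of the multi-byte header fields
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if rpc_vers != 5 or frag_length != len(pdu):
        raise ValueError("bad rpc_vers or frag_length")
    if auth_length == 0:
        return ptype, call_id, None
    trailer_off = frag_length - auth_length - AUTH_TRAILER_LEN
    if trailer_off < HEADER_LEN:
        raise ValueError("auth trailer overlaps the header")
    _auth_type, auth_level = struct.unpack_from("<BB", pdu, trailer_off)
    if auth_level not in AUTH_LEVELS:
        raise ValueError("unknown auth level %d" % auth_level)
    return ptype, call_id, auth_level


def detect_downgrade(bind_pdu, ack_pdu):
    """Inspect a bind / bind_ack pair and return a finding string when the server answers
    with a lower auth level than the client requested (the MITM pattern above), else None."""
    ptype_b, call_b, lvl_b = parse_pdu(bind_pdu)
    ptype_a, call_a, lvl_a = parse_pdu(ack_pdu)
    if ptype_b != PTYPE_BIND or ptype_a != PTYPE_BIND_ACK or call_a != call_b:
        return None                               # not a matching bind/bind_ack exchange
    requested = lvl_b if lvl_b is not None else AUTHN_LEVEL_NONE   # no trailer == level none
    granted = lvl_a if lvl_a is not None else AUTHN_LEVEL_NONE
    if granted < requested:
        return "auth level downgrade: requested %s (%d), granted %s (%d)" % (
            AUTH_LEVELS[requested], requested, AUTH_LEVELS[granted], granted)
    return None


def below_privacy(pdu):
    """Policy check: True when a bind asks for anything weaker than pkt_privacy (6)."""
    ptype, _call_id, lvl = parse_pdu(pdu)
    if ptype != PTYPE_BIND:
        return False
    return (lvl if lvl is not None else AUTHN_LEVEL_NONE) < AUTHN_LEVEL_PKT_PRIVACY


if __name__ == "__main__":
    # Constructed exchange: client asks for 6, MITM-altered server answer says 2
    bind = build_pdu(PTYPE_BIND, b"\x00" * 24, auth_level=6)
    ack = build_pdu(PTYPE_BIND_ACK, b"\x00" * 24, auth_level=2)
    print(detect_downgrade(bind, ack))
```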

Dell SonicWALL has written the following signatures that protect our customers from this issue. They will be available in today’s (04/12/2016) release.

  • 11560: BadLock Vulnerability
  • 11555: DCERPC AuthLevel Downgrade

Guatambu: new multi-component InfoStealer drops Kartoxa POS Malware (Apr 08, 2016)

The Dell SonicWALL Threats Research team observed reports of a new multi-component InfoStealer family, detected as GAV: Guatambu.AAB and GAV: Guatambu.POS, actively spreading in the wild.

Guatambu gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

One major component of Guatambu contains features such as memory scraping functions.

The Malware drops Kartoxa POS Malware on the target system.

Infection Cycle:

MD5:

  • 823c663a4aecdc74e36fb224c2ff1ddc Detected as GAV: Guatambu.AAB (Trojan)
  • fa88a7c8e6779993eb70370c9263b3c3 Detected as GAV: Guatambu.POS (Trojan)

The Malware adds the following files to the system:

  • %Userprofile%\Start Menu\Programs\Startup\WordPad.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\Taskhost.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\Dwn.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\POS.exe Detected as GAV: Guatambu.POS (Trojan)
  • %Userprofile%\Application Data\Output.txt [POS credit card data]

The Malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\GUID\GUID = 520EAFA9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify = dword:00000000

The malware runs the following commands on the system:

Once the computer is compromised, the malware copies its own executable files to the %Userprofile% folder.

The malware communicates with its own domain to check for a new update, updates its own sample, and also downloads the POS component, detected as GAV: Guatambu.POS (Trojan).

For Guatambu, the goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware gathers data such as the following:

  • COMPUTERNAME
  • &admin=
  • &hid=
  • &arc=
  • &user=USERNAME
  • Full
  • &ram=
  • &cpu=
  • &gpu=

Once Guatambu downloads the POS component, the malware retrieves a list of running processes and periodically scrapes their memory on the infected machine for credit card information, as in the following example:

Command and Control (C&C) Traffic

Guatambu performs C&C communication over the TCP and UDP protocols.

The malware sends the computer’s information to its own C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Guatambu.AAB
  • GAV: Guatambu.POS

Adobe Type Confusion Vulnerability CVE-2016-1019 Exploited in the Wild

A critical vulnerability has been reported in Adobe’s Flash Player. The CVE identifier for this vulnerability is CVE-2016-1019. It applies to Windows, Mac, Linux, as well as Chrome OS. An attacker who successfully exploits this vulnerability can execute code remotely and potentially take over the system. Versions 21.0.0.197 and before are vulnerable.

Exploits of this vulnerability have been seen in the wild. Some examples are below:

  • 9d7561f5613114431bf906ede4bc1c40208a9e35
  • 7021457e03445f8f10e38cf5aed4a60a757ea326
  • 8670993b2e63e32260685a80b78d15adf5742a6a
  • 2173970148947e7954ac028fc2fd855445897be1

Although it is exploited in the wild, a mitigation introduced in Flash Player 21.0.0.182 prevents exploitation of this vulnerability.

The exploits are obfuscated, as usual. However, the attempts to exploit this vulnerability are clear to see:

As you can see above, the code attempts to load bytes from ‘var_51’, which points to one of the byte arrays in the ‘binaryData’ section of the SWF file. This is another SWF file embedded inside:

Let’s load this embedded SWF:

This is a heavily obfuscated file. The nature of the vulnerability requires two SWFs to work together; the latter SWF is merely the second part, which triggers the vulnerability.

The Dell SonicWALL team has created the following signatures that protect our customers from these exploits:

  • CVE-2016-1019.A_4(Exploit)
  • CVE-2016-1019.A_3
  • CVE-2016-1019.A_2
  • CVE-2016-1019.A