New Heracles Stealer in the Wild

Overview

This week, the SonicWall Capture Labs threat research team analyzed a new sample of an infostealer dubbed ‘Heracles’, which has multiple evasion and persistence techniques. The malware is programmed to search for system credentials, installed programs and crypto currency wallets.

Technical Analysis

The file is detected as “Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe”, which translates to “Responsibilities of a senior technician on a TU-160 aircraft_vch_85927_D_Kaplunov.exe”. It is a .NET executable.

Figure 1: Sample Detection

When attempting to look at the file resources in dnSpy, the records are completely obfuscated.

Figure 2: Obfuscated (left) and deobfuscated data (right)

Once the file has been deobfuscated, it shows hundreds of classes and attributes. In a secondary check against the deobfuscated sample, two embedded files are found. The first is ‘DotNetZip.dll’, and the second is another .NET DLL file (“zx_8d21b2346df842017090f44c62fec926.dll”). The former is used for handling zip files in memory and is a legitimate application, while the latter is a secondary payload.

Figure 3: Payload detection

Looking at the payload sample, it shows the name “PDF_Reader” in its resource section. However, it has a number of domains listed related to cryptocurrency and dark web sites, including a .onion address.

Figure 4: Domains listed in the payload, which also mentions ‘Eazfuscator’, an obfuscation tool

At runtime, the main file checks CPU and hardware features through WMI using the following queries:

  • CreateInstanceEnum – root\cimv2 : Win32_Processor
  • ExecQuery – root\cimv2 : SELECT ProcessorId FROM Win32_Processor
  • ExecQuery – root\cimv2 : SELECT * FROM Win32_VideoController
  • ExecQuery – root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

It also checks specifically for VMware and QEMU virtual environments, as well as for running analysis processes and debuggers, to ensure it is executing on a viable system. All error reporting is disabled via SetErrorMode to prevent the user/system from noticing the activity. Files are dropped into the following locations for persistence and staging:

  • ~AppData\Roaming\…\Files\Local Settings\Temp
  • ~AppData\Roaming\…\Files\Start Menu\Programs
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Windows Powershell
  • ~AppData\Roaming\…\Files\Start Menu\Programs\System Tools\
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Startup
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Startup\Administrative Tools\
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Startup\Maintenance\
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Startup\Accessories\
  • ~AppData\Roaming\…\Files\Start Menu\Programs\Startup\Accessibility\

The main sample creates copies of itself in the ‘Temp’ location as ‘.tmp’ files. In testing, these were presented as ‘wct3D66.tmp’ or similar. For all other locations, either ‘.ini’ or ‘.lnk’ files are created that will point back to one or more of the copies. Enumeration begins by going through the main directory and looking for Microsoft Office profiles, cryptocurrency wallets and clipboard data. The main wallets are: Electrum, Ethereum, Exodus, bytecoin and Zcash.
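The two behaviours above (WMI hardware fingerprinting of CPU, GPU and RAM, and Startup-folder .lnk/.ini files pointing back at .tmp copies in Temp) are easy to correlate per process. The following triage script is an added example, not SonicWall code: it reads constructed key=value event lines (not any vendor's real telemetry schema) and flags a process only when the full WMI triple is seen or a Startup item targets a .tmp copy that the same process wrote.

```python
import re
from collections import defaultdict

# WMI classes the sample enumerates; all three together is a strong
# sandbox/VM fingerprinting signal, a single one is normal for many apps.
FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_VideoController", "Win32_PhysicalMemory"}

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_TMP_RE = re.compile(r"\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)

# Constructed events for the demo (hypothetical format: type/pid/query/path/target).
SAMPLE_EVENTS = [
    'type=wmi_query pid=4120 query="SELECT ProcessorId FROM Win32_Processor"',
    'type=wmi_query pid=4120 query="SELECT * FROM Win32_VideoController"',
    'type=wmi_query pid=4120 query="SELECT Capacity FROM Win32_PhysicalMemory"',
    r'type=file_create pid=4120 path="C:\Users\u\AppData\Roaming\Files\Local Settings\Temp\wct3D66.tmp"',
    r'type=file_create pid=4120 path="C:\Users\u\AppData\Roaming\Files\Start Menu\Programs\Startup\update.lnk" '
    r'target="C:\Users\u\AppData\Roaming\Files\Local Settings\Temp\wct3D66.tmp"',
    'type=wmi_query pid=900 query="SELECT * FROM Win32_VideoController"',
]


def parse_event(line):
    """Parse 'key=value' pairs; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def triage(lines):
    """Return [(pid, [reason, ...])] for processes showing Heracles-like behaviour."""
    wmi_seen = defaultdict(set)        # pid -> fingerprinting classes queried
    tmp_copies = defaultdict(set)      # pid -> lower-cased .tmp paths written under Temp
    startup_items = defaultdict(list)  # pid -> (startup path, link target)
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("pid")
        if ev.get("type") == "wmi_query":
            query = ev.get("query", "").lower()
            for cls in FINGERPRINT_CLASSES:
                if cls.lower() in query:
                    wmi_seen[pid].add(cls)
        elif ev.get("type") == "file_create":
            path = ev.get("path", "")
            if TEMP_TMP_RE.search(path):
                tmp_copies[pid].add(path.lower())
            elif STARTUP_RE.search(path) and path.lower().endswith((".lnk", ".ini")):
                startup_items[pid].append((path, ev.get("target", "")))

    findings = []
    for pid in sorted(set(wmi_seen) | set(startup_items)):
        reasons = []
        if wmi_seen[pid] == FINGERPRINT_CLASSES:
            reasons.append("hardware fingerprinting via WMI (CPU, GPU, RAM)")
        for path, target in startup_items[pid]:
            if target.lower() in tmp_copies[pid]:
                reasons.append(f"Startup item {path} points at Temp copy {target}")
        if reasons:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

The process that only queries Win32_VideoController is deliberately left out of the results; matching the whole WMI triple, or the link-to-own-copy chain, keeps the rule from firing on ordinary inventory software.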

Figure 5: Wallet strings found during runtime

Data is staged in the same ‘Temp’ directory and is compressed via DotNetZip. While no network connections were made, the following IP addresses were found in memory:

208.95.112.1 (ip-api.com)
149.154.167.220 (api.telegram.org)
104.237.62.212 (api.ipify.org)
64.185.227.156 (api.ipify.org)
173.231.16.77 (api.ipify.org)

The Telegram IP is used for communications: in other tests it was confirmed that there is a Telegram group associated with this sample (‘https://t{.}me/rusvolcorp’). Rusvolcorp is a Russian group fighting on behalf of Ukraine, but it is unknown whether this link is legitimate.

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Heracles.A
  • MalAgent.Heracles.Payload

IOCs

  • 53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa (Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe)

  • BAD79DB7BE7C9C4BFBA84BFE7B3254E215650A5532098DC7C4A787695D52A983 (PDF_Reader.dll)

URLs

  • xss.is
  • coinbase.com
  • antiscan.me
  • dyncheck.com
  • avcheck.net
  • dark2web.cc
  • blockchain.com
  • freewallet.org
  • btc.com
  • bhf.io
  • direct.yandex.ru
  • payeer.com
  • exploit.in
  • exploitinqx4sjro.onion

SSH ProxyCommand Command Injection

Overview

SonicWall Capture Labs threat research team became aware of a command injection threat within OpenSSH versions before 9.6, assessed its impact, and developed mitigation measures for the vulnerability. OpenSSH is a widely used connectivity tool for encrypted remote login, both standalone and embedded in enterprise and consumer applications.
CVE-2023-51385 allows an attacker to inject commands into the command line if the client uses the ProxyCommand parameter in its configuration file for the server being connected to. There is no known active exploitation at the time of writing, likely due to the requirements around exploitation. While those requirements reduce the risk, several well-known applications and services use this feature in advanced configurations, such as Okta, CloudFlare, and AWS; they should, therefore, be reviewed for potential risk. This vulnerability can be mitigated by upgrading OpenSSH to version 9.6p1 or greater and removing any usage of the ProxyCommand feature within your environment.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-51385.

CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • The impact of this vulnerability on data confidentiality is high.
  • The impact of this vulnerability on data integrity is high.
  • The impact of this vulnerability on data availability is high.

Technical Overview

Advanced usage of OpenSSH includes the ability to provide a configuration file that can perform actions when initiating an SSH connection. One of those actions is ProxyCommand, which allows the user to specify a command to execute, in the context of the user’s current shell, during the connection process. The keyword includes “proxy” because the intention is for the user to be able to proxy a connection through another server. Within the command string, ‘%h’ is substituted with the hostname and ‘%p’ with the port number. These values come from the user-supplied connection target and are not sanitized before being placed onto the command line. As a result, an attacker who controls the hostname and/or port number can achieve command injection.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must convince a user to connect to a malicious URL using a vulnerable version of SSH in a scenario where the end user uses ProxyCommand within their configuration file for the connecting server. As the end user needs a specific configuration, this reduces the likelihood of exploitation. However, several well-known applications and services use this feature in advanced configurations, such as Okta, CloudFlare, and AWS. In cases where this advanced configuration has been leveraged, exploitation is more likely.

Exploitation

Assuming the previously mentioned conditions are met, exploitation can occur any time SSH is leveraged. This includes standard connections such as SSH and SCP. The discovering researcher, vin01, released a proof of concept that leverages git clone over SSH to open the macOS calculator. This can also be done on Linux or Windows operating systems with slight modifications. To execute the proof of concept, a single git clone command is used. Exploitation occurs when the user’s SSH configuration file is set to utilize the ProxyCommand parameter with any “.example.com” domain, as seen in Figure 1.


Figure 1 – Local SSH Config File

When git recursively attempts to get the submodules from the repository, shown in Figure 2, the vulnerability is triggered and exploited.


Figure 2 – Repository submodules

The video in Figure 3 demonstrates leveraging this proof of concept on a Linux workstation to execute calculator.

Figure 3 – Linux workstation exploitation
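The root cause described in the Technical Overview (unsanitized %h/%p substitution) and the .gitmodules delivery path described under Exploitation both reduce to one question: does the hostname contain anything other than hostname characters? The script below is an added example, not OpenSSH's or SonicWall's code. It restricts hostnames to a conservative alphabet (an assumption in the spirit of, but not identical to, the OpenSSH 9.6 hostname check), expands a ProxyCommand template only for safe values, and scans a constructed .gitmodules file for submodule URLs whose host would fail that check, which is what a repository-side pre-clone review would look for.

```python
import configparser
import re
import shlex
from urllib.parse import urlparse

# Conservative DNS label alphabet: letters, digits and interior hyphens only.
# This rejects every shell metacharacter ($, `, ;, |, spaces, parentheses ...).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")

# Constructed .gitmodules content for the demo; "odd" carries an invalid host.
SAMPLE_GITMODULES = """
[submodule "good"]
    path = good
    url = git@github.com:example/good.git
[submodule "odd"]
    path = odd
    url = ssh://git@bad$(x).example.com/repo.git
"""


def is_safe_hostname(host):
    """True only for plain hostnames that cannot carry shell syntax."""
    return 0 < len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def expand_proxy_command(template, host, port):
    """Expand %h/%p the way a client would, but refuse unsafe hostnames and
    shell-quote the substituted values as defence in depth."""
    if not is_safe_hostname(host):
        raise ValueError(f"refusing hostname with unsafe characters: {host!r}")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"invalid port: {port!r}")
    return template.replace("%h", shlex.quote(host)).replace("%p", str(port))


def ssh_host_from_url(url):
    """Extract the host from the two URL forms git hands to ssh."""
    if "://" in url:
        return urlparse(url).hostname or ""
    # scp-like syntax: [user@]host:path
    head = url.split(":", 1)[0]
    return head.split("@", 1)[-1]


def suspicious_submodules(gitmodules_text):
    """Return (section, host) for submodule URLs whose host is not a plain hostname."""
    # .gitmodules is git-config syntax; strip indentation so configparser reads it.
    flat = "\n".join(line.strip() for line in gitmodules_text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(flat)
    bad = []
    for section in cp.sections():
        if not section.startswith("submodule"):
            continue
        host = ssh_host_from_url(cp.get(section, "url", fallback=""))
        if not is_safe_hostname(host):
            bad.append((section, host))
    return bad


if __name__ == "__main__":
    print(expand_proxy_command("ssh -W %h:%p jump.example.com", "server.example.com", 22))
    print(suspicious_submodules(SAMPLE_GITMODULES))
```

Rejecting rather than escaping is the right default here: a hostname that needs quoting to be safe is not a hostname any legitimate submodule or Host stanza would use, and shlex.quote alone would not help a ProxyCommand that passes %h to a tool with its own parsing.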

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • SPY:520 "Malformed-gitmodules gitmodules.OT_1"

Remediation Recommendations

OpenSSH has released an update to address the issue, and it is strongly recommended that the application be updated to version 9.6p1 or newer as appropriate. Additionally, it is recommended to review any client SSH configuration files and ensure the ProxyCommand parameter is only utilized when necessary.

Relevant Links

GuLoader upgrades its Vectored Exception Handler

Overview

For the last three years, GuLoader has gained popularity among threat actors due to its sophisticated, robust and powerful defense techniques against security software. The SonicWall Capture Labs Threat Research team has observed GuLoader being distributed to victims’ machines by an obfuscated VBScript inside an archive sent as an email attachment. The malware continuously updates its code to stay undetected and effective against security software. While it has rich anti-VM, anti-debug, anti-analysis and anti-dump techniques, one of its best anti-analysis features is the updating of its Vectored Exception Handler code. The malware deliberately executes instructions that throw an exception, and the Vectored Exception Handler code is used to compute the next executable instruction address. What makes the malware notable is that it is fileless, true shellcode-based malware that does not include a PE header, not even in memory. It is used to deliver various malware families including AgentTesla, Remcos, Lokibot and NanoCore.

Infection Cycle

The effectiveness of the malware can be judged from the fact that it has not changed its infection cycle for a year and is still undetected by various security software. The initial VBScript file is obfuscated and contains large comments that construct and launch a PowerShell script.

Figure 1 – Obfuscated VBScript

PowerShell script

The PowerShell script is complex to understand, as it computes variables dynamically at runtime. The malware uses one function to decrypt the cmdlets, variables and strings and another function to execute the cmdlets.

Figure 2 – Obfuscated first level PowerShell script.

The PowerShell script needs to be decrypted and simplified to make it legible. If the running PowerShell process is a 64-bit process, the malware relaunches the script under the 32-bit PowerShell executable so that it can inject and execute 32-bit shellcode in later stages. The script downloads a base64-encoded file from the URL “h[t][t]p://85.209.176.46/Schoolm.ocx” into “%APPDATA%\Dumpste.Mue”. The first 648 bytes of the downloaded file are the shellcode, followed by the encrypted GuLoader bytes and ending with a PowerShell script that continues the execution.

Figure 3 – Simplified first level PowerShell script.

The downloaded script is again obfuscated and uses functions from the downloader script to decrypt and execute cmdlets, which makes the standalone script unusable and unreadable on its own. The script again computes variables dynamically and needs to be decrypted and simplified to make it legible.


Figure 4 – Obfuscated second level PowerShell script.

The PowerShell script hides the PowerShell window using the ShowWindow API so that it stays unnoticed by the user. It then allocates 648 bytes with PAGE_EXECUTE_READWRITE access, using the NtProtectVirtualMemory API, and writes the shellcode bytes from the downloaded file there. It allocates a further 0x3D84000 bytes with PAGE_READWRITE access and writes the encrypted GuLoader bytes. Finally, the script executes the shellcode through the CallWindowProcA API, passing the address of the encrypted bytes and the address of NtProtectVirtualMemory as arguments.


Figure 5 – Simplified second level PowerShell script

GuLoader

GuLoader is a very well-known advanced malware which is widely adopted by threat actors to deliver various payloads. We have already covered technical details of the malware in our previous blog.
In the recent variant, the malware has upgraded its Vectored Exception Handler (VEH) code. Initially GuLoader’s VEH only supported the EXCEPTION_BREAKPOINT exception; later variants added support for EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP. In the recent variant, we have observed that the malware added support for EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION exceptions to prevent threat researchers from neutralizing the VEH with script-based automation. To bypass the VEH, threat researchers now need to identify all illegal and privileged instructions as well.

Figure 6 – Code checks exception type

The malware deliberately generates an exception supported by the VEH and computes the next valid EIP address inside the VEH code to continue the malicious execution. While executing the VEH code, the malware also checks for hardware breakpoints by inspecting the debug registers. If any hardware breakpoint is found, the malware zeros out one of the structure’s addresses, which causes an EXCEPTION_ACCESS_VIOLATION exception inside the VEH code.

Figure 7 – Code inspects hardware debug registers.

The malware next computes the new EIP by reading the value at offset 0x14 from the current EIP, XORing it with 0x04 and adding the result to the current EIP.

Figure 8 – Code computes next EIP address

The malware generates the supported exceptions throughout its code and handles them inside the VEH code.
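The EIP computation above is exactly what a researcher needs to script in order to follow the control flow statically instead of single-stepping through every exception. The resolver below is an added example, not GuLoader's code or SonicWall's tooling. It assumes the handler reads one byte at EIP + 0x14 (the page does not state the width), that the EIP in question is the faulting instruction's address, and it finds exception sites by a linear byte scan for the obvious single encodings of the page's exception types that need no memory operand (int3, ud2, hlt, cli); a byte scan can hit opcode bytes inside immediates, so every hit should be confirmed in a disassembler.

```python
# Opcode -> exception type raised in user mode (ring 3), per the page's list.
EXCEPTION_OPCODES = {
    b"\xcc":     "EXCEPTION_BREAKPOINT (0x80000003)",          # int3
    b"\x0f\x0b": "EXCEPTION_ILLEGAL_INSTRUCTION (0xC000001D)",  # ud2
    b"\xf4":     "EXCEPTION_PRIV_INSTRUCTION (0xC0000096)",     # hlt
    b"\xfa":     "EXCEPTION_PRIV_INSTRUCTION (0xC0000096)",     # cli
}
DISP_OFFSET = 0x14   # where the handler reads the displacement (from the page)
XOR_KEY = 0x04       # key applied to the displacement (from the page)


def next_eip(code, base, eip):
    """Replicate the handler: EIP + (byte at EIP+0x14 XOR 0x04).
    Assumption: a single byte is read and eip is the faulting address."""
    idx = eip - base + DISP_OFFSET
    if not 0 <= idx < len(code):
        raise ValueError(f"displacement byte for EIP {eip:#x} lies outside the buffer")
    return eip + (code[idx] ^ XOR_KEY)


def resolve_exception_sites(code, base):
    """Return [(site EIP, exception type, resolved next EIP)] for every
    exception-raising opcode found by a linear scan of 'code' loaded at 'base'."""
    sites = []
    i = 0
    while i < len(code):
        for opcode, name in EXCEPTION_OPCODES.items():
            if code.startswith(opcode, i):
                eip = base + i
                sites.append((eip, name, next_eip(code, base, eip)))
                break
        i += 1
    return sites


def build_sample():
    """Constructed 64-byte shellcode stand-in: int3 at +0, ud2 at +0x10, with
    the displacement bytes the handler would read placed at +0x14 and +0x24."""
    code = bytearray(0x40)
    code[0x00] = 0xCC          # int3  -> handler reads code[0x14]
    code[0x14] = 0x0A          # 0x0A ^ 0x04 = 0x0E, so next EIP = base + 0x0E
    code[0x10:0x12] = b"\x0f\x0b"  # ud2 -> handler reads code[0x24]
    code[0x24] = 0x07          # 0x07 ^ 0x04 = 0x03, so next EIP = base + 0x13
    return bytes(code)


if __name__ == "__main__":
    for site, name, target in resolve_exception_sites(build_sample(), 0x401000):
        print(f"{site:#010x}  {name:<45} -> {target:#010x}")
```

Walking the resolved targets from the entry point, rather than scanning the whole buffer, removes most false positives; the scan form is shown because it is the quickest way to enumerate every candidate site before a debugger session.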

EXCEPTION_ACCESS_VIOLATION (0xC0000005)

In the case of an EXCEPTION_ACCESS_VIOLATION exception, the malware examines the address for which the exception was thrown; if it is less than 0x10000, the malware terminates execution.

Figure 9 – Code generates access violation exception.


Figure 10 – Code handles access violation exception

EXCEPTION_BREAKPOINT (0x80000003)

Figure 11 – Code generates breakpoint exception

EXCEPTION_SINGLE_STEP (0x80000004)

Figure 12 – Code generates single step exception.

EXCEPTION_PRIV_INSTRUCTION (0xC0000096)

Figure 13 – Code generates privileged instruction exception.

EXCEPTION_ILLEGAL_INSTRUCTION (0xC000001D)

Figure 14 – Code generates illegal instruction exception.

At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential.

Figure 15 – VirusTotal detections.

Evidence of the detection by the RTDMI engine can be seen below in the Capture ATP report for this file.

Figure 16 – RTDMI detection.

SonicWall Discovers Critical Apache OFBiz Zero-day -AuthBiz

Update 1/2/24

According to our sensor network, SonicWall is seeing a large number of exploitation attempts of CVE-2023-51467. We highly recommend upgrading to Apache OFBiz version 18.12.11 or newer.

Overview

SonicWall Capture Labs threat research team has discovered an Authentication Bypass vulnerability being tracked as CVE-2023-51467 with a CVSS score of 9.8. It was discovered while researching the root cause for the previously disclosed CVE-2023-49070. The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present.

Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system. It may seem unfamiliar, but as part of the software supply chain it has a wide install base in prominent software, such as Atlassian’s JIRA (used by over 120K companies). As a result, as with many supply chain libraries, the impact of this vulnerability could be severe if leveraged by threat actors. Our research demonstrates that this flaw could lead to the exposure of sensitive information or even the ability to execute arbitrary code, as demonstrated in the short video below using version 18.12.10, where the system “ping” application is executed by an unauthenticated attacker.

SonicWall is committed to helping provide defenders with the necessary resources to protect their organizations. As part of this effort, we responsibly disclosed the discovered vulnerability to Apache OFBiz, providing them advance notice so that patches or other mitigation strategies could be deployed. We advise anyone using Apache OFBiz to update to version 18.12.11 or newer immediately. In addition to the patch, SonicWall has developed IPS signature IPS:15949 to detect any active exploitation of this vulnerability.

Technical Analysis and Discovery

We were intrigued by the chosen mitigation when analyzing the patch for CVE-2023-49070 and suspected the real authentication bypass would still be present since the patch simply removed the XML RPC code from the application. As a result, we decided to dig into the code to figure out the root cause of the auth-bypass issue. As anticipated, the root issue was in the login functionality. We focused our analysis on the LoginWorker.java file in order to understand the flow of data within the various functions and checks during the authentication process.

This led us to run a couple of testcases, outlined below, to examine the authentication functionality using Apache OFBiz version 18.12.09. For testing, we started by using the publicly available poc1 and poc2 for CVE-2023-49070.

Testcase 1

Our first test case used empty USERNAME and PASSWORD parameters while including the parameter requirePasswordChange=Y in the URI. This test was derived from the testing of CVE-2023-49070 during our signature development to ensure detection in all use cases. The question was posed: what if there is no username and password in the request? For instance, the request might look like https[:]//www.example.com:8443/webtools/control/xmlrpc/?USERNAME=&PASSWORD=&requirePasswordChange=Y.

In this testcase (lines #437 to #448 from the LoginWorker.java file), the login function returns the value requirePasswordChange due to username and password being empty, and requirePasswordChange set to ‘Y’ as seen in the code snippet in Figure 1.

List<String> unpwErrMsgList = new LinkedList<String>();
if (UtilValidate.isEmpty(username)) {
    unpwErrMsgList.add(UtilProperties.getMessage(resourceWebapp, "loginevents.username_was_empty_reenter", UtilHttp.getLocale(request)));
}
if (UtilValidate.isEmpty(password) && UtilValidate.isEmpty(token)) {
    unpwErrMsgList.add(UtilProperties.getMessage(resourceWebapp, "loginevents.password_was_empty_reenter", UtilHttp.getLocale(request)));
}
boolean requirePasswordChange = "Y".equals(request.getParameter("requirePasswordChange"));
if (!unpwErrMsgList.isEmpty()) {
    request.setAttribute("_ERROR_MESSAGE_LIST_", unpwErrMsgList);
    // return value depends on the requirePasswordChange parameter
    return requirePasswordChange ? "requirePasswordChange" : "error";
}

Figure 1: Login function when empty username and password is provided

Subsequently, the value returned by the login function is consumed by the checkLogin function. Unexpectedly, the flow does not enter the conditional block shown in Figure 2, because the boolean checks (username == null) and (password == null) return false even though both parameters are empty or blank. Additionally, “error”.equals(login(request, response)) also evaluates to false, because the value returned by the login function was requirePasswordChange.

if (userLogin == null) {
    // check parameters
    username = request.getParameter("USERNAME");
    password = request.getParameter("PASSWORD");
    token = request.getParameter("TOKEN");
    // check session attributes
    if (username == null) username = (String) session.getAttribute("USERNAME");
    if (password == null) password = (String) session.getAttribute("PASSWORD");
    if (token == null) token = (String) session.getAttribute("TOKEN");
    // in this condition log them in if not already; if not logged in or can't log in, save parameters and return error
    if (username == null
            || (password == null && token == null) // This condition is getting checked.
            || "error".equals(login(request, response))) {

Figure 2: Code responsible to verify the empty username/password

As a result, the checkLogin function ends up returning success, allowing the authentication to be bypassed.

Testcase 2

In this testcase, we attempted to authenticate with known invalid USERNAME and PASSWORD parameters and the parameter requirePasswordChange set equal to ‘Y’. This testcase is derived from the original public poc for CVE-2023-49070 and was used to further our understanding of how the authentication process works. For instance, the request would look like https[:]//www.example.com:8443/webtools/control/xmlrpc/?USERNAME=x&PASSWORD=y&requirePasswordChange=Y.

In this scenario, lines #601 to #605 from the LoginWorker.java file in the login function return the value requirePasswordChange due to the parameter requirePasswordChange=Y as seen in the code snippet in Figure 3.

} else {
    Map<String, String> messageMap = UtilMisc.toMap("errorMessage", (String) result.get(ModelService.ERROR_MESSAGE));
    String errMsg = UtilProperties.getMessage(resourceWebapp, "loginevents.following_error_occurred_during_login", messageMap, UtilHttp.getLocale(request));
    request.setAttribute("_ERROR_MESSAGE_", errMsg);
    return requirePasswordChange ? "requirePasswordChange" : "error";
}

Figure 3: Code responsible for return value when non-empty username and password

Subsequently, the value returned by the login function is consumed by the checkLogin function. Here, the flow did not enter the conditional block in Figure 2 because username and password were not null. Additionally, “error”.equals(login(request, response)) also evaluated to false, because the value returned by the login function was requirePasswordChange, as in testcase 1.

Hence, the checkLogin function returns success, allowing the authentication to be bypassed.

Conclusion

Considering the above results, it can be concluded that the magic string requirePasswordChange=Y causes the authentication to be bypassed regardless of the username and password fields or other parameters. As a result, removing the XML RPC code was not an effective patch and the bypass remained.

Patch Review

The vulnerability was fixed swiftly (Kudos!) by the Apache OFBiz team with commits d8b097f and ee02a33. For due diligence, we confirmed the patch was effective by running the same two testcases.

Verification of Testcase 1

In this scenario, lines #436 to #446 in the function login still return requirePasswordChange, but the function UtilValidate.isEmpty is now also used in the function checkLogin, on lines #341 to #343, as seen in the code snippet in Figure 4.

if (UtilValidate.isEmpty(username)
        || (UtilValidate.isEmpty(password) && UtilValidate.isEmpty(token))
        || "error".equals(login(request, response))) {

Figure 4: Use of UtilValidate.isEmpty function to verify empty values

Here, the boolean checks UtilValidate.isEmpty(username) and UtilValidate.isEmpty(password) return true for empty values, unlike (username == null) and (password == null) before the patch, so the checkLogin function returns the value error.

This prevents the authentication bypass from occurring and confirms testcase 1 has been patched.

Verification of Testcase 2

In this scenario, lines #609 to #614 in the function login return error, in contrast to requirePasswordChange before the patch, as seen in Figure 5.

} else {
    Map<String, String> messageMap = UtilMisc.toMap("errorMessage", (String) result.get(ModelService.ERROR_MESSAGE));
    String errMsg = UtilProperties.getMessage(RESOURCE, "loginevents.following_error_occurred_during_login",
            messageMap, UtilHttp.getLocale(request));
    request.setAttribute("_ERROR_MESSAGE_", errMsg);
    return "error";
}

Figure 5: Code changes to return error in case of error during login

This causes the boolean check “error”.equals(login(request, response)) in the checkLogin conditional block seen in Figure 4 to return true, so the checkLogin function returns the value error, preventing the authentication bypass.
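The two testcases and the two verification runs above differ in only two places: the null-versus-empty check in checkLogin and the final return of login's failure branch. The model below is an added Python illustration, not OFBiz's Java; it collapses LoginWorker to the parts the bypass depends on, uses a constructed credential store, and runs both the pre-patch and patched logic from one `patched` flag so the four outcomes can be compared side by side.

```python
USERS = {"admin": "correct-horse"}  # constructed credential store, not OFBiz data


def is_empty(value):
    """Equivalent of UtilValidate.isEmpty: None or a blank string."""
    return value is None or value.strip() == ""


def login(params, patched):
    """LoginWorker.login reduced to its return values."""
    username, password, token = params.get("USERNAME"), params.get("PASSWORD"), params.get("TOKEN")
    require_change = params.get("requirePasswordChange") == "Y"
    if is_empty(username) or (is_empty(password) and is_empty(token)):
        # Empty credentials (lines #437-#448, unchanged by the patch): the
        # return value still depends on the requirePasswordChange parameter.
        return "requirePasswordChange" if require_change else "error"
    if USERS.get(username) == password:
        return "success"
    if patched:
        return "error"  # Figure 5: failed login now always returns "error"
    return "requirePasswordChange" if require_change else "error"  # Figure 3


def check_login(params, patched):
    """LoginWorker.checkLogin reduced to the guarding conditional."""
    username, password, token = params.get("USERNAME"), params.get("PASSWORD"), params.get("TOKEN")
    if patched:   # Figure 4: UtilValidate.isEmpty catches "" as well as null
        missing = is_empty(username) or (is_empty(password) and is_empty(token))
    else:         # Figure 2: only null is caught, "" slips through
        missing = username is None or (password is None and token is None)
    # Java's || short-circuits, so login() runs only when the fields passed the check.
    if missing or login(params, patched) == "error":
        return "error"
    return "success"


TESTCASE_1 = {"USERNAME": "", "PASSWORD": "", "requirePasswordChange": "Y"}
TESTCASE_2 = {"USERNAME": "x", "PASSWORD": "y", "requirePasswordChange": "Y"}

if __name__ == "__main__":
    for name, params in (("testcase 1", TESTCASE_1), ("testcase 2", TESTCASE_2)):
        print(name, "pre-patch:", check_login(params, patched=False),
              "patched:", check_login(params, patched=True))
```

The model makes the design lesson explicit: a function whose non-error return values are all treated as success by its caller must never let a request parameter choose between those return values.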

Acknowledgement

We appreciate the prompt response and remediation by the Apache OFBiz team. They demonstrated extreme care for the security of their customers and were a pleasure to work with.

Apache Struts Unauthorized Arbitrary File Upload

Overview

The SonicWall Capture Labs threat research team became aware of an unauthorized arbitrary file upload vulnerability in Apache Struts, assessed its impact and developed mitigation measures for the vulnerability. Apache Struts, an open-source MVC framework for developing modern Java web applications, has released versions 2.5.33 and 6.3.0.2 addressing this issue, which affects the following versions of Struts: Struts 2.0.0 – Struts 2.3.37 (EOL), Struts 2.5.0 – Struts 2.5.32, and Struts 6.0.0 – Struts 6.3.0. Since Apache Struts has historically been an attractive target for threat actors due to its widespread usage, this vulnerability has already started being exploited in the wild. This could be easily anticipated considering its ease of exploitation as well as the existence of a public PoC. Due to active exploitation, we strongly recommend upgrading to the latest version of Struts.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-50164.
The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability allows threat actors to upload an arbitrary file into the webroot of the Tomcat web server through a POST request. The flaw lets the attacker not only tamper with the file upload parameters but also append an additional parameter, which allows a file to be written at any location. The implemented sanitization is inadequate to prevent parameter pollution: changing the case of parameters (for example to lowercase) can override the file name variable uploadFileName, allowing path traversal and leading to compromise of the system.
To remediate the issue, Apache Struts has released a patch as commits 162e29f and d8c6969 for versions 2.5.x and 6.3.x respectively. A closer look at the patch confirms the improvements to the functions get, contains and remove, which are made case-insensitive so that manipulated parameters differing only in case are no longer treated as distinct, as seen in Figure 1 for the function get.

Figure 1: Improved case-insensitive get function

Additionally, the function appendAll is improved to append all the parameters in a case-insensitive way to deny the overriding attempt of existing parameters as seen in Figure 2.

Figure 2: Improved appendAll function

Triggering the Vulnerability

This vulnerability can be triggered using a specially crafted POST request which contains a parameter named “Upload” (or uPLoad or uploaD) instead of the default value upload, plus an additional uploadFileName parameter that overrides both the path where the file will be saved and the name of the file, as seen in Figure 3.

Figure 3: Malicious exploitation request
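The parameter pollution described in the Technical Overview and Triggering sections comes down to how the parameter map answers get/contains/remove/appendAll for names that differ only in case. The following is an added Python model, not Struts' own HttpParameters or its patch: the vulnerable map keeps differently-cased names as separate keys, so an attacker-supplied uploadFileName survives next to the framework-derived one; the fixed map performs every operation case-insensitively and drops any same-name entry before appending, so the trusted value wins. A containment check on the final save path is included as the independent second line of defence a file-upload handler should have regardless of the framework fix.

```python
import os


class VulnerableParams:
    """Case-sensitive parameter map: 'uploadFileName' and 'UploadFileName' coexist."""
    def __init__(self, initial=None):
        self._p = dict(initial or {})

    def get(self, name):
        return self._p.get(name)

    def contains(self, name):
        return name in self._p

    def remove(self, name):
        self._p.pop(name, None)

    def append_all(self, extra):
        self._p.update(extra)  # blind insert: never evicts a same-name-other-case key

    def keys(self):
        return set(self._p)


class FixedParams(VulnerableParams):
    """Case-insensitive map in the spirit of the patched get/contains/remove/appendAll."""
    def _find(self, name):
        return next((k for k in self._p if k.lower() == name.lower()), None)

    def get(self, name):
        k = self._find(name)
        return None if k is None else self._p[k]

    def contains(self, name):
        return self._find(name) is not None

    def remove(self, name):
        k = self._find(name)
        if k is not None:
            del self._p[k]

    def append_all(self, extra):
        for k, v in extra.items():
            self.remove(k)   # evict any entry equal ignoring case before adding
            self._p[k] = v


def resolve_upload_file_name(params_cls, request_params, field_name, real_file_name):
    """Hypothetical reduction of the upload interceptor: it derives
    '<field>FileName' from the multipart field name and appends it to the
    request parameters; the action then reads 'uploadFileName'."""
    params = params_cls(request_params)
    params.append_all({field_name: "<file bytes>", field_name + "FileName": real_file_name})
    return params.get("uploadFileName")


def safe_save_path(upload_dir, file_name):
    """Refuse any file name whose resolved path leaves the upload directory."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing file name that escapes {base}: {file_name!r}")
    return candidate


# Constructed request: field named "Upload" plus an attacker-chosen uploadFileName.
POLLUTED_REQUEST = {"uploadFileName": "../../outside.txt"}

if __name__ == "__main__":
    for cls in (VulnerableParams, FixedParams):
        print(cls.__name__, "->", resolve_upload_file_name(cls, POLLUTED_REQUEST, "Upload", "photo.png"))
```

Even with the fixed map, the save path check matters: the framework-derived name still originates from the client's multipart headers, so the last step before writing should be a containment check rather than trust in any parameter.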

Exploitation

We used the publicly available PoC to analyze and understand the vulnerability and to set up a lab environment. The remote code execution in the vulnerable system is demonstrated by leveraging this vulnerability. The following video illustrates the uploading of a web shell and execution of the system command by sending a request, as seen in Figure 3 above.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4194 Web Application Suspicious form-data 2

Additionally, a generic detection signature mentioned below is utilized to strengthen the protection.

  • IPS:2764 Web Application Suspicious form-data 1

Threat Graph

SonicWall sensors have confirmed a spike in exploitation attempts of this vulnerability and a surge in exploitation attempts is expected in upcoming days considering the popularity of the software.

Figure 4: SonicWall signature hits data

Remediation Recommendations

Apache Struts has released an update to address the issue, and it is strongly recommended to update the application to the version 2.5.33 or 6.3.0.2 or newer as appropriate.

Relevant Links

Malicious Android Spyware Employing RAT and Capturing Device Info and User Credentials

Overview

The SonicWall Capture Labs threat research team has been actively tracking malware campaigns deploying a formidable Android Remote Access Trojan (RAT). We encountered a variant of that malware equipped with extensive features such as keylogging, theft of sensitive device information and the ability to bypass Google Authenticator, even loading web pages within the application. These functionalities provide attackers with the means to achieve unauthorized access to the victim’s device.

Infection Cycle

This malware utilizes a tactic called icon masquerading, wherein it camouflages itself by adopting the appearance of icons from well-known and legitimate applications.

Figure 1: Malware utilizing well-known application icons

After installation, the malware prompts the victim to activate the Accessibility Service on the targeted device. If the victim grants permission, the malware exploits the Accessibility Service to carry out malicious activities covertly, without the user’s awareness.

Figure 2: Prompt users to activate the accessibility service

Here, the malware author is asking the user to grant device admin permissions.

Figure 3: Device admin code snippet

Accessibility Services make it hard for users to remove the app or install other apps. It can click ‘install’ without needing any input from the user.

Figure 4: Ease of installing other applications granted by Accessibility Services

We initiated the activity responsible for presenting Google Translator and Google News on WebView. Upon launching, the application opens, showcasing the Google account web pages. We noticed the webpage appearing within the malicious application.

Figure 5: Displaying webpage within the malicious application

The spyware sends the gathered sensitive information to a control server when directed by the attacker through the Accessibility Service. The host and port number are obfuscated using Base64 encoding.

Figure 6: Network connection

The compromised device establishes a connection with the Command and Control (C&C) server and receives various commands to execute operations, as shown in the image below.

Figure 7: C&C server

Google Authenticator creates two-factor authentication (2FA), enhancing security for accounts by adding a second verification step during sign-in. This malicious software bypasses extra security measures by using Accessibility Services to obtain 2FA codes.

Figure 8: Stealing Google authenticator code

It sends messages to the server based on the received commands.

Figure 9: Sends SMS

The code displayed in the image is designed to capture screenshots from the compromised device and subsequently transmit the collected screenshots to the Command and Control (C&C) server.

Figure 10: Forwarding all screenshots to the C&C server

This malware transmits information about the victim’s current location to its remote Command and Control (C&C) server.

Figure 11: Retrieving location info

This code extracts information about all the installed package names.

Figure 12: Reading installed packages.

The code handles a log file on the device’s external storage. It changes certain parts of the log file name and provides all content from the log file.

Figure 13: Log file created for activity monitoring

It establishes a database within web data to store sensitive personal information and credit card details of the targeted individual.

Figure 14: Storing information within a database

This spyware can steal social app credentials by checking if either the "com.facebook.katana" or "com.facebook.lite" app is installed on the device. If found, it uses an overlay attack to display a fake login page, tricking users and stealing their credentials.

Figure 15: Stealing social app credentials

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP with RTDMI.

IOCs

  • 62f027c0a8f856ef30ceba8432cd80a9462e03cf7809ea91fcbac60427f6a1bd
  • 06629bab34a4218262339659590656408c22f33411201d73977fc69700a4e68a

Windows Software Licensing Management Tool is Abused to Deliver XWorm3.1

Overview

The SonicWall Capture Labs threat research team has observed and detected a VBScript file which delivers XWorm3.1 to the victim’s machine. The trend of malware authors hiding behind a genuine tool is continuing, and this time they have abused the Windows Software Licensing Management Tool (“slmgr.vbs”). The cracked versions of XWorm are available on GitHub and are widely used by the malware authors. The VBScript file inside the archive is delivered to the victim’s machine as an email attachment.

The initial VBScript contains a URL (“h[t][t]ps://paste.ee/d/p5W9H”) from which it downloads the second-level VBScript file, which pretends to be “slmgr.vbs”. The downloaded content contains malicious obfuscated code that is injected into “slmgr.vbs” and is responsible for launching a PowerShell script that continues the malicious execution.

Figure 1: Initial VBScript

Figure 2: Malicious code injected slmgr.vbs

The injected VBScript code has large variable names which are concatenated to create two layers of encoded string. The first layer of encoding is decoded by the VBScript and passed to a PowerShell script to decrypt the second layer of encoding. The PowerShell script decodes the second layer of encoding by replacing “DgTre” with “A” to get a Base64 encoded final PowerShell script.

Figure 3: Displays injected malicious code.

Figure 4: PowerShell execution

PowerShell Script

The PowerShell script downloads an image file from the URL “h[t][t]ps://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175” which contains a Base64 encoded payload that starts at the tag “<< BASE64_START>>” and ends at the tag “<< BASE64_END>>”. The encoded payload is decoded to obtain the first-level loader executable. The PowerShell script executes the first-level loader and passes the XWorm malware URL “h[t][t]ps://firebasestorage.googleapis.com/v0/b/testing-edacd.appspot.com/o/order.txt?alt=media&token=4a130ca4-3664-4c4a-9260-44749ba2e5e3” to it as an argument:

Figure 5: PowerShell script

First Level Loader

The loader creates a persistence entry for the malicious VBScript under the registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”. The malware then downloads an image file from the URL “h[t][t]ps://uploaddeimagens.com.br/images/004/682/782/original/Rump_vbs.jpg?1701793262” and retrieves a second-level loader executable from the bytes appended to the image. The malware now downloads the XWorm payload from the URL provided by the PowerShell script and calls the second-level loader, passing it the path of RegAsm.exe and the XWorm bytes.

Figure 6: First level loader
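
The three unpacking steps described above (the “DgTre” substitution on the second-layer string, the Base64 blob carved between the “<< BASE64_START>>” and “<< BASE64_END>>” tags, and the loader appended after the end of a JPEG) can be reproduced for analysis with the following Python. This is an added example, not code from the original post or from the malware; the sample strings and the minimal JPEG are constructed here, and the layout of the real second-layer string is not reproduced.

```python
import base64
import re
from typing import Optional

# Tags named in the post that bracket the Base64 payload inside the downloaded image.
MARKER_START = b"<< BASE64_START>>"
MARKER_END = b"<< BASE64_END>>"

# Constructed stand-ins for the real artefacts; none of this is the malware's own data.
SAMPLE_LAYER2 = "U3RhcnQtU2xlZXDgTre="   # Base64 of "Start-Sleep" with its single 'A' replaced by "DgTre"
SAMPLE_IMAGE_WITH_TAGS = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9      # a JPEG header, as the real file carries
    + MARKER_START + base64.b64encode(b"MZ-first-level-loader") + MARKER_END
)
SAMPLE_JPEG_WITH_OVERLAY = (
    b"\xff\xd8"                                      # SOI
    + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9      # APP0 segment, length field 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"    # SOS segment, length field 8
    + b"\x12\x34\xff\x00\x56"                        # entropy-coded data with a stuffed 0xFF
    + b"\xff\xd9"                                    # EOI
    + b"MZ-second-level-loader"                      # bytes appended after the image proper
)


def decode_substitution_layer(encoded: str, token: str = "DgTre") -> bytes:
    """Undo the replacement layer: every token stands for the letter 'A', and the
    restored text is ordinary Base64."""
    return base64.b64decode(encoded.replace(token, "A"), validate=True)


def carve_between_tags(blob: bytes, start: bytes = MARKER_START, end: bytes = MARKER_END) -> Optional[bytes]:
    """Return the decoded payload bracketed by the start/end tags, or None if absent."""
    s = blob.find(start)
    if s < 0:
        return None
    s += len(start)
    e = blob.find(end, s)
    if e < 0:
        return None
    body = re.sub(rb"\s+", b"", blob[s:e])   # tolerate line breaks inside the blob
    return base64.b64decode(body, validate=True)


def jpeg_end_offset(blob: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the EOI marker.
    Walking segments instead of searching for FF D9 avoids stopping early at an
    EXIF thumbnail, which embeds a complete JPEG with its own EOI."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i, n = 2, len(blob)
    while i + 1 < n:
        if blob[i] != 0xFF:
            raise ValueError(f"marker expected at offset {i}")
        marker = blob[i + 1]
        if marker == 0xFF:                                # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                                # EOI
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # standalone markers (TEM, RSTn)
            i += 2
            continue
        if i + 4 > n:
            break
        i += 2 + int.from_bytes(blob[i + 2:i + 4], "big")  # skip marker + length-prefixed segment
        if marker == 0xDA:                                # SOS: skip entropy-coded data to the next real marker
            while i + 1 < n:
                if blob[i] == 0xFF and blob[i + 1] != 0x00 and not 0xD0 <= blob[i + 1] <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker found")


def carve_jpeg_overlay(blob: bytes) -> bytes:
    """Return whatever follows the image proper (empty for a clean file)."""
    return blob[jpeg_end_offset(blob):]


if __name__ == "__main__":
    print(decode_substitution_layer(SAMPLE_LAYER2))
    print(carve_between_tags(SAMPLE_IMAGE_WITH_TAGS))
    print(carve_jpeg_overlay(SAMPLE_JPEG_WITH_OVERLAY))
```

Each helper returns the carved bytes rather than writing them to disk, so the output can be hashed and scanned in memory; the overlay walk is the same check an analyst applies to any image-hosted payload, since a well-formed JPEG carries nothing after its EOI marker.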

Second Level Loader

The loader starts the process RegAsm.exe and does process hollowing to execute the XWorm malware in the context of RegAsm.exe:

Figure 7: Second level loader

Figure 8: APIs needed for process hollowing

XWorm 3.1

Old, cracked versions of XWorm are available on GitHub and are being used widely by malware authors. The main function decrypts and assigns the configuration information, which contains the C&C host, port number, key, XWorm data separator and the spreading name of the executable. The malware is a multithreaded process that starts one thread for the keylogging activity and another thread to communicate with the C&C server:

Figure 9: XWorm Main

C&C Communication

The malware sends system information to the C&C server which includes the victim’s ID, username, OS information, XWorm variant name, current date, spreading capacity, execution privilege, recording capability and installed antivirus. The victim’s ID is an MD5 hash from the combination of processor count, username, machine name, OS version and size of the system drive.

Figure 10: Victim’s information sent to the C&C server

The malware supports the below commands from the C&C server:
  • rec (Restart)
  • CLOSE (Terminate)
  • uninstall (Terminate and delete)
  • update
  • DW (Execute from disk)
  • FM (Execute from memory)
  • LN (Download and execute from a URL)
  • Urlopen
  • Urlhide
  • PCShutdown
  • PCRestart
  • PCLogoff
  • StartDDos
  • StopDDos
  • StartReport
  • StopReport
  • Xchat
  • DDos
  • ngrok
  • plugin
  • savePlugin
  • OfflineGet
  • $Cap
  • MessageBox

The malware sends the title of the currently active window to the C&C server, which may help the operators detect a debugging or controlled environment.

Figure 11: Sending active Window’s name

You can find old references of the malware detected by the SonicWall RTDMI™ engine here:

At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

Figure 12: Virus Total

Figure 13: Virus Total 2

Evidence of the detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 14: Capture ATP Report

Deceptive PDF Disguised as RingCentral Leads to Phishing Attacks

Overview

The SonicWall Capture Labs threat research team has observed PDF files masquerading as Ring Central, which is a communication and collaboration platform. This is achieved by incorporating malicious URLs with the intention of executing social engineering attacks for credential theft.

Infection Cycle

The PDF document bears the message "You have a new voice message." alongside the RingCentral logo and prompts the user to act with the instruction "Click here to listen." Clicking the provided link redirects the user to an Adobe-hosted URL. Malware authors abuse such hosts because they are trusted locations that normally serve legitimate content (in this case, an Adobe domain).

Figure 1: PDF document
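
A document like this can be triaged without opening it by pulling every link action out of the PDF and comparing the link hosts with the brand the document claims to come from. The following Python is an added example, not part of the original post or of any SonicWall tooling: the single-page PDF embedded in it is constructed, and the list of user-content hosting platforms it treats as suspicious (it contains the Adobe Express host) and the brand-to-domain table are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed single-page PDF with two /Link annotations (one literal string, one hex
# string) and an uncompressed text stream. It is not the real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://new.express.adobe.com/webpage/PLACEHOLDER) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI <68747470733a2f2f7777772e72696e6763656e7472616c2e636f6d2f> >> >> endobj
6 0 obj << /Length 72 >> stream
BT /F1 12 Tf 72 720 Td (You have a new voice message. RingCentral) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches /URI followed by either a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

# Assumptions for the policy check: platforms that serve arbitrary user content from a
# trusted domain, and the domains a given brand legitimately uses.
USER_CONTENT_HOSTS = ("express.adobe.com",)
BRAND_DOMAINS = {"ringcentral": ("ringcentral.com",)}


def _host_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def extract_pdf_uris(pdf: bytes) -> List[str]:
    """Return every /URI target in document order. Only the escapes for parentheses and
    backslash are undone, and streams are assumed uncompressed; a real triage step
    inflates FlateDecode streams before searching."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group(2) is not None:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(2)).decode("ascii"))
        else:
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def triage_links(pdf: bytes) -> List[Dict]:
    """Flag links that sit on a user-content platform or that do not belong to a brand
    named in the document text."""
    text = pdf.lower()
    claimed = [b for b in BRAND_DOMAINS if b.encode() in text]
    findings = []
    for uri in extract_pdf_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        reasons = []
        if any(_host_matches(host, h) for h in USER_CONTENT_HOSTS):
            reasons.append("link target is a user-content hosting platform")
        for brand in claimed:
            if not any(_host_matches(host, d) for d in BRAND_DOMAINS[brand]):
                reasons.append(f"document presents itself as {brand} but links to {host}")
        if reasons:
            findings.append({"uri": uri, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_PDF):
        print(finding)
```

The second annotation, which points at the brand's own domain, produces no finding; the first is flagged twice, once for the hosting platform and once for the brand mismatch, which is the combination this campaign relies on.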

Upon accessing the Adobe URL, the user is initially presented with a progress bar, cleverly designed to simulate the loading process of a voice message.

Figure 2: Fake voice message loading

Next, a webpage appears bearing the RingCentral logo and a prominent button labelled "Listen to Voice Message." This sequence is crafted to create a false sense of legitimacy through familiar branding, so that a user who takes the environment to be authentic clicks the button and falls for the lure. It shows how the social engineering technique exploits trust in recognizable visuals to make the fraud more effective.

Figure 3: Fake Ring Central on Adobe domain

Following the user’s click on the provided link, a redirection occurs to another malicious URL, where the user is presented with a phishing page designed to imitate the Microsoft sign-in interface. The deceptive page closely resembles the legitimate Microsoft sign-in page, tricking users into believing they are interacting with an authentic platform.

Figure 4: Microsoft phishing page

On this fraudulent Microsoft sign-in page, unsuspecting users may be prompted to enter their login credentials — such as usernames and passwords — under the false pretense of accessing the supposed voice message or related content. However, the entered information is captured by malicious actors for unauthorized access and potential misuse.

The absence of this malicious file (at the time of writing this blog) from popular malware search portals such as VirusTotal and ReversingLabs indicates its spreading potential:

Figure 5: Virus Total

This multi-stage attack involves the initial lure of a fake voice message in the PDF, the redirection to a malicious URL, and the presentation of a deceptive Microsoft sign-in page. It highlights the need for users to exercise caution and verify the authenticity of online interactions, especially when prompted to provide sensitive information, to prevent falling victim to phishing attempts and safeguard personal security.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: MalAgent.A_1994

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOCs

  • 85a38010b20ce02fd0387b1e36e0ab68a2d87d39d754434e6929dca67e9bc962

Relevant Links

  • hxxps://new[.]express[.]adobe[.]com/webpage/jWVSJkpCewb2X
  • hxxps://zqpfl[.]ipisecti[.]ru/97c9zhbt/

Fake AnyDesk Drops a Myriad of Malicious Tools

Overview

This week, the SonicWall Capture Labs threat research team analyzed a fake copy of AnyDesk. AnyDesk is a legitimate remote desktop application commonly used by tech support agents to troubleshoot computer problems and provide assistance remotely. Cybercriminals are known to use such tools by silently installing the application and then using it to remotely control a victim’s machine. In this scenario, however, an unsuspecting user is tricked into installing what seems to be a legitimate copy of AnyDesk. In reality, the download comes with an assortment of malicious software.

Infection Cycle

The malware is hosted on a website with a domain name “Anydesk.cyou” that closely resembles the real AnyDesk website.

Figure 1: Fake AnyDesk website hosting a fake AnyDesk application

The website downloads a file named “Anydsk.exe” which uses the legitimate AnyDesk icon.

Figure 2: Fake application named Anydsk.exe next to a copy of the legitimate AnyDesk.exe using very similar icons
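
Both impersonations described here, the “Anydesk.cyou” domain and the “Anydsk.exe” file name, can be caught by comparing the registrable label of a domain, or the stem of a file name, against a watch-list of brands. The following Python is an added example, not part of the original post; the brand watch-list, the edit-distance threshold and the naive handling of public suffixes are assumptions.

```python
from typing import Dict, Optional

# Assumed watch-list: brand label -> domains that legitimately carry it.
BRANDS = {"anydesk": {"anydesk.com"}}
MAX_DISTANCE = 2   # assumed threshold for edit-distance lookalikes


def levenshtein(a: str, b: str) -> int:
    """Classic single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label directly left of the TLD. Naive: treats 'co.uk'-style suffixes as one label."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(host: str) -> Optional[Dict]:
    """None for the brand's own domains, otherwise a finding describing the lookalike."""
    host = host.lower().strip(".")
    if any(host == d or host.endswith("." + d) for legit in BRANDS.values() for d in legit):
        return None
    label = registrable_label(host)
    for brand in BRANDS:
        dist = levenshtein(label, brand)
        if dist <= MAX_DISTANCE:
            reason = "brand label on a non-brand domain" if dist == 0 else "lookalike label"
            return {"host": host, "brand": brand, "distance": dist, "reason": reason}
        if brand in label:
            return {"host": host, "brand": brand, "distance": dist, "reason": "brand embedded in label"}
    return None


def check_filename(name: str) -> Optional[Dict]:
    """Flag file names one or two edits away from a brand. An exact brand name is not
    flagged on its own: the name alone cannot separate the real binary from a copy."""
    stem = name.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    for brand in BRANDS:
        dist = levenshtein(stem, brand)
        if 0 < dist <= MAX_DISTANCE:
            return {"file": name, "brand": brand, "distance": dist, "reason": "lookalike file name"}
    return None


if __name__ == "__main__":
    for host in ("Anydesk.cyou", "anydesk.com", "login-anydesk.cyou"):
        print(host, check_domain(host))
    print(check_filename("Anydsk.exe"))
```

A signer check on the downloaded binary is the complement to the file-name check: the name test only narrows the candidate set, and the figure above shows that the icons give no help at all.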

Upon execution, it opens an installation window that guides the user through the installation process.

Figure 3: Fake AnyDesk installation window

This process in fact installs a legitimate copy of the software application in question; however, it also installs other components.

The components of the legitimate AnyDesk software are installed in the following locations:

  • %AppData%\Roaming\CAS_BYBAnyDesk\AnyDesk.exe
  • %AppData%\Roaming\AnyDesk\ad.trace
  • %AppData%\Roaming\AnyDesk\service.conf
  • %AppData%\Roaming\AnyDesk\system.conf
  • %AppData%\Roaming\AnyDesk\user.conf

Upon completed installation, it adds a shortcut link to the user’s desktop which runs a legitimate copy of AnyDesk.

Figure 4: Running a legitimate copy of the AnyDesk software application

However, more component files have been installed along with AnyDesk in the %APPDATA% directory as seen in the figure below.

Figure 5: More files, both malicious and clean, were seen installed within a folder in the %APPDATA% directory.

During runtime, we have observed that N0vaDesktop.exe was used to spawn the legitimate wscript executable to run a file named “try.vbs” which contains the following code.

Figure 6: Contents of try.vbs

It executes a batch file named “test.bat” which then launches lnnloader.exe. Below are the contents of test.bat.

Figure 7: Contents of test.bat

Lnnloader.exe is used for reconnaissance and was seen enumerating the file system and the registry.

Figure 8: Memory dump of lnnloader.exe seen with the infected system’s information.
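
The wscript → cmd → lnnloader.exe chain seen here, and the RegAsm.exe hollowing in the XWorm chain earlier on this page, both leave a signature in process ancestry. The following Python evaluates two ancestry rules over process-creation events; it is an added example, not part of the original post. The event records are constructed in the shape of a Sysmon-style process-creation log with illustrative paths, and both the set of “user-writable directory” markers and the premise that legitimate RegAsm.exe is not started by a parent living in such a directory are assumptions to tune per environment.

```python
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed process-creation events (pid, ppid, image); paths are illustrative only.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\victim\AppData\Roaming\N0vaDesktop.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\victim\AppData\Roaming\lnnloader.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Temp\stage2.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 800, "ppid": 100, "image": r"C:\Program Files\Contoso\Contoso.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image paths of the process's ancestors, nearest parent first. Stops at an unknown
    ppid or a cycle (pids are reused on Windows, so real data needs time bounds too)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"])
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent_images = ancestry(events, e["pid"])
        parents = [basename(p) for p in parent_images]
        # Rule 1: a script host drove cmd.exe, which launched an executable from a user-writable directory.
        if name.endswith(".exe") and is_user_writable(e["image"]) and "cmd.exe" in parents:
            above_cmd = parents[parents.index("cmd.exe") + 1:]
            if SCRIPT_HOSTS & set(above_cmd):
                alerts.append({"pid": e["pid"], "image": e["image"], "rule": "script-host-to-cmd-to-user-dir-exe"})
        # Rule 2: RegAsm.exe started by a parent that itself lives in a user-writable directory.
        if name == "regasm.exe" and parent_images and is_user_writable(parent_images[0]):
            alerts.append({"pid": e["pid"], "image": e["image"], "rule": "regasm-launched-from-user-dir"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 2 says nothing about hollowing itself; it catches the launch that precedes it, which is the observable an EDR already records. Pairing it with a memory-region check on the RegAsm.exe process would confirm the hollowing, but the ancestry alone is enough to open a case.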

It then runs Haloonoroff.exe which was seen constantly connecting to a remote server.

Figure 9: Haloonoroff.exe seen connecting to a remote server

A log file named “Haloonoroff_.log” (or Haloonoroff_20231214.log) was seen being created, which appears to be a process log.

Figure 10: Event log for Haloonoroff.exe

OTGContainer.exe and SearchRun.exe were copies of N0vaDesktop.exe. PSpendZ.exe is a legitimate tool named PSSuspend, while rar.exe is the command line archiving tool. The rest are non-malicious files.

Interestingly, we also found traces of what seemed to be Tencent QQ-related files that were not seen in use during our analysis.

Figure 11: Tencent QQ component files

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Trojanspy.ANY (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and the Capture Client endpoint solutions.

Thanos ransomware encrypts files and installs PowerAdmin for backdoor access

The SonicWall Capture Labs threat research team has recently been tracking a new variant of Thanos ransomware. It is named after the Marvel supervillain and, according to the FBI, was created by Moises Luis Zagala Gonzalez, a Venezuelan-French cardiologist. Thanos is sold as Ransomware as a Service (RaaS) and has been available on the underground marketplace since around February 2020. It contains a suite of functionality that includes network spreading, anti-analysis and additional tool download.

Infection Cycle:

Upon infection, the malware encrypts files and drops the following text file on to the desktop:

Each encrypted file is given a .locked file extension. HOW_TO_DECYPHER_FILES.txt is dropped into all directories containing encrypted files.

The malware is written in C# and is trivial to decompile. We can easily see all of its functions:

The malware contains many components to enable it to spread more effectively and hinder analysis. The anti-analysis component contains a list of programs to kill:

The list is base64 encoded. Decoding it reveals the following program names:

AppFilter http analyzer stand-alone fiddler effetech http sniffer firesheep IEWatch Professional dumpcap wireshark wireshark portable sysinternals tcpview NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter Intercepter-NG ollydbg x64dbg x32dbg dnspy dnspy-x86 de4dot ilspy dotpeek dotpeek64 ida64 procexp procexp64 RDG Packer Detector CFF Explorer PEiD protection_id LordPE pe-sieve MegaDumper UnConfuserEx Universal_Fixer NoFuserEx NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter

The SniffersKiller function is used to kill all programs in the list if they are running:

The Anti_Analysis class contains basic debugger and sandbox detection:

The network component contains a wake-on-LAN function. If the infected machine’s IP address indicates that it is within a LAN, the malware issues a wake-on-LAN signal to bring any sleeping machines back online for potential infection:

Once these machines have woken up, the malware checks if they are online by checking replies to pings:

For each ping response, the malware attempts to log in to each machine. It contains a short basic list of usernames and passwords which it will try:

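The two network checks described above, deciding from the local address whether the host sits on a private LAN and sending wake-on-LAN magic packets, have a defensive mirror: a sensor that recognizes magic packets coming from hosts with no business sending them. The following Python is an added example, not part of the original post; the captured UDP datagrams and the allow-list of management hosts are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 1918 ranges: the usual meaning of "inside a LAN" for an IPv4 address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_wol_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a magic packet: six 0xFF bytes followed by
    the MAC repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str) -> bytes:
    """Standard magic-packet layout; used here only to construct the sample capture."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16


# Assumed: the one host that is allowed to wake machines on this segment.
ALLOWED_WOL_SENDERS = {"192.168.1.10"}

# Constructed capture: (source IP, destination UDP port, payload).
CAPTURE = [
    ("192.168.1.10", 9, build_magic_packet("00:11:22:33:44:55")),   # management host, expected
    ("192.168.1.50", 9, build_magic_packet("00:11:22:33:44:66")),   # ordinary workstation, unexpected
    ("192.168.1.50", 53, b"\x12\x34\x01\x00\x00\x01"),             # not a magic packet
    ("203.0.113.7", 7, build_magic_packet("00:11:22:33:44:77")),    # from outside the LAN
]


def wol_alerts(capture: Iterable[Tuple[str, int, bytes]], allowed=ALLOWED_WOL_SENDERS) -> List[Dict]:
    alerts = []
    for src, port, payload in capture:
        mac = parse_wol_magic_packet(payload)
        if mac is None or src in allowed:
            continue
        alerts.append({"src": src, "port": port, "target_mac": mac, "src_on_lan": is_lan_address(src)})
    return alerts


if __name__ == "__main__":
    for alert in wol_alerts(CAPTURE):
        print(alert)
```

A burst of magic packets from a workstation, followed by ICMP echo requests to the same hosts, is the network-side trace of the spreading routine described in this section; the parser keys on the fixed 6 + 16×6 byte layout rather than on a port, because magic packets are accepted on any UDP port.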
It contains a DownloadTool function to download additional components.

The base64 string in this function decodes to:

https://www.poweradmin.com/paexec/paexec.exe

PowerAdmin is an open source remote system administration tool similar to PAExec. In this case, it is used as a backdoor to remotely control the infected machine.

We reached out to the email address in the ransom note for details on file retrieval but received no response.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Thanos.RSM_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.