
Cloudatlas: an advanced persistent threat spreading in the wild

The Dell SonicWALL Threats Research team observed reports of an advanced persistent threat Trojan, detected as GAV: Cloudatlas.AAC, actively spreading in the wild. Cloud Atlas is highly complex malware that has targeted high-level executives in the oil and financial industries as well as government organizations.

The malware persists as a DLL registered in the computer's registry. It is delivered by a malicious Visual Basic script that victims receive in email attachments as part of documents, or through exploit kits, such as a crafted RTF document that triggers the Microsoft Office stack-based buffer overflow CVE-2010-3333 or the ActiveX control vulnerability CVE-2012-0158.

Once the target system is compromised, the attackers control the malware through free accounts at CloudMe, a Swiss cloud storage provider.

Infection Cycle:

MD5: 19ad782b0c58037b60351780b0f43e43 [crafted RTF file]

MD5: D007616DD3B2D52C30C0EBB0937E21B4 [DLL file]

The Trojan adds the following files to the system:

  • %windir%\ctfmonrn.dll [DLL file]
  • %Userprofile%\Local Settings\Temp\HRTODiK.vbs [Visual Basic script]
  • %Userprofile%\Local Settings\Temp\document.doc [Document file]
  • C:\WINDOWS\miditiming [Encrypted file]

The Trojan adds the following value to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"
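The Run value above is worth a closer look: regsvr32 is an installer tool, so finding it in a Run key at all means something is re-registering a DLL at every logon, and the combination of /n (skip DllRegisterServer) and /i:"i" (call DllInstall with the argument "i") loads the DLL without registering any COM server. The following is an added example, not SonicWALL's code, that parses Run-key values and flags this pattern. The Run values it scans are constructed samples; only the ctfmonrn.dll entry reproduces the value listed above, the rest are made up for comparison.

```python
import ntpath
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# "ctfmon" reproduces the value described in the write-up; the others are
# made-up entries included for comparison.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r'regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"',
    "Updater": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"',
}

# Split a Windows command line into quoted strings and bare tokens.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
REGSVR32_RE = re.compile(r'^"?(?:.*\\)?regsvr32(?:\.exe)?"?$', re.IGNORECASE)

# Directories where a DLL loaded at logon should not normally live.
WINDOWS_ROOTS = {"%windir%", "%systemroot%", "c:\\windows"}


def parse_regsvr32(cmdline):
    """Return the switches and DLL path of a regsvr32 command line,
    or None if the command line does not start with regsvr32."""
    tokens = TOKEN_RE.findall(cmdline.strip())
    if not tokens or not REGSVR32_RE.match(tokens[0]):
        return None
    info = {"silent": False, "no_register": False, "unregister": False,
            "install_arg": None, "dll": None}
    for tok in tokens[1:]:
        low = tok.lower()
        if low == "/s":
            info["silent"] = True
        elif low == "/n":
            info["no_register"] = True
        elif low == "/u":
            info["unregister"] = True
        elif low.startswith("/i"):
            # /i:arg passes arg to DllInstall; a bare /i passes an empty string
            info["install_arg"] = tok[3:].strip('"') if low.startswith("/i:") else ""
        else:
            info["dll"] = tok.strip('"')
    return info


def assess_run_value(cmdline):
    """Return the reasons a Run-key value is suspicious (empty list if none)."""
    info = parse_regsvr32(cmdline)
    if info is None:
        return []
    reasons = ["regsvr32 in a Run key re-registers a DLL at every logon; "
               "installers register once"]
    if info["no_register"] and info["install_arg"] is not None:
        reasons.append("/n with /i: loads the DLL through DllInstall only, "
                       "so nothing is actually registered")
    if info["silent"]:
        reasons.append("/s hides any error dialog from the user")
    parent = ntpath.dirname(info["dll"] or "").lower().rstrip("\\")
    if parent in WINDOWS_ROOTS:
        reasons.append("DLL sits directly in the Windows directory, not System32")
    return reasons


def scan_run_values(values):
    """Map value name -> reasons for every suspicious Run entry."""
    findings = {}
    for name, cmdline in values.items():
        reasons = assess_run_value(cmdline)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the dictionary would be replaced by the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent); the parser is deliberately tolerant of quoted paths and of regsvr32 given with or without a directory, since either form is accepted by the shell.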

The crafted RTF exploits the Microsoft Office vulnerability CVE-2012-0158 and carries an embedded Visual Basic script. The exploit does not write a PE backdoor to disk directly; instead it drops and executes the VBScript, which in turn drops the loader and the payload onto the infected system. Each payload is encrypted with a unique key, so it cannot be decrypted without the corresponding loader DLL.

Here is a sample of the crafted RTF file:

When the VBScript runs it drops two files to disk. Here is how the malware operates on the target machine:

The malware executes the encoded VBScript to create an auto-start registry value on the target machine:

  • regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"

The DLL loaded through regsvr32 is responsible for all malware components on the infected system. Here is the VBScript sample:

Also here is the DLL dropper sample:

Malware Traffic

Cloud Atlas communicates with the CloudMe.com server over HTTPS using WebDAV.

CloudMe is a cloud services provider that offers free and paid cloud file storage. The attackers created accounts there and use them only for storing their files.

The free CloudMe accounts registered by the attackers contain files with system information and other collected data. Here are some examples of the URL traffic generated by the malware:

As you can see, the traffic looks like ordinary traffic from system services.
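Because the requests look like routine system traffic, a user-agent match is not a reliable signal; what distinguishes the channel is the WebDAV verbs (PROPFIND polling, PUT uploads) directed at a consumer storage host. The following is an added example, not part of SonicWALL's write-up, that applies that logic to proxy logs. The log lines are constructed for the example, not captured traffic, and the "Microsoft-WebDAV-MiniRedir" user agent is simply a benign-looking value chosen to mirror the point above.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy log (not captured traffic). Fields: timestamp, client IP,
# method, host, path, status, user agent. The cloudme.com lines imitate a
# WebDAV drop-box exchange; the other lines are ordinary browsing.
SAMPLE_PROXY_LOG = """\
2014-12-10T09:01:12Z 10.0.0.21 GET www.example.org /index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
2014-12-10T09:02:40Z 10.0.0.21 PROPFIND webdav.cloudme.com /drop/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:02:41Z 10.0.0.21 PUT webdav.cloudme.com /drop/report.bin 201 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:12:41Z 10.0.0.21 PROPFIND webdav.cloudme.com /drop/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:15:03Z 10.0.0.35 GET www.cloudme.com / 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "PUT", "MOVE", "COPY",
                  "DELETE", "LOCK", "UNLOCK"}
UPLOAD_METHODS = {"PUT", "MKCOL", "MOVE", "COPY"}
# Storage hosts that should not see WebDAV from this network's endpoints.
WATCHED_HOSTS = ("cloudme.com",)


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(), "host": host.lower(),
            "path": path, "status": int(status), "ua": ua}


def host_is_watched(host):
    """True for a watched domain or any of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)


def find_webdav_sessions(log_text):
    """Group WebDAV requests to watched hosts by client IP."""
    sessions = defaultdict(lambda: {"methods": Counter(), "hosts": set(),
                                    "user_agents": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WEBDAV_METHODS or not host_is_watched(rec["host"]):
            continue
        s = sessions[rec["client"]]
        s["methods"][rec["method"]] += 1
        s["hosts"].add(rec["host"])
        s["user_agents"].add(rec["ua"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(sessions)


def flag_drop_box_clients(sessions):
    """Clients that both poll (PROPFIND) and upload to a watched host:
    the pattern of a storage account used as a command channel."""
    flagged = []
    for client, s in sessions.items():
        polls = s["methods"]["PROPFIND"]
        uploads = sum(s["methods"][m] for m in UPLOAD_METHODS)
        if polls and uploads:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    found = find_webdav_sessions(SAMPLE_PROXY_LOG)
    for client in flag_drop_box_clients(found):
        s = found[client]
        print(client, dict(s["methods"]), sorted(s["hosts"]), s["first"], s["last"])
```

The plain GET to www.cloudme.com from the second client is not reported: a user visiting the provider's website is not the behaviour of interest, the PROPFIND/PUT cycle from a single host is.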

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cloudatlas.AAC

Red October cyber-espionage malware uses MS Office exploits (Jan 18, 2013)

The Dell SonicWALL Threats Research team received reports of malware that has targeted international diplomatic service agencies. The malware, named Red October, is part of a large-scale cyber-espionage network that has been in existence since 2007 and is designed to steal sensitive information from infected systems. It exploits CVE-2012-0158 and CVE-2010-3333, known vulnerabilities in unpatched versions of Microsoft Word and Excel (detected as GAV: Exploit.CVE-2012-0158 (Exploit) and GAV: Exploit.CVE-2010-3333 (Exploit)). There have also been reports of the malware using the Java vulnerability CVE-2011-3544 (detected as GAV: Exploit.CVE-2011-3544 (Exploit)). The Trojan is reported to spread via email using infected Word and Excel files.

Infection cycle:

The file containing the exploit may be a legitimate but infected Word or Excel file. In this case it was an Excel file:

After the exploit has run successfully it will cause Excel to display a spreadsheet containing fake corporate data in order to thwart suspicion:

The Trojan adds the following keys to the windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit "%WINDIR%\system32\userinit.exe,%PROGRAMFILES%\Windows NT\svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6948-B838-A1A0-B0132CCF0BA1} @ "D74C3FB1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-7657-A727-BEBF-AF0C33D014BE} @ "C85320AE"
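The Userinit value is a classic persistence point: Winlogon runs every comma-separated program in it at logon, and on a clean system it holds only userinit.exe. The Trojan appends a second program that borrows the name of a Windows binary (svchost.exe) but lives under "Program Files\Windows NT" rather than System32. The following is an added example, not SonicWALL's code, that audits a Userinit value for exactly this: extra entries, and system-binary names outside System32. The clean baseline value is a constructed comparison; only the Red October value is taken from the keys listed above.

```python
import ntpath

# Userinit value written by the Trojan, as listed in the registry keys above.
RED_OCTOBER_USERINIT = r"%WINDIR%\system32\userinit.exe,%PROGRAMFILES%\Windows NT\svchost.exe"
# Constructed baseline: what the value looks like on a clean system.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Forms in which the legitimate userinit.exe entry appears.
EXPECTED_USERINIT = {
    r"%windir%\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
    r"c:\windows\system32\userinit.exe",
}
# Names that belong to Windows binaries and are popular masquerade targets.
SYSTEM_BINARY_NAMES = {"svchost.exe", "userinit.exe", "explorer.exe",
                       "lsass.exe", "winlogon.exe", "csrss.exe"}


def split_userinit(value):
    """Split the comma-separated Userinit value into non-empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_expected_userinit(entry):
    """True if the entry is the legitimate userinit.exe in System32."""
    return entry.strip('"').lower() in EXPECTED_USERINIT


def audit_userinit(value):
    """Return (entry, reason) pairs for anything that should not be in Userinit."""
    findings = []
    entries = split_userinit(value)
    for entry in entries:
        if is_expected_userinit(entry):
            continue
        path = entry.strip('"')
        base = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower().rstrip("\\")
        if base in SYSTEM_BINARY_NAMES and not parent.endswith("\\system32"):
            reason = f"{base} is named like a Windows binary but sits outside System32"
        else:
            reason = "extra program launched by Winlogon at every logon"
        findings.append((entry, reason))
    if not any(is_expected_userinit(e) for e in entries):
        # A replaced userinit.exe means the attacker's program runs instead of it.
        findings.append((value, "legitimate userinit.exe missing from Userinit"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_userinit(RED_OCTOBER_USERINIT):
        print(f"{entry}: {reason}")
```

The same check applies to the HKLM copy of the Winlogon key, which takes precedence over the per-user one shown above; the per-user key is the quieter choice for an attacker because it needs no elevation.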

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%\Windows NT\lhafd.gcp
  • %PROGRAMFILES%\Windows NT\svchost.exe [Detected as GAV: Rocra.A (Trojan)]
  • %TEMP%\msc.bat
  • %TEMP%\Dsc.tmp [Detected as GAV: Kolab.ABVR (Worm)]

msc.bat contains the following post-infection clean up code:

      chcp 1251
      :Repeat
      attrib -a -s -h -r "%TEMP%\Dcs.tmp"
      del "%TEMP%\Dcs.tmp"
      if exist "%TEMP%\Dcs.tmp" goto Repeat
      del "%TEMP%\msc.bat"

The chcp command suggests that the malware is Russian in origin: 1251 is the Windows ANSI code page for Cyrillic. The loop retries the deletion until the dropped file is gone and then deletes the batch file itself, so neither survives on disk.

The Trojan was observed querying microsoft.com to verify internet connectivity:

The Trojan was observed using the CreateEvent API to create named event objects, which its components use for synchronization:

The Trojan steals information from the following web browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera

We observed the Trojan reading data from files written by Firefox that we had installed on the system:

It is widely reported that the Trojan contains the ability to update and add modules from a remote Command & Control server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2012-0158 (Exploit)
  • GAV: Exploit.CVE-2010-3333 (Exploit)
  • GAV: Exploit.CVE-2011-3544 (Exploit)
  • GAV: Kolab.ABVR (Worm)
  • GAV: Rocra.A (Trojan)

Microsoft Security Bulletins Coverage (Nov 09, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-087 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

  • CVE-2010-3333 – RTF Stack Buffer Overflow Vulnerability
    IPS 5950 Word RTF File Parsing Stack BO
  • CVE-2010-3334 – Office Art Drawing Records Vulnerability
    IPS 5955 Office Art Drawing Records Vulnerability
  • CVE-2010-3335 – Drawing Exception Handling Vulnerability
    IPS 5956 Malicious Excel Document 7b
  • CVE-2010-3336 – MSO Large SPID Read AV Vulnerability
    IPS 5957 Malicious Word Document 5b
    IPS 5958 Malicious Excel Document 8b
  • CVE-2010-3337 – Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS10-088 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

  • CVE-2010-2572 – PowerPoint Parsing Buffer Overflow Vulnerability
    IPS 5954 Malicious PowerPoint Document 1b
  • CVE-2010-2573 – PowerPoint Integer Underflow Causes Heap Corruption Vulnerability
    IPS 5945 Malicious PowerPoint Document 1b

MS10-089 Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

  • CVE-2010-2732 – UAG Redirection Spoofing Vulnerability
    Note: There is no way to differentiate malformed and legitimate traffic.
  • CVE-2010-2733 – UAG XSS Allows EOP Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2734 – XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3936 – XSS in Signurl.asp Vulnerability
    Note: There are no known public exploits targeting this vulnerability.