
SSH ProxyCommand Command Injection

Overview

SonicWall Capture Labs threat research team became aware of a command injection threat within OpenSSH versions before 9.6, assessed its impact, and developed mitigation measures for the vulnerability. OpenSSH is a widely used connectivity tool for encrypted, remote login, both standalone and embedded in enterprise and consumer applications.
CVE-2023-51385 allows an attacker to inject commands into the command line if the client utilizes the ProxyCommand parameter within their configuration file for the connecting server. There is no known active exploitation at the time of writing, likely due to the requirements around exploitation. While exploitation requirements reduce the risk of exploitation, several well-known applications and services utilize this feature in advanced configurations, such as Okta, CloudFlare, and AWS; they should, therefore, be reviewed for potential risk. This vulnerability can be mitigated by upgrading OpenSSH to version 9.6p1 or greater and removing any usage of the ProxyCommand feature within your environment.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-51385.

CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • The impact of this vulnerability on data confidentiality is high.
  • The impact of this vulnerability on data integrity is high.
  • The impact of this vulnerability on data availability is high.

Technical Overview

Advanced usage of OpenSSH includes the ability to provide a configuration file that performs actions when initiating an SSH connection. One of those actions is ProxyCommand, which lets the user specify a command to execute in the context of the user’s current shell during the connection process. The keyword includes “proxy” because its intended use is to proxy a connection through another server. Within the command string, ‘%h’ is substituted with the hostname and ‘%p’ with the port number. These values are supplied by the user and are not sanitized before being placed on the command line. As a result, an attacker who can replace the hostname and/or port number can achieve command injection.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must convince a user to connect to a malicious URL using a vulnerable version of SSH in a scenario where the end user uses ProxyCommand within their configuration file for the connecting server. Because the end user needs a specific configuration, the likelihood of exploitation is reduced. However, several well-known applications and services utilize this feature in advanced configurations, such as Okta, CloudFlare, and AWS. Where this advanced configuration has been deployed, exploitation is more likely.

Exploitation

Assuming the previously mentioned conditions are met, exploitation can occur any time SSH is leveraged, including standard connections such as SSH and SCP. The discovering researcher, vin01, released a proof of concept that uses a git clone of a GitHub repository over SSH to open the macOS calculator. The same can be done on Linux or Windows operating systems with slight modifications. To execute the proof of concept, a single git clone command is used. Exploitation occurs when the user’s SSH configuration file uses the ProxyCommand parameter for any “.example.com” domain, as seen in Figure 1.


Figure 1 – Local SSH config file

When git recursively attempts to get the submodules from the repository, shown in Figure 2, the vulnerability is triggered and exploited.


Figure 2 – Repository submodules

The video in Figure 3 demonstrates leveraging this proof of concept on a Linux workstation to launch the calculator application.

Figure 3 – Linux workstation exploitation
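As an added example (not code from the SonicWall post or from OpenSSH), the following Python script performs the two defender-side checks the Technical Overview and Exploitation sections imply: it finds ssh client config blocks whose ProxyCommand expands %h/%p (and %n, which also carries the user-supplied name) into a shell command line, and it flags .gitmodules submodule URLs whose host part contains shell metacharacters, the shape of the proof of concept. The hostname blocklist only approximates the check OpenSSH 9.6 introduced and is an assumption; all inputs are constructed samples.

```python
"""Defender-side checks for the ProxyCommand weakness (added example)."""
import re
from typing import List, Tuple

# Characters a hostname never legitimately contains but a shell interprets.
# Assumption: this approximates the metacharacter check OpenSSH 9.6 added;
# it is not a copy of the upstream list.
SHELL_META = set("'`\"$\\;&<>|(){}")
# ProxyCommand tokens expanded from connection parameters that a crafted
# submodule URL (or any attacker-chosen destination) can influence.
USER_CONTROLLED_TOKENS = ("%h", "%n", "%p")


def hostname_is_safe(host: str) -> bool:
    """True if the hostname cannot alter a ProxyCommand command line."""
    if not host or host.startswith("-"):
        return False
    return all(c not in SHELL_META and not c.isspace() and ord(c) >= 0x20
               for c in host)


def audit_ssh_config(text: str) -> List[Tuple[str, str]]:
    """Return (Host/Match pattern, ProxyCommand) pairs that expand %h, %n or %p."""
    findings: List[Tuple[str, str]] = []
    block = "*"  # options before the first Host/Match line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # approximation: '#' starts a comment
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            block = value
        elif key == "proxycommand" and any(t in value for t in USER_CONTROLLED_TOKENS):
            findings.append((block, value))
    return findings


def url_host(url: str) -> str:
    """Host part of an ssh:// URL or of an scp-like user@host:path spec."""
    if "://" in url:
        netloc = re.split(r"[/?#]", url.split("://", 1)[1], maxsplit=1)[0]
        host = netloc.rsplit("@", 1)[-1]
        if ":" in host and not host.startswith("["):
            host = host.rsplit(":", 1)[0]       # drop :port
        return host
    netloc = url.split(":", 1)[0]               # scp-like: user@host:path
    return netloc.rsplit("@", 1)[-1]


def suspicious_submodule_urls(gitmodules: str) -> List[Tuple[str, str]]:
    """Return (submodule name, url) pairs whose host fails hostname_is_safe."""
    findings: List[Tuple[str, str]] = []
    name = "?"
    for raw in gitmodules.splitlines():
        line = raw.strip()
        sec = re.match(r'\[submodule\s+"([^"]+)"\]', line)
        if sec:
            name = sec.group(1)
            continue
        m = re.match(r"url\s*=\s*(\S+)", line)
        if m and not hostname_is_safe(url_host(m.group(1))):
            findings.append((name, m.group(1)))
    return findings


# Constructed sample inputs (not taken from the post).
SAMPLE_SSH_CONFIG = """\
# constructed ~/.ssh/config
Host *.example.com
    ProxyCommand ssh -W %h:%p jump.example.com
Host bastion
    ProxyCommand=nc -X 5 -x 127.0.0.1:1080 %h %p
Host plain
    User alice
"""

SAMPLE_GITMODULES = """\
[submodule "good"]
    path = good
    url = ssh://git@safe.example.com/org/good.git
[submodule "odd"]
    path = odd
    url = ssh://git@semi;colon.example.com/org/odd.git
[submodule "scp"]
    path = scp
    url = git@plain.example.com:org/scp.git
"""

if __name__ == "__main__":
    for block, cmd in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print(f"Host {block}: ProxyCommand expands peer-controlled tokens: {cmd}")
    for name, url in suspicious_submodule_urls(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: host carries shell metacharacters: {url}")
```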

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • SPY:520 "Malformed-gitmodules gitmodules.OT_1"

Remediation Recommendations

OpenSSH has released an update to address the issue, and it is strongly recommended that the application be updated to version 9.6p1 or newer as appropriate. Additionally, it is recommended to review any client SSH configuration files and ensure the ProxyCommand parameter is only utilized when necessary.

GuLoader upgrades its Vectored Exception Handler

Overview

For the last three years, GuLoader has gained popularity among threat actors due to its sophisticated, robust, and powerful defense techniques against security software. The SonicWall Capture Labs Threat Research team has observed GuLoader malware being distributed to victims’ machines by an obfuscated VBScript inside an archive sent as an email attachment. The malware continuously updates its code to stay undetected and effective against security software. While the malware has rich anti-VM, anti-debug, anti-analysis, and anti-dump techniques, one of its best anti-analysis features is the updating of its Vectored Exception Handler code. The malware deliberately executes instructions that throw an exception, and the Vectored Exception Handler code is used to compute the next executable instruction address. The malware is fileless and truly shellcode-based: it does not include a PE header, not even in memory. It is used to deliver various malware families including AgentTesla, Remcos, Lokibot and NanoCore.

Infection Cycle

The effectiveness of the malware can be judged from the fact that it has not changed its infection cycle for a year and is still undetected by various security software. The initial VBScript file is obfuscated and contains large comments which construct and launch a PowerShell script.

Figure 1 – Obfuscated VBScript

PowerShell script

The PowerShell script is difficult to follow, as it computes variables dynamically at runtime. The malware uses one function to decrypt the cmdlets, variables and strings and another function to execute the cmdlets.

Figure 2 – Obfuscated first level PowerShell script.

The PowerShell script needs to be decrypted and simplified to make it legible. If the running PowerShell process is a 64-bit process, the malware relaunches the script under the 32-bit PowerShell executable so that it can inject and execute 32-bit shellcode in later stages. The script downloads a Base64-encoded file from the URL “h[t][t]p://85.209.176.46/Schoolm.ocx” into “%APPDATA%\Dumpste.Mue”. The first 648 bytes of the downloaded file are the shellcode bytes, followed by the encrypted GuLoader bytes and ending with a PowerShell script which continues the execution.

Figure 3 – Simplified first level PowerShell script.

The downloaded script is again obfuscated and uses a function from the downloader script to decrypt and execute cmdlets, which makes the standalone script unusable and unreadable on its own. The script again uses dynamic variable computation and needs to be decrypted and simplified to make it legible.


Figure 4 – Obfuscated second level PowerShell script.

The PowerShell script hides the PowerShell window using the ShowWindow API so that it goes unnoticed by the user. The PowerShell script allocates 648 bytes with PAGE_EXECUTE_READWRITE access using the NtProtectVirtualMemory API and writes the shellcode bytes from the downloaded file. The script allocates 0x3D84000 bytes with PAGE_READWRITE access and writes the encrypted GuLoader bytes. The script executes the shellcode bytes using the CallWindowProcA API, passing the address of the encrypted bytes and the address of NtProtectVirtualMemory as arguments.


Figure 5 – Simplified second level PowerShell script

GuLoader

GuLoader is a very well-known advanced malware which is widely adopted by threat actors to deliver various payloads. We have already covered technical details of the malware in our previous blog.
In the recent variant, the malware has upgraded its Vectored Exception Handler (VEH) code. Initially GuLoader’s VEH only supported the EXCEPTION_BREAKPOINT exception, and later variants added support for the EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP exceptions. In the recent variant, we have observed that the malware added support for the EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION exceptions to prevent threat researchers from neutralizing the VEH with script-based automation. To bypass the VEH, threat researchers now need to identify all illegal and privileged instructions.

Figure 6 – Code checks exception type

The malware deliberately generates an exception supported by the VEH and computes the next valid EIP address in the VEH code to continue the malicious execution. The malware also checks for hardware breakpoints by inspecting the debug registers while executing the VEH code. If any hardware breakpoint is found, the malware zeros out one of the structure’s addresses, which causes an EXCEPTION_ACCESS_VIOLATION exception inside the VEH code.

Figure 7 – Code inspects hardware debug registers.

The malware next computes the new EIP: it reads the value at offset 0x14 from the current EIP, XORs it with 0x04 and adds the result to the current EIP.

Figure 8 – Code computes next EIP address

The malware generates supported exceptions throughout the code and handles them inside the VEH code.
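As an added example (not SonicWall’s or the malware’s code), the following Python helper applies the EIP rule just described to a shellcode buffer: it scans for instructions that raise the exception types the VEH handles and computes where the handler would send execution, which is the map an analyst needs to identify and patch out the exception-raising instructions. Assumptions: “current EIP” is the faulting instruction’s address, the value at offset 0x14 is a single byte, and the opcode table is a generic x86 choice rather than the sample’s own; the buffer is constructed.

```python
"""VEH jump-target resolver for the EIP rule described above (added example)."""
from typing import Dict, List, Tuple

# (exception code, opcode bytes, mnemonic). Generic x86 choices, not the
# sample's own; access violations depend on memory state and cannot be
# located by byte scanning.
EXCEPTION_OPCODES: List[Tuple[int, bytes, str]] = [
    (0x80000003, b"\xcc",     "int3  (EXCEPTION_BREAKPOINT)"),
    (0x80000004, b"\xf1",     "icebp (EXCEPTION_SINGLE_STEP)"),
    (0xC000001D, b"\x0f\x0b", "ud2   (EXCEPTION_ILLEGAL_INSTRUCTION)"),
    (0xC0000096, b"\xf4",     "hlt   (EXCEPTION_PRIV_INSTRUCTION)"),
    (0xC0000096, b"\xfa",     "cli   (EXCEPTION_PRIV_INSTRUCTION)"),
]
KEY_OFFSET = 0x14   # the post: value taken from 0x14 bytes past the current EIP
XOR_KEY = 0x04      # the post: XORed with 0x04 before being added to EIP


def next_eip(code: bytes, base: int, eip: int) -> int:
    """Handler rule: new EIP = EIP + (code[EIP + 0x14] ^ 0x04).

    Assumption: the value read is one byte and EIP is the faulting address.
    """
    idx = eip - base + KEY_OFFSET
    if not 0 <= idx < len(code):
        raise ValueError(f"key byte for EIP {eip:#x} lies outside the buffer")
    return eip + (code[idx] ^ XOR_KEY)


def resolve_targets(code: bytes, base: int) -> List[Dict[str, object]]:
    """Scan for exception-raising opcodes and compute each handler target.

    Linear byte scanning has false positives (a 0xCC inside an immediate,
    for example); treat the output as candidates to confirm in a disassembler.
    """
    results: List[Dict[str, object]] = []
    for exc_code, opcode, mnemonic in EXCEPTION_OPCODES:
        start = 0
        while (pos := code.find(opcode, start)) != -1:
            eip = base + pos
            try:
                target = next_eip(code, base, eip)
            except ValueError:
                target = None          # key byte past the end of the buffer
            results.append({"eip": eip, "exception": exc_code,
                            "mnemonic": mnemonic, "target": target})
            start = pos + 1
    results.sort(key=lambda r: r["eip"])
    return results


def build_sample() -> bytes:
    """Constructed 64-byte buffer: int3 -> ud2 -> hlt chain, nops elsewhere."""
    buf = bytearray(b"\x90" * 0x40)
    buf[0x00] = 0xCC                       # int3 at +0x00
    buf[0x00 + KEY_OFFSET] = 0x0C ^ XOR_KEY   # handler sends EIP to +0x0C
    buf[0x0C:0x0E] = b"\x0f\x0b"           # ud2 at +0x0C
    buf[0x0C + KEY_OFFSET] = 0x0E ^ XOR_KEY   # +0x0C + 0x0E = +0x1A
    buf[0x1A] = 0xF4                       # hlt at +0x1A
    buf[0x1A + KEY_OFFSET] = 0x02 ^ XOR_KEY   # +0x1A + 0x02 = +0x1C
    return bytes(buf)


SAMPLE_BASE = 0x00400000   # constructed load address

if __name__ == "__main__":
    for r in resolve_targets(build_sample(), SAMPLE_BASE):
        tgt = "n/a" if r["target"] is None else f"{r['target']:#010x}"
        print(f"{r['eip']:#010x}  {r['mnemonic']:<40} -> {tgt}")
```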

EXCEPTION_ACCESS_VIOLATION (0xC0000005)

In the case of an EXCEPTION_ACCESS_VIOLATION exception, the malware examines the address for which the exception was thrown, and if it is less than 0x10000, the malware terminates execution.

Figure 9 – Code generates access violation exception.


Figure 10 – Code handles access violation exception

EXCEPTION_BREAKPOINT (0x80000003)

Figure 11 – Code generates breakpoint exception

EXCEPTION_SINGLE_STEP (0x80000004)

Figure 12 – Code generates single step exception.

EXCEPTION_PRIV_INSTRUCTION (0xC0000096)

Figure 13 – Code generates privileged instruction exception.

EXCEPTION_ILLEGAL_INSTRUCTION (0xC000001D)

Figure 14 – Code generates illegal instruction exception.

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, which indicates its spreading potential.

Figure 15 – VirusTotal detections.

Evidence of the detection by the RTDMI engine can be seen below in the Capture ATP report for this file.

Figure 16 – RTDMI detection.

Apache Struts Unauthorized Arbitrary File Upload

Overview

The SonicWall Capture Labs threat research team became aware of an unauthorized arbitrary file upload vulnerability in Apache Struts, assessed its impact and developed mitigation measures for the vulnerability. Apache Struts, an open-source MVC framework for developing modern Java-based web applications, has released versions 2.5.33 and 6.3.0.2 addressing this issue, which affects the following versions of Struts: Struts 2.0.0 – Struts 2.3.37 (EOL), Struts 2.5.0 – Struts 2.5.32, and Struts 6.0.0 – Struts 6.3.0. Since Apache Struts has historically been an attractive target for threat actors due to its widespread usage, this vulnerability has already started being exploited in the wild. This was easy to anticipate considering its ease of exploitation and the existence of a public PoC. Due to active exploitation, we strongly recommend upgrading to the latest version of Struts.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-50164.
The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability allows threat actors to upload an arbitrary file into the webroot of the Tomcat web server through a POST request. The flaw allows the attacker not only to tamper with the file upload parameters but also to append an additional parameter, which lets the threat actor upload a file to any location. The implemented sanitization is inadequate to prevent parameter pollution: changing the case of parameters to lowercase can override the file name variable uploadFileName, allowing path traversal and leading to compromise of the system.
To remediate the issue, Apache Struts has released a patch as commits 162e29f and d8c6969 for versions 2.5.x and 6.3.x respectively. A closer look at the patch confirms the improvements in the functions get, contains and remove, which are made case insensitive so that manipulated parameters differing only in case are no longer treated as distinct, as seen in Figure 1 for the function get.

Figure 1: Improved case-insensitive get function

Additionally, the function appendAll is improved to append all the parameters in a case-insensitive way to deny the overriding attempt of existing parameters as seen in Figure 2.

Figure 2: Improved appendAll function

Triggering the Vulnerability

This vulnerability can be triggered using a specially crafted POST request which contains a parameter with name="Upload" (or uPLoad or uploaD) instead of the default value upload, plus the additional uploadFileName parameter that overrides the path where the file will be saved as well as the name of the file, as seen in Figure 3.

Figure 3: Malicious exploitation request
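As an added example (not SonicWall’s signature or Struts code), the following Python detection logic parses a multipart/form-data body and flags the two traits of the request just described: a field whose name differs from the expected “upload” only in letter case, and an extra *FileName field whose value would escape the upload directory. The body is a constructed sample with placeholder file names.

```python
"""Detection of case-variant upload parameters in multipart bodies (added example)."""
import re
from typing import Dict, List, Set, Tuple

Part = Tuple[str, str, bytes]   # (field name, filename or "", payload)


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data splitter, enough for inspection (not for uploads)."""
    parts: List[Part] = []
    delim = b"--" + boundary.encode("ascii")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        chunk = chunk.strip(b"\r\n")
        head, _, payload = chunk.partition(b"\r\n\r\n")
        disposition = ""
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disposition = value
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', disposition))
        parts.append((attrs.get("name", ""), attrs.get("filename", ""), payload))
    return parts


def upload_findings(parts: List[Part], expected_field: str = "upload") -> List[str]:
    """Return findings for the parameter-pollution pattern described in the post."""
    findings: List[str] = []
    variants: Dict[str, Set[str]] = {}
    for name, _, _ in parts:
        variants.setdefault(name.lower(), set()).add(name)
    for low, names in variants.items():
        # Two spellings of one name, or the expected field sent in a different case:
        # exactly what a case-sensitive parameter map fails to collapse.
        if len(names) > 1 or (low == expected_field and expected_field not in names):
            findings.append(f"case-variant parameter name(s) for '{low}': {sorted(names)}")
    for name, _, payload in parts:
        if name.lower().endswith("filename"):   # e.g. uploadFileName override
            value = payload.decode("latin-1", "replace").strip()
            if re.search(r"(^|[\\/])\.\.([\\/]|$)", value) or value.startswith(("/", "\\")):
                findings.append(f"path traversal in '{name}': {value!r}")
    return findings


# Constructed sample request body; names and contents are placeholders.
BOUNDARY = "constructedBoundary42"
SAMPLE_BODY = (
    b"--constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="Upload"; filename="note.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"constructed file content\r\n"
    b"--constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="uploadFileName"\r\n'
    b"\r\n"
    b"../../placeholder_override.txt\r\n"
    b"--constructedBoundary42--\r\n"
)

if __name__ == "__main__":
    for finding in upload_findings(parse_multipart(SAMPLE_BODY, BOUNDARY)):
        print("ALERT:", finding)
```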

Exploitation

We used the publicly available PoC to analyze and understand the vulnerability and to set up a lab environment. Remote code execution on the vulnerable system is demonstrated by leveraging this vulnerability. The following video illustrates the upload of a web shell and the execution of a system command by sending the request seen in Figure 3 above.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4194 Web Application Suspicious form-data 2

Additionally, a generic detection signature mentioned below is utilized to strengthen the protection.

  • IPS:2764 Web Application Suspicious form-data 1

Threat Graph

SonicWall sensors have confirmed a spike in exploitation attempts of this vulnerability and a surge in exploitation attempts is expected in upcoming days considering the popularity of the software.

Figure 4: SonicWall signature hits data

Remediation Recommendations

Apache Struts has released an update to address the issue, and it is strongly recommended to update the application to the version 2.5.33 or 6.3.0.2 or newer as appropriate.

Malicious Android Spyware Employing RAT and Capturing Device Info and User Credentials

Overview

The SonicWall Capture Labs threat research team has been actively tracking malware campaigns deploying a formidable Android Remote Access Trojan (RAT). We encountered a variant of that malware equipped with extensive features such as keylogging, theft of sensitive device information and the ability to bypass Google Authenticator, even loading web pages within the application. These functionalities provide attackers with the means to achieve unauthorized access to the victim’s device.

Infection Cycle

This malware utilizes a tactic called icon masquerading, wherein it camouflages itself by adopting the appearance of icons from well-known and legitimate applications.

Figure 1: Malware utilizing well-known application icons

After installation, the malware prompts the victim to activate the Accessibility Service on the targeted device. If the victim grants permission, the malware exploits the Accessibility Service to carry out malicious activities covertly, without the user’s awareness.

Figure 2: Prompt users to activate the accessibility service

Here, the malware asks the user to grant it device administrator permissions.

Figure 3: Device admin code snippet

Accessibility Services make it hard for users to remove the app or install other apps. The malware can tap ‘Install’ on its own without needing any input from the user.

Figure 4: Ease of installing other applications granted by Accessibility Services

We initiated the activity responsible for presenting Google Translator and Google News on WebView. Upon launching, the application opens, showcasing the Google account web pages. We noticed the webpage appearing within the malicious application.

Figure 5: Displaying webpage within the malicious application

The spyware sends the gathered sensitive information to a control server when directed by the attacker through the Accessibility Service. The host and port number are obscured using Base64 encoding.

Figure 6: Network connection

The compromised device establishes a connection with the Command and Control (C&C) server and receives various commands to execute operations, as shown in the image below.

Figure 7: C&C server

Google Authenticator provides two-factor authentication (2FA), enhancing account security by adding a second verification step during sign-in. This malicious software bypasses that extra security measure by using Accessibility Services to read the 2FA codes.

Figure 8: Stealing Google authenticator code

It sends messages to the server based on the received commands.

Figure 9: Sends SMS

The code displayed in the image is designed to capture screenshots from the compromised device and subsequently transmit the collected screenshots to the Command and Control (C&C) server.

Figure 10: Forwarding all screenshots to the C&C server

This malware transmits information about the victim’s current location to its remote Command and Control (C&C) server.

Figure 11: Retrieving location info

This code extracts information about all the installed package names.

Figure 12: Reading installed packages.

The code handles a log file on the device’s external storage. It changes certain parts of the log file name and provides all content from the log file.

Figure 13: Log file created for activity monitoring

It establishes a database within web data to store sensitive personal information and credit card details of the targeted individual.

Figure 14: Storing information within a database

This spyware can steal social app credentials by checking if either the "com.facebook.katana" or "com.facebook.lite" app is installed on the device. If found, it uses an overlay attack to display a fake login page, tricking users and stealing their credentials.

Figure 15: Stealing social app credentials

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP with RTDMI.

IOCs

  • 62f027c0a8f856ef30ceba8432cd80a9462e03cf7809ea91fcbac60427f6a1bd
  • 06629bab34a4218262339659590656408c22f33411201d73977fc69700a4e68a

Windows Software Licensing Management Tool is Abused to Deliver XWorm3.1

Overview

The SonicWall Capture Labs threat research team has observed and detected a VBScript file which delivers XWorm3.1 to the victim’s machine. The trend of malware authors hiding behind a genuine tool is continuing, and this time they have abused the Windows Software Licensing Management Tool (“slmgr.vbs”). The cracked versions of XWorm are available on GitHub and are widely used by the malware authors. The VBScript file inside the archive is delivered to the victim’s machine as an email attachment.

The initial VBScript contains a URL (“h[t][t]ps://paste.ee/d/p5W9H”) to download the second-level VBScript file, which pretends to be “slmgr.vbs”. The content at that URL is malicious obfuscated code that has been injected into “slmgr.vbs” and is responsible for launching a PowerShell script that continues the malicious execution.

Figure 1: Initial VBScript

Figure 2: Malicious code injected slmgr.vbs

The injected VBScript code has large variable names which are concatenated to create two layers of encoded string. The first layer of encoding is decoded by the VBScript and passed to a PowerShell script to decrypt the second layer of encoding. The PowerShell script decodes the second layer of encoding by replacing “DgTre” with “A” to get a Base64 encoded final PowerShell script.

Figure 3: Displays injected malicious code.

Figure 4: PowerShell execution

PowerShell Script

The PowerShell script downloads an image file from the URL “h[t][t]ps://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175” which contains a Base64-encoded payload that starts at the tag “<< BASE64_START>>” and ends at the tag “<< BASE64_END>>”. The encoded payload is decoded to get the first-level loader executable. The PowerShell script executes the first-level loader and passes the XWorm malware URL “h[t][t]ps://firebasestorage.googleapis.com/v0/b/testing-edacd.appspot.com/o/order.txt?alt=media&token=4a130ca4-3664-4c4a-9260-44749ba2e5e3” as an argument:

Figure 5: PowerShell script

First Level Loader

The loader makes the persistent entry for the malicious VBScript using the registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”. The malware downloads an image file from the URL “h[t][t]ps://uploaddeimagens.com.br/images/004/682/782/original/Rump_vbs.jpg?1701793262” and retrieves a second-level loader executable from the appended bytes. The malware now downloads the XWorm payload from the URL provided by the PowerShell script and calls the second-level loader by providing the path of RegAsm.exe and XWorm bytes.

Figure 6: First level loader

Second Level Loader

The loader starts the process RegAsm.exe and does process hollowing to execute the XWorm malware in the context of RegAsm.exe:

Figure 7: Second level loader

Figure 8: APIs needed for process hollowing

XWorm 3.1

Old, cracked versions of XWorm are available on GitHub and are being used widely by malware authors. The main function is to decrypt and assign the configuration information which contains C&C host, port number, key, XWorm data separator and the spreading name of the executable. The malware is a multithread process that starts one thread to do the keylogging activity and another thread to communicate with the C&C server:

Figure 9: XWorm Main

C&C Communication

The malware sends system information to the C&C server which includes the victim’s ID, username, OS information, XWorm variant name, current date, spreading capacity, execution privilege, recording capability and installed antivirus. The victim’s ID is an MD5 hash from the combination of processor count, username, machine name, OS version and size of the system drive.

Figure 10: Victim’s information sent to the C&C server

The malware supports the below commands from the C&C server:
  • rec (Restart)
  • CLOSE (Terminate)
  • uninstall (Terminate and delete)
  • update
  • DW (Execute from disk)
  • FM (Execute from memory)
  • LN (Download and execute from an URL)
  • Urlopen
  • Urlhide
  • PCShutdown
  • PCRestart
  • PCLogoff
  • StartDDos
  • StopDDos
  • StartReport
  • StopReport
  • Xchat
  • DDos
  • ngrok
  • plugin
  • savePlugin
  • OfflineGet
  • $Cap
  • MessageBox

The malware sends the title of the currently active window to the C&C server, which may help the operators detect a debugging or controlled environment.

Figure 11: Sending active Window’s name

You can find old references of the malware detected by SonicWall RTDMI ™ engine here:

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, which indicates its spreading potential:

Figure 12: VirusTotal

Figure 13: VirusTotal 2

Evidence of the detection by the RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Figure 14: Capture ATP Report

Deceptive PDF Disguised as RingCentral Leads to Phishing Attacks

Overview

The SonicWall Capture Labs threat research team has observed PDF files masquerading as RingCentral, a communication and collaboration platform. This is achieved by embedding malicious URLs intended to carry out social engineering attacks for credential theft.

Infection Cycle

The PDF document bears the message, "You have a new voice message." alongside the RingCentral logo. It prompts the user to take action with the instruction, "Click here to listen." However, upon clicking the provided link, the user is redirected to a URL on a privileged Adobe host. Malware authors abuse sites (or hosts) that are regarded as privileged locations hosting trusted content (in this case, an Adobe URL).

Figure 1: PDF document

Upon accessing the Adobe URL, the user is initially presented with a progress bar, cleverly designed to simulate the loading process of a voice message.

Figure 2: Fake voice message loading

Subsequently, a webpage unfolds, adorned with the RingCentral logo and featuring a conspicuous button labelled, "Listen to Voice Message." This orchestrated sequence is deliberately crafted to mislead individuals, creating a false sense of legitimacy by leveraging familiar branding elements. The user, encountering the seemingly authentic environment, may be enticed to click on the provided button, unknowingly falling victim to the deceptive tactics employed by the malicious actors. It underscores the sophistication of the social engineering technique, as it exploits trust in recognizable visuals to enhance the effectiveness of the fraudulent scheme.

Figure 3: Fake RingCentral on Adobe domain

Following the user’s click on the provided link in the PDF file, a redirection occurs, leading them to another malicious URL. At this destination, the user is presented with a phishing page cleverly designed to imitate the Microsoft sign-in interface. The deceptive page is crafted to closely resemble the legitimate Microsoft sign-in page, tricking users into believing they are interacting with an authentic platform.

Figure 4: Microsoft phishing page

On this fraudulent Microsoft sign-in page, unsuspecting users may be prompted to enter their login credentials — such as usernames and passwords — under the false pretense of accessing the supposed voice message or related content. However, the entered information is captured by malicious actors for unauthorized access and potential misuse.
The absence of this malicious file (at the time of writing this blog) from popular malware search portals such as VirusTotal and ReversingLabs indicates its spreading potential:

Figure 5: Virus Total

This multi-stage attack involves the initial lure of a fake voice message in the PDF, the redirection to a malicious URL, and the presentation of a deceptive Microsoft sign-in page. It highlights the need for users to exercise caution and verify the authenticity of online interactions, especially when prompted to provide sensitive information, to prevent falling victim to phishing attempts and safeguard personal security.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: MalAgent.A_1994

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOCs

  • 85a38010b20ce02fd0387b1e36e0ab68a2d87d39d754434e6929dca67e9bc962

Relevant Links

  • hxxps://new[.]express[.]adobe[.]com/webpage/jWVSJkpCewb2X
  • hxxps://zqpfl[.]ipisecti[.]ru/97c9zhbt/

Fake AnyDesk Drops a Myriad of Malicious Tools

Overview

This week, the SonicWall Capture Labs threat research team analyzed a fake copy of AnyDesk. AnyDesk is a legitimate remote desktop application commonly used by tech support agents to troubleshoot computer problems remotely and provide remote assistance. Cybercriminals are known to use such tools by silently installing the application and then using it to remotely control a victim’s machine. However, in this scenario, an unsuspecting user is tricked into installing what seems to be a legitimate copy of AnyDesk. In reality, the download comes with an assortment of malicious software.

Infection Cycle

The malware is hosted on a website with a domain name “Anydesk.cyou” that closely resembles the real AnyDesk website.

Figure 1: Fake AnyDesk website hosting a fake AnyDesk application

The website downloads a file named “Anydsk.exe” which uses the legitimate AnyDesk icon.

Figure 2: Fake application named Anydsk.exe next to a copy of the legitimate AnyDesk.exe using very similar icons

Upon execution, it opens up an installation window that guides you through the installation process.

Figure 3: Fake AnyDesk installation window

This process does in fact install a legitimate copy of the software application in question; however, it also installs other components.

The components of the legitimate AnyDesk software are installed in the following locations:

  • %AppData%\Roaming\CAS_BYBAnyDesk\AnyDesk.exe
  • %AppData%\Roaming\AnyDesk\ad.trace
  • %AppData%\Roaming\AnyDesk\service.conf
  • %AppData%\Roaming\AnyDesk\system.conf
  • %AppData%\Roaming\AnyDesk\user.conf

Upon completed installation, it adds a shortcut link to the user’s desktop which runs a legitimate copy of AnyDesk.

Figure 4: Running a legitimate copy of the AnyDesk software application

However, more component files have been installed along with AnyDesk in the %APPDATA% directory as seen in the figure below.

Figure 5: More files, both malicious and clean, were seen installed within a folder in the %APPDATA% directory.

During runtime, we have observed that N0vaDesktop.exe was used to spawn the legitimate wscript executable to run a file named “try.vbs” which contains the following code.

Figure 6: Contents of try.vbs

It executes a batch file named “test.bat” which then launches lnnloader.exe. Below are the contents of test.bat.

Figure 7: Contents of test.bat

Lnnloader.exe is used for reconnaissance and was seen enumerating the file system and the registry.

Figure 8: Memory dump of lnnloader.exe seen with the infected system’s information.

It then runs Haloonoroff.exe which was seen constantly connecting to a remote server.

Figure 9: Haloonoroff.exe seen connecting to a remote server

A log file named “Haloonoroff_.log” (or Haloonoroff_20231214.log) was seen being created, which appeared to be a process log.

Figure 10: Event log for Haloonoroff.exe

OTGContainer.exe and SearchRun.exe were copies of N0vaDesktop.exe. PSpendZ.exe is a legitimate tool named PSSuspend, while rar.exe is the command line archiving tool. The rest are non-malicious files.

Interestingly, we also found traces of what seemed to be Tencent QQ-related files that were not seen used during our analysis.

Figure 11: Tencent QQ component files

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Trojanspy.ANY (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and the Capture Client endpoint solutions.

Thanos ransomware encrypts files and installs PowerAdmin for backdoor access

The SonicWall Capture Labs threat research team has recently been tracking a new variant of Thanos ransomware. It is named after the Marvel supervillain and, according to the FBI, was created by Moises Luis Zagala Gonzalez, a Venezuelan-French cardiologist. Thanos is Ransomware as a Service (RaaS) and has been sold on the underground marketplace since around Feb 2020. It contains a suite of functionality that includes network spreading, anti-analysis and additional tool download.

Infection Cycle:

Upon infection, the malware encrypts files and drops the following text file on to the desktop:


Each encrypted file is given a .locked file extension. HOW_TO_DECYPHER_FILES.txt is dropped into all directories containing encrypted files.

The malware is written in C# and is trivial to decompile. We can easily see all of its functions:



The malware contains many components to enable it to spread more effectively and hinder analysis. The anti-analysis component contains a list of programs to kill:



The list is base64 encoded. Decoding it reveals the following program names:

AppFilter http analyzer stand-alone fiddler effetech http sniffer firesheep IEWatch Professional dumpcap wireshark wireshark portable sysinternals tcpview NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter Intercepter-NG ollydbg x64dbg x32dbg dnspy dnspy-x86 de4dot ilspy dotpeek dotpeek64 ida64 procexp procexp64 RDG Packer Detector CFF Explorer PEiD protection_id LordPE pe-sieve MegaDumper UnConfuserEx Universal_Fixer NoFuserEx NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter

The SniffersKiller function is used to kill all programs in the list if they are running:



The Anti_Analysis class contains basic debugger and sandbox detection:



The network component contains a Wake-on-LAN function. If the infected machine's IP address indicates that it is within a LAN, the malware sends a Wake-on-LAN magic packet to bring any sleeping machines back online for potential infection:



Once these machines have woken up, the malware checks if they are online by checking replies to pings:



For each host that answers the ping, the malware attempts to log in using a short, basic list of usernames and passwords:
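The spreading steps described above (LAN check, Wake-on-LAN, then a sweep of the hosts that answer), as an added Python example that is not the Thanos code itself. The interpretation of "within a LAN" as an RFC 1918 address and the /24 subnet are my assumptions; the magic-packet layout is the standard one, and the parser is the defensive counterpart: it recognises Wake-on-LAN payloads (normally broadcast to UDP port 7 or 9) so the same logic can be run over captured traffic.

```python
import ipaddress

# Added example, not code from the Thanos sample. Models the spreader's first
# steps (is this host on a LAN? wake the neighbours, then list the hosts a
# ping sweep would probe) and, for defenders, parses WoL magic packets.

# Assumption: "within a LAN" means an RFC 1918 IPv4 address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MAGIC_LEN = 6 + 6 * 16  # six 0xFF sync bytes, then the MAC repeated 16 times


def is_lan_address(ip: str) -> bool:
    """True when ip is an IPv4 address inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def build_magic_packet(mac: str) -> bytes:
    """Standard Wake-on-LAN magic packet for a MAC written aa:bb:cc:dd:ee:ff."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC if payload is a WoL magic packet, else None.

    Strict check: six 0xFF bytes followed by exactly 16 copies of one MAC.
    Trailing bytes (e.g. a SecureOn password) are ignored.
    """
    if len(payload) < MAGIC_LEN or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def sweep_targets(local_ip: str, prefix_len: int = 24):
    """Other hosts of the local subnet (assumed /24); empty if not on a LAN."""
    if not is_lan_address(local_ip):
        return []
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != local_ip]


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), parse_magic_packet(pkt))  # 102 00:11:22:33:44:55
    print(len(sweep_targets("192.168.1.10")))  # 253
    print(sweep_targets("8.8.8.8"))  # []
```

A burst of magic packets from a workstation followed by an ICMP sweep of the same /24 is the observable this component leaves on the network; the parser above gives the first half of that detection.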



It contains a DownloadTool function to download additional components.



The base64 string in this function decodes to:

https://www.poweradmin.com/paexec/paexec.exe

PAExec, from Power Admin, is an open-source remote execution tool similar to Sysinternals PsExec. In this case it is used as a backdoor to remotely control the infected machine.

We reached out to the email address in the ransom note for details on file retrieval but received no response.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Thanos.RSM_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Multi-Stage Chinese Trojan Records Everything, Even Sounds

Overview

This week the SonicWall Capture Labs threat research team investigated a sample of malware that has multiple infostealer, monitoring and C2 capabilities. The name of the file is translated as ‘Easy Language Program’ from Chinese, and it has two embedded payloads that are only accessible once a variety of system, language and time zone checks have been passed.

Infection Cycle

The original sample is packed with NsPack, which hinders static analysis. Normally this packer can be unpacked with relative ease, but because of unidentified modifications the sample had to be dumped manually from memory while running under a debugger.

Figure 1: Original sample detection

Figure 2: Unpacked sample detection

When the file is run, there is no window or visible activity. It will attempt to establish the correct environment by collecting information in the following ways:

  • Location via GetSystemLocale, GetTimeZoneInformation, GetLocalTime, FileTimeToLocalTime, FileTimeToSystemTime
  • Debuggers via IsDebuggerPresent, OutputDebugString, GetTickCount, GetEnvironmentStrings, CreateToolhelp32Snapshot, IsProcessorFeaturePresent, NtQuerySystemInformation

If any of these checks returns an unexpected value, the file terminates immediately. Once the checks pass, two files named 'Delfile.sys' and 'Del.exe' are dropped.

Figure 3: Embedded file locations

The .sys file exists solely to run 'Del.exe' and has a self-modifying section used at runtime; it lists no imports, functions or libraries. 'Del.exe' controls and registers system services and writes a registry key at 'SYSTEM\CurrentControlSet\Services\DelFile', which is the persistence mechanism.

Figure 4: Output showing the self-modifying ‘INIT’ section of ‘Delfile.sys’

The main executable uses process injection and hooks KernelBase.dll, then begins enumerating multiple areas of the system, including but not limited to:

  • Keyboard/Mouse: GetKeyState, GetAsyncKeyState, GetCursorPos
  • Processes: GetCurrentProcess, CreateToolhelp32Snapshot, Process32First, Process32Next
  • Desktop: GetForegroundWindow, GetFocus, GetCapture
  • Registry: RegQueryValue, RegOpenKey, RegCreateKey
  • System Drive Volume: GetVolumeInformation
  • Clipboard: GetClipboardData, FlushClipboardData
  • Audio: waveOutWrite, midiStreamOpen
  • Game software: Xbox, TenCent

The malware also looks for several networking applications: F5 VPN, Checkpoint VPN, SonicWall MobileConnect and Juniper Networks Junos Pulse. There also appears to be HTML code for a page that will show a fake error, potentially to grab credentials.

Figure 5: Partial list of software in unpacked sample

Figure 6: “Bogus message code” is referenced with HTML page code

In addition to this list, the sample uses the Winsock library (ws2_32.dll) to set up sockets, and bcrypt to encrypt extracted data before transfer. All of the ws2_32 functions are imported by ordinal rather than by name, which keeps the function names out of the import table and out of a simple strings review. Additional tooling confirms C2 capabilities, but no network connections were made during analysis.

Figure 7: The ws2_32 function names have been removed and replaced with ordinal numbers

Figure 8: Partial output of capa showing evasion and C2 capabilities

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • MalAgent.Lang.A
  • MalAgent.Lang.B
  • MalAgent.Lang.Del.A
  • MalAgent.Lang.Del.B

IOCs

Hashes
Main: 306710d0aef6d8f233f92a33530fce2758fab778cebe0dde2d047a50428b9813
Main (unpacked): 49d383c2422c1be0651d6c49acbf34f6e3547db3b5305bab3ea480fe383a9481
Del.exe: 7a21cd7f0364e50a2e631348e662a86fc7351ced4b7a9c8eb3f6d0688a2ec52d
Delfile.sys: 85cb69375e8be5ec8f0dfb130253fa13af3563d5dab2e4dc0b10c3dd1336c39a

URLs

  • hxxp://yy[.]com/5336/1705313832
  • hxxp://www.super-ec[.]cn
  • hxxp://wghai[.]com/ec
  • hxxp://qsyou[.]com/ec
  • hxxp://www.wghai[.]com
  • hxxp://bbs.wghai[.]com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

Novel Malicious code evasion method for AI/ML based detection

The SonicWall Capture Labs Threat Research team has observed Remcos RAT (Remote Access Trojan) being distributed by adding malicious code to existing open-source software. This appears to be an attempt to evade security products based on machine learning / artificial intelligence, since most of the machine code is identical to that of the clean application. The malicious code also includes anti-sandboxing and anti-emulation features, which further help it evade security products.

Binary Comparison with clean application

In the sample we analyzed, the legitimate code was taken from TightVNC, free and open-source remote desktop software for accessing and controlling a computer over a network; its source is available on the project's downloads page. The image below compares the analyzed sample against a clean TightVNC viewer (2.8.81) binary and shows that approximately 90% of the code is shared between the two files.

Fig1: Binary comparison the sample with the clean binary (TightVNC viewer.exe)

Malicious code Analysis

Analysis of the binary shows that a malicious function was added to the legitimate source before compilation. It loads the DLLs it needs (kernel32.dll, wininet.dll, etc.) to download additional payloads. The function is placed so that it always executes, and it exits with an error message if any of its checks fail (file name not matching, download failing, etc.).

Fig-2: Left side is the original clean code and right side is the decompiled code from the malware

The image below shows that the malicious function exists only in the sample:

Fig-3: Showing that malicious code does not have a matching function in clean binary

Infection Cycle

The malware code is obfuscated, and it uses anti-emulation and anti-sandbox techniques to evade detection in a controlled environment. When it detects such an environment, it terminates after displaying an error message:

Fig4: Code displays error message in controlled environment

Anti-Sandboxing feature

The malware retrieves its own executable file name and computes a checksum by summing the ASCII value of every character in it. Execution continues only if the checksum is 0x7AE or 0x718; otherwise the malware terminates. For 0x7AE the matching file name is "patchSvc_beta_v2.exe" and the name length must be 0x14; for 0x718 the name length must be 0x12. Below is the code that computes the checksum and checks the name length:

Fig5: Code calculates and compares checksum of its own executable
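The file-name gate described above, reimplemented as an added Python example (not the malware's own code) to show why a sandbox that renames the sample, typically to its SHA-256, never reaches the payload, and what name to give the file before detonation. The two checksum/length pairs are the ones reported for the sample; the helper names are mine.

```python
# Added example, not the malware's code: the file-name check the sample
# performs before doing anything else, plus a helper an analyst can use to
# pick a file name that satisfies it before detonating the sample.

# checksum -> required file-name length, as observed in the sample
EXPECTED = {0x7AE: 0x14, 0x718: 0x12}


def filename_checksum(name: str) -> int:
    """Sum of the byte value of every character in the file name."""
    return sum(name.encode("latin-1"))


def passes_name_check(name: str) -> bool:
    """True only when the checksum is an accepted value AND the name has the
    length that value requires; both conditions are enforced."""
    return EXPECTED.get(filename_checksum(name)) == len(name)


def explain(name: str) -> str:
    """One-line verdict in the form an analyst's notes would record."""
    cs = filename_checksum(name)
    verdict = "continues" if passes_name_check(name) else "terminates"
    return f"{name!r}: checksum=0x{cs:X} len=0x{len(name):X} -> malware {verdict}"


def detonation_name(candidates):
    """First candidate the gate accepts, or None. Rename the sample to it in
    the sandbox so the run actually reaches the download stage."""
    for name in candidates:
        if passes_name_check(name):
            return name
    return None


if __name__ == "__main__":
    # Constructed sandbox-style name: the sample's SHA-256 plus ".exe"
    sha_named = "6e07b6ef7a182f367f596cbe4baa148336fa7e7592166ce51e483db81221e220.exe"
    for n in ("patchSvc_beta_v2.exe", "sample.exe", sha_named):
        print(explain(n))
    print(detonation_name(["sample.exe", sha_named, "patchSvc_beta_v2.exe"]))
```

Summing the characters of "patchSvc_beta_v2.exe" does give 0x7AE (1966) over a 20-byte name, so that string is self-consistent with the two constants; any automated pipeline that stores samples under their hash will fail the length test alone and log nothing past the error message.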

Anti-Emulation feature

The malware downloads a PNG image from the URL h[t][t]ps://www.pleumeurbodou.com/squelettes/img/port.png, setting the User-Agent header of the web request to "spirochete":

Fig6: Code downloads a PNG image from an URL

The first 0x20 bytes of the downloaded PNG are used to decrypt the API name "InitOnceExecuteOnce". The malware resolves that API with GetProcAddress and invokes it with its next executable module as the argument, so that the API runs that code. Because the API name can only be recovered from bytes fetched over the network, the next stage never executes in an emulator or sandbox where the URL is unreachable or serves no data; the download doubles as an anti-emulation / anti-analysis check.

Fig7: Code decrypts an API name using downloaded data

The malware then resolves and invokes "VirtualProtect" in the same way. It sets the memory protection of the next layer to PAGE_EXECUTE_READWRITE, decrypts that code with a hardcoded key, changes the protection back to PAGE_EXECUTE_READ and transfers control to the decrypted code:

Fig8: Code decrypts next layer malicious code

Next the malware drops ASUS software component files into "%APPDATA%\TaskWordpad_test" together with a malicious DLL named "AsIO.dll". It executes "atkexComSvc.exe", which loads the malicious "AsIO.dll" placed alongside it; that DLL then injects Remcos into explorer.exe:

Fig9: Code creates a process for a dropped file

Fig10: Process execution sequence
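The execution pattern above (a vendor executable dropped into a user-writable directory and loading a DLL of a legitimate name from that same directory) is the classic DLL side-loading shape, and it is detectable from image-load telemetry. The following is an added Python example, not the page's or any vendor's code: a small rule run over constructed records whose field names are modelled on Sysmon Event ID 7 (Image is the process executable, ImageLoaded the DLL, Signed whether the DLL carries a valid signature). The directory list, the short list of commonly hijacked DLL names, the assumption that the dropped AsIO.dll is unsigned, and all sample records are mine.

```python
import ntpath

# Added example, not code from the page. Two side-loading rules over
# constructed image-load records (fields modelled on Sysmon Event ID 7).

# Assumption: directories a standard user can write to (ProgramData is
# included because the sample writes its logs there).
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Constructed, deliberately short list of DLL names often used for hijacking.
COMMON_SIDELOAD_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE)


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in SYSTEM_DIRS)


def classify(event: dict):
    """Return a reason string if the load looks like side-loading, else None."""
    image, dll = event["Image"], event["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    base = ntpath.basename(dll).lower()

    # Rule 1: an executable in a user-writable directory loads an unsigned
    # DLL from that same directory (the atkexComSvc.exe / AsIO.dll case).
    if in_user_writable(image) and same_dir and unsigned:
        return f"unsigned {base} loaded by {ntpath.basename(image)} from user-writable dir"
    # Rule 2: a system DLL name resolved outside the Windows system directories.
    if base in COMMON_SIDELOAD_DLLS and not in_system_dir(dll):
        return f"system DLL name {base} loaded from {ntpath.dirname(dll)}"
    return None


def scan(events):
    """(ImageLoaded, reason) for every record a rule fires on."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify(e))]


# Constructed test records; paths other than the %APPDATA%\TaskWordpad_test
# drop directory are invented.
EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\TaskWordpad_test\atkexComSvc.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\TaskWordpad_test\AsIO.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\VendorTool\atkexComSvc.exe",
     "ImageLoaded": r"C:\Program Files\VendorTool\AsIO.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\version.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for loaded, reason in scan(EVENTS):
        print(f"ALERT {loaded}: {reason}")
```

Only the first and last records fire; the same executable and DLL names installed under Program Files with a valid signature pass, which is the point: the names are legitimate, the location and signature state are not.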

Remcos is a well-known Remote Access Trojan (RAT) that collects information from the victim's machine, including the executable's name, computer name, Windows version, RAM details and keystroke logs. The malware stores its Remcos data in the registry key "HKCU\Software\Rmc-OPX7KW". Please refer here for a detailed analysis of Remcos RAT.

Fig11: Remcos data stored in the registry entry

The malware stores keystroke logs in "C:\ProgramData\remcos\logs.dat" and sends the stolen data to the C&C server "retghrtgwtrgtg.bounceme.net":

Fig12: File stores keystrokes information

Detection by Security Products

In the first days after the sample was submitted to VirusTotal there were virtually no detections, and coverage improved only slowly. This shows that malware can evade ML/AI-based security products during the first days of propagation by hiding inside legitimate application code.

Fig13: detections on VirusTotal over time

This threat is detected by SonicWall Capture ATP with RTDMI.

IOCs

SHA256:

  • 6e07b6ef7a182f367f596cbe4baa148336fa7e7592166ce51e483db81221e220

Network Connections:

  • h[t][t]ps://www.pleumeurbodou.com/squelettes/img/port.png
  • h[t][t]ps://i.imgur.com/vUptouc.png
  • retghrtgwtrgtg.bounceme.net

User Agent:

  • spirochete