Posts

Akira ransomware double-extortion scheme encrypts and publicly leaks sensitive data

/in /by

The SonicWall Capture Labs threats research team has been tracking a newly discovered form of ransomware called “Akira”. This malicious software is actively targeting numerous organizations and stealing sensitive data. To maximize the likelihood of receiving payment, the Akira ransomware employs a dual-extortion technique, whereby it both steals and encrypts the victim’s data and threatens to sell or leak the stolen data on the dark web unless the ransom is paid to decrypt the compromised information.  Akira ransomware appeared in April 2023 and has already affected a variety publicly disclosed victims, primarily located in the United States.  These victims span various sectors such as construction, education, healthcare, and manufacturing.

 

Infection cycle:

 

Once the malware is run, the following command prompt is briefly shown:

 

Files on the system are encrypted and given a “.akira” file extension.  During this process, the following ransom note is dropped on to the desktop:

 

The malware obtains details on all connected drives:

 

The malware can be seen setting up its encryption key and encrypting data.  It uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” API in order to achieve this.  The public key can be seen in the code when being run in a debugger:

 

The tOr link from the ransom note leads to the following page:

 

After entering the code contained in the ransom note, the following page is presented summarizing what has happened and how to retrieve lost files.  The page is designed in a Linux terminal style with a list of commands:

 

The “leaks” command leads to the following page listing of companies that have fallen victim to the attackers.  These companies have not paid their ransom and as a result, their data is downloadable via bittorrent magnet links:

 

The “contact” command brings up a page where victims can have direct conversations with the attackers.  It appears to also show past conversations between victims and the operator:

 

This victim tries to reason with the attacker but the attackers stresses that their data will be released if a $1M ransom is not paid.  As motivation, invoices and bank statements are used by the attacker to prove that the victim is capable of paying the ransom:

 

Microsoft Security Bulletin Coverage for May 2023

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-24902 Win32k Elevation of Privilege Vulnerability
ASPY : 443 Exploit-exe exe.MP_321

CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability
IPS : 3768 Windows NFS Remote Code Execution (CVE-2023-24941)
IPS : 3826 Windows NFS Remote Code Execution (CVE-2023-24941) 2
IPS : 3836 Windows NFS Remote Code Execution (CVE-2023-24941) 3

CVE-2023-24949 Windows Kernel Elevation of Privilege Vulnerability
ASPY : 444 Exploit-exe exe.MP_322

CVE-2023-24950 Microsoft SharePoint Server Spoofing Vulnerability
IPS : 3769 Microsoft SharePoint Server Spoofing (CVE-2023-24950)

CVE-2023-29324 Windows MSHTML Platform Elevation of Privilege Vulnerability
IPS : 15875 Windows MSHTML Platform Elevation of Privilege (CVE-2023-29324)

CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability
ASPY : 446 Malformed-rtf rtf.MP_33

CVE-2023-29336 Win32k Elevation of Privilege Vulnerability
ASPY : 445 Exploit-exe exe.MP_323

The following vulnerabilities do not have exploits in the wild :
CVE-2023-24881 Microsoft Teams Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24898 Windows SMB Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24899 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24900 Windows NTLM Security Support Provider Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24901 Windows NFS Portmapper Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24903 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24904 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24905 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-24939 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24940 Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24942 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24943 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24944 Windows Bluetooth Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24945 Windows iSCSI Target Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24946 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24947 Windows Bluetooth Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24948 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24953 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24954 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28251 Windows Driver Revocation List Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28283 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28290 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-29333 Microsoft Access Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29335 Microsoft Word Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-29338 Visual Studio Code Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-29340 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29341 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29343 SysInternals Sysmon for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29344 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.

Don’t get Caught by Raspberry Robin: Dissecting the evasion methods

/in /by

Recently, the SonicWall Capture Labs Research team analyzed a Raspberry Robin, which is known for its endless anti-evasion’s techniques and multiple layers of packing. The layers have several anti-debugger, anti-sandbox, anti-VM and anti-emulator checks. The malware keeps evolving over the time and intensified itself to become more robust by adding various evasions and tactics.

Overview: 

Raspberry Robin is packed with 14 layers, each one is heavily obfuscated and performing a particular goal. From the structure of each layer, we can understand that initially it began as PE files but were changed into unique encrypted structures without PE headers that could only be retrieved and decrypted by the preceding layers. 

Once Raspberry Robin identified the execution is happening in a controlled environment then it mislead the execution flow in a variety of ways:

  • Terminate execution of the malware. 
  • Executes in a infinite loop. 
  • Generate a exception and terminates.
  • Execution of fake payload instead of real payload. 

Obfuscation: 

Malware does an extensive use of obfuscation. This makes it exceedingly difficult to statically analyze anti-analysis tactics and figure out how to get malware to unpack itself by passing all the checks. Malware uses API hashing to retrieve API addresses. Malware only uses VirtualAlloc and  VirtualProtect API’s to unpack next layer. 

Series of Layers:

Start:

Malware directly starts decryption of layer 1, which is stored in .data section, using simple XOR and jump to it:

Layer 1: 

This layer decrypts the next layer and starts its execution.

Layer 2:

It is a DLL file with no import and exports directory:

It has one unique check , where it initially set cx = 2. After performing some instruction it checks if cx is still equal to 2. Since cx value should remain the same. The gs selector’s value would be reset by a single step event and a new value would be placed into cx at the end of the procedure. 

This layer decrypts the next layer and starts its execution.

Layer 3:

This layer decrypts the next layer and starts its execution.

Layer 4:

This layer decrypts the next layer and starts its execution:

Layer 5:

Here, malware allocates large memory buffer with PAGE_WRITECOMBINE flag, where it first writes and then reads from it, evaluating read/write performance. Malware loops this check 32 times and compares that write performance is at least 6th times more than read performance. 

This check focuses on the execution in the emulator, if it is unsuccessful, malware will choose an incorrect RC4 key and leads to crash.

Function responsible for write-read performance check: 

Malware performs above operation 32 times: 

After successfully bypassing above check, it decrypts the next layer and starts its execution.

Layer 6:

It performs simple task of decryption by using very complex calls. Check the below call graph of this layer.

This layer decrypts the next layer and starts its execution.

Layer 7:

Every time malware has to call any API, it search for the required module in PEB->InLoadOrderModuleList. If the module found, it retrieves the address of required API from exports:

This layer decrypts the next layer and starts its execution.

Layer 8:

In this layer malware creates a new thread , which executes below mentioned checks as a separate function one by one:

1:

  • Malware checks NtMinorVerion and NtMajorVerionfields of KUSER_SHARED_DATA structure to get operating system version. At least windows 7 required to continue its execution:

  • Malware check KdDebuggerEnabled field of KUSER_SHARED_DATA structure to detect presence of kernel debugger:

  • Malware checks BeingDebugged and NtGlobalFlag fields of PEB structure to detect user mode debugger:

2:

  • Malware iterates through USERNAME and COMPUTERNAME environment variables to check for blacklisted user names and computer names:

3:

  • Malware uses CPUID instruction with multiple values of EAX to get various information about system processor. It sets EAX=0x01 to check whether it is running in Hypervisor or not. It sets EAX = 0x0 to get processor family name such as GenuineIntel is defined for intel processors. It set EAX =0x1c but this is invalid as per intel’s developer documentation. It sets EAX = 0x40000000 to check vendor ID string:

4:

  • Malware uses NumberOfPhysicalPages field of KUSER_SHARED_DATA structure to get ram size. It does to compare with minimum threshold to continue its execution:

5:

  • Malware gets Hash of absolute process path then check it against blacklisted paths which are generally used by sandbox:

6:

  • Malware implements an anti emulation method based on FileMapping. It creates a section of approx. 57MB size then it maps created section 9 times into malware’s memory address space. After mapping , it write’s dummy instructions and jump instruction at the end of each section:

 

7:

  • Malware get MAC address of machine using GetAdaptersAddresses API and check it against default adapter addresses of virtual machines:

 

8:

  • Malware check ProductId of HardDisk and compares it against blacklisted names. It uses DeviceIOControl API to get information about HardDisk:

9:

  • Malware check for display device name of system and compares it against blacklisted names. It uses EnumDisplayDevicesW API to get list of display devices:

10:

  • Malware checks for hashes of running process names against process names related to virtual environment and analysis tools. To fetch running processes names malware use NtQuerySystemInformation API with SystemProcessInformation class as parameter:

  • Also malware uses PEB->InLoadOrderModuleList to list all DLL modules, hashing each of module’s name and compare against hardcoded list of blacklisted modules. Function for checking DLL modules name: 

  • Name Hashing Algorithm: 

11:

  • Malware checks for sandbox related files in C: folder:

12:

  • Malware uses NtQuerySystemInformation API with SystemVhdBootInformation = 0x70 class to get virtual hard disk boot information. It also uses NtQuerySystemInformation API with SystemFirmwareTableInformation = 0x4C class to get firmware table information:

13:

  • Malware check whether default execution of VBA macro’s is enabled or not. For this it queries registry key using SHGetValueW API:

Malware has a variety of anti-analysis checks in this Layer. If malware is successful in detecting an analysis environment in at least one check, It will unpack and run the fake payload rather than the real payload  

LAYER 9:

On physical machine MulDiv API returns value 2 but on WineHQ’s MulDiv’s API implementation it returns value 1. So malware makes use of this opportunity and detects its execution under wine successfully:

Runtime call to allocated region:

It decrypts the next layer and starts its execution.

Layer 10:

Strings from the fake loader:

LAYER 11:

Malware drops fake payload into %TEMP% directory and execute it.

Fake Payload: 

LAYER 12:

It decrypts the next layer and starts its execution.

LAYER 13:

It decrypts the next layer and starts its execution.

LAYER 14:

 Raspberry Robin’s Main payload is unpacked.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Roshtyak.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New campaign spreading Android Remote Access Trojan

/in /by

SonicWall Capture Labs Threat research team recently discovered a malware campaign that utilizes a Remote Access Trojan (RAT) with enormous capabilities, including keylogging, stealing sensitive device information, bypassing Google Authenticator, etc. These features allow the attacker to access and steal valuable information from the victim’s device, which can lead to various types of fraud, including financial fraud and identity theft.

This malware uses icon masquerading, a common tactic used by malware authors to evade detection and deceive users. The technique involves using the icons of legitimate and popular apps as a disguise for malicious apps. This allows the malware to blend in with other apps on the device and avoid suspicion.

After installation, the malware prompts the victim to enable the Accessibility Service on the targeted device. If the victim grants permission, the malware then takes advantage of the Accessibility Service to perform malicious activities without the user’s knowledge.

Fig1: Installed malicious app

 

Accessibility service usage is shown below:

Fig2: Accessibility permission

 

We also noticed that most of these malicious apps are fairly new and have recently been submitted over malware sharing platforms like Virus Total.

Fig3: Latest samples found on VT

Infection cycle:

The malware requests 34 permissions, some of the critical permissions used in these apps are mentioned below:

  • READ_SMS
  • CALL_PHONE
  • RECEIVE_SMS
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • WRITE_EXTERNAL_STORAGE
  • USES_POLICY_FORCE_LOCK
  • REQUEST_DELETE_PACKAGES
  • ACCESS_NOTIFICATION_POLICY
  • ACCESS_BACKGROUND_LOCATION

The components mentioned in the manifest file are absent from the compiled dex file.

Fig4: Mismatched components in the manifest file

 

During execution, the malware unpacks the “PFf.so” file from the assets section and drops it into the application system folder.

 

Fig5: drops unpacked dex file in the application folder

 

The application hides its own icon so that it is not visible in the launcher’s app tray.

Fig6: Hide app icon

 

The threat actor uses the below functions to collect the device information like IMEI no, country code, device model, installed package name etc.

Fig7: Collecting device info

 

It stores the user’s details using Shared Preferences and tries to connect to the C&C server (hxxps://141[.]98[.]6[.]86)

Fig8: Package Installation list

 

The malware has the ability to download HTML phishing pages from the Command and Control (C&C) server and then inject them into a WebView, to steal sensitive information such as login credentials and credit card numbers.

Fig9: Webview injection

 

Read incoming messages on a device and save them in JSON format.

Fig10: Read incoming SMS

 

Google Authenticator generates two-factor authentication (2FA), which provides stronger security for Accounts & requires a second step of verification when a user signs in. This malware manages to evade additional layers of security by getting 2FA codes with the help of Accessibility services.

Fig11: 2FA code

 

The malware accepts commands from the C&C server allowing the malware author to send SMS  and calls from the infected device.

Fig12: Ability to make calls

 

Fig13: Ability to send SMS

 

The malware has integrated keylogging functionality by taking advantage of the Accessibility Service.

Fig14: Store the key logs

 

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig15: Malware capture screenshots

 

It disables notifications by setting the interruption filter to “INTERRUPTION_FILTER_NONE”,

locks the device, and sets the ringer volume silent to remain unnoticed and silently reads the incoming notifications.

Fig16: Disable incoming notification

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):

0098fef6d54bc27d2cec81fccdb319ed9949ed4edd80e56c8d9acd00e8f0131a

013185b920a6b6cc1f38ae361f6a134502f87c847372c4d70f3d704fce1a8138

3f7c7af5153f5a4b30d35f7ff2ba832887bcbfe3d37f9915dcc23c76896ee199

50651c753d57e12f155c2261fe8735c077e65ed84f4b3d58b2fd82965c24f6ef

6d3e64e9a60aa9e098226815aad96d620285c98ed4812fd39ae0d2a3f7f03783

70bd486f69815312e6e23b75680cb1fd05bad69e3b538ccddb277e86d4818ab7

873d3211bde4614a1dcb04c4c059a7aa3a1ef314ce95cca3d9c733525c80177b

a0360aac3b925a5185d7bd00e6392be6419e6c4dde871526b6a7dcaaa3fe2aa2

a78659bbc0c03b06a9985aa360ae1390e5f2a1081387da9b3be3f2eb5910932d

ae6cca0df5a4a005ae157bab3567e19a9059adc2f308ebfb972815ecb8838350

b0de190c20c17d5c02d1a80bc1d157a8a63b2abf6e701722a0168d48efbfe492

e0eaf12b806baf45add1f959619cfa548a6265705c08d59d9a914813a04da5a3

e74a55e74835579eed7fc80296171435a0e2a1aae01e791d723e9b2d51954190

ec0d682cd5d72fa32b8e47f0eede32b30216bc88f08acba88d403071df69b233

 

Adobe ColdFusion Deserialization Vulnerability

/in /by

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is a powerful web development platform that enables developers to create dynamic, data-driven websites and applications with ease. ColdFusion Markup Language (CFML) is the programming language behind Adobe ColdFusion, offering a versatile and expressive syntax for writing server-side scripts. CFML combines the simplicity of HTML with the functionality of scripting languages, allowing developers to build web applications faster and more efficiently. Adobe ColdFusion’s robust set of features and integrations, such as support for Java, .NET, and various web services, makes it a popular choice among developers for creating scalable and high-performance web applications.

  Despite its many advantages, Adobe ColdFusion is not immune to security vulnerabilities, one of which is the insecure deserialization vulnerability. Insecure deserialization occurs when an application accepts serialized data from an untrusted source and deserializes it without proper validation or sanitization. This vulnerability can be exploited by attackers to execute arbitrary code, modify application data, or perform other malicious activities. In the context of Adobe ColdFusion, this vulnerability arises due to deserialization of untrusted data when processing HTTP parameters sent to ColdFusion Component (CFC) endpoints.

  A remote, unauthenticated, attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary code execution in the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-26360.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a request is sent to a CFC endpoint, it is processed by the CFCServlet, which adds the ComponentFilter to the filter chain for both GET and POST requests. The invoke() method checks the cfclient parameter, and if set to “true,” it sets the cfclientCall flag of the FusionContext class to true. The GetArgumentCollection() method then retrieves the arguments from the argumentCollection HTTP parameter, and if its value begins with ‘{‘, it is deserialized using the deserializeJSON() method, which may also be called with the variables HTTP parameter value.

  The deserializeJSON() method results in parseObject(), where, if the cfclientCall flag is set, the convertToTemplateProxy() method is invoked. This method retrieves the metadata JSON property and the classname property within it, which is used to determine the full path to the referenced class file. The resolved file is sent to the resolveFile() method of the TemplateProxyFactory class, leading to the resolveName() method, which generates a ColdFusion page by calling the getCFCInstance() method, and subsequently, the newInstance() method of the TemplateClassLoader class.

  This method retrieves the Java class associated with the file by calling findClass() and fetch() of the TemplateCache class. If not found in the cache, the NeoTranslator class’s translateJava() method is called to obtain the class bytes. The method then creates an instance of TemplateReader, which reads the file header to identify the file type. Based on the header, the translateJava() method loads classes from the Java file or generates a Java class from CFML. The generated class is loaded, instantiated, and returned as a CfJspPage object. The resolveName() method then calls resolveComponentHelper(), which executes any compiled CFML tags on the page.

  An attacker can exploit this vulnerability by sending a crafted request to a valid CFC endpoint with the cfclient parameter set to true and a crafted argumentCollection or variables HTTP parameter containing a JSON object with a metadata property, including a classname property set to a file with attacker-controlled content. This could result in arbitrary code execution in the security context of SYSTEM.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker injects cfexecute tag into the log file. Next, the attacker sends a malicious HTTP request to the vulnerable server. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3711 Adobe ColdFusion Remote Code Execution 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Apply proper input validation and sanitization to any deserialized data.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Linux Backdoor Uses Old Tricks For Wide Reach

/in /by

Overview:

  This week, SonicWall Capture Labs Threat Research Team analyzed a Linux backdoor sample, labelled as ‘Gafgyt’, that targets multiple platforms and acts as an enumeration tool, downloader, and C2 agent. This sample is a combination of known malware tools, namely Mirai’s method of generating C2 IP addresses and the use of multiple password lists for accessing services. It evades detection by deleting the binaries and scripts after they’re run, as well as deleting bash history. The original sample, ‘file-27084672.exe.bin’, is an unpacked 32-bit ELF binary 970kb in size. Initial infection method is unknown.

Figure 1: Detection of original sample

The file itself has no obfuscation in regards to content or instructions. Figures 2 and 3 are examples of usernames, passwords, methods for generating IP addresses, and IP address ranges that are pre-configured. These are from multiple sources and involve the following:

  • Mirai botnet
  • Bot Killer malware
  • SSH/Telnet/FTP services
  • Busybox software
  • BCMScanner (Baramundi Configuration Management)

Figure 2: Common usernames and password lists

Figure 3: Pre-configured IP address ranges for downloads or C2 comms

Since this backdoor is an amalgam of different malware techniques, it also contains a list of UserAgents that can be used during communications as seen in Figure 4. Given the nature of this malware, no traffic is received by the victim machine until all stages have been downloaded and installed.

Figure 4: UserAgent list for Firefox, Chrome, Safari, and others

Embedded in the strings (Figure 5) are multiple methods of pulling down the next stage of the malware, using wget, curl, busybox, ftp, and tftp. It should be noted that during testing, only two IPs were active (209.141.41{.}27, 94.177.230{.}2) but not presently delivering malware. There are multiple methods of randomly generating the C2 IPs including Mirai and Python that stage one will use to download stage two.

Figure 5: Commands to download stage two, ‘bins.sh’ or ‘tftp1.sh’

While stage one is attempting to download stage two, it will enumerate through multiple subdirectories on the system, as well as network connections using ‘proc/net/route’ and reading ‘etc/hosts’ file. Bash history is read and deleted. The binary itself is set to delete once a process has been created, or if it fails to find the correct environment.

The contents of ‘bins.sh’ are seen in Figure 6, which is set to pull the stage three payload for a victims’ specific architecture, named ‘Demon’. The file is made executable, run, and then immediately deleted.

Figure 6: Stage three is Demon.(arch)

Looking at ‘Demon.mpsl’, once a connection is made, the malware will send details including the IP address, operating system details, architecture, and installed software. If no connection can be made, the malware will sleep for a random period of time before attempting to connect and send the encoded information to another IP address.

 Figure 7: Calling ‘defpkgs’, ‘defarchs’, and ‘defopsys’ to pull saved system information and send via Demonicsock

As a connection is established and system data is sent, the program will wait for a reply and either sleep or push the command. It also checks whether or not the process is a parent or a child and bases its next actions on that information.

Figure 8: C2 commands in Demon.mpsl

While none of these techniques are new, this has been made to be far-reaching with some of the UserAgents including Playstation and Nintendo DS browsers, as well as phone browsers. The source code for much of the first stage can be found at a pastebin repository here. These samples are detected by the following signatures:

  • MalAgent.Gafgyt.Stage1
  • MalAgent.Gafgyt.Demon

IOCs

Samples

file-27084672.exe.bin – a2c5db1807e510421bb76757a033ff39e4b6dc64a9b49a362fbabf758c8bf3f1
bins.sh – a183ebf8170284f84a1251b56848a9cc34f8b92b8797817c80f604b12d608e3b
demon.mpsl – 2145a816884ed20909c8cd51a1543d8e71c17531e245dcca07c86c816200c644

IP Addresses

209.141.41{.}27
94.177.230{.}2

vBulletin Deserialization RCE Vulnerability

/in /by

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  vBulletin is written in PHP and uses MySQL as its database management system. It is designed to provide a robust platform for online communities to discuss and share ideas, information, and content. vBulletin is known for its ease of use, flexibility, and scalability, making it a popular choice for both small and large forums.

  vBulletin offers several key features that make it a popular choice for forum management. Its user-friendly interface is designed with usability in mind, ensuring that both administrators and users can easily navigate and manage the forum. Powerful administration tools are provided through a comprehensive control panel, which allows administrators to manage and customize various aspects of the forum, including user permissions, content moderation, and appearance. The platform’s extensibility means that it supports a wide range of plugins and add-ons, enabling administrators to tailor their forum’s functionality to meet specific needs. Moreover, vBulletin’s responsive design ensures that the forum displays well and operates smoothly on various devices, such as smartphones and tablets.

  A remote code execution vulnerability has been identified in vBulletin due to inadequate validation of the ‘searchprefs’ field, leading to arbitrary deserialization. Exploiting the unserialize() function can be achieved by using PHPGGC to generate a payload or discovering a new gadget chain within the code.

  A remote, authenticated attacker could exploit these vulnerabilities by sending crafted requests to the target server. Successful exploitation could result in arbitrary remote code execution under the security context of system.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-25135.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Understanding the deserialization remote code execution (RCE) vulnerability in vBulletin necessitates familiarity with several key technologies and concepts. One such concept is deserialization of untrusted data, which refers to converting a serialized data stream back into an object or data structure without properly validating or sanitizing the input. Serialization is the process of converting complex data structures, such as objects, into a format that can be easily stored or transmitted, while deserialization is the reverse process. When an application deserializes untrusted data without proper validation, it can lead to various security vulnerabilities, including remote code execution, denial of service, or unauthorized access to sensitive information.

  Another critical concept is the use of gadget chains, typically comprising one or more interconnected objects with specific properties or methods that can be abused during the deserialization process. An attacker crafts a malicious serialized data stream containing references to these objects, along with manipulated data that exploits their properties or methods. When the application deserializes this malicious data, the gadget chain is executed, resulting in unintended behavior or code execution. Furthermore, understanding Object-Relational Mapping (ORM), scalar fields, autoloading, and the serialize() and unserialize() functions is vital for comprehending the intricacies of the vBulletin deserialization RCE vulnerability.

  vBulletin’s ORM offers an abstraction layer between the application logic and the database, while scalar fields represent columns in database tables storing single-value data types. Autoloading in vBulletin is a feature that automatically loads required class files as needed, streamlining class file inclusion in the code and promoting a more organized and efficient structure for the application. Lastly, vBulletin utilizes PHP’s built-in serialize() and unserialize() functions to handle serialization and deserialization processes within the application. These functions play a critical role in converting complex data structures, such as objects or arrays, into a storable or transmittable format (serialization) and reversing this process to recreate the original data structures (deserialization).

  Payload Expanded:
  

  This serialized payload represents a gadget chain using objects from two different libraries: GoogleLogin extension for MediaWiki and Monolog. The payload comprises an array with two objects:

  

  When this payload is deserialized using PHP’s unserialize() function, the objects will be recreated, and their destructors will be called upon script termination or when the objects are no longer needed.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious serialized payloads containing gadget chains to the application.
  • The attacker must use the unserialize() function to deserialize the payload.

Triggering Conditions:

  The attacker sends a POST request to the target system. A deserialization vulnerability, such as CWE-502, may arise in an application under certain circumstances. One contributing factor is the application accepting serialized data from untrusted sources without implementing proper validation or sanitization measures. Additionally, the application employs the unserialize() function to deserialize this untrusted data, which can inadvertently instantiate objects containing malicious gadget chains. These gadget chains can be present in the application’s code or in third-party libraries used by the application, making them exploitable during the deserialization process. Furthermore, the autoloader mechanism plays a role in this vulnerability by loading classes required for deserialization. This can lead to unintended consequences or even the execution of malicious code when an attacker exploits the autoloader during a deserialization attack.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15584 vBulletin Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
    • Apply proper input validation and sanitization to any deserialized data.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Malicious PDF delivering Xworm 3.1 payload

/in /by

Delivering Malicious PDF documents as email attachments is the easiest way for threat actors to get into the victim’s machine be it phishing, or embedded scripts for delivering malware payloads.

This time SonicWall Capture Labs threat research team has observed PDF being used to deliver Xworm 3.1 malware.

Infection Cycle:

Fig: Infection Cycle

 

Victim receives a phishing email with an attached malicious PDF file disguised as a genuine invoice attachment. When PDF file is opened it shows a blurry invoice image with a note saying ”right click on the pdf and open the link for the clear invoice”.

Fig: PDF file

 

When the user clicks the link in pdf it is opened in the browser and downloads a malicious executable without the user’s consent. The downloaded executable is named Invoicedav4564 to look like a regular bill.

Fig: PE file downloaded

 

The downloaded PE file is a SmartAssembly obfuscated dotNet file to prevent analysis. When the user tries to open the downloaded file considering an invoice malicious PE starts executing. It drops self-copy in the %Appdata% folder after creating a folder named svchost and file name also as svchost.exe .

Fig: Self-copy in %Appdata% as svchost.exe

 

For persistence, it schedules a task named “Nafifas” with a recurrence time of 1 minute setting from the dropped location which triggers the new process from the svchost folder with the legitimate system process name to remain unnoticed.

Fig: Scheduling Task

 

There is a decryption loop which then decrypts the final payload PE file as shown in the below image.

Fig: Decrypted Xworm payload PE

 

Decrypted PE file is the Xworm3.1 payload which is a RAT that comes with a bundle of malicious tasks, this version of Xworm uses APIs similar to other RAT like PreventSleep for hassle-free execution. It also creates Mutex and context switching to perform multiple malicious activities simultaneously.

Fig: RAT functionalities

 

Then it decrypts strings for the following essential details :

hxxp[:]//david1234[.]duckdns[.]org/

Port :7000

Key  :123456789

SPL : Xwormmm

USBNM : USB.exe

Decrypted strings are shown below images:

Fig: Host, Port, SPL, USB

 

Malware checks for installed antivirus products in the WMI namespace called root\SecurityCenter2 to sustain in the system and remain unnoticed.

Fig: Antivirus check

 

To bypass UAC malware makes sure to run in the security context of the administrator account by checking the current in role profile, so that it can perform all its desired tasks.

Fig: UAC bypass

 

Malware shares all the information about the current state of the computer like operating system version and installed version of itself to receive commands from C&C accordingly.

Fig: System details

 

There are specific user agents to communicate with C&C for different operating systems like Windows and MAC.

Fig: User Agents

 

It starts monitoring running processes, shares details using webrequests with server and gets commands as response using GET method.

It has a keylogging module named Xlogger which captures all the keystrokes. Xlogger uses the following APIs :

GetActiveWindowTitle

GetForegroundWindow

GetWindowThreadProcessId

GetProcessById

HookCallback

GetKeyState

It captures all the keystrokes in HookCallback function as shown in the below figure

Fig: Logging Keystrokes

 

After establishing the socket connection & getting full control over the system it can perform any critical task like:

  • screen recording
  • Install/Uninstall/Update any application
  • Open/Hide any URL
  • Shutting Down PC
  • Restart PC
  • PCLogoff
  • StartDDos
  • StopDDos
  • StartReport
  • XChat (Xworm chat option with the victim)

Fig: System control & DDoS

 

It also captures the screen and shares the detail with C&C as shown in the below figure:

Fig: ScreenCapture

 

It sends all the data to the host using TCP protocol as shown in the figure:

Fig: Post data using TCP

 

The malware must have been named Xworm because it has a dedicated function named spread, which spreads as worm via USB. It looks for all the drives on the system and checks for

  • removable drive type
  • drive name as USB

Fig: Checking for USB drive

 

Then searches for the current working directory and creates shortcut.

Fig: USB spread function

 

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, this indicates its spreading potential:

Fig: VirusTotal image

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

Fig: RTDMI capture

QNAP Photo Station Externally Controlled Reference Vulnerability

/in /by

QNAP (Quality Network Appliance Provider) is a Taiwanese corporation that specializes in Network Attached Storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP’s Photo Station is a private cloud photo storage , service that can centrally store and manage full resolution photos across all devices with QNAP NAS.

QNAP Photo Station Externally Controlled Reference | CVE-2022-27593
An externally controlled reference to a resource vulnerability exists in QNAP NAS systems that are running Photo Station. If exploited, this could allow an attacker to modify system files. SonicWall Capture Labs threat research team has observed this vulnerability being exploited in the wild.
Following versions are vulnerable:

  • QTS 5.0.1: Photo Station 6.1.2
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22
  • QTS 4.3.6: Photo Station 5.7.18
  • QTS 4.3.3: Photo Station 5.4.15
  • QTS 4.2.6: Photo Station 5.2.14

According to CWE , Externally Controlled Reference Vulnerability means the product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Following is an example of exploit:

The code is a URL string that includes a query parameter with the value “/photo/combine.php”. The query parameter “type” has a value of “javascript” and the parameter “g” has a value of 
The code is attempting to combine multiple JavaScript files located in the directory “/photo/” using the script “/photo/combine.php”. An attacker can manipulate the parameter ‘g’ by inserting directory traversal characters, potentially granting them the ability to make changes to system files.

This vulnerability can be exploited by remote, unauthenticated attackers without any user interaction.
The CVSS(Common Vulnerability Scoring System) score is 9.1 with Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

QNAP has patched this vulnerability.
Querying Shodan shows numerous QNAP devices, many of which many are still vulnerable.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15790:QNAP Photo Station Externally Controlled Reference

Threat Graph

Money message Ransomware actively targeting large organization

/in /by

Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Money message. Written in C++, this ransomware encrypts the victim’s files without changing the filename or appending the extension, making it more difficult to identify which files have been compromised. Once the files are encrypted, the attackers demand a ransom payment in exchange for the decryption key.

Infection Cycle:

At the start of the execution it creates a named mutex “12345-12345-12235-12354” to avoid different instance of Money message Ransomware running on the same system.

It uses WMI (Windows Management Instrumentation) Query and Service Control Manager to disable the specific list of services.

Associators of {Win32_ServiceName=’sql’} Where AssocClass=Win32_DependentService Role=Antecedent­

It opens the Service Control Manager (SCM) by calling OpenSCManagerW() function.
It then calls OpenServiceW() function to open the service from the list and EnumDependentServicesW() function to enumerate all its dependent services, If any of the services present from the list is found to be running, the ransomware stops them using ControlService() function.

Below are the list of the services that are stopped by the ransomware

vss
sql
svc$
memtas
mepocs
sophos
veeam
backup
vmms

It then enumerates the running processes on the system and terminates the below list of processes.

sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocauto upds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mdesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
vmwp.exe

It deletes the volume shadow copies using ShellExecuteW() function by passing below command

It avoids encrypting the files from below directories

It also has a list of files which it avoids encrypting:

The files which are not present in the whitelisted directories nor the files are whitelisted are encrypted by the ransomware.
Once the files are encrypted the filename of the original file remains the same nor the extension of it is changed.

Once the files are encrypted it displays below ransom message

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:MoneyMsg.RSM (Trojan)

SonicWall RTDMI engine – part of capture ATP – has a proactive 0-day protection against this ransomware.