
Infostealer Trojan with Remote Access and Ransomware Capabilities Seen in the Wild

This week, the SonicWall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. This trojan is capable of terminating applications, logging keystrokes, opening web pages, connecting to a remote host, executing DDoS attacks and encrypting the victim’s data.

Infection Cycle:

The malware arrives as a portable executable using the following file name and icon:


Figure 1: Filename and icon used by the trojan

Upon execution, it creates a copy of itself in the user’s temp directory named csrss.exe, borrowing the name of a legitimate Windows process that normally runs from System32. It then launches the legitimate Windows Task Scheduler utility (schtasks.exe) to create a scheduled task that runs this copy periodically.


Figure 2: Scheduled task added

It also adds a run key in the HKU hive:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe
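The two persistence mechanisms above (a Run key and a scheduled task, both pointing at a system-process name under %temp%) are exactly what a hunting query should look for. The following Python is an added example, not code from the original post: it expands each autorun command against an assumed environment block and flags any entry whose executable carries a system-binary name but lives outside the Windows system directories. The watch list, the trusted directories and the sample registry values and task actions are all constructed for the example.

```python
import ntpath
import re

# Constructed watch list for this example: system binary names that malware
# commonly borrows. All of these legitimately run from the Windows system
# directories, so a copy anywhere else deserves a look.
IMPERSONATED_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe",
                      "winlogon.exe", "services.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumed environment block for %VAR% expansion; on a live host, pass the
# affected user's real environment, since the autorun expands in that context.
SAMPLE_ENV = {"TEMP": r"C:\Users\victim\AppData\Local\Temp",
              "SYSTEMROOT": r"C:\Windows"}


def expand_env(value, env):
    """Expand %VAR% references case-insensitively, as the Windows shell does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


def executable_of(command):
    """Executable path from a Run value or task action (quoted, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def is_masquerading(command, env=SAMPLE_ENV):
    """True if the command runs a binary with a system-process name from
    outside the trusted system directories."""
    exe = expand_env(executable_of(command), env)
    if ntpath.basename(exe).lower() not in IMPERSONATED_NAMES:
        return False
    directory = ntpath.normpath(ntpath.dirname(exe)).lower()
    return not any(directory == d or directory.startswith(d + "\\")
                   for d in TRUSTED_DIRS)


def hunt(run_values, task_actions, env=SAMPLE_ENV):
    """Return (source, location, expanded command) for every suspicious autorun."""
    findings = []
    for key, name, value in run_values:
        if is_masquerading(value, env):
            findings.append(("run-key", key + "\\" + name, expand_env(value, env)))
    for task, action in task_actions:
        if is_masquerading(action, env):
            findings.append(("scheduled-task", task, expand_env(action, env)))
    return findings


# Constructed sample data: one benign and one malicious entry of each kind.
SAMPLE_RUN_VALUES = [
    (r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "csrss", r"%temp%\csrss.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%SystemRoot%\system32\SecurityHealthSystray.exe"),
]
SAMPLE_TASK_ACTIONS = [
    (r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     r"%SystemRoot%\system32\usoclient.exe StartScan"),
    (r"\csrss", r"C:\Users\victim\AppData\Local\Temp\csrss.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUN_VALUES, SAMPLE_TASK_ACTIONS):
        print(*finding, sep="\t")
```

On a real host the inputs would come from the Run keys of every loaded user hive and from the task actions exported by schtasks, but the decision logic is the same: a name from the watch list is only trustworthy when its expanded path resolves into the system directories.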

During runtime, it intermittently connects to a remote host.


Figure 3: Malware seen connecting to a remote host

It also creates a log file in the user’s temp directory that appears to contain the logged keystrokes along with the websites visited and processes executed.


Figure 4: Log file with all the keystrokes logged during runtime

Upon further analysis, this trojan appears to be capable of encrypting files with AES, implemented through the .NET RijndaelManaged class.


Figure 5: AES encryption function inside this trojan

It also has the ability to open and close arbitrary web pages, shut down, log off or restart the machine, run PowerShell commands and start a DDoS attack.


Figure 6: All the other malicious functionalities available within this trojan

This trojan also has the ability to capture screenshots of the victim’s machine.


Figure 7: Screen capturing functionality within the trojan

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Malagent.XCL(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2024

Overview

Microsoft’s January 2024 Patch Tuesday has 48 vulnerabilities, 11 of which are Remote Code Execution. The vulnerabilities can be classified into the following categories:

  • 11 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 10 Elevation of Privilege Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 7 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities

Figure 1: Vulnerabilities by category

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2024 and has produced coverage for 5 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

  • ASPY 523 Exploit-exe exe.MP_362

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

  • ASPY 524 Exploit-exe exe.MP_363

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 525 Exploit-exe exe.MP_364

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

  • ASPY 521 Exploit-exe exe.MP_360

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

  • ASPY 522 Exploit-exe exe.MP_361

Remote Code Execution Vulnerabilities

CVE-2024-20654     Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2024-20655     Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability

CVE-2024-20676     Azure Storage Mover Remote Code Execution Vulnerability

CVE-2024-20677     Microsoft Office Remote Code Execution Vulnerability

CVE-2024-20682     Windows Cryptographic Services Remote Code Execution Vulnerability

CVE-2024-20696     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20697     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20700     Windows Hyper-V Remote Code Execution Vulnerability

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-21318     Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-21325     Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

CVE-2024-20656     Visual Studio Elevation of Privilege Vulnerability

CVE-2024-20657     Windows Group Policy Elevation of Privilege Vulnerability

CVE-2024-20658     Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability

CVE-2024-20681     Windows Subsystem for Linux Elevation of Privilege Vulnerability

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

CVE-2024-20686     Win32k Elevation of Privilege Vulnerability

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21309     Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2024-20661     Microsoft Message Queuing Denial of Service Vulnerability

CVE-2024-20672     .NET Core and Visual Studio Denial of Service Vulnerability

CVE-2024-20687     Microsoft AllJoyn API Denial of Service Vulnerability

CVE-2024-20699     Windows Hyper-V Denial of Service Vulnerability

CVE-2024-21312     .NET Framework Denial of Service Vulnerability

CVE-2024-21319     Microsoft Identity Denial of Service Vulnerability

Information Disclosure Vulnerabilities

CVE-2024-20660     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20662     Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability

CVE-2024-20663     Windows Message Queuing Client (MSMQC) Information Disclosure Vulnerability

CVE-2024-20664     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20680     Windows Message Queuing Client (MSMQC) Information Disclosure Vulnerability

CVE-2024-20691     Windows Themes Information Disclosure Vulnerability

CVE-2024-20692     Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

CVE-2024-20694     Windows CoreMessaging Information Disclosure Vulnerability

CVE-2024-21311     Windows Cryptographic Services Information Disclosure Vulnerability

CVE-2024-21313     Windows TCP/IP Information Disclosure Vulnerability

CVE-2024-21314     Microsoft Message Queuing Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-0056     Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0057     .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

CVE-2024-20652     Windows HTML Platforms Security Feature Bypass Vulnerability

CVE-2024-20666     BitLocker Security Feature Bypass Vulnerability

CVE-2024-20674     Windows Kerberos Security Feature Bypass Vulnerability

CVE-2024-21305     Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

CVE-2024-21316     Windows Server Key Distribution Service Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2024-20690     Windows Nearby Sharing Spoofing Vulnerability

CVE-2024-21306     Microsoft Bluetooth Driver Spoofing Vulnerability

CVE-2024-21320     Windows Themes Spoofing Vulnerability

SMTP Smuggling

Overview

The SonicWall Capture Labs threat research team has observed attackers targeting the Simple Mail Transfer Protocol (SMTP) to send spoofed emails that bypass traditional authentication mechanisms. The flaw, tracked as three separate CVEs (CVE-2023-51764 for Postfix, CVE-2023-51765 for Sendmail and CVE-2023-51766 for Exim), affects certain SMTP server configurations. It may allow a remote attacker to break out of the email message data to "smuggle" SMTP commands and send spoofed emails that pass SPF checks.
SMTP smuggling is a serious threat: it allows attackers to send fake emails appearing to come from millions of domains, including those of Microsoft, Amazon, PayPal, eBay, GitHub, Outlook, Office 365, Tesla and Mastercard. Demonstrations showed emails that appeared to come from ‘admin(at)outlook.com’, which gives a sense of the severity of this attack. Vulnerable software versions include:

  • Postfix through 3.8.4
  • Sendmail through 8.14.7
  • Exim before 4.97.1

Organizations still running one of the vulnerable versions should upgrade to the latest release, which rejects unauthorized pipelining by default ("smtpd_forbid_unauth_pipelining = yes" in Postfix); the remediation recommendations below cover the bare-newline settings for the affected releases.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2023-51764, CVE-2023-51765 and CVE-2023-51766.

The overall CVSS 3.1 score is 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
Base score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is required.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is low.
  • Impact of this vulnerability on data availability is none.
Temporal score is 3.9 (E:P/RL:O/RC:C), based on the following metrics:
  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

The exploitation technique in which spoofed emails are created by manipulating SMTP conversations is known as SMTP smuggling. In short, the outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently, which lets an attacker smuggle a second message that also bypasses basic security checks such as Sender Policy Framework (SPF) alignment. This simple technique bypasses email security and has proven effective against multiple free and open-source mail transfer agents, including Postfix (CVE-2023-51764), Sendmail (CVE-2023-51765) and Exim (CVE-2023-51766).

Postfix versions up to 3.8.4 allow SMTP Smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking options. Sendmail also allows SMTP Smuggling through at least version 8.14.7 in certain configurations. Similarly, Exim versions before 4.97.1 also allow SMTP Smuggling in certain PIPELINING/CHUNKING configurations.

Remote attackers can leverage this vulnerability to inject e-mail messages with a spoofed source address, bypassing SPF protection mechanisms. This occurs because some mail servers (Postfix among them) accept <LF>.<CR><LF> as an end-of-data sequence while other popular e-mail servers do not.

The root cause on the mail transfer agent (MTA) side is insufficient filtering: an outbound SMTP server forwards non-standard end-of-data sequences unchanged, and an inbound server then interprets one of them as legitimate.

The RFCs define how inbound as well as outbound mail servers are expected to delimit the end of the message data.

Figure 1: RFC 5321, 5322, 2008

Exploitation

The exploitation technique lies in the end-of-data sequence. Operating systems use different line terminators, so "a line by itself" is interpreted differently: on Windows a "." on a line by itself is delimited by carriage-return/line-feed pairs (<CR><LF>.<CR><LF> or \r\n.\r\n), while on Linux it is delimited by bare line feeds (<LF>.<LF> or \n.\n). SMTP itself (RFC 5321) specifies <CR><LF>.<CR><LF>.

Figure 2: Server responses on end-of-data sequence

MTAs can be configured as inbound as well as outbound SMTP servers. In SMTP, the <CR><LF> (carriage return, line feed) sequence is the standard line delimiter and, with a lone "." between two of them, marks where the message data ends. A specially crafted email that manipulates this end-of-data sequence leads to exploitation. An attacker takes advantage of this technique to bypass email authentication mechanisms such as SPF, DMARC and DKIM.
Consider the example shown in Figure 3, using non-vulnerable mail servers. If the inbound SMTP server accepted <LF>.<LF> as an end-of-data sequence, only the first part ("lorem ipsum") would become the message data; since it does not, the message also includes the text after that sequence, i.e., "This server is ignoring line feeds as end-of-data sequence!".

Figure 3: Email delivery with sequence to Non-Vulnerable SMTP servers

If the vulnerable inbound SMTP server accepts <LF>.<LF> as an end-of-data sequence and allows SMTP pipelining, everything after that sequence is interpreted as further SMTP commands, as shown in Figure 4. A malicious user takes advantage of this by injecting their own SMTP commands, spoofing sender addresses at millions of domains (e.g., admin(at)outlook.com).

Figure 4: Email delivery with LF sequence on Vulnerable SMTP servers

Some other examples of End-of-Data Sequences:

  • Interrupted end-of-data sequences: 
    <CR><LF>\x00.<CR><LF>
    <CR><LF>.\x00<CR><LF>
  • End-of-data sequences using incomplete CRLFs:
    <LF>.<LF>
    <CR><LF>.<CR>
    <CR>.<LF>
  • End-of-data sequences in the message header
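To make the dual interpretation concrete, the following Python model is an added example (not code from the original post and not SEC Consult's tooling): a strict reader that ends DATA only at <CR><LF>.<CR><LF> stands in for the outbound server, a lenient line-oriented reader that accepts a lone "." on any line stands in for a vulnerable inbound server, and a third function models what Postfix's smtpd_forbid_bare_newline=yes does with the same bytes. The attacker payload, addresses and message text are constructed; the spoofed sender mirrors the admin(at)outlook.com demonstration mentioned above.

```python
import re


def strict_split(stream):
    """RFC 5321 reader: the DATA phase ends only at <CR><LF>.<CR><LF>.
    Returns (message, remainder), or (None, stream) if DATA is not terminated."""
    idx = stream.find(b"\r\n.\r\n")
    if idx == -1:
        return None, stream
    return stream[:idx], stream[idx + 5:]


def lenient_split(stream):
    """Line-oriented reader that treats a bare <LF> as a line break: DATA ends at
    the first line that is a lone '.', however that line was terminated. This is
    the behaviour that makes <LF>.<LF> (and <LF>.<CR><LF>) act as end-of-data."""
    pos = 0
    while True:
        nl = stream.find(b"\n", pos)
        if nl == -1:
            return None, stream
        if stream[pos:nl].rstrip(b"\r") == b".":
            return stream[:pos].rstrip(b"\r\n"), stream[nl + 1:]
        pos = nl + 1


def first_command(remainder):
    """First non-empty line after end-of-data: with pipelining allowed, the
    server executes it as the next SMTP command."""
    for line in remainder.split(b"\n"):
        line = line.rstrip(b"\r")
        if line:
            return line.decode("ascii", "replace")
    return None


def relay(client_stream, inbound_split):
    """The outbound server (strict, forwarding message bytes unchanged) hands
    the message to an inbound server that reads it with `inbound_split`.
    Returns what the inbound server makes of it."""
    message, _ = strict_split(client_stream)
    if message is None:
        raise ValueError("client never terminated DATA")
    forwarded = message + b"\r\n.\r\n"        # outbound re-terminates properly
    first_message, remainder = inbound_split(forwarded)
    return {"message": first_message, "injected_command": first_command(remainder)}


def forbid_bare_newline(stream):
    """Model of smtpd_forbid_bare_newline=yes: accept DATA only if every <LF>
    is preceded by <CR>, so no smuggled end-of-data sequence can survive."""
    return re.search(rb"(?<!\r)\n", stream) is None


# Constructed attacker payload: the attacker's own message ends with a bare
# <LF>.<LF>, followed by a complete second transaction with a spoofed sender,
# all delivered inside one DATA phase to the outbound server.
SMUGGLED = (
    b"From: attacker@example.org\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"lorem ipsum"
    b"\n.\n"                                   # bare-LF end-of-data
    b"MAIL FROM:<admin@outlook.com>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: admin@outlook.com\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: spoofed\r\n"
    b"\r\n"
    b"This server is ignoring line feeds as end-of-data sequence!"
    b"\r\n.\r\n"                               # the end-of-data everyone agrees on
)

if __name__ == "__main__":
    print("strict inbound :", relay(SMUGGLED, strict_split)["injected_command"])
    print("lenient inbound:", relay(SMUGGLED, lenient_split)["injected_command"])
    print("bare-newline check rejects payload:", not forbid_bare_newline(SMUGGLED))
```

Against the strict inbound reader the smuggled MAIL FROM line is merely part of the message body; against the lenient reader the body ends at the bare <LF>.<LF> and the next line reaches the command parser as a new transaction with a spoofed sender. The bare-newline check rejects the payload outright, which is why it blocks every variant in the list above rather than one specific sequence.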

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4207 – SMTP Smuggling Attack 1
  • IPS:4209 – SMTP Smuggling Attack 2
  • IPS:4217 – SMTP Smuggling Attack 3

Remediation Recommendations

To block all attack variants by always disallowing <LF> without a preceding <CR>, use the smtpd_forbid_bare_newline=yes option, which requires a minimum Postfix version of 3.5.23, 3.6.13, 3.7.9, 3.8.4 or 3.9.

With the following options, Postfix disconnects remote SMTP clients that send bare newlines but still allows local clients with non-standard SMTP implementations, such as netcat, fax machines or load balancer health checks:

  • smtpd_forbid_bare_newline = yes
  • smtpd_forbid_bare_newline_exclusions = $mynetworks

Relevant Links

Image credit: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Uransomware encrypts and leaves victims stranded

The SonicWall Capture Labs threat research team has been tracking a new ransomware family known as Uransomware. This ransomware appears to be in early development: the sample we analyzed does not ask for payment for file retrieval and provides no instructions or operator contact information, unlike most ransomware. It is written in .NET and contains no obfuscation, which makes it trivial to decompile and analyze.

Infection Cycle:

After disassembling the malware code we can see the intended program flow:



After encryption, the malware runs dle.bat to remove traces of itself:



The malware contains code to inject itself into other processes. However, this was not seen during our analysis. Instead, an embedded exe file is written to disk after being base64 decoded:



It writes the file to C:\Temp\uransomware20.exe and executes it:



This malware module spawns multiple copies of svchost.exe and encrypts files:



Files are encrypted and then base64 encoded, with the public key wrapped in an XML-like tag at the beginning of the file:



After file encryption, read_it.txt is written to all directories where files were encrypted. It contains the following text:



The names of encrypted files are given a .markus extension. After disassembling uransomware20.exe we can see a list of file extensions targeted for encryption:




We can also see a list of targeted directories:



It contains a function called spreadIt() which targets attached storage media and network drives:




It also contains functions to disable system recovery and delete backups:



The malware contains another large array of base64 encoded bytes:



After decoding, this turns out to be a JPEG image file:



This image file is written to disk and displayed as the desktop background wallpaper:



SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Uransomware20.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New Heracles Stealer in the Wild

Overview

This week, the SonicWall Capture Labs threat research team analyzed a new sample of an infostealer dubbed ‘Heracles’, which has multiple evasion and persistence techniques. The malware is programmed to search for system credentials, installed programs and crypto currency wallets.

Technical Analysis

The file carries the name “Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe”, which translates to “Responsibilities of a senior technician on a TU-160 aircraft_vch_85927_D_Kaplunov.exe”. It is a .NET executable.

Figure 1: Sample Detection

When attempting to view the file’s resources in dnSpy, the records are completely obfuscated.

Figure 2: Obfuscated (left) and deobfuscated data (right)

Once the file has been deobfuscated, it shows hundreds of classes and attributes. In a secondary check against the deobfuscated sample, two embedded files are found. The first is ‘DotNetZip.dll’, and the second is another .NET DLL (“zx_8d21b2346df842017090f44c62fec926.dll”). The former is a legitimate library used for handling zip files in memory, while the latter is a secondary payload.

Figure 3: Payload detection

The payload sample carries the name “PDF_Reader” in its resource section. However, it contains a number of domains related to cryptocurrency and dark web sites, including a .onion address.

Figure 4: Domains listed in the payload, which also mentions ‘Eazfuscator’, an obfuscation tool

At runtime, the main file fingerprints the hardware through WMI using the following queries:

  • CreateInstanceEnum – root\cimv2 : Win32_Processor
  • ExecQuery – root\cimv2 : SELECT ProcessorId FROM Win32_Processor
  • ExecQuery – root\cimv2 : SELECT * FROM Win32_VideoController
  • ExecQuery – root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

It also checks specifically for VMware and QEMU virtual environments, as well as for running processes and debuggers, to ensure it is running on a viable system. All error reporting is disabled via SetErrorMode to keep the user and system from noticing its activity. Files are dropped into the following locations for persistence and staging:

  • ~AppData\Roaming\\\Files\Local Settings\Temp
  • ~AppData\Roaming\\Files\Start Menu\Programs
  • ~AppData\Roaming\\Files\Start Menu\Programs\Windows Powershell
  • ~AppData\Roaming…\Files\Start Menu\Programs\System Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Administrative Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Maintenance\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessories\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessibility\

The main sample creates copies of itself in the ‘Temp’ location as ‘.tmp’ files; in testing, these appeared as ‘wct3D66.tmp’ or similar. For all other locations, either ‘.ini’ or ‘.lnk’ files are created that point back to one or more of the copies. Enumeration begins by walking the main directory and looking for Microsoft Office profiles, cryptocurrency wallets and clipboard data. The main wallets targeted are Electrum, Ethereum, Exodus, Bytecoin and Zcash.

Figure 5: Wallet strings found during runtime

Data is staged in the same ‘Temp’ directory and compressed via DotNetZip. While no network connections were observed during analysis, the following IP addresses were found in memory:

208.95.112.1 (ip-api.com)
149.154.167.220 (api.telegram.org)
104.237.62.212 (api.ipify.org)
64.185.227.156 (api.ipify.org)
173.231.16.77 (api.ipify.org)

The Telegram IP address is used for communications: it has been confirmed in other tests that there is a Telegram group associated with this sample (‘https://t{.}me/rusvolcorp’). Rusvolcorp is a Russian group fighting on behalf of Ukraine, but it is unknown whether this link is legitimate.

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Heracles.A
  • MalAgent.Heracles.Payload

IOCs

  • 53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa (Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe)

  • BAD79DB7BE7C9C4BFBA84BFE7B3254E215650A5532098DC7C4A787695D52A983 (PDF_Reader.dll)

URLs

  • xss.is
  • coinbase.com
  • antiscan.me
  • dyncheck.com
  • avcheck.net
  • dark2web.cc
  • blockchain.com
  • freewallet.org
  • btc.com
  • bhf.io
  • direct.yandex.ru
  • payeer.com
  • exploit.in
  • exploitinqx4sjro.onion

SSH ProxyCommand Command Injection

Overview

The SonicWall Capture Labs threat research team became aware of a command injection vulnerability in OpenSSH versions before 9.6, assessed its impact and developed mitigation measures for it. OpenSSH is a widely used connectivity tool for encrypted remote login, used both standalone and embedded in enterprise and consumer applications.
CVE-2023-51385 allows an attacker who controls the hostname passed to the SSH client to inject shell commands when the client’s configuration file uses the ProxyCommand parameter for the server being connected to. There is no known active exploitation at the time of writing, likely due to the requirements around exploitation. While those requirements reduce the risk, several well-known applications and services, such as Okta, Cloudflare and AWS, rely on this feature in advanced configurations and should therefore be reviewed for potential exposure. This vulnerability can be mitigated by upgrading OpenSSH to version 9.6p1 or greater and removing any unnecessary usage of the ProxyCommand feature within your environment.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-51385.

CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • The impact of this vulnerability on data confidentiality is high.
  • The impact of this vulnerability on data integrity is high.
  • The impact of this vulnerability on data availability is high.

Technical Overview

Advanced usage of OpenSSH includes a configuration file that can perform actions when initiating an SSH connection. One of those actions is ProxyCommand, which lets the user specify a command that the client executes through the user’s shell during the connection process. The name reflects its intent: the user proxies the connection through another server. Within the command string, ‘%h’ is substituted with the hostname and ‘%p’ with the port number. These values come from whatever invoked ssh (the command line, or a tool such as git) and, before the fix, were not sanitized before being placed on the command line. As a result, an attacker who controls the hostname and/or port number can achieve command injection.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must convince a user to connect to a host under the attacker’s control (for example through a malicious repository URL) using a vulnerable version of the SSH client, in a scenario where the user’s configuration file applies ProxyCommand to the server being connected to. Because the end user needs a specific configuration, this reduces the likelihood of exploitation. However, several well-known applications and services, such as Okta, Cloudflare and AWS, use this feature in advanced configurations. Where such a configuration is in place, exploitation is more likely.

Exploitation

Assuming the conditions above are met, exploitation can occur any time the SSH client is invoked, including standard ssh and scp connections. The discovering researcher, vin01, released a proof of concept that uses a git clone over SSH to open the macOS calculator; it can be adapted to Linux or Windows with slight modifications. Only a single git clone command is needed. Exploitation occurs when the user’s SSH configuration file applies ProxyCommand to any “.example.com” host, as seen in Figure 1.


Figure 1 Local SSH Config File

When git recursively fetches the submodules declared in the repository’s .gitmodules file, shown in Figure 2, the malicious submodule URL’s hostname is passed to ssh and the vulnerability is triggered and exploited.


Figure 2 Repository submodules
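A practical check before cloning with submodules is to audit the hostnames in .gitmodules with the same rule a patched client applies. The following Python is an added example, not the researcher’s proof of concept and not OpenSSH’s code: it extracts the host from each ssh-style submodule URL, rejects hosts containing shell metacharacters (an assumption modelled on the 9.6 fix; treat the exact character set as illustrative), and shows how an unpatched client would substitute that host into a ProxyCommand. The .gitmodules content, the hosts and the nc-based ProxyCommand template are constructed for the example.

```python
import re

# Characters a patched ssh (9.6p1 and later) refuses in a hostname before it
# expands %h into ProxyCommand. Assumption: this mirrors the upstream fix's
# hostname check; treat the exact set as illustrative, not authoritative.
SHELL_METACHARS = set("'`\"$\\;&<>|(){}")


def valid_hostname(host):
    """Reject empty hosts, option-looking hosts and anything a shell could
    interpret once the name is interpolated into a command line."""
    if not host or host.startswith("-"):
        return False
    return not any(c in SHELL_METACHARS or c.isspace() or ord(c) < 0x20
                   for c in host)


def ssh_host_of(url):
    """Host part of a git URL that git will hand to ssh, or None for URLs git
    fetches without ssh (https, local paths, ...)."""
    if "://" in url:
        scheme, _, rest = url.partition("://")
        if scheme.lower() not in ("ssh", "git+ssh", "ssh+git"):
            return None
        netloc = rest.split("/", 1)[0]
    elif re.match(r"^[^/]+:", url):            # scp-like [user@]host:path
        netloc = url.split(":", 1)[0]
    else:
        return None
    host = netloc.rpartition("@")[2]           # drop user@
    name, sep, port = host.rpartition(":")     # ssh://host:port/...
    return name if sep and port.isdigit() else host


def parse_gitmodules(text):
    """Minimal .gitmodules reader yielding (submodule name, url)."""
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"(.+)"\]', line)
        if header:
            name = header.group(1)
            continue
        key, eq, value = line.partition("=")
        if name and eq and key.strip().lower() == "url":
            yield name, value.strip()


def audit_gitmodules(text):
    """Submodules whose ssh host a patched client would reject, i.e. the ones
    that could inject into a ProxyCommand on an unpatched client."""
    bad = []
    for name, url in parse_gitmodules(text):
        host = ssh_host_of(url)
        if host is not None and not valid_hostname(host):
            bad.append((name, host))
    return bad


def expand_proxy_command(template, host, port=22):
    """Unpatched behaviour: %h and %p are substituted verbatim into the
    command string, which is then run through the user's shell."""
    return template.replace("%h", host).replace("%p", str(port))


# Constructed .gitmodules: one ordinary submodule and one whose host carries a
# shell command substitution (a harmless echo here; a real PoC runs anything).
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = git@github.com:example-org/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://`echo injected`.example.com/repo.git
"""

# Assumed ProxyCommand template, as a config covering *.example.com might use.
PROXY_TEMPLATE = "nc -X connect -x jump.example.com:1080 %h %p"

if __name__ == "__main__":
    for name, host in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{name}: host {host!r} would expand to: "
              f"{expand_proxy_command(PROXY_TEMPLATE, host)}")
```

The audit flags only hosts that ssh would actually receive; an https submodule never reaches ProxyCommand and is left alone. Running it as a pre-clone hook, or over a vendored repository's .gitmodules, catches the malicious submodule before git ever invokes the client.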

The video in Figure 3 demonstrates this proof of concept on a Linux workstation, launching the calculator.

Figure 3 – Linux workstation exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • SPY:520 "Malformed-gitmodules gitmodules.OT_1"

Remediation Recommendations

OpenSSH has released an update to address the issue, and it is strongly recommended that the application be updated to version 9.6p1 or newer as appropriate. Additionally, it is recommended to review any client SSH configuration files and ensure the ProxyCommand parameter is only utilized when necessary.

Relevant Links

GuLoader upgrades its Vectored Exception Handler

Overview

Over the last three years, GuLoader has gained popularity among threat actors due to its sophisticated and robust defenses against security software. The SonicWall Capture Labs threat research team has observed GuLoader being distributed through an obfuscated VBScript inside an archive sent as an email attachment. The malware continuously updates its code to stay undetected. While it has rich anti-VM, anti-debug, anti-analysis and anti-dump techniques, one of its most effective anti-analysis features is its Vectored Exception Handler (VEH) code, which it keeps updating: the malware deliberately executes instructions that throw an exception, and the VEH code computes the address of the next instruction to execute. Notably, the payload is fileless, true shellcode with no PE header, not even in memory. GuLoader is used to deliver various malware families including AgentTesla, Remcos, Lokibot and NanoCore.

Infection Cycle

That the malware has not changed its infection cycle for a year while remaining undetected by various security products is a measure of its effectiveness. The initial VBScript file is obfuscated and padded with large comments; it constructs and launches a PowerShell script.

Figure 1 – Obfuscated VBScript

PowerShell script

The PowerShell script is hard to follow because it computes variables dynamically at runtime. It uses one function to decrypt the cmdlets, variables and strings and another to execute the cmdlets.

Figure 2 – Obfuscated first level PowerShell script.

The PowerShell script needs to be decrypted and simplified to make it legible. If the running PowerShell process is 64-bit, the malware relaunches the script under the 32-bit PowerShell executable so that it can inject and execute 32-bit shellcode in later stages. The script downloads a base64-encoded file from the URL “h[t][t]p://85.209.176.46/Schoolm.ocx” into “%APPDATA%\Dumpste.Mue”. The first 648 bytes of the downloaded file are the shellcode, followed by the encrypted GuLoader bytes and ending with a PowerShell script which continues the execution.

Figure 3 – Simplified first level PowerShell script.

The downloaded script is again obfuscated and relies on functions from the downloader script to decrypt and execute cmdlets, so on its own it neither runs nor reads sensibly. It again computes variables dynamically and needs to be decrypted and simplified to be legible.


Figure 4 – Obfuscated second level PowerShell script.

The PowerShell script hides its window using the ShowWindow API to stay unnoticed by the user. It then allocates a 648-byte buffer, marks it PAGE_EXECUTE_READWRITE with the NtProtectVirtualMemory API and writes the shellcode bytes from the downloaded file into it. It allocates a further 0x3D84000 bytes with PAGE_READWRITE access and writes the encrypted GuLoader bytes there. Finally, it executes the shellcode through the CallWindowProcA API, which treats its first argument as a window procedure to call, passing the address of the encrypted bytes and the address of NtProtectVirtualMemory as arguments.


Figure 5 – Simplified second level PowerShell script

GuLoader

GuLoader is a well-known advanced loader widely adopted by threat actors to deliver various payloads. We have already covered the technical details of the malware in a previous blog post.
In the recent variant, the malware has upgraded its Vectored Exception Handler (VEH) code. Initially, GuLoader’s VEH only handled EXCEPTION_BREAKPOINT; later variants added EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP. In the recent variant, we observed added support for EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION, intended to defeat the debugger scripts researchers use to neutralize the VEH. To step past the handler, a researcher must now also identify every privileged and illegal instruction the code deliberately executes.

Figure 6 – Code checks exception type

The malware deliberately generates an exception supported by the VEH and uses the VEH code to compute the next valid EIP, continuing malicious execution from there. While handling the exception, the VEH code also checks for hardware breakpoints by inspecting the debug registers. If any hardware breakpoint is found, the malware zeros out one of the structure’s addresses, which causes an EXCEPTION_ACCESS_VIOLATION inside the VEH code itself.

Figure 7 – Code inspects hardware debug registers.

The malware then computes the next EIP: it reads the byte located 0x14 bytes past the current EIP, XORs it with 0x04 and adds the result to the current EIP.

Figure 8 – Code computes next EIP address

The malware generates the supported exceptions throughout its code and handles them inside the VEH.

EXCEPTION_ACCESS_VIOLATION (0xC0000005)

For an EXCEPTION_ACCESS_VIOLATION, the malware examines the address for which the exception was thrown; if it is below 0x10000, the malware terminates execution.

Figure 9 – Code generates access violation exception.


Figure 10 – Code handles access violation exception

EXCEPTION_BREAKPOINT (0x80000003)

Figure 11 – Code generates breakpoint exception

EXCEPTION_SINGLE_STEP (0x80000004)

Figure 12 – Code generates single step exception.

EXCEPTION_PRIV_INSTRUCTION (0xC0000096)

Figure 13 – Code generates privileged instruction exception.

EXCEPTION_ILLEGAL_INSTRUCTION (0xC000001D)

Figure 14 – Code generates illegal instruction exception.
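To show how the dispatch above can be followed without letting the exceptions fire, the following Python is an added example (not GuLoader’s code and not SonicWall tooling): it models the handler’s decisions for the five exception codes, the sub-0x10000 access-violation check, the debug-register check and the EIP computation, and walks a constructed chain of trap sites the way a debugger script would. The shellcode image, trap addresses, fault addresses and the reading of “inspects debug registers” as DR0-DR3 plus the enable bits of DR7 are assumptions; the 0x14 offset and XOR 0x04 follow the description above.

```python
# Exception codes the recent GuLoader VEH dispatches on (from the analysis above).
EXCEPTION_ACCESS_VIOLATION    = 0xC0000005
EXCEPTION_BREAKPOINT          = 0x80000003
EXCEPTION_SINGLE_STEP         = 0x80000004
EXCEPTION_PRIV_INSTRUCTION    = 0xC0000096
EXCEPTION_ILLEGAL_INSTRUCTION = 0xC000001D
HANDLED = {EXCEPTION_ACCESS_VIOLATION, EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP,
           EXCEPTION_PRIV_INSTRUCTION, EXCEPTION_ILLEGAL_INSTRUCTION}

KEY_OFFSET = 0x14   # the byte the handler reads relative to the faulting EIP
KEY_XOR    = 0x04


class Context:
    """Only the CONTEXT fields the handler model looks at (x86, 32-bit)."""
    def __init__(self, eip, dr0=0, dr1=0, dr2=0, dr3=0, dr7=0):
        self.eip, self.dr0, self.dr1, self.dr2, self.dr3, self.dr7 = (
            eip, dr0, dr1, dr2, dr3, dr7)


def veh_model(code, ctx, mem, fault_addr=None):
    """Model of the handler's decision. Returns one of
    ("search", None)       unsupported exception, passed to the next handler
    ("terminate", None)    access violation on an address below 0x10000
    ("crash", None)        hardware breakpoint found: the handler nulls a
                           pointer and faults inside itself
    ("continue", new_eip)  execution resumes at the computed address"""
    if code not in HANDLED:
        return "search", None
    if (code == EXCEPTION_ACCESS_VIOLATION and fault_addr is not None
            and fault_addr < 0x10000):
        return "terminate", None
    # Assumption: "inspecting debug registers" means DR0-DR3 non-zero or any
    # local/global enable bit set in the low byte of DR7.
    if any((ctx.dr0, ctx.dr1, ctx.dr2, ctx.dr3)) or ctx.dr7 & 0xFF:
        return "crash", None
    key = mem[ctx.eip + KEY_OFFSET]
    return "continue", ctx.eip + (key ^ KEY_XOR)


def resolve_chain(mem, traps, start, debug_regs=None, max_steps=32):
    """Follow the chain of deliberate faults the way a debugger script would:
    whenever EIP lands on a known trap site, apply the handler's computation
    instead of letting the exception fire. `traps` maps EIP -> (code, fault addr)."""
    path, eip, status = [start], start, "continue"
    for _ in range(max_steps):
        if eip not in traps:
            break
        code, fault_addr = traps[eip]
        status, eip = veh_model(code, Context(eip, **(debug_regs or {})), mem, fault_addr)
        if status != "continue":
            break
        path.append(eip)
    return status, path


# Constructed shellcode image: only the key bytes matter for the model. Each
# key encodes the distance from the faulting instruction to the next real one.
MEM = bytearray(0x80)
MEM[0x10 + KEY_OFFSET] = 0x14            # 0x14 ^ 0x04 = 0x10 -> next EIP 0x20
MEM[0x20 + KEY_OFFSET] = 0x1C            # 0x1C ^ 0x04 = 0x18 -> next EIP 0x38
MEM[0x38 + KEY_OFFSET] = 0x0C            # 0x0C ^ 0x04 = 0x08 -> next EIP 0x40
TRAPS = {
    0x10: (EXCEPTION_BREAKPOINT, None),              # int3
    0x20: (EXCEPTION_PRIV_INSTRUCTION, None),        # privileged instruction
    0x38: (EXCEPTION_ACCESS_VIOLATION, 0x00410000),  # fault on a mapped address
}

if __name__ == "__main__":
    print("clean run        :", resolve_chain(MEM, TRAPS, 0x10))
    print("with hw breakpoint:", resolve_chain(MEM, TRAPS, 0x10, {"dr0": 0x20, "dr7": 0x1}))
```

The point of the model is the second run: a hardware breakpoint anywhere in the chain never reaches the EIP computation, so an analyst stepping the real sample has to clear DR0-DR3 and DR7 (or patch the check) before any of the five exception types will resolve. Software breakpoints at the trap sites themselves are similarly unusable, since an int3 there is exactly the exception the handler expects.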

At the time of writing, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential.

Figure 15 VirusTotal detections.

Evidence of the detection by the RTDMI engine can be seen below in the Capture ATP report for this file.

Figure 16 – RTDMI detection.

Apache Struts Unauthorized Arbitrary File Upload

Overview

The SonicWall Capture Labs threat research team became aware of an unauthorized arbitrary file upload vulnerability in Apache Struts, assessed its impact and developed mitigation measures for it. Apache Struts, an open-source MVC framework for developing Java web applications, has released versions 2.5.33 and 6.3.0.2 to address the issue, which affects Struts 2.0.0 through 2.3.37 (EOL), Struts 2.5.0 through 2.5.32 and Struts 6.0.0 through 6.3.0. Because Apache Struts has historically been an attractive target for threat actors due to its widespread usage, this vulnerability is already being exploited in the wild, which was easy to anticipate given its ease of exploitation and the existence of a public PoC. Due to active exploitation, we strongly recommend upgrading to the latest version of Struts.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-50164.
The CVSS v3.1 base score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability allows a threat actor to upload an arbitrary file into the webroot of the Tomcat server hosting the application through a single POST request. The attacker can not only tamper with the file upload parameters but also append an additional parameter that controls where the file is written, so a file can be placed at any location writable by the server process. The implemented sanitization was inadequate to prevent this parameter pollution: because parameter names were compared case-sensitively, sending the file field in a different case and adding a lowercase uploadFileName parameter overrides the file name the framework derived, allowing path traversal and leading to compromise of the system.
To remediate the issue, Apache Struts released the patch as commits 162e29f and d8c6969 for the 2.5.x and 6.3.x branches respectively. A closer look at the patch shows that the functions get, contains and remove were made case-insensitive, so parameters differing only in case are no longer treated as distinct, as seen in Figure 1 for the function get.

Figure 1: Improved case-insensitive get function

Additionally, the function appendAll was changed to append parameters in a case-insensitive way, so an existing parameter can no longer be overridden by one that differs only in case, as seen in Figure 2.

Figure 2: Improved appendAll function
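The following is an added example, not code from the Struts project or from the original post, that models the case-sensitivity issue described above in Python. `HttpParamsCaseSensitive` stands in for the pre-patch parameter map and `HttpParamsCaseInsensitive` for the patched get/contains/remove/appendAll behaviour; the property binding is simplified to "any key equal to uploadFileName ignoring case can reach the action's setter", and the field name `Upload`, the upload directory and the traversal path are constructed inputs. `resolve_upload_path` is a separate defence-in-depth check the page does not describe, confining the final path to the upload directory regardless of what the framework binds:

```python
import posixpath


class HttpParamsCaseSensitive:
    """Model of the pre-patch map: 'uploadFileName' and 'UploadFileName' are
    distinct keys, so a value the attacker supplies in one case is never
    overridden by the value the framework stores under another case."""

    def __init__(self):
        self._m = {}

    def append_all(self, new):
        self._m.update(new)

    def get(self, key):
        return self._m.get(key)

    def contains(self, key):
        return key in self._m

    def remove(self, key):
        self._m.pop(key, None)

    def snapshot(self):
        return dict(self._m)


class HttpParamsCaseInsensitive(HttpParamsCaseSensitive):
    """Model of the patched map: get/contains/remove/appendAll match keys
    ignoring case, so appending the framework-derived parameter replaces
    an attacker-supplied one that differs only in case."""

    def _existing(self, key):
        low = key.lower()
        return next((k for k in self._m if k.lower() == low), None)

    def append_all(self, new):
        for key, value in new.items():
            hit = self._existing(key)
            if hit is not None:
                del self._m[hit]
            self._m[key] = value

    def get(self, key):
        hit = self._existing(key)
        return None if hit is None else self._m[hit]

    def contains(self, key):
        return self._existing(key) is not None

    def remove(self, key):
        hit = self._existing(key)
        if hit is not None:
            del self._m[hit]


def candidate_file_names(params_cls, request_params, file_field, server_basename):
    """Build the parameter set the action would see: the request's own parameters
    first, then the '<field>FileName' parameter the interceptor derives from the
    multipart field name (modelling assumption). Return every value that could
    reach the action's uploadFileName property, i.e. all keys equal to it
    ignoring case."""
    params = params_cls()
    params.append_all(request_params)
    params.append_all({file_field + "FileName": server_basename})
    return [v for k, v in params.snapshot().items() if k.lower() == "uploadfilename"]


def resolve_upload_path(upload_dir, file_name):
    """Defence-in-depth check independent of the framework fix: confine the
    final path to upload_dir. Returns the resolved path, or None when
    file_name is absolute, empty, or traverses out of the directory."""
    base = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(base, file_name))
    if target != base and target.startswith(base + "/"):
        return target
    return None


if __name__ == "__main__":
    # Constructed request: file field sent as "Upload" plus an attacker-added
    # lowercase "uploadFileName" carrying a traversal path.
    attacker = {"uploadFileName": "../../webapps/ROOT/shell.jsp"}
    for cls in (HttpParamsCaseSensitive, HttpParamsCaseInsensitive):
        names = candidate_file_names(cls, attacker, "Upload", "shell.txt")
        print(cls.__name__, names,
              [resolve_upload_path("/srv/app/uploads", n) for n in names])
```

With the case-sensitive map both the attacker's traversal path and the server-derived name survive, so the traversal value can reach the action; with the case-insensitive map only the server-derived name remains. `resolve_upload_path` rejects the traversal path either way.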

Triggering the Vulnerability

This vulnerability can be triggered with a specially crafted POST request in which the file field is named "Upload" (or "uPLoad", "uploaD" and so on) instead of the default "upload", together with an additional uploadFileName parameter that overrides both the directory the file is saved to and its name, as seen in Figure 3.

Figure 3: Malicious exploitation request

Exploitation

We used the publicly available PoC to analyze the vulnerability and set up a lab environment, and demonstrated remote code execution on the vulnerable system by leveraging it. The following video illustrates uploading a web shell with the request shown in Figure 3 and then executing a system command through it.
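As an added example (not from the original post or from SonicWall's signatures), the following Python detection logic checks a multipart/form-data body for the request shape described above: a file part whose name is followed by a text parameter named `<field>FileName` that matches only when case is ignored, or that carries a path traversal sequence. The parser is minimal and the two request bodies are constructed samples with placeholder file content, not captured traffic; the boundary `XBOUNDARY` is arbitrary:

```python
import re

# '; name="..."' followed optionally by '; filename="..."' in a Content-Disposition header
_DISPOSITION = re.compile(r';\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?', re.I)
# "../" or "..\" segments anywhere in the value, or an absolute path
_TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]')


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser. Returns a list of
    (name, filename_or_None, value_bytes) in the order the parts appear."""
    parts = []
    delimiter = b"--" + boundary.encode()
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = _DISPOSITION.search(head.decode("latin-1"))
        if m is None:
            continue
        parts.append((m.group(1), m.group(2), value.rstrip(b"\r\n")))
    return parts


def suspicious_upload(parts):
    """Reasons a parsed request looks like the parameter-pollution pattern:
    for each file part <N>, any text parameter whose name equals <N>FileName
    ignoring case is checked for a case mismatch (the attacker sends the file
    part as e.g. "Upload" so the framework-derived "UploadFileName" does not
    collide with their own "uploadFileName") and for path traversal."""
    reasons = []
    files = [name for name, filename, _ in parts if filename is not None]
    texts = [(name, value) for name, filename, value in parts if filename is None]
    for field in files:
        derived = field + "FileName"
        for name, value in texts:
            if name.lower() != derived.lower():
                continue
            text = value.decode("latin-1")
            if name != derived:
                reasons.append(f"case-mismatched file-name parameter {name!r} for file field {field!r}")
            if _TRAVERSAL.search(text):
                reasons.append(f"path traversal in {name!r}: {text!r}")
    return reasons


def scan_request(body, boundary):
    return suspicious_upload(parse_multipart(body, boundary))


# Constructed sample bodies (not captured traffic); the file content is a placeholder.
ATTACK_BODY = (
    b"--XBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="Upload"; filename="shell.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"PLACEHOLDER-FILE-CONTENT\r\n"
    b"--XBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    b"../../webapps/ROOT/shell.jsp\r\n"
    b"--XBOUNDARY--\r\n"
)
BENIGN_BODY = (
    b"--XBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    b"PLACEHOLDER-FILE-CONTENT\r\n"
    b"--XBOUNDARY--\r\n"
)

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        print(label, scan_request(body, "XBOUNDARY"))
```

The case-mismatch test alone is a useful low-noise indicator: browsers and legitimate clients send the field name the form declares, so a file field whose `…FileName` companion differs only in case is almost always a deliberate attempt to evade a case-sensitive comparison.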

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4194 Web Application Suspicious form-data 2

Additionally, a generic detection signature mentioned below is utilized to strengthen the protection.

  • IPS:2764 Web Application Suspicious form-data 1

Threat Graph

SonicWall sensors have confirmed a spike in exploitation attempts against this vulnerability, and a further surge is expected in the coming days given the popularity of the software.

Figure 4: SonicWall signature hits data

Remediation Recommendations

Apache Struts has released an update to address the issue, and it is strongly recommended to update the application to the version 2.5.33 or 6.3.0.2 or newer as appropriate.

Relevant Links

Malicious Android Spyware Employing RAT and Capturing Device Info and User Credentials

Overview

The SonicWall Capture Labs threat research team has been actively tracking malware campaigns deploying a formidable Android Remote Access Trojan (RAT). We encountered a variant equipped with extensive features such as keylogging, theft of sensitive device information, bypass of Google Authenticator codes and loading of web pages inside the application itself. These capabilities give attackers unauthorized access to the victim's device.

Infection Cycle

This malware utilizes a tactic called icon masquerading, wherein it camouflages itself by adopting the appearance of icons from well-known and legitimate applications.

Figure 1: Malware utilizing well-known application icons

After installation, the malware prompts the victim to activate the Accessibility Service on the targeted device. If the victim grants permission, the malware exploits the Accessibility Service to carry out malicious activities covertly, without the user’s awareness.

Figure 2: Prompt users to activate the accessibility service

The malware also asks the user to grant it Device Administrator permissions.

Figure 3: Device admin code snippet

With the Accessibility Service granted, the malware can make itself hard to remove and can install further apps on its own, clicking 'Install' without any input from the user.

Figure 4: Ease of installing other applications granted by Accessibility Services

We launched the activity that loads Google Translate and Google News in a WebView. On launch it displayed Google account web pages inside the malicious application rather than in a browser.

Figure 5: Displaying webpage within the malicious application

The spyware sends the gathered sensitive information to its control server when directed by the attacker. The host and port number are merely Base64-encoded, not encrypted, so they are trivially recoverable from the sample.

Figure 6: Network connection

The compromised device establishes a connection with the Command and Control (C&C) server and receives various commands to execute operations, as shown in the image below.

Figure 7: C&C server

Google Authenticator provides two-factor authentication (2FA) codes, adding a second verification step at sign-in. This malware defeats that extra step by using the Accessibility Service to read the 2FA codes.

Figure 8: Stealing Google authenticator code

Depending on the command received, it also sends SMS messages.

Figure 9: Sends SMS

The code in Figure 10 captures screenshots of the compromised device and sends them to the Command and Control (C&C) server.

Figure 10: Forwarding all screenshots to the C&C server

This malware transmits information about the victim’s current location to its remote Command and Control (C&C) server.

Figure 11: Retrieving location info

This code extracts information about all the installed package names.

Figure 12: Reading installed packages.

It also maintains a log file on the device's external storage, rewriting parts of the file name and reading back the file's full contents.

Figure 13: Log file created for activity monitoring

It creates a local database within the app's web data storage to hold the victim's sensitive personal information and credit card details.

Figure 14: Storing information within a database

This spyware can steal social app credentials by checking if either the "com.facebook.katana" or "com.facebook.lite" app is installed on the device. If found, it uses an overlay attack to display a fake login page, tricking users and stealing their credentials.

Figure 15: Stealing social app credentials

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP with RTDMI.

IOCs

  • 62f027c0a8f856ef30ceba8432cd80a9462e03cf7809ea91fcbac60427f6a1bd
  • 06629bab34a4218262339659590656408c22f33411201d73977fc69700a4e68a

Windows Software Licensing Management Tool is Abused to Deliver XWorm3.1

Overview

The SonicWall Capture Labs threat research team has observed and detected a VBScript file that delivers XWorm 3.1 to the victim's machine. The trend of malware authors hiding behind a genuine tool continues; this time they have abused the Windows Software Licensing Management Tool ("slmgr.vbs"). Cracked versions of XWorm are available on GitHub and are widely used by malware authors. The VBScript file, packed inside an archive, is delivered to the victim's machine as an email attachment.

The initial VBScript contains a URL ("h[t][t]ps://paste.ee/d/p5W9H") from which it downloads the second-stage VBScript, which pretends to be "slmgr.vbs". The downloaded file is slmgr.vbs with obfuscated malicious code injected into it; that code is responsible for launching the PowerShell script that continues the execution chain.

Figure 1: Initial VBScript

Figure 2: Malicious code injected slmgr.vbs

The injected VBScript code uses long variable names that are concatenated to build a doubly encoded string. The VBScript decodes the first layer and passes the result to PowerShell, which decodes the second layer by replacing "DgTre" with "A" to recover a Base64-encoded final PowerShell script.

Figure 3: Displays injected malicious code.

Figure 4: PowerShell execution

PowerShell Script

The PowerShell script downloads an image file from the URL "h[t][t]ps://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175" which carries a Base64-encoded payload delimited by the tags "<< BASE64_START>>" and "<< BASE64_END>>". Decoding that payload yields the first-level loader executable. The PowerShell script runs the first-level loader and passes it the XWorm download URL "h[t][t]ps://firebasestorage.googleapis.com/v0/b/testing-edacd.appspot.com/o/order.txt?alt=media&token=4a130ca4-3664-4c4a-9260-44749ba2e5e3" as an argument:

Figure 5: PowerShell script

First Level Loader

The loader makes the persistent entry for the malicious VBScript using the registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”. The malware downloads an image file from the URL “h[t][t]ps://uploaddeimagens.com.br/images/004/682/782/original/Rump_vbs.jpg?1701793262” and retrieves a second-level loader executable from the appended bytes. The malware now downloads the XWorm payload from the URL provided by the PowerShell script and calls the second-level loader by providing the path of RegAsm.exe and XWorm bytes.

Figure 6: First level loader
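The three extraction steps described above (the "DgTre" substitution in the injected slmgr.vbs code, the Base64 payload carved between tags in the first image, and the executable appended to the second image) are collected here in one added Python example written for this page; it is not the malware's code nor a SonicWall tool. The tag strings and the "DgTre" token are taken from the analysis above; that the appended loader begins immediately after a JPEG end-of-image marker is an assumption, which is why the code checks for an MZ header rather than trusting the first marker. All inputs in the usage section are constructed stand-ins, not the real downloads:

```python
import base64

# Strings reported in the analysis above
DGTRE_TOKEN = "DgTre"                  # stands in for "A" in the second VBScript layer
START_TAG = b"<< BASE64_START>>"       # delimiters around the Base64 payload in the first image
END_TAG = b"<< BASE64_END>>"
JPEG_EOI = b"\xff\xd9"                 # JPEG end-of-image marker (assumption: payload follows it)


def decode_vbs_layer(obfuscated):
    """Second encoding layer of the code injected into slmgr.vbs: restore every
    'DgTre' to 'A', then Base64-decode to get the final PowerShell script."""
    return base64.b64decode(obfuscated.replace(DGTRE_TOKEN, "A"))


def carve_tagged_payload(image, start=START_TAG, end=END_TAG):
    """First image: the loader is Base64 text between start and end tags.
    Returns the decoded bytes, or None when the tags are absent."""
    s = image.find(start)
    if s < 0:
        return None
    s += len(start)
    e = image.find(end, s)
    if e < 0:
        return None
    return base64.b64decode(b"".join(image[s:e].split()))   # tolerate line breaks


def carve_appended_payload(image):
    """Second image: the loader is appended raw after the JPEG data. Assumed
    here to start right after an end-of-image marker; because a JPEG may contain
    embedded thumbnails with their own EOI, every marker is tried and the first
    tail that begins with an MZ header is returned. None if nothing matches."""
    idx = image.find(JPEG_EOI)
    while idx >= 0:
        tail = image[idx + len(JPEG_EOI):]
        if tail.startswith(b"MZ"):
            return tail
        idx = image.find(JPEG_EOI, idx + 1)
    return None


def is_pe_like(data):
    """Cheap sanity check on a carved blob: DOS header present."""
    return data is not None and data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed stand-ins for the real downloads (payloads are MZ-prefixed text only).
    layer2 = base64.b64encode(b"$a = 1").decode().replace("A", DGTRE_TOKEN)
    print(decode_vbs_layer(layer2))
    tagged = b"\xff\xd8\xff\xe0JFIF" + START_TAG + base64.b64encode(b"MZdemo-loader-1") + END_TAG
    print(carve_tagged_payload(tagged))
    appended = b"\xff\xd8\xff\xe0JFIF\xff\xd9" + b"MZdemo-loader-2"
    print(carve_appended_payload(appended))
```

Run against the real samples, the carved blobs should be checked with `is_pe_like` before being handed to a .NET decompiler; a None return from either carve function means the delimiter or marker assumption did not hold for that file and the image should be inspected by hand.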

Second Level Loader

The loader starts the process RegAsm.exe and does process hollowing to execute the XWorm malware in the context of RegAsm.exe:

Figure 7: Second level loader

Figure 8: APIs needed for process hollowing

XWorm 3.1

Old, cracked versions of XWorm are available on GitHub and are widely used by malware authors. The main function decrypts and assigns the configuration, which contains the C&C host, port number, key, XWorm data separator and the name the executable spreads under. The malware is multithreaded: one thread performs keylogging and another communicates with the C&C server:

Figure 9: XWorm Main

C&C Communication

The malware sends system information to the C&C server, including the victim ID, username, OS information, XWorm variant name, current date, spreading capability, execution privilege, recording capability and installed antivirus. The victim ID is an MD5 hash of a combination of the processor count, username, machine name, OS version and system drive size.

Figure 10: Victim’s information sent to the C&C server

The malware supports the below commands from the C&C server:
  • rec (Restart)
  • CLOSE (Terminate)
  • uninstall (Terminate and delete)
  • update
  • DW (Execute from disk)
  • FM (Execute from memory)
  • LN (Download and execute from a URL)
  • Urlopen
  • Urlhide
  • PCShutdown
  • PCRestart
  • PCLogoff
  • StartDDos
  • StopDDos
  • StartReport
  • StopReport
  • Xchat
  • DDos
  • ngrok
  • plugin
  • savePlugin
  • OfflineGet
  • $Cap
  • MessageBox

The malware sends the title of the currently active window to the C&C server, which may help the operators detect a debugger or analysis environment.

Figure 11: Sending active Window’s name

Earlier detections of this malware family by the SonicWall RTDMI™ engine can be found here:

At the time of writing, the file is detected by only a few security vendors on the threat intelligence sharing portal VirusTotal, which indicates its potential to spread:

Figure 12: VirusTotal

Figure 13: VirusTotal 2

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 14: Capture ATP Report