Posts

WordPress WP Statistics plugin SQL Injection

WP-Statistics is an advanced plugin that tracks your website statistics. It analyzes your website’s users by showing their browser, the search engine they use, and the most visited content based on categories, tags, and authors. The plugin also allows the export of statistical data into different formats. The primary way of communicating with WordPress is over the HTTP protocol.
A SQL injection vulnerability exists in the WP Statistics plugin for WordPress. The vulnerability is due to insufficient sanitization of the current_page_id and current_page_type parameters.

SQL Injection
SQL injection attacks occur when SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data and execute administration operations on the database.

WordPress WP Statistics plugin SQL Injection | CVE-2022-25148
The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the current_page_id parameter found in the class-wp-statistics-hits.php file. This allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information.
The vulnerable versions are 13.1.5 and up.
Following are some examples of exploits:


The vulnerable current_page_id parameter is exploited to make the query sleep for a certain time.


The vulnerable current_page_type parameter is exploited to make the query sleep for a certain time.

This vulnerability has been patched.

In the patched code we can see that the input is now escaped and the query is parameterized.
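As an added example, not code from the plugin or from this write-up, the following Python models the contrast the patch makes: a lookup that pastes the two request parameters into the SQL text, beside one that validates current_page_id as an integer and binds both values as query parameters. The pages table, its rows, the request path and the log lines are all constructed; sqlite3 stands in for MySQL (it has no SLEEP(), so the vulnerable path is shown altering the WHERE logic instead). The scan() helper is the check a defender can run over access logs: any value of these two parameters that is not a plain number or identifier deserves a look.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for the plugin's pages table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (page_id INTEGER, type TEXT, uri TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(1, "post", "/hello-world"), (2, "page", "/about"), (3, "post", "/news")])
    return db


def lookup_vulnerable(db, page_id, page_type):
    """Pre-patch pattern: request values are interpolated into the SQL text."""
    sql = (f"SELECT page_id, uri FROM pages WHERE page_id = {page_id} "
           f"AND type = '{page_type}' ORDER BY page_id")
    return db.execute(sql).fetchall()


ID_SHAPE = re.compile(r"\d+")              # current_page_id is a post/page id
TYPE_SHAPE = re.compile(r"[A-Za-z0-9_]+")  # current_page_type is a short identifier


def lookup_fixed(db, page_id, page_type):
    """Patched pattern: validate the shape of each value, then bind it as a parameter."""
    if not ID_SHAPE.fullmatch(str(page_id)):
        raise ValueError("current_page_id must be numeric")
    if not TYPE_SHAPE.fullmatch(page_type):
        raise ValueError("current_page_type must be a plain identifier")
    sql = "SELECT page_id, uri FROM pages WHERE page_id = ? AND type = ? ORDER BY page_id"
    return db.execute(sql, (int(page_id), page_type)).fetchall()


# Constructed access-log request lines; the path is a placeholder, not the plugin's real endpoint.
SAMPLE_REQUESTS = [
    "GET /wp-admin/admin-ajax.php?action=hit&current_page_id=42&current_page_type=post HTTP/1.1",
    "GET /wp-admin/admin-ajax.php?action=hit&current_page_id=42+AND+SLEEP(5)&current_page_type=post HTTP/1.1",
    "GET /wp-admin/admin-ajax.php?action=hit&current_page_id=7&current_page_type=post%27 HTTP/1.1",
]

EXPECTED = {"current_page_id": ID_SHAPE, "current_page_type": TYPE_SHAPE}


def scan(request_lines):
    """Return (line number, parameter, decoded value) for every value of the wrong shape."""
    findings = []
    for n, line in enumerate(request_lines, start=1):
        query = parse_qs(urlsplit(line.split()[1]).query)
        for name, shape in EXPECTED.items():
            for value in query.get(name, []):
                if not shape.fullmatch(value):
                    findings.append((n, name, value))
    return findings


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1", "post"))  # extra rows leak through
    print(scan(SAMPLE_REQUESTS))
```

The point of the comparison is that the fix is two layers, not one: the shape check rejects anything that is not an id or identifier before it reaches the database, and the bound parameter means that even a value that slips past validation is treated as data rather than SQL.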

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 2553:WordPress WP Statistics plugin SQL Injection 1
  • IPS 2554:WordPress WP Statistics plugin SQL Injection 2
  • IPS 2567:WordPress WP Statistics plugin SQL Injection 3

Threat graph

McAfee themed Android malware spotted

The SonicWall Threats Research team received yet another report about an Android malware hosted on Discord. The URL associated with this threat is:

  • https[:]//cdn.discordapp.com/attachments/900818589068689461/948690034867986462/McAfee9412.apk

Application specifics

 

The application requests a number of suspicious permissions, including:

  • READ_PHONE_NUMBERS
  • CAMERA
  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • RECEIVE_SMS
  • READ_CONTACTS
  • WRITE_SMS
  • READ_SMS
  • SEND_SMS
  • GET_ACCOUNTS
  • RECORD_AUDIO
  • READ_CALL_LOG
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • RECEIVE_BOOT_COMPLETED
  • CALL_PHONE
  • DISABLE_KEYGUARD

 

Infection cycle

The malware instance we analyzed masquerades as a legitimate McAfee application. Upon installation, the application is visible as below:

Once the app is executed, it requests the Accessibility service. If this is granted, the malware does a number of things in the background, as visible in the GIF below:

Device-related information is sent to the attacker and acts as an identifier for the infected device; the name of the PHP page further confirms this:

The malware is capable of accepting a number of commands from the attacker, some of which are listed below:

  • Push CC Injection
  • Take Photo
  • Send SMS
  • Send SMS to All Contacts
  • Inject a web page
  • Download File
  • Kill Bot
  • Push Bank Injection with Time
  • Push Bank Injection
  • Uninstall an app
  • Record Audio
  • Get Google Authenticator Codes
  • Call a number/Run USSD code
  • Start VNC
  • VNCClick
  • VNCHold
  • VNCDrag
  • SWIPE UP
  • SWIPE DOWN
  • RECENTS
  • HOME
  • BACK
  • SCROLL UP
  • SCROLL DOWN
  • NOTIFICATIONS
  • SCREEN OFF
  • SCREEN ON

 

Additional Observations

  • There are a number of hardcoded .php pages whose naming convention indicates their purpose. Some of them are listed below:
    • /project/apiMethods/register.php?botid=
    • /project/apiMethods/updateLoc.php?botid=
    • /project/apiMethods/updateStat.php?botid=
    • /project/apiMethods/uploadCall.php?botid=
    • /project/apiMethods/uploadFilesList.php?botid=
    • /project/apiMethods/uploadInbox.php?botid=
    • /project/apiMethods/uploadKeylogs.php?botid=
    • /project/apiMethods/uploadLog.php?log=
    • /project/apiMethods/uploadVNC.php?botid=

 

  • The malware contains a large number of classes and strings with random names; these are used to make analysis more difficult for researchers:

  • There is an HTML file in the assets folder titled startaccessibility.html. However, it contains just HTML tags with no real content. There is another file titled welcome.html whose contents are shown when the Accessibility Services request is presented. This suggests that the malware is still under construction or that this is a test version:

  • There is a hardcoded URL within the code, http[:]//melanieparker.42web.io, which has now been taken down.

Overall, this malware has the capability to do a number of things once it infects a device. The power of Accessibility Services is on display: once the user grants this permission, the malware grants itself a number of further permissions and performs a multitude of actions.

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.ES

 

Indicators of Compromise:

 

Microsoft Security Bulletin Coverage for March 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of March 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21990 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 300:Malformed-File exe.MP_239

CVE-2022-23253 Point-to-Point Tunneling Protocol Denial of Service Vulnerability
IPS 2558:Malformed PPTP Request 2

CVE-2022-23285 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 301:Malformed-File exe.MP_240

CVE-2022-23286 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
ASPY 302:Malformed-File exe.MP_241

CVE-2022-23299 Windows PDEV Elevation of Privilege Vulnerability
ASPY 303:Malformed-File exe.MP_242

CVE-2022-24502 Windows HTML Platforms Security Feature Bypass Vulnerability
IPS 15754:Internet Explorer Security Feature Bypass (CVE-2022-24502)

CVE-2022-24507 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 304:Malformed-File exe.MP_243

The following vulnerabilities have no known exploits in the wild:

  • CVE-2020-8927 Brotli Library Buffer Overflow Vulnerability
  • CVE-2022-21967 Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
  • CVE-2022-21973 Windows Media Center Update Denial of Service Vulnerability
  • CVE-2022-21975 Windows Hyper-V Denial of Service Vulnerability
  • CVE-2022-21977 Media Foundation Information Disclosure Vulnerability
  • CVE-2022-22006 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-22007 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-22010 Media Foundation Information Disclosure Vulnerability
  • CVE-2022-23265 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2022-23266 Microsoft Defender for IoT Elevation of Privilege Vulnerability
  • CVE-2022-23277 Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2022-23278 Microsoft Defender for Endpoint Spoofing Vulnerability
  • CVE-2022-23281 Windows Common Log File System Driver Information Disclosure Vulnerability
  • CVE-2022-23282 Paint 3D Remote Code Execution Vulnerability
  • CVE-2022-23283 Windows ALPC Elevation of Privilege Vulnerability
  • CVE-2022-23284 Windows Print Spooler Elevation of Privilege Vulnerability
  • CVE-2022-23287 Windows ALPC Elevation of Privilege Vulnerability
  • CVE-2022-23288 Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2022-23290 Windows Inking COM Elevation of Privilege Vulnerability
  • CVE-2022-23291 Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2022-23293 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
  • CVE-2022-23294 Windows Event Tracing Remote Code Execution Vulnerability
  • CVE-2022-23295 Raw Image Extension Remote Code Execution Vulnerability
  • CVE-2022-23296 Windows Installer Elevation of Privilege Vulnerability
  • CVE-2022-23297 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
  • CVE-2022-23298 Windows NT OS Kernel Elevation of Privilege Vulnerability
  • CVE-2022-23300 Raw Image Extension Remote Code Execution Vulnerability
  • CVE-2022-23301 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24451 VP9 Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24452 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24453 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24454 Windows Security Support Provider Interface Elevation of Privilege Vulnerability
  • CVE-2022-24455 Windows CD-ROM Driver Elevation of Privilege Vulnerability
  • CVE-2022-24456 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability
  • CVE-2022-24459 Windows Fax and Scan Service Elevation of Privilege Vulnerability
  • CVE-2022-24460 Tablet Windows User Interface Application Elevation of Privilege Vulnerability
  • CVE-2022-24461 Microsoft Office Visio Remote Code Execution Vulnerability
  • CVE-2022-24462 Microsoft Word Security Feature Bypass Vulnerability
  • CVE-2022-24463 Microsoft Exchange Server Spoofing Vulnerability
  • CVE-2022-24464 .NET and Visual Studio Denial of Service Vulnerability
  • CVE-2022-24465 Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability
  • CVE-2022-24467 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24468 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24469 Azure Site Recovery Elevation of Privilege Vulnerability
  • CVE-2022-24470 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24471 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24501 VP9 Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24503 Remote Desktop Protocol Client Information Disclosure Vulnerability
  • CVE-2022-24505 Windows ALPC Elevation of Privilege Vulnerability
  • CVE-2022-24506 Azure Site Recovery Elevation of Privilege Vulnerability
  • CVE-2022-24508 Windows SMBv3 Client Server Remote Code Execution Vulnerability
  • CVE-2022-24509 Microsoft Office Visio Remote Code Execution Vulnerability
  • CVE-2022-24510 Microsoft Office Visio Remote Code Execution Vulnerability
  • CVE-2022-24511 Microsoft Office Word Tampering Vulnerability
  • CVE-2022-24512 .NET and Visual Studio Remote Code Execution Vulnerability
  • CVE-2022-24515 Azure Site Recovery Elevation of Privilege Vulnerability
  • CVE-2022-24517 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24518 Azure Site Recovery Elevation of Privilege Vulnerability
  • CVE-2022-24519 Azure Site Recovery Elevation of Privilege Vulnerability
  • CVE-2022-24520 Azure Site Recovery Remote Code Execution Vulnerability
  • CVE-2022-24522 Skype Extension for Chrome Information Disclosure Vulnerability
  • CVE-2022-24525 Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2022-24526 Visual Studio Code Spoofing Vulnerability

A look at PartyTicket Ransomware targeting Ukrainian systems

The conflict between Russia and Ukraine has quickly escalated from the ground into cyberspace. Last week, the SonicWall Capture Labs Research team analyzed the HermeticWiper malware attack that was targeting Ukraine in this article. This week we take a look at the ransomware that is believed to have been deployed in conjunction with the aforementioned data-wiping malware.

Infection Cycle:

The ransomware arrives as a Windows executable. Once executed, it spawns conhost.exe, which then spawns cmd.exe to carry out its functionality.

cmd.exe creates a temporary copy of the ransomware, which then encrypts a target file.

This combined create, encrypt, delete action bogs down the system and makes the entire process very slow. Below is an example of how many copies of itself were created in the span of a few minutes while trying to encrypt a system.

The following file extensions are targeted for encryption:

.acl, .avi, .bat, .bmp, .cab, .cfg, .chm, .cmd, .com, .crt, .css, .dat, .dip, .dll, .doc, .dot, .exe, .gif, .htm, .ico, .iso, .jpg, .mp3, .msi, .odt, .one, .ova, .pdf, .png, .ppt, .pub, .rar, .rtf, .sfx, .sql, .txt, .url, .vdi, .vsd, .wma, .wmv, .wtv, .xls, .xml, .xps, .zip

Encrypted files have an appended file extension of “[vote2024forjb@protonmail.com].encryptedJB”

A ransom note named “Read.me.html” is added to the desktop.

There are references to the US President in the module/project names used in the file, as evident in the strings below, possibly to obscure the real source of the malware or to mislead researchers.

Overall, this is an unsophisticated ransomware that appears to have been created in a rush.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: PartyTicket.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Samba vfs_fruit Module RCE Vulnerability

Overview:

  Samba is an open-source implementation of the SMB/CIFS (Server Message Block/Common Internet File System) suite of file, print, and other network services. Samba implements several protocols and services including NetBIOS over TCP/IP (NBT), SMB, CIFS, DCE/RPC, MSRPC, the network neighborhood suite of protocols, the Netlogon remote protocol and more. A Samba server listens on 139/TCP and 445/TCP for SMB over TCP by default. If Samba is configured to use NetBIOS over UDP as transport, it uses the nmbd daemon, which listens on 137/UDP for the NetBIOS name service and on 138/UDP for the NetBIOS datagram service.

  An out-of-bounds heap read/write vulnerability has been reported in the vfs_fruit module of Samba. The vulnerability is due to a flaw in parsing EA metadata when opening files in smbd. Unauthenticated attackers can exploit this vulnerability by sending crafted requests to the target service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability occurs due to improper validation of the EntryOffset field of the ADEID_FILEDATESI entry inside AppleDouble data. To set the AFP_AfpInfo of a file, an SMB2_SET_INFO request containing an extended attribute org.netatalk.Metadata can be sent to the Samba server over the SMBv2 protocol. When the Samba server receives the request, the org.netatalk.Metadata attribute is saved in the file's extended attribute user.org.netatalk.Metadata using the setxattr() system call.

  There are two internal functions, ad_getdate() and ad_setdate(), that use the ADEID_FILEDATESI entry stored in the AFP_AfpInfo of a file. Both functions use the offset value from the EntryOffset field of the ADEID_FILEDATESI entry for memory operations of 4 bytes. However, these functions only validate that the EntryOffset field lies within the AppleDouble data. If EntryOffset plus 4 exceeds the total size of the AppleDouble data (402 bytes), the operation triggers an out-of-bounds read or write.

  The vulnerable function ad_setdate() can be triggered when time-related file information is updated through the SMB protocol. For example, it was observed that if a remote client sends an SMB2_SET_INFO request with FileInfoClass set to SMB_FILE_BASIC_INFORMATION (0x04), the Samba server eventually calls ad_setdate() to update the file information with the supplied data. Similarly, the vulnerable function ad_getdate() can be triggered when time-related file information is queried through the SMB protocol. It was observed that even an SMB2_CREATE message ends up calling the fruit_stat() function and eventually ad_getdate(), reproducing the out-of-bounds read condition.
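As an added illustration, not Samba's code, the following Python builds a 402-byte AppleDouble blob of the kind described above and contrasts the insufficient bound (EntryOffset inside the data) with the correct one (EntryOffset plus 4 inside the data). The header layout and the entry id 8 for ADEID_FILEDATESI come from the AppleDouble format; the blobs, the offsets and the function names are constructed for the example.

```python
import struct

# Constants from the write-up and the AppleDouble format (an added model, not Samba code).
AD_DATASZ_XATTR = 402        # total size of the AppleDouble blob Samba keeps in the xattr
ADEID_FILEDATESI = 8         # AppleDouble entry id of the file-dates entry
AD_MAGIC, AD_VERSION = 0x00051607, 0x00020000
AD_HEADER_LEN = 26           # magic(4) + version(4) + filler(16) + entry count(2)
AD_ENTRY_LEN = 12            # entry id(4) + offset(4) + length(4)
DATE_FIELD_LEN = 4           # ad_getdate()/ad_setdate() touch one 4-byte field


def build_appledouble(entries):
    """Constructed AppleDouble v2 blob: header, entry table, zero-filled body, 402 bytes."""
    buf = bytearray(AD_DATASZ_XATTR)
    struct.pack_into(">II16sH", buf, 0, AD_MAGIC, AD_VERSION, b"\0" * 16, len(entries))
    for i, (eid, off, length) in enumerate(entries):
        struct.pack_into(">III", buf, AD_HEADER_LEN + AD_ENTRY_LEN * i, eid, off, length)
    return bytes(buf)


def entry_offset(blob, wanted_id):
    """Return the EntryOffset recorded for wanted_id, or None when the entry is absent."""
    magic, version = struct.unpack_from(">II", blob, 0)
    if magic != AD_MAGIC or version != AD_VERSION:
        raise ValueError("not an AppleDouble v2 blob")
    count = struct.unpack_from(">H", blob, 24)[0]
    for i in range(count):
        eid, off, _ = struct.unpack_from(">III", blob, AD_HEADER_LEN + AD_ENTRY_LEN * i)
        if eid == wanted_id:
            return off
    return None


def weak_check(blob):
    """The insufficient bound: only 'offset lies inside the blob' is verified."""
    off = entry_offset(blob, ADEID_FILEDATESI)
    return off is not None and off < len(blob)


def fixed_check(blob):
    """The correct bound: the whole 4-byte date field must lie inside the blob."""
    off = entry_offset(blob, ADEID_FILEDATESI)
    return off is not None and off + DATE_FIELD_LEN <= len(blob)


def bytes_past_end(blob):
    """How many bytes a 4-byte access at EntryOffset would run past the end of the blob."""
    off = entry_offset(blob, ADEID_FILEDATESI)
    return max(0, off + DATE_FIELD_LEN - len(blob))


# Constructed inputs: a normal entry, and one whose offset passes the weak check but
# whose 4-byte field straddles the 402-byte boundary.
BENIGN = build_appledouble([(ADEID_FILEDATESI, 300, 16)])
CRAFTED = build_appledouble([(ADEID_FILEDATESI, 400, 16)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "weak:", weak_check(blob), "fixed:", fixed_check(blob),
              "overrun bytes:", bytes_past_end(blob))
```

The two checks differ only by the length of the access being added to the offset, which is the whole bug: a bound that validates the start of a field but not its end lets the last few bytes of the buffer become a window onto adjacent heap memory.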

  SMB Protocol

Triggering the Problem:

  • The attacker must have network connectivity to the target host.
  • The attacker can connect to a share on the target system.
  • The attacker must have write permission on a shared folder.

Triggering Conditions:

  The attacker establishes an SMB session and sends multiple crafted requests to the target server. The vulnerability is triggered as the server processes the requests.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2481 Samba vfs_fruit Module Remote Code Execution 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the IPS signature above.
    • Disabling SMBv2 if it is not required.
    • Applying the vendor-supplied patch that eliminates this vulnerability.
    • Removing write permissions for untrusted users.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

H2 Database JDBC URL Arbitrary Code Execution

Overview:

  The H2 console application allows a user to access a SQL database through a browser interface.

  H2 is an open-source Java SQL database that builds on JDBC (Java Database Connectivity), a Java API that can access any kind of tabular data, especially data stored in a relational database. JDBC helps you write Java applications that:
    • Connect to a data source, such as a database
    • Send queries and update statements to the database
    • Retrieve and process the results the database returns for a query

  A remote code execution vulnerability has been reported in the H2 Database console. This vulnerability is due to improper input validation when handling a specific JDBC URL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result, in the worst case, in arbitrary code execution.

  H2 Homepage
  JDBC Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23221.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When accessing a JDBC database, the H2 console asks the user for the location of the database. A user can access an existing database or create a new one if it does not exist and the connection option FORBID_CREATION is not set. The JDBC URL is stored in the variable databaseUrl and passed into the function getConnection(). The variable databaseUrl is then trimmed of whitespace and checked for whether it starts with the string “jdbc:h2:”. If so, the current user key, in the variable userKey, is compared to the default key, in the variable key. The variable userKey has a value of null for new users and the variable key has a default value of null for non-privileged connections. Since both keys are the same, the string “;FORBID_CREATION=TRUE” is appended to databaseUrl.

  This information is passed into the function JdbcUtils.getConnection(), which then calls ConnectionInfo(). This function checks the settings in the JDBC URL by calling readSettingsFromURL(). An exception is thrown if any unknown setting exists and the IGNORE_UNKNOWN_SETTINGS setting is not set. After the JDBC URL is checked, the connection information is eventually passed into openSession() through the ConnectionInfo variable ci, which is then parsed to find the settings in the current URL. The settings are stored in the following boolean variables: ifExists, forbidCreation, and ignoreUnknownSetting.

  A remote code execution vulnerability exists in H2 Database. A remote, unauthenticated attacker could exploit it by sending a database name value with the IGNORE_UNKNOWN_SETTINGS setting set and a backslash at the end of the string. The backslash causes the appended semicolon delimiter to be escaped and interpreted as part of the appended FORBID_CREATION option name, so that option is ignored as an unknown setting. Without the FORBID_CREATION option, a new database can be created with full administrator privileges. A SQL TRIGGER statement can then be used to run either JavaScript or Ruby code. Successful exploitation could lead to remote code execution in the security context of the H2 process.
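The parsing behaviour described above, as an added Python model rather than H2's source: a simplified splitter that honours a backslash as an escape, the unknown-setting rule, and two ways of enforcing FORBID_CREATION. settings_vulnerable() appends the option to the user string the way the console does; settings_hardened() is a suggested structural alternative for the example (parse first, then set the flag on the parsed settings), not the vendor's actual fix. KNOWN_SETTINGS is a constructed subset and the two database names are sample values.

```python
KNOWN_SETTINGS = {"FORBID_CREATION", "IFEXISTS", "IGNORE_UNKNOWN_SETTINGS"}  # constructed subset
FORBID_CREATION_SUFFIX = ";FORBID_CREATION=TRUE"  # what the console appends for a non-privileged user


def split_settings(tail):
    """Split on ';' while treating a backslash as an escape for the character after it.
    A trailing backslash with nothing after it is kept literally."""
    parts, cur, i = [], [], 0
    while i < len(tail):
        c = tail[i]
        if c == "\\" and i + 1 < len(tail):
            cur.append(tail[i + 1])  # escaped character loses its separator meaning
            i += 2
            continue
        if c == ";":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_settings(tail):
    """Return (database name, {SETTING: VALUE}). Unknown settings raise unless
    IGNORE_UNKNOWN_SETTINGS=TRUE is present, in which case they are dropped."""
    parts = split_settings(tail)
    name, settings = parts[0], {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        settings[key.upper()] = value.upper()
    ignore_unknown = settings.get("IGNORE_UNKNOWN_SETTINGS") == "TRUE"
    for key in list(settings):
        if key not in KNOWN_SETTINGS:
            if not ignore_unknown:
                raise ValueError(f"unsupported setting: {key}")
            del settings[key]
    return name, settings


def settings_vulnerable(user_db):
    """Policy by string append: user text and the suffix are parsed as one string."""
    return parse_settings(user_db + FORBID_CREATION_SUFFIX)[1]


def settings_hardened(user_db):
    """Policy on the parsed structure: parse the user text alone, then set the flag.
    (Suggested design for this example, not H2's actual fix.)"""
    _, settings = parse_settings(user_db)
    settings["FORBID_CREATION"] = "TRUE"
    return settings


def ends_with_unescaped_backslash(user_db):
    """Log-review helper: True when the name ends in an odd run of backslashes."""
    run = len(user_db) - len(user_db.rstrip("\\"))
    return run % 2 == 1


BENIGN_NAME = "~/test"
CRAFTED_NAME = "~/test;IGNORE_UNKNOWN_SETTINGS=TRUE;X\\"  # trailing backslash swallows the ';'

if __name__ == "__main__":
    print("append  :", settings_vulnerable(CRAFTED_NAME))   # FORBID_CREATION is missing
    print("parse-first:", settings_hardened(CRAFTED_NAME))  # FORBID_CREATION survives
```

The lesson generalises beyond H2: a security flag enforced by concatenating text onto untrusted input inherits every quoting and escaping rule of the parser that reads the result, whereas a flag set on the parsed structure cannot be reached by the input at all.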

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.
  • The target must have network connectivity to the attacker controlled server.

Triggering Conditions:

  The attacker sends three maliciously crafted requests to the target server. The vulnerability is triggered after the target server receives a malicious .sql file and executes the file’s code.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2496 H2 Database JDBC URL RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

BitPyLock ransomware leaves decryption key visible in decompiled code

The SonicWall threat research team has recently observed a new variant of BitPyLock ransomware. This family of ransomware surfaced in early 2020. It encrypts files and also threatens extortion by claiming to have sent files to the attacker's server. This claim, however, is not true. In addition, the decryption key can be easily obtained through basic reverse engineering.

Infection Cycle:

 

Upon infection, files on the system are encrypted. Unlike most ransomware, the filenames remain unchanged.

The following message is displayed on the desktop:

 

The note claims that files have been transferred to the attacker's server. However, this is not the case: no network traffic was observed during the infection cycle.

The following keys are added to the registry:

  • HKEY_CURRENT_USER\Software\Rnz (value ID = “1”)
  • HKEY_USERS\S-1-5-21-4236731928-1562650142-1211730654-1001\Software\Rnz (value ID = “1”)

The following file is added to the filesystem:

  • %APPDATA%\Roaming\rnz.bin

 

rnz.bin contains the following data (list of encrypted files):

 

Each encrypted file has the string “root” prepended to its contents:

 

The malware is written in C# and is trivial to decompile. The encryption and decryption functions can be easily seen in the code:

A registry key is added to mark infection:

 

The decryption key and file type targets can be clearly seen in the code:

 

The following file types are targeted for encryption:

"1ng", "1scp", "1v1", "31k", "3dm", "3ds", "3fr", "3g2", "3gp", "3pr", "72e", "7s", "7sp", "7tt", "7z", "ARC", "PAQ", "ab4", "accdb", "accde", "accdr", "accdt", "ach", "acr", "act", "adb", "ads", "aes", "agdl", "ai", "aimi", "ait", "al", "alf", "apj", "apk", "ari", "arw", "asc", "asf", "asm", "asmx", "asp", "aspx", "asset", "asx", "avi", "awg", "back", "backup", "backupdb", "bak", "bank", "bas", "bat", "bay", "bdb", "bgt", "big", "bik", "bikey", "bin", "bkf", "bkp", "blend", "bmp", "bpw", "brd", "bsa", "bz2", "c", "cab", "cad", "capx", "cd", "cdf", "cdr", "cdr3", "cdr4", "cdr5", "cdr6", "cdrw", "cdx", "ce1", "ce2", "cer", "cfm", "cfp", "cgi", "cgm", "cib", "class", "cls", "cmd", "cmt", "cfg", "conf", "config", "cos", "cpi", "cpp", "cr2", "craw", "crt", "crw", "cs", "csh", "csl", "csproj", "csr", "csv", "cxi", "dac", "dat", "db", "db3", "dbf", "dbx", "dc2", "dch", "dcr", "dcs", "ddd", "ddoc", "ddrw", "dds", "ddv", "deb", "der", "des", "design", "dgc", "dif", "difz", "dip", "djvu", "dng", "doc", "docb", "docm", "docx", "dot", "dotm", "dots", "dotx", "drf", "drw", "dtd", "dwg", "dxb", "dxf", "dxg", "edb", "eip", "eml", "epk", "eps", "erbsql", "erf", "exf", "fdb", "ff", "ffd", "fff", "fh", "fhd", "fla", "flac", "flv", "fmb", "forge", "fpx", "frm", "fxg", "g8z", "gblorb", "gif", "go", "gpg", "gpx", "gray", "grey", "gry", "gz", "h", "hbk", "hpp", "htm", "html", "hwp", "ibank", "ibd", "ibz", "idx", "iif", "iiq", "img", "incpas", "indd", "iso", "j6i", "jar", "java", "jpe", "jpeg", "jpg", "js", "json", "jsp", "k25", "kbx", "kc2", "kdbx", "kdc", "key", "kml", "kmz", "kpdx", "lay", "lay6", "lbf", "ldf", "litemod", "log", "ltd", "ltx", "lua", "m", "m2ts", "m3u", "m4a", "m4u", "m4v", "max", "md", "mdb", "mdc", "mdf", "mdl", "mef", "mfw", "mid", "mkv", "mlv", "mml", "mmw", "moneywell", "mos", "mov", "mp3", "mp4", "mpeg", "mpeg4", "mpg", "mpk", "mpq", "mrw", "msg", "myd", "myi", "nd", "ndd", "nef", "nk2", "nop", "nrg", "nrw", "ns2", "ns3", "ns4", "nsd", "nsf", "nsg", "nsh", 
"nwb", "nx2", "nxl", "nyf", "oab", "obj", "odb", "odc", "odf", "odg", "odm", "odp", "ods", "odt", "ogg", "oil", "old", "onetoc2", "orf", "ost", "otg", "oth", "otp", "ots", "ott", "p12", "p7b", "p7c", "pab", "pages", "pak", "papa", "pas", "pat", "patch", "pbl", "pcd", "pck", "pct", "pdb", "pdd", "pdf", "pef", "pem", "pfx", "php", "php5", "phtml", "pkg", "pl", "plc", "png", "pot", "potm", "pots", "potx", "ppam", "pps", "ppsm", "ppsx", "ppt", "pptm", "pptx", "prf", "ps", "ps1", "psafe3", "psark", "psd", "pspimage", "pst", "psw", "pta", "ptx", "py", "pyc", "qba", "qbb", "qbm", "qbr", "qbw", "qbx", "qby", "qst", "r33", "r3d", "raf", "rar", "rat", "raw", "rb", "rdb", "rem", "rgss3a", "rm", "rofl", "rtf", "rw2", "rwl", "rwz", "rx3", "s3db", "sas7bdat", "sav", "say", "sch", "sd0", "sda", "sdc", "sdd", "sdf", "sdp", "sdw", "sgl", "sh", "sldm", "sldx", "slk", "sln", "snt", "spx1", "sql", "sqlite", "sqlite3", "sqlitedb", "sr2", "srf", "srt", "srw", "st4", "st5", "st6", "st7", "st8", "stc", "std", "sti", "stw", "stx", "suo", "sv2i", "svg", "swf", "swift", "sxc", "sxd", "sxg", "sxi", "sxm", "sxw", "t3", "tar", "targz", "tbk", "tc", "tex", "tga", "tgz", "thm", "tib", "tif", "tiff", "tiger", "tlg", "ttarch", "txt", "uasset", "uax", "unicy3d", "uof", "uop", "uot", "upk", "vb", "vbproj", "vbs", "vcd", "vcf", "vdi", "vef", "vib", "vmdk", "vmx", "vob", "vor", "vsd", "vsdx", "wallet", "war", "wav", "wb2", "wk1", "wkl", "wks", "wma", "wmf", "wmv", "wpd", "wpl", "wps", "wsf", "wtf", "x11", "x3f", "xex", "xhtml", "xis", "xla", "xlam", "xlc", "xlk", "xlm", "xlr", "xls", "xlsb", "xlsm", "xlsx", "xlt", "xltm", "xltx", "xlw", "xml", "xtbl", "ycbcra", "ydk", "yrp", "yuv", "ze4", "zip"

 

Upon entering the decryption key “Gt4vJ04kZ9bAe36A” into the ransomware interface, all files are decrypted back to their original form:

We reached out to ranzon@protonmail.com but did not receive a reply.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BitPyLock.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

HermeticWiper data wiping malware targeting Ukrainian organizations

The SonicWall Capture Labs Threat Research team has analyzed a sample which is widely believed to be targeting Ukrainian organizations.

The malware sample is digitally signed with a certificate issued under the company name ‘Hermetica Digital Ltd’. There is a possibility that the attacker used a shell company to obtain this digital certificate.

At the start of execution, and again as it runs, it requests the following privileges:

  • SeShutdownPrivilege
  • SeBackupPrivilege
  • SeLoadDriverPrivilege

The malware then identifies the operating system architecture and, depending on the result, loads the matching driver.

If the malware is running on a 64-bit system, it uses the Wow64DisableWow64FsRedirection Windows API to disable file system redirection so that it can copy the driver file into the %system32%\Drivers folder.

The malware’s resource section contains EaseUS Partition Manager drivers. These are legitimate drivers belonging to the EaseUS Partition Master application, a free partitioning tool; the driver files are stored compressed with the Lempel-Ziv algorithm.

The malware opens the registry key SYSTEM\CurrentControlSet\Control\CrashControl and changes the value of CrashDumpEnabled from 2 (the default) to 0, so that Windows does not record any information in a memory dump file.

The malware drops the driver file into the %System%\Drivers folder and, using SeLoadDriverPrivilege, loads it.

It then uses CreateServiceW and StartServiceW to load the driver as a service.

The malware connects to the Service Control Manager with the OpenSCManager API and, using OpenServiceW and ChangeServiceConfigW, disables the Volume Shadow Copy Service (VSS). This service is used to back up application data.

The malware enumerates physical drives numbered 0 to 100 and, for each one, opens the \\.\EPMNTDRV\ device with the corresponding device number.

The EaseUS Partition Manager driver epmntdrv.sys is then used to access physical drives directly and to retrieve partition information through specific IOCTLs.

The malware corrupts the first 512 bytes, the Master Boot Record (MBR), of every physical drive. It then waits for all sleeping threads to complete before initiating a reboot. Once the system reboots, a missing operating system prompt is displayed, leaving the system unusable.
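As an added illustration of how the behaviour chain above can be detected (this is not SonicWall's code and not the malware's), the following Python routine runs a set of checks over constructed endpoint telemetry. The event schema, the sample events and the service name given to the dropped driver are assumptions made for this example; the indicators themselves (the CrashControl registry change, a driver written into the Drivers folder, the VSS service being disabled, the \\.\EPMNTDRV\<n> device opens and a 512-byte write at offset 0 of a physical drive) come from the analysis above.

```python
"""Behavioural detection for the HermeticWiper chain described above.

Added example, not SonicWall's or the malware's code. The telemetry schema
(one dict per event with a "type" key) and the SAMPLE_EVENTS list are
constructed for this illustration.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed telemetry in the hypothetical schema, in the order the text describes.
SAMPLE_EVENTS: List[Event] = [
    {"type": "privilege", "name": "SeShutdownPrivilege"},
    {"type": "privilege", "name": "SeBackupPrivilege"},
    {"type": "privilege", "name": "SeLoadDriverPrivilege"},
    {"type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl",
     "value": "CrashDumpEnabled", "data": "0"},
    {"type": "file_write", "path": r"C:\Windows\System32\Drivers\epmntdrv.sys"},
    {"type": "service_create", "name": "epmntdrv"},          # service name assumed
    {"type": "service_config", "name": "VSS", "start": "disabled"},
    {"type": "device_open", "path": r"\\.\EPMNTDRV\0"},
    {"type": "device_open", "path": r"\\.\EPMNTDRV\1"},
    {"type": "raw_write", "path": r"\\.\PhysicalDrive0", "offset": "0", "length": "512"},
]

# Each rule is a predicate over a single event; a rule "hits" if any event satisfies it.
RULES: Dict[str, Callable[[Event], bool]] = {
    # Anti-forensics: crash dumps switched off under CrashControl.
    "crashdump_disabled": lambda e: (
        e.get("type") == "registry_set"
        and e.get("key", "").lower().endswith(r"\control\crashcontrol")
        and e.get("value", "").lower() == "crashdumpenabled"
        and e.get("data") == "0"
    ),
    # A .sys file written into the system Drivers folder.
    "driver_dropped": lambda e: (
        e.get("type") == "file_write"
        and re.search(r"\\system32\\drivers\\[^\\]+\.sys$", e.get("path", ""), re.I) is not None
    ),
    "load_driver_privilege": lambda e: (
        e.get("type") == "privilege" and e.get("name") == "SeLoadDriverPrivilege"
    ),
    # Volume Shadow Copy Service reconfigured to disabled.
    "vss_disabled": lambda e: (
        e.get("type") == "service_config"
        and e.get("name", "").lower() == "vss"
        and e.get("start") == "disabled"
    ),
    # Direct use of the EaseUS driver's device objects, one per drive number.
    "epmntdrv_device_access": lambda e: (
        e.get("type") == "device_open"
        and re.match(r"\\\\\.\\EPMNTDRV\\\d+$", e.get("path", ""), re.I) is not None
    ),
    # Raw write starting at offset 0 of a physical drive (the MBR sector).
    "mbr_overwrite": lambda e: (
        e.get("type") == "raw_write"
        and re.match(r"\\\\\.\\PhysicalDrive\d+$", e.get("path", ""), re.I) is not None
        and e.get("offset") == "0"
    ),
}

# Indicators that together make up the destructive core of the chain.
CORE_CHAIN = {"driver_dropped", "epmntdrv_device_access", "mbr_overwrite"}


def evaluate(events: List[Event]) -> Tuple[List[str], str]:
    """Return (matched indicator names, verdict) for a stream of events."""
    hits = {name: False for name in RULES}
    for event in events:
        for name, rule in RULES.items():
            if not hits[name] and rule(event):
                hits[name] = True
    matched = [name for name, hit in hits.items() if hit]
    # A single indicator (e.g. an admin disabling crash dumps) is not conclusive;
    # the combination of driver load, device access and MBR write is.
    if CORE_CHAIN <= set(matched):
        verdict = "wiper_chain"
    elif len(matched) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return matched, verdict


if __name__ == "__main__":
    found, result = evaluate(SAMPLE_EVENTS)
    print(result, found)
```

The verdict deliberately requires the destructive part of the chain rather than any one indicator, since disabling crash dumps or reconfiguring VSS can happen legitimately during administration.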

The SonicWall RTDMI engine, part of Capture ATP, provides proactive zero-day protection against this malware.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Functionality rich Android malware identified in the wild

The SonicWall Threats Research Team received reports of an Android malware sample in the wild that was hosted on an active domain. This malware appears to be a Remote Access Trojan with a number of capabilities.

Application Specifics

App Execution

After installing the application, its icon is visible without any application name:

The AndroidManifest.xml file can be used to identify how the application starts its execution flow. In this application the main activity is listed as com.depart.buddy.lz. However, looking at the code, this class is not present in the list of classes:

This indicates that a new dex file is most likely dropped during execution, and that this file contains the class declared as the main activity. Once executed, a file named kreaslX.json is dropped in the folder below:

Renaming the .json file to .zip and opening it in a disassembler shows us the missing class files:

The shared preferences file settings.xml can be viewed as the configuration file for this application. A number of the malware's capabilities are listed in this file:

Notable capabilities include:

  • Log SMS messages on the device
  • Log applications installed on the device
  • Log contacts
  • Request for Admin privileges
  • Lock device
  • Start TeamViewer application
  • Switch the sound off
  • Kill an application
  • Keylogger functionality
  • Turn PlayProtect off
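
The triage steps above (a dropped .json that is really a dex container, and a shared-preferences XML acting as the configuration) can be automated. The following Python is an added example, not code from the malware or from SonicWall: it classifies a payload by its magic bytes instead of its extension, lists the dex members inside a zip, and parses an Android shared-preferences <map> into a capability dict. The preference key names (log_sms, keylogger, play_protect_off and so on), the panel placeholder URL and the in-memory sample payload are constructed for the illustration; the real settings.xml keys are not reproduced on this page.

```python
"""Triage helpers for the dropped-dex and settings.xml observations above.

Added example, not the malware's or SonicWall's code. SAMPLE_SETTINGS_XML and
build_sample_payload() are constructed stand-ins for the real artefacts.
"""
import io
import json
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Union

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/apk/jar
DEX_MAGIC = b"dex\n"        # full dex header is "dex\n035\0"; the version digits vary


def sniff_container(data: bytes) -> str:
    """Classify a payload by its content, ignoring whatever extension it carries."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(DEX_MAGIC):
        return "dex"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except ValueError:          # covers UnicodeDecodeError and JSONDecodeError
        return "unknown"


def dex_entries_in_zip(data: bytes) -> List[str]:
    """Return the zip members whose first bytes are a dex header (code, not data)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                if fh.read(4) == DEX_MAGIC:
                    found.append(info.filename)
    return found


def parse_capabilities(xml_text: str) -> Dict[str, Union[bool, int, str]]:
    """Parse an Android shared-preferences <map> document into a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefs: Dict[str, Union[bool, int, str]] = {}
    for child in root:
        name = child.get("name", "")
        if child.tag == "boolean":
            prefs[name] = child.get("value") == "true"
        elif child.tag in ("int", "long"):
            prefs[name] = int(child.get("value", "0"))
        else:                   # <string> and anything else: keep the text
            prefs[name] = child.text or ""
    return prefs


def enabled_capabilities(prefs: Dict[str, Union[bool, int, str]]) -> List[str]:
    """Names of the boolean switches that are turned on."""
    return sorted(name for name, value in prefs.items() if value is True)


def build_sample_payload() -> bytes:
    """Constructed stand-in for the dropped 'kreaslX.json': a zip holding a dex stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 28)
        zf.writestr("assets/config.txt", b"not code")
    return buf.getvalue()


# Constructed settings.xml in the real shared-preferences layout; key names are hypothetical.
SAMPLE_SETTINGS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="log_sms" value="true" />
    <boolean name="log_installed_apps" value="true" />
    <boolean name="log_contacts" value="true" />
    <boolean name="request_admin" value="true" />
    <boolean name="lock_device" value="false" />
    <boolean name="start_teamviewer" value="false" />
    <boolean name="sound_off" value="false" />
    <boolean name="keylogger" value="true" />
    <boolean name="play_protect_off" value="true" />
    <int name="poll_interval_sec" value="60" />
    <string name="admin_panel">hxxp://panel.example.invalid</string>
</map>
"""


if __name__ == "__main__":
    payload = build_sample_payload()
    print("container:", sniff_container(payload), "dex members:", dex_entries_in_zip(payload))
    print("enabled:", enabled_capabilities(parse_capabilities(SAMPLE_SETTINGS_XML)))
```

Checking the magic bytes rather than trusting the .json suffix is the point: the renamed file opens as a zip, and the dex header on its members is what separates dropped code from harmless assets.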

Network Investigation

The application is hosted on hxxps://www.kisa.link/PMmG. The VirusTotal graph shows multiple malicious indicators connected with this domain:

A hardcoded admin panel address was identified in the shared_preferences.xml file: hxxp://helalolsundayiogli.co.vu. The VirusTotal graph for this domain shows multiple apk files connected to it:

Overall, this application appears to be part of a larger campaign propagated via the links mentioned above. It behaves as a Remote Access Trojan, accepting commands from the panel and executing its built-in functionality.

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.SM

Indicators of Compromise:

  • bfdd4663a096b21a1d2b7c993bb0aecd
  • 2dc70002c841181ee1e832381f8429ab

Realtek Jungle SDK remote code execution

Realtek currently manufactures and sells a variety of microchips globally. Realtek chipsets are found in many embedded devices in the IoT space. Realtek offers total HomeKit solutions with Ameba (RTL8711 series) and iCOM (RTL8196/8188 series) that can be easily implemented into various IoT platform designs, e.g. smart plugs, smart home appliances, home security systems, and smart sensor/lighting devices. RTL8xxx SoCs provide wireless capabilities, and the SDK exposes services over the network.

CVE-2021-35395
Realtek Jungle SDK versions v2.x up to v3.4.14B provide an HTTP web server exposing a management interface that can be used to configure the access point. There are two versions of this management interface: one based on GoAhead, named webs, and another based on Boa, named boa. Arbitrary command execution in formSysCmd via the sysCmd parameter exists in this SDK. Successful exploitation of this vulnerability allows remote attackers to gain arbitrary code execution on the device.

The HTTP web server ‘boa’ is also vulnerable to multiple buffer overflows due to unsafe copies of some overly long parameters submitted in the form, such as:

  • unsafe copy of the ‘submit-url’ parameter in formRebootCheck/formWsc/formWlanMultipleAP
  • unsafe copy of the ‘peerPin’ parameter in formWsc
  • unsafe copy of the ‘ifname’ parameter in formWlSiteSurvey
  • unsafe copy of the ‘hostname’ parameter in formStaticDHCP

The root cause of the above vulnerabilities is insufficient validation of the buffer size combined with unsafe calls to sprintf/strcpy. An attacker can exploit these vulnerabilities by crafting arguments in a specific request. Successful exploitation could lead to a server crash and denial of service.
Realtek has patched these vulnerabilities.
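The two defect classes above (the formSysCmd/sysCmd command-execution sink and the over-long parameters copied without a length check) are what a network-side rule has to recognise. The following Python is an added example, not Realtek's or SonicWall's code: it inspects form submissions to the boa interface and reports the conditions named in the text. The request format (form name taken from the last path segment, as in /boafrm/formWsc), the 64-byte length threshold, the formOther form and the sample requests are assumptions made for this illustration; the form and parameter names that are checked come from the text.

```python
"""Request inspection for the Realtek 'boa' form handlers described above.

Added example, not Realtek's or SonicWall's code. The URL layout, the length
threshold and SAMPLE_REQUESTS are constructed for this illustration.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Form handler -> parameters the text says are copied without a bounds check.
OVERFLOW_PARAMS: Dict[str, Tuple[str, ...]] = {
    "formRebootCheck": ("submit-url",),
    "formWsc": ("submit-url", "peerPin"),
    "formWlanMultipleAP": ("submit-url",),
    "formWlSiteSurvey": ("ifname",),
    "formStaticDHCP": ("hostname",),
}

# Assumed threshold: legitimate values for these fields are short (a page path,
# an 8-digit PIN, an interface name, a hostname). Tune to the device's real sizes.
MAX_PARAM_LEN = 64


def form_name(path: str) -> str:
    """Form handler is assumed to be the last path segment, e.g. /boafrm/formWsc."""
    return urlsplit(path).path.rsplit("/", 1)[-1]


def inspect_request(path: str, body: str) -> List[str]:
    """Return a list of findings for one form submission (empty if nothing is wrong)."""
    form = form_name(path)
    params = parse_qs(body, keep_blank_values=True)
    findings: List[str] = []

    # formSysCmd executes sysCmd: any submission carrying it is the RCE sink,
    # whatever the value, so the rule does not try to parse shell syntax.
    if form == "formSysCmd" and "sysCmd" in params:
        findings.append("command-injection sink: formSysCmd/sysCmd submitted")

    # Over-long values for the parameters that reach strcpy/sprintf.
    for name in OVERFLOW_PARAMS.get(form, ()):
        for value in params.get(name, []):
            if len(value) > MAX_PARAM_LEN:
                findings.append(f"oversized {name} ({len(value)} bytes) to {form}")
    return findings


def triage(requests: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map request index -> findings, keeping only requests that raised something."""
    result: Dict[int, List[str]] = {}
    for i, (path, body) in enumerate(requests):
        findings = inspect_request(path, body)
        if findings:
            result[i] = findings
    return result


# Constructed sample traffic (not captured from a device).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("/boafrm/formWsc", "submit-url=/index.htm&peerPin=12345678"),         # normal
    ("/boafrm/formSysCmd", "sysCmd=placeholder_command&apply=Apply"),       # RCE sink
    ("/boafrm/formWsc", "submit-url=" + "A" * 300 + "&peerPin=1234"),        # overflow
    ("/boafrm/formStaticDHCP", "hostname=" + "h" * 200 + "&ipaddr=192.0.2.10"),
    ("/boafrm/formOther", "username=" + "x" * 500),                          # not a listed form
]


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][0], findings)
```

Flagging formSysCmd on presence of sysCmd alone is deliberate: the handler itself is the execution primitive, so a length or character filter would only describe how a request is shaped, not whether it is dangerous.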

SonicWall Capture Labs provides protection against this threat via the following IPS signatures:

  • 18646: Realtek Jungle SDK Remote Code Execution 2
  • 18645: Realtek Jungle SDK Remote Code Execution 1
  • 18649: Realtek Jungle SDK HTTP Server Buffer Overflow 5
  • 18648: Realtek Jungle SDK HTTP Server Buffer Overflow 4
  • 18647: Realtek Jungle SDK HTTP Server Buffer Overflow 3
  • 18644: Realtek Jungle SDK HTTP Server Command Injection
  • 18643: Realtek Jungle SDK HTTP Server Buffer Overflow 2
  • 18642: Realtek Jungle SDK HTTP Server Buffer Overflow

Threat Graph