
Mobef ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Mobef ransomware actively spreading in the wild.

The Mobef ransomware encrypts the victim’s files with a strong encryption algorithm just for fun.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
  • %App.path%\ IMPORTANT.README
  • %App.path%\ SECRET.KEYFILE

Once the computer is compromised, the ransomware runs the following commands:

When Mobef is started, it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf.

Here is an example:

The ransomware encrypts all the files without changing their filename extension.

After encrypting all personal documents, the ransomware shows the following image containing a message reporting that the computer has been encrypted just for fun.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Mobef.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

SolarWinds Orion Vulnerability

Updated January 15, 2021

The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that malicious threat actors have been and are actively exploiting vulnerabilities in SolarWinds Orion products, specifically affected versions 2019.4 through 2020.2.1 HF1.


The threat actor primarily leverages a malware commonly known as SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform. SolarWinds Orion is an enterprise-grade IT monitoring solution.


This malware was seen being distributed as part of SolarWinds Orion software updates from March 2020. As part of the software update, this malware comes in the form of a dynamic-link library (DLL) that was digitally signed by SolarWinds. Once loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, this malware is capable of transferring data, file execution, system profiling, rebooting and more.


Apart from being digitally signed, this malware employed other evasion tactics. These include using Teardrop, a memory-only dropper, to deploy a customized Cobalt Strike beacon. It also encoded strings such as domain names, user-agents, registry keys and others.


A few of the notable encoded strings are as follows:

  • 583da945-62af-10e8-4902-a8f205c72b2e -> This is the name of a named pipe which will be used as a mutex to avoid multiple instances of the malware from running.
  • avsvmcloud[.]com -> one of the domain names this malware connects to.
  • SolarWindsOrionImprovementClient/3.0.0.382 -> the User-Agent field the malware will use during HTTP communication with the C&C server.


The Command & Control traffic is also difficult to detect, as it was designed to mimic legitimate SolarWinds API calls. Unlike other botnet malware, which connects to its C&C on a regular basis, SUNBURST only communicates with the malicious server once every 12 to 14 days.


SolarWinds has confirmed the attack and has asked impacted customers using Orion to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.


Both SolarWinds and the CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.


SonicWall Capture Labs threat researchers have investigated the vulnerability and published multiple signatures in different categories that identify malicious activity against affected SolarWinds Orion versions. It includes application identification signatures that detect if an organization has SolarWinds Orion deployed within its network; malicious domain signatures; malicious IPs; malware such as Sunburst, Supernova and Teardrop. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Application signatures – identify SolarWinds Orion applications:

  • 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
  • 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)

IPS signatures – identify malicious domains:

  • 15292: SolarWinds Supply Chain Malware Activity 1
  • 15293: SolarWinds Supply Chain Malware Activity 2
  • 15294: SolarWinds Supply Chain Malware Activity 3
  • 15295: SolarWinds Supply Chain Malware Activity 4
  • 15298: SolarWinds Supply Chain Malware Activity 5
  • 15299: SolarWinds Supply Chain Malware Activity 6
  • 15300: SolarWinds Supply Chain Malware Activity 7
  • 15301: SolarWinds Supply Chain Malware Activity 8
  • 15302: SolarWinds Supply Chain Malware Activity 9
  • 15303: SolarWinds Supply Chain Malware Activity 10
  • 15308: SolarWinds Supply Chain Malware Activity 11
  • 15309: SolarWinds Supply Chain Malware Activity 12
  • 15310: SolarWinds Supply Chain Malware Activity 13
  • 15311: SolarWinds Supply Chain Malware Activity 14
  • 15312: SolarWinds Supply Chain Malware Activity 15
  • 15313: SolarWinds Supply Chain Malware Activity 16
  • 15314: SolarWinds Supply Chain Malware Activity 17
  • 15315: SolarWinds Supply Chain Malware Activity 18
  • 15316: SolarWinds Supply Chain Malware Activity 19
  • 15317: SolarWinds Supply Chain Malware Activity 20

GAV signatures – identify malware: [Updated on Jan 14]

Sunburst – Backdoor malware that has been trojanized into multiple SolarWinds Orion update versions.

  • SunBurst.A (Trojan), IOC: d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • SolarWinds.DL (Trojan), IOC: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • SunBurst.A_1 (Trojan), IOC: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • SunBurst.A_2 (Trojan), IOC: ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1
  • SunBurst.A_3 (Trojan), IOC: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

Supernova – a webshell planted in the code of the Orion network and application monitoring platform that enables adversaries to run arbitrary code on machines running the trojanized versions of the software.

  • Injector.DN_35 (Trojan), IOC: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • Supernova.A_1 (Trojan), IOC: 1c96021ac8cb52173e762f6b008fb4c6e5ef113e6baa4e2cf4848e88c61d9700

Teardrop – a memory-only dropper that runs as a service

  • Teardrop.B (Trojan), IOC: 6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d

Domain Blacklist: [Updated on Jan 15]

  • avsvmcloud.com
  • digitalcollege.org
  • freescanonline.com
  • deftsecurity.com
  • thedoccloud.com
  • virtualdataserver.com
  • incomeupdate.com
  • databasegalore.com
  • panhardware.com


SonicWall products and real-time security services can help organizations identify and mitigate SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.


To verify you have the latest SonicWall Intrusion Prevention Signatures (IPS), please follow the steps in this knowledgebase (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/


Cybersecurity News & Trends – 12-11-20

This week, cybersecurity news moved to the federal level as nation-state hacking and international cybersecurity cooperation made headlines.


SonicWall in the News

SonicWall Wins Six Prestigious Awards In The 15th Annual Network Product Guide’s 2020 IT World Awards — SonicWall Press Release

  • SonicWall has swept six industry awards at the 15th Annual Network Product Guide’s 2020 IT World Awards, including the coveted Grand Trophy distinction for having exhibited overall excellence in diverse categories.

An Outside View of Cybersecurity ‘Inside the Beltway’ — Federal News Network

  • Federal News Network shared a podcast interview with SonicWall President and CEO Bill Conner on the persistent threats impacting the federal space and how ransomware and IoT will impact federal IT systems moving forward.

FDA Approval Is Not The Only Vaccine Challenge — Industry Week

  • Bill Conner explains how cybercriminals could impact the vaccine supply chain if a successful attack is to occur, and what organizations need to do to defend themselves.

Healthcare in Crisis: Diagnosing Cybersecurity Shortcomings in Unprecedented Times — Threatpost

  • The pandemic’s unprecedented impact on healthcare lay bare the gaping holes in the healthcare industry’s cybersecurity defenses — and security experts say the fallout will impact the healthcare industry well into 2021.

Industry News

Russian hackers hide Zebrocy malware in virtual disk images — Bleeping Computer

  • Russian-speaking hackers behind Zebrocy malware have changed their technique and are now packing the threats in virtual hard drives (VHD) to avoid detection.

Ransomware gangs are getting faster at encrypting networks. That will make them harder to stop — ZDNet

  • The window for finding attackers on your network before ransomware is deployed is getting much smaller.

Russia’s FireEye Hack Is a Statement—but Not a Catastrophe — Wired

  • The cybersecurity firm has acknowledged that it has itself been the victim of a breach — and that the attackers made off with some of its offensive tools.

Norwegian police implicate Fancy Bear in parliament hack, describe ‘brute forcing’ of email accounts — Cyberscoop

  • In their accusation of Russian involvement in an August cyberattack on Norwegian parliament, authorities have implicated the same notorious group accused of interfering in the 2016 U.S. election.

Critical Flaws in Millions of IoT Devices May Never Get Fixed — Wired

  • Amnesia:33 is the latest in a long line of vulnerabilities that affect countless embedded devices.

Credit card stealing malware bundles backdoor for easy reinstall — Bleeping Computer

  • An almost-impossible-to-remove malware, programmed to automatically activate on Black Friday, was deployed on multiple Magento-powered online stores.

The EU is making overtures about cybersecurity collaboration under Biden — Cyberscoop

  • European Union members convened in an effort to take stock of the U.S. presidential election and plan how to best jumpstart cooperation with the incoming Biden administration on matters including cybersecurity.

U.S. National Security Agency warns of Russian hacking against VMware products — Reuters

  • A new cybersecurity alert from the U.S. National Security Agency warns that Russian “state-sponsored” hackers are actively exploiting a software vulnerability in multiple products made by cloud computing company VMware Inc.

Iranian Hackers Access Unprotected ICS at Israeli Water Facility — Security Week

  • A group of Iranian hackers recently posted a video showing how they managed to access an industrial control system at a water facility in Israel.

Man Pleads Guilty to Role in Malware Protection Scam — Security Week

  • A man has pleaded guilty to his role in a computer protection services scam that cheated victims out of nearly $1 million by misleading them into believing that malware had been detected on their computers.

U.S. and Australia to develop shared cyberattack training platform — Bleeping Computer

  • The U.S. and Australia have signed a first-ever bilateral agreement that allows the U.S. Cyber Command and Australia’s Information Warfare Division to jointly develop and share a virtual cyber training platform.

Android apps with millions of downloads are vulnerable to serious attacks — Ars Technica

  • Android apps with hundreds of millions of downloads are vulnerable to attacks that allow malicious apps to steal contacts, login credentials, private messages and other sensitive information.

Home Offices Face Bigger Cyber Threat, Biden Top Economist Warns — Bloomberg

  • Brian Deese, chosen by Biden to lead the National Economic Council, said in an interview broadcast Wednesday, “The risk of operating from home offices in terms of cyberattacks is exponentially greater.”

In Case You Missed It

Breach of FireEye Offensive Tools

On December 8, 2020, the cybersecurity firm FireEye disclosed an incident that resulted in the theft of the offensive security tools (OSTs) used by its Red Team to test the security posture of its customers.

Some of these tools resemble the well-known offensive framework Cobalt Strike. This is evident in the naming convention used by FireEye.

In response to the breach, FireEye has provided Red Team tool countermeasures, which are available on GitHub. These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of these tools leverage a 0-day vulnerability, FireEye also provided a list of the CVEs used by these tools.

An important step in preventing the use of these red teaming tools in your environment is to patch the vulnerabilities they are known to exploit.

The SonicWall Capture Labs Threat Research team provides protection against the list of CVEs shown above, as well as the Beacon tool used by the FireEye Red Team, with the following signatures:

  • IPS:14422 Pulse Connect Secure Information Disclosure
  • IPS:15143 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  • IPS:15156 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS:15158 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
  • IPS:15185 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
  • IPS:15081 Fortinet SSL VPN Web Portal Directory Traversal
  • IPS:13910 Adobe ColdFusion Arbitrary File Upload 1
  • IPS:14689 Microsoft SharePoint Remote Code Execution (FEB 19)
  • IPS:14225 Remote Desktop Services Remote Code Execution (MAY 19)
  • IPS:14725 Citrix NetScaler ADC/Gateway Directory Traversal 2
  • IPS:14886 ManageEngine Desktop Central Insecure Deserialization
  • IPS:14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
  • IPS:14888 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 2
  • IPS:14889 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 3
  • IPS:14890 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 4
  • IPS:11556 Win32k Elevation of Privilege (MS16-039) 2
  • IPS:2007 FireEye RUBEUS nonce 2 TCP
  • IPS:2009 FireEye RUBEUS nonce 2 UDP
  • IPS:15285 FireEye BEACON CSBundle USAToday Server
  • IPS:15286 FireEye RUBEUS Process
  • IPS:15287 FireEye GORAT Build ID
  • IPS:15288 FireEye BEACON CSBundle Original Stager

An Android stealer with a multitude of spyware capabilities

The SonicWall Threats Research team came across an Android spyware that steals sensitive user information and sends it to the attacker. The app has a plethora of functionalities centered on stealing information from the device. However, a more concerning element of the malware is that all the stolen information is transmitted over an unsecured HTTP channel.

Infection Cycle

Details of the sample analyzed:

  • MD5:5c698417916ab2a9df1d577507be5725
  • App Name: 19금 틱톡 (19 gold tiktok)
  • Package Name: com.yjx.callservice

Upon installation the app is visible in the app drawer as follows:

Upon execution, the app starts communicating with the attacker using the hardcoded IP 116.193.152.176:7788. The communication happens over plain HTTP, which means any user information sent to the attacker travels over an unsecured channel. One of the first things the app does is create a unique ID for the infected device; this ID is saved locally in the shared_prefs file and then shared with the attacker to report the initial infection. This is performed using a POST request to addNewUser, as shown below:

The malware then sends the following data from the infected device:

  • Contacts on the device are sent to addContactes (notice the spelling error):

  • Apps installed are sent to addAppes (another spelling mistake):


There are additional interesting API requests present in the code that highlight the features and capabilities of this malware:

  • addNewAccount
  • addNewCallloges
  • addNewLocation
  • addNewSmses
  • getAllBlackList
  • editUserMobileNetwork
  • findCall
  • getRealPhone
  • getAllIncoming
  • uploadFile


Functionalities in the code

The malware is capable of communicating with the attacker over a WebSocket. It can execute the following functionality based on the command code received over the WebSocket:

  • take_photo

  • start_record

There are additional traces in the code which reveal more functionality of the malware. It is capable of the following:

  • Steal all the SMS on the device:

  • Steal the call logs from the device:

  • Steal all contacts:

  • Get all apps installed on the device (we saw this functionality used in the network communication earlier):


Additional investigation

  • A network graph of the attacker’s domain reveals two additional apps that communicate with it:


  • The two APKs related to this campaign have similar functionality. Below are their MD5s:
    • e8509b2a57423a1b4b2d8bcf33973974
    • b67d42100440dd6c03b56da2c71b5130


  • The hardcoded attacker domain opens a login page. As mentioned before, this happens over plain HTTP, so any sensitive information could also be intercepted by a third party:


  • The following hardcoded information is present in the code:

Attacker server IP:

Gmail credentials:

QQ chat id:

Overall, this malware is geared towards stealing sensitive user information from an infected device. The log messages and text present in the code are Korean, and the language used on the attacker's server login page is Korean as well.


SonicWall Capture Labs provides protection against this threat with the following signature:

  • Banker.SP (Trojan)

Indicators of Compromise (IOC’s):

  • 5c698417916ab2a9df1d577507be5725
  • e8509b2a57423a1b4b2d8bcf33973974
  • b67d42100440dd6c03b56da2c71b5130
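The two write-ups above (SUNBURST earlier on this page, and this Android stealer) each publish network indicators: a User-Agent string and a domain blocklist for SUNBURST, and a hardcoded server plus plaintext HTTP API paths for the stealer. The following script is an added example, not SonicWall's signatures or the malware's own code, that checks proxy log lines against exactly those page-listed indicators. The log format, every log line, and the hostnames under the blocklisted domains are constructed for the demonstration.

```python
"""Match the network indicators from the SUNBURST and Android stealer
write-ups against proxy log lines.

Added example, not SonicWall's signatures or the malware's own code.
Indicators come from the page: the SUNBURST User-Agent and C&C domain
blocklist, and the Android stealer's hardcoded server 116.193.152.176:7788
with its plaintext HTTP API paths (addNewUser, addContactes, addAppes).
The log format and every log line below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

SUNBURST_UA = "SolarWindsOrionImprovementClient/3.0.0.382"

DOMAIN_BLOCKLIST = {
    "avsvmcloud.com", "digitalcollege.org", "freescanonline.com",
    "deftsecurity.com", "thedoccloud.com", "virtualdataserver.com",
    "incomeupdate.com", "databasegalore.com", "panhardware.com",
}

STEALER_SERVER = ("116.193.152.176", 7788)
STEALER_PATHS = {"/addNewUser", "/addContactes", "/addAppes"}

# Constructed log format: <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def blocked_domain(host):
    """Return the blocklist entry that `host` equals or is a subdomain of, else None."""
    for d in sorted(DOMAIN_BLOCKLIST):
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(line):
    """Return the list of indicator tags that a single log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    tags = []
    if m["ua"] == SUNBURST_UA:
        tags.append("sunburst-ua")
    d = blocked_domain(host)
    if d:
        tags.append("blocked-domain:" + d)
    if (host, url.port) == STEALER_SERVER:
        tags.append("stealer-server")
    if url.path in STEALER_PATHS:
        tags.append("stealer-api:" + url.path)
    # The write-up's point about the stealer: its traffic is plain HTTP, so
    # everything it exfiltrates is readable on the wire.
    if url.scheme == "http" and any(t.startswith("stealer") for t in tags):
        tags.append("plaintext-http")
    return tags


def scan_log(lines):
    """Return (line_number, tags) for every line that triggers at least one tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample traffic; the subdomain under avsvmcloud.com is made up.
SAMPLE_LOG = [
    '2020-12-14T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200 "Mozilla/5.0"',
    '2020-12-14T10:00:07Z 10.0.0.7 GET https://abc123.avsvmcloud.com/ 200 '
    '"SolarWindsOrionImprovementClient/3.0.0.382"',
    '2020-12-14T10:00:12Z 10.0.0.9 POST http://116.193.152.176:7788/addContactes 200 "Dalvik/2.1.0"',
    '2020-12-14T10:00:20Z 10.0.0.9 GET http://freescanonline.com/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

Domain matching deliberately includes subdomains of each blocklist entry, since a list of registrable domains is only useful if hosts beneath them are caught too; exact-string matching on the full hostname would miss them.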



Microsoft Security Bulletin Coverage for December 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft's security advisories for the month of December 2020. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability
ASPY 136:Malformed-File dll.MP.6

CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 135:Malformed-File cab.MP.2

CVE-2020-17140 Windows SMB Information Disclosure Vulnerability
IPS 15284 Windows SMBv2 Information Disclosure (CVE-2020-17140)

CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability
ASPY 134:Malformed-File exe.MP.167

CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283:Microsoft Dynamics 365 Remote Code Execution Vulnerability

CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283:Microsoft Dynamics 365 Remote Code Execution Vulnerability

The following vulnerabilities do not have known exploits in the wild:
CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure
There are no known exploits in the wild.
CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17147 Dynamics CRM Webclient Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability
There are no known exploits in the wild.

Egregor Ransomware

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Egregor Ransomware. The Egregor sample below is a library (DLL) that contains code and data that can be used by more than one program at the same time. The library is highly obfuscated and encrypted using the Salsa20 and ChaCha stream ciphers and RSA encryption. This makes analysis difficult from a reverse engineering and debugging point of view.

The library contains export functions that are required to be called from other stages of the infection chain. The export function parameters usually accept the key or password to unlock, deobfuscate and decrypt the code sections. Once the sample is done unwinding, it will release the payload hidden inside. The key and/or password is normally unique or specific to each sample, and it is always located somewhere inside the sample. It's up to the researcher to locate it.

The command we can use to bypass the distribution methods below when debugging:
regsvr32.exe path_to_dll DllRegisterServer param1 param2

Egregor releases stolen data on its website, Egregor News, to increase the pressure on the victim to pay the ransom. Egregor News is used to post the names and domains of Egregor victims along with data sets taken from them.

Distribution Methods & Tactics:

  • Cobalt Strike
  • RDP Exploit
  • Phishing
  • CVE-2020-0688
  • CVE-2018-8174
  • CVE-2018-4878
  • CVE-2018-15982
  • QBot
  • Ursnif
  • icedID

RaaS News Website:

Stage 1, Static Information:

ChaCha / Salsa20 Initial State Information:

Stage 1 uses an implementation of ChaCha (2008)/Salsa20 (2005) as the main encryption. The "nothing-up-my-sleeve number" used to pinpoint ChaCha or Salsa20 is "expand 32-byte k". This is the algorithm constant, and when you see it the implementation is considered to use a 256-bit key. The 32-byte constant can be seen below:

The key used for unlocking stage 1:
“Elon Musk 2024! To The Future!!!” and “SpaceX!!”
The words are filtered, parsed and rearranged for parts of the ChaCha decryption stage.
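The paragraph above identifies the cipher by its "expand 32-byte k" constant. The following script is an added example, not SonicWall's tooling and not run against the Egregor sample, that locates that constant in an arbitrary binary blob. It finds the 256-bit sigma constant both as one contiguous 16-byte string and as its four little-endian dwords scattered within a short window (compilers frequently emit them as separate immediates, so a plain string search misses them), and it also reports the 128-bit "expand 16-byte k" (tau) variant. The blob it scans is constructed inline.

```python
"""Locate the ChaCha/Salsa20 'expand 32-byte k' constant in a binary blob.

Added example for the Stage 1 discussion; not SonicWall's tooling and not
run against the Egregor sample. Reports the 256-bit sigma constant both as
a contiguous string and as four little-endian dwords within a window, plus
the 128-bit 'expand 16-byte k' (tau) variant. The blob is constructed.
"""
import struct

SIGMA = b"expand 32-byte k"  # 256-bit key: 0x61707865 0x3320646e 0x79622d32 0x6b206574
TAU = b"expand 16-byte k"    # 128-bit key variant


def dwords(const):
    """Split a 16-byte constant into its four little-endian 32-bit words (as bytes)."""
    return [struct.pack("<I", w) for w in struct.unpack("<4I", const)]


def find_contiguous(blob, const):
    """Offsets where the whole constant appears as one run of bytes."""
    hits, start = [], 0
    while True:
        i = blob.find(const, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def find_split(blob, const, window=64):
    """Offsets of the first dword where all four dwords fall within `window` bytes."""
    parts = dwords(const)
    first, rest = parts[0], parts[1:]
    hits = []
    for i in range(len(blob) - 3):
        if blob[i:i + 4] != first:
            continue
        region = blob[i:i + window]
        if all(region.find(p) >= 0 for p in rest):
            hits.append(i)
    return hits


def scan(blob):
    """Report contiguous and split occurrences of both constants."""
    report = {}
    for name, const in (("sigma-256", SIGMA), ("tau-128", TAU)):
        contig = find_contiguous(blob, const)
        # A contiguous hit also satisfies the split search; report it once.
        split = [o for o in find_split(blob, const) if o not in contig]
        report[name] = {"contiguous": contig, "split": split}
    return report


def build_sample():
    """Constructed blob: sigma once as a string at offset 32, then its four
    dwords each preceded by a one-byte opcode stand-in and padded with NOPs,
    the way a compiler might spread them across several instructions."""
    split = b"".join(b"\xb8" + p + b"\x90\x90\x90" for p in dwords(SIGMA))
    return b"\x90" * 32 + SIGMA + b"\x00" * 40 + split + b"\xff" * 16


if __name__ == "__main__":
    for name, found in scan(build_sample()).items():
        print(name, found)
```

Finding the constant tells you which cipher family the unpacker uses, not its key: as the write-up notes, the key material is sample-specific and has to be located separately.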

Stage 1, Dynamic Information:

Start of Encrypted Data

End of Encrypted Data

The size of the encrypted data: 0x4EAAD (322,221 decimal).

After Decryption:

String Artifacts:

Two of the parameters shown in the picture above are --del and --dubisteinmutterficker.
dubisteinmutterficker is German for "you're a mother fucker."
We also see references to Elon Musk and SpaceX.

2nd Stage, Commands Payload Will Accept:

Egregor’s payload can accept several command line arguments, including:

  • --fast: used to limit file size for encryption.
  • --full: perform encryption of the full victim system (including local and network drives).
  • --multiproc: multi-process support.
  • --nomimikatz: Mimikatz is an open source toolkit.
  • --nonet: does not encrypt network drives.
  • --path: specific folder to encrypt.
  • --target: target extension for encryption.
  • --append: file extension to append to encrypted files.
  • --norename: does not rename the files it encrypts.
  • --greetings: prepends the name to the ransom note, presumably to directly address the victim.
  • --samba: provide shared access to files, printers, and serial ports between nodes.
  • --killrdp: remote desktop protocol

The most common command that is used is --full.

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Egregor.RSM (Trojan)

Appendix:

Sample SHA256 Hash: 38b155b6546db882189cc79bcac0b0284d3f858e0feb1e5dbc24b22f78cdfb68

Cybersecurity News & Trends – 12-04-20

This week, Trickbot is gaining strength, Bitcoin is gaining value, and cybercriminals are gaining ground against vaccine manufacturers.


SonicWall in the News

New Partnerships Boost OT/IoT Security Across Digital Environments — Security Boulevard

  • SonicWall’s Q3 Threat Report data is cited in this article about Nozomi Networks partnership with Honeywell and Yokogawa Europe.

Top Tips to Stay Safe During Black Friday & Cyber Monday — Security Toolbox

  • Check out five tips to maintain security hygiene when shopping online during the upcoming holiday season.

Industry News

Manchester United attack illuminates the cyberthreats facing an overlooked sports sector — Cyberscoop

  • The headline-making attack is a stark reminder that major sports franchises have targets on their backs, even if regulators and the press don’t apply the same amount of scrutiny to data protection strategies in athletics as in other sectors.

Federal agencies warn that hackers are targeting US think tanks — The Hill

  • The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that major hacking groups are targeting U.S. think tanks.

Companies Urged to Adjust Hiring Requirements for Cyber Jobs — The Wall Street Journal

  • Companies need millions more cybersecurity professionals to fill roles around the world, but researchers say the problem may be outlandish job requirements, rather than a lack of workers.

FINRA Warns Brokerage Firms of Phishing Campaign — Security Week

  • Cybercriminals are using a recently registered lookalike domain in a phishing campaign targeting U.S. organizations, the Financial Industry Regulatory Authority warns.

Cyberespionage APT group hides behind cryptomining campaigns — Bleeping Computer

  • An advanced threat group called Bismuth recently used cryptocurrency mining as a way to hide the purpose of their activity and to avoid triggering high-priority alerts.

Bitcoin Hits New Record, This Time With Less Talk of a Bubble — The New York Times

  • The crazy cousin of traditional currencies, which fell below $4,000 in March, has now passed $19,783 — and more investors are now buying it for the long term.

Government watchdog urges policymakers to boost cybersecurity for 5G networks — The Hill

  • The agency detailed “capabilities and challenges” involved in the buildout of 5G networks and made a number of recommendations aimed at scaling up cybersecurity, spectrum availability and consumer data privacy.

Supreme Court considers scope of federal anti-hacking law in biggest cyber case to date — Cyberscoop

  • This case is the biggest to come before the nation’s highest court involving the Computer Fraud and Abuse Act (CFAA), written in the 1980s and centering on when an individual “exceeds authorized access” to a computer.

It’s hard to keep a big botnet down: TrickBot sputters back toward full health — Cyberscoop

  • Mounting evidence suggests that TrickBot, the vast botnet that both U.S. Cyber Command and a Microsoft-led coalition sought to disable around the 2020 elections, is on the mend and evolving.

Coronavirus: Hackers targeted Covid vaccine supply ‘cold chain’ — BBC

  • The international vaccine supply chain has reportedly been targeted by cyber-espionage.

The Internet’s Most Notorious Botnet Has an Alarming New Trick — Wired

  • The hackers behind TrickBot have begun probing victim PCs for vulnerable firmware, which would let them persist on devices undetected.

North Korean Hackers Are Said to Have Targeted Companies Working on Covid-19 Vaccines — The Wall Street Journal

  • At least six pharmaceutical companies in the U.S., the U.K. and South Korea were targeted as the regime seeks sensitive information it could sell or weaponize.

In Case You Missed It

Beware of fraud apps leveraging Google Play Store for distribution

The SonicWall Capture Labs threat research team regularly shares information about the malware threats plaguing Android devices. SonicWall has tracked down another finance-themed malicious app. Until recently the app was distributed via the Google Play Store; it has since been removed from the Play Store after we reported it to the concerned team.

The app targets Indian Android phone users and is portrayed as an app that helps the user obtain a loan. Its high installation count (0.1-0.5 million) indicates that many users may have fallen prey to this fraud app. A similar fraud app has been noticed in the Google Play Store; the concerned team has already been notified of it.

At present, the fraudulent app is not detected by any AV vendor, as seen on the popular threat intelligence sharing portal VirusTotal.

The app promised to provide easy loans to customers and appeared genuine by providing information about loan EMI and interest in its description.

After installation, it showed a list of required permissions. Interestingly, the app prompted the user to grant each permission by describing why it was required. The app then instructed the user to complete three steps to get a loan.

In the first step, called “Submit info”, personal, work and bank-related information is collected from the user. There is no validation of the account details the user is asked to enter, as shown below:

In the second step, the user’s credit limit is supposedly computed from the information provided in step one. The user is then asked to pay 399 INR as a security deposit before the loan request can be processed further. Various payment options such as net banking, UPI and debit/credit card are offered. An active timer is also started to rush the user into making the payment.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • FraudApp.B (Trojan)
  • FraudApp.C (Trojan)

Indicators of Compromise (IOCs):

  • 2dd16df38421e8ba98e52bbc4fab81145a672775b72bf676f19b6c55a209cb1c
  • 0317c1270d57ffc57dda791f3786de34205055d6e42a1e2f30216971b790867

Ransomware spares no one except if you are from Russia, Kazakhstan or Ukraine

The SonicWall Capture Labs Research team has observed another ransomware being circulated in the wild recently. It was first spotted earlier this year but had not gained much traction at the time. Interestingly, this relatively obscure ransomware promises to decrypt your files if you are from Russia, Kazakhstan or Ukraine, and it does not impose a time limit on when victims can send payment to decrypt their files.

Infection Cycle:

Erica ransomware comes as an executable that uses the following icons:

Upon execution, it connects to the remote server 178.170.219.108.

It spawns a legitimate file to carry out its malicious functionality. During our analysis it used cvtres.exe, a Microsoft Windows file that is part of the C++ tool chain (see more details here).

cvtres.exe then encrypts the victim’s files and appends random characters to each file’s original name.

This ransomware uses the Microsoft Enhanced RSA and AES Cryptographic Provider to create keys and encrypt data using the RSA algorithm.

It then zips up the entire %users% directory under a random name and sends the archive to a remote server.

A ransom note is created in every directory in which files have been encrypted. The attackers promise to help with decryption if you are from Russia, Kazakhstan or Ukraine, and they do not impose a time limit on when you decide to pay to decrypt your files.

An email address is included in the note, base64 encoded; decoded, it reads:

erica_affiliate @ protonmail.com
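The behaviours above (cvtres.exe abused as the encryptor, the callback to 178.170.219.108, a base64-encoded contact in the note) lend themselves to simple triage checks. The following is an added example, not SonicWall's code; the telemetry format, the parent process name, the list of legitimate cvtres.exe parents and the sample note are all constructed for illustration.

```python
"""Triage helpers for the Erica behaviours described in the post (added
example, not SonicWall's code). The log format, parent process name,
build-tool list and sample ransom note are constructed assumptions."""
import base64
import re

ERICA_C2 = "178.170.219.108"  # remote server named in the post
# Assumption: cvtres.exe is normally launched only by the MSVC/.NET build
# chain and has no reason to open a network connection on its own.
BUILD_PARENTS = {"link.exe", "cl.exe", "msbuild.exe", "csc.exe", "vbc.exe", "devenv.exe"}


def flag_event(line: str) -> list[str]:
    """Score one constructed telemetry line of the form
    'proc|<parent>|<child>' or 'net|<process>|<remote_ip>'.
    Returns the reasons it resembles Erica activity (empty if benign)."""
    kind, subject, obj = line.strip().split("|", 2)
    reasons = []
    if kind == "proc" and obj.lower() == "cvtres.exe" and subject.lower() not in BUILD_PARENTS:
        reasons.append(f"cvtres.exe spawned by non-build parent {subject}")
    if kind == "net" and subject.lower() == "cvtres.exe":
        reasons.append("cvtres.exe opened an outbound connection")
    if kind == "net" and obj == ERICA_C2:
        reasons.append(f"connection to known Erica server {ERICA_C2}")
    return reasons


_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_note_contacts(note: str) -> list[str]:
    """Find base64 tokens in ransom-note text and return those that decode
    to an e-mail address, since the Erica note hides its contact that way."""
    found = []
    for tok in _B64_TOKEN.findall(note):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except Exception:  # not valid base64 or not text: skip the token
            continue
        if "@" in text and text.isprintable():
            found.append(text)
    return found


# Constructed sample note carrying the address the post decodes.
SAMPLE_NOTE = ("All your files have been encrypted. Write to us at: "
               + base64.b64encode(b"erica_affiliate@protonmail.com").decode()
               + " and include your ID.")

if __name__ == "__main__":
    for ev in ("proc|unknown_sample.exe|cvtres.exe", "proc|link.exe|cvtres.exe",
               "net|cvtres.exe|178.170.219.108", "net|chrome.exe|203.0.113.5"):
        print(ev, "->", flag_event(ev) or "ok")
    print(decode_note_contacts(SAMPLE_NOTE))
```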

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Erica.RSM (Trojan)
  • GAV: Erica.RSM_1 (Trojan)
  • GAV: Erica.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.