Posts

This spyware poses as a fake Android WhatsApp update app

SonicWall Capture Labs threat researchers observed an interesting Android sample that passes itself off as a WhatsApp Updater app. Anyone with basic security awareness will quickly point out that there is no separate app to update WhatsApp, as clearly stated in the WhatsApp FAQ. As expected, this app simply uses WhatsApp as a disguise to hide its spyware capabilities.

Distribution mechanism

This fake updater app (at the time of writing this blog) is hosted on android-update[.]net/whatsapp-update.apk. Installation of apps from unknown sources is blocked by default on Android devices; as a result, whenever an APK file is downloaded the user is shown a warning stating that installing it might be dangerous. This website tries to convince the user to ignore that warning and states that the WhatsApp update is completely safe to install:

The site android-update.net has been deemed malicious on VirusTotal.

Dangerous Permissions

This app requests several permissions that are risky in the wrong hands:

  • receive_boot_completed
  • read_contacts
  • access_fine_location
  • read_history_bookmarks
  • write_settings
  • system_alert_window
  • record_audio
  • send_sms
  • bind_accessibility_service
  • bind_device_admin
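An added example (not code from the post) of the check a reviewer or automated triage would run on such an APK's manifest: collect every declared permission, including the BIND_* ones that live on receivers and services rather than in uses-permission, and flag those the post lists as risky. The manifest, package name and "updater baseline" are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post lists as risky in the wrong hands, keyed by the short
# lower-case names the post uses, with the capability each one grants.
RISKY = {
    "receive_boot_completed": "restart automatically after reboot (persistence)",
    "read_contacts": "read the contact list",
    "access_fine_location": "precise GPS location",
    "read_history_bookmarks": "browser history and bookmarks",
    "write_settings": "change system settings",
    "system_alert_window": "draw over other apps (overlays)",
    "record_audio": "capture the microphone",
    "send_sms": "send SMS messages",
    "bind_accessibility_service": "run an accessibility service (UI automation)",
    "bind_device_admin": "act as device administrator (hard to uninstall)",
}

# Constructed baseline of what a self-described "updater" could plausibly need.
UPDATER_BASELINE = {"internet", "access_network_state"}


def short_name(full: str) -> str:
    """'android.permission.RECORD_AUDIO' -> 'record_audio'. Also handles vendor
    namespaces such as com.android.browser.permission.READ_HISTORY_BOOKMARKS."""
    return full.rsplit(".", 1)[-1].lower()


def declared_permissions(manifest_xml: str) -> set:
    """Collect permissions from both places they appear in a manifest:
    <uses-permission android:name=...> for ordinary permissions, and the
    android:permission attribute on <receiver>/<service>, which is how
    BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE are declared."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            found.add(short_name(name))
    for tag in ("receiver", "service", "activity"):
        for node in root.iter(tag):
            guard = node.get(ANDROID_NS + "permission")
            if guard:
                found.add(short_name(guard))
    return found


def assess(manifest_xml: str) -> dict:
    """Report the risky permissions present (with reasons) and every permission
    that falls outside the updater baseline."""
    perms = declared_permissions(manifest_xml)
    return {
        "declared": sorted(perms),
        "flagged": {p: RISKY[p] for p in sorted(perms) if p in RISKY},
        "unexpected": sorted(perms - UPDATER_BASELINE),
    }


# Constructed manifest mirroring the permission set reported for the sample;
# the package and component names are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST)
    for perm, why in result["flagged"].items():
        print(f"{perm:28} {why}")
    print("outside updater baseline:", ", ".join(result["unexpected"]))
```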

Infection Cycle

After installation and execution, the app promptly requests device admin privileges. This alone should be a red flag, as WhatsApp itself does not request device admin privileges:

If the permission is not granted immediately, the app keeps requesting it until it is granted. This tactic aims to ruin the user experience and wear the user down into granting the permission.

Siphoning personal data

The app communicates with the server superwat.biz and begins exfiltrating sensitive user-related information from the device and the network. A few of these exchanges are listed below:

The communication begins with a POST message to the folder settings, which carries the different options/switches under which the app (which by now shows clear signs of being spyware) will operate:

Some noteworthy switches:

  • line_call_record
  • whatsapp_call_record
  • stream_recording
  • spy_call


There was a POST message to the folder DeviceInfo which sent device related data:

There was a POST message to the folder Put containing highly sensitive data, including:

  • Device IMEI
  • Installed apps with their memory usage
  • GPS location data
  • Browser history showing the web pages opened
  • Names and phone numbers of the contacts on the device
  • Wi-Fi access point names with their MAC addresses


A few more notable network messages:

  • POST /play/WS/RemoteCommands
  • GET /play/ws/update-check/?update=getversion&brand=gvd8
  • GET /play/ws/update-check/?asset=armeabi-v7a


We created a VirusTotal relations graph that represents all the parties contacted by the spyware app:

Domain WHOIS details

We found the following artifacts about the server superwat.biz and android-update.net:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.PN (Trojan)

Indicators of Compromise (IOC)

Sample details

Cybersecurity News & Trends – 09-11-20

This week, students are going back to school, cybersecurity is going into outer space, and Emotet is going through the roof.

SonicWall Spotlight

Cybersecurity for the post-COVID new normal of work — Managing the Future of Work podcast

  • SonicWall CEO Bill Conner discusses how COVID-19 and the 2020 election are creating unprecedented infrastructure challenges in cybersecurity, and how forces such as the cybersecurity business gap and the need for secure remote access will shape the cybersecurity landscape going forward.

Tackle the Growing Number of IoT Ransomware Threats — TechTarget – IoT Agenda

  • Ransomware attacks have increased 20% worldwide in the first half of the year and 105% in the U.S., according to SonicWall’s latest cyberthreat report.

Cybersecurity News

FBI: Thousands of orgs targeted by RDoS extortion campaign — Bleeping Computer

  • The FBI has warned U.S. companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom.

Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites — ZDNet

  • Researchers say that any attacker with “a little cash to burn” can join the attack trend.

Website Crashes and Cyberattacks Welcome Students Back to School — The New York Times

  • With many districts across the country opting for online learning, a range of technical issues marred the first day of classes.

Phishing adds overlay on official company page to steal logins — Bleeping Computer

  • A phishing campaign deployed recently at various businesses uses the company’s home page to disguise the attack and trick potential victims into providing login credentials.

Money from bank hacks rarely gets laundered through cryptocurrencies — ZDNet

  • Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said.

White House issues cybersecurity space policy — SpaceNews

  • Space Policy Directive 5 is the first comprehensive government policy on cybersecurity for satellites and related systems, and outlines best practices to protect space systems from hacking and other cyber threats.

U.S. Department of Defense discloses critical and high severity bugs — Bleeping Computer

  • The U.S. Department of Defense has disclosed details about four security vulnerabilities on its infrastructure. Two of them have a high severity rating, while the other two received a critical score.

France, Japan, New Zealand warn of sudden spike in Emotet attacks — ZDNet

  • Emotet activity has ramped up to new levels in September 2020, alarming some cybersecurity agencies.

In Case You Missed It

Anubis infostealer wants your cryptocurrency wallet

This week the SonicWall Capture Labs research team analyzed an info-stealing Trojan that is a mash-up of another infostealer Trojan and a ransomware. This Trojan is called Anubis, but it borrowed most of its code from another Trojan named Loki, which is widely sold in the underground market.

Infection Cycle

This Trojan uses the following icon:

Upon execution, it scans the system and starts stealing data, taking screenshots, etc. It then creates a randomly named folder within the %temp% directory where it stores log files of the stolen data.

This stolen data is then sent to a remote server.

During static analysis, it was noted that it had references to “Loki” within its strings, evidence that it borrows code from this other infostealer Trojan. After all, Loki is a commodity malware commonly sold on underground sites.

This Trojan functions much like Loki and comes after the victim’s system information, browser data, credentials, credit card details and cryptocurrency wallets.

We also noticed references to ransomware functionality within its strings during analysis, although this was not evident during runtime.

Apart from being sold underground, Lokibot is known to be distributed via spam emails, and Anubis is likely to be distributed in the same way.

Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Anubis.ST (Trojan)
  • GAV: VHDLocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for September 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-0664 Active Directory Information Disclosure Vulnerability
IPS 15131: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0664)

CVE-2020-0856 Active Directory Information Disclosure Vulnerability
IPS 15132: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0856)

CVE-2020-0941 Win32k Information Disclosure Vulnerability
ASPY 5993: Malformed-File exe.MP.156

CVE-2020-1115 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5994: Malformed-File exe.MP.157

CVE-2020-1152 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5995: Malformed-File exe.MP.158

CVE-2020-1245 Win32k Elevation of Privilege Vulnerability
ASPY 5991: Malformed-File exe.MP.154

CVE-2020-1308 DirectX Elevation of Privilege Vulnerability
ASPY 5992: Malformed-File exe.MP.155

The following vulnerabilities have no known exploits in the wild:

  • CVE-2020-0648 Windows RSoP Service Application Elevation of Privilege Vulnerability
  • CVE-2020-0718 Active Directory Remote Code Execution Vulnerability
  • CVE-2020-0761 Active Directory Remote Code Execution Vulnerability
  • CVE-2020-0766 Microsoft Store Runtime Elevation of Privilege Vulnerability
  • CVE-2020-0782 Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
  • CVE-2020-0790 Microsoft splwow64 Elevation of Privilege Vulnerability
  • CVE-2020-0805 Projected Filesystem Security Feature Bypass Vulnerability
  • CVE-2020-0836 Windows DNS Denial of Service Vulnerability
  • CVE-2020-0837 ADFS Spoofing Vulnerability
  • CVE-2020-0838 NTFS Elevation of Privilege Vulnerability
  • CVE-2020-0839 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
  • CVE-2020-0870 Shell infrastructure component Elevation of Privilege Vulnerability
  • CVE-2020-0875 Microsoft splwow64 Information Disclosure Vulnerability
  • CVE-2020-0878 Microsoft Browser Memory Corruption Vulnerability
  • CVE-2020-0886 Windows Storage Services Elevation of Privilege Vulnerability
  • CVE-2020-0890 Windows Hyper-V Denial of Service Vulnerability
  • CVE-2020-0904 Windows Hyper-V Denial of Service Vulnerability
  • CVE-2020-0908 Windows Text Service Module Remote Code Execution Vulnerability
  • CVE-2020-0914 Windows State Repository Service Information Disclosure Vulnerability
  • CVE-2020-0921 Microsoft Graphics Component Information Disclosure Vulnerability
  • CVE-2020-0922 Microsoft COM for Windows Remote Code Execution Vulnerability
  • CVE-2020-0928 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-0951 Windows Defender Application Control Security Feature Bypass Vulnerability
  • CVE-2020-0989 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
  • CVE-2020-0997 Windows Camera Codec Pack Remote Code Execution Vulnerability
  • CVE-2020-0998 Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2020-1012 WinINet API Elevation of Privilege Vulnerability
  • CVE-2020-1013 Group Policy Elevation of Privilege Vulnerability
  • CVE-2020-1030 Windows Print Spooler Elevation of Privilege Vulnerability
  • CVE-2020-1031 Windows DHCP Server Information Disclosure Vulnerability
  • CVE-2020-1033 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-1034 Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2020-1038 Windows Routing Utilities Denial of Service
  • CVE-2020-1039 Jet Database Engine Remote Code Execution Vulnerability
  • CVE-2020-1044 SQL Server Reporting Services Security Feature Bypass Vulnerability
  • CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability
  • CVE-2020-1052 Windows Elevation of Privilege Vulnerability
  • CVE-2020-1053 DirectX Elevation of Privilege Vulnerability
  • CVE-2020-1057 Scripting Engine Memory Corruption Vulnerability
  • CVE-2020-1074 Jet Database Engine Remote Code Execution Vulnerability
  • CVE-2020-1083 Microsoft Graphics Component Information Disclosure Vulnerability
  • CVE-2020-1091 Windows Graphics Component Information Disclosure Vulnerability
  • CVE-2020-1097 Windows Graphics Component Information Disclosure Vulnerability
  • CVE-2020-1098 Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
  • CVE-2020-1119 Windows Information Disclosure Vulnerability
  • CVE-2020-1122 Windows Language Pack Installer Elevation of Privilege Vulnerability
  • CVE-2020-1129 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
  • CVE-2020-1130 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
  • CVE-2020-1133 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
  • CVE-2020-1146 Microsoft Store Runtime Elevation of Privilege Vulnerability
  • CVE-2020-1159 Windows Elevation of Privilege Vulnerability
  • CVE-2020-1169 Windows Runtime Elevation of Privilege Vulnerability
  • CVE-2020-1172 Scripting Engine Memory Corruption Vulnerability
  • CVE-2020-1180 Scripting Engine Memory Corruption Vulnerability
  • CVE-2020-1193 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-1198 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1200 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1205 Microsoft SharePoint Spoofing Vulnerability
  • CVE-2020-1210 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1218 Microsoft Word Remote Code Execution Vulnerability
  • CVE-2020-1224 Microsoft Excel Information Disclosure Vulnerability
  • CVE-2020-1227 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1228 Windows DNS Denial of Service Vulnerability
  • CVE-2020-1250 Win32k Information Disclosure Vulnerability
  • CVE-2020-1252 Windows Remote Code Execution Vulnerability
  • CVE-2020-1256 Windows GDI Information Disclosure Vulnerability
  • CVE-2020-1285 GDI+ Remote Code Execution Vulnerability
  • CVE-2020-1303 Windows Runtime Elevation of Privilege Vulnerability
  • CVE-2020-1319 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
  • CVE-2020-1332 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-1335 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-1338 Microsoft Word Remote Code Execution Vulnerability
  • CVE-2020-1345 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1376 Windows Elevation of Privilege Vulnerability
  • CVE-2020-1440 Microsoft SharePoint Server Tampering Vulnerability
  • CVE-2020-1452 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1453 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1460 Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2020-1471 Windows CloudExperienceHost Elevation of Privilege Vulnerability
  • CVE-2020-1482 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1491 Windows Function Discovery Service Elevation of Privilege Vulnerability
  • CVE-2020-1506 Windows Start-Up Application Elevation of Privilege Vulnerability
  • CVE-2020-1507 Microsoft COM for Windows Elevation of Privilege Vulnerability
  • CVE-2020-1508 Windows Media Audio Decoder Remote Code Execution Vulnerability
  • CVE-2020-1514 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1523 Microsoft SharePoint Server Tampering Vulnerability
  • CVE-2020-1532 Windows InstallService Elevation of Privilege Vulnerability
  • CVE-2020-1559 Windows Storage Services Elevation of Privilege Vulnerability
  • CVE-2020-1575 Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-1576 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1589 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-1590 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
  • CVE-2020-1592 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-1593 Windows Media Audio Decoder Remote Code Execution Vulnerability
  • CVE-2020-1594 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-1595 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-1596 TLS Information Disclosure Vulnerability
  • CVE-2020-1598 Windows UPnP Service Elevation of Privilege Vulnerability
  • CVE-2020-16851 OneDrive for Windows Elevation of Privilege Vulnerability
  • CVE-2020-16852 OneDrive for Windows Elevation of Privilege Vulnerability
  • CVE-2020-16853 OneDrive for Windows Elevation of Privilege Vulnerability
  • CVE-2020-16854 Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-16855 Microsoft Office Information Disclosure Vulnerability
  • CVE-2020-16856 Visual Studio Remote Code Execution Vulnerability
  • CVE-2020-16857 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
  • CVE-2020-16858 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16859 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16860 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
  • CVE-2020-16861 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16862 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
  • CVE-2020-16864 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16871 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16872 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16873 Xamarin.Forms Spoofing Vulnerability
  • CVE-2020-16874 Visual Studio Remote Code Execution Vulnerability
  • CVE-2020-16875 Microsoft Exchange Memory Corruption Vulnerability
  • CVE-2020-16878 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16879 Projected Filesystem Information Disclosure Vulnerability
  • CVE-2020-16881 Visual Studio JSON Remote Code Execution Vulnerability
  • CVE-2020-16884 Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability

ECCENTRIC BANDWAGON, DPRK

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for:
ECCENTRIC BANDWAGON, DPRK.

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. North Korea, officially the Democratic People’s Republic of Korea (DPRK), is a country in East Asia constituting the northern part of the Korean Peninsula. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.

ECCENTRIC BANDWAGON is one of the new Remote Access Trojans (RATs) created by HIDDEN COBRA.

These remote tools are believed to be used in highly targeted attacks against financial, engineering, government and non-governmental organisations.

All ECCENTRIC BANDWAGON variants consist of a primary DLL file that, when executed, uses three separate files for screenshots, system logs and key logs. Some variants encrypt these files using RC4, while others include basic clean-up functionality that attempts to remove the log files once ECCENTRIC BANDWAGON has finished executing.

Sample, Static Information:

Dynamic Information:

Key-logging Artifacts:

Clipboard Capture:

Directory Removal and Clean-up:

Strings Set 01:

Strings Set 02:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: EccentricBandwagon.N (Trojan)

Appendix:

Sample SHA256 Hash: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Cybersecurity News & Trends – 09-04-20

This week, teenage hackers and nation-state attackers made trouble worldwide.

SonicWall Spotlight

SonicWall TZ 600 POE — SC Magazine

  • SC Media takes a close look at the TZ 600 POE and awards it top marks.

Why Small Businesses Must Deal With Emerging Cybersecurity Threats — Entrepreneur

  • Cybercriminals are counting on small businesses to be less protected — and they’re often right.

Surging CMS attacks keep SQL Injections On The Radar During The Next Normal — Help Net Security

  • Cyberattacks have risen during the pandemic, leaving businesses to wonder whether things will settle down when COVID-19 begins to wane, or if the increase in attacks is here to stay.

Cybersecurity News

Teenager arrested in cyberattacks on Miami-Dade schools — The Washington Times

  • A 16-year-old student has been arrested for orchestrating a series of network outages and cyberattacks during the first week of school in Florida’s largest district.

Microsoft Defender can ironically be used to download malware — Bleeping Computer

  • A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old — The New York Times

  • A Massachusetts teenager appears to have played a significant role in the July 15 Twitter attack, investigators and fellow hackers said.

Chinese Hackers Targeted European Officials in Phishing Campaign — Bloomberg

  • Chinese nation-state hackers launched a phishing campaign against European government officials, diplomats, non-profits and other organizations to gather intelligence about global economies reeling from the pandemic.

Minister: New Zealand Enduring Wave of Cyberattacks — Security Week

  • According to the Associated Press, tracking down the perpetrators will be extremely difficult, as the distributed denial of service attacks are being routed through thousands of computers.

Federal agencies deny seeing attacks on voting infrastructure — The Hill

  • The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have denied seeing any reports of attacks on voting infrastructure, following the publication of a report on potential Russian election interference.

The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time — Wired

  • Facing looming election threats and a ransomware epidemic, the bureau says it has revamped its process for warning hacking victims.

The accidental notary: Apple approves notorious malware to run on Macs — Ars Technica

  • Newfangled malware protection gives users a false sense of security, critics say, making it potentially worse than nothing at all.

Attackers abuse Google DNS over HTTPS to download malware — Bleeping Computer

  • More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.

‘UltraRank’ Gang Sells Card Data It Steals — Bank Info Security

  • A cybercriminal gang that has spent five years planting malicious JavaScript code in order to steal payment card data from hundreds of e-commerce websites also takes the unusual step of selling the data on its own.

Hackers Attack Norway’s Parliament — Security Week

  • Norway’s parliament said Tuesday it had been the target of a “vast” cyberattack that allowed hackers to access some lawmakers’ emails.

In Case You Missed It

Jackpot ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Jackpot ransomware [Jackpot.RSM] actively spreading in the wild.

The Jackpot ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Coin (encrypted file)
    • %App.path%\payment request.txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the Coin extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: JACKPOT.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Darkside ransomware targets large corporations. Charges up to $2M.

The SonicWall Capture Labs threat research team has observed a new family of ransomware called Darkside. The operators of this ransomware primarily target large corporations. Recently, a Canadian land developer and home builder, Brookfield Residential, was hit with Darkside ransomware. In this case, the operators not only encrypted data but also stole it and threatened to publish the company’s data online if it does not pay up. Darkside has been around since early August, and its operators have been launching multiple customized attacks on known high-revenue companies. The operators charge between $200,000 and $2M for file decryption. It has been reported that the operators have already obtained over $1M since the start of their campaign.

Infection Cycle:

When running the malware the following User Account Control dialog is shown:

Files on the system are encrypted and given an “ehre.eb2e8d90” extension. A file named README.eb2e8d90.TXT is copied into every directory containing encrypted files.

README.eb2e8d90.TXT contains the following message:

As the malware is aimed at large corporations, the message states that over 100GB of data has been uploaded to the operators.  However, we did not observe any data being uploaded during our analysis.

The link provided in the ransom message leads to the following page hosted on a server on Tor:

Upon entering the key provided in the message, the following page is displayed:

$2 million in cryptocurrency is demanded for file decryption. It is interesting to note that in addition to Bitcoin, Monero is offered as a valid payment method. Compared to Bitcoin, Monero is used significantly less by ransomware operators. However, one of Monero’s key features is its untraceability. We expect to see an increase in malware operators using cryptocurrency of this nature.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Darkside.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
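An added example (not code from either write-up) of the directory triage an incident responder might run using the file artifacts the Jackpot and Darkside posts describe: Jackpot's .Coin extension and payment request.txt note, and Darkside's ehre.<tag> extension beside a README.<tag>.TXT note whose per-victim tag should match. The sample tree, file names and layout are constructed for the example.

```python
import os
import re
import tempfile

# Artifacts named in the two write-ups. Darkside's extension and note carry a
# per-victim 8-hex-digit tag (eb2e8d90 in the analysed sample); it is matched
# generically here so the same check works for other victims' tags.
DARKSIDE_EXT = re.compile(r"\.ehre\.(?P<tag>[0-9a-f]{8})$")
DARKSIDE_NOTE = re.compile(r"^README\.(?P<tag>[0-9a-f]{8})\.TXT$")
JACKPOT_EXT = ".Coin"
JACKPOT_NOTE = "payment request.txt"


def triage_dir(names: list) -> dict:
    """Classify one directory's file names. Returns {} when nothing matches."""
    enc_count, enc_tags, note_tags, coin_files, jackpot_note = 0, set(), set(), 0, False
    for name in names:
        m = DARKSIDE_EXT.search(name)
        if m:
            enc_count += 1
            enc_tags.add(m.group("tag"))
            continue
        m = DARKSIDE_NOTE.match(name)
        if m:
            note_tags.add(m.group("tag"))
            continue
        if name.endswith(JACKPOT_EXT):
            coin_files += 1
        elif name == JACKPOT_NOTE:
            jackpot_note = True
    out = {}
    if enc_tags or note_tags:
        # A note whose tag equals the extension tag beside it is the strongest
        # Darkside signal; a mismatch points at a stale or planted note.
        out["darkside"] = {
            "encrypted_files": enc_count,
            "note_present": bool(note_tags),
            "tag_match": bool(enc_tags & note_tags),
        }
    if coin_files or jackpot_note:
        out["jackpot"] = {"encrypted_files": coin_files, "note_present": jackpot_note}
    return out


def triage_tree(root: str) -> dict:
    """Walk root and return {relative_dir: findings} for directories that hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        hit = triage_dir(files)
        if hit:
            report[os.path.relpath(dirpath, root)] = hit
    return report


def build_sample_tree() -> str:
    """Create a constructed victim-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="triage-")
    layout = {
        "finance": ["q3.xlsx.ehre.eb2e8d90", "notes.docx.ehre.eb2e8d90", "README.eb2e8d90.TXT"],
        "hr": ["staff.csv.ehre.eb2e8d90", "README.00000000.TXT"],  # note tag does not match
        "photos": ["trip.jpg.Coin", "payment request.txt"],
        "clean": ["readme.txt", "report.pdf"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for rel, hit in sorted(triage_tree(build_sample_tree()).items()):
        print(rel, hit)
```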

Advantech WebAccess NMS Arbitrary File Upload Vulnerability is being exploited

Advantech WebAccess/NMS is a web browser-based software package for network management systems (NMS). It is designed around the SNMP and ICMP communication standards for managing all Ethernet-enabled Advantech products and third-party devices. NMS gives users an easy-to-use platform to monitor and manage networks remotely. The Advantech WebAccess/NMS platform runs on top of the Apache web server.

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instructs devices to restore their configuration with this uploaded config file. The service is requested via an HTTP request which places the uploaded file and several parameters in the format of multipart/form-data. The request is handled in the class ConfigRestoreAction via the following Request-URI:

/SCMS/web/access/ConfigRestoreAction.action

An arbitrary file upload vulnerability exists in Advantech WebAccess/NMS due to a lack of sanitization of the “cfgfile” parameter in the ConfigRestoreAction class. When a request reaches the “ConfigRestoreAction.action” endpoint, the execute() method of ConfigRestoreAction handles it and uses the “cfgfile” value, without sanitizing it, to build the destination file path inside the application installation directory. Because a crafted value (for example, one containing directory traversal sequences) is accepted as-is, the destination path can point to any location on the NMS server that the service account can write to, which results in an arbitrary file upload.

In the request below, the attacker posts an HTTP request carrying a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting such a crafted request to the target server. Successful exploitation leads to an arbitrary file write on the server and, in the worst case (for example, a web shell written under the web root), to code execution in the security context of the system.
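As an added example (not code from the original post or from Advantech, whose product is Java), the Python below contrasts the vulnerable pattern, joining the client-supplied “cfgfile” name to the install directory as-is, with a hardened version that whitelists the name and proves the resolved path stays inside the upload directory. It also adds a request-line check in the spirit of the IPS signature. UPLOAD_ROOT is a hypothetical install directory, and only the query-string form of the request shown above is inspected, not a multipart body.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical install directory; the real path is product-specific.
UPLOAD_ROOT = "/opt/webaccess_nms/config_restore"
VULN_ENDPOINT = "/SCMS/web/access/ConfigRestoreAction.action"
# Whitelist for a config file name: plain name, no path separators,
# no leading dot. Extension policy is a separate concern.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def vulnerable_destination(upload_root, cfgfile):
    """The flaw class described above: the client-controlled name is joined
    to the install directory as-is, so '../' walks out of it. Do not use."""
    return os.path.normpath(os.path.join(upload_root, cfgfile))


def safe_destination(upload_root, cfgfile):
    """Hardened form: whitelist the name, then prove the resolved path is
    directly inside upload_root before any file is written."""
    if not SAFE_NAME.fullmatch(cfgfile):
        raise ValueError("rejected cfgfile: %r" % cfgfile)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, cfgfile))
    if os.path.dirname(dest) != root:  # defence in depth (symlinks etc.)
        raise ValueError("cfgfile resolves outside the upload root")
    return dest


def request_looks_like_exploit(request_line):
    """Detection side: flag a request to the vulnerable endpoint whose
    cfgfile query parameter fails the whitelist (traversal, absolute path,
    odd characters). parse_qs percent-decodes once; unquote again catches
    double-encoded payloads such as %252e%252e%252f."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if parts.path != VULN_ENDPOINT:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("cfgfile", []):
        if not SAFE_NAME.fullmatch(unquote(value)):
            return True
    return False


if __name__ == "__main__":
    evil = "../../../../tmp/evil.jsp"
    print("vulnerable:", vulnerable_destination(UPLOAD_ROOT, evil))
    print("safe:", safe_destination(UPLOAD_ROOT, "device42.cfg"))
    try:
        safe_destination(UPLOAD_ROOT, evil)
    except ValueError as err:
        print("blocked:", err)
    line = ("POST " + VULN_ENDPOINT +
            "?cfgfile=..%2F..%2Fwebapps%2FROOT%2Fshell.jsp HTTP/1.1")
    print("flagged:", request_looks_like_exploit(line))
```

The containment check after realpath() is kept even though the whitelist already excludes separators: whitelist regexes get loosened over time, and the path comparison still holds when they do.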

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15119 Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.

Android spyware abusing app icons for Amazon, Netflix and other popular apps

Mobile applications have made our lives easier: be it entertainment, social media, e-commerce or banking, there is an app for everything. Malware authors misuse the names and icons of popular apps to lure victims.

SonicWall Capture Labs threat research team has been observing spyware that uses the icons of popular Android apps with millions of downloads. Icons of some of the apps being imitated by the spyware:

(Original vs fake app icon)

Upon tapping the app icon, a pop-up with the message “App isn’t installed” is displayed, suggesting to the user that the installation failed, while the app hides its icon from the app drawer.

A config file is created which indicates that the app attempts to establish a connection with the remote host “193.161.193.99”.

The spyware is capable of:

  • Hiding its icon from the app drawer
  • Reading contacts and call logs
  • Reading SMS
  • Reading geolocation data
  • Reporting the Internet connection type
  • Fetching the installed application list and app updates
  • Recording audio
  • Checking whether the device is rooted
  • Making phone calls
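As an added triage example (not code from the original post or from the malware), the Python script below parses a constructed excerpt in the shape of `adb shell dumpsys package` output and flags packages that have disabled every LAUNCHER activity (the hidden-icon trick above) while holding the permissions the capability list implies. The excerpt and the package names are made up; real output carries many more fields than the lines this script reads.

```python
import re

# Constructed excerpt in the shape of `adb shell dumpsys package` output
# (assumption: only the lines this script reads are reproduced; the package
# names are invented and do not refer to real apps).
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        3f8c2a1 com.example.fakestream/.MainActivity filter 7b1e9d0
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        9ad41b2 com.example.notes/.LauncherActivity filter 5c03e77
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"

Packages:
  Package [com.example.fakestream] (2b4c6d8):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CALL_PHONE
    User 0: installed=true hidden=false suspended=false stopped=false
      disabledComponents:
        com.example.fakestream.MainActivity
  Package [com.example.notes] (4d5e6f7):
    userId=10232
    requested permissions:
      android.permission.INTERNET
    User 0: installed=true hidden=false suspended=false stopped=false
"""

# Permissions that map onto the capability list above.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}

COMPONENT_RE = re.compile(r"[0-9a-f]+ (\S+)/(\S+) filter [0-9a-f]+")
PACKAGE_RE = re.compile(r"Package \[(\S+)\]")


def parse_dumpsys(text):
    """Return (launchers, packages): the activities carrying the LAUNCHER
    category per package, and per package its requested permissions and the
    components disabled at runtime."""
    launchers, packages = {}, {}
    section = component = package = None
    collecting = None  # "permissions" or "disabled" while inside that list
    for raw in text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # top-level section header
            section = line.rstrip(":")
            continue
        if section == "Activity Resolver Table":
            m = COMPONENT_RE.match(line)
            if m:
                pkg, cls = m.groups()
                component = (pkg, pkg + cls if cls.startswith(".") else cls)
            elif line == 'Category: "android.intent.category.LAUNCHER"' and component:
                launchers.setdefault(component[0], set()).add(component[1])
        elif section == "Packages":
            m = PACKAGE_RE.match(line)
            if m:
                package = m.group(1)
                packages[package] = {"permissions": set(), "disabled": set()}
                collecting = None
            elif package is None:
                continue
            elif line == "requested permissions:":
                collecting = "permissions"
            elif line == "disabledComponents:":
                collecting = "disabled"
            elif collecting and re.fullmatch(r"[\w.]+", line):
                packages[package][collecting].add(line)
            else:
                collecting = None  # any other line ends the current list
    return launchers, packages


def suspicious_packages(text, min_spy_perms=3):
    """Flag packages holding at least min_spy_perms spyware-grade permissions
    whose every LAUNCHER activity has been disabled (the hidden-icon trick)."""
    launchers, packages = parse_dumpsys(text)
    findings = {}
    for pkg, info in packages.items():
        icons = launchers.get(pkg, set())
        icon_hidden = bool(icons) and icons <= info["disabled"]
        spy = info["permissions"] & SPY_PERMISSIONS
        if icon_hidden and len(spy) >= min_spy_perms:
            findings[pkg] = {"hidden_launchers": sorted(icons),
                             "spy_permissions": sorted(spy)}
    return findings


if __name__ == "__main__":
    for pkg, hit in suspicious_packages(SAMPLE_DUMPSYS).items():
        print(pkg, hit)
```

On a device, save `adb shell dumpsys package` to a file and pass its contents to suspicious_packages(). A disabled launcher activity alone is not a verdict, since legitimate apps that switch icons through activity aliases also disable components, which is why the permission threshold is combined with it.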

Technical Details:

The app hides its icon, making it difficult for the user to identify the app responsible for the spying activity:

It reads the contact list, including details stored under other MIME types such as saved email addresses, and the call log:

(Victim’s call log)

It reads every incoming SMS by registering a receiver for the “android.provider.Telephony.SMS_RECEIVED” broadcast:

It accesses the victim’s geolocation data:

It checks the victim’s Internet connection type, Wi-Fi or mobile data (2G/3G/4G), based on the value returned by “getNetworkType”:

It fetches information about the applications installed on the victim’s device:

It captures audio using the recording options supported on the device:

It can place a phone call to a specified number:

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.SpyNote.SD

Indicators of Compromise (IOCs):

  • 5fe3a6571f7709ea967af6d5b333ebc200375c986575d44a66f032b053741339
  • 7419092afc4b71d5ec50f5ed32452520a36b3c20efb0efddb37b9de9ed0a4b7f
  • 8d6158ae2c442aa3aa6a3d3291b14a76b7007903c1fe4df5b16c15c962f7e4cd
  • ad9191973d233f53a55b498ad55710b9a2abc15d905eeea14753fc3df5c0d880
  • 6b02203b5ca6133f4c7c51be4be1784f3c695523d7e70b39db098668bd1201c6
  • 90e6113130cea5c601399c7804793f34a76af10974e6c70920a964f6ddc3a21a
  • 7491a5d7dccf2034826a984c9dca42718ca7921d63596d68fb4586fe652291c2
  • e73d9c382da3e108ef13dace8b644100d89d766106bdbdf7e4f5853b5b75f279
  • 5bd051ee3610fb752c16a319131e93846c321b80752df3d54aea346a03aa6155
  • eaee3179c7e9be8b5653b404f7d29990c1644193c7f6f8e52729a7878ae4c2a7
  • a9f6f8b2fb0ddaf6f6e9171c566950d2c604aa2d2e703e2397f1450b1075db91
  • 80f14b2fce58261442622fa77d861604b7f8548f4cf373387f2aa360d4f3560a
  • a3abb775436bcf82554cd90150974867bff000c9ab432b1bd6937cdf525bcf81
  • c8dd02c9b2874c5a8ab6d79e713665d17e405505fbc18464cd070d1368e2d4a0
  • 442d0177494542ec553196e689d9e6120dbff5e3acc0dfa777fce470dea937cb
  • 6f14f011dc2eced02b0bbab79e05f985b39cd66dd8f5dc950092c9ffa3c82a51