Posts

Fraudsters victimizing innocent users through a dubious Android finance app

The COVID-19 pandemic has created a global crisis, and threat actors have made it worse by exploiting the crisis for their own ends.

The SonicWall Capture Labs threat research team has been blogging regularly about malware that leverages the COVID-19 pandemic. We have found another Android app riding on this theme. For a time the app was distributed via the Google Play Store; it was removed after we reported it to the Google Play team.

The app, named Cashbox, is listed in the Finance category. It targets Indian Android users and is presented as an app that helps customers obtain a loan. Its high install count suggests that a large number of users may have been victimized:

 

The fraudulent app appears to have gone unnoticed by security products: at the time of analysis it was not detected by any AV vendor on the threat intelligence sharing portal VirusTotal:

 

The app promises easy loans. Its description contains loan EMI and interest details, as shown below:

 

After installation, it shows the list of permissions it requires. Interestingly, the app prompts the user to grant each permission with an explanation of why it is needed:

 

The user must first enter the desired loan amount; the app then asks for a PAN (Permanent Account Number) card and a selfie taken with the phone camera, both of which are uploaded:

 

The user is then told that authentication is complete, and the user's name, PAN number and date of birth are displayed to make the process look genuine and reduce suspicion:

 

Next, it asks the user to pay Rs. 99 through one of four options (Card, UPI, Wallets or Net Banking), as shown below:

 

Then other loan-facilitating apps are recommended:

    Recommended apps

 

If the user tries any of the recommended apps, all the personal information is requested again. Users are promised easy loans, but instead their personal information is stolen and they are funneled on to yet another loan app.

Reviews left by some users of the fraudulent app reflect their frustration:

 

The code snippet below shows that the app also collects the user's location and device information:

 

SonicWall Capture Labs provides protection against this threat with the following signature:

Android_FraudApp.A (Trojan)

 

Indicators of Compromise (IOCs):

1ab6fe4483a77ccffe9876d5426822a57037d6a890382666442342b2704464bb

Cybersecurity News & Trends – 06-19-20

This week, SonicWall’s new Switches and Secure SD-Branch made waves, hackers made a stronger Qbot, and attacks on AWS made history.


SonicWall Spotlight

ChannelPro 5 Minute Roundup — ChannelPro Network

  • Erick and Rich of ChannelPro explore the far-reaching implications of SonicWall’s new branch office networking solution, which they say arrived at a great time for businesses.

SonicWall Launches New Network Switches — Enterprise Times

  • SonicWall has announced a range of new products, including new multi-gigabit switches and an SD-Branch solution.

SonicWall Advances Network Edge Security, Adds Multi-gigabit Switch Series and New SD-Branch Capabilities — TMCnet

  • TMCnet highlights SonicWall’s momentum over the past quarter, including the release of new and enhanced MSSP offerings and the launch of its SD-Branch capabilities.

SonicWall takes threat protection to the branch level — MicroScope

  • MicroScope covers the latest SD-Branch offering as a major shift and a milestone in SonicWall's corporate history, one set to have a major impact on the security vendor's channel.

Cybersecurity News

Researchers Expose a New Vulnerability in Intel’s CPUs — Wired

  • Modern CPUs, particularly those made by Intel, have been under siege in recent years by an unending series of attacks. Now two separate academic teams have disclosed two new and distinct exploits that pierce Intel's Software Guard Extensions (SGX), by far the most sensitive region of the company's processors.

Google Sees Increase in COVID-19 Phishing in Brazil, India, UK — Security Week

  • Cyberthreats taking advantage of the COVID-19 pandemic are evolving, and Google is seeing an increase in related phishing attempts in some countries.

Attackers impersonate secure messaging site to steal bitcoins — Bleeping Computer

  • In what can be described as the case of both cybersquatting and phishing, threat actors have created a site that imitates the legitimate secure note sharing service privnote.com to steal bitcoins.

Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance — Wired

  • Paul Le Roux, 47 — who faced up to a life sentence after pleading guilty to crimes ranging from methamphetamine trafficking to selling weapons technology to Iran — has been sentenced to 25 years in federal prison.

Targeting U.S. banks, Qbot trojan evolves with new evasion techniques — SC Magazine 

  • By malware standards, the banking trojan Qbot is long in the tooth, but it still has some bite, according to researchers who say it has added some detection and research evasion techniques to its arsenal.

Hackers Trigger Far-Reaching Disruption by Targeting Low-Profile Firm — The Wall Street Journal

  • Small and midsize companies are fighting a rising tide of cyberattacks largely out of public view, posing an underappreciated risk for the bigger companies and institutions that use their services.

Google Alerts catches fake data breach notes pushing malware — Bleeping Computer

  • Fraudsters have begun pushing fake data breach notifications using big company names to distribute malware and scams. They’re mixing black SEO, Google Sites, and spam pages to direct users to dangerous locations.

Exclusive: Massive spying on users of Google’s Chrome shows new security weakness — Bloomberg

  • A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s Chrome web browser, highlighting the tech industry’s failure to protect browsers despite their increasing use for email, payroll and other sensitive functions.

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever — ZDNet

  • The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018.

In Case You Missed It

Fake ransomware decryptor spreads Zorab ransomware

The SonicWall Capture Labs threat research team observed Zorab ransomware posing as a DJVU ransomware decryptor.

When a user's files are encrypted by ransomware, they often search desperately for a decryption tool rather than pay the ransom. One such "decryptor", DecryptorDjvuMlagham.exe, does not remove the DJVU infection; instead it spreads Zorab ransomware.

Infection cycle

Launching the application opens a console that prompts for information relevant to decryption.

It accepts any input, however, and performs no validation.

Once the victim clicks Start Scan, instead of scanning it drops another executable, crab[.]exe, into the user's AppData\Local\Temp folder.

Disassembling the code shows that crab.exe is extracted on the button click.

This executable then encrypts files, appending the extension .ZRB. It also re-encrypts files that were already encrypted by the first ransomware, changing their extension to .ZRB as well.
 

The attacker drops a ransom note named -DECRYPT~ZORAB.txt in each folder.

The ransom note reads as follows. It boasts that this is just a business and that the operators do not care about the victim, and it demands that the victim email zorab28@protonmail.com for instructions on how to decrypt the files.

At the time of writing this alert we had not yet received a response to the email that we sent to the attacker.
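The two file-system artefacts described above (the .ZRB extension stacked on top of whatever the file was called before, and a note in every folder) are enough to triage a machine without touching the sample. The script below is an added example written for this write-up, not SonicWall tooling: it walks a tree, counts .ZRB files and notes, tallies the extension that sat under .ZRB (a cluster of one odd extension there is the trace of the earlier DJVU encryption that Zorab re-encrypted), and lists folders that hold encrypted files but no note. The sample tree it builds is constructed; the ".enc1" extension is a placeholder for the first ransomware's extension, not a real one.

```python
"""Hunt for Zorab artefacts on a file tree.

Constructed example for this write-up, not SonicWall tooling. It relies only on the
behaviour described above: encrypted files get a .ZRB extension (including files the
first ransomware had already encrypted) and a -DECRYPT~ZORAB.txt note is dropped
in each folder.
"""
import os
import tempfile
from collections import Counter

ZORAB_EXT = ".zrb"
ZORAB_NOTE = "-DECRYPT~ZORAB.txt"


def scan_tree(root):
    """Walk `root` and summarise Zorab artefacts.

    inner_extensions counts the extension that sat under .ZRB; a cluster of one odd
    extension there is the trace of an earlier infection that Zorab re-encrypted.
    folders_missing_note lists folders with .ZRB files but no ransom note, i.e. places
    where encryption may have been interrupted or the note removed.
    """
    summary = {"encrypted": 0, "notes": 0,
               "inner_extensions": Counter(), "folders_missing_note": []}
    for dirpath, _dirs, files in os.walk(root):
        has_encrypted = has_note = False
        for name in files:
            if name == ZORAB_NOTE:
                has_note = True
                summary["notes"] += 1
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() == ZORAB_EXT:
                has_encrypted = True
                summary["encrypted"] += 1
                # Whatever extension the file had before .ZRB was appended.
                summary["inner_extensions"][os.path.splitext(stem)[1].lower()] += 1
        if has_encrypted and not has_note:
            summary["folders_missing_note"].append(dirpath)
    return summary


def make_sample_tree():
    """Build a constructed victim tree in a temp dir and return its path.

    Not real malware output. '.enc1' stands in for whatever extension the first
    ransomware appended before Zorab re-encrypted the file.
    """
    root = tempfile.mkdtemp(prefix="zorab_demo_")
    layout = {
        "docs": ["budget.xlsx.ZRB", "photo.jpg.ZRB", "contract.docx.enc1.ZRB", ZORAB_NOTE],
        "archive": ["thesis.pdf.ZRB"],   # encrypted, but no note dropped
        "clean": ["readme.txt"],         # untouched folder
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    result = scan_tree(make_sample_tree())
    print("encrypted files:", result["encrypted"])
    print("ransom notes:", result["notes"])
    print("extensions under .ZRB:", dict(result["inner_extensions"]))
    print("folders without a note:", result["folders_missing_note"])
```

Point it at a mounted image or a network share rather than a live infected host; the extension match is case-insensitive because Windows file systems are.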

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Zorab.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

This long spreading Android locker has been spotted using Coronavirus theme

The SonicWall Capture Labs threat research team observed a number of Android locker samples that cover the home screen with a ransom message. The malicious apps in this campaign are repackaged to appear as popular apps such as WhatsApp and Netflix, and one recent sample poses as a Coronavirus app with the Uzbek name "Koronavirus haqida", which translates to "About Coronavirus".

We observed samples from this campaign on the malware portal VirusTotal as recently as 2020-06-15.

Infection Cycle

On execution the screen is covered by a warning message that varies from app to app. Only some apps in this campaign demand a ransom in exchange for an unlock key, but the template used by the ransom messages is broadly similar:

 

Translations of some of the messages displayed by lockers in this campaign:

  • “Your Android is Blocked! You have visited or used sites in violation of law”
  • “Android is locked !”
  • “Your phone is coded!”

A few apps in this campaign make more of an effort to stand out:

 

Startup trigger

Although the locker does not encrypt files like regular ransomware, the phone becomes unusable: the buttons do not respond and the screen is covered by the ransom message. At this point the victim has few options other than to reboot the device.

Rebooting does not help, because the locker requests the RECEIVE_BOOT_COMPLETED permission, which lets it be woken by the boot broadcast. As soon as the device boots, the locker's background service, LockService, is started and draws the ransom message over the screen again.

Hardcoded unlock key

This campaign locks the screen with a ransom message and demands a ransom for an unlock code. However, the unlock code is hardcoded, and it can be found in the same class in every sample we examined from this campaign: com.lololo/LockService;->onClick()

The image below shows hardcoded unlock codes for few samples:

 

Easy removal

The apps in this campaign do not request dangerous permissions such as BIND_DEVICE_ADMIN or BIND_ACCESSIBILITY_SERVICE, so nothing protects them against uninstallation. If USB debugging is enabled in the device's Developer options, a victim can remove the locker with the adb command below (booting into safe mode, which disables third-party apps, also frees the screen long enough to uninstall it from Settings):

  • adb shell pm uninstall com.lololo
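The removability check above and the permission review in the Cashbox write-up earlier on this page come down to the same questions about a manifest: which profiling permissions (location, phone state, camera) are requested, whether anything is wired to BOOT_COMPLETED, and whether any component binds device-admin or accessibility privileges that would block a plain pm uninstall. The script below is an added example written for this write-up, not SonicWall tooling. It assumes the manifest has already been decoded from the APK's binary XML (with apktool or aapt); the sample manifest is constructed to resemble the locker, so the BootReceiver class name and the exact permission set are assumptions, while com.lololo and LockService are taken from the analysis above.

```python
"""Triage a decoded AndroidManifest.xml for the traits discussed on this page.

Constructed example for this write-up, not SonicWall tooling. Assumes the manifest has
already been decoded from binary XML (e.g. apktool or aapt). The sample manifest below
is made up to resemble the locker; it is not taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Permissions that let an app profile the victim (Cashbox pulled location and device info).
PROFILING_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Component-level permissions that make a locker hard to uninstall.
ANTI_REMOVAL_PERMS = {
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

    # Receivers wired to BOOT_COMPLETED: how the locker comes back after a reboot.
    boot_receivers = [
        r.get(ANDROID + "name") for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    # Device-admin receivers / accessibility services block a plain `pm uninstall`.
    anti_removal = [
        c.get(ANDROID + "name")
        for c in list(root.iter("receiver")) + list(root.iter("service"))
        if c.get(ANDROID + "permission") in ANTI_REMOVAL_PERMS
    ]
    return {
        "package": package,
        "profiling_permissions": sorted(requested & PROFILING_PERMS),
        "restarts_on_boot": BOOT_PERM in requested and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "anti_removal_components": anti_removal,
        # Only promise the adb route when nothing holds device-admin/accessibility bindings.
        "adb_uninstall": None if anti_removal else "adb shell pm uninstall %s" % package,
    }


# Constructed manifest modelled on the locker. com.lololo and LockService come from the
# analysis above; BootReceiver and the permission set are assumptions.
SAMPLE_LOCKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.lololo">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Koronavirus haqida">
    <service android:name="com.lololo.LockService"/>
    <receiver android:name="com.lololo.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_LOCKER_MANIFEST).items():
        print("%-24s %s" % (key, value))
```

If anti_removal_components is non-empty, the device-admin or accessibility binding must be revoked first (or the device booted into safe mode), which is exactly the step this campaign lets the victim skip.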

 

Popular Targets

The apps from this campaign are re-packaged with different app names and icons that match popular apps. Some of the apps we observed during our analysis include:

  • WhatsApp
  • Netflix
  • Telegram
  • Grand Theft Auto 5 hacks
  • Minecraft hack
  • King root

With malware writers capitalizing on the Coronavirus theme to propagate their wares, apps in this campaign may increasingly carry it. We have already identified one sample named Koronavirus haqida and expect more apps from this campaign to follow suit.

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.LockScreen.HM

 

Indicators Of Compromise (IOC):

  • 476b68a650223780ec73f804e639b7ce
  • f5cbc2e11e236e5d22d5a3d9af94fdef
  • 80738faefeee89e9356645b31e1854e5
  • 9e300ed7388a597cdc528b4720859526
  • 3178ad2f9d84ba06e14184dd4426c39b
  • 19be9e9f7d26cb47054354eefe4bc86c
  • 3372427fcd1c02bfc2ab2d65cc3b6311
  • 5ece87cded91da6e2a1e7c6a4b8afe0d

 

Watch out for this BlackLivesMatter spam email delivering malware

Black Lives Matter protests have spread across the United States and worldwide. While the core of the protests has been activists taking to the streets, in this very online age, and amid a pandemic, people have also shown their support in inventive ways online, from viral tweets and hashtags to signing online petitions. Unfortunately, cybercriminals have seized the opportunity too and are distributing emails posing as support for the movement, with a malicious document attachment that the victim is supposed to "sign" to show their support.

Infection cycle:

The spam email carries a malicious attachment with a filename of the following form:

  • e-vote_form_xxxx.doc

When the malicious Word document is opened, the victim is presented with the image below:

Once the user follows the instructions to enable editing and enable content, a fake error is displayed while the legitimate command prompt executable (cmd.exe) is spawned to carry out the malicious actions.

 

 

It then performs a DNS query for ppid dot indramayukab dot go dot id and at the same time sends encrypted data to a remote server:

Sending encrypted data to remote server IP: 113.20.29.29

It also communicates with a second server, inspeclabeling dot com:

Connecting to 74.252.14.248, inspeclabeling.com

Both hosts appear to be legitimate servers that may well have been compromised.

The command prompt keeps running in the background even after the Word document is closed, so the malicious activity continues.

However, no other change is made to the system to establish persistence, so the infection does not survive a reboot.

The macro in the malicious document is password-protected, so we were not able to view it in Word. (The VBA project password only restricts Word's editor; the macro source is still stored in the document's vbaProject.bin stream and can be extracted with offline tools.)
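The behaviour described above, Word spawning cmd.exe and that cmd.exe outliving the document, is a clean detection opportunity in process-creation telemetry. The script below is an added example written for this write-up, not SonicWall tooling: it flags command interpreters whose parent is an Office application, and separately flags those whose Office parent has already exited while they keep running. The records mimic Sysmon Event ID 1 (process create) and Event ID 5 (process terminate) fields; the sample events are constructed and are not telemetry from this campaign.

```python
"""Flag command interpreters spawned by Office, and interpreters that outlive their parent.

Constructed example for this write-up, not SonicWall tooling. Event dictionaries mimic
Sysmon Event ID 1 (process create) and 5 (process terminate) fields; SAMPLE_EVENTS are
made up and are not telemetry from the campaign.
"""
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_interpreters(events):
    """Process-create events where an Office app launched a command interpreter."""
    return [e for e in events
            if e["EventID"] == 1
            and image_name(e["ParentImage"]) in OFFICE_PARENTS
            and image_name(e["Image"]) in INTERPRETERS]


def interpreters_outliving_office(events):
    """Subset of the above whose Office parent has exited while the child has not.

    The write-up notes that cmd.exe kept running after the Word document was closed;
    a live interpreter with a dead Office parent is that condition in telemetry.
    """
    exited = {e["ProcessId"] for e in events if e["EventID"] == 5}
    return [e for e in office_spawned_interpreters(events)
            if e["ParentProcessId"] in exited and e["ProcessId"] not in exited]


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry: Word opens the document, spawns cmd.exe, then Word closes.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2020-06-10 09:00:00", "ProcessId": 4100, "Image": WORD,
     "ParentProcessId": 1200, "ParentImage": EXPLORER},
    {"EventID": 1, "UtcTime": "2020-06-10 09:00:07", "ProcessId": 4312, "Image": CMD,
     "ParentProcessId": 4100, "ParentImage": WORD},
    # Benign console the user opened from Explorer; must not be flagged.
    {"EventID": 1, "UtcTime": "2020-06-10 09:00:20", "ProcessId": 4400, "Image": CMD,
     "ParentProcessId": 1200, "ParentImage": EXPLORER},
    {"EventID": 5, "UtcTime": "2020-06-10 09:01:00", "ProcessId": 4100, "Image": WORD},
]

if __name__ == "__main__":
    for e in office_spawned_interpreters(SAMPLE_EVENTS):
        print("Office spawned interpreter: pid %d %s" % (e["ProcessId"], e["Image"]))
    for e in interpreters_outliving_office(SAMPLE_EVENTS):
        print("interpreter outlived its Office parent: pid %d" % e["ProcessId"])
```

On a real log, pair the PID with the process GUID or start time, since Windows reuses PIDs; the parent-child rule alone is the high-value alert, the orphan rule is a confirmation that the payload did not die with the document.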

As always, we urge users to rely only on official and reputable websites as their source of information and news, and to be vigilant and cautious when installing software, particularly when they are not certain of its source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Downloader.DOC.VBA_2 (Trojan)
  • GAV: Trickbot.D_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 06-12-20

This week, SonicWall launched its new SD-Branch capabilities and multi-gigabit SonicWall Switches, bringing cost-effective simplicity and centralized management to the hyperdistributed era.


SonicWall Spotlight

Sonicwall Advances Network Edge Security, Adds Multi-Gigabit Switch Series, Easy-To-Manage SD-Branch Capabilities — SonicWall Press Release

  • To simplify security deployment, management and visibility for organizations with growing branch footprints, SonicWall is introducing new secure SD-Branch capabilities and a complete line of new multi-gigabit switches to cost-effectively scale and manage remote or branch locations.

SonicWall Adds Multi-Gigabit Switches to SD-Branch Portfolio — DevOps.com

  • Dmitriy Ayrapetov, vice president of platform architecture for SonicWall, talks about the new SonicWall Switches and SD-Branch capabilities, and how they centralize management of remote offices.

Seven Factors To Consider When Evaluating Endpoint Protection Solutions — MSSP Alert

  • Attackers are getting craftier when infiltrating secure environments. SonicWall’s Vishnu Chandra Pandey offers several ways to know whether your endpoint protection solution will be able to keep up.

Boundless Cybersecurity for the New Work Reality — SC Magazine

  • With the widespread adoption of remote work, we’ve moved into a hyperdistributed IT landscape. SonicWall’s Terry Greer-King explains how Boundless Cybersecurity can help businesses survive this new business normal.

Cybersecurity News

Ransomware: Hackers took just three days to find this fake industrial network and fill it with malware — ZDNet

  • Researchers set up a tempting honeypot to monitor how cybercriminals would exploit it. Then it came under attack.

Fake Black Lives Matter voting campaign spreads Trickbot malware — Bleeping Computer

  • A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Rate of Ransomware Attacks in Healthcare Slows in H1 2020 — Dark Reading

  • A lower number of ransomware attacks on healthcare entities suggests many threat groups are indeed avoiding targeting them during the current pandemic. But the lull may be short-lived.

Encryption Utility Firm Accused of Bundling Malware Functions in Product — Threat Post

  • A legally registered Italian company is selling what it claims is a legitimate encryption utility, but the service it provides has been a common denominator in thousands of attacks over the past year.

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk — Dark Reading

  • “CallStranger” flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. — The New York Times

  • Federal prosecutors are investigating a global hacker-for-hire operation that sent phishing emails to environmental groups, along with thousands of individuals and hundreds of institutions around the world.

Valak malware gets new plugin to steal Outlook login credentials — Bleeping Computer

  • A new module discovered by researchers suggests the authors of the Valak information stealer are increasingly focusing on stealing email credentials.

Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election — The New York Times

  • Fear of the coronavirus is speeding up efforts to allow voting from home, but some of them pose security risks and may make it easier for Vladimir Putin or others to hack the vote.

NATO Condemns Cyberattacks Against COVID-19 Responders — Security Week

  • Over the past couple of months, there has been a surge in attacks targeting those who work in response to the pandemic, prompting NATO to publicly condemn the malicious cyber-activities directed against COVID-19 responders.

In Case You Missed It

Microsoft Security Bulletin Coverage for June 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft's security advisories for the month of June 2020. The issues reported, along with SonicWall coverage information, are listed below:

CVE-2020-0915 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0916 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0986 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5954:Malformed-File exe.MP.143
CVE-2020-1073 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1120 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1148 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1160 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1162 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1163 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1170 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1177 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1178 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1181 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1183 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1194 Windows Registry Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1196 Windows Print Configuration Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1197 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1199 Windows Feedback Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1201 Windows Now Playing Session Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1202 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1203 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1204 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability
ASPY 5952:Malformed-File exe.MP.142
CVE-2020-1207 Win32k Elevation of Privilege Vulnerability
ASPY 5951:Malformed-File exe.MP.141
CVE-2020-1208 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1209 Windows Network List Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1211 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1212 OLE Automation Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1213 VBScript Remote Code Execution Vulnerability
IPS 15042:VBScript Remote Code Execution Vulnerability (CVE-2020-1213)
CVE-2020-1214 VBScript Remote Code Execution Vulnerability
IPS 15041:VBScript Remote Code Execution Vulnerability (CVE-2020-1214)
CVE-2020-1215 VBScript Remote Code Execution Vulnerability
IPS 15040:VBScript Remote Code Execution Vulnerability (CVE-2020-1215)
CVE-2020-1216 VBScript Remote Code Execution Vulnerability
IPS 15035:VBScript Remote Code Execution Vulnerability (CVE-2020-1216)
CVE-2020-1217 Windows Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1219 Microsoft Browser Memory Corruption Vulnerability
IPS 15036:Microsoft Browser Memory Corruption Vulnerability (CVE-2020-1219)
CVE-2020-1220 Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1222 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1223 Word for Android Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1225 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1226 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1229 Microsoft Outlook Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1230 VBScript Remote Code Execution Vulnerability
IPS 15037:VBScript Remote Code Execution Vulnerability (CVE-2020-1230)
CVE-2020-1231 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1232 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1233 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1234 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1235 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1236 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1237 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1238 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1239 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1241 Windows Kernel Security Feature Bypass Vulnerability
ASPY 5949:Malformed-File exe.MP.140
CVE-2020-1242 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1244 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1246 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1247 Win32k Elevation of Privilege Vulnerability
IPS 2282:Suspicious Executable File Download 9
CVE-2020-1248 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1251 Win32k Elevation of Privilege Vulnerability
ASPY 5947:Malformed-File exe.MP.138
CVE-2020-1253 Win32k Elevation of Privilege Vulnerability
ASPY 5948:Malformed-File exe.MP.139
CVE-2020-1254 Windows Modules Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1255 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1257 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1258 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1259 Windows Host Guardian Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1260 VBScript Remote Code Execution Vulnerability
IPS 15034:VBScript Remote Code Execution Vulnerability (CVE-2020-1260)
CVE-2020-1261 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1262 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1263 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1264 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1265 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1266 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1268 Windows Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1269 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1270 Windows WLAN Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1271 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1272 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1273 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1274 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1275 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1276 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1277 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1278 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1279 Windows Lockscreen Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1280 Windows Bluetooth Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1281 Windows OLE Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1282 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1283 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1284 Windows SMBv3 Client/Server Denial of Service Vulnerability
IPS 15038:Windows SMBv3 Denial of Service (CVE-2020-1284) 1
CVE-2020-1286 Windows Shell Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1287 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1289 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1290 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1291 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1292 OpenSSH for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1293 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1294 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1295 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1296 Windows Diagnostics & feedback Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1297 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1298 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1299 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1300 Windows Remote Code Execution Vulnerability
ASPY 5960:Malformed-File cab.TL.5
CVE-2020-1301 Windows SMB Remote Code Execution Vulnerability
IPS 15039:Windows SMB Remote Code Execution (CVE-2020-1301)
CVE-2020-1302 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1304 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1305 Windows State Repository Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1306 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1307 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1309 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1310 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1311 Component Object Model Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1312 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1313 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1314 Windows Text Service Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1315 Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1316 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1317 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1318 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1320 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1321 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1322 Microsoft Project Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1323 SharePoint Open Redirect Vulnerability
There are no known exploits in the wild.
CVE-2020-1324 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1327 Azure DevOps Server HTML Injection Vulnerability
There are no known exploits in the wild.
CVE-2020-1329 Microsoft Bing Search Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1331 System Center Operations Manager Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1334 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1340 NuGetGallery Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1343 Visual Studio Code Live Share Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1348 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.

Mustang Panda Group Side Loading DLL

Overview:

The SonicWall Capture Labs Threat Research Team observed new activity from MUSTANG PANDA using a unique infection chain related to the PlugX Trojan. The legitimate, vulnerable binary is part of Adobe’s suite and will load any library named “hex.dll”.

Sample 1st Layer, Static Information:

Looking at the first layer in CFF Explorer to check for corruption: the first layer is a Win32 binary.

Command-Line Static Information:

Extracted Files From Binary:

Side-Loaded DLL: hex.dll

HTTP Network Artifacts:

  • www.destroy2013.com
  • www.fitehook.com

Dynamic Artifacts:

Loaded Modules:

  • See hex.dll in the list.

Process:

  • Command-Line String Used: “C:\ProgramData\AAM Updatesnnk\AAM Updates.exe” 862
  • Autostart string active

Process Security:

Holding SeDebugPrivilege gives a process the ability to use techniques commonly seen in malware. By default, users can debug only processes that they own; debugging processes owned by other users requires the SeDebugPrivilege privilege. Once this privilege is granted, you have given away the farm: it allows code injection into other processes.

  • SeDebugPrivilege
  • Group NT AUTHORITY

CreateFile Artifacts:

  • Folder Created: AAM updatesnnk

Hex DLL Static Information

Side-Loaded DLL Exports:

Shellcode:

The malware author tries to hide the loading of Kernel32.dll; however, you can see it within a debugger. Building the name slowly, one character at a time, is meant to bypass signature filters. You can also see the junk code inserted between the characters of Kernel32.dll. It’s always interesting to watch how malware authors bypass signature enforcement within their shellcode.
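The one-character-at-a-time string building described above is what analysts usually call a stack string. As an added example, not from the write-up, the Python below recovers such strings from a constructed, simplified MASM-style listing that interleaves the byte stores with junk instructions; it does not use the sample's actual code, which the post shows only as a screenshot. The logic is generic: collect single-byte stores relative to a base register, sort them by offset and join runs of adjacent printable bytes.

```python
"""Recover strings that shellcode builds one byte at a time on the stack.

Added example (not from the SonicWall write-up). SAMPLE_LISTING is a
constructed, simplified disassembly in MASM style with junk instructions
between the byte stores, mimicking the pattern the post describes.
"""
import re
from typing import Dict, List

# Constructed sample listing; offsets written the way IDA prints them.
SAMPLE_LISTING = """
mov     byte ptr [ebp-20h], 4Bh
xor     eax, eax
mov     byte ptr [ebp-1Fh], 65h
add     esi, 0
mov     byte ptr [ebp-1Eh], 72h
mov     byte ptr [ebp-1Dh], 6Eh
nop
mov     byte ptr [ebp-1Ch], 65h
mov     byte ptr [ebp-1Bh], 6Ch
lea     ecx, [ecx+0]
mov     byte ptr [ebp-1Ah], 33h
mov     byte ptr [ebp-19h], 32h
mov     byte ptr [ebp-18h], 2Eh
inc     edx
dec     edx
mov     byte ptr [ebp-17h], 64h
mov     byte ptr [ebp-16h], 6Ch
mov     byte ptr [ebp-15h], 6Ch
mov     byte ptr [ebp-14h], 0
push    ebp
mov     byte ptr [esp+8], 4Ch
mov     byte ptr [esp+9], 6Fh
mov     byte ptr [esp+0Ah], 61h
mov     byte ptr [esp+0Bh], 64h
mov     byte ptr [esp+0Ch], 0
"""

# One byte-sized store relative to a base register, e.g.
#   mov byte ptr [ebp-1Fh], 65h
STORE_RE = re.compile(
    r"^\s*mov\s+byte\s+ptr\s+\[(?P<base>[a-z]{2,3})\s*(?P<sign>[+-])\s*"
    r"(?P<off>[0-9A-Fa-f]+)(?P<offh>h?)\]\s*,\s*(?P<imm>[0-9A-Fa-f]+)(?P<immh>h?)\s*$",
    re.IGNORECASE,
)


def masm_int(digits: str, hex_suffix: str) -> int:
    """MASM numbers: a trailing 'h' marks hexadecimal, otherwise decimal."""
    return int(digits, 16) if hex_suffix else int(digits, 10)


def collect_byte_stores(listing: str) -> Dict[str, Dict[int, int]]:
    """base register -> {signed offset: byte value}; other lines are junk."""
    stores: Dict[str, Dict[int, int]] = {}
    for line in listing.splitlines():
        m = STORE_RE.match(line)
        if not m:
            continue  # junk or unrelated instruction, skipped
        off = masm_int(m["off"], m["offh"])
        if m["sign"] == "-":
            off = -off
        val = masm_int(m["imm"], m["immh"]) & 0xFF
        stores.setdefault(m["base"].lower(), {})[off] = val
    return stores


def recover_stack_strings(listing: str, min_len: int = 4) -> List[str]:
    """Join contiguous printable bytes per base register; a NUL or a gap in
    the offsets ends a string."""
    found: List[str] = []
    for cells in collect_byte_stores(listing).values():
        run = bytearray()
        prev = None
        for off in sorted(cells):
            b = cells[off]
            printable = 0x20 <= b < 0x7F
            if prev is None or off != prev + 1 or not printable:
                if len(run) >= min_len:
                    found.append(run.decode("ascii"))
                run = bytearray()
            if printable:
                run.append(b)
            prev = off
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING):
        print(repr(s))
```

Because only the byte stores are parsed, the junk instructions between them fall out for free; the minimum length keeps two- or three-byte scratch writes from being reported as strings.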

Decryption of Shellcode:

IDA Pro View of Algorithm:

What’s inside the encrypted buffer after it’s decrypted:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Mustang.PAN (Trojan)

Appendix:

Sample Hash: c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c

Indian e-commerce websites are being targeted by malvertising on Facebook

The deadly Covid-19 pandemic has put people all over the world under lockdown. India enforced a lockdown on March 23, 2020, which is still in force with relief in a few areas. E-commerce companies were restricted from selling non-essential goods for almost 2 months in India. Now that the e-commerce companies have been fully operational for the last few weeks, malware authors have started malvertising campaigns that abuse the lockdown situation. The SonicWall threat research team has observed scams spreading on Facebook, claiming to be a Flipkart lockdown sale, an Amazon India sale and a Paytm sale. The scam sale offers premium mobile phones at unbelievable prices and says the deals end in a few minutes. This attracts users and pushes them to purchase the product immediately.

You will see the below scam Ad on your Facebook profile, claiming a Flipkart lockdown sale and a Paytm limited-period offer for premium mobiles at very low prices:

Clicking on the Flipkart lockdown sale takes the user to the next page, which asks the user to continue:

After clicking to continue, the user is redirected to a Flipkart-lookalike website. The website shows many premium mobiles at very low prices and labels them Deals of the Day that will end in a few minutes. The website looks like a fully functional Flipkart website, but only the mobile phone links work:

Clicking on any product takes the user to a product details page similar to the genuine Flipkart website, which also includes ratings and reviews, but these are not accessible for a detailed view. The user is only allowed to click on BUY NOW:

Clicking on BUY NOW takes the user to the address page. However, the user need not worry about filling in the delivery address; the scammers are not going to ship the product. All the fields are marked compulsory, but the user can continue without filling in any field:

Now the user is in the final stage of being looted by this scam. The payment page accepts payment only through UPI:

The user is now all set to lose his hard-earned money within 5 minutes. He just needs to click on Proceed to pay and enter the UPI PIN:

This scam is targeting people located in India aged between 18 and 55 years. Facebook users can report this Ad scam to Facebook:

Some users are denouncing these scams in the comments, some are asking for Cash On Delivery (COD), some are educating other users against this scam, but there are also many users who have paid money to these fraudulent accounts:

Creating this type of malvertising takes the malware author only a few hours, yet it can loot thousands of users in an hour.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Infector.ML

Fake image file containing Javascript leads to Avaddon ransomware

The SonicWall Capture Labs threat research team has observed reports of spam inviting people to view an “image” in which, the email states, they are present. The “image”, which in our case was named IMG148150.jpg.js, is actually a file containing malicious Javascript downloader code. Once executed, Avaddon ransomware is downloaded and run in the background.

Infection Cycle:

IMG148150.jpg.js contains the following script:

Upon running the script, sava.exe is downloaded from hxxp://217.8.117.63/sava.exe and executed. It displays the following message on the desktop background:

The following commands are run to remove shadow copies on the system:

wmic.exe SHADOWCOPY /nointeractive
vssadmin.exe Delete Shadows /All /Quiet

The following registry entry is made:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run update "%APPDATA%\Roaming\{malware file}.exe"
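The observations above (a double-extension "image" that is really a script, shadow copy deletion through wmic and vssadmin, and a Run key pointing into the user's profile) translate directly into host triage rules. The Python below is an added example, not SonicWall's code; the Sysmon-like events are constructed, the decoy and script extension lists are my own generalisation of the .jpg.js case, and placeholder.exe stands in for the unnamed {malware file}.exe.

```python
"""Triage rules for the Avaddon delivery and impact behaviours described above.

Added example, not code from the SonicWall write-up. The three checks map to
the post's observations; the event records are constructed, Sysmon-like
samples, and the extension lists and benign entries are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Decoy "document" extension immediately followed by a script/executable one
# (my generalisation of the post's IMG148150.jpg.js).
DOUBLE_EXT_RE = re.compile(
    r"\.(?:jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr)$",
    re.IGNORECASE,
)

# Shadow-copy tampering as seen in the post's two command lines.
SHADOW_COPY_RULES = (
    ("vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)),
    ("wmic shadowcopy tampering",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.IGNORECASE)),
)

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Launch paths inside the user's profile or temp: not where installed software lives.
PROFILE_PATH_RE = re.compile(
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\AppData\\|\\Users\\[^\\]+\\", re.IGNORECASE)


def check_attachment_name(name: str) -> bool:
    """True for names like IMG148150.jpg.js: the visible 'image' hides a script."""
    return DOUBLE_EXT_RE.search(name) is not None


def check_command_line(cmdline: str) -> List[str]:
    """Names of the shadow-copy tampering rules the command line matches."""
    return [name for name, rx in SHADOW_COPY_RULES if rx.search(cmdline)]


def check_run_key(target: str, details: str) -> bool:
    """Autorun value whose launch path lives in the user's profile or temp."""
    return (RUN_KEY_RE.search(target) is not None
            and PROFILE_PATH_RE.search(details) is not None)


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule name, evidence) pairs for every event that trips a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "attachment" and check_attachment_name(ev["name"]):
            findings.append(("double-extension script attachment", ev["name"]))
        elif kind == "process":
            for rule in check_command_line(ev["cmdline"]):
                findings.append((rule, ev["cmdline"]))
        elif kind == "registry" and check_run_key(ev["target"], ev["details"]):
            findings.append(("user-profile Run key persistence", ev["target"]))
    return findings


# Constructed events. Malicious ones reproduce the post's strings; the launch
# path "placeholder.exe" stands in for the "{malware file}.exe" the post leaves
# unnamed, and the benign lines are invented for contrast.
SAMPLE_EVENTS = [
    {"type": "attachment", "name": "IMG148150.jpg.js"},
    {"type": "attachment", "name": "holiday.jpg"},
    {"type": "process", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},
    {"type": "registry",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "details": r"%APPDATA%\Roaming\placeholder.exe"},
    {"type": "registry",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\ExampleVendor\updater.exe /background"},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[!] {rule}: {evidence}")
```

The shadow-copy rules are the highest-fidelity signal of the three: legitimate software almost never deletes all shadow copies non-interactively, whereas the Run key and attachment checks need the path and extension allowlists tuned to the environment.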

Files on the system are then encrypted by the malware and given a .avdn extension. 431680-readme.html is copied into every directory containing encrypted files; 431680-readme.html contains the following page:

avaddonbotrxmuyl.onion leads to the following page hosted on the Tor network:

After entering the ID provided in the HTML page, the following page is presented, asking for $500 USD in Bitcoin to be paid to 32rmhhgJaCDEaB2RGv3joCc5K75niYtxZ5:

The site provides a chat interface for communicating with the operators and possibly negotiating. We tried to reach out to the operators using this interface but received no response:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BitsAdmin.N (Trojan)
  • GAV: Avaddon.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.