Posts

MOVEit SQL Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR. MOVEit can be accessed via an API or the provided web interface that can be accessed over HTTPS.

  A SQL injection vulnerability has been reported for MOVEit Transfer. This vulnerability is due to flawed input validation sent to the endpoints “/moveitsapi.dll” and “/guestaccess.aspx”.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-34362.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  This vulnerability is due to flawed input validation sent to the endpoints “/moveitsapi.dll” and “/guestaccess.aspx”. The “/moveitisapi/moveitisapi.dll” will process requests with a parameter named action with a value “m2”. When processing such a request the server expects the “X-siLock-Transaction “(case-sensitive) header to be set to “folder_add_by_path” to process the request, The server will then pass the request to “/machine2.aspx”. The “/machine2.aspx” resource is meant to be used internally by various MOVEit components to manage “high speed” file transfers.

  However, if the string “X-siLock-Transaction: folder_add_by_path” is found in another header the “/moveitisapi/moveitisapi.dll” resource will continue to process the request and pass it to “/machine2.aspx”. The “/machine2.aspx” resource will then process the request based on the value of the actual “”XsiLock-Transaction” header. An attacker can set the “X-siLock-Transaction” header value to “session_setvars” which will lead to the SetAllSessionVarsFromHeaders() method of the SILHttpSessionWrapper class to be called. The SetAllSessionVarsFromHeaders() method will process each HTTP header with the name “X-siLockSessVar” (case-sensitive) and attempt to set the associated HTTP session variable related to the value of the header.

  For example the header:
    X-siLock-SessVar: MyPkgSelfProvisionedRecips: realuser@gmail.com

  This will set the session variable MyPkgSelfProvisionedRecips, which controls the recipients of a data package, to the value “realuser@gmail.com”. When a guest user is in the process of sending a data package a request can be sent to the “/machine2.apsx” endpoint via “/moveitisapi/moveitisapi.dll” that will update the value of session variables. Then when the final data package is sent via form submission to the “/guestaccess.aspx” endpoint the updated session variables will be used allowing an attacker to update the recipients email address to contain SQL injection characters.

  When the form is submitted the method GetHTML() loads the updated session variables and calls the MsgPostForGuest() method from the class MOVEit.DMZ.ClassLib.MsgEngine. The method will call the UserGetSelfProvisionUserRecipsWithEmailAddress() method from the MOVEit.DMZ.ClassLib.UserEngine class which will then call the UserGetUsersWithEmailAddress() method. The UserGetUsersWithEmailAddress() method will build an SQL statement by concatenating the updated recipient email address to the query string without performing any sanitation and then execute the SQL query.

Triggering the Problem:

  • The target system must have the vulnerable product installed and enabled.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must be able to register as a guest user and be able to send a data package

Triggering Conditions:

  An attacker requests to register as a guest user and send a data package. The attacker then sends a request to update the session variables. Finally the attacker sends a request to send the data package. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS:15883 Progress MOVEit SQL Injection

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Fake ChatGPT installs an infostealer

With the popularity of ChatGPT, an artificial intelligence (AI) chatbot, cybercriminals has been using it to lure unsuspecting victims to online scams. Recently, the Sonicwall Capture Labs Research team has come across a scam promising the most powerful version of this AI chatbot only to install an infostealer.

Infection Cycle:

This so called better version of ChatGPT is hosted on a website that promises the download of its AI tool which outperforms and is more advanced than ChatGPT.

The website even links to the promotional Youtube video of the legitimate ChatGPT-4 from the original developer, OpenAI.

fake chatgpt website

The user gets a password- protected RAR archive from the download link on this malicious website. This password is conveniently provided on the website and upon execution runs a Microsoft software installer file (msi).

The rar archive and the msi file use the following file names:

  • ChatGPT4_V2_3.3_Setup.rar
  • ChatGPT4 V2 3.3 Setup.msi

It opens a popup box that will guide the user to a seemingly legitimate program installation.

fakeinstallbox

It drops the following files in the program files directory:

Upon completed installation, it opens the chrome browser to OpenAI’s real website which will lead  the victim to believe that the real ChatGPT from the original developer was installed.

openaiwebsite

But silently, it spawned the command prompt to run the batch file named gpt4.bat which started the Chrome browser and loaded a browser extension named “dmkamcknogkgcdfhhbddcghachkejeapgpt4.”

gpt4.bat

To hide its real intent and to make it sound benign, this malicious extension is named “Google Translate.”

fake google extension

googleextensiondetails

After careful examination of the original file that was installed as a browser extension we found that it was an obfuscated javascript file whose primary function is to steal facebook cookies presumably to use stolen credentials to further this online scam.

facebook info stealer

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Fake.GPT (Trojan)
  • GAV: Fakechrome.EXT (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Code-Projects SQLi Bus Dispatch Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The vulnerability labeled as CVE-2023-2951 is a critical issue found in the “Code-Projects” Bus Dispatch and Information System version 1.0, specifically involving a file called delete_bus.php. The vulnerability arises from the fact that the argument ‘busid’ can be manipulated in a way that leads to SQL injection. SQL injection is a type of cyber attack in which an attacker can manipulate the database through user inputs. This particular type of attack is often categorized under CWE-89, CWE-74, and CWE-707 which refers to the improper neutralization of special elements used in an SQL Command.

  A remote, authenticated attacker could exploit the vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary remote code execution under the security context of system.

  CVE-89, CVE-74, CVE-707

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2951.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  ”SQLMap” is an open-source tool used for detecting and exploiting SQL injection vulnerabilities in an application’s database. It’s a powerful tool that supports a wide range of databases and has many features, including database fingerprinting, data fetching from the database, and accessing the underlying file system and executing commands on the operating system.

  When you see an SQLMap attack with a reference like “busid (GET)”, it generally refers to a SQL injection attack on the ‘busid’ parameter using the HTTP GET method.

  Here’s a bit of detail:

    ”busid”: The parameter being passed in the HTTP GET request.

    ”(GET)”: This refers to the HTTP method being used. GET is a common HTTP method used for retrieving data.

  The goal of this attack is to manipulate the ‘busid’ parameter in a way that allows for execution of arbitrary SQL commands on the application’s database.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious “SQLMap” payloads containing “SQL inputs” to the application.
  • The attacker must use “busid” within the HTTP GET Request.

Triggering Conditions:

  The attacker sends GET Request to the URI location “delete_bus.php” with the “busid=3” parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Three POC SQLMap inputs below:

  

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS:19132 Code-projects Bus Dispatch and Information System SQLi

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
    • Apply proper input validation and sanitization to any deserialized data.
  A Github member has released the following advisory regarding this vulnerability:
  Github Source

GuLoader Demystified: Unraveling its Vectored Exception Handler Approach

OVERVIEW

SonicWall Capture Labs Research team recently observed a new variant of GuLoader (a.k.a Cloudeye). GuLoader is a shellcode-based downloader, known for its numerous anti-analysis techniques and control flow obfuscation. In latest variant of GuLoader it introduces new ways to raise exceptions that hamper complete analysis process and its execution under controlled environment.

In this blog post, we will discuss

  • Unpacking of GuLoader’s shellcodes.
  • Understanding a new anti-debug technique deployed by GuLoader.
  • Deep dive into GuLoader’s custom Vectored Exception Handler.
  • Writing an IDAPython script to deobfuscate the control flow of shellcode and to make GuLoader’s analysis easy and fast.

INTRODUCTION

GuLoader is an advanced downloader first discovered in 2019 and since then it kept evolving, adding new anti-debugging techniques with its every new variant. It downloads malicious payload including AgentTesla, Azorult and Ramcos RAT etc. Currently GuLoader is spreading through malspam campaign and packed using NSIS installer.

UNPACKING GULOADER’S SHELLCODE

GuLoader’s shellcode is executed after three layers.

Layer 1:

Recent variant of GuLoader is spreading as NSIS Installer consisting of NSIS script, DLL plugin and encrypted shellcode’s file. We need NSIS variant of 7-zip to extract the NSIS script, as typical installer of 7-zip is unable to extract the NSIS script.

Fig 1. Extracted files from NSIS installer.

File “Hangarer.Man” contains shellcode of Layer 2 and an encrypted shellcode of Layer 3 which is main shellcode of GuLoader.

System.dll is DLL file which exports multiple functions. An Exported function named as “Call” is called by NSIS script. This function is responsible to allocate and execute Layer 2 shellcode.

Fig 2. NSIS script calling Exported function Call.

Call function allocates memory space and copies content of file Hangarer.Man from offset 0x409 till last byte. It then calls CallWindowProcW API. First parameter of CallWindowProcW is lpPrevWndFunc. lpPrevWndFunc is callback function, which is set to address of allocated memory space, which results in indirect execution of the Layer 2’s shellcode.

Layer 2:

Malware immediately decrypts the third layer which located at offset 0x1c9 in layer 2 and starts its execution.

Fig 3. Decryption of layer 3.

Layer 3:

It is the final GuLoader shellcode. This shellcode has complex obfuscation, consisting of junk code, indirect function calls, dynamic API resolution, obfuscated arithmetic value calculations, using stack to decrypt strings, fake instructions, anti-debug, anti-vm, anti-analysis, anti-dump, anti-API hook, anti-emulation techniques.

  • During analysis of this variant, we have identified a significant enhancement in GuLoader’s one of most effective anti-debug technique that it’s custom Vectored Exception Handler.
  • Malware raises exceptions by executing cleverly crafted series of instructions. Also it uses same instructions multiple times in shellcode to make it hard for reverser to perform static and dynamic analysis and to consume lot of time.
  • Ultimate goal of GuLoader for using this anti-debug technique is to achieve runtime control flow obfuscation.

GuLoader incorporates various evasions techniques. Mentioning them below in order in which they are get executed.

  • Scan the virtual memory for the strings related to analysis tools.
  • Uses Heaven Gate technique to redirect it’s execution under x64 OS.
  • Check QEMU emulator related strings.
  • Patch DbgBreakPoint and DbgUiRemoteBreakin API used by debuggers.
  • Uses EnumWindows API to enumerates windows.
  • Uses NtSetInformationThread API with ThreadHideDebugger(0x11).
  • Uses EnumDeviceDrivers and GetDeviceDriverBaseNameA APIs.
  • Uses MsiEnumProductsA and MsiGetProductInfoA APIs.
  • Uses OpenSCManagerA and EnumServicesStatusA APIs.
  • Use NtQueryInformationProcess API with DebugPort(0x7).

An Overview of the Payload’s Execution Sequence

  • Create suspended child process of itself.
  • In newly created process, it creates a section using genuine file to avoid AVs suspicious scanning. In this case it was using mshtml.dll.
  • Injects complete main shellcode in child process.
  • Repeats executing the mentioned evasion techniques one more time.
  • After successful bypass , it decrypts the c2 URL and download encrypted payload from c2.
  • Generate the payload decryption key. In analyzed sample, key length was 0x303 bytes.
  • GuLoader allocates approximately 60MB of memory space for the payload of size few KBs. It decrypts an encrypted payload, use process hollowing to inject decrypted payload into child process and resolves its Import Address Table.
  • Lastly, it starts payload execution using the ZwCreateThreadEx API.

 

Fig 4. Snippet of Payload decryption function.

All of the above-mentioned evasion techniques and payload execution sequences are already explained in detail in SonicWall Capture Labs Research team’s blog.

NEW ENHANCED ANTI-DEBUG TECHNIQUE

In the below section we will discuss

  • Exception types and implementation.
  • Decoding Vectored Exception Handler function.
  • Writing IDAPython script to restore deobfuscate control flow.

EXCEPTION TYPES & IMPLEMENTATION

This variant of GuLoader has added two new additional exceptions EXCEPTION_ACCESS_VIOLATION & EXCEPTION_SINGLE_STEP compared to last variant it has only one exception EXCEPTION_BREAKPOINT exception. We will discuss each exception and understand its pattern to write a script.

EXCEPTION_ACCESS_VIOLATION (code 0xC0000005)

When malware intentionally tries to write to an inaccessible memory address, exception EXCEPTION_ACCESS_VIOLATION is raised.

Here, malware constructs zero by series of arithmetic calculations. Then it tries to access memory address pointed by it, which raises exception as zero is inaccessible memory address.

Fig 5. EXCEPTION_ACCESS_VIOLATION instructions pattern.

As we can see the constant values and operations (mov, xor, sub) are keeps varying for each exception raised.

EXCEPTION_SINGLE_STEP (code 0x80000004)

The FLAGS register is the status register that contains the current state of a x86 CPU. The trap flag is 8th bit of FLAGS register. When the trap flag is set, the system is instructed to single step, it will execute one instruction and then stop. Then contents of registers and memory locations can be examined by Vectored Exception Handler; if they are correct, the system can execute the next instruction.

The x86 processor has no instruction to directly set or reset the trap flag. Malware uses combination of (PUSHFD/POPFD) instructions to set trap flag.

These operations are done by.

  1. Pushing the flag register on the stack (PUSHFD) .
  2. Modifying the trap flag bit (uses 0x100)
  3. Popping the flag register back off the stack (POPFD).

When malware is running without debugger, when SINGLE_STEP exception is raised and handled by Vectored Exception Handler.

Fig 6. SINGLE_STEP exception instructions pattern.

However while using debugger, no exception can be seen being raised as trap flag is always gets reset after each debugger event is delivered.

EXCEPTION_BREAKPOINT (code 0x80000003)

INT3 instruction (0xCC opcode) is used as software breakpoint in debuggers, that’s why when program is running under debugger, control remains to the debugger after it encounter INT3.

When malware is running without debugger exception EXCEPTION_BREAKPOINT is raised, and control is transferred to the Vectored Exception Handler.

Fig 7. BREAKPOINT exception instruction patterns.

Now we have understood how exceptions are being raised by malware. Next will see how malware uses these exceptions to change the control flow at runtime using its custom Vectored Exception Handler.

 

DECODING VECTORED EXCEPTION HANDLER

An application can register a function to handle all exceptions for the application. Vectored handlers are called in the order that they were added.

GuLoader call RtlAddVectoredExceptionHandler API to add its custom Vectored Exception Handler. RtlAddVectoredExceptionHandler accepts two parameters.

Fig 8. Structures of EXCEPTION RECORD & CONTEXT.

As we can see in below image, pointer of structure EXCEPTION_POINTERS is being passed as an argument to Vectored Exception Handler(VEH). Using structure EXCEPTION_POINTERS, VEH can access all the information regarding raised exceptions and reading the values of all the registers of processor using structure CONTEXT.

Fig 9. Pseudocode of Custom Vectored Exception Handler.

When EXCEPTION_ACCESS_VIOLATION and SINGLE_STEP_EXCEPTION exceptions are raised, handler perform following steps:

  1. It checks whether memory address being currently accessed is zero or not. If it is not zero, then it returns 0 and ultimately crashes down.

But how handler gets the address of currently accessed memory location? So it uses ExceptionInformantion[1] member of Exception Record to get this additional information about exception.

  1. Checks if any hardware breakpoints have been set by checking status of the debug registers(DR0 to DR7). If found it set the ContextRecord to 0 which leads malware to crash.
  2. If successfully pass the check, it then transforms the EIP to new address using logic Context->Eip += ByteAt(Eip + 2) ^ 0x6A where
    • Value 2 depicts size of instruction (mov, jg, jne etc.) where exception is raised.
    • 0x6A is byte key to transform EIP. (It differs sample to sample)

Fig 10. Debug register check.

When EXCEPTION_BREAKPOINT exception is raised, handler perform following steps:

  1. Checks whether hardware breakpoints have been set by checking status of the debug registers(DR0 to DR7). If found it set the ContextRecord to 0 which leads malware to crash.
  2. Scans for applied software breakpoint i.e. CC byte in loop.
  3. If successfully pass the check, it then transforms the EIP to new address using logic Context->Eip += ByteAt(Eip + 1) ^ 0x6A where
    • Value 1 depicts size of instruction (CC) where exception is raised.
    • 0x6A is byte key to transform EIP.

WRITING IDA PYTHON SCRIPT

IDAPython is an IDA Pro plugin that integrates the python programming language, allowing scripts to run in IDA Pro. IDA provides different modules to work on disassembly of instructions.

The python script finds instructions pattern that raise an exception and patch them by jump instruction with transformed EIP offset as a target.

After running the python script in IDA, we get clean, easy to analyze, deobfuscated code of GuLoader’s shellcode. Also finds out that GuLoader’s VEH has been called more than 1100 times.

Fig 11. Obfuscated code(A), deobfuscated code(B), GuLoader’s entire shellcode graph view(C).

CONCLUSION

GuLoader malware introduces new techniques very often which takes much time and efforts of malware analysts to fully analyzed it. We have completely analyzed GuLoader’s custom Vectored Exception Handler and understood how it works.

We have written python script to defeat GuLoader shellcode control flow obfuscation and saving time and efforts of malware analyst.

We expect further development in GuLoader anti-analysis, anti-debug techniques in upcoming days.

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOC’s

SHA256 : 55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

C2 URL : hxxp[:]//lena[.]utf[.]by/wp-content/plugins/f8eb81f6deba45169c3b41c05c4590ad/y/mm/mmd/kdRrHFMqRUIujuOy126[.]bin

Final Payload (Azorult stealer): d5af42b118d0597c6b71831f2b2ebc8294eca907481d53939563fce7c0f14767

REFERENCES

[1] https://securitynews.sonicwall.com/xmlpost/guloader-a-fileless-shellcode-based-malware-in-action/

[2] https://learn.microsoft.com/en-us/windows/win32/debug/vectored-exception-handling

[3] https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record

DCN DCBI-Netlog-LAB Remote Command Execution

DCN(Digital China Networks) focuses on the data communication field with full product lines, including switch, wireless router, security firewall and gateway, storage, CPE and Cloud services. DCBI-Netlog-LAB is an online behavior log system.

DCBI-Netlog-LAB Remote Command Execution | CVE-2023-26802
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
This vulnerability affects seven fields, namely proto, ip, pport, p_dip, pdport, odev, and tport, allowing the attacker to inject arbitrary malicious commands.

As seen in the exploit, the parameters are set to exploit the vulnerability by sending a GET request to the “/cgi-bin/network_config/nsg_masq.cgi” endpoint. Lets analyze the parameters of the request.

  • user_name=admin: This parameter is specifying the username as “admin”.
  • session_id=../: This parameter is setting the session ID to “../”. The use of “../” suggests a directory traversal attempt, where the attacker tries to navigate to a parent directory.
  • lang=zh_CN.UTF-8: This parameter sets the language to “zh_CN.UTF-8”, indicating Chinese language with UTF-8 encoding.
  • act=2: This parameter sets the action to “2”, potentially indicating a specific operation or task.
  • proto=;ls>/usr/local/lyx/lyxcenter/web/hack_result.html: This is the most critical part of the code. It sets the “proto” parameter to execute a command. In this case, the command being executed is “ls” which lists the contents of a directory. The output of this command is then redirected (using “>”) to a file called “hack_result.html” located at “/usr/local/lyx/lyxcenter/web/” directory. This suggests an attempt to create a file containing the result of the “ls” command, possibly for further analysis or exploitation.

So overall this vulnerability allows unauthorized individuals to bypass authentication and inject harmful commands. By sending carefully crafted requests that exploit directory traversal, an attacker can bypass authentication and gain unauthorized access. If successfully exploited, this vulnerability enables the attacker to remotely execute any commands they choose on affected systems.

The CVSS (Common Vulnerability Scoring System) score is 9.8 with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15852:DCN DCBI-Netlog-LAB Remote Command Execution

Threat Graph

Unmasking the Dot Net InfoStealer: A Deep Dive into its Techniques

Recently, SonicWall Capture Labs Threat research team discovered a Dot Net stealer malware with enormous capabilities including stealing information from Browsers, VPNs, Steam profiles, installed Apps, Cryptocurrency wallets, Cryptocurrency wallets browsers extensions and sensitive device information. These capabilities provide attackers to obtain valuable information from the victim’s systems that can lead to big financial frauds which can make huge financial losses to victim.

Technical Analysis:

Once user executes the file, Malware starts with creating Mutex using GetCustomAttributes() API. After creating mutex it uses threading by using Task task = Task.Run() to perform stealing activity simultaneously.

 

Browsers Data:

First activity malware does is that it steals information from web browsers. Here malware divides the browsers into 2 categories, 1st is Chromium-based web browsers and 2nd is Gecko-based web browsers. First, it searches for the installed Chromium-based web browsers from the victim’s computer from which he wants to steal information.

Figure 1. Stealing Chromium based browsers information.

Below is the list of Chromium based browsers malware targets:

Chromium Google Opera ChromePlus Iridium 7Star CentBrowser
Chedot Vivaldi Kometa Elements Browser Epic Privacy Browser Microsoft Edge Uran
Sleipnir Citrio Coowon liebao QIP Surf Orbitum Comodo
Amigo Torch Yandex Comod 360Browser Maxthon3 K-Melon
Sputnik Nichrome CocCoc Chromodo Atom Brave

List of Gecko based web browsers that malware targets:

Mozilla Firefox Comodo IceDragon Mozilla SeaMonkey
Pale Moon Waterfox K-Meleon
Thunderbird Cyberfox BlackHaw

After searching for targeted browsers, if malware finds the any of above-mentioned browser directory on the victim’s machine, then steals data from that directory and keep the same in respected folder. For Example, if malware steals History data from Google Chrome and FireFox browser then it creates a folder with the name Histories and keeps the stolen History data of Chrome and Firefox in Google Chrome.txt and Firefox.txt respectively. As shown in below Figure 2.

Figure 2. Stolen browsers History

Here is list of data malware steals from browsers:

  • Login data
  • Cookies
  • Credit card data
  • Bookmarks
  • AutoFill data
  • History

If malware founds any of above-mentioned data, then it keeps its count also in Counter.txt file shown in below Figure 3.

Figure 3. Stolen data from browser with counter

In this malware binary, there is a function DetectCreditCardType() which is called if any Credit Card info found in above mentioned web browsers on the victims’ machine, then it checks that Credit Card number using Regular Expression with major Credit Card Companies which are already hardcoded present in malware as shown in below figure 4.

Figure 4. Credit Card Parsing

Stealing Clipboard Data:

After stealing browsers information, it obtains the clipboard data and keeps in “Clip_BoardText.txt” file and bundles it into a zip file as shown in the below Figure.

Figure 5. Stealing Clipboard Data

Crypto Wallet Extension:

Then this stealer malware extracts information from crypto wallet browser extensions. Right now, the malware only targets 3 browsers OperaOpera GX and Google Chrome. These extension IDs hard coded presents in the file.

Figure 6. Stealing information from Crypto Wallet browser extensions.

Below table shows the targeted crypto wallets with respective browser extension IDs:

Browser extension ID Extension Name
nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask
ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink
fhbohimaelbohpjbbldcngcnapndodjp Binance

Cryptocurrency Wallets:

This stealer not only steals Crypto Wallet Extensions information from browsers but also targets the Cryptocurrencies Wallets installed on victim’s system by looking for text ends with “wallet” or “json” into associated directories mentioned in below table. If any specified Cryptocurrency wallet found on victim’s system, then it reads all the information and bundles into a zip file with folder name “CryptoWallets” along with No. of counts of CryptoWallets in Counter.txt files which is also present in zip file.

Figure 7. Stealing Cryptocurrencies information

Here is the list of Cryptocurrency wallets which malware targets:

Cryptocurrency Name Targeted Directory
Electrum %AppData%\Roaming\Electrum\wallets
Electrum-Dash %AppData%\Roaming\Electrum-DASH\wallets
Ethereum %AppData%\Roaming\Ethereum\keystore
Exodus %AppData%\Roaming\Exodus\exodus.wallet
Atomic %AppData%\Roaming\atomic\Local Storage\leveldb
Jaxx %AppData%\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Coinomi %AppData%\Local\Coinomi\Coinomi\wallets
Guarda %AppData%\Roaming\Guarda\Local Storage\leveldb
Armory %AppData%\Roaming\Armory
Zcash %AppData%\Roaming\Zcash
Bytecoin %AppData%\Roaming\bytecoin

Targeted Apps:

Malware does not stop after stealing Crypto wallets and extensions from browsers, then it looks for specified installed apps from the victim’s machine. Below is list of targeted apps which are also hardcoded in binary. If malware found the specified app on machine, then it creates text file with “AppName_log.txt” and writes all data in it.

Application Name
DynDNS
FileZilla
Foxmail
Pidgin
Telegram

 

Pidgin:

Pidgin defines itself as a chat program that lets you log into accounts on multiple chat networks simultaneously. The credentials targeted by the stealer are located in an XML file containing the account information (accounts.xml), which should be located under the “%ApplicationData%\.purple” directory. As shown in below Figure, After obtaining pidgin data, malware copies it into a text file with name “Pidgin_Log.txt” and bundle into a zip.

Figure 8. Stealing Pidgin data.

Filezilla:

The FileZilla software program is a free-to-use (open source) FTP utility, allowing a user to transfer files from a local computer to a remote computer. This stealer will try to obtain the two files where the FPT client stores its passwords. Below table shows path where files will be located with description.

                         File                        Description
%AppData%\Roaming\FileZilla\recentservers.xml Contains the passwords associated with Site Manager
%AppData%\Roaming\FileZilla\sitemanager.xml Contains the passwords for QuickConnect

 

If malware founds above mentioned files, then XML documents will be examined to locate “Server” elements and extract the “Host,” “Port,” “User,” and “Pass” fields from each instance. “Pass” field will be decoded from Base64.The retrieved information will be saved in “FileZilla_Log.txt” file and bundle in into a zip file.

Figure 9. Stealing FileZilla Credentials

Foxmail:

The stealer targets POP3 accounts and passwords associated with this mailing software. Inside FoxMail’s installation directory, there is a file named “Accounts\Account.rec0” where these credentials are stored. The location of the installation directory is obtained from following registry key:

SOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command”

Under the “\\Storage” directory, the stealer searches for all directories that match the regular expression “@”. It then attempts to locate the “Accounts\Account.rec0” file within these directories. If the file is found, it will be read and parsed to obtain POP3 account details and passwords. After this, malware copy stolen info into “FoxMail_Log.txt” and bundle it into a zip.

 

Telegram:

This stealer tries to steal information from Telegram in 2 ways as shown in below Figure 10. In a first way, it targets to installed Telegram app on victims’ machine by checking %AppData%\Roaming\Telegram Desktop\tdata directory. If the directory found, then collects all the file from that directory then bundle into zip file with the folder name “TelegramFiles/Installed/tdata”. Here malware Bypasses some files while collecting information from both installed Telegram app and Portable Telegram.

 

Below it the list of directories and files which malware bypass:

  • dumps
  • temp
  • user_data
  • user_data#2
  • tdummy
  • emoji
  • modules
  • exe
  • txt
  • .json
  • Dictionaries

In second way, Malware retrieves all running processes by using Process.GetProcesses() method. If it finds a process name starting with “Telegram” then retrieves all the information Bypassing above listed directories and files and put it into a zip file with the name “TelegramFiles/Portable

Figure 10. Stealing Information from Telegram App.

Apart from above mentioned apps, Malware also steals information from Discord App and keep in “Discord/Tokens.txt” and bundle into zip file. Then next it steals information from RDP files if present on victims’ system by searching for .rdp extension.

 

Targeted VPNs (Virtual Private Network):

After targeting Apps from victims’ machine, this stealer malware has the capabilities to steals VPNs information  from victim’s machine.

VPN Name    VPN Directories
NordVPN %APPDATA%\Local\NordVPN
ProtonVPN %APPDATA%\Local\ProtonVPN
OpenVPN %USERPROFILE%\ OpenVPN\config, %APPDATA%\Roaming\OpenVPN\config
KerioVPN %APPDATA%\Roaming\kerio

 

Stealing Steam Credentials:

Steam is a video game digital distribution service that provides automatic updates for various games. It is highly popular among gamers as it allows for multiplayer capabilities.

Figure 11. Stealing Steam ID.

As shown in above Figure 11, stealer reads all lines from “configloginusers.vdf” file and obtain steam ID. This obtained ID is then written into “SteamID_Log.txt” which will be stored in Steam folder.

Figure 12. Stealing Steam files.

As shown in above Figure 12, this stealer gets the Steam location of the victim’s system by targeting “SOFTWARE\\Wow6432Node\\Valve\\Steam” and “Software\\Valve\\Steam” directories using GetLocationSteam(). If Steam directory is found, then it copies all the files into “Steam” folder and escapes files which having “. crash” extension. After this, stealer also grabs config information and stores it into “Steam/Config” directory.

 

C2 Communication:

Figure 13. Uploading stolen data to C2

As shown in above Figure, malware adds header by using “DateTime.Now.Ticks()” which is used to Get the number of ticks that represent the date and time of this instance. After adding header malware bundles stolen data into a zip file and sends it to C2 server (hxxps://es-megadom.com) which is hardcode present in binary using the POST request method. As now writing this blog, while uploading data to C2 malware throwing Exception because it is down and terminating by returning false.

 

Exfiltration:

After stealing all important information from victim’s machine the last step malware does is, it bundles all this information into folder with name like “c33f028dee6e06ed_[mr0001]” which is obtained by performing some operation on victims UserName and MachineName and contacting “_[mr0001]” string as shown in below Figure.

Figure 14. Exfiltration File

ProcessInfo_Log.txt:

As name suggests, ProcessInfo_Log.txt file contains All running processes with format like:

  • Process Name:
  • Process Tittle:
  • Process Path:

Figure 15. Obtaining running processes

Information.html file:

Information.html file contains all the following information of victim’s machine and all running process followed by process ID.

  1. Operating system
  2. Registered user
  3. Windows Product Code
  4. Computer name
  5. Logical processes
  6. System directory
  7. Central Processing Unit (CPU)
  8. Processor ID
  9. Screen resolution
  10. BIOS version
  11. Physical memory
  12. Memory type
  13. Video card
  14. Computer model
  15. Computer model manufacturerFigure 16. Stolen Systems information inside Information.html file

List of WMIQUERY used by malware to obtain above information from victims’ system.

  • root\\CIMV2″, “SELECT * FROM Win32_OperatingSystem
  • root\\CIMV2″, “SELECT * FROM Win32_Processor
  • root\\CIMV2″, “SELECT * FROM Win32_DesktopMonitor
  • root\\CIMV2″, “SELECT * FROM Win32_BIOS
  • root\\SecurityCenter2″, “SELECT * FROM AntiVirusProduct
  • root\\SecurityCenter2″, “SELECT * FROM FirewallProduct
  • root\\CIMV2″, “SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
  • root\\CIMV2″, “SELECT * FROM Win32_PhysicalMemory
  • root\\CIMV2″, “SELECT * FROM Win32_VideoController
  • root\\CIMV2″, “SELECT * FROM Win32_ComputerSystem

 

Apart from all of this, malware has some additional capabilities like Taking Screenshots, Doing AntiVM checks and country check. In this sample malware author not using above mention functionalities. But in future it may use to make analysis of this binary more difficult and obtaining some additional information from victim’s machine.

Figure 17. AntiVM Code present in malware binary.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Passwordstealer.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

LB-LINK Router Command Injection Vulnerability

LB-Link is a well-known company in the networking industry that specializes in the design, manufacturing, and distribution of wireless networking products. The company’s product portfolio includes a wide range of wireless routers, network adapters, Wi-Fi extenders, and other networking accessories.

A command injection vulnerability exists in LB-LINK’s BL-AC1900, BL-WR9000, BL-X26 and BL-LTE300 wireless routers.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.)

LB-LINK Routers Command Injection | CVE-2023-26801

As seen from the exploit, the command injection vulnerability is possible due to the insufficient input validation of the ‘mac’ parameter. In the payload the value  is appended to the ‘mac’ parameter . This value is a command injection attempt. This parameter value attempts to execute the ‘telnetd’ command with the ‘l’ option to start a new login shell (/bin/sh). This is how an unauthorized attacker can send crafted requests to /goform/set_LimitClient_cfg, and execute arbitrary commands on remote devices.
Following LB-LINK’s router versions are vulnerable :

  • BL-AC1900_2.0 V1.0.1
  • BL-WR9000 V2.4.9
  • BL-X26 V1.2.5
  • BL-LTE300 V1.0.8

The CVSS (Common Vulnerability Scoring System) score is 9.8 with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15851:LB-LINK Routers Command Injection

Threat Graph

Akira ransomware double-extortion scheme encrypts and publicly leaks sensitive data

The SonicWall Capture Labs threats research team has been tracking a newly discovered form of ransomware called “Akira”. This malicious software is actively targeting numerous organizations and stealing sensitive data. To maximize the likelihood of receiving payment, the Akira ransomware employs a dual-extortion technique, whereby it both steals and encrypts the victim’s data and threatens to sell or leak the stolen data on the dark web unless the ransom is paid to decrypt the compromised information.  Akira ransomware appeared in April 2023 and has already affected a variety publicly disclosed victims, primarily located in the United States.  These victims span various sectors such as construction, education, healthcare, and manufacturing.

 

Infection cycle:

 

Once the malware is run, the following command prompt is briefly shown:

 

Files on the system are encrypted and given a “.akira” file extension.  During this process, the following ransom note is dropped on to the desktop:

 

The malware obtains details on all connected drives:

 

The malware can be seen setting up its encryption key and encrypting data.  It uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” API in order to achieve this.  The public key can be seen in the code when being run in a debugger:

 

The tOr link from the ransom note leads to the following page:

 

After entering the code contained in the ransom note, the following page is presented summarizing what has happened and how to retrieve lost files.  The page is designed in a Linux terminal style with a list of commands:

 

The “leaks” command leads to the following page listing of companies that have fallen victim to the attackers.  These companies have not paid their ransom and as a result, their data is downloadable via bittorrent magnet links:

 

The “contact” command brings up a page where victims can have direct conversations with the attackers.  It appears to also show past conversations between victims and the operator:

 

This victim tries to reason with the attacker but the attackers stresses that their data will be released if a $1M ransom is not paid.  As motivation, invoices and bank statements are used by the attacker to prove that the victim is capable of paying the ransom:

 

Is Red/Blue Teaming Right for Your Network?

War games, fire drills and dress rehearsals all exist for the same reason: If you wait until the chips are down to think about whether you’re ready to face a given situation, the answer will probably be a resounding “no.” As it turns out, there’s an equivalent exercise in cybersecurity, designed to simulate an attack and find holes in your network defenses before an actual attacker does. It’s called red and blue teaming, and it’s available to anyone — for a price.

What is Red, Blue and Purple Teaming?

In cybersecurity, the red team is a group of “ethical hackers” that acts as the adversary and carries out a physical or digital intrusion. For best results, the red team is hired by the organization, rather than made up of insiders, allowing them to take the sort of outsider view that an adversary will have — but the group can also be made up of individuals within the organization.

Often, these exercises consist of tasks such as gaining access to a network, conducting reconnaissance, gaining credentials, performing encryption, taking control of browsers, social engineering and much more. For some exercises, the red team spends part of the simulation laying low to avoid being detected by employees or others associated with the organization.

The main advantage of red/blue/purple teaming versus pen-testing is the element of surprise: The blue team, which is created to act in opposition to the red team, often has no indication that a simulation is occurring. As a result, the blue team (and others in the company) will treat the simulation as an actual intrusion, carrying out threat hunting and other defense strategies exactly as they could be expected to in an actual security event. This allows the blue team to help refine incident response plans and ensure they’re ready to face an actual attack.

In addition to developing defenses, these exercises also help to foster a more security-minded culture in the organization.

Many simulations also make use of a “purple team.” This group is made up of members of both the red team and the blue team and can also include individuals outside the simulation, such as managers, software engineers and others. While optional, purple teams can help organizations get the most out of their red/blue teaming exercise by recording findings and outcomes and helping to make adjustments to ongoing simulations.

Why Red/Blue/Purple Testing Is Better Than Pen-testing

While red/blue/purple testing shares some elements of pen-testing, it is a distinct exercise: Red team testing is lengthier and more thorough, including more complex rules of engagement and more expansive evaluation.

While pen-testing is generally limited to describing vulnerabilities and how they were breached, red-teaming provides a comprehensive overview of a security program’s response capabilities.

Red/blue/purple teaming evaluates an organization’s security posture in a way that pen-testing alone cannot, allowing the organization to validate its level of risk and determine the potential financial impact of a security breach.

The Rising Cost of Red/Blue/Purple Teaming

But all of this comes at a cost — red team testing starts at around $10,000, and can run as high as $85,000 for more complex and lengthy evaluation.

There are a number of ways to limit this cost, such as capping the scope and amount of time spent by a red team, limiting the red team to a particular attack surface or vector, or shopping around for a red-team vendor at a lower price point that is still capable of meeting an organization’s security objectives. But red/blue/purple teaming is inherently expensive, so it might not be right for organizations that are unlikely to see a benefit commensurate with the cost.

Is Red/Blue/Purple Teaming Right for You?

While the insights yielded by red/blue/purple teaming can be highly valuable, it is more valuable for some organizations than others. Organizations that are globally regulated or affiliated with the federal government, as well as organizations that work with complex supply chains, can be expected to see the greatest benefit from this testing.

Whether an organization opts to start a red/blue/purple testing journey can depend on several factors, such as the compliance mandates that the organization is subject to, data privacy requirements, and the organization’s overall risk tolerance. With the average data breach costing millions of dollars, organizations need to perform their own assessment as to whether their likelihood of being targeted justifies the expense.

If you can’t justify the cost — or can’t justify it yet — that doesn’t mean you can’t gain some of the benefits that red/blue/purple teaming. For more on how to reap red/blue benefits on a make-do budget, register for the upcoming Mindhunter #13 webinar here.

Microsoft Security Bulletin Coverage for May 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-24902 Win32k Elevation of Privilege Vulnerability
ASPY : 443 Exploit-exe exe.MP_321

CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability
IPS : 3768 Windows NFS Remote Code Execution (CVE-2023-24941)
IPS : 3826 Windows NFS Remote Code Execution (CVE-2023-24941) 2
IPS : 3836 Windows NFS Remote Code Execution (CVE-2023-24941) 3

CVE-2023-24949 Windows Kernel Elevation of Privilege Vulnerability
ASPY : 444 Exploit-exe exe.MP_322

CVE-2023-24950 Microsoft SharePoint Server Spoofing Vulnerability
IPS : 3769 Microsoft SharePoint Server Spoofing (CVE-2023-24950)

CVE-2023-29324 Windows MSHTML Platform Elevation of Privilege Vulnerability
IPS : 15875 Windows MSHTML Platform Elevation of Privilege (CVE-2023-29324)

CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability
ASPY : 446 Malformed-rtf rtf.MP_33

CVE-2023-29336 Win32k Elevation of Privilege Vulnerability
ASPY : 445 Exploit-exe exe.MP_323

The following vulnerabilities do not have exploits in the wild :
CVE-2023-24881 Microsoft Teams Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24898 Windows SMB Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24899 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24900 Windows NTLM Security Support Provider Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24901 Windows NFS Portmapper Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24903 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24904 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24905 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-24939 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24940 Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24942 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-24943 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24944 Windows Bluetooth Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24945 Windows iSCSI Target Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24946 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24947 Windows Bluetooth Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24948 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-24953 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-24954 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28251 Windows Driver Revocation List Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-28283 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-28290 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-29333 Microsoft Access Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-29335 Microsoft Word Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-29338 Visual Studio Code Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-29340 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29341 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29343 SysInternals Sysmon for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29344 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.