Posts

Don’t get Caught by Raspberry Robin: Dissecting the evasion methods

Recently, the SonicWall Capture Labs Research team analyzed a Raspberry Robin, which is known for its endless anti-evasion’s techniques and multiple layers of packing. The layers have several anti-debugger, anti-sandbox, anti-VM and anti-emulator checks. The malware keeps evolving over the time and intensified itself to become more robust by adding various evasions and tactics.

Overview: 

Raspberry Robin is packed with 14 layers, each one is heavily obfuscated and performing a particular goal. From the structure of each layer, we can understand that initially it began as PE files but were changed into unique encrypted structures without PE headers that could only be retrieved and decrypted by the preceding layers. 

Once Raspberry Robin identified the execution is happening in a controlled environment then it mislead the execution flow in a variety of ways:

  • Terminate execution of the malware. 
  • Executes in a infinite loop. 
  • Generate a exception and terminates.
  • Execution of fake payload instead of real payload. 

Obfuscation: 

Malware does an extensive use of obfuscation. This makes it exceedingly difficult to statically analyze anti-analysis tactics and figure out how to get malware to unpack itself by passing all the checks. Malware uses API hashing to retrieve API addresses. Malware only uses VirtualAlloc and  VirtualProtect API’s to unpack next layer. 

Series of Layers:

Start:

Malware directly starts decryption of layer 1, which is stored in .data section, using simple XOR and jump to it:

Layer 1: 

This layer decrypts the next layer and starts its execution.

Layer 2:

It is a DLL file with no import and exports directory:

It has one unique check , where it initially set cx = 2. After performing some instruction it checks if cx is still equal to 2. Since cx value should remain the same. The gs selector’s value would be reset by a single step event and a new value would be placed into cx at the end of the procedure. 

This layer decrypts the next layer and starts its execution.

Layer 3:

This layer decrypts the next layer and starts its execution.

Layer 4:

This layer decrypts the next layer and starts its execution:

Layer 5:

Here, malware allocates large memory buffer with PAGE_WRITECOMBINE flag, where it first writes and then reads from it, evaluating read/write performance. Malware loops this check 32 times and compares that write performance is at least 6th times more than read performance. 

This check focuses on the execution in the emulator, if it is unsuccessful, malware will choose an incorrect RC4 key and leads to crash.

Function responsible for write-read performance check: 

Malware performs above operation 32 times: 

After successfully bypassing above check, it decrypts the next layer and starts its execution.

Layer 6:

It performs simple task of decryption by using very complex calls. Check the below call graph of this layer.

This layer decrypts the next layer and starts its execution.

Layer 7:

Every time malware has to call any API, it search for the required module in PEB->InLoadOrderModuleList. If the module found, it retrieves the address of required API from exports:

This layer decrypts the next layer and starts its execution.

Layer 8:

In this layer malware creates a new thread , which executes below mentioned checks as a separate function one by one:

1:

  • Malware checks NtMinorVerion and NtMajorVerionfields of KUSER_SHARED_DATA structure to get operating system version. At least windows 7 required to continue its execution:

  • Malware check KdDebuggerEnabled field of KUSER_SHARED_DATA structure to detect presence of kernel debugger:

  • Malware checks BeingDebugged and NtGlobalFlag fields of PEB structure to detect user mode debugger:

2:

  • Malware iterates through USERNAME and COMPUTERNAME environment variables to check for blacklisted user names and computer names:

3:

  • Malware uses CPUID instruction with multiple values of EAX to get various information about system processor. It sets EAX=0x01 to check whether it is running in Hypervisor or not. It sets EAX = 0x0 to get processor family name such as GenuineIntel is defined for intel processors. It set EAX =0x1c but this is invalid as per intel’s developer documentation. It sets EAX = 0x40000000 to check vendor ID string:

4:

  • Malware uses NumberOfPhysicalPages field of KUSER_SHARED_DATA structure to get ram size. It does to compare with minimum threshold to continue its execution:

5:

  • Malware gets Hash of absolute process path then check it against blacklisted paths which are generally used by sandbox:

6:

  • Malware implements an anti emulation method based on FileMapping. It creates a section of approx. 57MB size then it maps created section 9 times into malware’s memory address space. After mapping , it write’s dummy instructions and jump instruction at the end of each section:

 

7:

  • Malware get MAC address of machine using GetAdaptersAddresses API and check it against default adapter addresses of virtual machines:

 

8:

  • Malware check ProductId of HardDisk and compares it against blacklisted names. It uses DeviceIOControl API to get information about HardDisk:

9:

  • Malware check for display device name of system and compares it against blacklisted names. It uses EnumDisplayDevicesW API to get list of display devices:

10:

  • Malware checks for hashes of running process names against process names related to virtual environment and analysis tools. To fetch running processes names malware use NtQuerySystemInformation API with SystemProcessInformation class as parameter:

  • Also malware uses PEB->InLoadOrderModuleList to list all DLL modules, hashing each of module’s name and compare against hardcoded list of blacklisted modules. Function for checking DLL modules name: 

  • Name Hashing Algorithm: 

11:

  • Malware checks for sandbox related files in C: folder:

12:

  • Malware uses NtQuerySystemInformation API with SystemVhdBootInformation = 0x70 class to get virtual hard disk boot information. It also uses NtQuerySystemInformation API with SystemFirmwareTableInformation = 0x4C class to get firmware table information:

13:

  • Malware check whether default execution of VBA macro’s is enabled or not. For this it queries registry key using SHGetValueW API:

Malware has a variety of anti-analysis checks in this Layer. If malware is successful in detecting an analysis environment in at least one check, It will unpack and run the fake payload rather than the real payload  

LAYER 9:

On physical machine MulDiv API returns value 2 but on WineHQ’s MulDiv’s API implementation it returns value 1. So malware makes use of this opportunity and detects its execution under wine successfully:

Runtime call to allocated region:

It decrypts the next layer and starts its execution.

Layer 10:

Strings from the fake loader:

LAYER 11:

Malware drops fake payload into %TEMP% directory and execute it.

Fake Payload: 

LAYER 12:

It decrypts the next layer and starts its execution.

LAYER 13:

It decrypts the next layer and starts its execution.

LAYER 14:

 Raspberry Robin’s Main payload is unpacked.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Roshtyak.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New campaign spreading Android Remote Access Trojan

SonicWall Capture Labs Threat research team recently discovered a malware campaign that utilizes a Remote Access Trojan (RAT) with enormous capabilities, including keylogging, stealing sensitive device information, bypassing Google Authenticator, etc. These features allow the attacker to access and steal valuable information from the victim’s device, which can lead to various types of fraud, including financial fraud and identity theft.

This malware uses icon masquerading, a common tactic used by malware authors to evade detection and deceive users. The technique involves using the icons of legitimate and popular apps as a disguise for malicious apps. This allows the malware to blend in with other apps on the device and avoid suspicion.

After installation, the malware prompts the victim to enable the Accessibility Service on the targeted device. If the victim grants permission, the malware then takes advantage of the Accessibility Service to perform malicious activities without the user’s knowledge.

Fig1: Installed malicious app

 

Accessibility service usage is shown below:

Fig2: Accessibility permission

 

We also noticed that most of these malicious apps are fairly new and have recently been submitted over malware sharing platforms like Virus Total.

Fig3: Latest samples found on VT

Infection cycle:

The malware requests 34 permissions, some of the critical permissions used in these apps are mentioned below:

  • READ_SMS
  • CALL_PHONE
  • RECEIVE_SMS
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • WRITE_EXTERNAL_STORAGE
  • USES_POLICY_FORCE_LOCK
  • REQUEST_DELETE_PACKAGES
  • ACCESS_NOTIFICATION_POLICY
  • ACCESS_BACKGROUND_LOCATION

The components mentioned in the manifest file are absent from the compiled dex file.

Fig4: Mismatched components in the manifest file

 

During execution, the malware unpacks the “PFf.so” file from the assets section and drops it into the application system folder.

 

Fig5: drops unpacked dex file in the application folder

 

The application hides its own icon so that it is not visible in the launcher’s app tray.

Fig6: Hide app icon

 

The threat actor uses the below functions to collect the device information like IMEI no, country code, device model, installed package name etc.

Fig7: Collecting device info

 

It stores the user’s details using Shared Preferences and tries to connect to the C&C server (hxxps://141[.]98[.]6[.]86)

Fig8: Package Installation list

 

The malware has the ability to download HTML phishing pages from the Command and Control (C&C) server and then inject them into a WebView, to steal sensitive information such as login credentials and credit card numbers.

Fig9: Webview injection

 

Read incoming messages on a device and save them in JSON format.

Fig10: Read incoming SMS

 

Google Authenticator generates two-factor authentication (2FA), which provides stronger security for Accounts & requires a second step of verification when a user signs in. This malware manages to evade additional layers of security by getting 2FA codes with the help of Accessibility services.

Fig11: 2FA code

 

The malware accepts commands from the C&C server allowing the malware author to send SMS  and calls from the infected device.

Fig12: Ability to make calls

 

Fig13: Ability to send SMS

 

The malware has integrated keylogging functionality by taking advantage of the Accessibility Service.

Fig14: Store the key logs

 

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig15: Malware capture screenshots

 

It disables notifications by setting the interruption filter to “INTERRUPTION_FILTER_NONE”,

locks the device, and sets the ringer volume silent to remain unnoticed and silently reads the incoming notifications.

Fig16: Disable incoming notification

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):

0098fef6d54bc27d2cec81fccdb319ed9949ed4edd80e56c8d9acd00e8f0131a

013185b920a6b6cc1f38ae361f6a134502f87c847372c4d70f3d704fce1a8138

3f7c7af5153f5a4b30d35f7ff2ba832887bcbfe3d37f9915dcc23c76896ee199

50651c753d57e12f155c2261fe8735c077e65ed84f4b3d58b2fd82965c24f6ef

6d3e64e9a60aa9e098226815aad96d620285c98ed4812fd39ae0d2a3f7f03783

70bd486f69815312e6e23b75680cb1fd05bad69e3b538ccddb277e86d4818ab7

873d3211bde4614a1dcb04c4c059a7aa3a1ef314ce95cca3d9c733525c80177b

a0360aac3b925a5185d7bd00e6392be6419e6c4dde871526b6a7dcaaa3fe2aa2

a78659bbc0c03b06a9985aa360ae1390e5f2a1081387da9b3be3f2eb5910932d

ae6cca0df5a4a005ae157bab3567e19a9059adc2f308ebfb972815ecb8838350

b0de190c20c17d5c02d1a80bc1d157a8a63b2abf6e701722a0168d48efbfe492

e0eaf12b806baf45add1f959619cfa548a6265705c08d59d9a914813a04da5a3

e74a55e74835579eed7fc80296171435a0e2a1aae01e791d723e9b2d51954190

ec0d682cd5d72fa32b8e47f0eede32b30216bc88f08acba88d403071df69b233

 

Adobe ColdFusion Deserialization Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is a powerful web development platform that enables developers to create dynamic, data-driven websites and applications with ease. ColdFusion Markup Language (CFML) is the programming language behind Adobe ColdFusion, offering a versatile and expressive syntax for writing server-side scripts. CFML combines the simplicity of HTML with the functionality of scripting languages, allowing developers to build web applications faster and more efficiently. Adobe ColdFusion’s robust set of features and integrations, such as support for Java, .NET, and various web services, makes it a popular choice among developers for creating scalable and high-performance web applications.

  Despite its many advantages, Adobe ColdFusion is not immune to security vulnerabilities, one of which is the insecure deserialization vulnerability. Insecure deserialization occurs when an application accepts serialized data from an untrusted source and deserializes it without proper validation or sanitization. This vulnerability can be exploited by attackers to execute arbitrary code, modify application data, or perform other malicious activities. In the context of Adobe ColdFusion, this vulnerability arises due to deserialization of untrusted data when processing HTTP parameters sent to ColdFusion Component (CFC) endpoints.

  A remote, unauthenticated, attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary code execution in the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-26360.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a request is sent to a CFC endpoint, it is processed by the CFCServlet, which adds the ComponentFilter to the filter chain for both GET and POST requests. The invoke() method checks the cfclient parameter, and if set to “true,” it sets the cfclientCall flag of the FusionContext class to true. The GetArgumentCollection() method then retrieves the arguments from the argumentCollection HTTP parameter, and if its value begins with ‘{‘, it is deserialized using the deserializeJSON() method, which may also be called with the variables HTTP parameter value.

  The deserializeJSON() method results in parseObject(), where, if the cfclientCall flag is set, the convertToTemplateProxy() method is invoked. This method retrieves the metadata JSON property and the classname property within it, which is used to determine the full path to the referenced class file. The resolved file is sent to the resolveFile() method of the TemplateProxyFactory class, leading to the resolveName() method, which generates a ColdFusion page by calling the getCFCInstance() method, and subsequently, the newInstance() method of the TemplateClassLoader class.

  This method retrieves the Java class associated with the file by calling findClass() and fetch() of the TemplateCache class. If not found in the cache, the NeoTranslator class’s translateJava() method is called to obtain the class bytes. The method then creates an instance of TemplateReader, which reads the file header to identify the file type. Based on the header, the translateJava() method loads classes from the Java file or generates a Java class from CFML. The generated class is loaded, instantiated, and returned as a CfJspPage object. The resolveName() method then calls resolveComponentHelper(), which executes any compiled CFML tags on the page.

  An attacker can exploit this vulnerability by sending a crafted request to a valid CFC endpoint with the cfclient parameter set to true and a crafted argumentCollection or variables HTTP parameter containing a JSON object with a metadata property, including a classname property set to a file with attacker-controlled content. This could result in arbitrary code execution in the security context of SYSTEM.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker injects cfexecute tag into the log file. Next, the attacker sends a malicious HTTP request to the vulnerable server. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3711 Adobe ColdFusion Remote Code Execution 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Apply proper input validation and sanitization to any deserialized data.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Linux Backdoor Uses Old Tricks For Wide Reach

Overview:

  This week, SonicWall Capture Labs Threat Research Team analyzed a Linux backdoor sample, labelled as ‘Gafgyt’, that targets multiple platforms and acts as an enumeration tool, downloader, and C2 agent. This sample is a combination of known malware tools, namely Mirai’s method of generating C2 IP addresses and the use of multiple password lists for accessing services. It evades detection by deleting the binaries and scripts after they’re run, as well as deleting bash history. The original sample, ‘file-27084672.exe.bin’, is an unpacked 32-bit ELF binary 970kb in size. Initial infection method is unknown.

Figure 1: Detection of original sample

The file itself has no obfuscation in regards to content or instructions. Figures 2 and 3 are examples of usernames, passwords, methods for generating IP addresses, and IP address ranges that are pre-configured. These are from multiple sources and involve the following:

  • Mirai botnet
  • Bot Killer malware
  • SSH/Telnet/FTP services
  • Busybox software
  • BCMScanner (Baramundi Configuration Management)

Figure 2: Common usernames and password lists

Figure 3: Pre-configured IP address ranges for downloads or C2 comms

Since this backdoor is an amalgam of different malware techniques, it also contains a list of UserAgents that can be used during communications as seen in Figure 4. Given the nature of this malware, no traffic is received by the victim machine until all stages have been downloaded and installed.

Figure 4: UserAgent list for Firefox, Chrome, Safari, and others

Embedded in the strings (Figure 5) are multiple methods of pulling down the next stage of the malware, using wget, curl, busybox, ftp, and tftp. It should be noted that during testing, only two IPs were active (209.141.41{.}27, 94.177.230{.}2) but not presently delivering malware. There are multiple methods of randomly generating the C2 IPs including Mirai and Python that stage one will use to download stage two.

Figure 5: Commands to download stage two, ‘bins.sh’ or ‘tftp1.sh’

While stage one is attempting to download stage two, it will enumerate through multiple subdirectories on the system, as well as network connections using ‘proc/net/route’ and reading ‘etc/hosts’ file. Bash history is read and deleted. The binary itself is set to delete once a process has been created, or if it fails to find the correct environment.

The contents of ‘bins.sh’ are seen in Figure 6, which is set to pull the stage three payload for a victims’ specific architecture, named ‘Demon’. The file is made executable, run, and then immediately deleted.

Figure 6: Stage three is Demon.(arch)

Looking at ‘Demon.mpsl’, once a connection is made, the malware will send details including the IP address, operating system details, architecture, and installed software. If no connection can be made, the malware will sleep for a random period of time before attempting to connect and send the encoded information to another IP address.

 Figure 7: Calling ‘defpkgs’, ‘defarchs’, and ‘defopsys’ to pull saved system information and send via Demonicsock

As a connection is established and system data is sent, the program will wait for a reply and either sleep or push the command. It also checks whether or not the process is a parent or a child and bases its next actions on that information.

Figure 8: C2 commands in Demon.mpsl

While none of these techniques are new, this has been made to be far-reaching with some of the UserAgents including Playstation and Nintendo DS browsers, as well as phone browsers. The source code for much of the first stage can be found at a pastebin repository here. These samples are detected by the following signatures:

  • MalAgent.Gafgyt.Stage1
  • MalAgent.Gafgyt.Demon

IOCs

Samples

file-27084672.exe.bin – a2c5db1807e510421bb76757a033ff39e4b6dc64a9b49a362fbabf758c8bf3f1
bins.sh – a183ebf8170284f84a1251b56848a9cc34f8b92b8797817c80f604b12d608e3b
demon.mpsl – 2145a816884ed20909c8cd51a1543d8e71c17531e245dcca07c86c816200c644

IP Addresses

209.141.41{.}27
94.177.230{.}2

vBulletin Deserialization RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  vBulletin is written in PHP and uses MySQL as its database management system. It is designed to provide a robust platform for online communities to discuss and share ideas, information, and content. vBulletin is known for its ease of use, flexibility, and scalability, making it a popular choice for both small and large forums.

  vBulletin offers several key features that make it a popular choice for forum management. Its user-friendly interface is designed with usability in mind, ensuring that both administrators and users can easily navigate and manage the forum. Powerful administration tools are provided through a comprehensive control panel, which allows administrators to manage and customize various aspects of the forum, including user permissions, content moderation, and appearance. The platform’s extensibility means that it supports a wide range of plugins and add-ons, enabling administrators to tailor their forum’s functionality to meet specific needs. Moreover, vBulletin’s responsive design ensures that the forum displays well and operates smoothly on various devices, such as smartphones and tablets.

  A remote code execution vulnerability has been identified in vBulletin due to inadequate validation of the ‘searchprefs’ field, leading to arbitrary deserialization. Exploiting the unserialize() function can be achieved by using PHPGGC to generate a payload or discovering a new gadget chain within the code.

  A remote, authenticated attacker could exploit these vulnerabilities by sending crafted requests to the target server. Successful exploitation could result in arbitrary remote code execution under the security context of system.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-25135.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Understanding the deserialization remote code execution (RCE) vulnerability in vBulletin necessitates familiarity with several key technologies and concepts. One such concept is deserialization of untrusted data, which refers to converting a serialized data stream back into an object or data structure without properly validating or sanitizing the input. Serialization is the process of converting complex data structures, such as objects, into a format that can be easily stored or transmitted, while deserialization is the reverse process. When an application deserializes untrusted data without proper validation, it can lead to various security vulnerabilities, including remote code execution, denial of service, or unauthorized access to sensitive information.

  Another critical concept is the use of gadget chains, typically comprising one or more interconnected objects with specific properties or methods that can be abused during the deserialization process. An attacker crafts a malicious serialized data stream containing references to these objects, along with manipulated data that exploits their properties or methods. When the application deserializes this malicious data, the gadget chain is executed, resulting in unintended behavior or code execution. Furthermore, understanding Object-Relational Mapping (ORM), scalar fields, autoloading, and the serialize() and unserialize() functions is vital for comprehending the intricacies of the vBulletin deserialization RCE vulnerability.

  vBulletin’s ORM offers an abstraction layer between the application logic and the database, while scalar fields represent columns in database tables storing single-value data types. Autoloading in vBulletin is a feature that automatically loads required class files as needed, streamlining class file inclusion in the code and promoting a more organized and efficient structure for the application. Lastly, vBulletin utilizes PHP’s built-in serialize() and unserialize() functions to handle serialization and deserialization processes within the application. These functions play a critical role in converting complex data structures, such as objects or arrays, into a storable or transmittable format (serialization) and reversing this process to recreate the original data structures (deserialization).

  Payload Expanded:
  

  This serialized payload represents a gadget chain using objects from two different libraries: GoogleLogin extension for MediaWiki and Monolog. The payload comprises an array with two objects:

  

  When this payload is deserialized using PHP’s unserialize() function, the objects will be recreated, and their destructors will be called upon script termination or when the objects are no longer needed.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious serialized payloads containing gadget chains to the application.
  • The attacker must use the unserialize() function to deserialize the payload.

Triggering Conditions:

  The attacker sends a POST request to the target system. A deserialization vulnerability, such as CWE-502, may arise in an application under certain circumstances. One contributing factor is the application accepting serialized data from untrusted sources without implementing proper validation or sanitization measures. Additionally, the application employs the unserialize() function to deserialize this untrusted data, which can inadvertently instantiate objects containing malicious gadget chains. These gadget chains can be present in the application’s code or in third-party libraries used by the application, making them exploitable during the deserialization process. Furthermore, the autoloader mechanism plays a role in this vulnerability by loading classes required for deserialization. This can lead to unintended consequences or even the execution of malicious code when an attacker exploits the autoloader during a deserialization attack.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15584 vBulletin Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
    • Apply proper input validation and sanitization to any deserialized data.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Malicious PDF delivering Xworm 3.1 payload

Delivering Malicious PDF documents as email attachments is the easiest way for threat actors to get into the victim’s machine be it phishing, or embedded scripts for delivering malware payloads.

This time SonicWall Capture Labs threat research team has observed PDF being used to deliver Xworm 3.1 malware.

Infection Cycle:

Fig: Infection Cycle

 

Victim receives a phishing email with an attached malicious PDF file disguised as a genuine invoice attachment. When PDF file is opened it shows a blurry invoice image with a note saying ”right click on the pdf and open the link for the clear invoice”.

Fig: PDF file

 

When the user clicks the link in pdf it is opened in the browser and downloads a malicious executable without the user’s consent. The downloaded executable is named Invoicedav4564 to look like a regular bill.

Fig: PE file downloaded

 

The downloaded PE file is a SmartAssembly obfuscated dotNet file to prevent analysis. When the user tries to open the downloaded file considering an invoice malicious PE starts executing. It drops self-copy in the %Appdata% folder after creating a folder named svchost and file name also as svchost.exe .

Fig: Self-copy in %Appdata% as svchost.exe

 

For persistence, it schedules a task named “Nafifas” with a recurrence time of 1 minute setting from the dropped location which triggers the new process from the svchost folder with the legitimate system process name to remain unnoticed.

Fig: Scheduling Task

 

There is a decryption loop which then decrypts the final payload PE file as shown in the below image.

Fig: Decrypted Xworm payload PE

 

Decrypted PE file is the Xworm3.1 payload which is a RAT that comes with a bundle of malicious tasks, this version of Xworm uses APIs similar to other RAT like PreventSleep for hassle-free execution. It also creates Mutex and context switching to perform multiple malicious activities simultaneously.

Fig: RAT functionalities

 

Then it decrypts strings for the following essential details :

hxxp[:]//david1234[.]duckdns[.]org/

Port :7000

Key  :123456789

SPL : Xwormmm

USBNM : USB.exe

Decrypted strings are shown below images:

Fig: Host, Port, SPL, USB

 

Malware checks for installed antivirus products in the WMI namespace called root\SecurityCenter2 to sustain in the system and remain unnoticed.

Fig: Antivirus check

 

To bypass UAC malware makes sure to run in the security context of the administrator account by checking the current in role profile, so that it can perform all its desired tasks.

Fig: UAC bypass

 

Malware shares all the information about the current state of the computer like operating system version and installed version of itself to receive commands from C&C accordingly.

Fig: System details

 

There are specific user agents to communicate with C&C for different operating systems like Windows and MAC.

Fig: User Agents

 

It starts monitoring running processes, shares details using webrequests with server and gets commands as response using GET method.

It has a keylogging module named Xlogger which captures all the keystrokes. Xlogger uses the following APIs :

GetActiveWindowTitle

GetForegroundWindow

GetWindowThreadProcessId

GetProcessById

HookCallback

GetKeyState

It captures all the keystrokes in HookCallback function as shown in the below figure

Fig: Logging Keystrokes

 

After establishing the socket connection & getting full control over the system it can perform any critical task like:

  • screen recording
  • Install/Uninstall/Update any application
  • Open/Hide any URL
  • Shutting Down PC
  • Restart PC
  • PCLogoff
  • StartDDos
  • StopDDos
  • StartReport
  • XChat (Xworm chat option with the victim)

Fig: System control & DDoS

 

It also captures the screen and shares the detail with C&C as shown in the below figure:

Fig: ScreenCapture

 

It sends all the data to the host using TCP protocol as shown in the figure:

Fig: Post data using TCP

 

The malware must have been named Xworm because it has a dedicated function named spread, which spreads as worm via USB. It looks for all the drives on the system and checks for

  • removable drive type
  • drive name as USB

Fig: Checking for USB drive

 

Then searches for the current working directory and creates shortcut.

Fig: USB spread function

 

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, this indicates its spreading potential:

Fig: VirusTotal image

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

Fig: RTDMI capture

QNAP Photo Station Externally Controlled Reference Vulnerability

QNAP (Quality Network Appliance Provider) is a Taiwanese corporation that specializes in Network Attached Storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP’s Photo Station is a private cloud photo storage , service that can centrally store and manage full resolution photos across all devices with QNAP NAS.

QNAP Photo Station Externally Controlled Reference | CVE-2022-27593
An externally controlled reference to a resource vulnerability exists in QNAP NAS systems that are running Photo Station. If exploited, this could allow an attacker to modify system files. SonicWall Capture Labs threat research team has observed this vulnerability being exploited in the wild.
Following versions are vulnerable:

  • QTS 5.0.1: Photo Station 6.1.2
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22
  • QTS 4.3.6: Photo Station 5.7.18
  • QTS 4.3.3: Photo Station 5.4.15
  • QTS 4.2.6: Photo Station 5.2.14

According to CWE , Externally Controlled Reference Vulnerability means the product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Following is an example of exploit:

The code is a URL string that includes a query parameter with the value “/photo/combine.php”. The query parameter “type” has a value of “javascript” and the parameter “g” has a value of 
The code is attempting to combine multiple JavaScript files located in the directory “/photo/” using the script “/photo/combine.php”. An attacker can manipulate the parameter ‘g’ by inserting directory traversal characters, potentially granting them the ability to make changes to system files.

This vulnerability can be exploited by remote, unauthenticated attackers without any user interaction.
The CVSS(Common Vulnerability Scoring System) score is 9.1 with Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

QNAP has patched this vulnerability.
Querying Shodan shows numerous QNAP devices, many of which many are still vulnerable.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15790:QNAP Photo Station Externally Controlled Reference

Threat Graph

Money message Ransomware actively targeting large organization

Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Money message. Written in C++, this ransomware encrypts the victim’s files without changing the filename or appending the extension, making it more difficult to identify which files have been compromised. Once the files are encrypted, the attackers demand a ransom payment in exchange for the decryption key.

Infection Cycle:

At the start of the execution it creates a named mutex “12345-12345-12235-12354” to avoid different instance of Money message Ransomware running on the same system.

It uses WMI (Windows Management Instrumentation) Query and Service Control Manager to disable the specific list of services.

Associators of {Win32_ServiceName=’sql’} Where AssocClass=Win32_DependentService Role=Antecedent­

It opens the Service Control Manager (SCM) by calling OpenSCManagerW() function.
It then calls OpenServiceW() function to open the service from the list and EnumDependentServicesW() function to enumerate all its dependent services, If any of the services present from the list is found to be running, the ransomware stops them using ControlService() function.

Below are the list of the services that are stopped by the ransomware

vss
sql
svc$
memtas
mepocs
sophos
veeam
backup
vmms

It then enumerates the running processes on the system and terminates the below list of processes.

sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocauto upds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mdesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
vmwp.exe

It deletes the volume shadow copies using ShellExecuteW() function by passing below command

It avoids encrypting the files from below directories

It also has a list of files which it avoids encrypting:

The files which are not present in the whitelisted directories nor the files are whitelisted are encrypted by the ransomware.
Once the files are encrypted the filename of the original file remains the same nor the extension of it is changed.

Once the files are encrypted it displays below ransom message

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:MoneyMsg.RSM (Trojan)

SonicWall RTDMI engine – part of capture ATP – has a proactive 0-day protection against this ransomware.

Laplas Clipper Strikes Again: With Anti Analysis Techniques

Recently, SonicWall Capture Labs threat research team has come across a new C++ based variant of Laplas Clipper which targets the cryptocurrency users. Laplas clipper have been observed in the past using .NET and GO language variants. In this variant, the malware employs various anti debug, anti sandbox and anti analysis techniques to evade detection. 

The malware’s main purpose is to exchange victim’s cryptocurrency wallet address with the threat actor’s provided wallet address, so that it can receive the payments by tricking the user. 

Analysis: 

Before starting main activity, malware performs anti checks to evade detection and stops its execution if any condition is not satisfied.

Anti Sandbox():

  • No. of Processor: SYSTEMINFO structure contains information about current computer system. This includes the architecture, type of the processor, the number of processors in the system, the page size, and other such information. 

          Malware checks NumberOfProcessors field which should be more than 1 processor. 

  • GlobalMemoryStatusEx API retrieves information about the system’s current usage of both physical and virtual memory. MEMORYSTATUSEX structure contains field ullTotalPhys which contains total size of actual physical memory in Bytes. 

          Malware check ullTotalPhys field which should be more than 2 GB. 

  • DeviceIoControl sends a control code (this case 0x70000 corresponds to IOCTL_DISK_GET_DRIVE_GEOMETRY) directly to a specified device driver.  

_DISK_GEOMETRY structure contains the media type, number of cylinders, tracks per cylinder, sectors per track, and bytes per sector.  

Malware uses _DISK_GEOMETRY struct to calculate total size of hard disk in bytes, which should be more than 80GB to continue its execution otherwise it will stop its execution. 

 Anti Analysis():

  • IsDebuggerPresent(): Determines whether the current process is being debugged by a user-mode debugger such as OllyDbg or x64dbg. 
  • CreateToolhelp32Snapshot(): Malware obtains the list of currently running processes on the system and compares the executable name associated with them against the following list of executable file names associated with common analysis tools as listed below.

ida.exe, x32dbg.exe, x64dbg.exe, ida64.exe, wireshark.exe, netstat.exe, netmon.exe, tcpview.exe, filemon.exe, regmon.exe  

 

  • IsNonWritableinCurrentImage(): If a process is running under a debugger and an invalid handle is passed to the API ntdll!NtClose or API kernel32!CloseHandle, then the EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised. The exception can be catch by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
  • NtDelayExecution(): Suspends execution for specified nano seconds. 
  • GetTickCount64(): Measures elapsed time between functions calls and if difference is less than specified value then malware knows it executing under controlled environment and stops it execution. 

After performing all the above functions malware checks whether it is running from the %Appdata% folder. If not, then it copies bloated copy of itself (701 MB) into %Appdata% by appending random bytes as overlay. Malware does this to evade scanning from various security software which is recently seen in Emotet malware family. 

 

Malware adds itself to a Autoruns entry for persistence: 

Malware executes from %Appdata% through command line using API ShellExecuteA:

Wallet Address Exchange:

Malware starts decrypting all encrypted strings, regular expression(regex) for cryptocurrency wallet addresses and c2 URL. 

Malware sends GET request to download regex from the c2 server: 

Regex belongs to the below currency wallet address:

Cyptocurrency Regular Expression
Bitcoin (BTC) ^(?:(1[1-9A-HJ-NP-Za-km-z]{32,33})
Bitcoin (BTC) (3[1-9A-HJ-NP-Za-km-z]{32,33})
Bitcoin (BTC) (bc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58})
Bitcoin Cash (BCH) (q[a-z0-9]{41})
Bitcoin Cash (BCH) (p[a-z0-9]{41})
Litecoin (LTC) (L[a-km-zA-HJ-NP-Z0-9]{33})
Litecoin (LTC) (M[a-km-zA-HJ-NP-Z0-9]{33})
Litecoin (LTC) (ltc1q[a-zA-Z0-9]{38})
Ethereum (ETH) (0x[a-fA-F0-9]{40})
Binance coin (BNB) (bnb1[0-9a-z]{38})
Dogecoin (DOGE) (D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})
Monero (XMR) (4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Monero (XMR) (8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Ripple (XRP) (r[0-9a-zA-Z]{33})
Tezos (t1[a-km-zA-HJ-NP-Z1-9]{33})
Dash (DASH) (X[1-9A-HJ-NP-Za-km-z]{33})
Ronin (RON) (ronin:[a-fA-F0-9]{40})
Tron (TRX) (T[A-Za-z1-9]{33})
Tezos (XTZ) (tz[1-3][1-9A-HJ-NP-Za-km-z]{33})
Cardano (ADA) (addr1[a-z0-9]+)
Cosmos (ATOM) (cosmos1[a-z0-9]{38})
Ripple (XRP) (R[a-zA-Z0-9]{33})
UNKNOWN ([A-Z2-7]{58})
UNKNOWN ([1-9A-HJ-NP-Za-km-z]{44}))$

After receiving regex list, malware register itself to c2 server by sending GET request containing guid (computer name\\username) and key which is encrypted using simple XOR in malware. 

Malware runs in infinite loop while searching for the cryptocurrency wallet address in the clipboard buffer using regular expressions. Malware uses GetClipboardData and SetClipboardData API’s to fetch and replace clipboard data respectively. 

If malware founds valid wallet address in clipboard, then it sends GET request to obtain similar threat actor’s wallet address, so that malware can replace it with original victim’s wallet address and receive the payment send by victim. 

After receiving similar wallet address from c2 server, Malware replaces it with victim’s wallet address: 

Although the malware has smaller functionality it may cause huge financial losses to victims.

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOC: 

634129f11f0b78602fe43104fa0b8b987bfbecb0670d078db870e7acceed8831 

Unveiling the Hidden Threat: Malware Disguised as Trusted Downloads

The SonicWall Capture Labs threat research team has observed and analyzed a new malware which is distributed along with legitimate software such as Advanced Port Scanner. The malware has the ability to download and execute additional malware payload, as well as receive and execute commands from a remote command and control server. 

This malware comes bundled with a legitimate software such as the Advanced Port Scanner. One of the bundled components is a malicious dll named, ssleay32.dll, which is a commonly used library for open source projects such as OpenSSL and Qt.

Analysis: 

Upon execution of the main Setup.exe, it loads the malicious packed DLL (ssleay32.dll) into memory. 

Stage 1: 

Dll code is obfuscated with fake API calls: 

Once DLL get loaded into memory, it decodes Base64 encoded shellcode on to Heap and start execution from heap. Shellcode contains the encrypted downloader module which is later decrypted using Tiny Encryption Algorithm. 

Malware uses API hashing for resolving the API addresses. Library names and API names are stored as CRC32 hash and they are resolved at runtime: 

After the decryption of the downloader module, malware injects it into newly created suspended process “explorer.exe”. Malware uses Process Hollowing technique to inject downloader module in “explorer.exe”: 

Stage 2:

Command and Control (C2) Server communication:  

At this point, the downloader starts its execution by sending Get request to the C2 Server: 

Downloader prepares Get c2 request with domain “chap-domain[.]com” which is hardcoded in binary. Malware configuration is encrypted using RC4 algorithm which is decrypted at runtime. Malware uses three different RC4 keys for each different operation. RC4 keys are stored in .data section of binary. Malware uses an implementation of Mersenne Twister Random Number Generator (MTRNG) to generate random values for the query string “%s?a=%s&id=%s”.

Snapshot of CyberChef Tool shows the decryption of Malware configuration using RC4 Algorithm:

Get Request sent to C2: 

C2 Response Decrypted: 

Downloader uses open source RapidJSON C++ library to parse C2 response. 

C2 response contains various commands and options to carry out further execution 

{ 

    “postback”: “true”,                                         <– Response Back is True 

   “geo”: “IN”, <– Geo Location 

    “crypto_domain”: “false”, 

    “powershell”: “false”,                                     <– PowerShell Commands to execute 

    “moderation”: “false”, 

    “postback_id”: “false”, 

    “postback_url”: “post-make.com”,             <– Domain to send another Get Request 

    “postback_path”: “c4fel7k.php?cnv_id=” <– URL Path  

} 

At the time of analysis c2 server did not respond with other available commands. 

Malware has capabilities to download file and execute it from URL sent by c2 server. 

Below code snippet shows the ability to download file from URL and save into temporary path:

Below code snippet shows the execution of downloaded file as a new process:

Following code snippet shows the execution of PowerShell commands received from C2:


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

DLL files

938cafbfd9c84f2db9e391d102982c64175af490283ee68e10e621cae886a885
332523f94c37396b7153883e294d714f13e18b5026986c7a1d7f861d58cf610f
33687ee592b099fe341a7c8eae0369f9375b52ce4622cf98a6db0372023dc31e
ca0e784c1aaed612f264135f655e17476ade7077801aa01b5e055768236c3bdf
ca96a44effbdb6a995dacd109eb57f7ad5bbef69ac1699244190eeabfe1ad72a
7b65e764f78e0ce82bef0785758512890ad2bf768ed27c3e42b44b3af91956bf
8365ad9f6f1f7ccb6d3e45ef21be0472ff98c1e8d8f9cb6d8ec22b2632f92743
9d706ec7fcfb0b12db84c2d733f8120804c2ab55475ce610f1bef186be587249
b111ad556bc72b1a48bd4b30a62bd7696f6532d6c5694701015013abe72577a7
938cafbfd9c84f2db9e391d102982c64175af490283ee68e10e621cae886a885
8c96bb583bcbe85b1d05071771a6b6be25bb43af705ca4f8ea87ffb9751ddad4
a7123ca2efb1faa7347fa7f7002ab3763880762db0522bb200d3e869882a3954
7de5a0ca3a10e4e560ef072b63e55e9729c208a8bcee450becfa960cdd27aa53
da78a9e850da9c05833fd099c687a4f180b2616db7e87db7ccf3cb33232501f1
3ea5b5d31972d766ee107ad8ba67bc4586b58718f0f4997ebe91182a2f261d1d
d9488f6deab5c07f84d0c05a151970aaf67e637ed1456d9fd61401c756c6f070
d40ec00f3695818024496fb770e15fcee45677d481b81f54705e133319f2bf90
928ff06e101981e1dd4db46ca3e3f38d7896e99a4b9517c1628ab84a5c0d0247
2f7d2feaf87023af233d2f0fd97b45e8df62304bdbb4c7a02b1cee58c80911f2
5470c5fed4d8201d4e3f41922c38b336ac5e6a2a2c163b3afc403fdc6a30c65d
41bfc00cb7987adb691673335018dd45f1250464b9270514f09aa9c5cb8fcbb2